RG-Router Implementation Cookbook (V1.3)

2018-06-27

Copyright Statement

Ruijie Networks©2013

Ruijie Networks reserves all copyrights of this document. Any reproduction, excerption, backup, modification, transmission, translation or commercial use of this document or any portion of this document, in any form or by any means, without the prior written consent of Ruijie Networks is prohibited.

 

The Ruijie Networks logos (the combined Chinese-English logo, the Chinese logo, and the English logo) are registered trademarks of Ruijie Networks. Counterfeiting is strictly prohibited.

 

Exemption Statement

This document is provided “as is”. The contents of this document are subject to change without any notice. Please obtain the latest information through the Ruijie Networks website. Ruijie Networks endeavors to ensure content accuracy and will not shoulder any responsibility for losses and damages caused due to content omissions, inaccuracies or errors.


Preface

This guide provides an overview and explains how to configure the various features for the RG-RSR30-44 Router, RG-RSR20-14E Router, RG-RSR10-02E Router, RG-RSR10-02 Router, and RG-RSR 77 series Router. Some information may not apply to your particular router model.

Audience

- Network Engineers

- Network Administrators

 

Obtain Technical Assistance

- Ruijie Networks Website: http://www.ruijienetworks.com

- Ruijie Service Portal: http://caseportal.ruijienetworks.com

 

You are welcome to report errors in any Ruijie manual, and to give advice, through the Ruijie Service Portal.

 

Related Documents

- Product Datasheet
  RG-RSR30-44 Reliable Multi-Service Router Datasheet
  RG-RSR20-14E Reliable Multi-Service Router Datasheet
  RG-RSR10-02E Reliable Multi-Service Router Datasheet
  RG-RSR10-02 Reliable Multi-Service Router Datasheet
  RG-RSR77-X Core Service Distributed Router Datasheet

- Hardware Installation Guide
  RG-RSR30 Series Routers Hardware Installation and Reference Guide
  RG-RSR20-14E Series Routers Hardware Installation and Reference Guide
  RG-RSR10-02E Series Routers Hardware Installation and Reference Guide
  RG-RSR10 (20) Series Router Hardware Installation and Reference Guide
  RG-RSR77 Series Router Hardware Installation and Reference Guide

- RGOS Configuration Guide
  RG-RSR30 Series Router RGOS Configuration Guide
  RG-RSR20-14E Series Router RGOS Configuration Guide
  RG-RSR10-02E Series Router RGOS Configuration Guide
  RG-RSR10 (20) Series Router RGOS Configuration Guide
  RG-RSR77 Series Router RGOS Configuration Guide

- RGOS Command Reference
  RG-RSR30 Series Router RGOS Command Reference
  RG-RSR20-14E Series Router RGOS Command Reference
  RG-RSR10-02E Series Router RGOS Command Reference
  RG-RSR10 (20) Series Router RGOS Command Reference
  RG-RSR77 Series Router RGOS Command Reference

- White Paper
  White Paper for Ruijie ERPS Technology
  White Paper for REF Technology
  White Paper for WAN Transmission Acceleration Technology of Routers

Revision History

| Date    | Change contents                                                                                                                                                                           | Reviser     |
|---------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|
| 2016.5  | Initial publication V1.0                                                                                                                                                                  | TAC Oversea |
| 2017.2  | Added new chapters 1.1.3 Distributed Router Upgrade, 2.1.4 Syslog, 2.4.6 VPDN 2.0, 2.6.5 DLDP, 3.1 4G Solutions, and 5.1 Detailed Configuration for Internet Access in publication V1.1 | TAC Oversea |
| 2017.10 | Added new chapter 3.3.2 Import Configuration Using FUNC Key                                                                                                                               | TAC Oversea |

Index

1 Preface
2 Index
3 Maintenance
  3.1 Firmware Upgrade
    3.1.1 Upgrade in Xmodem Mode
    3.1.2 Upgrade in Router Mode
    3.1.3 Distributed Router Upgrade
  3.2 Password Restoration
    3.2.1 Password Restoration with RGOS Version 10.X
    3.2.2 Password Restoration on RSR77
    3.2.3 Password Restoration on 4G Router
  3.3 Upgrade Firmware and Import Configuration Using FUNC Key
    3.3.1 Upgrade Firmware Using FUNC Key
4 Configuration
  4.1 Basic Function Configuration
    4.1.1 Initial Configuration
    4.1.2 Ruijie Express Forwarding (REF)
    4.1.3 DHCP
    4.1.4 Syslog
  4.2 IP Routing
    4.2.1 Static Route
    4.2.2 RIP
    4.2.3 OSPF
    4.2.4 BGP
    4.2.5 Route Control
    4.2.6 Policy-Based Routing
    4.2.7 Routing across VRFs
  4.3 Fixed Switch Modules
  4.4 Security
    4.4.1 ACL
    4.4.2 NAT
    4.4.3 IPSEC
    4.4.4 GRE
    4.4.5 L2TP VPN
    4.4.6 VPDN 2.0
    4.4.7 Local Attack Protection
  4.5 Network Management and Monitoring
    4.5.1 IPFIX
  4.6 Reliability
    4.6.1 BFD
    4.6.2 VRRP
    4.6.3 Link-Based Interface Backup
    4.6.4 GR
    4.6.5 DLDP
  4.7 QoS
    4.7.1 Traffic Classification and Marking
    4.7.2 Congestion Avoidance
    4.7.3 Traffic Control
    4.7.4 Generic Traffic Shaping (GTS)
    4.7.5 QoS Implementation Guide
5 Solution Configuration Guide
  5.1 4G Solutions
    5.1.1 4G Products and Common Commands
    5.1.2 4G Typical Scenario Configuration Guide
    5.1.3 Other Function Configuration for a 4G Router
    5.1.4 Configuring WiFi for the 4G Router
    5.1.5 4G FAQs and Faults
6 Device Status Detection
  6.1 Check Clock
  6.2 Check Log
  6.3 Check Hardware Status
  6.4 Check CPU Utilization
  6.5 Check Memory Utilization
  6.6 Check Flow Table Status
  6.7 Check Interface Status
  6.8 Basic Fault Information Collection
7 Detailed Case Study
  7.1 Detailed Configuration for Internet Access
    7.1.1 Internet Access Configuration Guide


 

Maintenance

1.1      Firmware Upgrade

1.1.1     Upgrade in Xmodem Mode

 

I. Topology

 

II. Upgrade in Xmodem Mode

Notes:

The default baud rate of the SIC-3G card is 115,200 Bd during startup and the baud rate for accessing the main screen is 9,600 Bd after startup. If the startup baud rate is changed to another value, select the new baud rate for login.

1.      Power on the device and press Ctrl+C to access the BootLoader main menu.

2.      (Optional) If the current baud rate of the SIC-3G card is 115,200 Bd, skip this step. Otherwise, perform the following step:

Note: Changing the baud rate to 115,200 Bd aims at accelerating transmission speed over Xmodem.

1)  Select 6. Scattered utilities.

2)  Select 4. Set baudrate.

3)  Select 2. Change baudrate to 115200.

4)  Change the baud rate for logging in to a terminal to 115,200 Bd and press Enter. The change is successful if the console displays correct information.

3.      Press Ctrl+Z twice to return to the BootLoader main menu.

4.      (Optional) If the main program of the SIC-3G card is lost, go to Step 4. Otherwise, perform the following step:

1)     Select 4. File management utilities to access the file management submenu.

2)     Select 1. Remove a file. Enter rgos.bin after the "The filename you want to remove:" prompt is displayed, and then press Enter.

3)     Press Ctrl+Z to return to the BootLoader main menu.

5.      Transfer the automatic upgrade package to the SIC-3G card.

1)     Select 1. XModem utilities.

2)     Select 1. Upgrade Main program.

3)     Send the Xmodem file.

To send the Xmodem file by using SecureCRT, choose Option > Session Option from the main menu; in the Session Option dialog box, choose Terminal > X/Y/Zmodem and click 1024 bytes (Xmodem-1k/Ymodem-1k) in X/Ymodem send packet size.

Choose Transfer > Send Xmodem from the main menu, select the bin file used for upgrade (name the bin file rgos.bin), and click OK to start upgrade.

6.      Restart the SIC-3G card for the automatic upgrade package to run.

1)     After downloading ends, press Ctrl+Z to return to the BootLoader main menu, and select 6. Scattered utilities.

2)     Select 2. Reload system.

The card upgrade is in progress. Please wait patiently.

 

III. Upgrade Verification

1)     After the upgrade ends, the card automatically restarts and runs the main program until the PCI BUS Scan/Setup End screen is displayed.

2)     Change the baud rate used by the PC to connect to the SIC-3G card console to 9,600 Bd, and press Enter to enter the main program environment. The upgrade is then complete.

 

1.1.2     Upgrade in Router Mode

 

Features

The NMX-24ESW switch fabric module of the RSR20 series routers adopts the distributed system architecture. The NMX-24ESW switch fabric module is equipped with an independent CPU, memory, flash memory, and other hardware, and has an independent main program. The NMX-24ESW switch fabric module can be upgraded in router mode or independently.

Upgrade in router mode:

The software version of the switch fabric module is bound into the software version of the router. An upgrade channel is established between the router and the switch fabric module, and the router directly transmits the software version of the switch fabric module to the flash memory of the latter, thereby achieving remote upgrade of the switch fabric module.

The RSR20 series routers of 10.3(5t86)/10.3(5b6)p3 and later versions support switch fabric module upgrade in router mode.

Independent upgrade of the switch fabric module

The network port of the switch fabric module is connected to an external TFTP server through a network cable, and the TFTP server transmits the software version of the switch fabric module to the flash memory of the latter.

The switch fabric module of all versions supports this upgrade mode.

 

I. Upgrade Steps

1.      Log in to the switch fabric module from the router.

In router mode, run the service-module fastEthernet 5/0 session command to enter the switch fabric module.

RSR20-14#service-module fastEthernet 5/0 session     //Enter the switch fabric module. If the switch fabric module is seated in Slot 5, enter 5/0; if it is seated in Slot 6, enter 6/0.

Ruijie#      //If the device prompt is changed to Ruijie#, you enter the switch fabric module successfully.

 

2.      Back up the original software version of the switch fabric module.

Notes:

If the current main program running on the switch fabric module is rgos.bin, run the copy flash:rgos.bin flash:rgos.bak command for backup; if the main program is rgnos.bin, run the copy flash:rgnos.bin flash:rgnos.bak command for backup.

The following example is based on the main program rgos.bin running on the switch fabric module.

a.      Display the name of the current main program running on the switch fabric module.

Ruijie#dir

    Mode Link      Size               MTime Name
-------- ---- --------- ------------------- ------------------
<DIR>    1         0 1970-01-01 08:00:00 dev/
<DIR>    1         0 1970-01-01 08:00:03 ram/
<DIR>    2         0 1970-01-01 08:00:35 tmp/
<DIR>    0         0 1970-01-01 08:00:00 proc/
            1         8 1970-01-04 10:15:00 priority.dat
            1   5885184 1970-01-01 09:42:03 rgos.bin             //The current main program running on the switch fabric module is rgos.bin.
            1   5885184 1970-01-01 08:07:19 rgos.10.2(2).33474
--------------------------------------------------------------
3 Files (Total size 11770376 Bytes), 4 Directories.
Total 31457280 bytes (30MB) in this device, 17907712 bytes (17MB) available.

b.      Back up the software version of the switch fabric module.

Ruijie#copy flash:rgos.bin flash:rgos.bak  //Back up the software version of the switch fabric module as rgos.bak.

Ruijie#dir

    Mode Link      Size               MTime Name
-------- ---- --------- ------------------- ------------------
<DIR>    1         0 1970-01-01 08:00:00 dev/
<DIR>    1         0 1970-01-01 08:00:03 ram/
<DIR>    2         0 1970-01-01 08:00:35 tmp/
<DIR>    0         0 1970-01-01 08:00:00 proc/
            1         8 1970-01-04 10:15:00 priority.dat
            1   5885184 1970-01-01 08:05:51 rgos.bak             //The software version of the switch fabric module is backed up successfully.
            1   5885184 1970-01-01 09:42:03 rgos.bin
--------------------------------------------------------------
3 Files (Total size 11770376 Bytes), 4 Directories.
Total 31457280 bytes (30MB) in this device, 17907712 bytes (17MB) available.

c.     Press Ctrl+X to exit from the switch fabric module to the router mode.

3.      Upgrade the main program of the router.

For the upgrade method, see section "Main Program Upgrade" (choose Daily Maintenance>Software Upgrade>Mid-range and Low-end Series Router Upgrade>10.x Version Upgrade> Main Program Upgrade).

4.      Display the software versions of the router and switch fabric module.

1)      Display the software version of the router in router mode.

RSR20-14#dir

    Mode Link      Size               MTime Name
-------- ---- --------- ------------------- ------------------
<DIR>    1         0 1970-01-01 00:00:00 dev/
<DIR>    2         0 2013-03-29 02:15:55 esw/                //Directory for storing the software version of the switch fabric module
<DIR>    2         0 2011-05-23 03:40:19 log/
<DIR>    2         0 2013-03-29 04:31:32 mnt/
<DIR>    1         0 2013-03-29 04:31:26 ram/
<DIR>    2         0 2013-03-29 04:31:46 tmp/
<DIR>    0         0 1970-01-01 00:00:00 proc/
            1      1263 2013-01-31 14:19:56 config_0113.bak
            1   7248608 2013-03-29 02:15:36 rgos.bin            //Software version of the router
--------------------------------------------------------------
2 Files (Total size 7249871 Bytes), 7 Directories.
Total 33030144 bytes (31MB) in this device, 20160512 bytes (19MB) available.

2)      Display the software version of the switch fabric module in router mode.

Notes:

For RSR20 series routers of 10.3(5t86), 10.3(5b6)p3, and later versions, the software version of the switch fabric module is packaged into the main program of the router. After the router upgrade is complete, the router automatically decompresses the software version of the switch fabric module into the esw folder in the flash memory.

RSR20-14#cd esw    //Access the directory for storing the software version of the switch fabric module.

RSR20-14#dir

    Mode Link      Size               MTime Name
-------- ---- --------- ------------------- ------------------
            1   4221664 2013-03-29 02:16:04 esw_install.bin     //Main program file of the switch fabric module
--------------------------------------------------------------
1 Files (Total size 4221664 Bytes), 0 Directories.
Total 33030144 bytes (31MB) in this device, 20160512 bytes (19MB) available.

5.       Return to the main program of the router in the flash memory and enable the terminal monitor function.

RSR20-14#cd ..      //Return to the main program of the router in the flash memory.

RSR20-14#terminal monitor    //Enable the terminal monitor function.

6.      Shut down services of the switch fabric module, and deliver the main program of the switch fabric module from the flash memory of the router to the flash memory of the switch fabric module.

Notes:

1)       It takes about 15 minutes to transmit the software version of the switch fabric module from the router to the flash memory of the switch fabric module.

2)       When the prompt "Upload completed" is displayed, wait another 8-15 minutes (15 minutes are recommended) to ensure that the version files of the switch fabric module are all received.

3)       Do not perform destructive operations such as power-off and restart during upgrade of the switch fabric module. Otherwise, the upgrade of the switch fabric module will fail.

4)       If the switch fabric module or router is restarted before version files of the switch fabric module are all received, the version files may be damaged and the switch fabric module may fail to start. In this case, run the RSR20-14#service-module fastEthernet 5/0 reset command in router mode to restart the switch fabric module, press Ctrl+C to enter the Ctrl layer of the switch fabric module, press Ctrl+Q to enter the CLI mode, and then run the Ctrl>rename rgos.bak  rgos.bin command to restore the original main program of the switch fabric module. Then, run the Ctrl>reload command to restart the switch fabric module and restore services.

RSR20-14#esw-switch shut-service    //Shut down services of the switch fabric module.

RSR20-14#esw-upgrade xmodem slot 5 //Transmit the software version of the switch fabric module in the flash memory of the router to the flash memory of the switch fabric module (if the switch fabric module is seated in Slot 5, enter slot 5; if it is seated in Slot 6, enter slot 6).

*Mar 29 06:09:29: %UPGRADE-6-ESW_CARD_UPRADE: Now start transmit file.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!#
*Mar 29 06:24:45: %UPGRADE-6-ESW_CARD_UPRADE: Upload completed, 4221664 bytes of valid data has been transferred.

*Mar 29 06:24:45: %UPGRADE-6-ESW_CARD_UPRADE: Please wait a few minutes(about 8-15min) for the switch card upgrading until you can login the card.  //Wait another 8-15 minutes (15 minutes are recommended) to ensure that version files of the switch fabric module are all received.

7.      Enable services of the switch fabric module, log in to the switch fabric module, and check its software version.

RSR20-14#esw-switch open-service   //Enable services of the switch fabric module.

RSR20-14#service-module fastEthernet 5/0 session   //Enter the switch fabric module. If the switch fabric module is seated in Slot 5, enter 5/0; if it is seated in Slot 6, enter 6/0.

8.      (Optional) Rename the main program file of the switch fabric module.

If the original main program of the switch fabric module is rgnos.bin, skip to Step 9.

Notes:

- If the original main program file of the switch fabric module is rgnos.bin, the version file transmitted over Xmodem directly replaces it and the file does not need to be renamed. The switch fabric module fails if it is renamed.

- If the original main program file of the switch fabric module is rgos.bin, the new program file needs to be renamed rgos.bin to ensure successful upgrade. The following example is based on the original main program file rgos.bin of the switch fabric module.

1)      Display the main program file of the switch fabric module.

Ruijie#dir

    Mode Link      Size               MTime Name
-------- ---- --------- ------------------- ------------------
<DIR>    1         0 1970-01-01 08:00:00 dev/
<DIR>    1         0 1970-01-01 08:00:03 ram/
<DIR>    2         0 1970-01-01 08:00:35 tmp/
<DIR>    0         0 1970-01-01 08:00:00 proc/
            1         8 1970-01-04 10:15:00 priority.dat
            1   4221696 1970-01-01 08:51:00 rgnos.bin           //New main program of the switch fabric module
            1   5885184 1970-01-01 08:05:51 rgos.bak            //Original main program backup of the switch fabric module
            1   5885184 1970-01-01 09:42:03 rgos.bin            //Original main program of the switch fabric module
--------------------------------------------------------------
4 Files (Total size 15992072 Bytes), 4 Directories.
Total 31457280 bytes (30MB) in this device, 12918784 bytes (12MB) available.

2)     Rename the new main program of the switch fabric module rgos.bin.

Ruijie#rename flash:rgnos.bin flash:rgos.bin   //The new main program directly replaces the original main program.

3)     Check whether the new main program is renamed successfully.

Ruijie#dir

    Mode Link      Size               MTime Name
-------- ---- --------- ------------------- ------------------
<DIR>    1         0 1970-01-01 08:00:00 dev/
<DIR>    1         0 1970-01-01 08:00:03 ram/
<DIR>    2         0 1970-01-01 08:00:35 tmp/
<DIR>    0         0 1970-01-01 08:00:00 proc/
            1         8 1970-01-04 10:15:00 priority.dat
            1   5885184 1970-01-01 08:05:51 rgos.bak
            1   4221696 1970-01-01 08:51:00 rgos.bin            //The new main program is successfully renamed rgos.bin.

9.      Press Ctrl+X to exit the switch fabric module and restart the router to complete upgrade of the switch fabric module.

Notes:

1)     The switch fabric module can be managed from the router's console. It is not recommended that the switch fabric module be independently restarted and upgraded. If some management commands become unavailable after the switch fabric module is independently restarted, the router needs to be restarted.

2)     When the system reaches the state "FastEthernet 0/0, changed state to up" after router restart, wait 4-5 minutes for the switch fabric module to complete upgrade. Then, the system is restarted completely. This waiting is required only after the upgrade of the switch fabric module is complete, and is not required in normal restart.

RSR20-14#reload   //Restart the router to complete the upgrade.

Proceed with reload? [no]y

 

II. Upgrade Verification

Check whether the software versions of both the router and switch fabric module are upgraded successfully.

1)     Check whether the router is upgraded successfully.

RSR20-14#show version

System description      : Ruijie Router (RSR20-14) by Ruijie Networks

System start time       : 2013-03-29 7:7:40

System uptime           : 0:0:3:36

System hardware version : 1.00

System software version : RGOS 10.3(5T86), Release(154167)

System BOOT version     : 10.3.154167

2)     Enter the switch fabric module and check whether it is upgraded successfully.

Ruijie#show version

System description      : Ruijie Switch Service Module(NM2-24ESW) by Ruijie Network Co., Ltd..

System start time       : 1970-1-1 8:0:0

System hardware version : 2.0

System software version : RGOS 10.2(3T42), Release(153542)

System boot version     : 10.2.21580

System CTRL version     : 10.2.45595

System serial number    : 0000000000000

Device information:

  Device-1

    Hardware version : 2.0

    Software version : RGOS 10.2(3T42), Release(153542)

    BOOT version     : 10.2.21580

    CTRL version     : 10.2.45595

    Serial Number    : 0000000000000
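As an added check for the verification step above (example code written for this page, not Ruijie's), the script below parses the two show version outputs and flags any unit, including each Device-N entry of the switch fabric module, whose software version or release number differs from the target; the target version and release are assumptions the caller supplies from the release it installed.

```python
"""Verify RGOS 'show version' output after an upgrade.

Example added for this cookbook (not Ruijie code): parses the 'show version'
text of the router and of the NMX-24ESW switch fabric module and reports any
unit whose software version or release number differs from the target.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "RGOS 10.3(5T86), Release(154167)" -> ("10.3(5T86)", "154167")
VERSION_RE = re.compile(r"RGOS\s+(?P<ver>[\w.()]+),\s*Release\((?P<rel>\d+)\)")

Version = Tuple[str, str]  # (software version, release number)

# Sample outputs copied from the cookbook's upgrade verification step.
ROUTER_SHOW_VERSION = """\
System description      : Ruijie Router (RSR20-14) by Ruijie Networks
System start time       : 2013-03-29 7:7:40
System uptime           : 0:0:3:36
System hardware version : 1.00
System software version : RGOS 10.3(5T86), Release(154167)
System BOOT version     : 10.3.154167
"""

ESW_SHOW_VERSION = """\
System description      : Ruijie Switch Service Module(NM2-24ESW) by Ruijie Network Co., Ltd..
System start time       : 1970-1-1 8:0:0
System hardware version : 2.0
System software version : RGOS 10.2(3T42), Release(153542)
System boot version     : 10.2.21580
System CTRL version     : 10.2.45595
System serial number    : 0000000000000
Device information:
  Device-1
    Hardware version : 2.0
    Software version : RGOS 10.2(3T42), Release(153542)
    BOOT version     : 10.2.21580
    CTRL version     : 10.2.45595
    Serial Number    : 0000000000000
"""


@dataclass
class VersionReport:
    description: str = ""
    system: Optional[Version] = None                                  # main program version
    devices: List[Tuple[str, Version]] = field(default_factory=list)  # (label, version)


def parse_show_version(text: str) -> VersionReport:
    """Pull the system software version and every per-device software version
    (the indented lines under 'Device-N') out of 'show version' output."""
    report = VersionReport()
    label = ""
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")
        if not sep:                                  # e.g. "  Device-1" has no colon
            if raw.strip().startswith("Device-"):
                label = raw.strip()
            continue
        key, value = key.strip(), value.strip()
        if key == "System description":
            report.description = value
        elif key == "System software version":
            m = VERSION_RE.search(value)
            report.system = (m.group("ver"), m.group("rel")) if m else None
        elif key == "Software version":              # per-device line
            m = VERSION_RE.search(value)
            if m:
                report.devices.append((label, (m.group("ver"), m.group("rel"))))
    return report


def check_upgrade(text: str, expected_ver: str, expected_rel: str) -> List[str]:
    """Return the list of mismatches; an empty list means the unit verified OK."""
    report = parse_show_version(text)
    expected: Version = (expected_ver, expected_rel)
    problems: List[str] = []
    if report.system is None:
        problems.append("no 'System software version' line found")
    elif report.system != expected:
        problems.append(f"system runs {report.system}, expected {expected}")
    for label, ver in report.devices:
        if ver != expected:
            problems.append(f"{label} runs {ver}, expected {expected}")
    return problems


if __name__ == "__main__":
    # Target versions are assumptions; take them from the release you installed.
    targets = [
        ("router", ROUTER_SHOW_VERSION, ("10.3(5T86)", "154167")),
        ("switch fabric module", ESW_SHOW_VERSION, ("10.2(3T42)", "153542")),
    ]
    for name, output, (ver, rel) in targets:
        problems = check_upgrade(output, ver, rel)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```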

 

1.1.3     Distributed Router Upgrade

Instructions for Distributed Router Upgrade

I. RSR distributed routers include the following series:

RSR30-X SPU10 V2

RSR50E-40

RSR77 series (RSR7704/RSR7708/RSR7716)

RSR77-X series (RSR7708-X/RSR7716-X)

Upgrade in CTRL mode

II. Upgrade at the CTRL Layer

1)     Generally, the upgrade is performed at the CTRL layer only when an upgrade fails or the main program is lost. To upgrade at the CTRL layer, you must connect the cable between the router and a PC to the MGMT interface on the main processing unit (MPU) of the router.

2)     If "send download request" is displayed during startup and the device cannot enter the user mode, the current software version has lost its functions and you need to upgrade the version at the CTRL layer.

III. Upgrade Steps

1.      Prepare the upgrade file on the PC and start the TFTP Server.

1)       Put the software upgrade file and the Trivial File Transfer Protocol (TFTP) Server in the same folder (rename the software version to rgos.bin).

2)       Double click startftp.exe to start the TFTP Server.

2.      Restart the router and enter command mode at the CTRL layer.

Restart the router. When "Press Ctrl+C to enter Ctrl ...." is displayed, press Ctrl+C to enter command mode at the CTRL layer. The Ctrl> prompt is displayed.

3.       Check card identification.

Before the upgrade, check card identification. If any card fails to be identified, stop the process; otherwise the upgrade may fail on all cards. If any card is in UNKNOWN status, that card cannot be upgraded and you need to restart the device. If the card is still in UNKNOWN status after restart, contact Ruijie technical support engineers for upgrade guidance.

Run the upgrade -slot command to check the upgrade path of the device. The following is an example:

Note: Perform upgrade only when all cards are identified.

4.      Transmit the automatic upgrade package to the router.

Connect the cable between the PC and the router to the MGMT interface on the MPU of the router. Run the TFTP command to transmit the automatic upgrade package.

When the prompt SUCCESS: UPGRADING OK is displayed on the router, it indicates that the upgrade package has been transmitted to the router.

5.       Upgrade line cards.

Run the upgrade -slot all -force command to upgrade the version of line cards.

The router automatically upgrades all line cards.

6.      Reset the system to run the automatic upgrade package.

Note:

1.      Do not perform any dangerous operation such as reset or power cutoff when running the automatic upgrade package until the upgrade process is finished.

2.      After the running process is finished, the system is automatically reset to boot a new system.

IV. Verification

1)       Run the show version command to display the device version and check whether the upgrade is successful.

Note:

Run the show version command to display the MAIN, CTRL, and BOOT versions of the MPU and all line cards. If all of these are the latest versions, the upgrade is successful.

2)       Run the show version slot command to display the status of each slot card. Confirm that the software status of each line card is running. The following is an example:

If the status is installed or runing-config for a long time after software upgrade, please immediately contact Ruijie for technical support.

 

Upgrade in Main Program Mode (via TFTP)

I. Upgrade Steps

1.      Configure an IP address for the router Ethernet interface.

Configure an IP address for the router.

Note:

Ensure that the PC can ping the router. Disable the firewall of the PC before upgrade.

2.      Prepare the upgrade file on the PC and start the TFTP Server.

1)     Put the software upgrade file and the TFTP server in the same folder.

2)     Double click startftp.exe to start the TFTP Server.

3.      Check card identification.

Before the upgrade, check card identification. If any card fails to be identified, stop the process; otherwise the upgrade may fail on all cards. If any card is in "no card" status, that card cannot be upgraded and you need to restart the device. If the card is still in "no card" status after restart, contact Ruijie technical support engineers for upgrade guidance.

Run the show upgrade command to check the upgrade path of the device. The following is an example:

Perform upgrade only when all cards are identified. Only the line cards or engines of the version to be released are displayed while the slot number of the active engine is not displayed. That is, if RSR77 has two engines, the standby engine instead of the active engine is displayed; if RSR77 has only one engine, the slot number of the engine is not displayed.

4.      Transmit the automatic upgrade package to the router.

Run the copy tftp: flash:/rgos.bin command to transmit the upgrade file to the router.

 

After transmission, the system automatically verifies the validity of the file. If the standby supervisor module has been inserted before upgrade, the installation package is automatically synchronized to the standby supervisor module. When the prompt SUCCESS: UPGRADING OK is displayed, it indicates that the automatic upgrade package has been transmitted to the router.

Note:

1)       If the prompt Verify the image .......[ok] is displayed, it indicates successful transmission and verification.

2)       If the prompt System is running defragment, please wait....Press Ctrl+C to quit..... is displayed, it indicates that the router is running defragment and please wait.

3)       If the prompt Transmission fail or ...... is displayed, it indicates that transmission fails. Check whether the PC can ping the router, whether the designated directory of TFTP Server is correct, and whether the file name is correct.

4)       If the prompt ERROR: THE BINARY FILE CANNOT BE USED IN CURRENT PRODUCT !!! is displayed, it indicates that validity verification fails (the automatic upgrade package is not applicable to the current product). Please check whether the correct automatic upgrade package is used.

5.      Decompress the upgrade package to line cards (if the current version is 3b21 or a later version, it is recommended but not mandatory to upgrade it to a later version).

Note:

1)       The new and old versions of RSR77 series routers have the same upgrade command: upgrade system rgos.bin, and are only different in the user interface (UI). If the current version is 10.4 (3b15) p1 or a later version, as the upgrade function is optimized and the upgrade time is reduced, the UI is different from that of an earlier version.

2)       After the upgrade system rgos.bin command is run to upgrade and restart the device, the old version of the BOOT layer may remain but it does not matter. If it is required to keep the versions of the MAIN layer, CTRL layer, and BOOT layer consistent, run the following command.

a.      The following is an upgrade UI example for 10.4 (3b15) p1 and a later version.

After the automatic upgrade package is downloaded to the device, run the upgrade system rgos.bin command to upgrade line cards.

Note:

The device is upgraded automatically. The following red box indicates the line cards and corresponding MAIN layer, CTRL layer, and BOOT layer to be upgraded.

Note:

After the upgrade process is finished, the upgrade result is displayed, specifying the line cards implementing image upgrade in this process, image type, and upgrade results. OK indicates successful upgrade. FAIL indicates failed upgrade.

b.      The following is an upgrade UI example for 10.4 (3b15) p1 and an earlier version.

After the automatic upgrade package is downloaded to the device, run the upgrade system rgos.bin command to upgrade line cards.

Note:

The device is upgraded automatically. The following red box indicates the line cards and corresponding MAIN layer, CTRL layer, and BOOT layer to be upgraded.

6.      Reset the system to run the automatic upgrade package.

Note:

Do not perform any dangerous operation such as reset or power cutoff when running the automatic upgrade package until the upgrade process is finished.

 

II. Verification

1)       Run the show version command to display the device version and check whether the upgrade is successful.

Note:

a)       Run the show version command to display the MAIN versions of the MPU and all line cards. If all of these are the latest versions, the upgrade is successful.

b)       The MAIN, CTRL, and BOOT versions can be inconsistent. When the manual upgrade is performed, the upgrade system automatically determines whether to upgrade CTRL/BOOT versions based on the upgrade policy in the installation package. Upgrade versions as required.

2)       Run the show version slot command to display the status of each slot card. Confirm that the software status of each slot card is running. The following is an example:

If the status is installed or runing-config for a long time after software upgrade, please immediately contact Ruijie for technical support.

 

Upgrade in Main Program Mode (via FTP)

I. Note to Upgrade via FTP

When the PC that stores the new version sits behind address translation (its private intranet address is translated to a public address), the device cannot reach the PC as a TFTP server, so the upgrade cannot be performed via TFTP. Instead, upgrade via File Transfer Protocol (FTP): enable FTP Server on the device and transmit the software version from the PC to the device via FTP.

II. Upgrade Tips

1.      Enable FTP Server on the device.

2.      Transmit the software version to the device with the PC as an FTP client.

3.      Restart the device to confirm the upgrade result.

III. Upgrade Steps

1.      Log in to the device to be upgraded and enable FTP Server.

Ruijie(config)#ftp-server enable    --->Enables FTP Server.

Ruijie(config)#ftp-server username ruijie --->Configures FTP Server user name.

Ruijie(config)#ftp-server password ruijie --->Configures FTP Server password.

Ruijie(config)#ftp-server topdir /   --->Configures the directory where received files are stored for FTP Server. For the upgrade file, the directory must be indicated by "/".

2.      Configure FTP parameters for the PC to log in to the device and transmit the new version to the device.

Put the bin file to be uploaded in the root directory of a drive, such as C:\.

Choose Start menu > Run, type CMD, and press Enter.

Change to drive C (where the bin file is stored) and start the FTP client (the device acts as the FTP server).

Log in to the device to configure parameters.

3.      Transmit the bin file to the device.

The file is transmitted.

Run the bye command to disable the connection to FTP Server.

4.      Restart the device to check the upgrade result.

Log in to the device and run the DIR command to confirm whether the size in bytes of the rgos.bin file is consistent with the size in the release notes.

For an RSR77/RSR77-X/RSR50E-40 device, upgrade the line cards as well.

Save the configuration of the device, and restart the device.

Run the Ruijie#write command to save the configuration:

Run the Ruijie#reload command to restart the device:

After restart, run the show version command to confirm whether the device has been upgraded to the target version.

 

1.2      Password Restoration

1.2.1     Password Restoration with RGOS Version 10.X

 

I. Password Restoration Requirements

If an administrator forgets the login password, the administrator can enter the Boot layer to restore the password by using a configuration cable. The previous configuration needs to be preserved.

 

II. Password Restoration Principle

The device reads the config.text file during startup and the password is stored in the config.text file. Therefore, enter the BootLoader mode of the device and rename the file. When the device fails to locate the config.text file during startup, it directly enters the system. After the device enters the system, name the configuration file config.text, set a new password and save it. Then, you can log in to the device by using the new password next time.

 

III. Password Restoration

1.      Get a configuration cable ready for password restoration. The device needs to be restarted and password restoration needs to be completed at the Boot layer.

2.      Rename the configuration file rather than delete it during password restoration. Otherwise, the configuration will be lost.

 

IV. Configuration Steps

1.      Restart the router to enter the CLI mode of the Boot layer.

Notes:

The way to enter the CLI mode of the Boot layer on RSR routers differs between RGOS versions later than 10.4 and earlier than 10.4: on routers with RGOS later than 10.4 you can enter the CLI mode directly, while on routers with RGOS earlier than 10.4 you must enter the menu mode first.

1)     Enter the CLI mode of the Boot layer from the router with RGOS later than 10.4.

Restart the router. When the "Press Ctrl+C to enter Boot ..." prompt is displayed, press Ctrl+C to enter the CLI mode of the Boot layer. The BootLoader> prompt is displayed.

2)     Enter the CLI mode of the Boot layer from the router with RGOS earlier than 10.4.

a.      Restart the router. When the "Press Ctrl+C to enter Boot Menu ..." prompt is displayed, press Ctrl+C to enter the menu mode of the Boot layer.

b.      In menu mode of the Boot layer, press Ctrl+Q to enter the CLI mode of the Boot layer. The BootLoader> prompt is displayed.

2.      Rename the configuration file.

BootLoader>rename config.text config.bak

3.      Restart the device.

BootLoader>reload

4.      Restore the configuration file.

5.      Set a new password and save device configuration.

RSR20-14E#configure terminal

RSR20-14E(config)#enable secret ruijie      //Set a new password.

RSR20-14E(config)#end

RSR20-14E#write        //Save device configuration.

After the new password is set, you can use it to log in to the system. Other configuration remains unchanged.

 

1.2.2     Password Restoration on RSR77

 

I. Password Restoration Requirements

If an administrator forgets the login password, the administrator can enter the Ctrl layer to restore the password by using a configuration cable. The previous configuration needs to be preserved.

 

II. Password Restoration Principle

The device reads the config.text file during startup and the password is stored in the config.text file. Therefore, enter the Ctrl layer of the device and rename the file. When the device fails to locate the config.text file, it directly enters the system. After the device enters the system, name the configuration file config.text, set a new password and save it. Then, you can log in to the device by using the new password next time.

 

III. Password Restoration

1. Get a configuration cable ready for password restoration. The device needs to be restarted and password restoration needs to be completed at the Ctrl layer.

2. Rename the configuration file rather than delete it during password restoration. Otherwise, the configuration will be lost.

 

IV. Steps

1.      Restart the router to enter the CLI mode of the Ctrl layer.

Restart the router. When the "Press Ctrl+C to enter Ctrl ..." prompt is displayed, press Ctrl+C to enter the CLI mode of the Ctrl layer. The Ctrl> prompt is displayed.

2.      Rename the configuration file.

Ctrl>rename config.text config.bak   // Rename the configuration file to config.bak.

3.      Restart the device.

Ctrl>reload

4.      Restore the configuration file.

Note:

To copy the configuration file on routers with RGOS earlier than 10.4, the command must be copy flash:/config.bak flash:/config.text, with a slash (/) after flash: to indicate the absolute path. The slash (/) is not needed on routers with RGOS later than 10.4.

5.      Set a new password and save device configuration.

RSR7708#configure terminal

RSR7708(config)#enable secret ruijie

RSR7708(config)#end

RSR7708#*Mar  8 10:36:56: %SYS-5-CONFIG_I: Configured from console by console

*Mar  8 10:36:56: %PARAM-6-CONFIG_SYNC: Sync'ing the running configuration to the standby supervisor.

*Mar  8 10:36:56: %PARAM-6-CONFIG_SYNC: The running configuration has been successfully synchronized to the standby supervisor.

RSR7708#write

Building configuration...

[OK]

RSR7708#*Mar  8 10:37:01: %PARAM-6-CONFIG_SYNC: Sync'ing the startup configuration to the standby supervisor.

*Mar  8 10:37:01: %PARAM-6-CONFIG_SYNC: The startup configuration has been successfully synchronized to the standby supervisor.

After the new password is set, you can use it to log in to the system. Other configuration remains unchanged.

 

1.2.3     Password Restoration on 4G Router

I. Steps

RSR10-01G series 4G routers support password recovery through the FUNC button on the device. The recovery steps are as follows:

1.      Restart the device and immediately press and hold the FUNC key for 6-10 seconds.

2.      Change the IP address of the PC to the same network segment as the router and log in to the router web interface using the default IP address.

1)     Change the IP address of the PC to the 192.168.1.0/24 segment. It is recommended to use an address that is unique on the network, such as 192.168.1.2.

2)     Access http://192.168.1.1 with the Chrome or Firefox browser and log in with the account and password admin/admin.

3)     The web interface redirects to a recovery page.

The recovery page displays the original IP address of the device, which is usually the LAN gateway address of the intranet. The page also provides three options.

A.     Recover to the latest configuration: the device configuration is not changed. This option is for the case where the customer remembers the account and password of the device but has forgotten its IP address.

B.     Reset the login password of the web interface only: after this operation, users can log in to the device with "admin" as the username and password, while all other configuration stays the same. (Attention: after using this option, log in to the router using the original IP address instead of 192.168.1.1.)

1)     Reset the password.

Enter the new password and click the Reset button to reset the web password.

2)     Access the original IP address.

(In this example, the IP address is 192.168.100.254.)

Change the IP address of the PC to any address in the 192.168.100.0 segment. Then open http://192.168.100.254 in a web browser and log in with the username admin and the new password ruijie.

C.     Factory reset: clears all configuration and restores the default login account and IP address.

 

 

1.3      Upgrade Firmware and Import Configuration Using FUNC Key

1.3.1     Upgrade Firmware Using FUNC Key

 

Features

You can upgrade the device software in one-key mode by using the FUNC key. No commands need to be executed for the upgrade.

Notes:

1.      The FUNC key must exist on the device or supervisor module (this key does not exist on devices of earlier versions and therefore, the one-key upgrade is not supported in such devices).

2.      Access and convergence switches support one-key upgrade since version 3b12.

3.      The RSR77 router supports one-key upgrade since version 3b21.

Principle

After the device is normally started and successfully identifies a USB flash drive or SD card, press the FUNC key. The system interrupts the current task and executes the FUNC key processing task. In the FUNC key processing task, the system detects whether an SD card or USB flash drive is inserted into the current device. If not, the system directly resets. If a storage medium is identified, the system scans the storage medium to detect whether an installation package in the specified file name format exists in the root directory. If an installation package in the correct format is detected, the system upgrades the device. After the upgrade ends, the system resets and restarts using the new software version.

Upgrade Steps

1.      Prepare the bin file required for the upgrade.

Copy the bin file into the root directory of the USB flash drive and rename it rgos.bin. It is strongly recommended that only one bin file be stored in the USB flash drive.

2.      Insert the USB flash drive into the USB port of the device.

Wait until the USB indicator on the panel turns solid green, indicating that the device has correctly identified the USB flash drive.

3.      Press FUNC to upgrade the device (the device cannot be powered off).

Use a small object to press the FUNC key. After FUNC is pressed, the device automatically starts upgrade. The USB indicator blinks and the device automatically resets after upgrade. After the SYS indicator turns solid green, the upgrade is complete. Log in to the device to check the version.

Verification

Run the show version command to check whether the device is upgraded successfully.

Ruijie#show version

System description      : Ruijie Router (RSR20-14-E) by Ruijie Networks

System start time       : 2015-01-29 11:53:33

System uptime           : 11:2:44:28

System hardware version : 1.00

System software version : RGOS 10.3(3b23), Release(174201)

System BOOT version     : 10.3.150859

System serial number    : 123456789efagd

Ruijie#

For RSR77 routers, run the show version slot command to display operating status of cards in slots and check that Software Status of each card is running. The following figure shows an example.

If the Status remains installed or running-config for a long time after the software upgrade, immediately contact Ruijie Networks for technical support.

 

       Configuration

1.1      Basic Function Configuration

1.1.1     Initial Configuration

 

Features

There is no startup configuration on Ruijie routers by default. You can log in to the management device by using a console cable. The following initial configuration is recommended to facilitate management and maintenance of devices.

 

Configuration

Host name (recommended):

Ruijie(config)#hostname XWRJ    //Name the device XWRJ.

XWRJ(config)#

 

Interface description (recommended):

XWRJ(config)#interface f0/0

XWRJ(config-if-FastEthernet 0/0)#description To_BJ

 

System clock (mandatory):

System time is very important: fault logs and CA certificate validation rely on accurate timestamps.

Ruijie>enable 

Ruijie#clock set 10:00:00 12 1 2012     //Set the clock in the format hh:mm:ss mm dd yyyy.

Ruijie#configure terminal        //Enter global configuration mode.

Ruijie(config)#clock timezone beijing 8    //Set the device time zone to UTC+8 (Beijing time).

 

Log recording (recommended):

Record logs in the flash memory. History logs are very useful for locating a fault. Note: Debug logs can be recorded only after the log level is set to 7.

XWRJ(config)#logging file flash:log 2000000 7

 

Management IP address (recommended):

In general, loopback 0 is used as the management interface according to customer network planning.

XWRJ(config)#interface loopback 0

XWRJ(config-if-Loopback 0)#ip address 1.1.1.1 255.255.255.255

 

Telnet (recommended):

Configure the telnet function on all network devices. If the telnet function is not configured, faults can be handled only on site.

XWRJ(config)#enable secret 0 ruijie     //The enable password must be configured for the telnet function.

XWRJ(config)#line vty 0 4

XWRJ(config-line)#password 0 ruijie

XWRJ(config-line)#login

 

Password encryption (recommended):

Router(config)#service password-encryption      //This command encrypts all passwords configured on the device so that they do not appear in plaintext in the configuration.

 

1.1.2     Ruijie Express Forwarding (REF)

 

Features

Ruijie Express Forwarding (REF) is Ruijie-specific fast forwarding technology. All functions of the current router software version are implemented based on the REF platform. The IP REF function must be configured on all Layer-3 interfaces. If the REF function is not correctly enabled, device functions may be unavailable or the device may run abnormally.

The following exceptions may arise if the REF function is not correctly enabled on the device:

1.      The CPU utilization of the device is high.

2.      High delay, packet loss, and other exceptions occur on customer services forwarded or processed by the device.

3.      Some functions are unavailable on the device.

4.      The device runs abnormally and the device breaks down or restarts.

The REF function needs to be configured on the following devices:

RSR10, RSR20, RSR30, NPE50, RSR50, and RSR50E-80 series routers

The REF function does not need to be configured on the following devices:

RSR810, RSR820, RSR10-02E, RSR20-14E/F, RSR30-X, RSR50E-40, RSR77, RSR77-X series routers and new products released later, on which the IP REF function is enabled for all Layer-3 interfaces by default

Enabling the REF

1.      Ensure that the IP REF function is configured on all Layer-3 interfaces of routers during project testing and engineering implementation.

2.      Pay attention to the REF configuration of Layer-3 interfaces of routers during network inspection. If the REF function is not correctly configured, configure IP REF in a timely manner.

Note: Services may be interrupted momentarily when IP REF is configured. Therefore, configure it during off-peak hours.

3.      The interfaces on which the IP REF function needs to be configured are as follows:

Ethernet interfaces:

      interface FastEthernet
         ip ref
      interface GigabitEthernet
         ip ref

Virtual interfaces:

      interface Dialer
         ip ref
      interface Group-Async
         ip ref
      interface Multilink
         ip ref
      interface Tunnel
         ip ref
      interface Virtual-ppp
         ip ref
      interface Virtual-template
         ip ref
      interface Vlan
         ip ref

WAN interfaces:

      interface Async
         ip ref
      interface ATM
         ip ref
      interface Pos
         ip ref
      interface Serial
         ip ref
      Controller e1
         ip ref
      Controller sonet
         ip ref

Note: The IP REF function cannot be configured on some interfaces of routers with RGOS earlier than 10.4. You do not need to memorize these interfaces; instead, apply the following principle: in interface configuration mode, run the ip ref command. If the command is accepted, the IP REF function is required on that interface.

 

1.1.3     DHCP

1.1.3.1     DHCP Basic Configuration

 

Features

The Dynamic Host Configuration Protocol (DHCP) operates based on client/server mode. The DHCP server dynamically allocates IP addresses, gateway addresses, DNS server addresses, and other parameters for clients.

DHCP supports two mechanisms for IP address allocation:

l  Dynamic allocation: The DHCP server allocates an IP address to a client for a limited period of time (or until the client explicitly relinquishes the IP address).

l  Manual allocation: Network administrators specify IP addresses for clients. Administrators can allocate specified IP addresses to clients by using DHCP.

 

Scenarios

DHCP needs to be enabled on routers to meet enterprises' requirement that a host connecting to the network should be able to automatically obtain an IP address without extra configuration.

 

I. Networking Requirements

Requirement 1: common DHCP configuration

Requirement 2: Static IP addresses need to be allocated to specific PCs.

 

II. Networking Topology

III. Configuration Tips

1.      Enable the DHCP service.

2.      Configure the DHCP address pool.

3.      (Optional) Configure IP addresses that cannot be allocated to PCs.

4.      (Optional) Specify static IP addresses that need to be allocated to specific PCs.

5.      Verify and save the configuration.

 

IV. Configuration Steps

Requirement 1: common DHCP configuration

1.      Enable the DHCP service.

Ruijie>enable 

Ruijie#configure terminal

Ruijie(config)#service dhcp     //Enable the DHCP service (the DHCP service is disabled on RSR series routers by default and this command must be executed to enable it).

2.      Configure the DHCP address pool.

Ruijie(config)#ip dhcp pool ruijie  //Create a DHCP address pool named ruijie.

Ruijie(dhcp-config)#lease 1 2 3 //1, 2, and 3 indicate days, hours, and minutes respectively (the default lease is 24 hours).

Ruijie(dhcp-config)#network 192.168.1.0 255.255.255.0 //The range of addresses that can be allocated is 192.168.1.1 to 192.168.1.254.

Ruijie(dhcp-config)#dns-server 8.8.8.8  6.6.6.6 //8.8.8.8 indicates the IP address of the primary DNS server and 6.6.6.6 indicates the IP address of the secondary DNS server.

Ruijie(dhcp-config)#default-router 192.168.1.1 //Gateway address. Only the IP address is required while the subnet mask is not needed.

Ruijie(dhcp-config)#exit

3.      (Optional) Configure IP addresses that cannot be allocated to PCs.

Ruijie(config)#ip dhcp excluded-address 192.168.1.1  192.168.1.10   //192.168.1.1 to 192.168.1.10 are not allocated by the DHCP server.

4.      Verify and save the configuration.

Ruijie(config)#end

Ruijie#write      //Verify and save the configuration.

 

Verification

1)     Set the network adapter of a PC to automatically obtain an IP address and then check whether the network adapter successfully obtains an IP address.

Right-click the network adapter of the PC, choose Status from the shortcut menu, and then click Details. The IP address obtained by the network adapter and other parameter values are displayed.

2)     Display information about the IP address dynamically allocated on the router.

Requirement 2: Static IP addresses need to be allocated to specific PCs.

DHCP manual allocation: assume that the PC with the MAC address f0de.f17f.cb4c must automatically obtain the IP address 192.168.1.88.

The DHCP server therefore needs to allocate a static IP address to the client with that MAC address. There are two methods of allocating IP addresses based on the client MAC address identifier carried in the client's DHCP request:

1)     Run the client-identifier 01+MAC address command (01 indicates that the network type is Ethernet).

2)     Run the hardware-address MAC address command.

Notes:

It is recommended that the client-identifier command be executed to allocate static IP addresses to clients with specific MAC addresses. If IP addresses fail to be manually allocated using the client-identifier command, run the hardware-address command.

1.      Enable the DHCP service.

Ruijie>enable 

Ruijie#configure terminal

Ruijie(config)#service dhcp      //Enable the DHCP service (the DHCP service is disabled on RSR series routers by default and this command must be executed to enable it).

2.      Specify static IP addresses that need to be allocated to specific PCs.

Ruijie(config)#ip dhcp pool zhangsan //Set the name of the static IP address pool to zhangsan.

Ruijie(dhcp-config)#client-identifier 01f0.def1.7fcb.4c   //Configure the client identifier: 01 followed by the client MAC address (this mode is recommended).

(Optional) Ruijie(dhcp-config)#hardware-address f0de.f17f.cb4c  //Configure the client MAC address (attempt this command if an IP address fails to be manually allocated using the client-identifier command).

Ruijie(dhcp-config)#host 192.168.1.88 255.255.255.0   //Configure the static IP address to be allocated and its subnet mask.

Ruijie(dhcp-config)#dns-server 8.8.8.8  6.6.6.6 //8.8.8.8 indicates the IP address of the primary DNS server and 6.6.6.6 indicates the IP address of the secondary DNS server.

Ruijie(dhcp-config)#default-router 192.168.1.1 //Configure the user gateway.

3.      Verify and save the configuration.

Ruijie(config)#end

Ruijie#write      //Verify and save the configuration.
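The difference between the two binding methods above is what the server compares: client-identifier matches DHCP option 61 (01 + MAC) byte for byte, while hardware-address matches the chaddr field of the request, which is why the latter works when a client sends no option 61. The following added example (not from the Ruijie cookbook) builds constructed DHCPDISCOVER packets, converts a MAC into the dotted client-identifier form used above, and emulates the lookup against pool entries mirroring the zhangsan configuration.

```python
"""Added example (not from the Ruijie cookbook): how a DHCP server matches a static
binding either on option 61 (the client-identifier form, "01" + MAC) or on the
chaddr field (the hardware-address form), and why the second is the fallback when a
client does not send option 61. Packets and pool entries are constructed inline."""
import struct
from typing import List, Optional

HTYPE_ETHERNET = 0x01                  # hardware type 1 = Ethernet, the "01" prefix
MAGIC_COOKIE = b"\x63\x82\x53\x63"     # RFC 2131 options magic cookie


def normalize_mac(mac: str) -> bytes:
    """Accept f0de.f17f.cb4c, f0:de:f1:7f:cb:4c or f0-de-f1-7f-cb-4c; return 6 raw bytes."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def mac_to_client_identifier(mac: str) -> str:
    """Render "01" + MAC in the dotted form the client-identifier command takes,
    e.g. f0de.f17f.cb4c -> 01f0.def1.7fcb.4c."""
    hexstr = (bytes([HTYPE_ETHERNET]) + normalize_mac(mac)).hex()
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def build_dhcp_discover(mac: str, xid: int = 0x1234, send_option_61: bool = True) -> bytes:
    """Constructed minimal DHCPDISCOVER (RFC 2131 fixed header + options).
    Many clients send option 61 = 01 + MAC; some clients omit it entirely."""
    chaddr = normalize_mac(mac).ljust(16, b"\x00")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, HTYPE_ETHERNET, 6, 0,            # op=BOOTREQUEST, htype, hlen, hops
        xid, 0, 0x8000,                     # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        chaddr, b"\0" * 64, b"\0" * 128,    # chaddr, sname, file
    )
    options = bytes([53, 1, 1])             # option 53: DHCP message type = DISCOVER
    if send_option_61:
        cid = bytes([HTYPE_ETHERNET]) + normalize_mac(mac)
        options += bytes([61, len(cid)]) + cid
    return header + MAGIC_COOKIE + options + b"\xff"   # 0xFF = end option


def parse_dhcp(packet: bytes) -> dict:
    """Return the client hardware address (hlen bytes of chaddr) and options {code: bytes}."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    hlen = packet[2]
    chaddr = packet[28:28 + hlen]           # chaddr starts at offset 28 of the fixed header
    options, i = {}, 240
    while i < len(packet) and packet[i] != 0xFF:
        if packet[i] == 0:                  # pad option has no length byte
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"chaddr": chaddr, "options": options}


def match_static_binding(packet: bytes, pools: List[dict]) -> Optional[str]:
    """Emulate the server lookup: a pool with client_identifier must equal option 61
    byte for byte; a pool with hardware_address is compared against chaddr.
    Returns the host address of the first matching pool, or None."""
    msg = parse_dhcp(packet)
    opt61 = msg["options"].get(61)          # None when the client sent no option 61
    for pool in pools:
        if "client_identifier" in pool:
            want = bytes.fromhex(pool["client_identifier"].replace(".", ""))
            if opt61 == want:
                return pool["host"]
        if "hardware_address" in pool:
            if msg["chaddr"] == normalize_mac(pool["hardware_address"]):
                return pool["host"]
    return None


# Constructed pool entries mirroring the zhangsan configuration above: the
# recommended client-identifier binding first, the hardware-address binding as fallback.
POOLS = [
    {"name": "zhangsan", "client_identifier": mac_to_client_identifier("f0de.f17f.cb4c"),
     "host": "192.168.1.88"},
    {"name": "zhangsan-fallback", "hardware_address": "f0de.f17f.cb4c", "host": "192.168.1.88"},
]

if __name__ == "__main__":
    with_id = build_dhcp_discover("f0de.f17f.cb4c")
    without_id = build_dhcp_discover("f0de.f17f.cb4c", send_option_61=False)
    print(match_static_binding(with_id, POOLS[:1]))     # 192.168.1.88 via option 61
    print(match_static_binding(without_id, POOLS[:1]))  # None: client sent no option 61
    print(match_static_binding(without_id, POOLS))      # 192.168.1.88 via chaddr fallback
```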

Verification

1)     Set the network adapter of a PC to automatically obtain an IP address and then check whether the network adapter successfully obtains an IP address.

Right-click the network adapter of the PC, choose Status from the shortcut menu, and then click Details. The IP address obtained by the network adapter and other parameter values are displayed.

2)     Display information about the allocated IP address on the router.

 

 

1.1.3.2     DHCP Relay

 

Features

The Dynamic Host Configuration Protocol (DHCP) relay is also called DHCP relay agent. If a DHCP client is in the same IP network segment as the DHCP server, the DHCP client can correctly obtain an IP address that is dynamically allocated. If a DHCP client is not in the same IP network segment as the DHCP server, DHCP relay agent is required. DHCP relay agent breaks the limitation that a DHCP server must exist in each IP network segment. It is capable of transmitting DHCP messages to a DHCP server in a different IP network segment and transmitting messages from a server to a DHCP client that is not in the same IP network segment as the DHCP server.

 

Scenarios

An enterprise needs to deploy a DHCP server, but intranet users are not in the same network segment as the DHCP server. The DHCP relay function needs to be enabled on the gateway router of the users.

 

I. Networking Requirements

1)     The DHCP server is an intranet server with the IP address of 192.168.2.100.

2)     Intranet user hosts are connected to a router, which is in a different IP network segment from the DHCP server. The user hosts can automatically obtain IP addresses only by using DHCP relay.

 

II. Networking Topology

 

III. Configuration Tips

1.      Enable the DHCP service.

2.      Enable DHCP relay.

3.      Verify and save the configuration.

 

IV. Configuration Steps

Notes:

1)      The DHCP server can be a Windows- or Linux-based host with the DHCP service enabled or a router or switch configured with the DHCP service.

2)      If an RSR router functions as a DHCP server, see section "DHCP" for the configuration (choose Typical Configuration>Basic Function Configuration>DHCP>DHCP).

3)       Ensure that the DHCP server functions properly. Test method: Connect a PC to a switch that is in the same network segment as the DHCP server and set the server IP address to be in the same IP address segment as the DHCP client. Then, check whether the PC automatically obtains an IP address.

1.      Enable the DHCP service.

Ruijie>enable 

Ruijie#configure terminal

Ruijie(config)#service dhcp      //Enable the DHCP service (the DHCP service is disabled on RSR series routers by default and this command must be executed to enable it).

2.      Enable DHCP relay.

Ruijie(config)#ip helper-address 192.168.2.100 //Relay DHCP requests to the DHCP server at 192.168.2.100.

3.      Verify and save the configuration.

Ruijie(config)#end

Ruijie#write      //Check that the configuration is correct and save the configuration.

 

V. Verification

1)     Set the network adapter of a PC to automatically obtain an IP address and then check whether the network adapter successfully obtains an IP address.

Right-click the network adapter of the PC, choose Status from the shortcut menu, and then click Details. The IP address obtained by the network adapter and other parameter values are displayed.

 

2)     Display information about the IP address dynamically allocated on the router.

1.1.4     Syslog

Features:

During operation, the device may encounter status changes (for example, a link switching between UP and DOWN) and events (such as abnormal packets and handling exceptions). Ruijie product logs provide a mechanism by which, on a status change or event, a message in a fixed format is generated automatically and displayed in the related windows (such as the console and Virtual Teletype Terminal (VTY)), saved in related media (such as the memory buffer and flash), or transmitted to a set of log servers on the network for network diagnosis and troubleshooting by the administrator. To help the administrator read and manage logs, messages can be marked with timestamps and sequence numbers and classified by priority.

I. Networking Requirements

When an exception occurs in the device, the administrator can check the cause via logs, and analyze and locate faults.

 

II. Configuration Tips

1.      Enable/disable logs.

2.      Enable log display on the VTY window.

3.      Configure the buffer memory space for logs.

4.      Save logs in the flash.

5.      Send logs to the Syslog Server on the network.

6.      Enable the log timestamp.

7.      Record the CLI commands executed by users in the log.

 

III. Configuration Steps

1.      Enable/disable logs.

Logs are enabled by default. If logs are disabled, the device will not print logs on the user window or send them to the Syslog Server or save them in related media (such as the buffer memory or flash).

Ruijie(config)#logging on      //Enables logs.

Ruijie(config)#no logging on    //Disables logs. Generally it is not recommended.

2.      Enable log display on the VTY window.

Note:

When you log in to the device through Telnet or SSH, logs are not displayed by default. To display them, run the terminal monitor command.

Ruijie#terminal monitor //Enables log display on the VTY window.

Ruijie#terminal no monitor      //Disables log display on the VTY window.

3.      Configure the buffer memory space for logs.

Ruijie(config)#logging buffered 1000000  7       //1000000 indicates that the buffer memory space of logs is 1,000,000 bytes (when logs exceed the threshold, old logs are overwritten). 7 indicates that all logs (including debugging data) are saved.

 

4.      Save logs in the flash.

   

Ruijie(config)#logging file flash:log 6000000  7     //6000000 indicates that each log file is 6,000,000 bytes (when logs exceed the threshold, old logs are overwritten). 7 indicates that all logs (including debugging data) are saved. 16 log.txt files are generated by default; each file has a size of 6 MB, so all files occupy 6*16=72 MB in the flash. Set the value based on the total size of the flash.

 

Note:

When an exception occurs in the device, you need to collect logs and it is recommended to save them in the flash (logs are saved only in the memory by default and may be lost in case of power failure or device restart.)

5.      Send logs to the Syslog Server on the network.

Ruijie(config)#logging server 192.168.1.2            //192.168.1.2 indicates the address of the Syslog Server.

Ruijie(config)#logging trap 7            //(Optional) Sets the severity level of logs sent to the Syslog Server. 7 indicates that all logs (including debugging data) are sent.

Ruijie(config)#logging source interface loopback 0       //(Optional) Configures the source IP address from which the device sends syslog packets.

 

Note:

When an exception occurs in the device, you need to collect logs, so it is recommended to send them to the Syslog Server on the network (logs are saved only in the memory by default and may be lost in case of power failure or device restart).

6.      Enable the log timestamp.

Ruijie(config)#service timestamps debug datetime msec //Enables the timestamp for debugging data.

Ruijie(config)#service timestamps log datetime msec  //Enables the timestamp for common logs.

7.      Record the CLI commands executed by users in the log.

Ruijie(config)#logging userinfo command-log
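On the receiving side, the Syslog Server sees messages in the %FACILITY-SEVERITY-MNEMONIC format shown in the RSR77 console output earlier in this document. The following added example (not from the Ruijie cookbook) parses such lines, applies the same severity threshold that logging trap imposes before forwarding, and pulls out the SYS-5-CONFIG_I configuration-change events an administrator would want to alert on. The sample lines are constructed; the LINK-3-UPDOWN line and the .513 millisecond field (as produced with the msec timestamp option) are assumed formats.

```python
"""Added example (not from the Ruijie cookbook): parse RGOS-style log lines in the
"%FACILITY-SEVERITY-MNEMONIC" format and apply the severity threshold that
"logging trap <level>" applies before forwarding to a Syslog Server."""
import re
from typing import List, Optional

SEVERITY_NAMES = {
    0: "emergencies", 1: "alerts", 2: "critical", 3: "errors",
    4: "warnings", 5: "notifications", 6: "informational", 7: "debugging",
}

# Constructed sample log. The first three lines copy the format of the RSR77
# console output shown earlier in this cookbook; the fourth line (LINK-3-UPDOWN,
# millisecond timestamp) is an assumed format for a severity-3 message.
SAMPLE_LOG = """\
*Mar  8 10:36:56: %SYS-5-CONFIG_I: Configured from console by console
*Mar  8 10:36:56: %PARAM-6-CONFIG_SYNC: Sync'ing the running configuration to the standby supervisor.
*Mar  8 10:37:01: %PARAM-6-CONFIG_SYNC: The startup configuration has been successfully synchronized to the standby supervisor.
*Mar  8 10:40:12.513: %LINK-3-UPDOWN: Interface GigabitEthernet 0/1, changed state to down
"""

LOG_RE = re.compile(
    r"^\*?(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?):\s+"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s+"
    r"(?P<message>.*)$"
)


def parse_rgos_log(line: str) -> Optional[dict]:
    """Split one log line into timestamp, facility, severity, mnemonic and message;
    return None for lines that do not follow the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    fields["severity_name"] = SEVERITY_NAMES[fields["severity"]]
    return fields


def filter_by_trap_level(lines: List[str], trap_level: int) -> List[dict]:
    """Keep the messages a router configured with "logging trap <trap_level>" would
    forward: severities run 0 (most urgent) to 7 (debugging), so a message is
    forwarded when its severity number is <= the configured level."""
    if not 0 <= trap_level <= 7:
        raise ValueError("trap level must be 0..7")
    kept = []
    for line in lines:
        entry = parse_rgos_log(line)
        if entry is not None and entry["severity"] <= trap_level:
            kept.append(entry)
    return kept


def config_change_events(lines: List[str]) -> List[dict]:
    """Defender's view: return the SYS-5-CONFIG_I events, i.e. each time the running
    configuration was changed, which the Syslog Server should alert on."""
    return [e for e in (parse_rgos_log(ln) for ln in lines)
            if e is not None and e["facility"] == "SYS" and e["mnemonic"] == "CONFIG_I"]


if __name__ == "__main__":
    # Equivalent of "logging trap 5": notifications and more urgent only.
    for entry in filter_by_trap_level(SAMPLE_LOG.splitlines(), 5):
        print(entry["severity_name"], entry["facility"], entry["mnemonic"], entry["message"])
```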

 

1.2      IP routing

1.2.1     Static Route

1.2.1.1     Basic Configuration of Static Route

 

Features

Static routes are manually configured routes. With static routes, data packets are forwarded to a specified destination network along preset paths. When no dynamic routing protocol is available to learn routes to certain destination networks, configuring static routes is essential.

 

Scenarios

The network scale of an enterprise is small, with less than five routers, and mutual communication and data sharing are required throughout the network. Static routes can be configured on all routers in the network to meet this requirement.

 

I. Networking Requirements

Configure static routes to implement network connectivity.

 

II. Networking Topology

 

 

III. Configuration Tips

1.      Configure IP addresses for interfaces of Router R1.

2.      Configure IP addresses for interfaces of Router R2.

3.      Configure a static route for Router R1.

4.      Configure a static route for Router R2.

5.      Save the configuration.

 

IV. Configuration Steps

1.       Configure IP addresses for interfaces of Router R1.

  Ruijie>enable    //Enter privileged EXEC mode.

  Ruijie#configure terminal     //Enter global configuration mode.

  Ruijie(config)#interface fastethernet 0/1

  Ruijie(config-if-FastEthernet 0/1)#ip address 192.168.1.254 255.255.255.0

  Ruijie(config-if-FastEthernet 0/1)#interface fastethernet 0/0

  Ruijie(config-if-FastEthernet 0/0)#ip address 192.168.3.1 255.255.255.0

  Ruijie(config-if-FastEthernet 0/0)#exit

2.       Configure IP addresses for interfaces of Router R2.

  Ruijie>enable

  Ruijie#configure terminal    

  Ruijie(config)#interface fastethernet 0/1

  Ruijie(config-if-FastEthernet 0/1)#ip address 192.168.2.254 255.255.255.0

  Ruijie(config-if-FastEthernet 0/1)#interface fastethernet 0/0

  Ruijie(config-if-FastEthernet 0/0)#ip address 192.168.3.2 255.255.255.0

  Ruijie(config-if-FastEthernet 0/0)#exit

3.      Configure a static route for Router R1.

Notes:

1)     The next hop of a static route can be specified in two forms: a next-hop IP address or a local outbound interface. If the next hop is specified as a local outbound interface, the static route is treated as a directly connected route, and on an Ethernet link the router must then resolve ARP for every destination address. If a default route at a network egress is configured with a local outbound interface as its next hop, a large number of ARP requests must be resolved, which consumes much of the ARP table; if proxy ARP is disabled at the peer end, the network may fail. If the next hop is specified as a next-hop IP address, the static route is treated as a common recursive route.

2)     On an Ethernet link, configure the next hop of a static route in the form of outbound interface + next-hop IP address. For a default route at a network egress, do not configure a local outbound interface alone as the next hop.

3)     For PPP and HDLC WAN links, it is recommended that the next hop of a static route be configured as the local outbound interface.

Ruijie(config)#ip route 192.168.2.0 255.255.255.0 192.168.3.2   //Configure a static route for forwarding data packets with the destination IP address of 192.168.2.0/24 to the device with the IP address of 192.168.3.2.

4.      Configure a static route for Router R2.

Ruijie(config)#ip route 192.168.1.0 255.255.255.0 192.168.3.1   //Configure a static route for forwarding data packets with the destination IP address of 192.168.1.0/24 to the device with the IP address of 192.168.3.1.

5.      Save the configuration.

Ruijie(config)#end  //Return to privileged EXEC mode.

Ruijie#write      //Verify and save the configuration.

 

V. Verification

1.      Ping the intranet address of the peer end from an intranet PC. If the ping succeeds, the static route is configured correctly.

To ping the intranet address of the peer end, do as follows: Choose Start>Run. In the Run dialog box, enter cmd. In the window that is displayed, enter ping X.X.X.X (X.X.X.X indicates the intranet IP address of the peer end).

2.      Run the Ruijie#show ip route command to display information about routes.

Example of the static route configured for Router R1:

Ruijie#show ip route

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

Gateway of last resort is no set

S    192.168.2.0/24 [1/0] via 192.168.3.2

C    192.168.3.0/24 is directly connected, FastEthernet 0/0

C    192.168.3.1/32 is local host.

C    192.168.1.0/24 is directly connected, FastEthernet 0/1

C    192.168.1.254/32 is local host.

 

1.2.1.2     Floating Static Route

Features

When multiple routes with the same prefix exist on a network, the route with a smaller administrative distance (AD) value (route reliability, a smaller value indicates a higher route priority) is selected as the active route and the route with a larger AD value is used as a standby route. When the next hop of the active route is unreachable, the active route disappears and the standby route takes effect and becomes active. When multiple paths are reachable to a destination network, you can configure multiple static routes and set the AD value for the static routes to implement backup of active and standby links. This function is called floating static routing.

 

Scenarios

An enterprise has two egress links, with one functioning as active and the other functioning as standby. Normally, users of the enterprise access the network through the active link. When the active link fails, the router automatically switches traffic to the standby link, ensuring normal operation of the network. In this case, the floating static routing function can be enabled on the router.

 

I. Networking Requirements

1.      The router has two paths reachable to the destination network.

2.      When the active link (F0/0 in the example) fails (the interface is down or the link is disconnected), the standby link becomes active.

 

II. Networking Topology

 

III. Configuration Tips

1.      Configure interface IP addresses for Router R1.

2.      Configure interface IP addresses for Router R2.

3.      Configure a static route for Router R1.

4.      Configure a static route for Router R2.

 

IV. Configuration Steps

1.      Configure interface IP addresses for Router R1.

     Ruijie>enable                

     Ruijie#configure terminal    

     Ruijie(config)#interface fastethernet 0/2

     Ruijie(config-if-FastEthernet 0/2)#ip address 192.168.4.1 255.255.255.0

     Ruijie(config-if-FastEthernet 0/2)#interface fastethernet 0/1

     Ruijie(config-if-FastEthernet 0/1)#ip address 192.168.1.254 255.255.255.0

     Ruijie(config-if-FastEthernet 0/1)#interface fastethernet 0/0

     Ruijie(config-if-FastEthernet 0/0)#ip address 192.168.3.1 255.255.255.0

     Ruijie(config-if-FastEthernet 0/0)#exit

2.      Configure interface IP addresses for Router R2.

     Ruijie>enable                

     Ruijie#configure terminal    

    Ruijie(config)#interface fastethernet 0/2

     Ruijie(config-if-FastEthernet 0/2)#ip address 192.168.4.2 255.255.255.0

     Ruijie(config-if-FastEthernet 0/2)#interface fastethernet 0/1

     Ruijie(config-if-FastEthernet 0/1)#ip address 192.168.2.254 255.255.255.0

     Ruijie(config-if-FastEthernet 0/1)#interface fastethernet 0/0

     Ruijie(config-if-FastEthernet 0/0)#ip address 192.168.3.2 255.255.255.0

     Ruijie(config-if-FastEthernet 0/0)#exit

3.      Configure a static route for Router R1.

Notes:

1)     The next hop of a static route can be specified in two forms: a next-hop IP address or a local outbound interface. If the next hop is specified as a local outbound interface, the static route is treated as a directly connected route, and on an Ethernet link the router must then resolve ARP for every destination address. If a default route at a network egress is configured with a local outbound interface as its next hop, a large number of ARP requests must be resolved, which consumes much of the ARP table; if proxy ARP is disabled at the peer end, the network may fail. If the next hop is specified as a next-hop IP address, the static route is treated as a common recursive route.

2)     On an Ethernet link, it is recommended that the next hop of a static route be configured as a next-hop IP address. For a default route at a network egress, do not configure a local outbound interface alone as the next hop.

3)     On PPP and HDLC WAN links, the next hop of a static route can be either the local outbound interface or a next-hop IP address, because these are point-to-point links and no Layer-2 address resolution is involved.

4)     If the next hop of a static route is specified as a local outbound interface, the route is treated as a directly connected route and its default AD is 0. If the next hop is specified as a next-hop IP address, the route is treated as a common recursive route and its default AD is 1.

Ruijie(config)#ip route 192.168.2.0 255.255.255.0 192.168.3.2      //Configure a static route for forwarding data packets with the destination IP address of 192.168.2.0/24 to the device with the IP address of 192.168.3.2.

Ruijie(config)#ip route 192.168.2.0 255.255.255.0 192.168.4.2 10 //Configure a static route for forwarding data packets with the destination IP address of 192.168.2.0/24 to the device with the IP address of 192.168.4.2 and set AD to 10 (the default AD is 1 and a smaller AD indicates a higher route priority).

4.      Configure a static route for Router R2.

Ruijie(config)#ip route 192.168.1.0 255.255.255.0 192.168.3.1  //Configure a static route for forwarding data packets with the destination IP address of 192.168.1.0/24 to the device with the IP address of 192.168.3.1.

Ruijie(config)#ip route 192.168.1.0 255.255.255.0 192.168.4.1 10   //Configure a static route for forwarding data packets with the destination IP address of 192.168.1.0/24 to the device with the IP address of 192.168.4.1 and set AD to 10 (the default AD is 1 and a smaller AD indicates a higher route priority).

 

V. Verification

 

Example of the static routes configured for Router R1:

1.       When the active link (F0/0 in the example) is normal, run the Ruijie#show ip route command to display the route:

Ruijie#show ip route

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

Gateway of last resort is no set

S    192.168.2.0/24 [1/0] via 192.168.3.2       //Data packets destined for 192.168.2.0/24 are transmitted along the active link F0/0 and the next hop is 192.168.3.2.

C    192.168.1.0/24 is directly connected, FastEthernet 0/1

C    192.168.1.254/32 is local host.

C    192.168.3.0/24 is directly connected, FastEthernet 0/0

C    192.168.3.1/32 is local host.

C    192.168.4.0/24 is directly connected, FastEthernet 0/2

C    192.168.4.1/32 is local host.

 

2.       Remove the cable of the active link (F0/0) connected to Router R1 and run the Ruijie#show ip route command again to check whether the route has switched to the standby link:

Ruijie#show ip route

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

Gateway of last resort is no set

S    192.168.2.0/24 [10/0] via 192.168.4.2       //Data packets destined for 192.168.2.0/24 are now transmitted along the standby link F0/2 and the next hop is 192.168.4.2. The active/standby links are switched successfully.

C    192.168.1.0/24 is directly connected, FastEthernet 0/1

C    192.168.1.254/32 is local host.

C    192.168.4.0/24 is directly connected, FastEthernet 0/2

C    192.168.4.1/32 is local host.
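The route selection behind the two outputs above, as an added example that is not part of the cookbook: a small Python model of a routing table in which a static route is usable only while its next hop resolves to a connected network on an up interface, the lowest AD wins among routes for the same prefix (default AD 0 for an interface next hop, 1 for an IP next hop, as in note 4), and the AD 10 floating route takes over when F0/0 goes down. Router R1's interfaces and routes are constructed from the scenario; the selection logic is a simplification, not RGOS code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network  # connected subnet of the interface
    up: bool = True


@dataclass
class StaticRoute:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address] = None  # recursive route
    out_iface: Optional[str] = None                   # interface route
    ad: Optional[int] = None  # None -> default AD (0 for interface, 1 for next hop)

    def distance(self) -> int:
        if self.ad is not None:
            return self.ad
        # Note 4) above: an interface next hop counts as directly connected (AD 0),
        # an IP next hop is a common recursive route (AD 1).
        return 0 if self.next_hop is None and self.out_iface else 1


class Router:
    """A toy routing table: connected networks plus static routes."""

    def __init__(self, interfaces, routes):
        self.interfaces = {i.name: i for i in interfaces}
        self.routes = list(routes)

    def _egress(self, route):
        """Egress interface if the route is usable, otherwise None."""
        if route.out_iface is not None:
            i = self.interfaces.get(route.out_iface)
            return i.name if i is not None and i.up else None
        # Recursive route: the next hop must sit in a connected subnet whose
        # interface is up; otherwise the route drops out of the table.
        for i in self.interfaces.values():
            if i.up and route.next_hop in i.network:
                return i.name
        return None

    def active_routes(self):
        """Best usable static route per prefix: lowest AD wins."""
        best = {}
        for r in self.routes:
            egress = self._egress(r)
            if egress is None:
                continue
            cur = best.get(r.prefix)
            if cur is None or r.distance() < cur[0].distance():
                best[r.prefix] = (r, egress)
        return best

    def lookup(self, dst):
        """Longest-prefix match over connected networks and active static routes."""
        dst = ipaddress.IPv4Address(dst)
        candidates = []
        for i in self.interfaces.values():
            if i.up and dst in i.network:
                candidates.append((i.network.prefixlen, "connected", i.name, None))
        for prefix, (r, egress) in self.active_routes().items():
            if dst in prefix:
                candidates.append((prefix.prefixlen, "static", egress, r.next_hop))
        if not candidates:
            return None
        _, kind, iface, nh = max(candidates, key=lambda c: c[0])
        return {"type": kind, "interface": iface, "next_hop": str(nh) if nh else None}


def build_r1():
    """Router R1 of the floating static route scenario (constructed from the page)."""
    ifaces = [
        Interface("FastEthernet 0/1", ipaddress.IPv4Network("192.168.1.0/24")),
        Interface("FastEthernet 0/0", ipaddress.IPv4Network("192.168.3.0/24")),
        Interface("FastEthernet 0/2", ipaddress.IPv4Network("192.168.4.0/24")),
    ]
    net = ipaddress.IPv4Network("192.168.2.0/24")
    routes = [
        # ip route 192.168.2.0 255.255.255.0 192.168.3.2      -> AD 1, active
        StaticRoute(net, next_hop=ipaddress.IPv4Address("192.168.3.2")),
        # ip route 192.168.2.0 255.255.255.0 192.168.4.2 10   -> AD 10, floating
        StaticRoute(net, next_hop=ipaddress.IPv4Address("192.168.4.2"), ad=10),
    ]
    return Router(ifaces, routes)


def failover_demo():
    """Lookups for a host in 192.168.2.0/24 before and after F0/0 goes down."""
    r1 = build_r1()
    before = r1.lookup("192.168.2.10")
    r1.interfaces["FastEthernet 0/0"].up = False  # cable pulled on the active link
    after = r1.lookup("192.168.2.10")
    return before, after


if __name__ == "__main__":
    before, after = failover_demo()
    print("active link up:  ", before)
    print("active link down:", after)
```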

 

1.2.1.3     VRF Static Route

 

Features

When multiple interfaces on a router belong to the same Virtual Routing & Forwarding (VRF) table and data needs to be forwarded by these interfaces, VRF static routing needs to be configured for data forwarding.

 

I. Networking Requirements

As shown in the following figure, Interfaces F0/0 and F0/2 of Router R1 belong to the VRF table named abc, Router R2 is a common global router, and network-wide interworking needs to be implemented.

 

II. Networking Topology

 

III. Configuration Tips

1. Configure a VRF table named abc on Router R1.

2. Configure basic IP addresses.

3. Add interfaces on Router R1 to the VRF table.

4. Configure static routes.

 

IV. Configuration Steps

1.       Configure a VRF table named abc on Router R1.

Notes:

VRF is locally effective. When VRF is enabled at the local end, interfaces on the local router that belong to the same VRF table can interwork with each other. Interfaces that belong to different VRF tables are logically isolated, regardless of whether VRF is enabled on the peer router.

Ruijie(config)#hostname R1

R1(config)#ip vrf abc //Enable a VRF table named abc on the router.

R1(config-vrf)#exit

2.       Configure basic IP addresses.

R1(config)#interface fastEthernet 0/2

R1(config-if-FastEthernet 0/2)#ip ref

R1(config-if-FastEthernet 0/2)#ip address 192.168.1.1 255.255.255.0

R1(config-if-FastEthernet 0/2)#exit

R1(config)#interface fastEthernet 0/0

R1(config-if-FastEthernet 0/0)#ip ref

R1(config-if-FastEthernet 0/0)#ip address 10.1.1.1 255.255.255.0

R1(config-if-FastEthernet 0/0)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip ref

R2(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip ref

R2(config-if-FastEthernet 0/1)#ip address 10.2.1.1 255.255.255.0

R2(config-if-FastEthernet 0/1)#exit

3.       Add interfaces on Router R1 to the VRF table.

Notes:

When an interface is added to a VRF table and an IP address has been configured for the interface, the IP address will be deleted and you need to reconfigure an IP address for the interface.

R1(config)#interface fastEthernet 0/2

R1(config-if-FastEthernet 0/2)#ip vrf forwarding abc //Add the interface to the VRF table named abc.

% Interface FastEthernet 0/2 IP address 192.168.1.1 removed due to enabling VRF abc

R1(config-if-FastEthernet 0/2)#ip address 192.168.1.1 255.255.255.0       //Reconfigure an IP address for Interface F0/2.

R1(config-if-FastEthernet 0/2)#exit

R1(config)#interface fastEthernet 0/0

R1(config-if-FastEthernet 0/0)#ip vrf forwarding abc   //Add the interface to the VRF table named abc.

% Interface FastEthernet 0/0 IP address 10.1.1.1 removed due to enabling VRF abc

R1(config-if-FastEthernet 0/0)#ip address 10.1.1.1 255.255.255.0   //Reconfigure an IP address for the interface.

R1(config-if-FastEthernet 0/0)#exit

4.       Configure static routes.

Notes:

A VRF static route is configured with the same ip route command as a common static route, with the vrf abc keyword added. The precautions for configuring VRF static routes are the same as those for configuring common static routes. For details, see static route configuration.

R1(config)#ip route vrf abc 10.2.1.0 255.255.255.0 192.168.1.2         //Configure a static route in the VRF table named abc.

R2(config)#ip route 10.1.1.0 255.255.255.0 192.168.1.1        //Configure a common static route on R2 because VRF is not enabled on Router R2.

 

V. Verification

1.       Ping the intranet address of the peer end from an intranet PC. If the ping operation succeeds, the VRF static routing is configured correctly.

To ping the intranet address of the peer end, do as follows: Choose Start > Run. In the Run dialog box, enter cmd. In the window that is displayed, enter ping X.X.X.X (X.X.X.X indicates the intranet IP address of the peer end).

2.       Run the show ip route vrf abc command to display the VRF route.

R1#show ip route vrf abc 

Routing Table: abc

 

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

 

Gateway of last resort is no set

C    10.1.1.0/24 is directly connected, FastEthernet 0/0

C    10.1.1.1/32 is local host.

S    10.2.1.0/24 [1/0] via 192.168.1.2

C    192.168.1.0/24 is directly connected, FastEthernet 0/2

C    192.168.1.1/32 is local host.

1.2.2     RIP

1.2.2.1     Basic configuration of RIP

 

Features

The Routing Information Protocol (RIP) is an early routing protocol that is still widely used in small networks and in networks built on a single medium. RIP uses the distance vector algorithm and is therefore a distance vector protocol. RIPv1 is defined in RFC 1058 and RIPv2 in RFC 2453; Ruijie RGOS software supports both. RIP exchanges routing information in UDP packets on UDP port 520. RIPv1 sends its updates as broadcast packets, while RIPv2 sends them as multicast packets to 224.0.0.9. RIP sends an update packet every 30 seconds. If a router receives no route update from a neighbor for 180 seconds, it marks all routes learned from that neighbor as unreachable; if a further 120 seconds pass without an update, it deletes those routes from the routing table.

 

Scenarios

The network scale of an enterprise is small, with fewer than ten routers, and mutual communication and data sharing are required throughout the network. Therefore, RIP needs to be enabled on all routers in the network.

 

I. Networking Requirements

The RIP protocol needs to run on routers throughout the network so that routes across the network are reachable.

      

II. Networking Topology

III. Configuration Tips

1.       Configure basic IP addresses for routers throughout the network.

2.       Enable RIP on routers throughout the network and advertise interfaces to the RIP process.

 

IV. Configuration Steps

1.       Configure basic IP addresses for routers throughout the network.

Ruijie(config)#hostname R1

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-GigabitEthernet 0/0)#exit

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet 0/1)#ip address 10.1.1.1 255.255.255.0

R1(config-GigabitEthernet 0/1)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip address 192.168.2.1 255.255.255.0

R2(config-if-FastEthernet 0/1)#exit

 

Ruijie(config)#hostname R3

R3(config)#interface fastEthernet 0/0

R3(config-if-FastEthernet 0/0)#ip address 10.4.1.1 255.255.255.0

R3(config-if-FastEthernet 0/0)#exit

R3(config)#interface fastEthernet 0/1

R3(config-if-FastEthernet 0/1)#ip address 192.168.2.2 255.255.255.0

R3(config-if-FastEthernet 0/1)#exit

2.       Enable RIP on routers throughout the network and advertise interfaces to the RIP process.

Notes:

1)       There are two RIP versions: RIPv1 and RIPv2. RIPv2 uses multicast update packets to replace broadcast update packets and carries mask information of routes in the packets. Therefore, RIPv2 is recommended.

2)       When the network command is executed to advertise a network over RIP, only the classful network is advertised even if a subnet address is entered in this command. All interfaces that belong to this classful network will be advertised to the RIP process.

3)       By default, RIP performs automatic summarization at the border of the classful network. If the classful network is discontinuous, a routing learning exception will be incurred. Therefore, it is recommended that automatic summarization be disabled after RIP is enabled, and manual summarization be adopted.

R1(config)#router rip

R1(config-router)#version 2         //Enable RIPv2.

R1(config-router)#no auto-summary       //Disable automatic summarization.

R1(config-router)#network 192.168.1.0     //Advertise the network segment 192.168.1.0 to the RIP process.

R1(config-router)#network 10.0.0.0

R1(config-router)#exit

 

R2(config)#router rip

R2(config-router)#version 2

R2(config-router)#no auto-summary

R2(config-router)#network 192.168.1.0

R2(config-router)#network 192.168.2.0

R2(config-router)#exit

 

R3(config)#router rip

R3(config-router)#version 2

R3(config-router)#no auto-summary

R3(config-router)#network 192.168.2.0

R3(config-router)#network 10.0.0.0

R3(config-router)#exit
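Notes 2) and 3) above, as an added example that is not from the cookbook: a Python model of how the network command is widened to a classful network (so network 10.1.1.0 still enables every 10.x.x.x interface) and of what auto-summary does at a classful boundary. In the topology above, R1 holds 10.1.1.0/24 and R3 holds 10.4.1.0/24 on opposite sides of R2; with auto-summary on, both announce the same 10.0.0.0/8 to R2, which is the route-learning exception the note warns about. The classful rules are those of RFC 1058/2453; the interface and route data are constructed from the page, and the model ignores split horizon.

```python
import ipaddress


def classful_network(addr):
    """Classful (A/B/C) network that contains addr, per the RIPv1 address classes."""
    a = ipaddress.IPv4Address(str(addr))
    first_octet = int(a) >> 24
    if first_octet < 128:
        plen = 8       # class A
    elif first_octet < 192:
        plen = 16      # class B
    elif first_octet < 224:
        plen = 24      # class C
    else:
        raise ValueError(f"{addr} is not a class A/B/C unicast address")
    return ipaddress.IPv4Network(f"{a}/{plen}", strict=False)


def rip_enabled_interfaces(interfaces, network_cmds):
    """Interfaces placed into the RIP process by a list of 'network' arguments.

    interfaces: {name: 'ip/prefixlen'}.  Note 2) above: each network argument is
    widened to its classful network even if a subnet address was typed, and every
    interface whose address lies in that classful network is advertised.
    """
    classful = {classful_network(n) for n in network_cmds}
    return sorted(name for name, cidr in interfaces.items()
                  if any(ipaddress.IPv4Interface(cidr).ip in net for net in classful))


def advertised_routes(routes, out_iface_addr, auto_summary):
    """Prefixes RIP announces out of the interface with address out_iface_addr.

    Note 3) above: with auto-summary on, a subnet whose classful network differs
    from the outgoing interface's classful network is replaced by that classful
    network. Split horizon is ignored in this model.
    """
    boundary = classful_network(out_iface_addr)
    announced = set()
    for cidr in routes:
        net = ipaddress.IPv4Network(cidr)
        cls = classful_network(net.network_address)
        announced.add(cls if auto_summary and cls != boundary else net)
    return sorted(str(n) for n in announced)


def summary_collision_demo(auto_summary):
    """Discontiguous 10.0.0.0/8 from the topology above (constructed data):
    R1 holds 10.1.1.0/24 and R3 holds 10.4.1.0/24; both advertise toward R2
    over their 192.168.x.0/24 links. Returns (from_R1, from_R3)."""
    from_r1 = advertised_routes(["10.1.1.0/24"], "192.168.1.1", auto_summary)
    from_r3 = advertised_routes(["10.4.1.0/24"], "192.168.2.2", auto_summary)
    return from_r1, from_r3


if __name__ == "__main__":
    r1_ifaces = {"GigabitEthernet 0/0": "192.168.1.1/24",
                 "GigabitEthernet 0/1": "10.1.1.1/24"}
    # 'network 10.1.1.0' still covers all of 10.0.0.0/8 on this router
    print(rip_enabled_interfaces(r1_ifaces, ["10.1.1.0"]))
    print("auto-summary on: ", summary_collision_demo(True))
    print("auto-summary off:", summary_collision_demo(False))
```

With auto-summary on, R2 receives an identical 10.0.0.0/8 from both neighbors and cannot tell the two subnets apart; with no auto-summary each specific /24 survives.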

 

V. Verification

Check routes on routers throughout the network. If each router successfully learns routes throughout the network, RIP is configured correctly.

 

 

1.2.2.2     RIP in VRF

 

Features

The Routing Information Protocol (RIP) is an early routing protocol that is still widely used in small networks and in networks built on a single medium. RIP uses the distance vector algorithm and is therefore a distance vector protocol. RIPv1 is defined in RFC 1058 and RIPv2 in RFC 2453; Ruijie RGOS software supports both. RIP exchanges routing information in UDP packets on UDP port 520. RIPv1 sends its updates as broadcast packets, while RIPv2 sends them as multicast packets to 224.0.0.9. RIP sends an update packet every 30 seconds. If a router receives no route update from a neighbor for 180 seconds, it marks all routes learned from that neighbor as unreachable; if a further 120 seconds pass without an update, it deletes those routes from the routing table.

 

I. Networking Requirements

As shown in the following figure, Interfaces F0/0 and F0/2 of Router R1 belong to a VRF table named abc, and Router R2 is a common global router. The RIP protocol needs to be configured on routers throughout the network so that routes across the network are reachable.

      

II. Networking Topology

III. Configuration Tips

1.       Configure a VRF table named abc on Router R1.

2.       Configure basic IP addresses.

3.       Add interfaces on Router R1 to the VRF table.

4.       Enable RIP on routers throughout the network and advertise interfaces to the RIP process.

 

IV. Configuration Steps

1.       Configure a VRF table named abc on Router R1.

Notes:

VRF is locally effective. When VRF is enabled at the local end, interfaces on the local router that belong to the same VRF table can interwork with each other. Interfaces that belong to different VRF tables are logically isolated, regardless of whether VRF is enabled on the remote router.

Ruijie(config)#hostname R1

R1(config)#ip vrf abc //Enable a VRF table named abc on the router.

R1(config-vrf)#exit

2.       Configure basic IP addresses.

R1(config)#interface fastEthernet 0/2

R1(config-if-FastEthernet 0/2)#ip address 192.168.1.1 255.255.255.0

R1(config-if-FastEthernet 0/2)#exit

R1(config)#interface fastEthernet 0/0

R1(config-if-FastEthernet 0/0)#ip address 10.1.1.1 255.255.255.0

R1(config-if-FastEthernet 0/0)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip address 10.2.1.1 255.255.255.0

R2(config-if-FastEthernet 0/1)#exit

3.       Add interfaces on Router R1 to the VRF table.

Notes:

When an interface is added to a VRF table and an IP address has been configured for the interface, the IP address will be deleted and you need to reconfigure an IP address for the interface.

R1(config)#interface fastEthernet 0/2

R1(config-if-FastEthernet 0/2)#ip vrf forwarding abc

% Interface FastEthernet 0/2 IP address 192.168.1.1 removed due to enabling VRF abc

R1(config-if-FastEthernet 0/2)#ip address 192.168.1.1 255.255.255.0       //Reconfigure an IP address for Interface F0/2.

R1(config-if-FastEthernet 0/2)#exit

R1(config)#interface fastEthernet 0/0

R1(config-if-FastEthernet 0/0)#ip vrf forwarding abc

% Interface FastEthernet 0/0 IP address 10.1.1.1 removed due to enabling VRF abc

R1(config-if-FastEthernet 0/0)#ip address 10.1.1.1 255.255.255.0

R1(config-if-FastEthernet 0/0)#exit

4.       Enable RIP on routers throughout the network and advertise interfaces to the RIP process.

Notes:

To configure VRF RIP, run the address-family ipv4 vrf command after enabling RIP. The precautions for configuring VRF RIP are the same as those for configuring common RIP. For details, see RIP basic configuration.

R1(config)#router rip

R1(config-router)#address-family ipv4 vrf abc //Enter the RIP address family for the VRF table named abc; the following RIP commands apply to that VRF.

R1(config-router-af)#version 2     //Enable RIPv2.

R1(config-router-af)#no auto-summary    //Disable automatic summarization.

R1(config-router-af)#network 192.168.1.0   //Advertise the network segment 192.168.1.0 to the RIP process.

R1(config-router-af)#network 10.0.0.0

R1(config-router-af)#exit

R1(config-router)#exit

 

R2(config)#router rip

R2(config-router)#version 2

R2(config-router)#no auto-summary

R2(config-router)#network 192.168.1.0

R2(config-router)#network 10.0.0.0

R2(config-router)#exit

 

V. Verification

Check the VRF routing table on Router R1 and global routing tables on other routers. If each router successfully learns routes throughout the network, VRF RIP is configured correctly.

R1#show ip route vrf abc

Routing Table: abc

 

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

 

Gateway of last resort is no set

C    10.1.1.0/24 is directly connected, FastEthernet 0/0

C    10.1.1.1/32 is local host.

R    10.2.1.0/24 [120/1] via 192.168.1.2, 00:02:53, FastEthernet 0/2

C    192.168.1.0/24 is directly connected, FastEthernet 0/2

C    192.168.1.1/32 is local host.

 

1.2.2.3     Redistribution

 

Features

The route redistribution function imports routes learnt from other routing protocols to the Routing Information Protocol (RIP) domain.

 

Scenarios

Multiple routing protocols are enabled on the network of an enterprise, and mutual communication and data sharing are required throughout the network. Therefore, routes learnt by other routing protocol need to be imported to the RIP domain.

 

I. Networking Requirements

In addition to RIP, other routing protocols run on the network, and routes learnt by other routing protocols need to be redistributed to RIP.    

       

II. Networking Topology

 

III. Configuration Tips

1.       Configure IP addresses and basic RIP information for routers throughout the network.

2.       Configure a static route destined for the network 10.1.2.0/24 on Router R1.

3.       Redistribute the static route to the RIP domain.

 

IV. Configuration Steps

1.       Configure IP addresses and basic RIP information for routers throughout the network.

For the configuration, see RIP basic configuration (choose Typical Configuration>IP Routing>RIP>Basic Configuration).

2.       Configure a static route destined for the network 10.1.2.0/24 on Router R1.

R1(config)#ip route 10.1.2.0 255.255.255.0 192.168.11.2

3.       Redistribute the static route to the RIP domain.

Notes:

1)     The commands for RIP to redistribute routes learnt by other routing protocols are as follows:

R1(config)#router rip

R1(config-router)#redistribute ?

  bgp          Border Gateway Protocol (BGP)

  connected    Connected

  ospf         Open Shortest Path First (OSPF)

  static       Static routes

2)       External routes imported by RIP must be effective routes on the local router, that is, routes that appear in the output of the show ip route command on the local router.

3)       A metric must be specified for external routes imported by RIP. The default metric is infinite, so imported external routes with no metric specified are ineffective.

The following example redistributes a static route into RIP; routes from the other sources listed above are redistributed in the same way.

R1(config)#router rip

R1(config-router)#redistribute static metric 1      //Redistribute the static route to the RIP domain and set metric to 1.

R1(config-router)#exit

 

V. Verification

Check routes on other routers. If the other routers successfully learn the route destined for the external network 10.1.2.0/24, redistribution is configured correctly.

 

1.2.2.4     Summarization

 

Features

The route summarization function enables the Routing Information Protocol (RIP) to summarize specific routes learnt by or generated by RIP and transfer them to RIP neighbors, so as to reduce route entries on routers.

 

Scenarios

There are numerous IP network segments in the network of an enterprise. Route summarization can be configured on routers to reduce route entries on the routers and improve router performance.

 

I. Networking Requirements

Specific routes learnt by RIP need to be summarized to reduce route entries.

 

II. Networking Topology

III. Configuration Tips

1.       Configure IP addresses and basic RIP information for routers throughout the network.

2.       Configure route summarization.

 

IV. Configuration Steps

1.       Configure IP addresses and basic RIP information for routers throughout the network.

For the configuration, see RIP basic configuration (choose Typical Configuration > IP Routing > RIP > Basic Configuration).

2.       Configure route summarization.

Notes:

1)       RIP can summarize routes generated by RIP or learnt from neighbors on outbound interfaces, but cannot perform supernetting summarization on these routes.

2)       Automatic summarization must be disabled before routes learnt or generated by RIP are manually summarized.

R1(config)#router rip

R1(config-router)#no auto-summary       //Disable automatic summarization.

R1(config-router)#exit

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip rip summary-address 10.1.0.0 255.255.0.0     //Summarize the route as 10.1.0.0/16.

R1(config-GigabitEthernet 0/0)#exit

 

V. Verification

Check routes on routers throughout the network. If all the routers correctly learn the summarized route, route summarization of RIP is configured correctly.

 

1.2.3     OSPF

1.2.3.1     Basic Configuration of OSPF

 

Features

The Open Shortest Path First (OSPF) protocol is a link-state interior gateway routing protocol developed by the OSPF Working Group of the Internet Engineering Task Force (IETF). OSPF is designed exclusively for IP: it runs directly on top of IP, with IP protocol number 89. OSPF packets are exchanged by multicast, to 224.0.0.5 (all OSPF routers) or 224.0.0.6 (designated routers). When an OSPF routing domain is large, a hierarchical structure is usually adopted: the domain is divided into several areas that are interconnected through a backbone area, and each non-backbone area must be directly connected to the backbone area.

 

Scenarios

The network scale of an enterprise is large, with more than ten routers, and mutual communication and data sharing are required throughout the network. Therefore, OSPF needs to be enabled on all routers in the network.

 

I. Networking Requirements

The OSPF protocol needs to run on routers throughout the network so that routes across the network are reachable.

 

II. Networking Topology

III. Configuration Tips

1.       Configure basic IP addresses for routers throughout the network.

2.       Enable OSPF on routers throughout the network and advertise interfaces to a specified area.

3.       (Optional) Adjust the OSPF network type for Ethernet interfaces.

 

IV. Configuration Steps

1.       Configure basic IP addresses for routers throughout the network.

Ruijie(config)#hostname R1

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-GigabitEthernet 0/0)#exit

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet 0/1)#ip address 10.1.1.1 255.255.255.0

R1(config-GigabitEthernet 0/1)#exit

R1(config)#interface loopback 0        //Configure Interface loopback 0; its address is used as the OSPF router ID.

R1(config-Loopback 0)#ip address 1.1.1.1 255.255.255.255 

R1(config-Loopback 0)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip address 192.168.2.1 255.255.255.0

R2(config-if-FastEthernet 0/1)#exit

R2(config)#interface loopback 0

R2(config-if-Loopback 0)#ip address 2.2.2.2 255.255.255.255

R2(config-if-Loopback 0)#exit

 

Ruijie(config)#hostname R3

R3(config)#interface fastEthernet 0/0

R3(config-if-FastEthernet 0/0)#ip address 192.168.3.1 255.255.255.0

R3(config-if-FastEthernet 0/0)#exit

R3(config)#interface fastEthernet 0/1

R3(config-if-FastEthernet 0/1)#ip address 192.168.2.2 255.255.255.0

R3(config-if-FastEthernet 0/1)#exit

R3(config)#interface loopback 0

R3(config-if-Loopback 0)#ip address 3.3.3.3 255.255.255.255

R3(config-if-Loopback 0)#exit

 

Ruijie(config)#hostname R4

R4(config)#interface gigabitEthernet 0/0

R4(config-GigabitEthernet 0/0)#ip address 192.168.3.2 255.255.255.0

R4(config-GigabitEthernet 0/0)#exit

R4(config)#interface gigabitEthernet 0/1

R4(config-GigabitEthernet 0/1)#ip address 10.4.1.1 255.255.255.0

R4(config-GigabitEthernet 0/1)#exit

R4(config)#interface loopback 0

R4(config-Loopback 0)#ip address 4.4.4.4 255.255.255.255

R4(config-Loopback 0)#exit

2.       Enable OSPF on routers throughout the network and advertise interfaces to a specified area.

Notes:

1)       An OSPF process ID is only locally significant: it identifies an OSPF process on the local router, so routers throughout the network may use different process IDs.

2)       When establishing a neighbor relationship, OSPF checks the area ID carried in the Hello packet from the peer. Two routers on the same link must therefore be configured with the same OSPF area ID at both ends.

3)       The network command defines the interfaces on which OSPF is enabled. An interface is matched by IP network address plus wildcard mask (a wildcard bit of 0 means the corresponding address bit must match, a wildcard bit of 1 means it is ignored). It is recommended to give the exact interface IP address after network with a wildcard mask of 0.0.0.0, so that only the interface with that IP address is advertised into the OSPF process.

R1(config)#router ospf 1      //Enable OSPF and set the process ID to 1.

R1(config-router)#network 192.168.1.1 0.0.0.0 area 1     //Advertise the interface with the IP address of 192.168.1.1 to the OSPF area 1.

R1(config-router)#network 10.1.1.1 0.0.0.0 area 1

R1(config-router)#exit

 

R2(config)#router ospf 1

R2(config-router)#network 192.168.1.2 0.0.0.0 area 1

R2(config-router)#network 192.168.2.1 0.0.0.0 area 0

R2(config-router)#exit

 

R3(config)#router ospf 1

R3(config-router)#network 192.168.2.2 0.0.0.0 area 0

R3(config-router)#network 192.168.3.1 0.0.0.0 area 2

R3(config-router)#exit

 

R4(config)#router ospf 1

R4(config-router)#network 192.168.3.2 0.0.0.0 area 2

R4(config-router)#network 10.4.1.1 0.0.0.0 area 2

R4(config-router)#exit
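The wildcard matching of the network command and the two consistency rules in the notes above (same area ID at both ends of a link, every non-backbone area attached to area 0), as an added Python example that is not part of the Ruijie cookbook. The router data is taken from the configuration steps above; the "most specific statement wins" tie-break and the BROKEN_ROUTERS misconfiguration are constructed assumptions of this example.

```python
import ipaddress


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def network_matches(iface_ip, net, wildcard):
    """True if `network <net> <wildcard>` selects an interface with iface_ip.
    A wildcard bit of 0 means that bit must match, a bit of 1 means it is ignored."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(iface_ip) & care) == (ip_to_int(net) & care)


def interface_area(iface_ip, statements):
    """statements: list of (net, wildcard, area). Returns the area of the most
    specific matching statement (fewest wildcard bits), or None when no statement
    matches, i.e. OSPF is not enabled on that interface. Most-specific-wins is an
    assumption of this example; with the recommended 0.0.0.0 wildcard it never matters."""
    best = None
    for net, wildcard, area in statements:
        if network_matches(iface_ip, net, wildcard):
            bits = bin(ip_to_int(wildcard)).count("1")
            if best is None or bits < best[0]:
                best = (bits, area)
    return None if best is None else best[1]


def ospf_areas(routers):
    """{router: {ip: area}} for every interface covered by some network statement."""
    areas = {}
    for name, cfg in routers.items():
        areas[name] = {}
        for ip in cfg["interfaces"]:
            area = interface_area(ip, cfg["network"])
            if area is not None:
                areas[name][ip] = area
    return areas


def link_area_mismatches(routers):
    """Interfaces in one IP subnet share a link, so their area IDs must agree (note 2).
    Returns [(subnet, {router: area}), ...] for every link where they differ."""
    areas = ospf_areas(routers)
    ends_by_subnet = {}
    for name, cfg in routers.items():
        for ip, plen in cfg["interfaces"].items():
            subnet = str(ipaddress.ip_interface(f"{ip}/{plen}").network)
            area = areas[name].get(ip)
            if area is not None:
                ends_by_subnet.setdefault(subnet, {})[name] = area
    return sorted((s, ends) for s, ends in ends_by_subnet.items()
                  if len(set(ends.values())) > 1)


def areas_without_backbone(routers):
    """Every non-backbone area needs a router that also has an interface in area 0 (an ABR)."""
    areas = ospf_areas(routers)
    all_areas = {a for r in areas.values() for a in r.values()}
    reachable = set()
    for r in areas.values():
        if 0 in r.values():
            reachable |= set(r.values())
    return sorted(a for a in all_areas if a != 0 and a not in reachable)


# Interface addresses and network statements from the configuration steps above.
PAGE_ROUTERS = {
    "R1": {"interfaces": {"192.168.1.1": 24, "10.1.1.1": 24, "1.1.1.1": 32},
           "network": [("192.168.1.1", "0.0.0.0", 1), ("10.1.1.1", "0.0.0.0", 1)]},
    "R2": {"interfaces": {"192.168.1.2": 24, "192.168.2.1": 24, "2.2.2.2": 32},
           "network": [("192.168.1.2", "0.0.0.0", 1), ("192.168.2.1", "0.0.0.0", 0)]},
    "R3": {"interfaces": {"192.168.3.1": 24, "192.168.2.2": 24, "3.3.3.3": 32},
           "network": [("192.168.2.2", "0.0.0.0", 0), ("192.168.3.1", "0.0.0.0", 2)]},
    "R4": {"interfaces": {"192.168.3.2": 24, "10.4.1.1": 24, "4.4.4.4": 32},
           "network": [("192.168.3.2", "0.0.0.0", 2), ("10.4.1.1", "0.0.0.0", 2)]},
}

# Constructed misconfiguration: R4 advertises its interfaces into area 3 instead of area 2.
BROKEN_ROUTERS = dict(PAGE_ROUTERS)
BROKEN_ROUTERS["R4"] = {"interfaces": PAGE_ROUTERS["R4"]["interfaces"],
                        "network": [("192.168.3.2", "0.0.0.0", 3), ("10.4.1.1", "0.0.0.0", 3)]}

if __name__ == "__main__":
    print(ospf_areas(PAGE_ROUTERS))
    print(link_area_mismatches(BROKEN_ROUTERS))    # [('192.168.3.0/24', {'R3': 2, 'R4': 3})]
    print(areas_without_backbone(BROKEN_ROUTERS))  # [3]
```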

3.       (Optional) Adjust the OSPF network type for Ethernet interfaces.

Notes:

The default OSPF network type of Ethernet interfaces is broadcast. On a broadcast network, a Designated Router (DR) and Backup Designated Router (BDR) are elected after a 40-second wait timer. For Ethernet interfaces that interconnect exactly two routers, it is recommended that the OSPF network type at both ends be set to point-to-point, which skips the DR/BDR election and accelerates convergence of the OSPF neighbor relationship.

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip ospf network point-to-point        //Set the OSPF network type of the interface to point-to-point (The OSPF network type at both ends of a link must be the same).

R2(config-if-FastEthernet 0/1)#exit

 

R3(config)#interface fastEthernet 0/1

R3(config-if-FastEthernet 0/1)#ip ospf network point-to-point

R3(config-if-FastEthernet 0/1)#exit

 

V. Verification

1.       Check whether an OSPF neighbor relationship is established between adjacent routers and the neighbor status. If adjacent routers successfully establish a neighbor relationship and the neighbor status is full, OSPF runs properly.

Notes:

On a multi-access network type, two DROther routers only reach the 2-Way state with each other; the Full state is reached only with the DR and BDR, so a 2-Way neighbor between DROthers is normal.

 

2.       Check routes on routers throughout the network. If each router successfully learns routes throughout the network, OSPF is configured correctly.

 

1.2.3.2     OSPF in VRF

 

Features

The Open Shortest Path First (OSPF) protocol is a link-state-based interior gateway routing protocol developed by the OSPF Working Group of the Internet Engineering Task Force (IETF). OSPF is designed exclusively for IP. It runs directly on top of IP with IP protocol number 89. OSPF packets are exchanged by multicast, using the multicast address 224.0.0.5 (to all OSPF routers) or 224.0.0.6 (to designated routers). When an OSPF routing domain is large, a hierarchical structure is often adopted: the routing domain is divided into several areas that are interconnected through a backbone area, and each non-backbone area must be directly connected to the backbone area.

 

I. Networking Requirements

As shown in the following figure, Interfaces F0/0 and F0/2 of Router R1 belong to a VRF table named abc and Router R2 is a common global router. The OSPF protocol needs to be configured on routers throughout the network (the entire network is in Area 0) so that routes across the network are reachable.

      

II. Networking Topology

III. Configuration Tips

1.       Configure a VRF table named abc on Router R1.

2.       Configure basic IP addresses.

3.       Add interfaces on Router R1 to the VRF table.

4.       Enable OSPF on routers throughout the network and advertise interfaces to the OSPF process.

 

IV. Configuration Steps

1.      Configure a VRF table named abc on Router R1.

Notes:

VRF is locally significant. When VRF is enabled on the local router, interfaces that belong to the same VRF table can communicate with each other, while interfaces that belong to different VRF tables are logically isolated, regardless of whether VRF is enabled on the remote router.

Ruijie(config)#hostname R1

R1(config)#ip vrf abc //Enable a VRF table named abc on the router.

R1(config-vrf)#exit

2.      Configure basic IP addresses.

R1(config)#interface fastEthernet 0/2

R1(config-if-FastEthernet 0/2)#ip address 192.168.1.1 255.255.255.0

R1(config-if-FastEthernet 0/2)#exit

R1(config)#interface fastEthernet 0/0

R1(config-if-FastEthernet 0/0)#ip address 10.1.1.1 255.255.255.0

R1(config-if-FastEthernet 0/0)#exit

R1(config)#interface loopback 0        //Configure the address of Interface loopback 0 as router ID of OSPF.

R1(config-Loopback 0)#ip address 1.1.1.1 255.255.255.255 

R1(config-Loopback 0)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip address 10.2.1.1 255.255.255.0

R2(config-if-FastEthernet 0/1)#exit

R2(config)#interface loopback 0

R2(config-if-Loopback 0)#ip address 2.2.2.2 255.255.255.255

R2(config-if-Loopback 0)#exit

3.      Add interfaces on Router R1 to the VRF table.

Notes:

1)       When an interface that already has an IP address is added to a VRF table, the IP address is removed and must be configured again.

2)       When the address of the loopback interface is used as router ID of OSPF, the loopback interface does not need to be added to the VRF table.

R1(config)#interface fastEthernet 0/2

R1(config-if-FastEthernet 0/2)#ip vrf forwarding abc  //Add the interface to the VRF table.

% Interface FastEthernet 0/2 IP address 192.168.1.1 removed due to enabling VRF abc

R1(config-if-FastEthernet 0/2)#ip address 192.168.1.1 255.255.255.0       //Reconfigure an IP address for Interface F0/2.

R1(config-if-FastEthernet 0/2)#exit

R1(config)#interface fastEthernet 0/0

R1(config-if-FastEthernet 0/0)#ip vrf forwarding abc

% Interface FastEthernet 0/0 IP address 10.1.1.1 removed due to enabling VRF abc

R1(config-if-FastEthernet 0/0)#ip address 10.1.1.1 255.255.255.0

R1(config-if-FastEthernet 0/0)#exit

4.       Enable OSPF on routers throughout the network and advertise interfaces to the OSPF process.

Notes:

To configure VRF OSPF, associate the OSPF process with the relevant VRF table when enabling the OSPF process. The precautions for configuring VRF OSPF are the same as those for common OSPF. For details, see OSPF basic configuration.

R1(config)#router ospf 1 vrf abc     //Enable OSPF process 1 in the VRF table named abc.

R1(config-router)#network 192.168.1.1 0.0.0.0 area 0   //Advertise the interface with the IP address of 192.168.1.1 to the OSPF area 0.

R1(config-router)#network 10.1.1.1 0.0.0.0 area 0

R1(config-router)#exit

 

R2(config)#router ospf 1

R2(config-router)#network 192.168.1.2 0.0.0.0 area 0

R2(config-router)#network 10.2.1.1 0.0.0.0 area 0

R2(config-router)#exit

 

V. Verification

1.       Check whether an OSPF neighbor relationship is established between adjacent routers and the neighbor status. If adjacent routers successfully establish a neighbor relationship and the neighbor status is full, OSPF runs properly.

R1#show ip ospf neighbor

 

OSPF process 1, 1 Neighbors, 1 is Full:

Neighbor ID     Pri   State                BFD State  Dead Time   Address         Interface

2.2.2.2              1   Full/BDR                 -            00:00:36    192.168.1.2     FastEthernet 0/2

2.       Check the VRF routing table on Router R1 and global routing tables on other routers. If each router successfully learns routes throughout the network, VRF OSPF is configured correctly.

R1#show ip route vrf abc

Routing Table: abc

 

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

 

Gateway of last resort is no set

C    10.1.1.0/24 is directly connected, FastEthernet 0/0

C    10.1.1.1/32 is local host.

O    10.2.1.0/24 [110/2] via 192.168.1.2, 00:10:21, FastEthernet 0/2

C    192.168.1.0/24 is directly connected, FastEthernet 0/2

C    192.168.1.1/32 is local host.

 

1.2.3.3     Redistribution

 

Features

The route redistribution function imports routes learnt from other routing protocols to the Open Shortest Path First (OSPF) domain.

 

Scenarios

Multiple routing protocols are enabled on the network of an enterprise, and mutual communication and data sharing are required throughout the network. Therefore, routes learnt by other routing protocols need to be imported into the OSPF domain.

 

I. Networking Requirements

In addition to OSPF, other routing protocols run on the network, and routes learnt by other routing protocols need to be redistributed to OSPF.

 

II. Networking Topology

III. Configuration Tips

1.       Configure IP addresses and basic OSPF information for routers throughout the network.

2.       Configure a static route destined for the network 10.1.2.0/24 on Router R1.

3.       Redistribute the static route to the OSPF domain.

 

IV. Configuration Steps

1.       Configure IP addresses and basic OSPF information for routers throughout the network.

For the configuration, see OSPF basic configuration (choose Typical Configuration > IP Routing > OSPF > Basic Configuration).

2.       Configure a static route destined for the network 10.1.2.0/24 on Router R1.

R1(config)#ip route 10.1.2.0 255.255.255.0 192.168.11.2

3.       Redistribute the static route to the OSPF domain.

Notes:

1)     The commands for OSPF to redistribute routes learnt from other routing protocols are as follows:

R1(config)#router ospf 1

R1(config-router)#redistribute ?

  bgp        Border Gateway Protocol (BGP)

  connected  Connected

  ospf       Open Shortest Path First (OSPF)

  rip        Routing Information Protocol (RIP)

  static     Static routes

2)     There are two metric types for external routes imported by OSPF: type 1 and type 2.

a.       Metric type 1: The internal cost is added to the external metric as the route is propagated within the OSPF domain. If routers inside the OSPF domain need to choose between several paths to an imported external route based on the internal path cost, type 1 is recommended (the default metric type for imported external routes is 2).

b.       Metric type 2: The internal cost is not added to the external metric as the route is propagated within the OSPF domain.

R1(config)#router ospf 1

R1(config-router)#redistribute static metric-type ?

  1  Set OSPF External Type 1 metrics

  2  Set OSPF External Type 2 metrics

3)     Only routes that are active on the local router can be redistributed into OSPF, that is, routes that appear in the output of the show ip route command on the local router.

4)     When routes are redistributed into the OSPF domain, the subnets keyword must be appended. Otherwise, only classful (major network) routes are redistributed.

The following example shows redistribution of a static route into OSPF; other route sources are redistributed in the same way.

R1(config)#router ospf 1

R1(config-router)#redistribute static subnets //Redistribute the static route.

R1(config-router)#exit
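How the two metric types in note 2) change which ASBR a router selects for a redistributed prefix, as an added Python example that is not part of the Ruijie cookbook: it computes the internal OSPF cost to each ASBR with Dijkstra and then applies the type 1 (cost added) and type 2 (cost not added, tie-break only) rules. The chain topology R1-R2-R3-R4 is the cookbook's; the link costs, the seed metric of 20 and the second ASBR on R4 are constructed assumptions.

```python
import heapq


def dijkstra(links, source):
    """Shortest-path cost from source to every router.
    links: [(router_a, router_b, cost), ...], treated as bidirectional."""
    graph = {}
    for a, b, cost in links:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost in graph.get(u, []):
            if d + cost < dist.get(v, float("inf")):
                dist[v] = d + cost
                heapq.heappush(heap, (d + cost, v))
    return dist


def external_route_choice(links, router, advertisers, metric_type):
    """Pick the ASBR a router uses for one redistributed prefix.
    advertisers: {asbr: seed_metric}, the metric each ASBR attaches when redistributing.
    Type 1 (E1): the internal cost to the ASBR is added, so the total cost decides.
    Type 2 (E2): only the seed metric is compared; the internal cost breaks ties.
    Returns (asbr, metric shown in the routing table), or None if no ASBR is reachable."""
    internal = dijkstra(links, router)
    best = None
    for asbr, seed in advertisers.items():
        if asbr not in internal:
            continue  # ASBR unreachable inside the OSPF domain
        if metric_type == 1:
            key, shown = (seed + internal[asbr],), seed + internal[asbr]
        elif metric_type == 2:
            key, shown = (seed, internal[asbr]), seed
        else:
            raise ValueError("metric_type must be 1 or 2")
        if best is None or key < best[0]:
            best = (key, asbr, shown)
    return None if best is None else (best[1], best[2])


def route_line(prefix, metric_type, metric):
    """The form in which show ip route presents the chosen external route."""
    return f"O E{metric_type} {prefix} [110/{metric}]"


# Cookbook chain R1-R2-R3-R4; link costs are constructed (R3-R4 deliberately expensive).
LINKS = [("R1", "R2", 1), ("R2", "R3", 1), ("R3", "R4", 30)]
# Cookbook case: only R1 redistributes 10.1.2.0/24; the seed metric 20 is assumed.
ONE_ASBR = {"R1": 20}
# Constructed case: R4 also redistributes the same prefix with a cheaper seed metric.
TWO_ASBRS = {"R1": 50, "R4": 30}

if __name__ == "__main__":
    for mt in (1, 2):
        asbr, metric = external_route_choice(LINKS, "R3", TWO_ASBRS, mt)
        print(f"R3 via {asbr}: {route_line('10.1.2.0/24', mt, metric)}")
```

With type 2, R3 prefers R4 because its seed metric 30 beats R1's 50, even though the internal path to R4 costs 30 and the path to R1 only 2; with type 1 the totals (52 versus 60) make R3 prefer R1.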

 

V. Verification

Check routes on other routers. If the routers successfully learn the route destined for the external network 10.1.2.0/24, redistribution is configured correctly.

 

1.2.3.4     Summarization

 

Features

The route summarization of the Open Shortest Path First (OSPF) reduces the size of the routing table on routers. The OSPF route summarization can be configured only on Area Border Routers (ABRs) and Autonomous System Boundary Routers (ASBRs). ABRs summarize routes inside an OSPF domain while ASBRs summarize routes outside an OSPF domain. OSPF cannot summarize intra-area routes.

 

Scenarios

There are numerous IP network segments in the network of an enterprise. Route summarization can be configured on routers to reduce route entries on routers and improve router performance.

 

I. Networking Requirements

Specific routes learnt by OSPF need to be summarized to reduce route entries.

 

II. Networking Topology

 

III. Configuration Tips

1.       Configure IP addresses and basic OSPF information for routers throughout the network.

2.       Redistribute the external static route 10.1.2.0/24 to the OSPF domain.

3.       Summarize the intra-domain (inter-area) route.

4.       Summarize the inter-domain (external) route.

 

IV. Configuration Steps

1.       Configure IP addresses and basic OSPF information for routers throughout the network.

For the configuration, see OSPF basic configuration (choose Typical Configuration>IP Routing>OSPF>Basic Configuration).

2.       Redistribute the external static route 10.1.2.0/24 to the OSPF domain.

For the configuration, see OSPF redistribution (choose Typical Configuration>IP Routing>OSPF>Redistribution).

3.       Summarize the intra-domain (inter-area) route.

Summarize the route 10.4.1.0/24 on Router R4 as the route 10.4.0.0/16 on Router R3.

R3(config)#router ospf 1

R3(config-router)#area 2 range 10.4.0.0 255.255.0.0    //Summarize the intra-domain route (the area ID given after area must be the area from which the summarized routes originate).

R3(config-router)#exit

4.       Summarize the inter-domain (external) route.

Notes:

OSPF summarizes external routes only on the ASBR that redistributes them.

Summarize the static route 10.1.2.0/24 that is redistributed on Router R1 as 10.1.0.0/16 on Router R1.

R1(config)#router ospf 1

R1(config-router)#summary-address 10.1.0.0 255.255.0.0      //Summarize the external route.

R1(config-router)#exit
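What the ABR (area range) and the ASBR (summary-address) actually advertise after summarization, as an added Python example that is not part of the Ruijie cookbook. It uses the cookbook's prefixes (10.4.1.0/24 and 192.168.3.0/24 in area 2, the external 10.1.2.0/24) and assumes the common behaviour that a summary is advertised only when at least one component route exists; the three-subnet input is constructed.

```python
import ipaddress


def summarize(routes, ranges):
    """Apply OSPF-style summarization to a list of prefixes.
    routes: specific prefixes known to the ABR or ASBR, e.g. "10.4.1.0/24".
    ranges: summary prefixes configured with `area <id> range` or `summary-address`.
    A range replaces every route it contains and is advertised only if it contains
    at least one route; routes outside all ranges are advertised unchanged.
    Returns (advertised, suppressed) as sorted lists of prefix strings."""
    nets = [ipaddress.ip_network(r) for r in routes]
    summaries = [ipaddress.ip_network(r) for r in ranges]
    advertised, suppressed = set(), set()
    for net in nets:
        covering = [s for s in summaries if net.subnet_of(s)]
        if covering:
            # If ranges overlap, the most specific one represents the route (assumption).
            advertised.add(str(max(covering, key=lambda s: s.prefixlen)))
            suppressed.add(str(net))
        else:
            advertised.add(str(net))
    return sorted(advertised), sorted(suppressed)


def entries_saved(routes, ranges):
    """How many routing-table entries the rest of the network no longer carries."""
    advertised, _ = summarize(routes, ranges)
    return len(routes) - len(advertised)


# Area 2 as configured in the cookbook: R4's LAN and the R3-R4 link.
AREA2_ROUTES = ["10.4.1.0/24", "192.168.3.0/24"]
# Constructed: several subnets inside the range, showing the saving grow with the subnet count.
MANY_SUBNETS = ["10.4.1.0/24", "10.4.2.0/24", "10.4.3.0/24", "192.168.3.0/24"]

if __name__ == "__main__":
    print(summarize(AREA2_ROUTES, ["10.4.0.0/16"]))      # ABR R3, area 2 range
    print(summarize(["10.1.2.0/24"], ["10.1.0.0/16"]))   # ASBR R1, summary-address
    print(summarize(["192.168.3.0/24"], ["10.4.0.0/16"]))  # range with no component: not advertised
```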

 

V. Verification

Check routes on routers throughout the network. If intra-domain and inter-domain routes are all correctly summarized, route summarization of OSPF is configured correctly.

 

1.2.3.5     Stub Area

 

Features

A stub area, located at the edge of an OSPF domain, filters out type 4 and type 5 Link State Advertisements (LSAs) to reduce the size of the link-state database and routing table.

 

I. Networking Requirements

Requirement 1: Configure Area 2 as a stub area to filter out type 4 and type 5 LSAs.

Requirement 2: Configure Area 2 as a totally stub area to filter out type 3, type 4, and type 5 LSAs.

 

II. Networking Topology

III. Configuration Tips

1.       A stub area is capable of filtering out type 4 and type 5 LSAs and one type 3 LSA default route is generated on the Area Border Router (ABR).

2.       A totally stub area is capable of filtering out type 3, type 4, and type 5 LSAs and one type 3 LSA default route is generated on the ABR.

3.       Routers in a stub area are not allowed to import routes outside an OSPF domain.

 

IV. Configuration Steps

Requirement 1: Configure Area 2 as a stub area to filter out type 4 and type 5 LSAs.

1.       Configure IP addresses and basic OSPF information for routers throughout the network.

For the configuration, see OSPF basic configuration (choose Typical Configuration>IP Routing>OSPF>Basic Configuration).

2.       Configure a static route on Router R1 and distribute it to the OSPF domain.

For the configuration, see OSPF redistribution (choose Typical Configuration>IP Routing>OSPF>Redistribution).

3.       Configure Area 2 as a stub area.

Notes:

1)       When an area is configured as a stub area, every router in the area must have the area configured as stub; otherwise, neighbor relationships cannot be established in that area.

2)       The backbone area (Area 0) cannot be configured as a stub area.

3)       Virtual links cannot traverse a stub area.

R3(config)#router ospf 1

R3(config-router)#area 2 stub      //Configure Area 2 as a stub area.

R3(config-router)#exit

 

R4(config)#router ospf 1

R4(config-router)#area 2 stub

R4(config-router)#exit

Requirement 2: Configure Area 2 as a totally stub area to filter out type 3, type 4, and type 5 LSAs.

1.       Configure IP addresses and basic OSPF information for routers throughout the network.

For the configuration, see OSPF basic configuration (choose Typical Configuration>IP Routing>OSPF>Basic Configuration).

2.       Configure a static route on Router R1 and distribute it to the OSPF domain.

For the configuration, see OSPF redistribution (choose Typical Configuration>IP Routing>OSPF>Redistribution).

3.       Configure Area 2 as a totally stub area.

Notes:

When an area is configured as a totally stub area, every router in the area must have the area configured as stub, and the no-summary parameter must additionally be set on the ABR.

R3(config)#router ospf 1

R3(config-router)#area 2 stub no-summary   //Configure Area 2 as a totally stub area.

R3(config-router)#exit

 

R4(config)#router ospf 1

R4(config-router)#area 2 stub

R4(config-router)#exit

 

V. Verification

1.       Verification of the stub area

Check routes on routers in the stub area. If inter-domain (external) routes are filtered out but inter-area routes persist, and an O IA default route is generated, the stub area is configured correctly.

2.       Verification of the totally stub area

Check routes on routers in the totally stub area. If both inter-domain (external) routes and inter-area routes are filtered out and an O IA default route is generated, the totally stub area is configured correctly.

 

1.2.3.6     NSSA Area

 

Features

A Not-So-Stubby Area (NSSA), located at the edge of an OSPF domain, filters out type 4 and type 5 Link State Advertisements (LSAs) to reduce the size of the link-state database and routing table, but, unlike a stub area, still allows routers in the area to import routes from outside the OSPF domain.

 

I. Networking Requirements

Requirement 1: Configure Area 2 as an NSSA to filter out type 4 and type 5 LSAs, and import external static routes.

Requirement 2: Configure Area 2 as a totally NSSA to filter out type 3, type 4, and type 5 LSAs, and import external static routes.

 

II. Networking Topology

III. Configuration Tips

1.       An NSSA is capable of filtering out type 4 and type 5 LSAs and no type 3 LSA default route is generated on the Area Border Router (ABR).

2.       A totally NSSA is capable of filtering out type 3, type 4, and type 5 LSAs and one type 3 LSA default route will be generated on the ABR.

3.       Routers in an NSSA are allowed to import routes outside an OSPF domain.    

 

IV. Configuration Steps

Requirement 1: Configure Area 2 as an NSSA to filter out type 4 and type 5 LSAs, and import external static routes.

1.       Configure IP addresses and basic OSPF information for routers throughout the network.

For the configuration, see OSPF basic configuration (choose Typical Configuration > IP Routing > OSPF > Basic Configuration).

2.       Configure a static route on Router R1 and Router R4 each, and distribute them to the OSPF domain.

For the configuration, see OSPF redistribution (choose Typical Configuration > IP Routing > OSPF > Redistribution).

3.       Configure Area 2 as an NSSA.

Notes:

1)       When an area is configured as an NSSA, every router in the area must have the area configured as NSSA.

2)       The backbone area (Area 0) cannot be configured as an NSSA.

R3(config)#router ospf 1

R3(config-router)#area 2 nssa      //Configure Area 2 as an NSSA.

R3(config-router)#exit

 

R4(config)#router ospf 1

R4(config-router)#area 2 nssa

R4(config-router)#exit

Requirement 2: Configure Area 2 as a totally NSSA to filter out type 3, type 4, and type 5 LSAs, and import external static routes.

1.       Configure IP addresses and basic OSPF information for routers throughout the network.

For the configuration, see OSPF basic configuration (choose Typical Configuration > IP Routing > OSPF > Basic Configuration).

2.       Configure a static route on Router R1 and Router R2 each, and distribute them to the OSPF domain.

For the configuration, see OSPF redistribution (choose Typical Configuration > IP Routing > OSPF > Redistribution).

3.       Configure Area 2 as a totally NSSA.

Notes:

When an area is configured as a totally NSSA, every router in the area must have the area configured as NSSA, and the no-summary parameter must additionally be set on the ABR.

R3(config)#router ospf 1

R3(config-router)#area 2 nssa no-summary   //Configure Area 2 as a totally NSSA.

R3(config-router)#exit

 

R4(config)#router ospf 1

R4(config-router)#area 2 nssa

R4(config-router)#exit

 

V. Verification

1.       Verification of the NSSA

Check routes on routers in the NSSA. If inter-domain (external) routes are filtered out but inter-area routes persist, and routes from outside the OSPF domain can be successfully imported (other routers in the NSSA learn the OSPF NSSA routes), the NSSA is configured correctly.

 

2.       Verification of the totally NSSA

Check routes on routers in the totally NSSA. The totally NSSA is configured correctly if inter-domain (external) routes and inter-area routes are filtered out, routes from outside the OSPF domain can be successfully imported (other routers in the NSSA learn the OSPF NSSA routes), and an O IA default route is generated.

 

1.2.4     BGP

1.2.4.1     Basic Configuration of IBGP

 

Features

The Border Gateway Protocol (BGP) is an Exterior Gateway Protocol (EGP) used for communication between routers in different Autonomous Systems (ASs). BGP exchanges network reachability information between ASs and eliminates routing loops with its own mechanisms. BGP uses TCP as its transport protocol, and the reliable transmission of TCP ensures reliable delivery of BGP messages. Routers running BGP are called BGP speakers, and BGP speakers between which a BGP session is established are called BGP peers.

Two modes can be used to establish BGP peers between BGP speakers: Internal BGP (IBGP) and External BGP (EBGP). IBGP refers to a BGP connection established within an AS while EBGP refers to a BGP connection established between different ASs. In a word, EBGP completes exchange of routing information between different ASs while IBGP completes transfer of routing information within an AS.

 

I. Networking Requirements

1)       Router R1 and Router R2 both belong to AS123 and an IBGP neighbor relationship needs to be established between Router R1 and Router R2.

2)       Routes are advertised to neighbors over IBGP.

 

II. Networking Topology

III. Configuration Tips

1.       Configure basic IP addresses for routers throughout the network.

2.       Configure a static route on Router R1 and Router R2 to ensure Interfaces Loopback 0 of Router R1 and Router R2 are reachable.

3.       Configure an IBGP neighbor relationship.

4.       Advertise routes to BGP.

 

IV. Configuration Steps

1.      Configure basic IP addresses for routers throughout the network.

Ruijie(config)#hostname R1

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-GigabitEthernet 0/0)#exit

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet 0/1)#ip address 10.1.1.1 255.255.255.0

R1(config-GigabitEthernet 0/1)#exit

R1(config)#interface loopback 0        //Configure the address of Interface Loopback 0 as the update source address of BGP.

R1(config-Loopback 0)#ip address 1.1.1.1 255.255.255.255

R1(config-Loopback 0)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip address 192.168.2.1 255.255.255.0

R2(config-if-FastEthernet 0/1)#exit

R2(config)#interface loopback 0

R2(config-if-Loopback 0)#ip address 2.2.2.2 255.255.255.255

R2(config-if-Loopback 0)#exit

 

2.       Configure a static route on Router R1 and Router R2 to ensure Interfaces Loopback 0 of Router R1 and Router R2 are reachable.

R1(config)#ip route 2.2.2.2 255.255.255.255 192.168.1.2

R2(config)#ip route 1.1.1.1 255.255.255.255 192.168.1.1

 

3.       Configure an IBGP neighbor relationship.

Notes:

1)     If the AS ID of a BGP neighbor of a router is consistent with the AS ID of the router, an IBGP neighbor relationship is established; if their AS IDs are different, an EBGP neighbor relationship is established.

2)     Selection of the update source address for a BGP neighbor relationship

a.       An EBGP neighbor relationship is established at the border of an AS. It is recommended that the address of the directly connected interface be used as the update source address of the EBGP neighbor; because the directly connected interface is reachable, no IGP is needed to reach the peer.

b.       An IBGP neighbor relationship is established within an AS. It is recommended that the loopback address be used as the update source address of the IBGP neighbor, because the loopback address is reliable (the BGP session will not flap when a single physical link fails) and an IGP usually runs inside the AS to make the route to the update source address reachable.

3)     IBGP applies split horizon: routes learnt from an IBGP neighbor are not advertised to other IBGP neighbors, only to EBGP neighbors.

R1(config)#router bgp 123     //Enable the BGP process, with the AS ID of 123.

R1(config-router)#neighbor 2.2.2.2 remote-as 123     //Specify the address of a BGP neighbor and the AS ID of the neighbor.

R1(config-router)#neighbor 2.2.2.2 update-source loopback 0       //Configure the update source address of BGP.

R1(config-router)#exit

 

R2(config)#router bgp 123

R2(config-router)#neighbor 1.1.1.1 remote-as 123

R2(config-router)#neighbor 1.1.1.1 update-source loopback 0

R2(config-router)#exit

 

4.       Advertise routes to BGP.

Notes:

In BGP, the network command is used to specify the routes to be advertised to the BGP process rather than specify the interfaces to be enabled with BGP, which is different from the network command in RIP and OSPF. Routes advertised to the BGP process using the network command must be the routes that are displayed after the show ip route command is executed and whose mask is consistent with the value of the mask parameter.

R1(config)#router bgp 123

R1(config-router)#network 10.1.1.0 mask 255.255.255.0

R1(config-router)#exit

 

V. Verification

1.       Check whether a BGP neighbor relationship is established between routers and the neighbor status. If a BGP neighbor relationship is established normally and State is Established, IBGP runs normally.

2.       Check routes on IBGP neighbor routers. If routes advertised by the peer end are learnt, IBGP is configured correctly.

 

1.2.4.2     Basic Configuration of EBGP

 

Features

The Border Gateway Protocol (BGP) is an Exterior Gateway Protocol (EGP) used for communication between routers in different Autonomous Systems (ASs). BGP exchanges network reachability information between ASs and eliminates routing loops with its own mechanisms. BGP uses TCP as its transport protocol, and the reliable transmission of TCP ensures reliable delivery of BGP messages. Routers running BGP are called BGP speakers, and BGP speakers between which a BGP session is established are called BGP peers.

Two modes can be used to establish BGP peers between BGP speakers: Internal BGP (IBGP) and External BGP (EBGP). IBGP refers to a BGP connection established within an AS while EBGP refers to a BGP connection established between different ASs. In a word, EBGP completes exchange of routing information between different ASs while IBGP completes transfer of routing information within an AS.

 

I. Networking Requirements

1)     Router R1 belongs to AS1, Router R2 belongs to AS2, and an EBGP neighbor relationship needs to be established between Router R1 and Router R2.

2)     Routes are advertised to neighbors over EBGP.

 

II. Networking Topology

 

III. Configuration Tips

1.      Configure basic IP addresses for routers throughout the network.

2.      Configure an EBGP neighbor relationship.

3.      Advertise routes to the BGP process.

 

IV. Configuration Steps

1.      Configure basic IP addresses for routers throughout the network.

Ruijie(config)#hostname R1

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-GigabitEthernet 0/0)#exit

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet 0/1)#ip address 10.1.1.1 255.255.255.0

R1(config-GigabitEthernet 0/1)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

R2(config)#interface fastEthernet 0/1

R2(config-if-FastEthernet 0/1)#ip address 10.4.1.1 255.255.255.0

R2(config-if-FastEthernet 0/1)#exit

2.      Configure an EBGP neighbor relationship.

Notes:

1)     If the AS ID of a BGP neighbor of a router is consistent with the AS ID of the router, an IBGP neighbor relationship is established; if their AS IDs are different, an EBGP neighbor relationship is established.

R1(config)#router bgp 1

R1(config-router)#neighbor 192.168.1.2 remote-as 2

R1(config-router)#exit

 

R2(config)#router bgp 2

R2(config-router)#neighbor 192.168.1.1 remote-as 1

R2(config-router)#exit

3.      Advertise routes to the BGP process.

R1(config)#router bgp 1

R1(config-router)#network 10.1.1.0 mask 255.255.255.0

R1(config-router)#exit

 

R2(config)#router bgp 2

R2(config-router)#network 10.4.1.0 mask 255.255.255.0

R2(config-router)#exit

Notes:

In BGP, the network command is used to specify the routes to be advertised to the BGP process rather than specify the interfaces to be enabled with BGP, which is different from the network command in RIP and OSPF. Routes advertised to the BGP process using the network command must be the routes that are displayed after the show ip route command is executed and whose mask is consistent with the value of the mask parameter.

 

 

V. Verification

1.      Check whether a BGP neighbor relationship is established between routers and the neighbor status. If a BGP neighbor relationship is established normally and State is Established, EBGP runs normally.

2.      Check routes on EBGP neighbor routers. If routes advertised by the peer end are learnt, EBGP is configured correctly.

 

1.2.4.3     Route Reflector

 

Features

Route reflector solves the split horizon problem of the Internal Border Gateway Protocol (IBGP).

 

I.Networking Requirements

As shown in the following networking topology, Router R1 and Router R3 fail to learn each other's BGP routes because of the split horizon rule of IBGP. Therefore, a route reflector needs to be configured to solve the split horizon problem between IBGP neighbors.

 

II. Networking Topology

III. Configuration Tips

1.      Configure IP addresses and basic IBGP information for routers throughout the network.

2.      Configure a route reflector.

 

IV. Configuration Steps

1.      Configure IP addresses and basic IBGP information for routers throughout the network.

For the configuration, see "IBGP Basic Configuration" (choose Typical Configuration>IP Routing>BGP>IBGP Basic Configuration).

2.      Configure a route reflector.

Configure Router R2 as a route reflector and specify Router R1 as a client.

R2(config)#router bgp 123

R2(config-router)#neighbor 1.1.1.1 route-reflector-client          //Specify R1 to be the client of the route reflector on Router R2.

R2(config-router)#exit

Notes:

1)     When a router is configured as the client of a route reflector, the existing BGP neighbor relationship with that client is reset.

2)     A route reflector must have learnt IBGP routes so that it can reflect routes.

3)     A route reflector can mutually reflect routes between a non-client and a client and between clients but cannot reflect routes learnt from a non-client to other non-clients.

 

V. Verification

Check routes throughout the network. If Router R1 and Router R3 successfully learn routes from the peer end, the route reflector is configured correctly.

 

1.2.5     Route Control

 

ACL and prefix-list

Similarities:

Both can be used to match the route prefix.

Differences:

ACL can also be used to filter IP packets by the five-tuple (source and destination addresses, protocol, and source and destination ports), whereas prefix-list can be used only to match the route prefix.

Selection:

Either ACL or prefix-list is acceptable when the route prefix needs to be matched. When the route prefix with different mask lengths in a large network segment needs to be matched, prefix-list is preferred.

 

distribute-list and route-map

Similarities:

Both can be used to filter routes.

Differences:

1)     Distribute-list can be used only to filter route entries and does not support route attribute modification. route-map can be used to filter route entries and supports route attribute modification.

2)     Route-map can be used to forcibly change the next hop of data packets to implement policy-based routing (PBR).

3)     Distribute-list can be applied in three places: routing protocol redistribution; route transfer between distance vector routing protocol neighbors (routes themselves are exchanged between such neighbors, so they can be filtered); and route submission to the routing table by a link state routing protocol (link state neighbors exchange LSAs rather than routes, so distribute-list cannot filter the LSAs exchanged between neighbors, only the routes installed in the routing table).

4)     Route-map is applied in routing protocol redistribution and route transfer between BGP neighbors.

Selection:

The selection of distribute-list or route-map depends on the application scenario. If both can be used but the route attribute needs to be modified, route-map is preferred. If the route attribute does not need to be modified, either is acceptable.

 

1.2.5.1     Distribute-list

 

Features

Distribute-list controls route updates and filters route entries. It does not support route attribute modification.

 

I.Networking Requirements

Redistribute RIP routes to the OSPF domain on Router R2. Route filtering is required during redistribution, and only the routes 172.16.1.32/28, 172.16.1.48/29, and 172.16.1.56/30 are allowed to be redistributed to the OSPF domain.

 

II. Networking Topology

III. Configuration Tips

1.      Configure basic IP addresses.

2.      Enable RIP on Router R1 and Router R2 and advertise interfaces to the RIP process.

3.      Enable OSPF on Router R2 and Router R3 and advertise interfaces to the OSPF process.

4.      Redistribute routes learnt by RIP to the OSPF process on Router R2.

5.      Use an ACL or prefix-list to match the routes to be learnt.

6.      Redistribute RIP routes to the OSPF process on Router R2 and use distribute-list to filter routes.

 

IV. Configuration Steps

1.      Configure basic IP addresses.

Ruijie(config)#hostname R1

R1(config)#interface fastEthernet 0/0

R1(config-if-FastEthernet 0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-if-FastEthernet 0/0)#exit

R1(config)#interface loopback 1

R1(config-if-Loopback 1)#ip address 172.16.1.1 255.255.255.224

R1(config-if-Loopback 1)#exit

R1(config)#interface loopback 2

R1(config-if-Loopback 2)#ip address 172.16.1.33 255.255.255.240

R1(config-if-Loopback 2)#exit

R1(config)#interface loopback 3

R1(config-if-Loopback 3)#ip address 172.16.1.49 255.255.255.248

R1(config-if-Loopback 3)#exit

R1(config)#interface loopback 4

R1(config-if-Loopback 4)#ip address 172.16.1.57 255.255.255.252

R1(config-if-Loopback 4)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/2

R2(config-if-FastEthernet 0/2)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/2)#exit

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip address 192.168.2.1 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

 

Ruijie(config)#hostname R3

R3(config)#interface fastEthernet 0/1

R3(config-if-FastEthernet 0/1)#ip address 192.168.2.2 255.255.255.0

R3(config-if-FastEthernet 0/1)#exit

2.      Enable RIP on Router R1 and Router R2 and advertise interfaces to the RIP process.

R1(config)#router rip

R1(config-router)#version 2     //Enable RIPv2.

R1(config-router)#no auto-summary     //Disable automatic summarization.

R1(config-router)#network 172.16.0.0     //Advertise the classful network 172.16.0.0 to the RIP process.

R1(config-router)#network 192.168.1.0  

R1(config-router)#exit

 

R2(config)#router rip

R2(config-router)#version 2

R2(config-router)#no auto-summary

R2(config-router)#network 192.168.1.0

R2(config-router)#exit

3.      Enable OSPF on Router R2 and Router R3 and advertise interfaces to the OSPF process.

R2(config)#router ospf 1    //Enable OSPF Process 1.

R2(config-router)#network 192.168.2.1 0.0.0.0 area 0    //Advertise the interface with the IP address of 192.168.2.1 to Area 0 of OSPF Process 1.

R2(config-router)#exit

 

R3(config)#router ospf 1

R3(config-router)#network 192.168.2.2 0.0.0.0 area 0

R3(config-router)#exit

4.      Redistribute routes learnt by RIP to the OSPF process on Router R2.

R2(config)#router ospf 1

R2(config-router)#redistribute rip subnets    //Redistribute RIP routes to the OSPF process. The subnets keyword must be appended.

R2(config-router)#exit

5.       Use an ACL or prefix-list to match the routes to be learnt.

Notes:

1)       Both ACL and prefix-list can be used to match route entries. Select either of them.

2)       When the route prefix with different mask lengths in a large network segment needs to be matched, prefix-list is preferred. You can also use an ACL but you need to enter multiple entries.

In the following example, the route entries 172.16.1.32/28, 172.16.1.48/29, and 172.16.1.56/30 need to be matched; three ACE entries are required in the ACL but only one entry is required in the prefix-list.

1)     Use an ACL to match route entries.

Notes:

The ACL is used to match route entries here and the mask is set to 0.0.0.0 to precisely match route entries.

R2(config)#ip access-list standard 1

R2(config-std-nacl)#10 permit 172.16.1.32 0.0.0.0

R2(config-std-nacl)#20 permit 172.16.1.48 0.0.0.0

R2(config-std-nacl)#30 permit 172.16.1.56 0.0.0.0

R2(config-std-nacl)#exit                 

2)     Use a prefix-list to match route entries.

Notes:

1)       The prefix-list can be used only to match route entries. It cannot be used to filter data packets.

2)       The prefix-list matches subnets within a network segment: ge specifies the minimum mask length (the mask length must be greater than or equal to it) and le specifies the maximum mask length (the mask length must be less than or equal to it).

3)       The prefix-list is also matched from top to bottom, and there is an implicit deny any entry at the bottom.

R2(config)#ip prefix-list ruijie seq 10 permit 172.16.1.0/24 ge 28 le 30   //Define a prefix-list named ruijie to match the route prefix 172.16.1.0/24 with the subnet mask length greater than or equal to 28 and smaller than or equal to 30.

6.       Redistribute RIP routes to the OSPF process on Router R2 and use distribute-list to filter routes.

Notes:

1)     distribute-list does not match routes by itself; the route entries to be permitted or filtered are determined by the ACL or prefix-list it references.

2)     distribute-list can be applied in three places: routing protocol redistribution; route transfer between distance vector routing protocol neighbors (routes themselves are exchanged between such neighbors, so they can be filtered); and route submission to the routing table by a link state routing protocol (link state neighbors exchange LSAs rather than routes, so distribute-list cannot filter the LSAs exchanged between neighbors, only the routes installed in the routing table).

The following examples use the distribute-list to call an ACL and prefix-list to filter routes.

1)     Use the distribute-list to apply an ACL to filter routes.

R2(config)#router ospf 1   

R2(config-router)#distribute-list 1 out rip     //Filter routes when RIP routes are redistributed to the OSPF process (note that the direction must be out).

R2(config-router)#exit

2)     Use the distribute-list to call a prefix-list to filter routes.

R2(config)#router ospf 1

R2(config-router)#distribute-list prefix ruijie out rip    //Filter routes when RIP routes are redistributed to the OSPF process (note that the direction must be out).

R2(config-router)#exit

Supplement:

1)     The distance vector protocol uses the distribute-list to filter route entries transmitted between neighbors. The commands are as follows:

R2(config)#router rip

R2(config-router)#distribute-list 1 in fastEthernet 0/2 //1 indicates ACL 1; a prefix-list can also be used. in filters routes learnt from neighbors and out filters routes advertised to neighbors. A specific interface can also be appended.

2)     The link state protocol uses the distribute-list to filter route entries to be submitted to the routing table.

R2(config)#router ospf 1

R2(config-router)#distribute-list 1 in //1 indicates ACL 1 and a prefix-list can be also used. The direction must be in.

 

V. Verification

Check route entries on Router R3. If Router R3 successfully learns the route entries 172.16.1.32/28, 172.16.1.48/29, and 172.16.1.56/30, the distribute-list used for route filtering is configured correctly.

R3#show ip route

 

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

 

Gateway of last resort is no set

O E2 172.16.1.32/28 [110/20] via 192.168.2.1, 00:02:45, FastEthernet 0/1

O E2 172.16.1.48/29 [110/20] via 192.168.2.1, 00:02:29, FastEthernet 0/1

O E2 172.16.1.56/30 [110/20] via 192.168.2.1, 00:02:21, FastEthernet 0/1

C    192.168.2.0/24 is directly connected, FastEthernet 0/1

C    192.168.2.2/32 is local host.

 

1.2.5.2     Route-map

 

Features

Route-map controls route updates and supports route attribute modification.

 

I.Networking Requirements

Redistribute RIP routes to the OSPF domain on Router R2. Route filtering is required during redistribution, and only the routes 172.16.1.32/28, 172.16.1.48/29, and 172.16.1.56/30 are allowed to be redistributed to the OSPF domain. The type of the imported external route is OE1 and the metric value is 50.

 

II. Networking Topology

 

III. Configuration Tips

1.      Configure basic IP addresses.

2.      Enable RIP on Router R1 and Router R2 and advertise interfaces to the RIP process.

3.      Enable OSPF on Router R2 and Router R3 and advertise interfaces to the OSPF process.

4.      Redistribute routes learnt by RIP to the OSPF process on Router R2.

5.     Use an ACL or prefix-list to match the routes to be learnt.

6.      Configure route-map.

7.      Redistribute RIP routes to the OSPF process on Router R2 and call route-map for routing control.

 

IV. Configuration Steps

1.      Configure basic IP addresses.

Ruijie(config)#hostname R1

R1(config)#interface fastEthernet 0/0

R1(config-if-FastEthernet 0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-if-FastEthernet 0/0)#exit

R1(config)#interface loopback 1

R1(config-if-Loopback 1)#ip address 172.16.1.1 255.255.255.224

R1(config-if-Loopback 1)#exit

R1(config)#interface loopback 2

R1(config-if-Loopback 2)#ip address 172.16.1.33 255.255.255.240

R1(config-if-Loopback 2)#exit

R1(config)#interface loopback 3

R1(config-if-Loopback 3)#ip address 172.16.1.49 255.255.255.248

R1(config-if-Loopback 3)#exit

R1(config)#interface loopback 4

R1(config-if-Loopback 4)#ip address 172.16.1.57 255.255.255.252

R1(config-if-Loopback 4)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface fastEthernet 0/2

R2(config-if-FastEthernet 0/2)#ip address 192.168.1.2 255.255.255.0

R2(config-if-FastEthernet 0/2)#exit

R2(config)#interface fastEthernet 0/0

R2(config-if-FastEthernet 0/0)#ip address 192.168.2.1 255.255.255.0

R2(config-if-FastEthernet 0/0)#exit

 

Ruijie(config)#hostname R3

R3(config)#interface fastEthernet 0/1

R3(config-if-FastEthernet 0/1)#ip address 192.168.2.2 255.255.255.0

R3(config-if-FastEthernet 0/1)#exit

2.      Enable RIP on Router R1 and Router R2 and advertise interfaces to the RIP process.

R1(config)#router rip

R1(config-router)#version 2     //Enable RIPv2.

R1(config-router)#no auto-summary     //Disable automatic summarization.

R1(config-router)#network 172.16.0.0     //Advertise the classful network 172.16.0.0 to the RIP process.

R1(config-router)#network 192.168.1.0  

R1(config-router)#exit

 

R2(config)#router rip

R2(config-router)#version 2

R2(config-router)#no auto-summary

R2(config-router)#network 192.168.1.0

R2(config-router)#exit

3.      Enable OSPF on Router R2 and Router R3 and advertise interfaces to the OSPF process.

R2(config)#router ospf 1    //Enable OSPF Process 1.

R2(config-router)#network 192.168.2.1 0.0.0.0 area 0    //Advertise the interface with the IP address of 192.168.2.1 to Area 0 of OSPF Process 1.

R2(config-router)#exit

 

R3(config)#router ospf 1

R3(config-router)#network 192.168.2.2 0.0.0.0 area 0

R3(config-router)#exit

4.      Redistribute routes learnt by RIP to the OSPF process on Router R2.

R2(config)#router ospf 1

R2(config-router)#redistribute rip subnets    //Redistribute RIP routes to the OSPF process. The subnets keyword must be appended.

R2(config-router)#exit

5.      Use an ACL or prefix-list to match the routes to be learnt.

Notes:

1)     Both ACL and prefix-list can be used to match route entries. Select either of them.

2)     If several subnet routes in a network segment need to be matched, the prefix-list is preferred. You can also use an ACL but you need to enter multiple entries.

In the following example, the route entries 172.16.1.32/28, 172.16.1.48/29, and 172.16.1.56/30 need to be matched; three ACE entries are required in the ACL but only one entry is required in the prefix-list.

1)     Use an ACL to match route entries.

Notes:

The ACL is used to match route entries here and the mask is set to 0.0.0.0 to precisely match route entries.

R2(config)#ip access-list standard 1

R2(config-std-nacl)#10 permit 172.16.1.32 0.0.0.0

R2(config-std-nacl)#20 permit 172.16.1.48 0.0.0.0

R2(config-std-nacl)#30 permit 172.16.1.56 0.0.0.0

R2(config-std-nacl)#exit                 

2)     Use a prefix-list to match route entries.

Notes:

1)     The prefix-list can be used only to match route entries. It cannot be used to filter data packets.

2)     The prefix-list matches subnets within a network segment: ge specifies the minimum mask length (the mask length must be greater than or equal to it) and le specifies the maximum mask length (the mask length must be less than or equal to it).

3)     The prefix-list is matched from top to bottom, which is the same as the matching sequence and rules of the ACL.

R2(config)#ip prefix-list ruijie seq 10 permit 172.16.1.0/24 ge 28 le 30   //Define a prefix-list named ruijie to match the route prefix 172.16.1.0/24 with the subnet mask length greater than or equal to 28 and smaller than or equal to 30.

6.      Configure route-map.

Notes:

1)     route-map can be used to filter routes and modify route attributes.

2)     route-map can use multiple matching conditions (including route entries, metric value, and metric type) whereas distribute-list can be used only to match route entries.

3)     route-map is matched from top to bottom and there is an implicit deny any at the end of any route-map.

4)     The execution logic of route-map is as follows:

route-map aaa permit 10
        match x y z    //Multiple conditions written horizontally on one match line are in the OR relationship: the match statement is satisfied as long as one of the conditions is met.
        match a
                set b  //Multiple set statements are written vertically, and all set actions are executed together.
                set c

route-map aaa permit 20
        match p
        match q        //Multiple match statements written vertically are in the AND relationship: the entry matches only when every match statement is satisfied.
                set r

route-map aaa deny any     //Implicit final entry, hidden in the system.

The execution logic is as follows:

 If ((x or y or z) and a)
        then set (b and c)
        else if (p and q)
                then set r
                else deny

 

The match ip address statement of a route-map can reference either an ACL or a prefix-list, but not both in the same statement. See the following examples.

1)     Match ip address uses an ACL for matching.

R2(config)#route-map aaa permit 10

R2(config-route-map)#match ip address 1 //Match route entries in ACL 1.

R2(config-route-map)#set metric-type type-1     //Set the type to 1 for imported external routes.

R2(config-route-map)#set metric 50  //Set metric to 50 for imported external routes.

R2(config-route-map)#exit

2)     Match ip address uses a prefix-list for matching.

R2(config)#route-map aaa permit 10

R2(config-route-map)#match ip address prefix-list ruijie //Match route entries in the prefix-list named ruijie.

R2(config-route-map)#set metric-type type-1  

R2(config-route-map)#set metric 50

R2(config-route-map)#exit
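As an added example that is not part of the cookbook, the following Python model evaluates the ACL, the prefix-list (step 5) and route-map aaa (step 6) over the RIP routes that R2 redistributes into OSPF, using the matching rules described above (top-down, first match wins, implicit deny at the end; conditions on one match line are ORed, separate match lines are ANDed). The Route class, the helper names and the sample metric value are assumptions of the example.

```python
# Added example, not from the Ruijie cookbook: a model of how the prefix-list,
# the standard ACL and route-map aaa from this section evaluate the RIP routes
# that R2 redistributes into OSPF.  Route and the helper names are my own.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str          # e.g. "172.16.1.32/28"
    metric: int = 1      # RIP hop count; constructed sample value

    @property
    def net(self):
        return ipaddress.ip_network(self.prefix)


# Routes R1 advertises into RIP in the cookbook topology (loopbacks 1 to 4).
RIP_ROUTES = [Route("172.16.1.0/27"), Route("172.16.1.32/28"),
              Route("172.16.1.48/29"), Route("172.16.1.56/30")]

# ip prefix-list ruijie seq 10 permit 172.16.1.0/24 ge 28 le 30
PREFIX_LIST_RUIJIE = [("permit", "172.16.1.0/24", 28, 30)]

# ip access-list standard 1: three ACEs, each with wildcard 0.0.0.0
ACL_1 = [("permit", "172.16.1.32", "0.0.0.0"),
         ("permit", "172.16.1.48", "0.0.0.0"),
         ("permit", "172.16.1.56", "0.0.0.0")]


def prefix_list_permits(entries, route):
    """Top-down: a route matches an entry when it lies inside the entry's prefix
    and its mask length is within [ge, le] (default: exactly the entry's length)."""
    r = route.net
    for action, prefix, ge, le in entries:
        p = ipaddress.ip_network(prefix)
        lo = ge if ge is not None else p.prefixlen
        hi = le if le is not None else (32 if ge is not None else p.prefixlen)
        if r.subnet_of(p) and lo <= r.prefixlen <= hi:
            return action == "permit"
    return False                      # implicit deny any at the bottom


def acl_permits(entries, route):
    """A standard ACL applied to routes only sees the network address; the
    wildcard selects the address bits that are compared.  The mask length of
    the route is invisible to the ACL (the caveat behind the cookbook's advice
    to prefer a prefix-list when mask lengths matter)."""
    addr = int(route.net.network_address)
    for action, ip, wildcard in entries:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if (addr ^ int(ipaddress.ip_address(ip))) & care == 0:
            return action == "permit"
    return False                      # implicit deny any at the bottom


def route_map_apply(entries, route):
    """entries: (action, [clause, ...], {attribute: value}).  Conditions inside
    one clause are ORed (one match line); separate clauses are ANDed (separate
    match lines).  Returns the attributes to set for a permitted route, or
    None when the route is denied (explicit deny or the implicit final deny)."""
    for action, clauses, sets in entries:
        if all(any(cond(route) for cond in clause) for clause in clauses):
            return dict(sets) if action == "permit" else None
    return None


# route-map aaa permit 10 / match ip address prefix-list ruijie /
# set metric-type type-1 / set metric 50
ROUTE_MAP_AAA = [
    ("permit",
     [[lambda r: prefix_list_permits(PREFIX_LIST_RUIJIE, r)]],
     {"metric-type": "type-1", "metric": 50}),
]


def redistribute(routes, route_map):
    """Routes that survive the route-map, with the attributes it sets."""
    result = {}
    for route in routes:
        attrs = route_map_apply(route_map, route)
        if attrs is not None:
            result[route.prefix] = attrs
    return result


if __name__ == "__main__":
    print("prefix-list:", [r.prefix for r in RIP_ROUTES
                           if prefix_list_permits(PREFIX_LIST_RUIJIE, r)])
    print("acl 1:      ", [r.prefix for r in RIP_ROUTES if acl_permits(ACL_1, r)])
    # A hypothetical 172.16.1.32/27 would slip past the ACL but not the prefix-list.
    print("/27 caveat: ", acl_permits(ACL_1, Route("172.16.1.32/27")),
          prefix_list_permits(PREFIX_LIST_RUIJIE, Route("172.16.1.32/27")))
    for prefix, attrs in redistribute(RIP_ROUTES, ROUTE_MAP_AAA).items():
        print(prefix, attrs)
```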

7.       Redistribute RIP routes to the OSPF process on Router R2 and call route-map for routing control.

Notes:

Route-map can be applied during route redistribution or establishment of a BGP neighbor relationship using the neighbor command.

R2(config)#router ospf 1

R2(config-router)#redistribute rip subnets route-map aaa //Apply route-map aaa when RIP routes are redistributed to the OSPF process.

R2(config-router)#exit

Supplement:

The configuration commands of applying route-map for establishment of a BGP neighbor relationship are as follows:

R2(config)#router bgp 1

R2(config-router)#neighbor 10.1.1.1 route-map aaa in //in indicates that control is performed on routes learnt from the neighbor and out indicates that control is performed on routes distributed to the neighbor (route-map is used for the BGP neighbor for routing control. After route-map is configured, routes of the BGP neighbor need to be soft reset so that the configuration takes effect. Do not perform this operation in peak hours of services).

 

V. Verification

Check route entries on Router R3. Route-map used for routing control is configured correctly if Router R3 successfully learns route entries 172.16.1.32/28, 172.16.1.48/29, and 172.16.1.56/30, the routes are of OE1 type, and the cost is changed.

R3#show ip route

 

Codes:  C - connected, S - static, R - RIP, B - BGP

        O - OSPF, IA - OSPF inter area

        N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

        E1 - OSPF external type 1, E2 - OSPF external type 2

        i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

        ia - IS-IS inter area, * - candidate default

 

Gateway of last resort is no set

O E1 172.16.1.32/28 [110/51] via 192.168.2.1, 00:03:14, FastEthernet 0/1

O E1 172.16.1.48/29 [110/51] via 192.168.2.1, 00:03:14, FastEthernet 0/1

O E1 172.16.1.56/30 [110/51] via 192.168.2.1, 00:03:14, FastEthernet 0/1

C    192.168.2.0/24 is directly connected, FastEthernet 0/1

C    192.168.2.2/32 is local host.

 

1.2.6     Policy-Based Routing

 

Features

Policy-Based Routing (PBR) provides a data packet routing and forwarding mechanism that is more flexible than destination address-based routing and forwarding. PBR flexibly selects a route based on the source address, destination address, port ID, and packet length of IP/IPv6 packets.

 

Scenarios

An enterprise has two egress paths: some PCs in the intranet access the Internet through one egress path and the other PCs access the Internet through the other egress path. In this case, the PBR function can be enabled on routers.

 

I.Networking Requirements

As shown in the following networking topology, Router R1 has two egresses to the external network: Router R3 and Router R4. The intranet 172.16.1.0/24 needs to access the external network through Router R3 and the intranet 172.16.2.0/24 needs to access the external network through Router R4.

 

II. Networking Topology

 

III. Configuration Tips

1.      Configure basic IP addresses.

2.      Configure basic IP routes to ensure routes throughout the network are reachable.

3.      Configure ACLs on Router R1 to match the traffic of the intranet.

4.      Configure PBR.

5.      Apply PBR.

 

IV. Configuration Steps

1.      Configure basic IP addresses.

Ruijie(config)#hostname R1

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-GigabitEthernet 0/0)#exit

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet 0/1)#ip address 192.168.2.1 255.255.255.0

R1(config-GigabitEthernet 0/1)#exit

R1(config)#interface gigabitEthernet 0/2

R1(config-GigabitEthernet 0/2)#ip address 192.168.3.1 255.255.255.0

R1(config-GigabitEthernet 0/2)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface gigabitEthernet 0/0

R2(config-GigabitEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-GigabitEthernet 0/0)#exit

R2(config)#interface gigabitEthernet 0/1

R2(config-GigabitEthernet 0/1)#ip address 172.16.1.1 255.255.255.0

R2(config-GigabitEthernet 0/1)#exit

R2(config)#interface gigabitEthernet 0/2

R2(config-GigabitEthernet 0/2)#ip address 172.16.2.1 255.255.255.0

R2(config-GigabitEthernet 0/2)#exit

 

Ruijie(config)#hostname R3

R3(config)#interface fastEthernet 0/0

R3(config-if-FastEthernet 0/0)#ip address 192.168.2.2 255.255.255.0

R3(config-if-FastEthernet 0/0)#exit

 

Ruijie(config)#hostname R4

R4(config)#interface fastEthernet 0/0

R4(config-if-FastEthernet 0/0)#ip address 192.168.3.2 255.255.255.0

R4(config-if-FastEthernet 0/0)#exit

2.      Configure basic IP routes to ensure routes throughout the network are reachable.

R1(config)#ip route 172.16.0.0 255.255.0.0 192.168.1.2

R2(config)#ip route 100.1.1.0 255.255.255.0 192.168.1.1

R3(config)#ip route 172.16.0.0 255.255.0.0 192.168.2.1

R4(config)#ip route 172.16.0.0 255.255.0.0 192.168.3.1

3.      Configure ACLs on Router R1 to match the traffic of the intranet.

R1(config)#ip access-list standard 10          //Configure ACL 10 to match the traffic of intranet 172.16.1.0/24.

R1(config-std-nacl)#10 permit 172.16.1.0 0.0.0.255

R1(config-std-nacl)#exit

R1(config)#ip access-list standard 20      //Configure ACL 20 to match the traffic of intranet 172.16.2.0/24.

R1(config-std-nacl)#10 permit 172.16.2.0 0.0.0.255

R1(config-std-nacl)#exit

4.      Configure PBR.

R1(config)#route-map ruijie permit 10        //Configure a route-map named ruijie.

R1(config-route-map)#match ip address 10     //Match traffic of intranet ACL 10.

R1(config-route-map)#set ip next-hop 192.168.2.2 //Set the next-hop address of IP packets to 192.168.2.2.

R1(config-route-map)#exit

R1(config)#route-map ruijie permit 20

R1(config-route-map)#match ip address 20

R1(config-route-map)#set ip next-hop 192.168.3.2

R1(config-route-map)#exit

Notes:

1)     Route-map matches traffic from top to bottom. When traffic matches the PBR, data is forwarded based on the matched policy and the match stops.

2)     A route-map ends with an implicit deny all statement, but for PBR this does not discard traffic: intranet traffic that matches no PBR entry is routed and forwarded as normal IP packets.

3)     Set ip next-hop can be used to set the next-hop IP address or outbound interface of data packets. The next-hop IP address is recommended.

5.      Apply PBR.

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip policy route-map ruijie //Apply PBR.

R1(config-GigabitEthernet 0/0)#exit

Notes:

The PBR must be applied in inbound interfaces of data packets rather than in outbound interfaces of data packets. Actually, PBR forcibly sets the next hop of data packets when data packets are transmitted into a router. In outbound interfaces, a router has conducted IP routing on data packets and sends out the data packets. Therefore, PBR does not take effect in the outbound direction.

 

V. Verification

Track routes to the external network 100.1.1.0/24 by using the source address on Router R2. If the intranet 172.16.1.0/24 accesses the external network through R3 and the intranet 172.16.2.0/24 accesses the external network through R4, PBR is configured correctly.

R2#traceroute 100.1.1.1 source 172.16.1.1

< press Ctrl+C to break >

Tracing the route to 100.1.1.1

 

1    192.168.1.1 0 msec 0 msec 0 msec

2    192.168.2.2 10 msec 0 msec 10 msec     //The intranet 172.16.1.0/24 accesses the external network through Router R3.

Other paths are omitted here.

 

R2#traceroute 100.1.1.1 source 172.16.2.1

< press Ctrl+C to break >

Tracing the route to 100.1.1.1

 

1    192.168.1.1 0 msec 0 msec 0 msec

2    192.168.3.2 10 msec 0 msec 10 msec     //The intranet 172.16.2.0/24 accesses the external network through Router R4.

Other paths are omitted here.

1.2.7     Routing across VRFs

Features:

The VPN Routing and Forwarding table (VRF) is used to resolve conflicts between overlapping local routes. The connection between a PE and a CE should be associated with a VRF. Each VRF can be regarded as a "virtual router", and routing between VRFs is isolated.

A VRF consists of:

1.      An independent routing table;

2.      A set of interfaces belonging to this VRF;

3.      A set of routing protocols only applicable to this VRF.

 

As forwarding between VRFs is isolated, how is route connectivity between VRFs realized? There are two common methods: static routing and policy-based routing to implement routing across VRFs.

Routing across VRFs through Static Routing:

Configuration Template 1:

ip route [vrf vrf_name] network mask [interface-type interface-number] [ip-address]

 

Configuration Example 1:

ip route vrf vpn1 10.0.0.0 255.0.0.0 GigabitEthernet 3/1/0 12.0.0.1

 

Configuration Explanation 1:

Add a static route to the 10.0.0.0/8 segment in the VRF vpn1. Data packets to this segment are forwarded out of the GI3/1/0 interface to the next hop 12.0.0.1.

The outbound interface (GI3/1/0 in the example) determines the VRF to which data packets are transferred: the VRF that the outbound interface belongs to is the VRF into which traffic for the destination segment is handed over.

 

//If no VRF is added on an interface, this interface belongs to a global VRF, namely a global routing table.

//As VRF transfer is marked by the outbound interface, configure a static route in the form of outbound interface + next hop IP address. Otherwise, the ARP resolution will fail and data cannot be transferred.

Configuration Template 2:

ip route [vrf vrf_name] network mask  ip-address global

 

Configuration Example 2:

ip route vrf vpn1 10.0.0.0 255.0.0.0 12.0.0.1 global

 

Configuration Explanation 2:

The global keyword indicates that the next hop is resolved in the global routing table.

Add a static route to the 10.0.0.0/8 segment in the VRF vpn1. Data packets to this segment are forwarded through the global routing table to the next hop 12.0.0.1.

Difference between Configuration Template 1 and Configuration Template 2:

"Configuration Template 1" supports routing across VRFs between VRFs, and between any VRF and a global routing table.

"Configuration Template 2" supports routing across VRFs between any VRF and a global routing table only and cannot support routing across VRFs between any VRFs.

Routing across VRFs Through Policy-based Routing:

1)     Define the ACL interesting traffic.

ip access-list extended 100

 10 permit ip 10.0.0.0 0.255.255.255 any

 

2)     Define policy-based routing.

route-map internet permit 10

 match ip address 100

 set vrf vpn1

//set vrf: routes the IP packets using the specified VRF instance. Policy-based routing takes priority over ordinary routing. This command cannot be configured together with set ip [default] nexthop or set [default] interface. IP packets received on the interface that match the match rules are routed using the VRF specified by set vrf, regardless of whether that VRF and the receiving interface belong to the same VRF.

3)     Apply policy-based routing on the interface.

interface GigabitEthernet 3/1/0

 ip policy route-map internet
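As an added example that is not part of the cookbook, the following Python model shows the forwarding decision of a router with PBR evaluated before the routing table: the two-egress case of Router R1 from section 1.2.6 (PBR on the ingress interface only, first match wins, unmatched traffic routed normally rather than dropped) and the set vrf case of PE 1 above (the matched segment is looked up in vpn1, the return path uses the cross-VRF static route). The interface names, packet samples, the vpn1 default route next hop and the helper names are assumptions of the example.

```python
# Added example, not from the Ruijie cookbook: a model of a router's forwarding
# decision with policy-based routing (PBR) consulted before the routing table.
# Covers Router R1 of section 1.2.6 and PE 1 of section 1.2.7.  Interface
# names, packet samples, the vpn1 default route and helper names are my own.
import ipaddress


def lookup(table, dst):
    """Longest-prefix match in one routing table ({prefix: next_hop}).
    Returns (prefix, next_hop) or None when the table has no matching route."""
    best = None
    for prefix, next_hop in table.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (
                best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def forward(router, in_iface, src, dst):
    """Forwarding decision for one packet.  PBR is consulted only on the
    ingress interface (ip policy route-map), entries top-down, first match
    wins.  A packet matching no entry is NOT discarded: it falls through to a
    normal lookup in the VRF of the ingress interface.  Returns
    (decision, vrf, next_hop) with decision in {"pbr", "route", "drop"}."""
    vrf = router["iface_vrf"].get(in_iface, "global")
    policy = router["policy"].get(in_iface)
    for entry in router["route_maps"].get(policy, []):
        if ipaddress.ip_address(src) in ipaddress.ip_network(entry["match_src"]):
            if "next_hop" in entry:            # set ip next-hop
                return ("pbr", vrf, entry["next_hop"])
            vrf = entry["vrf"]                 # set vrf: use another VRF's table
            break
    hit = lookup(router["tables"][vrf], dst)
    return ("route", vrf, hit[1]) if hit else ("drop", vrf, None)


# Router R1 of section 1.2.6: ACL 10 -> R3, ACL 20 -> R4, static route back
# to R2; the route-map is applied on the intranet-facing interface Gi0/0.
R1 = {
    "iface_vrf": {"Gi0/0": "global", "Gi0/1": "global", "Gi0/2": "global"},
    "tables": {"global": {"172.16.0.0/16": "192.168.1.2",
                          "192.168.1.0/24": "connected Gi0/0",
                          "192.168.2.0/24": "connected Gi0/1",
                          "192.168.3.0/24": "connected Gi0/2"}},
    "route_maps": {"ruijie": [
        {"match_src": "172.16.1.0/24", "next_hop": "192.168.2.2"},   # permit 10
        {"match_src": "172.16.2.0/24", "next_hop": "192.168.3.2"},   # permit 20
    ]},
    "policy": {"Gi0/0": "ruijie"},
}

# PE 1 of section 1.2.7: Gi3/1/0 in the global VRF with route-map internet
# (ACL 100 = source 10.0.0.0/8, set vrf vpn1); Gi3/1/1 in vpn1.  The vpn1
# default route next hop 23.0.0.3 is a constructed placeholder; the 10.0.0.0/8
# entry in vpn1 is the template-1 static route whose next hop is reached
# through Gi3/1/0 in the global VRF.
PE1 = {
    "iface_vrf": {"Gi3/1/0": "global", "Gi3/1/1": "vpn1"},
    "tables": {"global": {"12.0.0.0/24": "connected Gi3/1/0",
                          "10.0.0.0/8": "12.0.0.1"},
               "vpn1": {"23.0.0.0/24": "connected Gi3/1/1",
                        "0.0.0.0/0": "23.0.0.3",
                        "10.0.0.0/8": "12.0.0.1 via Gi3/1/0"}},
    "route_maps": {"internet": [{"match_src": "10.0.0.0/8", "vrf": "vpn1"}]},
    "policy": {"Gi3/1/0": "internet"},
}


if __name__ == "__main__":
    print(forward(R1, "Gi0/0", "172.16.1.10", "100.1.1.1"))   # PBR -> R3
    print(forward(R1, "Gi0/0", "172.16.2.10", "100.1.1.1"))   # PBR -> R4
    print(forward(R1, "Gi0/0", "172.16.3.10", "192.168.2.2")) # no match: normal routing
    print(forward(R1, "Gi0/1", "100.1.1.1", "172.16.1.10"))   # no PBR on egress side
    print(forward(PE1, "Gi3/1/0", "10.1.1.1", "203.0.113.5"))  # PC 1 -> vpn1 default
    print(forward(PE1, "Gi3/1/0", "172.20.0.5", "203.0.113.5"))# other non-VPN: no route
    print(forward(PE1, "Gi3/1/1", "203.0.113.5", "10.1.1.1"))  # return path via static
```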

 

 

I. Actual Networking Requirements

The Multiprotocol Label Switching (MPLS) VPN has been widely used. As is well known, the public network and the VPN carried by MPLS cannot access each other, because they belong to different VRFs, which isolate the public network from the private network.

Some networks require that certain non-VPN services be carried by the public network; that is, services not included in the VPN are accessed through the public network. Since VPN services and non-VPN services generally have no need for mutual access, the two can be carried by the same public network.

However, some networks have a special requirement that non-VPN services need to access the Internet while the Internet egress belongs to a VRF instance of MPLS VPN. How to realize mutual access between non-VPN services and VPN services becomes an issue.

Requirements:

Department A and the office MAN belong to a non-VPN service and need mutual access with other non-VPN services.

Department A and the office MAN need to access the Internet.

Non-VPN services other than Department A and the office MAN cannot access the Internet.

Topology Description:

This topology is the actual topology of a network.

The part with yellow shading refers to the public network and carries VPN services and non-VPN services at the same time.

At the Internet egress, the interfaces that connect the two RSR7716 routers to an RSR7708 router belong to the VRF Internet.

 

II. Network Topology

 

III. Simulated Networking Requirements

PC 1 belongs to a non-VPN service and needs mutual access with other non-VPN services.

PC 1 needs to access the Internet.

Non-VPN services other than PC 1 cannot access the Internet.

IV. Network Topology

V. Configuration Tips

Data transmission is bidirectional, so route connectivity is considered both from PC 1 to the Internet and from the Internet to PC 1.

From PC 1 to the Internet:

Requirement: PC 1 needs to access the Internet, but non-VPN services other than PC 1 must not. Therefore, apply VRF policy-based routing inbound on GI3/1/0 of PE 1: routing across VRFs is allowed for the PC 1 segment only and blocked for all other segments.

Originate a default route into the global routing domain on PE 1 so that non-VPN services on the public network learn the default route towards the Internet.

From the Internet to PC 1:

PE 1 needs a return route. A static route across VRFs points back to the PC 1 segment.

PE 1 needs to redistribute that static route into OSPF within the VRF so that the egress router learns the non-VPN route.

 

VI. Configuration Steps

Routing across VRFs is generally applied on PEs in an MPLS VPN, but it is essentially VRF transfer and unrelated to MPLS. Therefore, MPLS VPN configuration is not covered in this example.

PE 1 Configuration:

1.      Basic configuration for route connectivity.

ip vrf vpn1  

interface GigabitEthernet 3/1/0

   ip policy route-map internet

   ip address 12.0.0.2 255.255.255.0

interface GigabitEthernet 3/1/1

   ip vrf forwarding vpn1

   ip address 23.0.0.2 255.255.255.0

interface Loopback 0

   ip address 2.2.2.2 255.255.255.255

router ospf 1

   network 2.2.2.2 0.0.0.0 area 0

   network 12.0.0.2 0.0.0.0 area 0

   default-information originate always

router ospf 10 vrf vpn1

   redistribute static subnets

   network 23.0.0.2 0.0.0.0 area 0

 

2.      Routing policy from PC 1 to the Internet (via policy-based routing)

route-map internet permit 10

   match ip address 100

   set vrf vpn1

ip access-list extended 100

   10 permit ip 10.0.0.0 0.255.255.255 any

interface GigabitEthernet 3/1/0

   ip policy route-map internet

 

3.      Routing policy from the Internet to PC 1 (via static routing)

ip route vrf vpn1 10.0.0.0 255.0.0.0 GigabitEthernet 3/1/0 12.0.0.1

 

PE 2 Configuration:

interface GigabitEthernet 0/0

   ip ref

   ip address 12.0.0.1 255.255.255.0

interface GigabitEthernet 0/1

   ip ref

   ip address 10.0.0.254 255.255.255.0

interface Loopback 0

   ip ref

   ip address 1.1.1.1 255.255.255.255

router ospf 1

   network 1.1.1.1 0.0.0.0 area 0

   network 10.0.0.0 0.0.0.255 area 0

   network 12.0.0.1 0.0.0.0 area 0

 

Configuration for the Internet egress router

interface GigabitEthernet 0/0

   ip ref

   ip address 23.0.0.3 255.255.255.0

interface Loopback 0

   ip ref

   ip address 3.3.3.3 255.255.255.255

router ospf 1

   redistribute static subnets

   network 23.0.0.3 0.0.0.0 area 0

   default-information originate

ip route 0.0.0.0 0.0.0.0 Loopback 0
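The forwarding logic described in the Configuration Tips, as an added Python model that is not part of this cookbook: it reconstructs PE 1's global and vpn1 tables from the configuration above (OSPF-learned prefixes and the next-hop strings are constructed assumptions), applies the route-map only to packets entering GI3/1/0, and shows that only the 10.0.0.0/8 segment reaches the vpn1 default route while other non-VPN sources find no default in the global table and are dropped.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]   # (prefix, next hop as a descriptive string)

# Constructed routing tables for PE 1. Connected and static routes come from the
# configuration above; OSPF-learned prefixes are assumed from the PE 2 and egress
# router configurations (1.1.1.1/32 and 10.0.0.0/24 via OSPF 1, the default via OSPF 10).
GLOBAL_RIB: List[Route] = [
    ("2.2.2.2/32", "Loopback 0"),
    ("12.0.0.0/24", "GigabitEthernet 3/1/0"),
    ("1.1.1.1/32", "via 12.0.0.1"),
    ("10.0.0.0/24", "via 12.0.0.1"),
    # No 0.0.0.0/0 here: PE 1 advertises a default into OSPF 1 ('always') but holds none itself.
]
VPN1_RIB: List[Route] = [
    ("23.0.0.0/24", "GigabitEthernet 3/1/1"),
    ("0.0.0.0/0", "via 23.0.0.3"),                           # learned from the egress router
    ("10.0.0.0/8", "GigabitEthernet 3/1/0 via 12.0.0.1"),   # ip route vrf vpn1 ... (cross-VRF)
]
PBR_SOURCES = ipaddress.ip_network("10.0.0.0/8")           # access-list 100


def lookup(rib: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match; returns None when the table has no matching route."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for prefix, nexthop in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return None if best is None else best[1]


def forward(ingress: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (table consulted, next hop) for a packet entering PE 1 on `ingress`."""
    if ingress == "GigabitEthernet 3/1/0":
        # 'ip policy route-map internet': ACL 100 matches source 10.0.0.0/8 -> 'set vrf vpn1'.
        # PBR is evaluated before the ordinary lookup, so only this segment crosses VRFs.
        if ipaddress.ip_address(src) in PBR_SOURCES:
            return ("vpn1", lookup(VPN1_RIB, dst))
        return ("global", lookup(GLOBAL_RIB, dst))
    if ingress == "GigabitEthernet 3/1/1":
        # 'ip vrf forwarding vpn1': return traffic from the egress is looked up in vpn1,
        # where the cross-VRF static route points back out of GI3/1/0.
        return ("vpn1", lookup(VPN1_RIB, dst))
    return ("global", lookup(GLOBAL_RIB, dst))


if __name__ == "__main__":
    print(forward("GigabitEthernet 3/1/0", "10.0.0.1", "3.3.3.3"))   # ('vpn1', 'via 23.0.0.3')
    print(forward("GigabitEthernet 3/1/0", "1.1.1.1", "3.3.3.3"))    # ('global', None): dropped
    print(forward("GigabitEthernet 3/1/1", "3.3.3.3", "10.0.0.1"))   # ('vpn1', 'GigabitEthernet 3/1/0 via 12.0.0.1')
```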

 

 

VII. Verification

1.      PC 1 can ping the Internet egress router 3.3.3.3.

PC1#ping 3.3.3.3

Sending 5, 100-byte ICMP Echoes to 3.3.3.3, timeout is 2 seconds:

  < press Ctrl+C to break >

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/12/20 ms

 

1.3      Fixed Switch Modules

 

Features

The RSR10-02E, RSR20-04E, and RSR20-14E/F routers have fixed switch ports. These routers are designed using a new architecture and therefore, the configuration is different from that of the NMX-24ESW switch module. The fixed switch modules have the following characteristics:

1.      You cannot log in to fixed switch modules and they do not need to be managed separately (there is no centralized or distributed management).

2.      All configurations of fixed switch modules are completed on the router CLI (integrated routing and switching are implemented).

3.      The method for configuring the switching function of fixed switch modules is the same as the configuration method on the switch.

Configuration Examples

(Note: The following configuration is completed on the router CLI.)

1.      Create VLAN 10 and VLAN 20.

Ruijie#config terminal

Enter configuration commands, one per line.  End with CNTL/Z.

Ruijie(config)#vlan 10

Ruijie(config-vlan)#exi

Ruijie(config)#vlan 20

2.      Configure the SVI addresses for VLAN 10 and VLAN 20.

Ruijie(config)#interface vlan 10

Ruijie(config-if-VLAN 10)#ip address 10.0.0.1 255.255.255.0

Ruijie(config-if-VLAN 10)#exit

Ruijie(config)#interface vlan 20

Ruijie(config-if-VLAN 20)#ip address 20.0.0.1 255.255.255.0

3.      Configure attribute of switch ports.

Ruijie(config)#interface fastEthernet 1/1

Ruijie(config-if-FastEthernet 1/1)#switchport mode access

Ruijie(config-if-FastEthernet 1/1)#switchport access vlan 10

Ruijie(config-if-FastEthernet 1/1)#exit

Ruijie(config)#interface fastEthernet 1/2

Ruijie(config-if-FastEthernet 1/2)#switchport mode access

Ruijie(config-if-FastEthernet 1/2)#switchport access vlan 20

Ruijie(config-if-FastEthernet 1/2)#exit

Ruijie(config)#interface fastEthernet 1/3

Ruijie(config-if-FastEthernet 1/3)#switchport mode trunk

 

1.4      Security

1.4.1     ACL

1.4.1.1     Standard ACL

 

A standard ACL can only match source IP addresses.

 

Application Scenario

During security policy setting, a standard ACL can be used to control all traffic from certain IP addresses or a network segment, for example, prohibiting certain IP addresses from accessing all resources. An extended ACL can be used to control part of the traffic from certain IP addresses or a network segment, for example, prohibiting certain IP addresses from accessing another network segment.

 

I.Networking Requirements

The intranet host PC1 (IP address 192.168.1.2) is prohibited from accessing the Internet; other IP addresses are not restricted.

 

II. Network Topology

 

 

III. Configuration Tips

1.      Configure a standard ACL in global mode.

2.      Apply the standard ACL on the intranet interface.

3.      Save the configuration.

 

IV. Configuration Steps

1.      Configure a standard ACL in global mode

Notes:

(1)    The number of a standard ACL ranges from 1 to 99 and from 1300 to 1999. The number of an extended ACL ranges from 100 to 199 and from 2000 to 2699.

(2)    A standard ACL can only match source IP addresses, but an extended ACL can match five elements of the data stream (source IP address, destination IP address, source port, destination port, and protocol number).

(3)    An ACL matches the ACE entries from top to down (according to the ascending order of the sequence numbers of the ACE entries). After finding a match, the ACL executes the action (allow/deny) of the related ACE entry and does not match any other ACE entries.

(4)    An ACL contains an implicit ACE entry (deny any) that denies all traffic. To prohibit a certain network segment while allowing other network segments, after configuring the ACE entry denying the traffic, add an ACE entry "permit any" to allow other traffic.

Ruijie(config)#ip access-list standard 1 //Creates a standard ACL 1

Ruijie(config-std-nacl)#10 deny 192.168.1.2 0.0.0.0 //Configures the ACL entry with a sequence number of 10 to match the IP address 192.168.1.2 (IP address + wildcard mask)

Ruijie(config-std-nacl)#20 permit any      // Configures to permit other traffic

Ruijie(config-std-nacl)#exit

2.      Apply the standard ACL on the intranet interface

Ruijie(config)#interface fastEthernet 0/0

Ruijie(config-if-FastEthernet 0/0)#ip access-group 1 in       //Applies the ACL 1 on the intranet interface

3.      Save the configuration

Ruijie(config-if-FastEthernet 0/0)#end

Ruijie#write        //Verifies and saves the configuration

 

V. Verification

Test whether the intranet PCs can access the Internet. If PC1 cannot access the Internet but other PCs can, the configuration is correct.

1.      Show configuration of the ACL.

Ruijie#show access-lists

ip access-list standard 1

10 deny 192.168.1.2 0.0.0.0

20 permit any

2.      Show application of the ACL on the interface.

Ruijie#show ip access-group

ip access-group 1 in

Applied On interface FastEthernet 0/0.

 

1.4.1.2     Extended ACL

 

Function Introduction:

An extended ACL can match five elements of the data stream (source IP address, destination IP address, source port, destination port, and protocol number).

 

Application Scenario:

During security policy setting, an extended ACL can be used to control part of the traffic from certain IP addresses or a network segment. For example, to prohibit an IP address from accessing websites, write an extended ACL with that IP address as the source, any IP address as the destination, and destination port 80 (the HTTP port).

 

I.Networking Requirements

PC1 is prohibited from accessing the Web service of 100.100.100.100 (TCP port 80), but all other traffic is permitted.

 

II. Network Topology

 

III. Configuration Tips

1.      Configure an extended ACL in global mode

2.      Apply the extended ACL on the intranet interface

3.      Save the configuration

 

IV. Configuration Steps

1.      Configure an extended ACL in global mode

(1)    The number of a standard ACL ranges from 1 to 99 and from 1300 to 1999. The number of an extended ACL ranges from 100 to 199 and from 2000 to 2699.

(2)    A standard ACL can only match source IP addresses, but an extended ACL can match five elements of the data stream (source IP address, destination IP address, source port, destination port, and protocol number).

(3)    An ACL matches the ACE entries from top to down (according to the ascending order of the sequence numbers of the ACE entries). After finding a match, the ACL executes the action (allow/deny) of the related ACE entry and does not match any other ACE entries.

(4)    An ACL contains an implicit ACE entry (deny any) that denies all traffic.To prohibit a certain network segment while allowing other network segments, after configuring an ACE entry denying the traffic, add an ACE entry "permit any" to allow other traffic.

Ruijie(config)#ip access-list extended 100

Ruijie(config-ext-nacl)#10 deny tcp 192.168.1.2 0.0.0.0 100.100.100.100 0.0.0.0 eq 80    //Configures an extended ACL entry that prohibits the intranet PC1 192.168.1.2 from accessing port 80 of 100.100.100.100.

Ruijie(config-ext-nacl)#20 permit ip any any    //Configures to permit other traffic (mandatory)

Ruijie(config-ext-nacl)#exit

2.      Apply the extended ACL on the intranet interface

Ruijie(config)#interface fastEthernet 0/0

Ruijie(config-if-FastEthernet 0/0)#ip access-group 100 in    //Applies the ACL 100 on the intranet interface

3.      Save the configuration

Ruijie(config-if-FastEthernet 0/0)#end

Ruijie#write        //Verifies and saves the configuration
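As an added example (not the cookbook's code), a Python model of the ACE matching rules stated in the notes of both the standard and the extended ACL sections: wildcard-mask comparison, top-down first-match evaluation in ascending sequence order, and the implicit deny at the end. It parses ACL 1 and ACL 100 exactly as 'show access-lists' prints them; the Packet fields and the 'www' alias are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"            # "ip", "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: Tuple[int, int]         # (address, wildcard mask) as integers
    dst: Tuple[int, int]
    dport: Optional[int]


ANY = (0, 0xFFFFFFFF)            # "any": every wildcard bit set


def _addr_wild(tok: List[str]) -> Tuple[int, int]:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' from the token list."""
    t = tok.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (int(ipaddress.IPv4Address(tok.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tok.pop(0))))


def _wild_match(spec: Tuple[int, int], addr: str) -> bool:
    """A wildcard bit of 1 means 'don't care'; 0.0.0.0 is therefore an exact host match."""
    base, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (base ^ int(ipaddress.IPv4Address(addr))) & care == 0


def parse_acl(text: str, kind: str) -> List[Ace]:
    """Parse ACE lines in the form printed by 'show access-lists' (standard or extended)."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        seq, action = int(tok.pop(0)), tok.pop(0)
        if kind == "standard":
            aces.append(Ace(seq, action, "ip", _addr_wild(tok), ANY, None))
            continue
        proto = tok.pop(0)
        src, dst = _addr_wild(tok), _addr_wild(tok)
        dport = None
        if tok and tok[0] == "eq":
            dport = 80 if tok[1] == "www" else int(tok[1])
        aces.append(Ace(seq, action, proto, src, dst, dport))
    return sorted(aces, key=lambda a: a.seq)   # evaluated in ascending sequence order


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """Top-down, first match wins; the implicit 'deny any' applies when nothing matches."""
    for a in aces:
        if a.proto != "ip" and a.proto != pkt.proto:
            continue
        if not (_wild_match(a.src, pkt.src) and _wild_match(a.dst, pkt.dst)):
            continue
        if a.dport is not None and a.dport != pkt.dport:
            continue
        return a.action
    return "deny"


# Constructed sample ACLs, copied from the two verification outputs in this section.
STANDARD_ACL_1 = """
10 deny 192.168.1.2 0.0.0.0
20 permit any
"""
EXTENDED_ACL_100 = """
10 deny tcp host 192.168.1.2 host 100.100.100.100 eq www
20 permit ip any any
"""
# The same deny entry without the trailing 'permit any': everything else hits the implicit deny.
STANDARD_NO_PERMIT = "10 deny 192.168.1.2 0.0.0.0"

if __name__ == "__main__":
    std = parse_acl(STANDARD_ACL_1, "standard")
    print(evaluate(std, Packet("192.168.1.2", "8.8.8.8")))      # deny
    print(evaluate(std, Packet("192.168.1.3", "8.8.8.8")))      # permit
    ext = parse_acl(EXTENDED_ACL_100, "extended")
    print(evaluate(ext, Packet("192.168.1.2", "100.100.100.100", "tcp", 80)))   # deny
    print(evaluate(ext, Packet("192.168.1.2", "100.100.100.100", "tcp", 443)))  # permit
    print(evaluate(parse_acl(STANDARD_NO_PERMIT, "standard"), Packet("10.1.1.1", "8.8.8.8")))  # deny
```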

 

V. Verification

1.      Test whether the intranet PC1 can access the Web service of 100.100.100.100 and other services. If PC1 cannot access the Web service of 100.100.100.100 but can access everything else, the configuration is correct.

2.      Show configuration of the ACL.

Ruijie#show access-lists

ip access-list extended 100

10 deny tcp host 192.168.1.2 host 100.100.100.100 eq www

20 permit ip any any

3.      Show application of the ACL on the interface.

Ruijie#show ip access-group

ip access-group 100 in

Applied On interface FastEthernet 0/0.

 

1.4.1.3     Reflexive ACL

 

Function Introduction:

Reflexive ACLs can be used for one-way access. A temporary access list is automatically generated based on the L3 and L4 information of the traffic originated by the intranet. The temporary access list is created according to the following principles: the protocol is not changed, the source IP address and the destination IP address are exchanged, and the source port and the destination port are exchanged. The router allows traffic to enter the intranet only when the L3 and L4 information of the returned traffic exactly matches that of the temporary access list created based on the outbound traffic.

Application Scenario

During security policy setting, standard/extended ACLs can be used to match IP traffic. Besides, reflexive ACLs can also be used to meet one-way access demands. Only when one end actively initiates an access session, the return packets from the peer can be passed. If the peer actively initiates an access session, the access is denied by the ACL.

I.Networking Requirements

The loopback 0 address 1.1.1.1 of R1 can actively access the loopback 0 address 3.3.3.3 of R3, but R3 cannot actively access R1; this provides one-way access from R1 to R3.

 

II. Network Topology


 

III. Configuration Tips

1.      Complete basic configuration for each device, including the configuration of interface IP addresses and routes.

2.      Configure a reflexive ACL on R2.

IV. Configuration Steps

1.      Complete basic configuration for each device, including the configuration of interface IP addresses and routes

Omitted.

2.      Configure a reflexive ACL

R2(config)#ip access-list extended 100

R2(config-ext-nacl)#permit ip host 1.1.1.1 host 3.3.3.3

R2(config)#inter gi0/0

R2(config-if-GigabitEthernet 0/0)#ip access-group 100 in reflect

R2(config)#ip access-list extended 101

R2(config-ext-nacl)#deny ip any any

R2(config)#inter gi0/1

R2(config-if-GigabitEthernet 0/1)#ip access-group 101 in
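An added Python model of the reflexive ACL behaviour on R2 (a constructed example, not the cookbook's code): a flow permitted by ACL 100 on gi0/0 creates a mirrored temporary entry, return traffic on gi0/1 passes only on an exact L3/L4 match with that entry, and everything else falls through to ACL 101. The idle timeout of 300 seconds and the method names are assumptions; the page states no timeout value.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    proto: str                    # "icmp", "tcp" or "udp"
    src: str
    dst: str
    sport: Optional[int] = None   # None for ICMP
    dport: Optional[int] = None

    def mirrored(self) -> "Flow":
        """The temporary ACE: protocol kept, addresses swapped, ports swapped."""
        return Flow(self.proto, self.dst, self.src, self.dport, self.sport)


class ReflexiveFilter:
    """Models R2 from the example above:
    gi0/0 (towards R1): 'ip access-group 100 in reflect', ACL 100 being
                        'permit ip host 1.1.1.1 host 3.3.3.3' plus the implicit deny;
    gi0/1 (towards R3): 'ip access-group 101 in', ACL 101 being 'deny ip any any'."""

    def __init__(self, permitted_pairs: Iterable[Tuple[str, str]], idle_timeout: float = 300.0):
        self.permitted = set(permitted_pairs)     # ACL 100 as (src, dst) host pairs
        self.temp: Dict[Flow, float] = {}         # temporary ACEs -> expiry time
        self.idle_timeout = idle_timeout          # assumed value; the page states none

    def from_r1(self, f: Flow, now: float = 0.0) -> bool:
        """Traffic entering gi0/0 is filtered by ACL 100; a permitted flow is reflected."""
        if (f.src, f.dst) not in self.permitted:
            return False                          # implicit deny of ACL 100
        self.temp[f.mirrored()] = now + self.idle_timeout
        return True

    def from_r3(self, f: Flow, now: float = 0.0) -> bool:
        """Traffic entering gi0/1 passes only on an exact L3/L4 match with a live
        temporary entry; anything else falls through to ACL 101 (deny ip any any)."""
        expiry = self.temp.get(f)
        if expiry is None:
            return False
        if now > expiry:
            del self.temp[f]                      # entry aged out
            return False
        self.temp[f] = now + self.idle_timeout    # refresh on use
        return True


if __name__ == "__main__":
    r2 = ReflexiveFilter({("1.1.1.1", "3.3.3.3")})
    # R3 initiating towards R1 is dropped; R1's ping creates the entry its reply needs.
    print(r2.from_r3(Flow("icmp", "3.3.3.3", "1.1.1.1")))          # False
    print(r2.from_r1(Flow("icmp", "1.1.1.1", "3.3.3.3"), now=0))   # True
    print(r2.from_r3(Flow("icmp", "3.3.3.3", "1.1.1.1"), now=1))   # True
```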

 

V. Verification

1.      After configuration, a ping from loopback 0 of R1 to loopback 0 of R3 succeeds.

R1#ping 3.3.3.3 source 1.1.1.1

Sending 5, 100-byte ICMP Echoes to 3.3.3.3, timeout is 2 seconds:

  < press Ctrl+C to break >

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 10/12/20 ms

2.      A ping from loopback 0 of R3 to loopback 0 of R1 fails.

R3#ping 1.1.1.1 source 3.3.3.3           

Sending 5, 100-byte ICMP Echoes to 1.1.1.1, timeout is 2 seconds:

  < press Ctrl+C to break >

.....

Success rate is 0 percent (0/5)

 

1.4.2     NAT

 

Features:

NAT: refers to Network Address Translation. During normal data forwarding, the source and destination addresses at the IP header and the port number are not changed. However, when NAT is enabled, the packet header contents are changed, implementing functions such as hiding real addresses of inside and outside hosts, enabling multiple hosts to share a few IP addresses to access inside and outside networks, implementing overlapping of IP addresses, and server load balance.

 

Port Address Translation (PAT): also known as Network Address Port Translation (NAPT) or port reusing of NAT. It is used to implement network address translation by mapping and distinguishing data streams based on IP addresses and port numbers so that multiple inside hosts can access an outside network using one or a few legal IP addresses.

 

NAT terms:

Inside local: inside local address (the real address of an inside host, generally a private address).

 

Inside global: inside global address (the address of an inside host for accessing outside networks after NAT; it is a legal IP address allocated by ISP).

 

Outside local: outside local address (the address by which an outside host appears to the inside network after NAT; it is generally a private IP address, so that from the inside host's point of view the outside host looks like an inside host rather than an outside one).

 

Outside global: outside global address (the real address of an outside host; it is a legal IP address on the Internet).

 

1.4.2.1     Source IP Address Translation

1.4.2.2     PPPOE

 

Ruijie products support PPP over Ethernet (PPPOE) for Dial-on-Demand Routing (DDR). As with DDR, dialing is triggered by data traffic and the connection is dropped automatically after the idle timeout.

The PPPOE implementation of the products is similar to that of advanced DDR (DDR profiles): an Ethernet interface is bound to a logical dialer interface, and the logical dialer interface performs the actual negotiation.

 

Application Scenario

An enterprise rents the broadband dialing line of a Telecom operator to access Internet resources.

 

I.Networking Requirements

Intranet users use the RG-RSR router to access Internet, and the Internet line is the ADSL dialing line.

 

II. Network Topology

 

 

III. Configuration Tips

1.      Configure dialing.

2.      Configure NAT.

3.      Configure the default route.

 

IV. Configuration Steps

1.      Enable PPPOE on the physical interface

Ruijie>enable 

Ruijie#configure terminal

Ruijie(config)#interface FastEthernet 0/0

Ruijie(config-if-FastEthernet 0/0)#pppoe enable                                //Enables PPPOE

Ruijie(config-if-FastEthernet 0/0)# pppoe-client dial-pool-number 5 no-ddr  //Binds the Ethernet interface to the dialer pool 5

Ruijie(config-if-FastEthernet 0/0)# ip ref                                          //Enables Ruijie Express Forwarding (REF). If the command is not recognized, REF is enabled by default.

Ruijie(config-if-FastEthernet 0/0)#exit

2.      Configure the logic dialer interface

Ruijie(config)#interface dialer 0

Ruijie(config-if-dialer 0)# ip ref                           //Enables REF. If the command is not recognized, REF is enabled by default.

Ruijie(config-if-dialer 0)#encapsulation ppp           //Encapsulates PPP

Ruijie(config-if-dialer 0)#ppp chap hostname pppoe      //Configures the CHAP-encrypted user name: pppoe

Ruijie(config-if-dialer 0)#ppp chap password  pppoe     //Configures the CHAP-encrypted password: pppoe

Ruijie(config-if-dialer 0)#ppp pap sent-username pppoe password pppoe         //Configures PAP-encrypted user name and password

Ruijie(config-if-dialer 0)#ip address negotiate              //Negotiates to obtain the IP address

Ruijie(config-if-dialer 0)#dialer pool 5                     //Associates the dialer pool 5

Ruijie(config-if-dialer 0)#dialer-group 1               //Associates dialer-list 1, which defines the traffic that triggers dialing

Ruijie(config-if-dialer 0)#dialer idle-timeout 300  //The dialer is disconnected when the idle time of 300s times out

Ruijie(config-if-dialer 0)#mtu 1492

Ruijie(config-if-dialer 0)#exit

Ruijie(config)#access-list 1 permit any                            

Ruijie(config)#dialer-list 1 protocol ip permit         //Global dialer list

3.      Configure NAT

Ruijie(config)#access-list 100 permit ip any any        //Defines the data stream to execute NAT. The parameter is set to "any" here.

Ruijie(config)#ip nat pool ruijie prefix-length 24            //Creates the NAT address pool "ruijie" with a 24-bit prefix length.

Ruijie(config-ipnat-pool)#address interface dialer 0 match interface dialer 0    //Configures IP NAT translation. To forward data from dialer 0, use the address of dialer 0 for NAT.

Ruijie(config-ipnat-pool)#exit

Ruijie(config)#ip nat inside source list 100 pool ruijie overload  // Configures the NAT policy. "100" indicates access-list 100 and "ruijie" indicates the address pool of NAT.

Ruijie(config)#interface dialer 0

Ruijie(config-if-dialer 0)#ip nat outside                      //Indicates an Internet NAT interface

Ruijie(config-if-dialer 0)#interface fastEthernet 0/1

Ruijie(config-if-FastEthernet 0/1)#ip nat inside          //Indicates an intranet NAT interface

Ruijie(config-if-FastEthernet 0/1)#ip address 192.168.1.1 255.255.255.0         //Configures an intranet IP address as the intranet gateway

Ruijie(config-if-FastEthernet 0/1)#ip ref

4.      Configure the default route

Ruijie(config)#ip route 0.0.0.0 0.0.0.0  dialer 0

 

V. Verification

1.      Check whether dialing is successful

Ruijie#show ip interface brief

Interface                         IP-Address(Pri)         OK?      Status  

FastEthernet 0/0                  no address            YES       DOWN    

FastEthernet 0/1                 192.168.1.1/24          YES       UP      

dialer 0                           222.168.1.2           YES       UP

Note: If the configuration is correct, the IP address is displayed after "dialer 0".

2.      After the IP address, mask and gateway of an intranet computer are configured to 192.168.1.x, 255.255.255.0 and 192.168.1.1 respectively, and the DNS is correctly configured, the computer can access Internet.

 

1.4.2.3     Basic Network Access Configuration for Router without Switching Interface

 

Introduction:

This section introduces basic network access configurations for routers without switching interfaces. The router models include RSR1002, RSR20-04, RSR20-14, RSR20-18, RSR20-24, RSR30-44 (without NMX-24ESW card), RSR30-X, RSR50 series, and RSR77 series. It is common that the routers have routing interfaces but do not have switching interfaces. If multiple PCs need to access the Internet, a switch is needed in the inside network. This section introduces how to access Internet through NAT and how to map the inside network server to the Internet.

Features:

Port Address Translation (PAT): also known as Network Address Port Translation (NAPT). It is used to implement network address translation by mapping and distinguishing data streams based on the IP address and port numbers of the outside interface, so that multiple inside hosts can access an outside network using the IP address of the outside interface. It is often used when there is only one public network address.

Address pool translation: It is used to implement network address translation by mapping and distinguishing data streams based on IP addresses and port numbers of the public address pool so that multiple inside hosts can access the outside network using a few public IP addresses. It is often used when one outbound interface has multiple public IP addresses.

Static NAT: It is used to map IP addresses of inside hosts to public IP addresses one-to-one, or to map IP addresses and port numbers of inside hosts to public IP addresses and port numbers one-to-one. It is often used to map the IP address of an inside host to a public IP address, or to map a port of an inside server to a port of a public address, so that the inside server can be reached through the public IP address or through the public IP address + port number.

 

Scenarios

An enterprise can rent a private line of an operator for network access. The following describes three scenarios for relevant functions:

Scenario 1: When there is only one public IP address, the IP addresses of all inside network users need to be translated into the IP address of the outside network interface, so that all inside network users can access the outside network.

Scenario 2: When there is a public IP address segment, the IP addresses of all inside network users need to be translated into the IP addresses in the public IP address segment, so that the inside network users can access the outside network.

Scenario 3: The inside network server is mapped to a public IP address so that outside network users can access the resources on the inside network server through the public IP address.

 

I.Networking Requirements

An RSR router serves as the Internet egress, and all inside PCs use this router as their gateway. The router provides access to the outside network, and the IP address (and port number) of the inside server is mapped to a public IP address (and port number) so that it can serve outside users.

 

II. Network Topology

 

 

III. Configuration Tips

1.      Configure basic IP addresses.

2.      Configure basic IP routes.

3.      Configure the DHCP server.

4.      Define the inside network port and outside network port for NAT.

5.      Configure ACLs on R1, and match the inside network traffic for NAT.

6.      Configure a NAT policy for scenario 1.

7.      Configure a NAT policy for scenario 2.

8.      Configure a NAT policy for scenario 3.

 

IV. Configuration Steps

1.      Configure basic IP addresses.

Ruijie(config)#hostname R1

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip address 172.16.1.254 255.255.255.0

R1(config-GigabitEthernet 0/0)#exit

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet 0/1)#ip address 192.168.2.1 255.255.255.0

R1(config-GigabitEthernet 0/1)#exit

2.      Configure basic IP routes.

R1(config)#ip route 0.0.0.0 0.0.0.0 192.168.2.2      // Configures the outbound route to the default route of the Internet.

3.      Configure the DHCP server.

R1(config)#service dhcp //Enables the DHCP service.

R1(config)#ip dhcp pool ruijie //ruijie is the name of the DHCP address pool and can be chosen freely.

R1(dhcp-config)#network 172.16.1.0 255.255.255.0 //Indicates the network segment from which a computer will obtain an IP address.

R1(dhcp-config)#default-router 172.16.1.254 //Indicates the gateway address of the computers, that is, the IP address of the gigabitEthernet 0/0 interface connected to them.

R1(dhcp-config)#dns-server 202.96.113.34 202.96.13.35  //Indicates the computers' DNS servers. The former is the active DNS and the latter is the standby DNS.

4.      Define the inside network port and outside network port for NAT.

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet 0/1)#ip nat outside      //Configures the outside network port for NAT.

R1(config-GigabitEthernet 0/1)#exit

R1(config)#int gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip nat inside //Configures the inside network port for NAT.

R1(config-GigabitEthernet 0/0)#exit

5.      Configure ACLs on R1, and match the inside network traffic for NAT.

R1(config)#ip access-list standard 10

R1(config-std-nacl)#10 permit 172.16.1.0 0.0.0.255

R1(config-std-nacl)#exit

6.      Configure a NAT policy for scenario 1.

R1(config)#ip nat inside source list 10 interface gigabitEthernet 0/1 overload     //Performs NAT for traffic matched by ACL 10, and translates the traffic into the address of the gigabitEthernet 0/1 interface.

7.      Configure a NAT policy for scenario 2.

(1)    Configure the Internet address pool.

R1(config)#ip nat pool ruijie netmask 255.255.255.0         //Configures a public address pool named ruijie.

R1(config-ipnat-pool)#address 192.168.2.10 192.168.2.11  //Indicates the start and end IP addresses of a public address.

R1(config-ipnat-pool)#address 192.168.2.15 192.168.2.15 //If there are multiple discontinuous public addresses, multiple public address segments can be configured.

R1(config-ipnat-pool)#exit

Notes:

a.      The IP addresses in the public address pool may not be in the same network segment as the IP addresses of outside network ports, as long as they are available IP addresses allocated by the outside network.

b.      The start and end IP addresses of the public addresses can be discontinuous.

(2)    Configure a NAT policy.

R1(config)#ip nat inside source list 10 pool ruijie overload      //Performs NAT for traffic matched to ACL 10, and translates the traffic into address in the address pool named ruijie.

Notes:

The parameter overload is used to perform NAT overload. If the parameter overload is not added, it indicates that dynamic one-to-one IP mapping is performed, instead of port translation. However, this cannot solve the problem of insufficient public addresses. The purpose of performing NAT at the network egress is to solve the problem of insufficient public addresses, and thus the parameter overload must be added.

8.      Configure a NAT policy for scenario 3.

Map the IP address 172.16.1.100 of the inside network server to a public IP address 192.168.2.168; or map the TCP Port 80 of inside network 172.16.1.100 to Port 10 of public network 192.168.2.168.

The following are examples of one-to-one mapping based on IP addresses and port mapping based on TCP and UDP:

(1)    One-to-one mapping based on IP addresses

R1(config)#ip nat inside source static 172.16.1.100 192.168.2.168 permit-inside      //Maps inside network 172.16.1.100 to public network 192.168.2.168.

(2)     Port mapping based on TCP and UDP

R1(config)#ip nat inside source static tcp 172.16.1.100 80 192.168.2.168 80  permit-inside      //Maps TCP port 80 of inside network 172.16.1.100 to port 80 of public network 192.168.2.168.

Notes:

(1)    Static NAT can be used for one-to-one mapping of IP addresses and port mapping based on TCP and UDP.

(2)    The permit-inside function: When an inside network server is statically mapped to a public address, if an inside network PC needs to access the server through the public address, the parameter permit-inside must be configured. The parameter permit-inside is recommended when static NAT is configured.
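An added Python model (not the cookbook's code) of the three NAT policies configured above on R1: PAT with overload, dynamic one-to-one pool translation without overload (which stops translating once the pool is exhausted, the point made in the note on overload), and static mapping with and without permit-inside. The port allocator starting at 1024, the use of the first pool address for PAT, and the method names are assumptions of the model.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, Optional[int]]   # (IP address, port); port None = any port


class NatEgress:
    """Models R1's 'ip nat inside source list 10 ... [overload]' and
    'ip nat inside source static ... [permit-inside]' behaviour."""

    def __init__(self, acl_net: str, pool: List[str], overload: bool):
        self.acl = ipaddress.ip_network(acl_net)      # ACL 10: 172.16.1.0 0.0.0.255
        self.pool = pool                              # inside global addresses
        self.overload = overload
        self.dyn: Dict[Endpoint, Endpoint] = {}       # inside local -> inside global
        self.static: Dict[Endpoint, Endpoint] = {}    # inside local -> inside global
        self.permit_inside: Set[Endpoint] = set()     # globals reachable from inside
        self.next_port = 1024                         # assumed PAT port allocator

    def add_static(self, local: Endpoint, glob: Endpoint, permit_inside: bool) -> None:
        self.static[local] = glob
        if permit_inside:
            self.permit_inside.add(glob)

    @staticmethod
    def _covers(spec: Endpoint, ep: Endpoint) -> bool:
        return spec[0] == ep[0] and spec[1] in (None, ep[1])

    def outbound(self, src: Endpoint) -> Optional[Endpoint]:
        """Translate the source of an inside->outside packet. None means no
        translation: ACL miss, or a one-to-one pool with no free address."""
        for local, glob in self.static.items():
            if self._covers(local, src):
                return (glob[0], src[1] if glob[1] is None else glob[1])
        if ipaddress.ip_address(src[0]) not in self.acl:
            return None
        if src in self.dyn:
            return self.dyn[src]
        if self.overload:
            # PAT: all hosts share the pool address; the port distinguishes sessions.
            glob = (self.pool[0], self.next_port)
            self.next_port += 1
        else:
            # Dynamic one-to-one: one pool address per inside host, port untouched.
            mine = [g[0] for l, g in self.dyn.items() if l[0] == src[0]]
            if mine:
                glob = (mine[0], src[1])
            else:
                used = {g[0] for g in self.dyn.values()}
                free = [p for p in self.pool if p not in used]
                if not free:
                    return None      # pool exhausted: the shortage that overload avoids
                glob = (free[0], src[1])
        self.dyn[src] = glob
        return glob

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Outside->inside: reverse a static mapping or an existing dynamic entry;
        unsolicited traffic to an unmapped address is dropped (None)."""
        for local, glob in self.static.items():
            if self._covers(glob, dst):
                return (local[0], dst[1] if local[1] is None else local[1])
        for local, glob in self.dyn.items():
            if glob == dst:
                return local
        return None

    def inside_to_public(self, dst: Endpoint) -> Optional[Endpoint]:
        """An inside PC addressing the server by its public address: the
        translation only happens when the static entry has permit-inside."""
        if not any(self._covers(g, dst) for g in self.permit_inside):
            return None
        return self.inbound(dst)


if __name__ == "__main__":
    pat = NatEgress("172.16.1.0/24", ["192.168.2.10", "192.168.2.11"], overload=True)
    print(pat.outbound(("172.16.1.10", 50000)), pat.outbound(("172.16.1.11", 50000)))
    pat.add_static(("172.16.1.100", 80), ("192.168.2.168", 80), permit_inside=True)
    print(pat.inbound(("192.168.2.168", 80)), pat.inside_to_public(("192.168.2.168", 80)))
```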

 

V. Verification

Verification for scenario 1: test whether the inside network can access the outside network. If an inside network PC can access the outside network, the NAT configuration is correct. The NAT translation entries on the outbound router are displayed as follows:

 

Verification for scenario 2: test whether the inside network can access the outside network. If an inside network PC can access the outside network, the NAT configuration is correct. The NAT translation entries on the outbound router are displayed as follows:

1.4.2.4     Multiple Egresses NAT and Permit-inside function

 

Features:

If an outside network has multiple egresses, when data packets are forwarded through different outside interfaces, the inside and outside data streams are translated into different IP addresses + port numbers. In addition, the permit-inside function enables an inside host to access an inside server through a public network address.

 

Scenario

An enterprise rents private lines of multiple operators for network access. An inside server needs to be mapped to two outside interfaces so that outside users can access the resources on the server. To enable inside users to access the inside server through the IP addresses of the outside interfaces (sometimes a domain name is needed to access the server, but the resolved domain name maps to the public IP address), you can use the permit-inside function of NAT to enable both inside and outside users to access the server through the public address.

 

I.Networking Requirements

As shown in the network topology below, R1 has two egresses to an outside network: R3 and R4. The required implementation is as follows: inside users in the network segment of access the outside network through R3, and their inside addresses are translated into the public address of that egress; inside users in the network segment of access the outside network through R4, and their inside addresses are translated into the public address of that egress. The address 172.16.1.100 of an inside server needs to be translated into the public address 192.168.2.168, and both inside and outside PCs need to access the server through the public address.

      

II. Network Topology

 

III. Configuration Tips

1.      Configure basic IP addresses.

2.      Configure basic IP routes.

3.      Define the inside port and outside port for NAT.

4.      Configure an ACL on R1, and match the inside traffic for NAT.

5.      Configure the public address pool.

6.      Configure an NAT policy.

7.      Configure static NAT.

8.      Configure an ACL on R1 and match the inside traffic.

9.      Configure a policy route.

10.   Apply the policy route.

 

IV. Configuration Steps

1.      Configure basic IP addresses.

Ruijie(config)#hostname R1

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-GigabitEthernet 0/0)#exit

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet 0/1)#ip address 192.168.2.1 255.255.255.0

R1(config-GigabitEthernet 0/1)#exit

R1(config)#interface gigabitEthernet 0/2

R1(config-GigabitEthernet 0/2)#ip address 192.168.3.1 255.255.255.0

R1(config-GigabitEthernet 0/2)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface gigabitEthernet 0/0

R2(config-GigabitEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-GigabitEthernet 0/0)#exit

R2(config)#interface gigabitEthernet 0/1

R2(config-GigabitEthernet 0/1)#ip address 172.16.1.1 255.255.255.0

R2(config-GigabitEthernet 0/1)#exit

R2(config)#interface gigabitEthernet 0/2

R2(config-GigabitEthernet 0/2)#ip address 172.16.2.1 255.255.255.0

R2(config-GigabitEthernet 0/2)#exit

 

Ruijie(config)#hostname R3

R3(config)#interface fastEthernet 0/0

R3(config-if-FastEthernet 0/0)#ip address 192.168.2.2 255.255.255.0

R3(config-if-FastEthernet 0/0)#exit

 

Ruijie(config)#hostname R4

R4(config)#interface fastEthernet 0/0

R4(config-if-FastEthernet 0/0)#ip address 192.168.3.2 255.255.255.0

R4(config-if-FastEthernet 0/0)#exit

2.      Configure basic IP routes so that the entire network is accessible.

R1(config)#ip route 172.16.0.0 255.255.0.0 192.168.1.2

R2(config)#ip route 100.1.1.0 255.255.255.0 192.168.1.1

R2(config)#ip route 192.168.0.0 255.255.0.0 192.168.1.1

3.      Define the inside port and outside port for NAT.

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet 0/1)#ip nat outside      //Configures the outside interface for the first NAT.

R1(config-GigabitEthernet 0/1)#exit

R1(config)#interface gigabitEthernet 0/2

R1(config-GigabitEthernet 0/2)#ip nat outside      //Configures the outside interface for the second NAT.

R1(config-GigabitEthernet 0/2)#exit

R1(config)#int gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip nat inside   //Configures the inside interface for NAT.

R1(config-GigabitEthernet 0/0)#exit

4.      Configure an ACL on R1, and match the inside traffic for NAT.

R1(config)#ip access-list standard 10

R1(config-std-nacl)#10 permit 172.16.1.0 0.0.0.255

R1(config-std-nacl)#20 permit 172.16.2.0 0.0.0.255

R1(config-std-nacl)#exit

5.      Configure the public address pool.

Notes:

If multiple public egresses are available and data packets are forwarded from different egresses, NAT needs to be performed to match the available public address of a corresponding egress. Ruijie devices use the parameter match interface in the NAT address pool to match the outbound interface for sending data packets. The source addresses of the data packets are translated into the available public address of the outbound interface through NAT.

R1(config)#ip nat pool nat_ruijie netmask 255.255.255.0     //Configures the public address pool nat_ruijie for NAT.

R1(config-ipnat-pool)#address 192.168.2.10 192.168.2.11 match interface GigabitEthernet 0/1   //When data packets are forwarded through the GigabitEthernet 0/1 interface, the addresses are translated into 192.168.2.10 - 192.168.2.11 through NAT.

R1(config-ipnat-pool)#address 192.168.3.10 192.168.3.11 match interface GigabitEthernet 0/2    //When data packets are forwarded through the GigabitEthernet 0/2 interface, the addresses are translated into 192.168.3.10 - 192.168.3.11 through NAT.

R1(config-ipnat-pool)#exit

6.      Configure the source address translation through NAT.

R1(config)#ip nat inside source list 10 pool nat_ruijie overload  //Translates the traffic matched to ACL 10 into addresses in the nat_ruijie address pool, and performs NAT overload.

Notes:

The parameter overload enables NAT overload (PAT). If it is not added, dynamic one-to-one IP mapping is performed and port numbers are not translated, which cannot solve the problem of insufficient public addresses. If NAT is performed at the network egress to solve the problem of insufficient public addresses, the parameter overload must be added.

7.      Configure static NAT.

Notes:

Static NAT can be used for one-to-one translation of IP addresses and port number translation based on TCP and UDP.

(1)    permit-inside: When an inside server is statically mapped to a public address and an inside PC needs to access the server through that public address, the parameter permit-inside must be configured. The parameter permit-inside is recommended whenever static NAT is configured.

The following describes the examples of one-to-one IP address mapping and port number mapping based on TCP and UDP:

1)     One-to-one IP address mapping

R1(config)#ip nat inside source static 172.16.1.100 192.168.2.168 permit-inside  //Maps the inside address 172.16.1.100 to the public address 192.168.2.168.

2)     Port number mapping based on TCP and UDP

R1(config)#ip nat inside source static tcp 172.16.1.100 23 192.168.2.168 23  permit-inside  //Maps inside 172.16.1.100 TCP port 23 to public 192.168.2.168 TCP port 23.

8.      Configure an ACL on R1 and match the inside traffic.

Notes:

Restricted by the flow table processing mechanism of Ruijie devices, the permit-inside function of NAT and policy-based routing conflict with each other. Therefore, the ACL of the policy route must deny the traffic from the inside user network segments to the server, so that the policy route is not applied when inside users access the server. The configuration is as follows:

R1(config)#ip access-list extended 110        //Configures ACL 110 to match the access traffic from the inside network segment 172.16.1.0/24 to the outside network.

R1(config-ext-nacl)#10 deny ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255

R1(config-ext-nacl)#20 permit ip 172.16.1.0 0.0.0.255 any

R1(config-ext-nacl)#exit

R1(config)#ip access-list extended 120      //Configures ACL 120 to match the access traffic from the inside network segment 172.16.2.0/24 to the outside network.

R1(config-ext-nacl)#10 deny ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255

R1(config-ext-nacl)#20 permit ip 172.16.2.0 0.0.0.255 any

R1(config-ext-nacl)#exit

 

If the deny rule is not configured for the traffic between inside servers and users, the data translation analysis is as follows:

If an inside PC 172.16.2.10 accesses the server through 192.168.2.168, the translation process is as follows:

 

                      Source IP address     Destination IP address

Before translation    172.16.2.10           192.168.2.168

After translation     192.168.2.168         172.16.1.100

Based on the flow table processing mechanism of Ruijie devices, after the translation the data flow is treated as a flow with the source IP address 172.16.2.10 and the destination IP address 172.16.1.100. Therefore, when configuring the ACL of a policy route, such traffic must be matched by a deny entry first (that is, all traffic from the inside network segments to the network segment where the server resides) so that it is excluded from policy-based routing; otherwise, it will be redirected by policy-based routing to the next hop of the specified outside interface. In addition, since the network segment 172.16.1.0 where the server resides is also subject to policy-based routing, the above problem also exists for the server's network segment.

9.      Configure a policy route.

R1(config)#route-map ruijie permit 10        //Configures route-map ruijie, sequence 10.

R1(config-route-map)#match ip address 110    //Matches the traffic of inside network ACL 110.

R1(config-route-map)#set ip next-hop 192.168.2.2  //Forcibly sets the next hop of IP packets to 192.168.2.2 and sets the egress to R3.

R1(config-route-map)#exit

R1(config)#route-map ruijie permit 20

R1(config-route-map)#match ip address 120

R1(config-route-map)#set ip next-hop 192.168.3.2

R1(config-route-map)#exit

10.   Apply the policy route.

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip policy route-map ruijie //Applies the policy route.

R1(config-GigabitEthernet 0/0)#exit
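The following is an added example, not part of the cookbook or of Ruijie's software: a small model of R1's forwarding pipeline for the configuration above. It reproduces the flow-table analysis from step 8: with permit-inside, an inside PC reaching the server by its public address is seen by the policy route as (inside PC -> server's real address), so without the deny entries in ACL 110/120 that traffic is redirected to an outside next hop, and it also shows the pool entry chosen by egress interface from step 5. The pipeline order, the fall-through of unmatched traffic to R3, and the use of the first pool address are assumptions of the model.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Cisco/Ruijie-style wildcard match: wildcard bits set to 1 are 'don't care' bits."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


ANY = ("0.0.0.0", "255.255.255.255")

# R1's ACLs as configured above: (action, src, src_wildcard, dst, dst_wildcard).
# Standard ACL 10 matches on source only, so its destination is 'any'.
ACL = {
    10: [("permit", "172.16.1.0", "0.0.0.255", *ANY),
         ("permit", "172.16.2.0", "0.0.0.255", *ANY)],
    110: [("deny", "172.16.1.0", "0.0.0.255", "172.16.2.0", "0.0.0.255"),
          ("permit", "172.16.1.0", "0.0.0.255", *ANY)],
    120: [("deny", "172.16.2.0", "0.0.0.255", "172.16.1.0", "0.0.0.255"),
          ("permit", "172.16.2.0", "0.0.0.255", *ANY)],
}
# The same policy-route ACLs without their deny entries: the misconfiguration the page warns about.
ACL_NO_DENY = {**ACL, 110: ACL[110][1:], 120: ACL[120][1:]}

ROUTE_MAP = [(110, "192.168.2.2"), (120, "192.168.3.2")]   # route-map ruijie, sequences 10 and 20
STATIC_NAT = {"192.168.2.168": "172.16.1.100"}             # ip nat inside source static ... permit-inside
CONNECTED = {"192.168.1.0/24": "GigabitEthernet 0/0",       # R1's three interfaces
             "192.168.2.0/24": "GigabitEthernet 0/1",
             "192.168.3.0/24": "GigabitEthernet 0/2"}
NAT_POOL = {"GigabitEthernet 0/1": "192.168.2.10",          # first address of each 'match interface' entry (assumption)
            "GigabitEthernet 0/2": "192.168.3.10"}
STATIC_ROUTES = {"172.16.0.0/16": "192.168.1.2"}            # ip route 172.16.0.0 255.255.0.0 192.168.1.2


def acl_permits(entries, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, sw, d, dw in entries:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False


def egress_for(next_hop):
    """Find the connected interface that reaches a next hop."""
    for net, intf in CONNECTED.items():
        if ipaddress.IPv4Address(next_hop) in ipaddress.IPv4Network(net):
            return intf
    raise ValueError("next hop %s is not on a connected network" % next_hop)


def forward(src, dst, acls=ACL):
    """Model R1's handling of one packet arriving on the inside interface.

    Returns (flow_src, flow_dst, next_hop, egress, translated_src). flow_src is
    the original source, which is what the page's flow-table analysis keys on.
    """
    # 1. permit-inside static NAT: a packet to the server's public address gets its
    #    destination rewritten, and the flow is then recorded as (original source ->
    #    server's real address). The static map's outbound direction is not modelled.
    flow_dst = STATIC_NAT.get(dst, dst)
    # 2. policy route on GigabitEthernet 0/0, evaluated against that flow
    next_hop = None
    for acl_no, hop in ROUTE_MAP:
        if acl_permits(acls[acl_no], src, flow_dst):
            next_hop = hop
            break
    # 3. no policy-route match: ordinary routing (only the route on the page is
    #    modelled; anything else is assumed to fall through to R3)
    if next_hop is None:
        next_hop = "192.168.2.2"
        for net, hop in STATIC_ROUTES.items():
            if ipaddress.IPv4Address(flow_dst) in ipaddress.IPv4Network(net):
                next_hop = hop
    egress = egress_for(next_hop)
    # 4. source NAT: traffic permitted by ACL 10 and leaving an outside interface is
    #    translated into the pool entry whose 'match interface' is that egress.
    translated_src = src
    if egress in NAT_POOL and acl_permits(acls[10], src, flow_dst):
        translated_src = NAT_POOL[egress]
    return src, flow_dst, next_hop, egress, translated_src


if __name__ == "__main__":
    print("inside PC to server, with deny entries:   ", forward("172.16.2.10", "192.168.2.168"))
    print("inside PC to server, without deny entries:", forward("172.16.2.10", "192.168.2.168", ACL_NO_DENY))
    print("inside PC to the outside network:         ", forward("172.16.1.10", "100.1.1.1"))
```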

 

V. Verification

1.      Test whether an inside PC can access an outside network, and check whether the policy route is selected. If 172.16.1.0/24 can access the outside network through R3, and 172.16.2.0/24 can access the outside network through R4, the configurations of the multi-egress NAT and policy route are correct.

R2#traceroute 100.1.1.1 source 172.16.1.1

< press Ctrl+C to break >

Tracing the route to 100.1.1.1

 

1    192.168.1.1 0 msec 0 msec 0 msec

2    192.168.2.2 10 msec 0 msec 10 msec     //172.16.1.0/24 accesses the outside network through R3.

Other routes are omitted.

2.      Test whether inside and outside PCs can access the server through the public IP address. If all of them can access the server through the public IP address, the configuration of static NAT is correct. When the inside PCs access the server through the public address, the NAT mapping table is as follows:

 

1.4.2.2           Outside Source IP Address Translation

 

Features:

When an inside host needs to access an outside network without introducing an outside route, the IP address + port number of the outside host can be translated into the IP address + port number of the inside network through outside source IP address translation.

 

I. Networking Requirements

Due to the security policy for the inside network, only mutual access between inside PCs is allowed.

When inside PCs need to access an outside server, the outside source IP address translation function of NAT can be used to translate the public address of the outside server into an inside address so that the inside users do not know that they have accessed the outside network.

 

II. Network Topology

 

III. Configurations

1.      Configure basic IP addresses.

2.      Configure basic IP routes.

3.      Define the inside port and outside port for NAT.

4.      Configure the outside source address translation of NAT.

 

IV. Steps

1.      Configure basic IP addresses.

Ruijie(config)#hostname R1

R1(config)#interface gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip address 192.168.1.1 255.255.255.0

R1(config-GigabitEthernet 0/0)#exit

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet 0/1)#ip address 192.168.2.1 255.255.255.0

R1(config-GigabitEthernet 0/1)#exit

 

Ruijie(config)#hostname R2

R2(config)#interface gigabitEthernet 0/0

R2(config-GigabitEthernet 0/0)#ip address 192.168.1.2 255.255.255.0

R2(config-GigabitEthernet 0/0)#exit

R2(config)#interface gigabitEthernet 0/1

R2(config-GigabitEthernet 0/1)#ip address 172.16.1.1 255.255.255.0

R2(config-GigabitEthernet 0/1)#exit

R2(config)#interface gigabitEthernet 0/2

R2(config-GigabitEthernet 0/2)#ip address 172.16.2.1 255.255.255.0

R2(config-GigabitEthernet 0/2)#exit

 

Ruijie(config)#hostname R3

R3(config)#interface fastEthernet 0/0

R3(config-if-FastEthernet 0/0)#ip address 192.168.2.2 255.255.255.0

R3(config-if-FastEthernet 0/0)#exit

2.      Configure the IP route.

R1(config)#ip route 172.16.0.0 255.255.0.0 192.168.1.2

R1(config)#ip route 100.1.1.0 255.255.255.0 192.168.2.2

R2(config)#ip route 192.168.0.0 255.255.0.0 192.168.1.1

R3(config)#ip route 172.16.0.0 255.255.0.0 192.168.2.1      //Configures the return route from the outside network to inside network (If the outside network has no return route to the inside network, the inside source IP address translation needs to be performed on the egress router).

3.      Define the inside port and outside port for NAT.

R1(config)#interface gigabitEthernet 0/1

R1(config-GigabitEthernet 0/1)#ip nat outside      //Configures the outside interface for NAT.

R1(config-GigabitEthernet 0/1)#exit

R1(config)#int gigabitEthernet 0/0

R1(config-GigabitEthernet 0/0)#ip nat inside    //Configures the inside interface for NAT.

R1(config-GigabitEthernet 0/0)#exit

4.      Configure the outside source address translation of NAT.

Notes:

(1)    The outside source IP address translation can be used for one-to-one IP address translation and port number translation based on TCP and UDP.

(2)    During the outside source IP address translation, the inside local address of the outside server may not be in the network segment on the egress router. The inside local address is only required to be reached by the inside route and be able to route packets of inside PCs accessing the server to the egress router.

The following describes the examples of one-to-one IP address mapping and port number mapping based on TCP and UDP:

1)     One-to-one IP address mapping

R1(config)#ip nat outside source static 100.1.1.1 192.168.1.168       //When the inside network accesses 192.168.1.168, translates the destination IP address into 100.1.1.1.

2)     Port mapping based on TCP and UDP

R1(config)#ip nat outside source static tcp 100.1.1.1 23 192.168.1.168 23     //When the inside network accesses TCP Port 23 of 192.168.1.168, translates the destination IP address into Port 23 of 100.1.1.1.

 

V. Verification

Test whether the inside network can access the outside server through the private IP address that is visible on the local network. If the outside server can be accessed normally, the NAT configuration of the outside source IP address translation is correct. The NAT translation entries on the egress router are displayed as follows:

 

1.4.3     IPSEC

1.4.3.1     IPSEC Debug

 

Description of IPSec Debugging

Notes: To debug IPSec, you need to enable "debug crypto isakmp" and "debug crypto ipsec". The customer business may be affected due to IPSec debugging. Therefore, customer permission must be obtained before debugging, and IPSec debugging must be performed during non-peak hours.

R1#ping 3.3.3.3 sou 1.1.1.1

Sending 5, 100-byte ICMP Echoes to 3.3.3.3, timeout is 2 seconds:

< press Ctrl+C to break >

*Oct 18 12:26:54: %7: Get acquire: 1.1.1.1/0.0.0.0 -> 3.3.3.3/0.0.0.0  //Triggers interesting traffic, from 1.1.1.1 to 3.3.3.3.

*Oct 18 12:26:54: %7: Get acquire: negotiate source 10.1.1.1 -> dest 202.100.1.100  //Negotiates with the peer 202.100.1.100.

*Oct 18 12:26:54: %7:  set acquire!

*Oct 18 12:26:54: %7: receve sa acquire

*Oct 18 12:26:54: %7: Acqurire negociate with 202.100.1.100

*Oct 18 12:26:54: %7: (33) sending packet to 202.100.1.100 (I) MM_SI1_WR1, MM_SA_SETUP  // Sends the first packet of Phase 1 to negotiate with the IKE policy parameter.

*Oct 18 12:26:54: %7: sendout main I1, and wait R1

*Oct 18 12:26:54: %7: IKE recvmsg 124 bytes.

*Oct 18 12:26:54: %7: IKE:recvmsg for 10.1.1.1 of interface GigabitEthernet 0/0.

*Oct 18 12:26:54: %7: Not IKE NAT negotiate pkt.

*Oct 18 12:26:54: %7: (33) received packet from 202.100.1.100, (I) MM_SI1_WR1, MM_SA_SETUP  // Receives the second packet of Phase 1.

*Oct 18 12:26:54: %7:   Exchange type : 0x2<sa><vendor ID><vendor ID>

*Oct 18 12:26:54: %7:  extract_payload done!

*Oct 18 12:26:54: %7: main mode r1 process

*Oct 18 12:26:54: %7: (33) Checking ISAKMP transform 1 against priority 10 policy

*Oct 18 12:26:54: %7:     encryption DES-CBC

*Oct 18 12:26:54: %7:     hash SHA

*Oct 18 12:26:54: %7:     auth pre-share

*Oct 18 12:26:54: %7:     default group 1

*Oct 18 12:26:54: %7:     life type in seconds

*Oct 18 12:26:54: %7: life duration 86400 orginal:86400

*Oct 18 12:26:54: %7: (33) atts are acceptable                            // Receives from the peer end the policy field matched with this end.

*Oct 18 12:26:54: %7: vendor_id=0x4a 0x13 0x1c 0x81 0x7 0x3 0x58 0x45 0x5c 0x57 0x28 0xf2 0xe 0x95 0x45 0x2f

*Oct 18 12:26:54: %7:  nat_t's vendor id is detected, nat_vid_t_index=0.//The detection result shows that the peer end supports NAT-T.

*Oct 18 12:26:54: %7: vendor_id=0x4a 0x13 0x1c 0x81 0x7 0x3 0x58 0x45 0x5c 0x57 0x28 0xf2 0xe 0x95 0x45 0x2f //Indicates the vendor_id in RFC3947 used to detect whether the packet passes through the NAT device.

*Oct 18 12:26:54: %7: vendor_id=0xaf 0xca 0xd7 0x13 0x68 0xa1 0xf1 0xc9 0x6b 0x86 0x96 0xfc 0x77 0x57 0x1 0x0

*Oct 18 12:26:54: %7:  dpd's vendor id is detected.

*Oct 18 12:26:54: %7: (33) sending packet to 202.100.1.100 (I) MM_SI2_WR2, MM_KEY_EXCH   //Sends the third packet of Phase 1.

*Oct 18 12:26:54: %7: IKE message packet process over.

*Oct 18 12:26:54: %7: IKE recvmsg 200 bytes.

*Oct 18 12:26:54: %7: IKE:recvmsg for 10.1.1.1 of interface GigabitEthernet 0/0.

*Oct 18 12:26:54: %7: Not IKE NAT negotiate pkt.

*Oct 18 12:26:54: %7: (33) received packet from 202.100.1.100, (I) MM_SI2_WR2, MM_KEY_EXCH //Receives the fourth packet of Phase 1.

*Oct 18 12:26:54: %7:   Exchange type : 0x2<key><nonce><NAT-D><NAT-D>

*Oct 18 12:26:54: %7:  extract_payload done!

*Oct 18 12:26:54: %7: main mode process R2:(33) processing NONCE payload.

*Oct 18 12:26:54: %7: (33)main mode process R2:SKEYID state generated

*Oct 18 12:26:54: %7: Local has been NAT.  //Indicates that the IP address of the local end has been translated through NAT.

*Oct 18 12:26:54: %7:  Local machine IP is 10.1.1.1, port is 500.

*Oct 18 12:26:54: %7: Local IP NAT-D hash:, len=20

*Oct 18 12:26:54: %7: 0xe3,0x9f,0x02,0x7f,0x11,0x14,0x2a,0xc6,0xe8,0x5d,0x03,0x3d,0xbf,0x41,0x69,0x20,

*Oct 18 12:26:54: %7: 0x46,0xa7,0x1a,0xb7,

*Oct 18 12:26:54: %7: Peer recv local IP NAT-D hash:, len=20

*Oct 18 12:26:54: %7: 0x28,0xea,0x92,0x1d,0x40,0x68,0x5b,0xd5,0xb3,0x88,0x5c,0x5b,0x18,0xd6,0x63,0xcd, //Checks whether hash of local NAT-D is consistent with hash of received NAT-D. If not, it can be determined that the IP address of the peer has been translated through NAT.

*Oct 18 12:26:54: %7: 0x3c,0xcf,0xe2,0xb7,

*Oct 18 12:26:54: %7: Local record peer NAT-D hash:, len=20

*Oct 18 12:26:54: %7: 0xf8,0x61,0x67,0x99,0x1b,0xbb,0xe0,0xc3,0xa1,0xad,0xec,0xac,0x5f,0x0c,0xb5,0x1e,

*Oct 18 12:26:54: %7: 0xae,0x48,0xf5,0x1b,

*Oct 18 12:26:54: %7: Peer recv NAT-D hash:, len=20

*Oct 18 12:26:54: %7: 0xf8,0x61,0x67,0x99,0x1b,0xbb,0xe0,0xc3,0xa1,0xad,0xec,0xac,0x5f,0x0c,0xb5,0x1e,

*Oct 18 12:26:54: %7: 0xae,0x48,0xf5,0x1b,

*Oct 18 12:26:54: %7:  Peer hasn't been NAT. //Checks whether hash of NAT-D of the peer recorded locally is consistent with hash of NAT-D received from the peer. If yes, it can be determined that the IP address of the peer hasn't been translated through NAT.

*Oct 18 12:26:54: %7: (33) sending packet to 202.100.1.100 (I) MM_SI3_WR3, MM_VERIFY   //Sends the fifth packet of Phase 1 used for identity verification.

*Oct 18 12:26:54: %7: IKE message packet process over.

*Oct 18 12:26:54: %7: IKE recvmsg 72 bytes.

*Oct 18 12:26:54: %7: IKE:recvmsg for 10.1.1.1 of interface GigabitEthernet 0/0.

*Oct 18 12:26:54: %7: IKE NAT negotiate pkt.

*Oct 18 12:26:54: %7: (33) received packet from 202.100.1.100, (I) MM_SI3_WR3, MM_VERIFY       //Receives the sixth packet of Phase 1 used for identity verification.

*Oct 18 12:26:54: %7:   Exchange type : 0x2<id><hash>

*Oct 18 12:26:54: %7:  extract_payload done!

*Oct 18 12:26:54: %7: (33) (auth pre-share) processing ID payload. message ID = 0

*Oct 18 12:26:54: %7: (33) (auth pre-share) processing HASH payload. message ID = 0

*Oct 18 12:26:54: %7: (33) (auth pre-share) SA has been authenticated with 202.100.1.100

*Oct 18 12:26:54: %7: (main mode)(33) (I)Phase_1 negotiate complete!               // Indicates that the negotiation of Phase 1 is completed and the negotiation enters Phase 2.

*Oct 18 12:26:54: %7: ++++++++++++++Fill quick sa's dpd_mode(0).

*Oct 18 12:26:54: %7: (33) Beginning Quick Mode exchange, M-ID of 1336559833

*Oct 18 12:26:54: %7:   life seconds 3600

*Oct 18 12:26:54: %7:   life kilobytes 4608000

*Oct 18 12:26:54: %7:   mode 3

*Oct 18 12:26:54: %7:   hash 1

*Oct 18 12:26:54: %7: 0 0 0 34 1 3 4 1 10 10 b7 6c 0 0 0 28 1 2 0 0 80 1 0 1 0 2 0 4 0 0 e 10 80 1 0 2 0 2 0 4 0 46 50 0 80 4 0 3 80 5 0 1

*Oct 18 12:26:54: %7: (33)(quick mode) sending packet to 202.100.1.100 (I) QM_SI1_WR1   // Sends the first packet of Phase 2.

*Oct 18 12:26:54: %7: IKE message packet process over.

*Oct 18 12:26:54: %7: IKE recvmsg 176 bytes.

*Oct 18 12:26:54: %7: IKE:recvmsg for 10.1.1.1 of interface GigabitEthernet 0/0.

*Oct 18 12:26:54: %7: IKE NAT negotiate pkt.

*Oct 18 12:26:54: %7: find phase 2 quick sa!

*Oct 18 12:26:54: %7: (33) (1336559833)received packet from 202.100.1.100, (I) QM_SI1_WR1  //Receives the second packet of Phase 2.

*Oct 18 12:26:54: %7:   Exchange type : 0x20<hash><sa><nonce><id>

*Oct 18 12:26:54: %7:  extract_payload done!

*Oct 18 12:26:54: %7: (quick mode)(isakmp_id---33) process r1:processing SA payload. message ID = 1336559833a 0 0 40 0 0 0 1 0 0 0 1 0 0 0 34 1 3 4 1 7b 72 b2 44 0 0 0 28 1 2 0 0 80 1 0 1 0 2 0 4 0 0 e 10 80 1 0 2 0 2 0 4 0 46 50 0 80 4 0 3 80 5 0 1

*Oct 18 12:26:54: %7:  set->lifebak_sec=3600

*Oct 18 12:26:54: %7:  Check Attr successful!

*Oct 18 12:26:54: %7: (quick_mode)(I)phase 2 sa established,begining to update sab!          //Indicates that the SA of Phase 2 is generated and the device starts to update the SAB.

*Oct 18 12:26:54: %7: (33) Creating IPSec SAs-esp.

*Oct 18 12:26:54: %7:     inbound SA has spi 269530988

*Oct 18 12:26:54: %7:     protocol esp, DES_CBC

*Oct 18 12:26:54: %7:     auth MD5

*Oct 18 12:26:54: %7:  fill esp in success!

*Oct 18 12:26:54: %7:     outbound SA has spi 2071114308

*Oct 18 12:26:54: %7:     protocol esp, DES_CBC

*Oct 18 12:26:54: %7:     auth MD5

*Oct 18 12:26:54: %7:  fill esp out success!

*Oct 18 12:26:54: %7:    lifetime of 3600 seconds, soft 3555 seconds

*Oct 18 12:26:54: %7:    lifetime of 4607000 kilobytes, soft 256 kilobytes

*Oct 18 12:26:54: %7: +++++++++++++Fill sab' dpd_mode(0)

*Oct 18 12:26:54: %7: add first sab into salink.

*Oct 18 12:26:54: %7:  life_seconds=3600

*Oct 18 12:26:54: %7:  life_back_seconds=3600

*Oct 18 12:26:54: %7: (quick mode)(isakmp_id---33) sending packet to 202.100.1.100 (I) QM_IDLE  //Sends the third packet of Phase 2.

*Oct 18 12:26:54: %7: (quick mode)(isakmp_id---33)process r1:Phase_2 negotiate complete!

*Oct 18 12:26:54: %7: ike's tunnel (number=1)established.

*Oct 18 12:26:54: %7: IKE message packet process over.

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
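The NAT-D comparison that the debug lines above walk through, as an added example that is not from the cookbook or from Ruijie's software: per RFC 3947 each NAT-D payload carries HASH(CKY-I | CKY-R | IP | Port) computed with the Phase 1 hash (SHA-1 here, hence len=20); each side sends one hash for the address it sees the peer at and one for its own address, and a side is behind NAT exactly when the hash the peer sent for it differs from the hash it computes over its own local address and port. The 8-byte cookies and the translated public address 203.0.113.10 are constructed; 10.1.1.1:500 and 202.100.1.100:500 come from the output above.

```python
import hashlib
import ipaddress
import struct


def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload body per RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port).
    Cookies, IP and port are in network byte order; algo is the Phase 1 hash."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()


def debug_format(digest: bytes) -> str:
    """Render a hash the way the debug output above prints it (0xe3,0x9f,...)."""
    return ",".join("0x%02x" % b for b in digest) + ","


def nat_detect(cky_i, cky_r, local_ip, local_port, peer_ip, peer_port,
               peer_hash_of_local, peer_hash_of_peer):
    """Decide (local_behind_nat, peer_behind_nat) the way the initiator in the log does.

    peer_hash_of_local is the first NAT-D the peer sent: its hash of the address it
    saw our packets come from ('Peer recv local IP NAT-D hash' in the log).
    peer_hash_of_peer is its second NAT-D: its hash of its own address.
    """
    local_hash = natd_hash(cky_i, cky_r, local_ip, local_port)          # 'Local IP NAT-D hash'
    recorded_peer_hash = natd_hash(cky_i, cky_r, peer_ip, peer_port)    # 'Local record peer NAT-D hash'
    local_behind_nat = local_hash != peer_hash_of_local          # our address was rewritten on the way
    peer_behind_nat = recorded_peer_hash != peer_hash_of_peer    # the peer's address was rewritten
    return local_behind_nat, peer_behind_nat


# Constructed scenario mirroring the debug output: the initiator 10.1.1.1 sits
# behind a NAT that rewrites it to 203.0.113.10; the responder 202.100.1.100 does not.
CKY_I = bytes.fromhex("0123456789abcdef")   # constructed initiator cookie
CKY_R = bytes.fromhex("fedcba9876543210")   # constructed responder cookie
INITIATOR_PRIVATE = "10.1.1.1"
INITIATOR_AS_SEEN_BY_PEER = "203.0.113.10"  # constructed post-NAT address
RESPONDER = "202.100.1.100"
IKE_PORT = 500


def simulate(initiator_seen_as=INITIATOR_AS_SEEN_BY_PEER):
    """Build the responder's two NAT-D payloads and run the initiator's check."""
    # RFC 3947: the first NAT-D covers the remote end (the address the packet is sent to),
    # the following NAT-D payloads cover the sender's own address(es).
    responder_natd_remote = natd_hash(CKY_I, CKY_R, initiator_seen_as, IKE_PORT)
    responder_natd_local = natd_hash(CKY_I, CKY_R, RESPONDER, IKE_PORT)
    return nat_detect(CKY_I, CKY_R, INITIATOR_PRIVATE, IKE_PORT, RESPONDER, IKE_PORT,
                      responder_natd_remote, responder_natd_local)


if __name__ == "__main__":
    local_nat, peer_nat = simulate()
    print("Local IP NAT-D hash:", debug_format(natd_hash(CKY_I, CKY_R, INITIATOR_PRIVATE, IKE_PORT)))
    print("Local has been NAT." if local_nat else "Local hasn't been NAT.")
    print("Peer has been NAT." if peer_nat else "Peer hasn't been NAT.")
```

Because the port is part of the hash, the same comparison also detects a NAT that only rewrites the UDP source port, which is why the peers later move IKE to UDP 4500.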

 

1.4.3.2     Basic Configuration

1.4.3.3     IPSEC Static Tunnel

 

Features

When IPSec static tunnels are used for networking, the two ends of each IPSec tunnel need to be configured manually, and no dynamic negotiation is needed. However, as the number of encrypted points and tunnels increases, configuring and maintaining IPSec tunnels becomes more difficult. Therefore, static tunnels are generally used in scenarios with few encrypted points.

 

Scenario

If the headquarters of a company and its branches need to mutually share data through their inside networks and hope that the data are not easily intercepted, cracked or stolen by hackers during transmission, you can create an IPSec VPN on the network devices of the headquarters and branches. The IPSec VPN not only enables the headquarters and branches to directly access the resources of each other, but also encrypts the data during transmission, so as to ensure data security. If both the headquarters and branches use static IP addresses, a static IPSec VPN can be used.

 

Working Principle

The IPSec VPN has two negotiation stages: ISAKMP and IPSec. At the ISAKMP stage, the protection policies of the two ends are negotiated to verify the validity of the peers, generate the encryption key, and protect the negotiation of the IPSec SA at the second stage. At the IPSec stage, the protection policies for IPSec SA are determined, including whether to use AH or ESP, transmission mode or tunnel mode, and what the protected data is. The negotiation purpose of the second stage is to generate the IPSec SA for protecting IP data. The IPSec communication peers must reach an agreement on the security policies at the first and second stages; otherwise, the IPSec negotiation fails.

 

I. Networking Requirements

Two LANs access the Internet (or a private network) through two RSR routers respectively. In addition, the network segments 192.168.0.0/24 and 192.168.1.0/24 of the two LANs need to communicate with each other, and the communication traffic must be encrypted.

In this scenario, a static IPSec VPN is deployed on the two RSR routers to implement communication between the LANs and meet the data encryption requirements.

II. Network Topology

 

 

III. Configurations

1.      Configure routers R1 and R2 so that R1 and R2 can access the Internet and can be successfully pinged by each other.

2.      Configure a static IPSec VPN tunnel on R1.

(1)    Configure the interesting traffic of IPSec.

(2)    Configure the ISAKMP policy.

(3)    Configure the pre-shared key.

(4)    Configure the IPSec transform set.

(5)    Configure the IPSec crypto map.

(6)    Apply the crypto map to an interface.

3.      Configure a route on R1 to direct the traffic to LAN 2 to the egress.

4.      Configure a static IPSec VPN tunnel on R2.

(1)    Configure the interesting traffic of IPSec.

(2)    Configure the ISAKMP policy.

(3)    Configure the pre-shared key.

(4)    Configure the IPSec transform set.

(5)    Configure the IPSec crypto map.

(6)    Apply the crypto map to an interface.

5.      Configure a route on R2 to direct the network segment route of LAN 1 to the egress.

Notes:

The IP network segments of LAN 1 and LAN 2 that need to access each other must not overlap.

Since RSR50 and RSR50E involve the IPSec function, they must be configured with AIM-VPN encryption cards (For details about how to check whether RSR50 and RSR50E have been configured with AIM-VPN encryption cards, see the appendix at the end of this document).

IV. Configuration Steps

1.      Configure routers R1 and R2 so that R1 and R2 can access the Internet and can be successfully pinged by each other.

2.      Configure a static IPSec VPN tunnel on R1.

(1)    Configure the interesting traffic of IPSec.

access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255  //Specifies the traffic with source address 192.168.0.0/24 and destination network 192.168.1.0/24 as interesting traffic.

(2)    Configure the ISAKMP policy.

crypto isakmp keepalive 5 periodic  //Configures the IPSec DPD detection function.

crypto isakmp policy 1    //Creates a new ISAKMP policy.

authentication pre-share      //Specifies "pre-shared key" as the authentication method. Use "authentication rsa-sig" for digital certificates, and "authentication digital-email" for digital envelopes.

group 2    //Specifies Diffie-Hellman group 2 for the ISAKMP key exchange.

encryption 3des      //Specifies 3DES for encryption.

(3)    Configure the pre-shared key.

crypto isakmp key 0 ruijie address 10.0.0.2  //Specifies "ruijie" as the pre-shared key of peer 10.0.0.2. The same key should be used at the peer end. The key does not need to be configured when digital certificates/envelopes are used for authentication.

(4)    Configure the IPSec transform set.

crypto ipsec transform-set myset  esp-des esp-md5-hmac //Specifies that ESP encapsulation, DES encryption and MD5 verification are used for IPsec.

(5)    Configure the IPSec crypto map.

crypto map mymap 5 ipsec-isakmp     //Creates a crypto map named "mymap".

set peer 10.0.0.2      //Specifies the peer address.

set transform-set myset    //Specifies myset as the IPsec transform set.

match address 101     //Specifies ACL 101 as the interesting traffic.

(6)    Apply the crypto map to an interface.

interface GigabitEthernet0/0

ip add 10.0.0.1 255.255.255.0

crypto map mymap

3.      Configure a route on R1 to direct the traffic to LAN 2 to the egress.

     ip route 192.168.1.0 255.255.255.0 10.0.0.2

4.      Configure a static IPSec VPN tunnel on R2.

(1)    Configure the interesting traffic of IPSec.

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255  //Specifies the traffic with source address 192.168.1.0/24 and destination network 192.168.0.0/24 as interesting traffic.

(2)    Configure the ISAKMP policy.

crypto isakmp policy 1  //Creates a new ISAKMP policy.

authentication pre-share      //Specifies "pre-shared key" as the authentication method. Use "authentication rsa-sig" for digital certificates, and "authentication digital-email" for digital envelopes.

encryption 3des      //Specifies 3DES for encryption.

group 2    //Specifies Diffie-Hellman group 2 for the ISAKMP key exchange.

(3)    Configure the pre-shared key.

crypto isakmp key 0 ruijie address 10.0.0.1  //Specifies "ruijie" as the pre-shared key of peer 10.0.0.1. The same key should be used at the peer end. The key does not need to be configured in case of digital certificates/envelopes.

(4)    Configure the IPSec transform set.

crypto ipsec transform-set myset  esp-des esp-md5-hmac //Specifies ESP encapsulation, DES encryption and MD5 Verification for IPSec.

(5)    Configure the crypto map.

crypto map mymap 5 ipsec-isakmp     //Creates a crypto map named "mymap".

set peer 10.0.0.1      //Specifies the peer address.

set transform-set myset    //Specifies myset as the transform set.

match address 101     //Specifies ACL 101 as the interesting traffic.

(6)    Apply the crypto map to an interface.

interface GigabitEthernet0/0

ip add 10.0.0.2 255.255.255.0

crypto map mymap

5.      Configure a route on R2 to direct the traffic to LAN 1 to the egress.

     ip route 192.168.0.0 255.255.255.0 10.0.0.1
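A pre-deployment check for the static tunnel configured above, as an added example that is not part of the cookbook or of Ruijie's software: it parses the two interesting-traffic ACLs, confirms that R2's entry mirrors R1's (otherwise the Phase 2 proxy IDs of the two ends do not match), and confirms that LAN 1 and LAN 2 do not overlap, as the note in Section III requires. Only lines in the page's "access-list N permit ip A wild B wild" form are handled; that restriction and the two constructed misconfigurations are assumptions of the example.

```python
import ipaddress


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert 'addr wildcard' to a network. Only contiguous wildcards (0.0.0.255 style)
    can be expressed as a prefix; a base address with host bits set is rejected too."""
    w = int(ipaddress.IPv4Address(wildcard))
    prefixlen = 32 - w.bit_length()
    if w != (1 << (32 - prefixlen)) - 1:
        raise ValueError("non-contiguous wildcard %s cannot be expressed as a prefix" % wildcard)
    return ipaddress.IPv4Network((addr, prefixlen), strict=True)


def parse_crypto_acl(line: str):
    """Parse 'access-list <n> permit ip <src> <wild> <dst> <wild>' into (src_net, dst_net)."""
    parts = line.split()
    if len(parts) != 8 or parts[0] != "access-list" or parts[2:4] != ["permit", "ip"]:
        raise ValueError("unsupported ACL line: %r" % line)
    return wildcard_to_network(parts[4], parts[5]), wildcard_to_network(parts[6], parts[7])


def check_static_tunnel(r1_acl_line: str, r2_acl_line: str) -> list:
    """Return the problems found; an empty list means both checks passed."""
    r1_src, r1_dst = parse_crypto_acl(r1_acl_line)
    r2_src, r2_dst = parse_crypto_acl(r2_acl_line)
    problems = []
    # The two ends must describe the same traffic from opposite directions.
    if (r1_src, r1_dst) != (r2_dst, r2_src):
        problems.append("ACLs are not mirror images: R1 %s->%s, R2 %s->%s"
                        % (r1_src, r1_dst, r2_src, r2_dst))
    # LAN 1 and LAN 2 must be disjoint, as the note in Section III requires.
    if r1_src.overlaps(r1_dst):
        problems.append("LAN segments overlap: %s and %s" % (r1_src, r1_dst))
    return problems


# The exact lines from the R1 and R2 configuration above.
R1_ACL = "access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255"
R2_ACL = "access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255"
# Constructed mistakes: R2 typed a /16 wildcard for LAN 1, and a LAN 1 range that swallows LAN 2.
R2_ACL_BAD = "access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255"
R1_ACL_OVERLAP = "access-list 101 permit ip 192.168.0.0 0.0.255.255 192.168.1.0 0.0.0.255"

if __name__ == "__main__":
    for label, r1, r2 in (("as configured", R1_ACL, R2_ACL),
                          ("R2 wildcard typo", R1_ACL, R2_ACL_BAD),
                          ("overlapping LANs", R1_ACL_OVERLAP, R2_ACL_BAD)):
        print(label + ":", check_static_tunnel(r1, r2) or "OK")
```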

 

V. Verification

1.      On R1, ping 192.168.1.1 with the source IP address 192.168.0.1. The communication is normal.

R1#ping 192.168.1.1 source 192.168.0.1

Sending 5, 100-byte ICMP Echoes to 192.168.1.1, timeout is 2 seconds:

< press Ctrl+C to break >

.!!!!

2.      Check whether the ISAKMP SA and IPSec SA negotiations have succeeded on R1.

Ruijie#show crypto isakmp sa  //Shows the result of ISAKMP SA negotiation.

destination    source      state      conn-id    lifetime(second)

10.0.0.2       10.0.0.1    IKE_IDLE   0          84129          //The ISAKMP negotiation is successful and the status is IKE_IDLE.

Ruijie#show crypto ipsec sa //Shows the result of IPSec SA negotiation.

Interface: GigabitEthernet 0/0

Crypto map tag:mymap    //Indicates the name of the crypto map applied to the interface.

local ipv4 addr 10.0.0.1    //Indicates the IP address used during ISAKMP/IPSec negotiation.

media mtu 1500

==================================

sub_map type:static, seqno:5, id=0

local  ident (addr/mask/prot/port): (192.168.0.0/0.0.0.255/0/0))    //Indicates the source IP addresses of the interesting traffic.

remote  ident (addr/mask/prot/port):(192.168.1.0/0.0.0.255/0/0)) //Indicates the destination IP addresses of the interesting traffic.

PERMIT

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4    //Indicates the number of packets successfully encapsulated, encrypted and digested.

#pkts decaps:4, #pkts decrypt:4, #pkts verify 4    //Indicates the number of packets successfully decapsulated, decrypted and verified. When data is being encrypted through IPSec for communication, the preceding counters keep increasing when you repeatedly run the command show crypto ipsec sa.

#send errors 0, #recv errors 0  //Indicates the number of packets that are incorrectly sent and received. Normally, the counts do not increase.

Inbound esp sas:

spi:0x2ecca8e (49072782)    //Indicates the inbound SPI of the IPSec SA.

transform:esp-des esp-md5-hmac    //Indicates that the IPSec encryption transform set is esp-des esp-md5-hmac.

in use settings={Tunnel Encaps,}   //Indicates that the tunnel mode is used.

crypto map mymap 5

sa timing: remaining key lifetime (k/sec): (4606998/1324)  //Indicates that the remaining lifetime of the SA is: 4606998 kilobytes/1324 seconds.

IV size:8 bytes   //Indicates that the length of the IV is 8 bytes.

Replay detection support: Y   //Indicates the anti-replay processing.

Outbound esp sas:

spi:0x5730dd4b (1462820171)    //Indicates the outbound SPI of the IPSec SA. When both the inbound SPI and the outbound SPI are displayed, the IPSec SA negotiation is successful.

transform: esp-des esp-md5-hmac

 in use settings={Tunnel Encaps,}

crypto map mymap 5

sa timing: remaining key lifetime (k/sec): (4606998/1324)

IV size: 8 bytes

Replay detection support: Y

 

VI. Appendix

1.      How to check whether RSR50 and RSR50E have been configured with AIM-VPN encryption cards?

RSR50 and RSR50E have no embedded VPN encryption card, so IPSec is processed in software by processes and its performance is very low. At 500 pps of 60-byte packets, 50 packets are lost (a packet loss rate of 10%); above 2 Kpps, the packet loss rate is 100%.

If IPSec is used without an AIM-VPN encryption card, IPSec-related failures may occur. For example, CPU usage stays at about 100% even when only a small amount of traffic is being encrypted, or pings with large packets fail.

An AIM-VPN card is a pluggable card about the size of a memory module. It is installed inside the management board.

You can use the following method to check whether the management board is configured with an AIM-VPN card:

RSR50#debug su

RSR50(support)#pci show

RSR50(support)#

*Jan 29 13:41:23: %7: =================BEGIN====================

*Jan 29 13:41:23: %7: PCI Bus 0 slot 1/0: PCI device 0x166D:0x0002

*Jan 29 13:41:23: %7: PCI Bus 0 slot 6/0: PCI device 0x104C:0xAC28

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 3/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 3/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 4/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 4/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 5/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 5/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 14 slot 1/0: PCI device 0x1131:0x1561

*Jan 29 13:41:23: %7: PCI Bus 14 slot 1/1: PCI device 0x1131:0x1562

*Jan 29 13:41:23: %7: =================_^_====================

If a device with ID 0x0020 appears in the output, the management board has the AIM-VPN card; this is the line to look for:

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020

Notes:

If logging is disabled (), the pci show command produces no output. When you are logged in through a VTY line, the output appears only if terminal monitor is enabled.

 

1.4.3.4     IPSEC Dynamic Tunnel

 

Features

A dynamic IPSec tunnel is generally used in a topology with multiple branches. The dynamic tunnel is configured on the central site, which accepts IPSec VPN dial-in connections from the branches. This keeps the central site easy to configure and maintain and lets it scale to more branches.

 

Scenario

If the headquarters of a company and its branches need to share data between their intranets and want that data protected from interception or decryption in transit, an IPSec VPN can be created between the network devices of the headquarters and the branches. The IPSec VPN not only lets the headquarters and branches access each other's resources directly but also encrypts the data in transit. If the headquarters uses a static IP address while the branches dial up (so their IP addresses are not permanent), a dynamic IPSec VPN can be used.

 

I.Networking Requirements

Due to business development, a company sets up multiple branches all over the country. The egress router in the headquarters is connected to the Internet through a dedicated line of a Telecom operator, while the branches are connected to the Internet through a dedicated line or ADSL. The branches need to access the business server in the headquarters, and communication data between the branches and the headquarters needs to be encrypted to ensure business security.

A dynamic IPSec VPN can be deployed on the egress router in the headquarters to receive dial-in data from the branches, so as to enable mutual business access between the headquarters and the branches, and encrypt relevant data.

 

II. Network Topology

III. Configuration Tips

1.      Configure routers in the headquarters and its branches, so that the routers can access the Internet.

2.      Configure a dynamic IPSec VPN tunnel on the egress router in the headquarters.

(1)    Configure the ISAKMP policy.

(2)    Configure the pre-shared key.

(3)    Configure the IPSec transform set.

(4)    Configure the dynamic crypto map.

(5)    Map the dynamic IPSec encryption map to the static IPSec encryption map.

(6)    Apply the encryption map to an interface.

3.      Configure the route on the router of the headquarters, and direct the branches to the egress.

4.      Configure a static IPSec VPN tunnel on the routers of the branches.

(1)    Configure the interesting traffic of IPSec.

(2)    Configure the ISAKMP policy.

(3)    Configure the pre-shared key.

(4)    Configure the IPSec transform set.

(5)    Configure the crypto map.

(6)    Apply the encryption map to an interface.

5.      Configure the routes on the routers of the branches, and direct the traffic to the headquarters to the egress.

Notes:

l  The IP network segments of LAN 1 and LAN 2 that access each other must not overlap.

l  Because the RSR50 and RSR50E process IPSec in software, they must be fitted with AIM-VPN encryption cards when IPSec is used (to check whether a card is present, see the appendix at the end of this section).

IV. Configuration Steps

1.      Configure routers in the headquarters and its branches, so that the routers can access the Internet.

Make sure that the branches can ping the public IP address of the headquarters.

2.      Configure a dynamic IPSec VPN tunnel on the egress router of the headquarters.

(1)    Configure the ISAKMP policy.

crypto isakmp policy 1   //Creates a new ISAKMP policy.

encryption 3des        //Specifies to use 3DES for encryption.

authentication pre-share            //Sets the authentication method to pre-shared key. Use "authentication rsa-sig" for digital certificates and "authentication digital-email" for digital envelopes.

(2)    Configure the pre-shared key.

crypto isakmp key 0 ruijie address 0.0.0.0 0.0.0.0                 //Sets the pre-shared key to "ruijie". The same key must be configured on every IPSec client. Because the peer IP addresses are dynamic, the address 0.0.0.0 0.0.0.0 stands for all IPSec clients.

(3)    Configure the IPSec transform set.

crypto ipsec transform-set myset esp-des esp-md5-hmac   //Specifies IPSec to use ESP for encapsulation, DES for encryption and MD5 for verification.

(4)    Configure the IPSec crypto map.

crypto dynamic-map dymymap 5             //Creates a dynamic IPSec crypto map named "dymymap".

set transform-set myset                           //Specifies the transform set to "myset".

(5)    Map the dynamic crypto map to the static crypto map.

crypto map mymap 10 ipsec-isakmp dynamic dymymap   //Maps the dynamic crypto map "dymymap" to the static crypto map "mymap".

(6)    Apply the crypto map to an interface.

interface GigabitEthernet 0/0

 crypto map mymap

3.      Configure the route on the router of the headquarters, and direct the traffic to the branches to the egress.

  ip route 192.168.1.0 255.255.255.0 10.0.0.2

ip route 192.168.2.0 255.255.255.0 10.0.0.2

ip route 192.168.3.0 255.255.255.0 10.0.0.2

......

4.      Configure the static IPSec VPN tunnel on the routers of the branches (taking branch 1 as an example).

(1)    Configure the interesting traffic of IPSec.

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255  //Specifies the traffic with source address 192.168.1.0/24 and destination network 192.168.0.0/24 as interesting traffic.

(2)    Configure the ISAKMP policy.

crypto isakmp keepalive 5 periodic //Enables dead peer detection (DPD) for IKE.

crypto isakmp policy 1            //Creates a new ISAKMP policy.

authentication pre-share          //Sets the authentication method to pre-shared key. Use "authentication rsa-sig" for digital certificates and "authentication digital-email" for digital envelopes.

encryption 3des                 //Specifies to use 3DES for encryption.

(3)    Configure the pre-shared key.

crypto isakmp key 0 ruijie address 10.0.0.1  //Specifies "ruijie" as the pre-shared key of the peer 10.0.0.1. The same key shall be used on the egress router of the headquarters. The key does not need to be configured in case of digital certificates/envelopes.

(4)    Configure the IPSec transform set.

crypto ipsec transform-set myset  esp-des esp-md5-hmac //Specifies IPSec to use ESP for encapsulation, DES for encryption and MD5 for verification.

(5)    Configure the crypto map

crypto map mymap 5 ipsec-isakmp //Creates a crypto map named "mymap".

set peer 10.0.0.1                 //Specifies the peer address.

set transform-set myset           //Specifies the transform set as "myset".

match address 101               //Specifies ACL 101 as the interesting traffic.

(6)    Apply the encryption map to an interface.

interface dialer 0

crypto map mymap

5.      Configure the routes on the routers of the branches, and direct the traffic to the headquarters to the egress.

  ip route 192.168.0.0 255.255.255.0 dialer 0

 

V. Verification

1.      Ping 192.168.0.1 from the router of branch 1 with source IP address 192.168.1.1. The ping succeeds.

R1#ping 192.168.0.1 source 192.168.1.1

Sending 5, 100-byte ICMP Echoes to 192.168.1.1, timeout is 2 seconds:

< press Ctrl+C to break >

.!!!!

2.      On the router of branch 1, check whether the ISAKMP and IPSec SA negotiations are successful.

Ruijie#show crypto isakmp sa                                     //Shows the result of ISAKMP SA negotiation.

 destination       source            state                    conn-id           lifetime(second)

10.0.0.2          10.0.0.1          IKE_IDLE                 0                 84129                //The ISAKMP negotiation is successful and the status is IKE_IDLE.

Ruijie#show crypto ipsec sa                                             //Shows the result of IPSec SA negotiation.

Interface: GigabitEthernet 0/0

Crypto map tag:mymap    //Indicates the name of the crypto map applied to the interface.

local ipv4 addr 10.0.0.1                  //Indicates the IP address used during ISAKMP/IPSec negotiation.

         media mtu 1500

         ==================================

         sub_map type:static, seqno:5, id=0

         local  ident (addr/mask/prot/port): (192.168.0.0/0.0.0.255/0/0))  //Indicates the source IP address of the interesting traffic.

remote  ident (addr/mask/prot/port): (192.168.1.0/0.0.0.255/0/0))//Indicates the destination IP address of the interesting traffic.

         PERMIT

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4    //Indicates the number of packets successfully encapsulated, encrypted and digested.

#pkts decaps:4, #pkts decrypt:4, #pkts verify 4    //Indicates the number of packets successfully decapsulated, decrypted and verified. While traffic is being protected by IPSec, these counters keep increasing each time you run show crypto ipsec sa.

#send errors 0, #recv errors 0    //Indicates the number of packets that failed to be sent or received. Normally, these counters do not increase.

 Inbound esp sas:

spi:0x2ecca8e (49072782)                   //Indicates the inbound SPI of IPSec SA.

               transform: esp-des esp-md5-hmac  //Indicates that the IPSec encryption transform set is esp-des esp-md5-hmac.

in use settings={Tunnel Encaps,}         //Indicates that the tunnel mode is used.

               crypto map mymap 5

               sa timing: remaining key lifetime (k/sec): (4606998/1324)  //Indicates that the remaining lifetime of the SA is: 4,606,998 kilobytes/1,324 seconds.

               IV size: 8 bytes   //Indicates that the IV is 8 bytes long.

Replay detection support: Y   //Indicates that anti-replay protection is enabled.

 Outbound esp sas:

spi:0x5730dd4b (1462820171)    //Indicates the outbound SPI of the IPSec SA. The IPSec SA negotiation has succeeded only when both the inbound SPI and the outbound SPI are displayed.

               transform: esp-des esp-md5-hmac

               in use settings={Tunnel Encaps,}

               crypto map mymap 5

               sa timing: remaining key lifetime (k/sec): (4606998/1324)

               IV size: 8 bytes

               Replay detection support:Y

 

VI. Appendix

1.      How to check whether RSR50 and RSR50E have been configured with AIM-VPN encryption cards?

The RSR50 and RSR50E have no built-in VPN encryption hardware. IPSec is processed in software, so its performance is poor: at 500 pps with 60-byte packets, 50 packets are lost, a loss rate of 10%; above 2 kpps, the loss rate is 100%.

If IPSec is used without an AIM-VPN encryption card, IPSec-related failures may occur. For example, CPU utilization stays at 100% even when only a small amount of traffic is being encrypted, or pings with large packets fail.

An AIM-VPN card is a pluggable card about the size of a memory module. It is installed inside the management board.

You can use the following method to check whether the management board is configured with an AIM-VPN card:

RSR50#debug su

RSR50(support)#pci show

RSR50(support)#

*Jan 29 13:41:23: %7: =================BEGIN====================

*Jan 29 13:41:23: %7: PCI Bus 0 slot 1/0: PCI device 0x166D:0x0002

*Jan 29 13:41:23: %7: PCI Bus 0 slot 6/0: PCI device 0x104C:0xAC28

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 3/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 3/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 4/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 4/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 5/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 5/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 14 slot 1/0: PCI device 0x1131:0x1561

*Jan 29 13:41:23: %7: PCI Bus 14 slot 1/1: PCI device 0x1131:0x1562

*Jan 29 13:41:23: %7: =================_^_====================

If a device with ID 0x0020 appears in the output, the management board has the AIM-VPN card; this is the line to look for:

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020

Notes:

If logging is disabled (), the pci show command produces no output. When you are logged in through a VTY line, the output appears only if terminal monitor is enabled.

 

1.4.3.5     IPSEC Dynamic Tunnel with Domain Name Authentication

 

Features

A dynamic IPSec tunnel is generally used in a topology with multiple branches. The dynamic tunnel is configured on the central site, which accepts IPSec VPN dial-in connections from the branches. This keeps the central site easy to configure and maintain and lets it scale to more branches.

Because the branch IP addresses are not static, a different pre-shared key cannot be bound to each branch by IP address. If all branches share one pre-shared key, a leak of that key from any single branch puts the whole VPN at risk. Domain name authentication solves this: each branch is assigned its own domain name, and a separate key is bound to each domain name, so a leaked key affects only the branch it belongs to.

I.Networking Requirements

Due to business development, a company sets up multiple branches all over the country. The egress router in the headquarters is connected to the Internet through a dedicated line of a Telecom operator, while the branches are connected to the Internet through a dedicated line or ADSL. The branches need to access the business server in the headquarters, and communication data between the branches and the headquarters needs to be encrypted to ensure business security.

A dynamic IPSec VPN can be deployed on the egress router in the headquarters to accept dial-in connections from the branches, so as to enable mutual business access between the headquarters and the branches and encrypt the relevant data. Because the branches reach the Internet by dial-up, each branch is authenticated with its own key.

II. Network Topology

III. Configuration Tips

1.      Configure routers in the headquarters and its branches, so that the routers can access the Internet.

2.      Configure a dynamic IPSec VPN tunnel on the egress router in the headquarters.

(1)    Configure the ISAKMP policy.

(2)    Configure the pre-shared key.

(3)    Configure the ISAKMP mode as automatic identification.

(4)    Configure the IPSec transform set.

(5)    Configure the dynamic IPSec crypto map.

(6)    Map the dynamic IPSec encryption map to the static IPSec encryption map.

(7)    Apply the encryption map to an interface.

3.      Configure the route on the router of the headquarters, and direct the traffic to the branches to the egress.

4.      Configure the static IPSec VPN tunnel on the routers of the branches.

(1)    Configure the self-identity.

(2)    Configure interesting traffic of IPSec.

(3)    Configure the ISAKMP policy.

(4)    Configure the pre-shared key.

(5)    Configure the IPSec transform set.

(6)    Configure the crypto map.

(7)    Apply the encryption map to an interface.

5.      Configure the routes on the routers of the branches, and direct the traffic to the headquarters to the egress.

Notes:

l  The IP network segments of LAN 1 and LAN 2 that access each other must not overlap.

l  Because the RSR50 and RSR50E process IPSec in software, they must be fitted with AIM-VPN encryption cards when IPSec is used (to check whether a card is present, see the appendix at the end of this section).

IV. Configuration Steps

1.      Configure routers in the headquarters and its branches, so that the routers can access the Internet.

        Make sure that the branches can ping the public IP address of the headquarters.

2.      Configure a dynamic IPSec VPN tunnel on the egress router of the headquarters.

(1)    Configure the ISAKMP policy.

crypto isakmp policy 1     //Creates a new ISAKMP policy.

encryption 3des        //Specifies to use 3DES for encryption.

authentication pre-share            //Sets the authentication method to pre-shared key. Use "authentication rsa-sig" for digital certificates and "authentication digital-email" for digital envelopes.

(2)    Configure the pre-shared key.

crypto isakmp key 0 password3 hostname site3.ruijie.com.cn

crypto isakmp key 0 password2 hostname site2.ruijie.com.cn

crypto isakmp key 0 password1 hostname site1.ruijie.com.cn     //Configures the pre-shared key of each branch separately, and uses hostname to specify the name of each branch.

(3)    Configure the ISAKMP mode as automatic identification.

crypto isakmp mode-detect       //Configures the ISAKMP mode as automatic identification, so that negotiations can be received from the branches in IKE aggressive mode.

(4)    Configure the IPSec transform set.

crypto ipsec transform-set myset esp-des esp-md5-hmac      //Specifies IPSec to use ESP for encapsulation, DES for encryption and MD5 for verification.

(5)    Configure the dynamic IPSec crypto map

crypto dynamic-map dymymap 5             //Creates a dynamic IPSec crypto map named "dymymap".

set transform-set myset                     //Specifies the transform set to "myset".

(6)    Map the dynamic crypto map to the static crypto map.

crypto map mymap 10 ipsec-isakmp dynamic dymymap   //Maps the dynamic crypto map "dymymap" to the static crypto map "mymap".

(7)    Apply the encryption map to an interface.

interface GigabitEthernet 0/0

   crypto map mymap

3.      Configure the route on the router of the headquarters, and direct the traffic to the branches to the egress.

     ip route 192.168.1.0 255.255.255.0 10.0.0.2

ip route 192.168.2.0 255.255.255.0 10.0.0.2

ip route 192.168.3.0 255.255.255.0 10.0.0.2

......

4.      Configure the static IPSec VPN tunnel on the routers of the branches (taking branch1 as an example).

(1)    Configure the self-identity.

self-identity fqdn site1.ruijie.com.cn  //Sets the self-identity to "site1.ruijie.com.cn", the name the headquarters uses to look up this branch's key.

(2)    Configure the interesting traffic of IPSec.

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255  //Specifies the traffic with source address 192.168.1.0/24 and destination network 192.168.0.0/24 as interesting traffic.

(3)    Configure the ISAKMP policy.

crypto isakmp keepalive 5 periodic //Enables dead peer detection (DPD) for IKE.

crypto isakmp policy 1            //Creates a new ISAKMP policy.

authentication pre-share         //Sets the authentication method to pre-shared key. Use "authentication rsa-sig" for digital certificates and "authentication digital-email" for digital envelopes.

encryption 3des                 //Specifies to use 3DES for encryption.

(4)    Configure the pre-shared key.

crypto isakmp key 0 password1 address 10.0.0.2  //Specifies "password1" as the pre-shared key for the peer 10.0.0.2. The key must be the same as the one the headquarters binds to this branch's hostname. The key does not need to be configured in case of digital certificates/envelopes.

(5)    Configure the IPSec transform set.

crypto ipsec transform-set myset  esp-des esp-md5-hmac //Specifies IPSec to use ESP for encapsulation, DES for encryption and MD5 for verification.

(6)    Configure the crypto map.

crypto map mymap 5 ipsec-isakmp //Creates a crypto map named "mymap".

set peer 10.0.0.2                 //Specifies the peer address.

set transform-set myset           //Specifies the transform set to "myset".

set exchange-mode aggressive   //Specifies to use the aggressive mode to initiate IKE negotiations.

match address 101               //Specifies ACL 101 as the interesting traffic.

(7)    Apply the encryption map to an interface.

interface dialer 0

    crypto map mymap

5.      Configure the routes on the routers of the branches, and direct the traffic to the headquarters to the egress.

ip route 192.168.0.0 255.255.255.0 dialer 0
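The following Python check, added here and not part of the Ruijie cookbook, reads the headquarters and branch configurations from steps 2 to 5 as text and reports the mismatches that break a hostname-keyed dial-in or weaken it: a branch FQDN with no key at the headquarters, differing keys, aggressive mode or mode-detect missing, differing transform sets, a key bound to a different address than the peer, and a wildcard key of the kind used in 1.4.3.4 that would undo the per-branch design. The configuration snippets are constructed from the commands above, and the function names are this example's own.

```python
"""Consistency check for the hostname-keyed dynamic IPSec tunnel (1.4.3.5).
Added example, not code from the Ruijie cookbook; the configuration snippets are
constructed from the page's commands and the function names are this example's own."""
import re
from typing import Dict, List, Optional

HQ_CONFIG = """\
crypto isakmp policy 1
 encryption 3des
 authentication pre-share
crypto isakmp key 0 password3 hostname site3.ruijie.com.cn
crypto isakmp key 0 password2 hostname site2.ruijie.com.cn
crypto isakmp key 0 password1 hostname site1.ruijie.com.cn
crypto isakmp mode-detect
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dymymap 5
 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dymymap
"""
BRANCH1_CONFIG = """\
self-identity fqdn site1.ruijie.com.cn
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
crypto isakmp keepalive 5 periodic
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
crypto isakmp key 0 password1 address 10.0.0.2
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 5 ipsec-isakmp
 set peer 10.0.0.2
 set transform-set myset
 set exchange-mode aggressive
 match address 101
"""

def _first(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def hostname_keys(config: str) -> Dict[str, str]:
    """fqdn -> key for every 'crypto isakmp key 0 <key> hostname <fqdn>' line."""
    return {fqdn: key for key, fqdn in
            re.findall(r"^crypto isakmp key 0 (\S+) hostname (\S+)", config, re.M)}

def transform_algs(config: str) -> set:
    """Algorithms named on the first 'crypto ipsec transform-set' line."""
    line = _first(r"^crypto ipsec transform-set \S+ (.+)$", config)
    return set(line.split()) if line else set()

def check_branch_against_hq(hq: str, branch: str) -> List[str]:
    """Report what would make this branch's dial-in fail or weaken the key design."""
    findings = []
    fqdn = _first(r"^self-identity fqdn (\S+)", branch)
    keys = hostname_keys(hq)
    if fqdn is None:
        findings.append("branch: no 'self-identity fqdn', so HQ cannot pick a per-branch key")
    elif fqdn not in keys:
        findings.append(f"HQ: no 'crypto isakmp key ... hostname {fqdn}' entry")
    elif _first(r"^crypto isakmp key 0 (\S+) address \S+", branch) != keys[fqdn]:
        findings.append(f"key for {fqdn} differs between HQ and branch")
    if not re.search(r"^\s*set exchange-mode aggressive", branch, re.M):
        findings.append("branch: 'set exchange-mode aggressive' missing; HQ can only "
                        "select the key by hostname when IKE is initiated in aggressive mode")
    if not re.search(r"^crypto isakmp mode-detect", hq, re.M):
        findings.append("HQ: 'crypto isakmp mode-detect' missing; aggressive-mode "
                        "dial-in from the branches will not be accepted")
    if transform_algs(hq) != transform_algs(branch):
        findings.append("transform sets differ; the IPSec SA will not be negotiated")
    peer = _first(r"^\s*set peer (\S+)", branch)
    key_addr = _first(r"^crypto isakmp key 0 \S+ address (\S+)", branch)
    if peer and key_addr and peer != key_addr:
        findings.append(f"branch: key is bound to {key_addr} but 'set peer' is {peer}")
    if re.search(r"^crypto isakmp key 0 \S+ address 0\.0\.0\.0 0\.0\.0\.0", hq, re.M):
        # A wildcard key (as in section 1.4.3.4) is shared by every branch; the
        # page's point in 1.4.3.5 is that one leaked key then exposes them all.
        findings.append("HQ: wildcard pre-shared key present; it bypasses per-branch keys")
    return findings

if __name__ == "__main__":
    print(check_branch_against_hq(HQ_CONFIG, BRANCH1_CONFIG) or ["consistent"])
    print(check_branch_against_hq(HQ_CONFIG, BRANCH1_CONFIG.replace("password1", "password9")))
```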

 

V. Verification

1.      Ping 192.168.0.1 from the router of branch 1 with source IP address 192.168.1.1. The ping succeeds.

R1#ping 192.168.0.1 source 192.168.1.1

Sending 5, 100-byte ICMP Echoes to 192.168.1.1, timeout is 2 seconds:

< press Ctrl+C to break >

.!!!!

2.      On the router of branch 1, check whether the ISAKMP and IPSec SA negotiations are successful.

Ruijie#show crypto isakmp sa                                   //Shows the result of ISAKMP SA negotiation.

 destination       source            state                    conn-id           lifetime(second)

10.0.0.2          10.0.0.1          IKE_IDLE                 0                 84129                //The ISAKMP negotiation is successful and the status is IKE_IDLE.

Ruijie#show crypto ipsec sa                                             //Shows the result of IPSec SA negotiation.

Interface: GigabitEthernet 0/0

Crypto map tag:mymap    //Indicates the name of the crypto map applied to the interface.

local ipv4 addr 10.0.0.1                  //Indicates the IP address used during ISAKMP/IPSec negotiation.

         media mtu 1500

         ==================================

         sub_map type:static, seqno:5, id=0

         local  ident (addr/mask/prot/port): (192.168.0.0/0.0.0.255/0/0))   //Indicates the source IP address of the interesting traffic.

remote  ident (addr/mask/prot/port): (192.168.1.0/0.0.0.255/0/0))//Indicates the destination IP address of the interesting traffic.

         PERMIT

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4    //Indicates the number of packets successfully encapsulated, encrypted and digested.

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4    //Indicates the number of packets successfully decapsulated, decrypted and verified. While traffic is being protected by IPSec, these counters keep increasing each time you run show crypto ipsec sa.

#send errors 0, #recv errors 0    //Indicates the number of packets that failed to be sent or received. Normally, these counters do not increase.

 Inbound esp sas:

spi:0x2ecca8e (49072782)                //Indicates the inbound SPI of IPSec SA.

               transform: esp-des esp-md5-hmac    //Indicates that the IPSec encryption transform set is esp-des esp-md5-hmac.

in use settings={Tunnel Encaps,}         //Indicates that the tunnel mode is used.

               crypto map mymap 5

               sa timing: remaining key lifetime (k/sec): (4606998/1324)  //Indicates that the remaining lifetime of the SA is: 4,606,998 kilobytes/1,324 seconds.

               IV size: 8 bytes   //Indicates that the IV is 8 bytes long.

Replay detection support: Y   //Indicates that anti-replay protection is enabled.

 Outbound esp sas:

spi:0x5730dd4b (1462820171)    //Indicates the outbound SPI of the IPSec SA. The IPSec SA negotiation has succeeded only when both the inbound SPI and the outbound SPI are displayed.

               transform: esp-des esp-md5-hmac

               in use settings={Tunnel Encaps,}

               crypto map mymap 5

               sa timing: remaining key lifetime (k/sec): (4606998/1324)

               IV size: 8 bytes

               Replay detection support: Y
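The verification listing above (it appears in each section of this chapter) is read by eye; as an added example that is not part of the Ruijie cookbook, the Python script below parses two successive show crypto ipsec sa snapshots and applies the same checks automatically: both SPIs present, encaps and decaps counters rising, error counters flat, anti-replay on. The snapshots are constructed from the fields shown above; the class and function names, and the warning about the DES/MD5 transform set, are this example's own.

```python
"""IPSec SA health check from RG-Router 'show crypto ipsec sa' output.
Added example, not code from the Ruijie cookbook; the snapshots are constructed
from the Verification listing, and the names and legacy warning are this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed first snapshot, modelled on the page's verification listing.
SNAPSHOT_T0 = """\
Crypto map tag:mymap
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps:4, #pkts decrypt:4, #pkts verify 4
#send errors 0, #recv errors 0
 Inbound esp sas:
spi:0x2ecca8e (49072782)
  transform: esp-des esp-md5-hmac
  Replay detection support: Y
 Outbound esp sas:
spi:0x5730dd4b (1462820171)
  transform: esp-des esp-md5-hmac
  Replay detection support: Y
"""
# Constructed second snapshot: the same SA after five more pings went through.
SNAPSHOT_T1 = (SNAPSHOT_T0
               .replace("encaps: 4, #pkts encrypt: 4, #pkts digest 4",
                        "encaps: 9, #pkts encrypt: 9, #pkts digest 9")
               .replace("decaps:4, #pkts decrypt:4, #pkts verify 4",
                        "decaps:9, #pkts decrypt:9, #pkts verify 9"))
# Constructed failure case: packets leave, nothing returns, receive errors climb,
# and the outbound SA never appeared (the page says both SPIs must be shown).
SNAPSHOT_BROKEN = (SNAPSHOT_T1.split(" Outbound esp sas:")[0]
                   .replace("decaps:9, #pkts decrypt:9, #pkts verify 9",
                            "decaps:4, #pkts decrypt:4, #pkts verify 4")
                   .replace("#recv errors 0", "#recv errors 3"))

@dataclass
class SaSnapshot:
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    inbound_spi: Optional[str]
    outbound_spi: Optional[str]
    transform: str
    replay_enabled: bool

def _int_after(pattern: str, text: str) -> int:
    m = re.search(pattern, text)
    return int(m.group(1)) if m else 0

def _spi_in(section: str) -> Optional[str]:
    m = re.search(r"spi:\s*(0x[0-9a-fA-F]+)", section)
    return m.group(1) if m else None

def parse_ipsec_sa(text: str) -> SaSnapshot:
    """Pull counters and SA identifiers out of 'show crypto ipsec sa' text."""
    # The router prints the inbound SA block before the outbound one; split there.
    _, _, after_inbound = text.partition("Inbound esp sas:")
    inbound_part, _, outbound_part = after_inbound.partition("Outbound esp sas:")
    transform = re.search(r"transform:\s*([^\n]+)", text)
    return SaSnapshot(
        encaps=_int_after(r"#pkts encaps:\s*(\d+)", text),
        decaps=_int_after(r"#pkts decaps:\s*(\d+)", text),
        send_errors=_int_after(r"#send errors\s*(\d+)", text),
        recv_errors=_int_after(r"#recv errors\s*(\d+)", text),
        inbound_spi=_spi_in(inbound_part),
        outbound_spi=_spi_in(outbound_part),
        transform=transform.group(1).strip() if transform else "",
        replay_enabled=bool(re.search(r"Replay detection support:\s*Y", text)),
    )

def assess(prev: SaSnapshot, cur: SaSnapshot) -> List[str]:
    """Apply the cookbook's reading of the output: both SPIs present, encaps and
    decaps climbing between two runs, error counters flat, anti-replay on."""
    findings = []
    if cur.inbound_spi is None or cur.outbound_spi is None:
        findings.append("FAIL: both SPIs not present; IPSec SA negotiation incomplete")
    if cur.encaps <= prev.encaps:
        findings.append("FAIL: #pkts encaps flat; no local traffic matches the ACL")
    if cur.decaps <= prev.decaps:
        findings.append("FAIL: #pkts decaps flat; nothing is returning from the peer")
    if cur.send_errors > prev.send_errors or cur.recv_errors > prev.recv_errors:
        findings.append("FAIL: #send/#recv error counters are increasing")
    if not cur.replay_enabled:
        findings.append("WARN: anti-replay protection is not enabled on this SA")
    if re.search(r"\besp-des\b", cur.transform) or "md5" in cur.transform:
        # Editor's addition: single DES and HMAC-MD5 are legacy algorithms. The
        # page's example transform set uses both, so this is a warning, not a fail.
        findings.append(f"WARN: legacy transform set in use: {cur.transform}")
    return findings

def is_healthy(prev: SaSnapshot, cur: SaSnapshot) -> bool:
    """True when no FAIL finding is raised; WARN findings do not block."""
    return not any(f.startswith("FAIL") for f in assess(prev, cur))

if __name__ == "__main__":
    t0, t1 = parse_ipsec_sa(SNAPSHOT_T0), parse_ipsec_sa(SNAPSHOT_T1)
    print("\n".join(assess(t0, t1)), "\nhealthy:", is_healthy(t0, t1))
```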

 

VI. Appendix

1.      How to check whether RSR50 and RSR50E have been configured with AIM-VPN encryption cards?

The RSR50 and RSR50E have no built-in VPN encryption hardware. IPSec is processed in software, so its performance is poor: at 500 pps with 60-byte packets, 50 packets are lost, a loss rate of 10%; above 2 kpps, the loss rate is 100%.

If IPSec is used without an AIM-VPN encryption card, IPSec-related failures may occur. For example, CPU utilization stays at 100% even when only a small amount of traffic is being encrypted, or pings with large packets fail.

An AIM-VPN card is a pluggable card about the size of a memory module. It is installed inside the management board.

You can use the following method to check whether the management board is configured with an AIM-VPN card:

RSR50#debug su

RSR50(support)#pci show

RSR50(support)#

*Jan 29 13:41:23: %7: =================BEGIN====================

*Jan 29 13:41:23: %7: PCI Bus 0 slot 1/0: PCI device 0x166D:0x0002

*Jan 29 13:41:23: %7: PCI Bus 0 slot 6/0: PCI device 0x104C:0xAC28

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 3/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 3/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 4/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 4/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 5/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 5/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 14 slot 1/0: PCI device 0x1131:0x1561

*Jan 29 13:41:23: %7: PCI Bus 14 slot 1/1: PCI device 0x1131:0x1562

*Jan 29 13:41:23: %7: =================_^_====================

If a device with ID 0x0020 appears in the output, the management board has the AIM-VPN card; this is the line to look for:

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020

Notes:

If logging is disabled (), the pci show command produces no output. When you are logged in through a VTY line, the output appears only if terminal monitor is enabled.

 

1.4.3.6     IPSEC Dynamic Tunnel Based on Digital Certificate

 

Features

A dynamic IPSec tunnel is generally used in a topology with multiple branches. The dynamic tunnel is configured on the central site, which accepts IPSec VPN dial-in connections from the branches. This keeps the central site easy to configure and maintain and lets it scale to more branches.

A pre-shared key is easily leaked. Authenticating with digital certificates instead makes identity authentication far more robust.

 

Scenario

The headquarters of a company and its branches need to share data between their intranets and want that data protected from interception or decryption in transit. The branches are connected to the Internet through ADSL in dial-up mode (that is, their Internet-facing IP addresses are not permanent). The headquarters and the branches use digital certificates to verify each other's identity. For this purpose, deploy a certificate-based dynamic IPSec VPN on the network devices in the headquarters and a certificate-based static IPSec VPN on the network devices in the branches.

 

I.Networking Requirements

Due to business development, a company sets up multiple branches all over the country. The egress router in the headquarters is connected to the Internet through a dedicated line of a telecom operator, while the branches are connected to the Internet through a dedicated line or ADSL. The branches need to access the business server in the headquarters, and communication data between the branches and the headquarters needs to be encrypted to ensure business security.

A dynamic IPSec VPN can be deployed on the egress router in the headquarters to receive dial-in information from the branches, so as to enable mutual business access between the headquarters and the branches, and encrypt relevant data. The branches and the headquarters use a digital certificate to verify the identity of each other.

II. Network Topology

III. Configuration Tips

1.       Configure routers in the headquarters and branches, so that the routers can access the Internet.

2.       Import the digital certificate on the egress router of the headquarters and routers of the branches.

3.       Configure a dynamic IPSec VPN tunnel on the egress router of the headquarters.

4.       Configure the route on the router of the headquarters, and direct the traffic to the branches to the egress.

5.       Configure a static IPSec VPN tunnel on the routers of the branches.

6.       Configure the routes on the routers of the branches, and direct the traffic to the headquarters to the egress.

Notes:

l  The IP network segments of LAN 1 and LAN 2 that access each other must not overlap.

l  Because the RSR50 and RSR50E process IPSec in software, they must be fitted with AIM-VPN encryption cards when IPSec is used (to check whether a card is present, see the appendix at the end of this section).

IV. Configuration Steps

1.       Configure routers in the headquarters and its branches, so that the routers can access the Internet.

        Make sure that the branches can ping the public IP address of the headquarters.

2.       Import the digital certificate on the egress router of the headquarters and routers of the branches

Select a certificate import method that suits the on-site environment and customer requirements. For the detailed import procedure, refer to the section CA Digital Certificate Configuration (Typical Configuration--->Security--->CA Digital Certificate Configuration).

3.       Configure a dynamic IPSec VPN tunnel on the egress router of the headquarters.

(1)    Configure the ISAKMP policy.

crypto isakmp policy 1    //Creates a new ISAKMP policy.

encryption 3des        //Specifies to use 3DES for encryption.

authentication rsa-sig                //Sets the authentication method to digital certificate (RSA signatures); this is the default authentication method.

(2)    Configure the IPSec transform set.

crypto ipsec transform-set myset esp-des esp-md5-hmac    //Specifies IPSec to use ESP for encapsulation, DES for encryption and MD5 for verification.

(3)    Configure the dynamic IPSec encryption map.

crypto dynamic-map dymymap 5             //Creates a dynamic IPSec Crypto map named "dymymap".

set transform-set myset                           //Specifies the transform set to "myset".

(4)    Map the dynamic IPSec Crypto map to the static IPSec Crypto map.

crypto map mymap 10 ipsec-isakmp dynamic dymymap   //Maps the dynamic IPSec Crypto map "dymymap" to the static IPSec Crypto map "mymap".

(5)    Apply the encryption map to an interface.

interface GigabitEthernet 0/0

    crypto map mymap

(6)    Disable the certificate time and validity check.

crypto pki trustpoint center               //Enters the corresponding trust point of the certificate.

time-check none                              //Disables the certificate time check.

revocation-check none                     //Indicates not to check whether the certificate is revoked.

Notes: It is recommended to disable the certificate time check and revocation list check; otherwise, the IPSec negotiation may fail.

4.       Configure the route on the router of the headquarters, and direct the traffic to the branches to the egress.

ip route 192.168.1.0 255.255.255.0 10.0.0.2

ip route 192.168.2.0 255.255.255.0 10.0.0.2

ip route 192.168.3.0 255.255.255.0 10.0.0.2

......

5.       Configure the static IPSec VPN tunnel on the routers of the branches (taking branch 1 as an example).

(1)    Configure the interesting traffic of IPSec.

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255  //Specifies the traffic with source address 192.168.1.0/24 and destination network 192.168.0.0/24 as interesting traffic.

(2)    Configure the ISAKMP policy.

crypto isakmp keepalive 5 periodic  //Configures the IPSec DPD detection function.

crypto isakmp policy 1            //Creates a new ISAKMP policy.

encryption 3des                      //Specifies to use 3DES for encryption.

authentication rsa-sig                //Specifies digital certificate (RSA signature) as the authentication method. This is the default authentication method.

(3)    Configure the IPSec encryption transform set.

crypto ipsec transform-set myset  esp-des esp-md5-hmac //Specifies IPSec to use ESP for encapsulation, DES for encryption and MD5 for verification.

(4)    Configure the IPSec encryption map.

crypto map mymap 5 ipsec-isakmp //Creates a crypto map named "mymap".

set peer 10.0.0.2                              //Specifies the peer address.

set transform-set myset                  //Specifies the transform set to "myset".

interesting traffic 101                         //Specifies ACL 101 as the interesting traffic.

(5)    Apply the crypto map to an interface.

interface dialer 0

    crypto map mymap

(6)    Disable the certificate time and validity check.

crypto pki trustpoint center               //Enters the corresponding trustpoint of the certificate.

time-check none                              //Disables the certificate time check.

revocation-check none                     //Indicates not to check whether the certificate is revoked.

Notes: It is recommended to disable the certificate time check and revocation list check; otherwise, the IPSec negotiation may fail.

6.       Configure the routes on the routers of the branches, and direct the traffic to the headquarters to the egress.

ip route 192.168.0.0 255.255.255.0 dialer 0
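Steps 4 to 6 leave two requirements that are easy to break as branches are added: the LAN segments reached over the tunnel must not overlap (see the Notes above), and the headquarters must hold a static route towards the egress for every branch LAN that appears as the source of a branch's interesting-traffic ACL. The following Python script is an added example, not part of the cookbook; it audits constructed route and ACL fragments that follow this section's addressing (HQ LAN 192.168.0.0/24, branch LANs 192.168.1.0/24 onwards, next hop 10.0.0.2).

```python
import ipaddress
import re

# Constructed sample fragments that follow this section's addressing (not a device dump).
HQ_LAN = ipaddress.ip_network("192.168.0.0/24")
HQ_ROUTES = """
ip route 192.168.1.0 255.255.255.0 10.0.0.2
ip route 192.168.2.0 255.255.255.0 10.0.0.2
"""
BRANCH_ACLS = {  # interesting-traffic ACL of each branch; note that branch3 has no route above
    "branch1": "access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "branch2": "access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255",
    "branch3": "access-list 101 permit ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255",
}

def wildcard_to_network(addr, wildcard):
    # ACL "address wildcard" (e.g. 192.168.1.0 0.0.0.255) -> 192.168.1.0/24
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_hq_routes(text):
    # Map each "ip route <net> <mask> <next-hop>" line to {network: next_hop}.
    routes = {}
    for m in re.finditer(r"^ip route (\S+) (\S+) (\S+)$", text, re.MULTILINE):
        routes[ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)] = m.group(3)
    return routes

def audit(hq_lan, hq_routes, branch_acls, egress_next_hop):
    # Returns a list of findings; an empty list means the addressing and routing plan is consistent.
    findings, lans = [], {"headquarters": hq_lan}
    for name, acl in branch_acls.items():
        m = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)$", acl)
        if not m:
            findings.append(f"{name}: interesting-traffic ACL could not be parsed")
            continue
        src = wildcard_to_network(m.group(1), m.group(2))
        dst = wildcard_to_network(m.group(3), m.group(4))
        if dst != hq_lan:  # the branch must protect exactly the traffic towards the HQ LAN
            findings.append(f"{name}: ACL destination {dst} is not the headquarters LAN {hq_lan}")
        for other, net in lans.items():  # segments reached over the tunnel must not overlap
            if src.overlaps(net):
                findings.append(f"{name}: LAN {src} overlaps the {other} LAN {net}")
        lans[name] = src
        next_hop = hq_routes.get(src)  # HQ must direct the branch LAN to the egress
        if next_hop is None:
            findings.append(f"{name}: headquarters has no static route for {src}")
        elif next_hop != egress_next_hop:
            findings.append(f"{name}: route for {src} points to {next_hop}, not {egress_next_hop}")
    return findings
```

Running audit(HQ_LAN, parse_hq_routes(HQ_ROUTES), BRANCH_ACLS, "10.0.0.2") on the samples reports only that the headquarters lacks a route for branch3's LAN.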

 

V. Verification

1.      Ping 192.168.0.1 from the router of branch 1 with source IP address 192.168.1.1. The communication is normal.

R1#ping 192.168.0.1 source 192.168.1.1

Sending 5, 100-byte ICMP Echoes to 192.168.1.1, timeout is 2 seconds:

<press Ctrl+C to break >

.!!!!

2.      On the router of branch1, check whether ISAKMP and IPSec SA negotiations are successful.

Ruijie#show crypto isakmp sa                                     //Shows the result of ISAKMP SA negotiation.

 destination       source            state          conn-id           lifetime(second)

10.0.0.2          10.0.0.1          IKE_IDLE         0                 84129                //The ISAKMP negotiation is successful and the status is IKE_IDLE.

Ruijie#show crypto ipsec sa                                             //Shows the result of IPSec SA negotiation.

Interface: GigabitEthernet 0/0

    Crypto map tag:mymap    //Indicates the name of the crypto map applied to the interface.

    local ipv4 addr 10.0.0.1                  //Indicates the IP address used during ISAKMP/IPSec negotiation.

    media mtu 1500

    ==================================

    sub_map type:static, seqno:5, id=0

        local  ident (addr/mask/prot/port): (192.168.0.0/0.0.0.255/0/0)   //Indicates the source IP address of the interesting traffic.

        remote  ident (addr/mask/prot/port): (192.168.1.0/0.0.0.255/0/0)   //Indicates the destination IP address of the interesting traffic.

        PERMIT

        #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4  //Indicates the number of packets successfully encapsulated, encrypted and digested.

        #pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4     //Indicates the number of packets successfully decapsulated, decrypted and verified. While data is being encrypted through IPSec, these counters keep increasing when you run the show crypto ipsec sa command repeatedly.

        #send errors 0, #recv errors 0    //Indicates the number of packets that are incorrectly sent and received. Normally, the counts do not increase.

        Inbound esp sas:

            spi:0x2ecca8e (49072782)                   //Indicates the inbound SPI of the IPSec SA.

            transform: esp-des esp-md5-hmac    //Indicates that the IPSec encryption transform set is esp-des esp-md5-hmac.

            in use settings={Tunnel Encaps,}         //Indicates that the tunnel mode is used.

            crypto map mymap 5

            sa timing: remaining key lifetime (k/sec): (4606998/1324)  //Indicates that the remaining lifetime of the SA is 4,606,998 kilobytes/1,324 seconds.

            IV size: 8 bytes   //Indicates that the length of the IV is 8 bytes.

            Replay detection support: Y   //Indicates that anti-replay detection is supported.

        Outbound esp sas:

            spi:0x5730dd4b (1462820171)   //Indicates the outbound SPI of the IPSec SA. The IPSec SA negotiation is successful only when both the inbound SPI and the outbound SPI are displayed.

            transform: esp-des esp-md5-hmac

            in use settings={Tunnel Encaps,}

            crypto map mymap 5

            sa timing: remaining key lifetime (k/sec): (4606998/1324)

            IV size: 8 bytes

            Replay detection support: Y
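The checks described above (ISAKMP SA in state IKE_IDLE, inbound and outbound SPI both present, the encaps/decaps counters rising between two runs of show crypto ipsec sa, and the send/recv error counters staying at zero) can be scripted over the command output. The following Python is an added example, not part of the cookbook; its sample output is constructed after the listings above and the parsing assumes that same layout.

```python
import re

# Constructed samples modelled on the listings above (not captured from a device).
ISAKMP_SA = """
 destination       source            state          conn-id           lifetime(second)
10.0.0.2          10.0.0.1          IKE_IDLE         0                 84129
"""
IPSEC_SA_BEFORE = """
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4
#send errors 0, #recv errors 0
 Inbound esp sas:
  spi:0x2ecca8e (49072782)
 Outbound esp sas:
  spi:0x5730dd4b (1462820171)
"""
# The same SA re-read after a few more pings: only the packet counters have moved.
IPSEC_SA_AFTER = IPSEC_SA_BEFORE.replace("encaps: 4", "encaps: 9").replace("decaps: 4", "decaps: 9")

def isakmp_state(text, peer):
    # State column of the ISAKMP SA whose destination is the peer, or None if there is none.
    rows = [line.split() for line in text.splitlines()]
    return next((r[2] for r in rows if len(r) >= 3 and r[0] == peer), None)

def parse_ipsec_sa(text):
    # Pull per-direction SPIs, packet counters and error counters out of "show crypto ipsec sa".
    sa = {}
    for direction in ("Inbound", "Outbound"):
        m = re.search(rf"{direction} esp sas:\s*spi:(0x[0-9a-f]+)", text)
        sa[direction.lower() + "_spi"] = m.group(1) if m else None
    for key in ("encaps", "decaps", "send errors", "recv errors"):
        m = re.search(rf"{key}[: ]+(\d+)", text)
        sa[key] = int(m.group(1)) if m else None
    return sa

def check_tunnel(isakmp_text, peer, ipsec_before, ipsec_after):
    # Apply the verification rules of this section; an empty list means the tunnel looks healthy.
    findings = []
    state = isakmp_state(isakmp_text, peer)
    if state != "IKE_IDLE":
        findings.append(f"ISAKMP SA with {peer} is {state}, expected IKE_IDLE")
    before, after = parse_ipsec_sa(ipsec_before), parse_ipsec_sa(ipsec_after)
    if not (after["inbound_spi"] and after["outbound_spi"]):
        findings.append("IPSec SA negotiation incomplete: inbound and outbound SPI must both exist")
    for key in ("encaps", "decaps"):  # counters must keep rising while traffic flows
        if (after[key] or 0) <= (before[key] or 0):
            findings.append(f"#pkts {key} did not increase ({before[key]} -> {after[key]})")
    if after["send errors"] or after["recv errors"]:
        findings.append("send/recv error counters are non-zero")
    return findings
```

check_tunnel(ISAKMP_SA, "10.0.0.2", IPSEC_SA_BEFORE, IPSEC_SA_AFTER) returns an empty list for the samples; feeding the same snapshot twice flags both packet counters as stalled.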

 

VI. Appendix

1.      How to check whether RSR50 and RSR50E have been configured with AIM-VPN encryption cards?

RSR50 and RSR50E have no embedded VPN encryption hardware. Without a card, IPSec is processed in software, so its performance is poor: at 500 pps of 60-byte packets, 50 packets are lost (a 10% packet loss rate), and above 2 kpps the packet loss rate is 100%.

If IPSec is used without an AIM-VPN encryption card, IPSec-related failures may occur. For example, the CPU utilization stays constantly at 100% even though the encrypted traffic is light, or pings with large packet sizes fail.

An AIM-VPN card is a pluggable card of a size similar to a memory module. It is inserted inside the management board.

You can use the following method to check whether the management board is configured with an AIM-VPN card:

RSR50#debug su

RSR50(support)#pci show

RSR50(support)#

*Jan 29 13:41:23: %7: =================BEGIN====================

*Jan 29 13:41:23: %7: PCI Bus 0 slot 1/0: PCI device 0x166D:0x0002

*Jan 29 13:41:23: %7: PCI Bus 0 slot 6/0: PCI device 0x104C:0xAC28

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 3/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 3/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 4/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 4/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 1 slot 5/0: PCI device 0x14D9:0x9000

*Jan 29 13:41:23: %7: PCI Bus 1 slot 5/1: PCI device 0x1142:0x9001

*Jan 29 13:41:23: %7: PCI Bus 14 slot 1/0: PCI device 0x1131:0x1561

*Jan 29 13:41:23: %7: PCI Bus 14 slot 1/1: PCI device 0x1131:0x1562

*Jan 29 13:41:23: %7: =================_^_====================

If a PCI device with ID 0x0020 is listed, as in the following line, the management board has the AIM-VPN card:

*Jan 29 13:41:23: %7: PCI Bus 1 slot 2/0: PCI device 0x14D9:0x0020

Notes:

If the logging function is disabled (), the pci show command produces no output. If you log in to the device through a VTY line, the information is output only when terminal monitor is enabled.

 

1.4.3.7     Extended Configuration

1.4.3.8