This page provides examples of how to configure routing on a DIGITAL VNswitch 900EF module. It describes the steps a user performs to install and configure a typical VLAN routing network, including all the CLI commands necessary to configure routing for a variety of configurations.
This section contains the following topics:
Hardware Components
Bridge Settings
Connecting to the Configuration Console
Network Topology
The examples use the same hardware and software components, the same initial settings, the same connection method, and the same network topology.
The discussion uses the same hardware components for all examples. The hardware consists of a DIGITAL VNswitch 900EF V2.0 module configured with the factory default settings and connected to a DIGITAL MultiSwitch 900.
The VNswitch is factory configured for plug-n-play bridging. This means that all the bridge ports are configured in a single default VLAN, with routing disabled.
The first task is to connect to the module's configuration console. This can be done in a variety of ways, including connecting through the MultiSwitch 900 and via Telnet.
All the examples use the same network topology. The network consists of three VLANs. The first VLAN is dedicated to users with a VLAN name of DEFAULT. The second VLAN is dedicated to the engineering department with a VLAN name of engineering. The third VLAN is dedicated to an FDDI backbone with a VLAN name of backbone. The existing FDDI backbone is already running RIP and the example describes how you configure a new VNswitch 900EF to support the new Default and Engineering groups. Figure 1 illustrates the network topology used in all the examples.
Figure 1: Example Network Topology
The following examples assume that the connection to the VNswitch console is achieved using the Redirect option from the MultiSwitch 900 menu.
To operate a VNswitch router on a VLAN, you must first enable routing globally. The router is initially configured with routing globally disabled. When you issue the enable routing command and answer yes to the prompt, the router automatically invokes a restart. To enable routing globally, enter:
    config
    Config>enable routing

Press Return. The following is displayed and requires action:

    Enable RIP listening after restart [No]?
    Default Gateway [0.0.0.0]?
    When the box reboots the MAC address assigned to the interface associated with the HST address may be different from the one currently being used. Therefore you may need to flush the ARP cache on your host before you can reconnect via Telnet.
    ***WARNING*** This will invoke an automatic RESTART
    Are you sure you want to do this (Yes or No): Yes
    System Restart ...

After the system is restarted, the VNswitch Installation Menu appears. Routing on your VNswitch is now enabled.
After the system restarts, routing is enabled on the DEFAULT VSD, which is attached to the first VLAN interface (VI). This VI has the original HST IP address assigned to it, unless you did not have an IP address originally, or you choose not to transfer it after enabling routing.
The next task is to configure three VLANs and assign them to VIs. The backbone VLAN contains the FDDI port for connection to the FDDI backbone. The engineering VLAN contains the first three Ethernet ports (Eth/1, Eth/2 and Eth/3), which will be used by the engineering group. The DEFAULT VLAN is for users, and contains all the other ports.
Since you are not configuring over a Telnet connection, you can move the ports between VLANs without losing your console connection. Also, since the DEFAULT VLAN already exists, you do not need to create it.
Once you have enabled routing and entered the VSD Config process, you are ready to create two VSDs. To create two VSDs named backbone and engineering, enter:
    Main>config
    Config>vlans
    VSD Config>create vsd
    VSD Name: [ ] backbone
    Bridge Ports (range 1-13): [ ]? 13
    VNbus tag (range 66-128): [ ]
    Routing over VI (none, any, or one of 15-45): [any]? *
    VSD 2 created.
    VSD Config>create vsd
    VSD Name: [ ] engineering
    Bridge Ports (range 1-13): [ ]? 1-3
    VNbus tag (range 66-128): [ ]
    Routing over VI (none, any, or one of 16-45): [any]? *
    VSD 3 created.
    VSD Config>list all
    VSD  Name         Ports  VNbus tag  ifc
    1    DEFAULT      4-12   65         14
    2    backbone     13                15
    3    engineering  1-3               16
* The default "Any" assigns the lowest available VI number.
With the ports assigned to the correct VLANs, the IP addresses are assigned to the appropriate VIs and RIP is enabled and configured on each (see Figure 2). IP configuration is dynamic, so the commands take effect immediately after they are entered. In this example, you use a standard 24-bit subnet mask for all subnets. By default, RIP is set to advertise and receive routes on an interface, so you do not need to change any of the RIP interface settings in the following task. To configure IP and RIP, enter:
    Config>ip
    Internet protocol user configuration
    IP config>
    IP config>add address 14 10.1.3.1 255.255.255.0
    IP config>add address 15 192.1.1.1 255.255.255.0
    IP config>add address 16 10.1.4.1 255.255.255.0
    IP Config>enable rip
    IP Config>list address
    IP addresses for each interface:
    Ifc 0   IP disabled on this interface
    ...
    Ifc 14  10.1.3.1   255.255.255.0  Network broadcast, fill 1
    Ifc 15  192.1.1.1  255.255.255.0  Network broadcast, fill 1
    Ifc 16  10.1.4.1   255.255.255.0  Network broadcast, fill 1
    Ifc 17  IP disabled on this interface
    ...
    Ifc 45  IP disabled on this interface
    Router-ID: Not set
    Internal IP address: Not set
The module is now transmitting and receiving RIP packets on each VLAN. To check that the IP routing tables in the module contain all the routes, at the Monitor> prompt, enter ip dump.
Figure 2: Example Configuring IP
The engineering group wants to run the gated program on their UNIX workstations; however, you do not want any unofficial routes announced by these workstations to be learned by RIP on the VNswitch and propagated to the rest of the network. In addition, you want to ensure that a default route is always propagated to the engineering VLAN, but not the backbone VLAN, so that the UNIX workstations, which are listening to the default route announcements, can find the local router.
The following task disables the reception of RIP packets on the engineering VLAN, enables the announcement of default routes to the engineering network (by default RIP does not announce default routes), and enables the fabrication of a default route if there is not one already in the routing table. To modify IP and RIP for Send-Only operation, enter:
    IP Config>disable receiving rip 10.1.4.1
    IP Config>enable sending default-routes 10.1.4.1
    IP Config>set originate-rip-default
    Always originate default route? [No]: yes
    Originate default of cost [1]?
There is a single router (192.1.1.200) on the backbone VLAN that is the gateway to the rest of the network and the internet. This gateway router does not announce a default route in its RIP announcements. You want to set up a static default route from the VNswitch to the gateway router and have the default route announced in the engineering and DEFAULT VLANs.
The following task defines the static default route to the gateway router (at a cost of 1) and enables announcement of the default route into the engineering and DEFAULT VLANs respectively (by default announcement of default routes in RIP is disabled). To modify IP and RIP to define a static default route, perform the following steps:
    IP Config>add route
    IP destination [0.0.0.0]?
    Address mask [0.0.0.0]?
    Via gateway at [0.0.0.0]? 192.1.1.200
    Cost [1]?
    IP Config>enable sending default-routes 10.1.4.1
    IP Config>enable sending default-routes 10.1.3.1
There is a single router (192.1.1.200) on the backbone VLAN that is the gateway to the rest of the network and the internet. This gateway router announces a default route in its RIP announcements. You want to receive this default and readvertise it on the DEFAULT and engineering VLANs.
The following steps enable reception of the default route on the backbone interface (by default the default route is ignored in received RIP packets) and enable announcement of the default route into the engineering and DEFAULT VLANs respectively (by default announcement of default routes in RIP is disabled). To modify IP and RIP to receive a default route, enter:
    IP Config>enable override default 192.1.1.1
    IP Config>enable sending default-routes 10.1.3.1
    IP Config>enable sending default-routes 10.1.4.1
This section contains the following topics:
Disabling Telnet Access from the Default VLAN
Enabling Access Controls
Modifying Access Controls to Enable Telnet from a Single Host
This example demonstrates the use of access controls using the same network configuration as in the RIP Configuration section. Assume that you want to prevent Telnet access to the engineering VLAN from the DEFAULT VLAN. To do this you use IP access controls to disable use of the Telnet protocol (which uses TCP port 23) from the DEFAULT VLAN subnets.
The commands to set up and enable the appropriate access controls are shown in the following example. The order is important in access-control processing (controls at the top of the list are checked first and processing halts when the first matching control is found). Also, the default action (if no access-control matches the packet) is to discard the packet.
The following task blocks any Telnet protocol packets whose source is the default subnet 10.1.3.0 (DEFAULT VLAN) and whose destination address is in the engineering VLAN. This task also enables access for all other protocols to all other destinations. To disable Telnet access from the DEFAULT VLAN, enter:
    IP Config> add access-control
    Enter type [E]?
    Internet source [0.0.0.0]? 10.1.3.0
    Source mask [255.255.255.255]? 255.255.255.0
    Internet destination [0.0.0.0]? 10.1.4.0
    Destination mask [255.255.255.255]? 255.255.255.0
    Enter starting protocol number ([CR] for all) [-1]? 6
    Enter ending protocol number [6]?
    Enter starting port number ([CR] for all) [-1]? 23
    Enter ending port number [23]?
    IP Config>add access-control I 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 -1 -1
    IP Config>list access-control
    Access Control is: enabled
    List of access control records:
       Ty  Source     Mask      Destination  Mask      BegPro  EndPro  BegPrt  EndPrt
    1  E   10.1.3.0   FFFFFF00  10.1.4.0     FFFFFF00  6       6       23      23
    2  I   0.0.0.0    00000000  0.0.0.0      00000000  0       255     0       65535
Notes:
This task also blocks Telnet access from the engineering VLAN to the DEFAULT VLAN, because the responses from the DEFAULT VLAN are blocked.
For access controls to take effect, you must set access control on and then restart the module. To enable access controls, enter:
    IP Config>set access-control on
    IP Config>exit
    Config>exit
    Main>
    Main>restart
    Are you sure you want to restart the system? (Yes or [No]): yes
The network manager has a PC in the DEFAULT VLAN that requires Telnet access to the engineering VLAN. In this example, an extra access control is added to allow that particular PC (10.1.3.15) Telnet access to any destination.
This task allows Telnet access from source address 10.1.3.15 to any destination. The task also allows Telnet packets from any source address to reach the 10.1.3.15 PC. Finally, the task moves the two new access controls to the top of the list so that they are checked before the one that blocks all Telnet access from the DEFAULT VLAN. To modify access controls to enable Telnet from a single host, enter:
    IP Config> add access-control
    Enter type [E]? I
    Internet source [0.0.0.0]? 10.1.3.15
    Source mask [255.255.255.255]?
    Internet destination [0.0.0.0]?
    Destination mask [255.255.255.255]? 0.0.0.0
    Enter starting protocol number ([CR] for all) [-1]? 6
    Enter ending protocol number [6]?
    Enter starting port number ([CR] for all) [-1]? 23
    Enter ending port number [23]?
    IP Config>add access-control I 0.0.0.0 0.0.0.0 10.1.3.15 255.255.255.255 6 6 23 23
    IP Config>list access-control
    Access Control is: enabled
    List of access control records:
       Ty  Source     Mask      Destination  Mask      BegPro  EndPro  BegPrt  EndPrt
    1  E   10.1.3.0   FFFFFF00  10.1.4.0     FFFFFF00  6       6       23      23
    2  I   0.0.0.0    00000000  0.0.0.0      00000000  0       255     0       65535
    3  I   10.1.3.15  FFFFFFFF  0.0.0.0      00000000  6       6       23      23
    4  I   0.0.0.0    00000000  10.1.3.15    FFFFFFFF  6       6       23      23
    IP Config>move access-control
    Enter index of control to move [1]? 3
    Move record AFTER record number [0]?
    About to move:
       Ty  Source     Mask      Destination  Mask      BegPro  EndPro  BegPrt  EndPrt
    3  I   10.1.3.15  FFFFFFFF  0.0.0.0      00000000  6       6       23      23
    to be the first element in the list
    Are you sure this is what you want to do(Yes or [No]): yes
    IP Config>move access-control
    Enter index of control to move [1]? 4
    Move record AFTER record number [0]?1
    About to move:
       Ty  Source     Mask      Destination  Mask      BegPro  EndPro  BegPrt  EndPrt
    4  I   0.0.0.0    00000000  10.1.3.15    FFFFFFFF  6       6       23      23
    to be after:
    1  I   10.1.3.15  FFFFFFFF  0.0.0.0      00000000  6       6       23      23
    Are you sure this is what you want to do(Yes or [No]): yes
    IP Config>list access-control
    Access Control is: enabled
    List of access control records:
       Ty  Source     Mask      Destination  Mask      BegPro  EndPro  BegPrt  EndPrt
    1  I   10.1.3.15  FFFFFFFF  0.0.0.0      00000000  6       6       23      23
    2  I   0.0.0.0    00000000  10.1.3.15    FFFFFFFF  6       6       23      23
    3  E   10.1.3.0   FFFFFF00  10.1.4.0     FFFFFF00  6       6       23      23
    4  I   0.0.0.0    00000000  0.0.0.0      00000000  0       255     0       65535
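The first-match ordering and default-discard behaviour described in this section, modelled in Python as an added example (it is not DIGITAL's code and not part of the original page). It replays the four records in both orders; the packets are constructed samples, and treating a port range as matching either the source or the destination port is an assumption taken from the page's note that responses from the DEFAULT VLAN are blocked.

```python
import ipaddress
from dataclasses import dataclass

def ip(text):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(text))

@dataclass(frozen=True)
class Control:
    kind: str          # the Ty column: "I" forwards, "E" discards
    src: int
    src_mask: int
    dst: int
    dst_mask: int
    protocols: range
    ports: range

def control(kind, src, src_mask, dst, dst_mask, pro=(-1, -1), prt=(-1, -1)):
    """Build a record; -1 means "all", listed by the switch as 0-255 and 0-65535."""
    protocols = range(0, 256) if pro[0] == -1 else range(pro[0], pro[1] + 1)
    ports = range(0, 65536) if prt[0] == -1 else range(prt[0], prt[1] + 1)
    return Control(kind, ip(src), ip(src_mask), ip(dst), ip(dst_mask), protocols, ports)

def decide(acl, src, dst, proto, sport, dport):
    """Return (action, record number); the first matching record ends the search."""
    s, d = ip(src), ip(dst)
    for number, c in enumerate(acl, start=1):
        if (s & c.src_mask == c.src & c.src_mask
                and d & c.dst_mask == c.dst & c.dst_mask
                and proto in c.protocols
                # Assumption: a port range matches either port of the packet.
                and (sport in c.ports or dport in c.ports)):
            return ("forward" if c.kind == "I" else "discard"), number
    return "discard", None   # no record matched: the default action is discard

TELNET = {"pro": (6, 6), "prt": (23, 23)}
BLOCK = control("E", "10.1.3.0", "255.255.255.0", "10.1.4.0", "255.255.255.0", **TELNET)
ALLOW_ALL = control("I", "0.0.0.0", "0.0.0.0", "0.0.0.0", "0.0.0.0")
FROM_PC = control("I", "10.1.3.15", "255.255.255.255", "0.0.0.0", "0.0.0.0", **TELNET)
TO_PC = control("I", "0.0.0.0", "0.0.0.0", "10.1.3.15", "255.255.255.255", **TELNET)

BEFORE_MOVE = [BLOCK, ALLOW_ALL, FROM_PC, TO_PC]   # order right after the two adds
AFTER_MOVE = [FROM_PC, TO_PC, BLOCK, ALLOW_ALL]    # order after the two moves

if __name__ == "__main__":
    # Constructed sample packets: (src, dst, protocol, source port, destination port)
    packets = [
        ("10.1.3.15", "10.1.4.20", 6, 40000, 23),   # manager PC opens Telnet
        ("10.1.4.20", "10.1.3.15", 6, 23, 40000),   # reply to the manager PC
        ("10.1.3.20", "10.1.4.20", 6, 40000, 23),   # other DEFAULT host, Telnet
        ("10.1.3.20", "10.1.4.20", 6, 23, 40000),   # DEFAULT Telnet server reply
        ("10.1.3.20", "10.1.4.20", 6, 40000, 80),   # other DEFAULT host, HTTP
    ]
    for pkt in packets:
        print(pkt, "before:", decide(BEFORE_MOVE, *pkt), "after:", decide(AFTER_MOVE, *pkt))
```

Before the move, the manager PC's Telnet packet is discarded by record 1; after the move it is forwarded by record 1, which is why the two new records have to sit above the exclusive record.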
This section contains the following topics:
Configuring OSPF Areas
Configuring OSPF Interfaces
Enabling OSPF
Modifying OSPF to Propagate RIP Routes
This example uses the same network configuration as described in Modifying Access Controls to Enable Telnet from a Single Host. In this example, however, OSPF replaces RIP as the routing protocol. The existing backbone VLAN is part of the OSPF backbone area. The DEFAULT and engineering VLANs are placed in a new OSPF area, 1.1.1.1. This example assumes that routing is enabled, the engineering and backbone VLANs are configured, and the IP addresses are configured (refer to Configuring IP and RIP on a VLAN).
In this example, the VNswitch is connected to two areas. The first area is the OSPF backbone area that has the special area ID of 0.0.0.0. The second area is a new OSPF area that contains the DEFAULT and engineering VLANs. This new area can have any unique area ID (except the reserved one of 0.0.0.0). In this example, the area 10.1.0.0 is used to show that the area contains subnets of 10.1.0.0 (see Figure 3).
This task sets areas 0.0.0.0 and 10.1.0.0. Both areas are non-stub areas, and the backbone area is using simple password authentication. To configure OSPF areas, enter:
    Config>ospf
    Open SPF-Based Routing Protocol configuration console
    OSPF Config>set area
    Area number [0.0.0.0]?
    Authentication Type [0]? 1
    OSPF Config>set area
    Area number [0.0.0.0]? 10.1.0.0
    Authentication Type [0]?
    Is this a stub area? [No]:
    OSPF Config>list area
    --Area configuration--
    Area ID   AuType         Stub?  Default-cost  Import-summaries?
    0.0.0.0   1=Simple-pass  No     N/A           N/A
    10.1.0.0  0=None         No     N/A           N/A
Figure 3: Example Configuring OSPF Areas
In this example, the OSPF interfaces are configured and each interface is associated with a single area. The backbone VLAN is part of the OSPF backbone area and the engineering and DEFAULT VLANs are part of the 10.1.0.0 area. Since the backbone area is configured to run with password authentication, the set interface command prompts for a password (a string of up to 8 characters), which should be the same as the password being used by other routers in the OSPF backbone area. Simple password authentication carries this key unencrypted in each OSPF packet, and the list interface output also displays it in clear text.
This task configures the backbone interface (supplying a password of mypasswd). The task also configures the DEFAULT and engineering interfaces respectively. The three enable interface commands enable each of the interfaces (by default the interfaces are disabled). To configure OSPF interfaces, enter:
    OSPF Config>set interface
    Interface IP address [0.0.0.0]? 192.1.1.11
    Attaches to area [0.0.0.0]?
    Retransmission Interval (in seconds) [5]?
    Transmission Delay (in seconds) [1]?
    Router Priority [1]?
    Hello Interval (in seconds) [10]?
    Dead Router Interval (in seconds) [40]?
    Type Of Service 0 cost [1]?
    Authentication Key []? mypasswd
    Retype Auth. Key []? mypasswd
    OSPF Config>set interface
    Interface IP address [0.0.0.0]? 10.1.4.11
    Attaches to area [0.0.0.0]? 10.1.0.0
    Retransmission Interval (in seconds) [5]?
    Transmission Delay (in seconds) [1]?
    Router Priority [1]?
    Hello Interval (in seconds) [10]?
    Dead Router Interval (in seconds) [40]?
    Type Of Service 0 cost [1]?
    Authentication Key []?
    Retype Auth. Key []?
    OSPF Config>set interface
    Interface IP address [0.0.0.0]? 10.1.3.11
    Attaches to area [0.0.0.0]? 10.1.0.0
    Retransmission Interval (in seconds) [5]?
    Transmission Delay (in seconds) [1]?
    Router Priority [1]?
    Hello Interval (in seconds) [10]?
    Dead Router Interval (in seconds) [40]?
    Type Of Service 0 cost [1]?
    Authentication Key []?
    Retype Auth. Key []?
    OSPF Config>enable interface 192.1.1.11
    OSPF Config>enable interface 10.1.4.11
    OSPF Config>enable interface 10.1.3.11
    OSPF Config>list interface
    --Interface configuration--
    IP address  Sta  Area      Cost  Rtrns  TrnsDly  Pri  Hello  Dead
    192.1.1.11  Ena  0.0.0.0   1     5      1        1    10     40
    10.1.4.11   Ena  10.1.0.0  1     5      1        1    10     40
    10.1.3.11   Ena  10.1.0.0  1     5      1        1    10     40
    Authentication Keys
    IP address  AuType         Key (Hex/Ascii)
    192.1.1.11  1=Simple-pass  0x6D79706173737764 "mypasswd"
    10.1.4.11   0=None         0x0000000000000000 ""
    10.1.3.11   0=None         0x0000000000000000 ""
    OSPF Config>
This example enables OSPF and restarts the VNswitch so that the OSPF configuration takes effect. The enable ospf command prompts for the number of external routes and the number of routers in the OSPF domain so that it can allocate sufficient memory for its databases. In this example, an arbitrary number of 500 external routes and 50 routers is used. To enable OSPF, enter:
    OSPF Config>enable ospf
    Estimated # external routes [0]? 500
    Estimated # OSPF routers [0]? 50
    OSPF Config>exit
    Config>exit
    Main>restart
    Are you sure you want to restart the system? (Yes or [No]): yes
Suppose that there are other routers in engineering that are only running RIP and you want to ensure that the networks they are advertising are reachable from the backbone and DEFAULT VLANs (which are only running OSPF). To do this, you configure RIP to run on the engineering VLAN (as described in the previous example) and configure OSPF to advertise the RIP routes (shown below). In addition, you also want to advertise any static routes you may have configured.
This task configures OSPF as an autonomous system (AS) boundary router and instructs it to import RIP and static routes and advertise them in OSPF. The task also sets route comparison to type 1, which causes OSPF to advertise the imported routes as OSPF external type 1 routes rather than as external type 2 routes. To modify OSPF to propagate RIP routes, enter:
    OSPF Config>enable as
    Import RIP routes? [No]: yes
    Import static routes? [No]: yes
    Import direct routes? [No]:
    Import subnet routes? [No]: yes
    Always originate default route? [No]:
    OSPF Config>set comparison
    Compare to type 1 or 2 externals [2]? 1
    OSPF Config>
At the completion of this task, perform the procedures for a restart command.