IP Router Configuration
In This Chapter
This chapter provides information about commands required to configure basic router parameters.
Topics in this chapter include:
Configuring IP Router Parameters
In order to provision services on a 7705 SAR, IP parameters must be configured on the node. Logical IP routing interfaces must be configured to associate entities, such as a port or the system, with IP addresses.
A special type of IP interface is the system interface. Configuration of the system interface is the first step in the provisioning process. When configured, the system IP address can be advertised via peering or signaling protocols.
A system interface must have a unique IP address with a 32-bit subnet mask (for IPv4) or 128-bit prefix length (for IPv6). The system interface is used as the router identifier by higher-level protocols such as OSPF, IS-IS, and BGP, unless overwritten by an explicit router ID.
The following router parameters can be configured:
Interfaces
The 7705 SAR routers use different types of interfaces for various functions. Interfaces must be configured with parameters such as the address or port. An interface that is assigned to a port is a network interface. The system interface is a logical entity and is not assigned to a physical port.
The 7705 SAR supports IES and VPRN interfaces. IES is used to provide direct forwarding of IP traffic between CE devices and to facilitate the transport of in-band management traffic over ATM links. VPRN provides a Layer 3 virtual private network service to end customers.
Network Interface
A network interface (a logical IP routing interface) can be configured on a network-facing physical or logical port, and is used for connectivity purposes. Each network interface can have only one IP address. The connections are point-to-point; for example, a network port on an Ethernet interface cannot be connected to a LAN but must be connected to a network interface on another router.
Secondary IP address assignment, which is used to connect the same interface to more than one subnet, is not supported.
Network ports are used to transport Ethernet, ATM, and TDM services by means of pseudowires.
IP address assignment is not supported on access (customer-facing) ports except for services such as IES or VPRN.
On the 2-port 10GigE (Ethernet) Adapter card/module, the network interface can only be created on the v-port (not the ring ports).
The 7705 SAR can be used as an LER (label edge router) or LSR (label switch router).
OSPF, RIP, IS-IS, and BGP are supported as dynamic routing protocols, and static routes to next-hop addresses are also supported.
Some network Ethernet ports support network egress per-VLAN shapers on a per-network-interface basis. Refer to the “Per-VLAN Network Egress Shapers” section in the 7705 SAR OS Quality of Service Guide for details.
Ethernet Ports and Multiple ARP Entries
Multiple far-end MAC addresses can be associated with an Ethernet network port on the Ethernet Adapter card. These IP-to-MAC mappings are stored in the ARP table.
With multiple far-end MAC addresses supported in the ARP table, an Ethernet port can work with multiple network devices located in the same LAN segment. The 7705 SAR provides dynamic addressing by the ARP protocol as soon as MAC address resolution is needed for a given IP address. As devices are added to or removed from the network, the router updates the ARP table, adding new dynamic addresses and aging out those that are not in use.
Using the ARP table, the 7705 SAR inserts the appropriate far-end MAC address into the egress packet after the forwarding decision has been made based on the routing tables.
There is no limit to the number of MAC addresses per port or per adapter card. If the number of ARP entries reaches the system limit and a new MAC address that is not already in the ARP table becomes available, at least one MAC address must be flushed from the ARP table with the command clear>router>arp.
Dynamic ARP and Static MAC entry
The MAC address of the far end can be learned dynamically or be statically configured.
ARP is the common way to dynamically resolve the MAC address of next-hop IP hosts and is the primary way to resolve IP-to-MAC associations. ARP packets are sent as soon as a MAC address resolution is needed for a given IP address.
Static configuration of MAC addresses for next-hop routers is also supported. Static configuration provides a higher level of security against IP hijacking attacks.
 | Note:
|
Configurable ARP Retry Timer
A timer is available to configure a shorter retry interval when an ARP request fails. An ARP request may fail for a number of reasons, such as network connectivity issues. By default, the 7705 SAR waits 5000 ms before retrying an ARP request. The configurable retry timer makes it possible to shorten the retry interval to between 100 and 30 000 ms.
| Note:
The ARP retry default value of 5000 ms is intended to protect CPU cycles on the 7705 SAR, especially when it has a large number of interfaces. Configuring the ARP retry timer to a value shorter than the default should be done only on mission-critical links, such as uplinks or aggregate spoke SDPs transporting mobile traffic; otherwise, the retry interval should be left at the default value. |
The configurable ARP retry timer is supported on VPRN and IES service interfaces, as well on the router interface.
Proxy ARP
Proxy ARP is a technique by which a router on one network responds to ARP requests intended for another node that is physically located on another network. The router effectively pretends to be the destination node by sending an ARP response to the originating node that associates the router’s MAC address with the destination node’s IP address (acts as a proxy for the destination node). The router then takes responsibility for routing traffic to the real destination.
Proxy ARP simplifies networking schemes because it enables nodes on a subnet to reach remote subnets without the need to configure routing or a default gateway.
The 7705 SAR supports both proxy ARP and local proxy ARP. Local proxy ARP is similar to proxy ARP except that it is used within a subnet; the router responds to all requests for IP addresses within the subnet and forwards all traffic between the hosts in the subnet. Local proxy ARP is used on subnets where hosts are prevented from communicating directly.
Typically, routers support proxy ARP only for directly attached networks. The 7705 SAR supports proxy ARP for all known networks in the routing instance where the virtual interface proxy ARP is configured.
Proxy ARP is supported on:
- the global routing table
- IES service interfaces
- VPRN service interfaces
A typical application for proxy ARP is when hosts in a private subnet need to communicate to host/servers via the public Internet; for example, when using network address translation (NAT). Source NAT can be used for creating connections from inside (private network) to outside (public network). If an arriving IP packet on the 7705 SAR matches the NAT policy rules, an internal mapping is created between the private source IP address/source port and a public source IP address/source port. The public IP address and port are configured in the NAT pool policy.
Proxy ARP is therefore required for Source NAT when the NAT pool uses a range of IP public addresses. The NAT pool public IP address can either be in a different subnet than the public interface or in the same subnet as the public interface. Proxy ARP can be used to respond to ARP requests for an IP address in these NAT pools.
| Note:
Only remote proxy ARP is applicable for NAT. |
In order to support NAT and other edge-like environments, proxy ARP supports policies that allow the provider to:
- configure prefix lists that determine for which target networks proxy ARP will be attempted
- configure prefix lists that determine for which source hosts proxy ARP will be attempted
As an example, when a source NAT pool is configured with a dynamic IP pool with the address range 1.1.1.2 to 1.1.1.254 on the public interface 1.1.1.1, proxy ARP can be used to resolve the ARP request of the NAT pool hosts with the local interface (1.1.1.1) MAC address (remote proxy ARP).
As another example, if a NAT pool of addresses in the range 2.2.2.1 to 2.2.2.100 is configured on the public Layer 3 interface 128.251.10.59, then by enabling remote proxy ARP, the 7705 SAR will respond to ARP requests from hosts 2.2.2.1 to 2.2.2.100. In addition, a route policy with a prefix list can be created and used as a proxy ARP policy for finer granularity of the IP range for which proxy ARP is being used.
For detailed information on NAT, see NAT.
ETH-CFM Support
Ethernet Connectivity Fault Management (ETH-CFM) is defined in the IEEE 802.1ag and ITU Y.1731 standards. ETH-CFM specifies protocols, procedures, and managed objects to support fault management (including discovery and verification of the path), detection, and isolation of a connectivity fault in an Ethernet network.
ETH-CFM requires the configuration of specific entities at the global level and at the Ethernet service level and/or network interface level. Maintenance domains (MDs) and maintenance associations (MAs) are configured at the global level. Maintenance association endpoints (MEPs) are configured at the service level and network interface level.
MEPs that are not service-based are referred to as facility MEPs. A facility MEP is a Down MEP that detects failure conditions for an Ethernet transport network using ETH-CCM and, where appropriate, propagates alarm conditions so that the Epipe services that share this common transport are aware of the failure. The 7705 SAR supports facility MEPs on network interfaces.
Facility MEPs are created in the same way as service MEPs, by configuring the ETH-CFM domain and association. However, the association used to build the facility MEP does not include a bridge identifier, as the facility MEP is not bound to a service. The CLI ensures that a bridge identifier is not configured when the association is applied to a facility MEP.
The following applies to facility MEPs on network interfaces:
- the MEP must be a Down MEP
- the port must be in network mode
- the port must be configured for null or dot1q encapsulation
- the MEP supports all fault management functionality, with the exception of alarm indication signaling (AIS)
- the MEP supports all performance monitoring functionality including synthetic loss measurement (SLM)
- the MEP supports throughput measurement via loopback messaging at wire speed
- received CFM messages are processed only when the VLAN ID, the MAC destination address, and the MEP level matches those of the MEP
Network interface facility MEPs are supported on all network Ethernet ports on the 7705 SAR adapter cards and chassis.
For detailed information on ETH-CFM entities and on ETH-CFM support for services, refer to the 7705 SAR OS Services Guide, “ETH-CFM (802.1ag and Y.1731)”. For information on running Ethernet OAM tests, refer to the 7705 SAR OS OAM and Diagnostics Guide, “ETH-CFM (802.1ag and Y.1731)”.
System Interface
The system interface is associated with the node, not a specific interface. It is used during the configuration of the following entities:
- LSP creation (next hop) — when configuring MPLS paths and LSPs
- the addresses on a target router — to set up an LDP, OSPF, or BGP session between neighbors and to configure SDPs (the system interface is the service tunnel endpoint)
The system interface is also referred to as the loopback interface. It is used as the router identifier if a router ID has not been explicitly configured. Additional loopback interfaces can be configured; however, the system interface is a special loopback interface.
The system interface is used to preserve connectivity (when alternate routes exist) and to decouple physical connectivity and reachability. If an interface carrying peering traffic fails, and there are alternative links to the same peer system interface, peering could be either unaffected or re-established over the alternate links. The system interface IP address is also used for MPLS and pseudowire/VLL signaling (via targeted LDP).
IP Addresses
IP addresses are assigned to system interfaces and to network-facing physical or logical ports. The IP addresses are in the form <ip-address/prefix-length> or <ip-address/subnet mask>.
IP version 4 (IPv4) addresses are supported on all interfaces except the CWDM/OADM module. On the 2-port 10GigE (Ethernet) Adapter card and 2-port 10GigE (Ethernet) module, an IPv4 network address is assigned to the v-port only.
IP version 6 (IPv6) addresses are supported on:
- access ports (IES only); for a complete list of cards and ports that support IES IPv6 SAPs, refer to the 7705 SAR OS Services Guide, “IES for Customer Traffic”
- network ports (null or dot1q encapsulation) on:
- 2-port 10GigE (Ethernet) Adapter card (v-port only)
- 8-port Ethernet Adapter card, version 2
- 6-port Ethernet 10Gbps Adapter card
- 8-port Gigabit Ethernet Adapter card
- 10-port 1GigE/1-port 10GigE X-Adapter card
- Packet Microwave Adapter card
- Ethernet ports on the 7705 SAR-F
- Ethernet ports on the 7705 SAR-M (all variants)
- Ethernet ports on the 7705 SAR-A (all variants)
- Ethernet ports on the 7705 SAR-W
- Ethernet ports on the 7705 SAR-Wx
- Ethernet ports on the 7705 SAR-H
- Ethernet ports on the 7705 SAR-Hc
- Ethernet management port
- DSL module ports when the module is installed in the 7705 SAR-M (variants with module slots)
- GPON module ports when the module is installed in the 7705 SAR-M (variants with module slots)
- 2-port 10GigE (Ethernet) module (v-port only) when the module is installed in the 7705 SAR-M (variants with module slots)
- GPON interface via SFP in the 7705 SAR-W
- network ports on the 4-port OC3/STM1 Clear Channel Adapter card (POS encapsulation)
The 7705 SAR supports IPv6 dual stack on Ethernet ports and the management port. IPv6 dual stack is also supported on DSL module ports and GPON module ports when the module is installed in the 7705 SAR-M (variants with module slots), and on GPON interfaces via SFP in the 7705 SAR-W. Dual stack allows both IPv4 and IPv6 to run simultaneously on the interface.
Network IP addresses can be assigned manually, or assigned dynamically using DHCP when the 7705 SAR is acting as a DHCP client. System IP addresses must be assigned manually.
Internet Protocol Versions
The 7705 SAR supports IP version 4 (IPv4 – RFC 791, Internet Protocol) and IP version 6 (IPv6 – RFC 2460, Internet Protocol, Version 6 Specification). The 7705 SAR can forward IPv6 packets over static routes for network forwarding, IES services, and node management.
IPv6 is a newer version of IP, designed as a successor to IPv4. Some of the differences between IPv4 and IPv6 are:
- expanded addressing capabilities — IPv6 increases the IP address size from 32 bits (IPv4) to 128 bits, to support more levels of addressing hierarchy, a much greater number of addressable nodes, and simplified autoconfiguration of addresses
- header format simplification — some IPv4 header fields have been dropped or made optional to reduce the processing cost of packet handling and to limit the bandwidth cost of the IPv6 header
- improved support for extensions and options — changes in the way IP header options are encoded allows for more efficient forwarding, less stringent limits on the length of options, and greater flexibility for introducing new options in the future
- flow labeling capability — the capability to enable the labeling of packets belonging to particular traffic flows for which the sender requests special handling, such as non-default quality of service (QoS) or real-time service, was added in IPv6
- authentication and privacy capabilities — extensions to support authentication, data integrity, and (optional) data confidentiality are specified for IPv6
IPv6 Address Format
IPv6 uses a 128-bit address, as opposed to the IPv4 32-bit address. Unlike IPv4 addresses, which use the dotted-decimal format, with each octet assigned a decimal value from 0 to 255, IPv6 addresses use the colon-hexadecimal format X:X:X:X:X:X:X:X, where each X is a 16-bit section of the 128-bit address. For example:
2001:0DB8:0000:0000:0000:0000:0000:0000
Leading zeros can be omitted from each block in the address. A series of zeros can be replaced with a double colon. For example:
2001:DB8::
The double colon can only be used once in an address.
The IPv6 prefix is the part of the IPv6 address that represents the network identifier. The network identifier appears at the beginning of the IP address and is made up of the network address and subnet address. The IPv6 prefix length, which begins with a forward slash (/), specifies the number of bits in the network identifier; this is similar to the subnet mask in IPv4 addresses. For example, the address 1080:6809:8086:6502::1/64 means that the first 64 bits of the address represent the network identifier; the remaining 64 bits represent the node identifier.
The following adapter cards support the full IPv6 subnet range for IPv6 static routes and interface IP addresses:
- 6-port Ethernet 10Gbps Adapter card
- 8-port Gigabit Ethernet Adapter card, version 2 and version 3
- 2-port 10GigE (Ethernet) Adapter card (on the v-port)
- 10-port 1GigE/1-port 10GigE X-Adapter card
For these cards, the supported route range for statically provisioned or dynamically learned routes is from /1 to /128. Supported interface IP address prefixes are from /4 to /127, and /128 on system or loopback interfaces.
For all other cards, modules, and ports (including the v-port on the 2-port 10GigE (Ethernet) module), the supported range for statically provisioned or dynamically learned routes is from /1 to /64 or is /128 (indicating a host route). Supported interface IP address prefixes are from /4 to /64, and /128 on system or loopback interfaces.
IPv6 Headers
The IPv6 header format is shown in Figure 1. Table 2 describes the fields.
Figure 1: IPv6 Header Format
Table 2: IPv6 Header Field Descriptions
Field | Description |
Version | 4-bit IP version number (v6) |
Traffic Class | 8-bit value that enables a source to identify the delivery classification of its packets |
Flow Label | 20-bit flow label that can be used by a source to label packets for which the source requests special handling by IPv6 routers; for example, non-default QoS or real-time service A flow contains a series of packets that travel between a particular source and particular destination |
Payload Length | The length of the payload (16-bit unsigned integer), which is the rest of the packet following the IPv6 header, in octets Any extension headers that are present in the packet are considered to be part of the payload; therefore, the payload always begins immediately after the Destination Address |
Next Header | 8-bit selector that identifies the type of header immediately following the IPv6 header. The Next Header uses the same values as the IPv4 protocol field for some protocols; for example, the values for TCP and UDP are the same for both IPv4 and IPv6. The Next Header values differ from IPv4 when IPv6 extension headers are identified or when IPv6 unique protocols, such as ICMPv6, are identified. |
Hop Limit | 8-bit unsigned integer that is decremented by 1 by each node that forwards the packet. If the hop limit is decremented to 0, the packet is discarded and the node sends the ICMPv6 message “Hop Limit Exceeded in transit” back to the sender. |
Source Address | 128-bit address of the originator of the packet |
Destination Address | 128-bit address of the intended recipient of the packet |
Neighbor Discovery
IPv6 provides autoconfiguration of addresses, where equipment connecting to an IPv6 network can autoconfigure a usable address. There are two types of address autoconfiguration: stateless and stateful. Stateless autoconfiguration requires no manual configuration of hosts, minimal configuration of routers, and no servers. The host generates its own addresses using locally available information and information advertised by routers, such as the 7705 SAR. Stateless autoconfiguration is a feature of the neighbor discovery protocol.
Stateful autoconfiguration involves hosts obtaining interface addresses and/or configuration information from a server. For more information on stateful configuration, see DHCP Relay and DHCPv6 Relay.
Stateless autoconfiguration uses two neighbor discovery messages: router solicitation and router advertisement. The host sends router solicitation messages to find routers, and the routers send router advertisement messages to indicate their presence. The host sends the router solicitation message to all routers, requesting the IPv6 prefix as well as the IPv6 address of the routers. Each router responds with a router advertisement message indicating their IPv6 prefix and IPv6 address.
Neighbor discovery performs Layer 2 neighbor address resolution similar to ARP in IPv4. In addition, the neighbor discovery protocol performs a neighbor reachability function, where a “stale” neighbor entry is probed for reachability using a unicast neighbor solicitation message. This function ensures that link-layer address changes will be discovered reliably in addition to confirming the presence of the IPv6 neighbor.
Neighbor discovery is implemented within ICMPv6.
Router ID
The router ID is a 32-bit IP address (IPv4) that uniquely identifies the router within an autonomous system (see Autonomous Systems).
IS-IS and BGP use the router ID as their system ID.
OSPF routers use the router IDs of the neighbor routers to establish adjacencies. Neighbor IDs are learned when Hello packets are received from the neighbor.
Before configuring OSPF parameters, ensure that the router ID is derived by one of the following methods:
- define the value using the config>router>router-id ip-address command
- define the system interface using the config>router>interface ip-int-name command (used if the router ID is not specified with the config>router>router-id ip-address command)A system interface (also referred to as the loopback address) must have an IP address with a 32-bit subnet mask. The system interface is assigned during the primary router configuration process when the interface is created in the logical IP interface context.
- if you do not specify a router ID, the last 4 bytes of the MAC address are used
- the router ID can be derived on the protocol level; for example, BGP
Autonomous Systems
Networks can be grouped into areas. An area is a collection of network segments within an autonomous system (AS) that have been administratively assigned to the same group. An area’s topology is concealed from the rest of the AS, which results in a significant reduction in routing traffic.
Routing in the AS takes place on two levels, depending on whether the source and destination of a packet reside in the same area (intra-area routing) or different areas (inter-area routing). In intra-area routing, the packet is routed solely on information obtained within the area; no routing information obtained from outside the area can be used. This protects intra-area routing from the injection of bad routing information.
Routers that belong to more than one area are called area border routers. All routers in an AS do not have an identical topological database. An area border router has a separate topological database for each area it is connected to. Two routers, which are not area border routers, belonging to the same area, have identical area topological databases.
Autonomous systems share routing information, such as routes to each destination and information about the route or AS path, with other ASs using BGP. Routing tables contain lists of next hops, reachable addresses, and associated path cost metrics to each router. BGP uses the information and path attributes to compile a network topology.
| Note:
Within the router context, the 7705 SAR supports IBGP but does not support EBGP. Within the VPRN context, the 7705 SAR supports EBGP but does not support IBGP. For information on configuring BGP within the router context, refer to the 7705 SAR OS Routing Protocols Guide, “BGP”. For information on configuring BGP within the VPRN context, refer to the 7705 SAR OS Services Guide, “VPRN Services”. |
DHCP
DHCP is a configuration protocol used to communicate network information and configuration parameters from a DHCP server to a DHCP-aware client. DHCP is based on the BOOTP protocol, with additional configuration options and the added capability of allocating dynamic network addresses. DHCP-capable devices are also capable of handling BOOTP messages.
A DHCP client is an IP-capable device (typically a computer or base station) that uses DHCP to obtain configuration parameters such as a network address. A DHCP server is an Internet host or router that returns configuration parameters to DHCP clients. A DHCP/BOOTP Relay agent is a host or router that passes DHCP messages between clients and servers.
Home computers in a residential high-speed Internet application typically use the DHCP protocol to have their IP address assigned by their Internet service provider.
The 7705 SAR can act as a DHCP client, a DHCP Relay agent, or a local DHCP server.
When used as a CPE, the 7705 SAR can act as a DHCP client to learn the IP address of the network interface. Dynamic IP address allocation is supported on network interfaces only. System interfaces must be configured manually.
OSPF, IS-IS, or RIP is used to advertise the system IP address over the network interface to the next-hop router. Static routing cannot be used because the network interface IP address is dynamic and can change during normal operation.
The DHCP protocol requires the client to transmit a request packet with a destination address of 255.255.255.255 (broadcast) that is processed by the DHCP server. Since IP routers do not forward broadcast packets, this would suggest that the DHCP client and server must reside on the same network segment. However, for various reasons, it is sometimes impractical to have the server and client reside in the same IP network.
When the 7705 SAR is acting as a DHCP Relay agent, it processes these DHCP broadcast packets and relays them to a preconfigured DHCP server. Therefore, DHCP clients and servers do not need to reside on the same network segment.
When the 7705 SAR is acting as a local DHCP server, it processes these DHCP broadcast packets and allocates IP addresses for the DHCP client as needed.
The 7705 SAR supports a maximum of 16 servers per node on the 7705 SAR-8 with a CSMv1, and on the 7705 SAR-A, 7705 SAR-F, 7705 SAR-H, 7705 SAR-Hc, 7705 SAR-M, 7705 SAR-W, and 7705 SAR-Wx. The 7705 SAR supports a maximum of 62 servers per node on the 7705 SAR-8 with a CSMv2 and on the 7705 SAR-18. Any Layer 3 interface configured using the global routing table or Layer 3 services supports up to 8 servers.
DHCP Relay and DHCPv6 Relay
The 7705 SAR provides DHCP/BOOTP Relay agent services and DHCPv6 Relay agent services for DHCP clients. DHCP is used for IPv4 network addresses and DHCPv6 is used for IPv6 network addresses. Both DHCP and DHCPv6 are known as stateful protocols because they use dedicated servers to maintain parameter information.
In the stateful autoconfiguration model, hosts obtain interface addresses and/or configuration information and parameters from a server. The server maintains a database that keeps track of which addresses have been assigned to which hosts.
The 7705 SAR supports DHCP Relay on the base router, and on access IP interfaces associated with IES and VPRN. Each DHCP instance supports up to 8 DHCP servers.
The 7705 SAR supports DHCPv6 Relay on access IP interfaces associated with IES. Each DHCPv6 instance supports up to 8 DHCPv6 servers. For more information on DHCPv6 Relay, refer to the 7705 SAR OS Services Guide, “DHCP Relay”.
DHCP Relay Agent Options
DHCP options are codes that the 7705 SAR inserts in packets being forwarded from a DHCP client to a DHCP server. Some options have additional information stored in suboptions.
The 7705 SAR supports Option 60 and Option 61 as specified in RFC 2132. Option 60 is the vendor class identifier, which can contain information such as the client’s hardware configuration. Option 61 is the client identifier.
The 7705 SAR supports the Relay Agent Information Option 82 as specified in RFC 3046. The following suboptions are supported for the base router:
- action
- circuit ID
- copy-82
- remote ID
Local DHCP Server
The 7705 SAR supports local DHCP server functionality on the base router and on access IP interfaces associated with VPRN, by dynamically assigning IPv4 addresses to access devices that request them. This standards-based, full DHCP server implementation allows a service provider the option to decentralize IP address management into the network. The 7705 SAR can support public and private addressing in the same router, including overlapped private addressing in the form of VPRNs in the same router.
The 7705 SAR acts as a DHCP server only; it does not currently function as a DHCPv6 server.
An administrator creates pools of addresses that are available for assigned hosts. Locally attached hosts can obtain an address directly from the server. Routed hosts receive addresses through a relay point in the customer’s network.
When a DHCP server receives a DHCP message from a DHCP Relay agent, the server looks for a subnet to use for assigning an IP address. If configured with the use-pool-from-client command, the server searches Option 82 information for a pool name. If a pool name is found, an available address from any subnet of the pool is offered to the client. If configured with the use-gi-address command, the server uses the gateway IP address (GIADDR) supplied by the relay agent to find a matching subnet. If a subnet is found, an address from the subnet is offered to the client. If no pool or subnet is found, then no IP address is offered to the client.
IPv4 address assignments are temporary and expire when the configured lease time is up. The server can reassign addresses after the lease expires.
If both the no use-pool-from-client command and the no use-gi-address command are specified, the server does not act.
DHCP Server Options
Options and identification strings can be configured on several levels. DHCP servers support the following options, as defined in RFC 2132:
- Option 1—Subnet Mask
- Option 3—Default Routers
- Option 6—DNS Name Servers
- Option 12—Host Name
- Option 15—Domain Name
- Option 44—Netbios Name Server
- Option 46—Netbios Node Type Option
- Option 50—IP Address
- Option 51—IP Address Lease Time
- Option 53—DHCP Message Type
- Option 54—DHCP Server IP Address
- Option 55—Parameter Request List
- Option 58—Renew (T1) Timer
- Option 59—Renew (T2) Timer
DHCP servers also support Suboption 13 Relay Agent Information Option 82 as specified in RFC 3046, to enable the use of a pool indicated by the DHCP client.
These options are copied into the DHCP reply message, but if the same option is defined several times, the following order of priority is used:
- subnet options
- pool options
- options from the DHCP client request
A local DHCP server must be bound to a specified interface by referencing the server from that interface. The DHCP server will then be addressable by the IP address of that interface. A normal interface or a loopback interface can be used.
A DHCP client is defined by the MAC address and the circuit identifier. This implies that for a certain combination of MAC and circuit identifier, only one IP address can be returned; if more than one request is made, the same address will be returned.
ICMP and ICMPv6
Internet Control Message Protocol (ICMP) is part of the Internet Protocol Suite as defined in RFC 792, Internet Control Message Protocol, for IPv4 and RFC 4443, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification. The neighbor discovery capability of ICMPv6 is specified in RFC 4861, Neighbor Discovery for IP Version 6 (IPv6).
ICMP messages are typically generated in response to errors in IP datagrams or for diagnostic or routing purposes. The ICMP ping utility for IPv4 and IPv6 and the ICMP traceroute utility for IPv4 are described in the 7705 SAR OS OAM and Diagnostics Guide, “ICMP Diagnostics”.
The 7705 SAR supports the ICMP capabilities described in Table 3.
Table 3: ICMP Capabilities for IPv4
ICMP Message | Description |
Address mask reply | Used to reply to an address mask request with an appropriate subnet mask |
Time exceeded (TTL expired) | Generated by a router to inform the source of a packet that was discarded due to the time to live (TTL) field reaching zero Used by the traceroute utility to obtain a list of hosts that the packets traversed from source to destination |
Destination unreachable | Generated by a router to inform the source host that the destination is unreachable for a specified reason |
Echo request/Echo reply | Used by the ping utility to test whether a host is reachable across an IP network and to measure the roundtrip time for packets sent from the local host to a destination node |
The 7705 SAR supports the ICMPv6 capabilities described in Table 4.
Table 4: ICMPv6 Capabilities for IPv6
ICMPv6 Message | Description |
Destination unreachable | Generated by a router to inform the source host that the destination is unreachable for a specified reason, other than congestion |
Packet too big | Generated by a router in response to a packet that it cannot forward because the packet is larger than the MTU of the outgoing link. |
Time exceeded | Generated by a router to inform the source of a packet that was discarded because the hop limit was exceeded in transit |
Parameter problem | Generated by a router to inform the source of a packet that the packet was discarded due to a problem with a field in the IPv6 header or extension header that prevented it from processing the packet |
Echo request/Echo reply | Used by the ping utility to test whether a host is reachable across an IP network and to measure the roundtrip time for packets sent from the local host to a destination node |
Neighbor Discovery ICMPv6 Messages | |
Router solicitation | Sent by a host, when an interface is enabled, to request routers to generate router advertisements immediately rather than at their next scheduled time |
Router advertisement | Sent by a router to advertise its presence as well as link and Internet parameters, periodically or in response to a router solicitation message |
Neighbor solicitation | Sent by a node to determine the link-layer address of a neighbor or to verify that a neighbor is still reachable |
Neighbor advertisement | Sent by a node in response to a neighbor solicitation message Nodes can also send unsolicited neighbor advertisements to announce a link-layer address change |
Static Routes, Dynamic Routes, and ECMP
Static routes to next-hop addresses are supported on the 7705 SAR. Dynamic routing using the OSPF, RIP, IS-IS, or BGP protocols is also supported.
If the 7705 SAR chassis is equipped with two CSMs (Control and Switching modules) for redundancy, non-stop services are supported. Therefore, if the active CSM experiences an activity switch, all static route entries are maintained.
ECMP (Equal-Cost Multipath Protocol) refers to the distribution of packets over two or more outgoing links that share the same routing cost. The 7705 SAR load-balances traffic over multiple equal-cost links with a hashing algorithm that uses header fields from incoming packets to calculate which link to use. By adding additional fields to the algorithm, you can increase the randomness of the results and ensure a more even distribution of packets across available links. ECMP is supported on static routes and dynamic (OSPF, IS-IS, and BGP) routes. The 7705 SAR supports ECMP for LDP and IP traffic.
ECMP for LDP can be used to distribute MPLS traffic across the links in order to balance the traffic load for spoke SDPs. If ECMP for LDP is enabled and there is more than one pseudowire service configured, load balancing will take place on a per-pseudowire basis. ECMP for LDP will load-balance traffic across all equal-cost links on a per-service basis. VPRN traffic is processed again with the same set of hashing attributes to ensure per-flow load balancing across multiple equal-cost LDP links. For more information on ECMP for LDP, refer to the 7705 SAR OS MPLS Guide, “Label Distribution Protocol”.
ECMP for IP allows load balancing to be configured across all IP interfaces at the system level or interface level on the network side. IP ECMP has the option to include Layer 4 port attributes and/or the TEID (tunnel endpoint identifier) attribute in the hashing algorithm. Configuration at the interface level overrides the system-level settings for the specific interface.
IP ECMP is supported on all 7705 SAR adapter cards and platforms.
Interfaces on the system can have any mixture of load-balancing configurations, including having load balancing disabled. Router updates often cause interface load balancing configuration changes. The 7705 SAR will automatically continue processing packets using the new interface configuration.ECMP is configured on the interface but is agnostic to the underlying SAP, spoke SDP, or VPLS binding. ECMP configuration is maintained even if the binding type changes.
If multiple routes are learned with an identical preference using the same protocol, the lowest-cost route is used. If multiple routes are learned with an identical preference using the same protocol and the costs (metrics) are equal, the decision of which route to use is determined by the configuration of ECMP.
For information on configuring the 7705 SAR for LSR ECMP with the lsr-load- balancing command, see Router Interface Commands and the 7705 SAR OS Basic System Configuration Guide, “System Information and General Commands”.
For information on configuring the 7705 SAR for IP ECMP with the l4-load-balancing and teid-load-balancing commands, see Router Interface Commands, the 7705 SAR OS Basic System Configuration Guide, “System Information and General Commands”, and the 7705 SAR OS Services Guide, “IES Command Reference” and “VPRN Services Command Reference”.
Preferences are set on static routes in the config>router>static-route context. Preferences are set on OSPF routes in the config>router>ospf context, on RIP routes in the config>router>rip context, on IS-IS routes in the config>router>isis> level context, and on BGP routes in the config>router>bgp context (refer to the 7705 SAR OS Routing Protocols Guide for OSPF, IS-IS, and BGP configuration).
IGP-LDP and Static Route-LDP Synchronization
With LDP, FECs learned from an interface do not necessarily link to that interface state. As long as the router that advertised the label(s) is reachable, the learned labels are stored in the incoming label map (ILM) table.
Although this feature gives LDP a lot of flexibility, it can also cause problems. For example, when an interface comes back up from a failure or from a shutdown state, the static routes bound to that interface are installed immediately. However, the LDP adjacency to the next hop might not be up, which means that the LDP SDP remains down. In this case, the MPLS traffic will be blackholed until the LDP adjacency comes up.
The same issue is also applicable to dynamic routes (OSPF and IS-IS).
To resolve this issue, the LDP synchronization timer enables synchronization of IGP or static routes to the LDP state.
With IGP, when a link is restored after a failure, IGP sets the link cost to infinity and advertises it. The value advertised in OSPF is 0xFFFF (65535). The value advertised in IS-IS regular metric is 0x3F (63) and in IS-IS wide-metric is 0xFFFFFE (16777214).
After IGP advertises the link cost, the LDP hello adjacency is brought up with the neighbor. The LDP synchronization timer is started by IGP from the time the LDP session to the neighbor is up over the interface. This synchronization timer allows time for the label-FEC bindings to be exchanged.
When the LDP synchronization timer expires, the link cost is restored and is readvertised. IGP will announce a new best next-hop and LDP will use it if the label binding for the neighbor’s FEC is available.
The above behavior is similar for static routes. If the static route is enabled for ldp-sync, the route is not enabled immediately after the interface to the next hop comes up. Routes are suppressed until the LDP adjacency with the neighbor comes up and the synchronization timer expires. The timer does not start until the LDP adjacency with the neighbor node is fully established. For static routes, the ldp-sync-timer function requires LDP to use the interface address, not the system address, as its transport address.
Bidirectional Forwarding Detection (BFD)
BFD is a simple protocol for detecting failures in a network. BFD uses a “hello” mechanism that sends control messages periodically to the far end and receives periodic control messages from the far end. BFD is implemented for routes in asynchronous mode only, meaning that neither end responds to control messages; rather, the messages are sent in the time period configured at each end.
Due to the lightweight nature of BFD, it can detect failures faster than other detection protocols, making it ideal for use in applications such as mobile transport.
If the configured number of consecutive BFD missed messages is reached, the route to the peer is declared not active. For centralized and line card BFD sessions, failure detection is propagated to all impacted upper layer protocols within a few milliseconds. Upper layer protocols act on failure information as soon as it is made available by BFD.
The v-port on the 2-port 10GigE (Ethernet) Adapter card and on the 2-port 10GigE (Ethernet) module is linked to the ring ports through the add/drop port, therefore its operational status—always operationally up—is not dependent on the status of the ring ports. Hence, a ring port failure will not necessarily trigger an action at the v-port. To ensure that there is fast detection of any Layer 2 failure and that protocols on the v-port will react to the failure, you must run health-check tests or OAM tests with the peer or peers at the far end. For example, BFD must be configured between the v-port and the far-end IP interface. The use of health-check tests to the far-end interface will trigger upper layer protection mechanisms on the v-port, where the behavior will be comparable to an intermediate Layer 2 transport network failure on any other Ethernet port.
For IPv4, BFD is supported on static routes, OSPF, IS-IS, BGP, PIM, RSVP-TE, and T-LDP. For IPv6, BFD is supported on static routes and OSPFv3.
NAT
Network Address Translation (NAT) is used by mobile backhaul, enterprise, and SI (Strategic Industries) providers to provide expandability and security for private networks. Tier 1 providers can potentially run out of private IPv4 addresses, making it difficult to expand their existing networks. To address this issue, NAT can be used. NAT can hide multiple private IP addresses behind a single public IP address and therefore makes it possible to scale IP solutions in mobile backhaul, enterprise, and SI networks.
For example, when applying NAT to a typical metrocell deployment, the cell site network is divided into two separate segments, a private domain and a public domain. Private domain network IP addressing needs to be hidden from the public domain. NAT makes all metrocells accessible via a single IP address visible in the public domain. The IPSec tunnels generated from metrocells are uniquely identified using IPSec NAT traversal (NAT-T).
Besides conserving available IPv4 addresses, NAT can also be used as a security feature to hide the real IP addresses of hosts, securely providing private LAN users access to public addresses.
NAT is supported on the following cards and platforms:
- on the 7705 SAR-8 (with CSMv2) and the 7705 SAR-18:
- 8-port Gigabit Ethernet Adapter card
- 2-port 10GigE (Ethernet) Adapter card
- Packet Microwave Adapter card
- 10-port 1GigE/1-port 10GigE X-Adapter card (7705 SAR-18 only)
- 7705 SAR-H
- 7705 SAR-Hc
- 7705 SAR-Wx
Session Creation
A NAT session is established by extracting session packets to the CSM to match them against NAT rules. Packet extraction is based on zone configuration. If a packet is inbound to or outbound from a zone, the packet is passed to the CSM and checked against NAT rules. If the extracted packet matches a NAT policy and an accompanying NAT action, a NAT session is created. NAT sessions created on the CSM are downloaded to the datapath and the throughput of the session is constrained by the 7705 SAR datapath throughput.
A 6-tuple lookup (source IP, destination IP, source port, destination UDP or TCP port, protocol, and source zone) is performed for a packet arriving on the ingress datapath. If there is a match, the packet has NAT applied to it and is routed based on the datapath NAT session table.
Once the active session is downloaded (established) any subsequent packet will match the established session and a 6-tuple will not be extracted or checked against the NAT policy.
When the downloaded NAT session times out, or closes because of TCP connection termination, the session is deleted from the datapath.
On the 7705 SAR-8 and 7705 SAR-18, NAT sessions survive a CSM redundancy switch.
NAT Zones
NAT configuration is based on zones. Zones segment a network, making it easier to control and organize traffic. A zone consists of a group of Layer 3 interfaces with common criteria, bundled together. NAT policies, which define a set of rules that determine how NAT should direct traffic, can be applied to the entire zone.
With source NAT, a traffic session can only be initiated from a private domain to a public domain. Unless a session is created, packets from the public domain cannot be forwarded to the private domain. All arriving packets from the private domain, which are routed towards a public interface are checked to determine if they traverse a NAT zone. If so, the packets are examined against the NAT policy rules. If there is a match between the policy and the packet, NAT is applied to the packet. Source NAT changes the source IP address and the source port of the packet, based on the configured NAT pool.
Zones can be segmented as small as a single interface or as large as the maximum number of interfaces supported by 7705 SAR. For example, in metrocell applications, all the SAPs on the access point used to aggregate the metrocell can be placed in a single zone (zone 2) and the uplink public interface can be placed in another zone (zone 1). All traffic routed between the two zones uses NAT rules based on the NAT policies created for zone 1 and zone 2.
An example of the above zone configuration is shown in Figure 2.
| Note:
|
Figure 2: Zone Configuration in a Mobile Backhaul Network
In Figure 2, the OAM traffic from the metrocell is not encrypted. The OAM traffic is aggregated into a single VPRN service and IPSec functionality encrypts the OAM traffic. The encrypted traffic enters IES 10 with an IPSec header that has a routable IP destination address (typically to a security gateway) in addition to the encrypted payload. The far end destination IP address can be reached through IES uplink zone 1 or GRT uplink zone 1. Since the traffic from IES 10 to the uplink zone crosses a zone boundary, the zone policy is applied to the uplink interface, and NAT is applied to the packet. The source IP address in the packet is replaced with the IP address of the uplink Interface.
Similarly, in Figure 2, traffic from the metrocell (indicated by the dashed line), is encrypted by the metrocell with a valid IP header that contains a destination IP address (typically to a security gateway). The far end destination is reachable through IES uplink zone 1 or GRT uplink zone 1. The packet has NAT applied to it because the packet must cross a zone boundary. The source IP address of the metrocell packet that enters IES 2 is replaced with the source IP address of IES uplink zone 1 as it exits the 7705 SAR. In addition the source UDP/TCP port may also be replaced depending on the NAT policy configured for the zone.
In both of the cases described above, NAT is applied to the IP traffic according to NAT zone policy rules configured for IES uplink zone 1 or GRT uplink zone 1.
When using NAT in conjunction with IPSec, all IPSec tunnels need to be configured (enabled) with NAT Traversal (NAT-T) functionality. Enabling NAT-T on IPSec causes an insertion of the UDP port below the IPSec IP header. This UDP port can be used by NAT to uniquely identify each IPSec tunnel.
With static destination NAT, when packets from a public domain arrive at a zone, their source and destination IP addresses are evaluated to determine from which interface within the zone the packet will egress.
Zone Direction
NAT policies can be configured based on traffic direction entering (inbound) the zone or leaving (outbound) the zone. A zone can be configured so that all traffic inbound to the zone has NAT applied to it based on the configured NAT policy for that zone. Likewise, a zone can be configured so that all traffic leaving the zone has NAT applied to it.
An example of inbound zone direction is shown in Figure 3. All traffic entering zone 2 has NAT applied to it based on the configured NAT policy assigned to zone 2.
Figure 3: Zone Direction (Inbound)
An example of outbound zone direction is shown in Figure 4. All traffic leaving zone 1 has NAT applied to it based on the configured NAT policy assigned to zone 1.
Figure 4: Zone Direction (Outbound)
Zone Configuration
A zone can be configured within the router context or under the base router and/or within the IES or VPRN service context. A zone is configured by adding at least one Layer 3 interface to the zone configuration. Multiple zones can be created within each service or within the router context. Layer 3 interfaces from different services cannot be grouped into a single common zone.
NAT Security Profile
A NAT security profile defines security profile features such as session idle timeouts. Profiles can vary from subscriber to subscriber and are applied to policies, which are then applied to zones at the time the zone is created. All profile timeouts are defined in days, hours, minutes, and seconds. Profiles are referenced by NAT policies.
Profile timeouts are used for timing out datapath sessions within specified connection states. For example, in a TCP three-way handshake, each state has its own configurable timeout value. If the TCP connection has not transitioned from a state within the time period of the configured timeout, the session will automatically time out and be removed from the datapath.
| Note:
NAT security profile 1 is the default profile and cannot be modified. By default, this profile is assigned to any security policy that does not have a profile. |
NAT profile attributes are described in Table 5.
Table 5: NAT Profile Attributes
Attribute | Description | CLI Command |
timeouts | Command used to configure session idle timeouts for a profile | timeouts |
ICMP request | Specifies the timeout for a half-open NAT ICMP session. A half-open NAT ICMP session is created when an ICMP request is sent but no ICMP response is received. Default timeout: 1 min Minimum timeout: 1min Maximum timeout: 5 min | icmp-request |
TCP established | Specifies the timeout for a TCP session in the established state Default timeout: 2 hrs, 4 min Minimum timeout: 1 min Maximum timeout: 24 hr | tcp-established |
TCP SYN | Specifies the timeout applied to a TCP session in the SYN state Default timeout: 1 min Minimum timeout: 6 s Maximum timeout: 24 hr | tcp-syn |
TCP time wait | Specifies the timeout applied to a TCP session in a time-wait state Default timeout: n/a Minimum timeout: n/a Maximum timeout: 4 min | tcp-time-wait |
TCP transitory | Specifies the idle timeout applied to a TCP session in a transitory state Default timeout: 4 min Minimum timeout: 1 min Maximum timeout: 24 hr | tcp-transitory |
UDP | Specifies the UDP mapping timeout Default timeout: 5 min Minimum timeout: 1 min Maximum timeout: 24 hr | udp |
UDP DNS | Specifies the timeout applied to a UDP session with destination port 53 Default timeout: 15 s Minimum timeout: 15 s Maximum timeout: 24 hr | udp-dns |
UDP initial | Specifies the timeout applied to a UDP session in its initial state Default timeout: 15 s Minimum timeout: 10 s Maximum timeout: 5 min | udp-initial |
NAT Policies
A NAT policy defines the method by which NAT should be applied to traffic that is inbound to or outbound from a NAT zone. Policies can vary from subscriber to subscriber and are applied to zones at the time the zone is created. NAT policies are all of type NPAT, meaning that they use both a network address translation and port address translation mechanism.
Within a NAT policy, a specific set of matching criteria can be configured. If there is a match on a packet, an action is applied. If the action is NAT, the packet has NAT applied to it based on the configured NAT pool IP address and ports.
| Note:
A security policy is a template that can be applied to multiple zones. |
NAT policy attributes and packet matching criteria are described in Table 6.
Table 6: NAT Policy Attributes and Packet Matching Criteria
Attribute | Description | CLI Command |
Action | Specifies how a packet is handled if a criteria is matched. If the zone finds a match for all the specified criteria, then it performs the specified actions on the packet. If there is no match, the packet is dropped. The supported actions are forward, reject, and nat. | action |
Packet flow direction | Specifies whether the policy matching criteria is applied to packets that are inbound to a zone, outbound from a zone, or to both inbound and outbound packets. The supported directions are zone-inbound, zone-outbound, and both. | direction |
Match (protocol ID) | Specifies a protocol ID (TCP, UDP, ICMP) that the protocol specification of the packet must match | match |
Source IP | Specifies an explicit source IP address for the match criteria of the rule. Packets being processed by a zone are evaluated for a match to the specified source IP. | src-ip |
Destination IP | Specifies an explicit destination IP address for the match criteria of the rule. Packets destined for the specified IP address are evaluated for a match. | dst-ip |
Source Port | Specifies a source port to match in the IP packets when the match attribute is specified as protocol ID | src-port |
Destination Port | Specifies a destination port to match in the IP packets when the match attribute is specified as protocol ID | dst-port |
ICMP Code | Specifies the ICMP code when the protocol ID specified for the match attribute of the rule is set to ICMP | icmp-code |
ICMP Type | Specifies the ICMP type when the protocol ID specified for the match attribute of the rule is set to ICMP | icmp-type |
Profile | Specifies the profile ID applied to the policy | profile |
Concurrent Sessions | Specifies the number of concurrent NAT sessions that can be created under this policy | concurrent-sessions |
Dynamic Source NAT
Source NAT can be used to create sessions from inside a private network to an outside (public) network. If an arriving IP packet on the 7705 SAR matches the NAT policy rules, an internal mapping is created between the inside (private) source IP address/source port and an outside (public) source IP address/source port. The public IP address and port are configured in the NAT pool policy.
NAT automatically creates a reverse mapping for arriving traffic from the public domain to the private domain for the same connection. This reverse mapping is based on an outside destination IP address and destination port to an inside destination IP address and destination port.
The configurable outside NAT pool for the source IP address and source port can be either a range of addresses and ports or a unique IP address and port.
The 7705 SAR also supports a single public IP address so that all inside (private) source IP addresses can be mapped to a single outside IP address and a range of ports. In this case, the interface name can be assigned to the NAT pool configuration. For ease of configuration, any local interfaces on the 7705 SAR can be assigned to the NAT pool (for example, local Layer 3 interfaces, loopback interfaces).
By assigning the Layer 3 interface name, the NAT pool inherits the IP address of that specific interface. For a DHCP client, the NAT pool IP address can change based on the IP address assigned to the interface by the DHCP server. If the interface IP address changes, all associated NAT sessions are cleared and re-established.
Local Traffic and NAT
Source NAT does not support self-generated traffic such as OSPF, BGP, or LDP.
Only packets transiting the 7705 SAR node have NAT applied to them. Any packet arriving on the 7705 SAR with a local IP address will be checked against active NAT sessions on the datapath (6-tuple lookup), and if there is no match, the packet is sent to the CSM for processing as local traffic.
Port Forwarding (Static Destination NAT)
Port forwarding consists of mapping an outside destination port to an inside destination IP address and port. For example, a packet arriving from outside on port X and using a UDP protocol (from any IP address) is mapped to an inside destination port and destination IP address.
A typical use of port forwarding is shown in Figure 5. Each inside application is uniquely accessible via an outside port. For example, the surveillance camera behind the 7705 SAR can be reached via the UDP protocol and port 50. Any packet from any IP address arriving on destination port 50 is mapped to an internal destination IP address of 192.168.1.3 and destination port 50.
| Note:
Using port forwarding for well-known ports can disrupt in-band local management traffic. |
Figure 5: Static Port Forwarding with NAT
Static port forwarding can provide accessibility to applications behind a single IP address. Each application can be uniquely accessed via the public IP address and the destination port for that application.
Matching criteria for port forwarding includes local interface IP address, source IP address, and source UDP/TCP port.
Session Resource Alarms
The system monitors the overall session resource utilization. An alarm state is declared if the utilization exceeds the user-configurable high watermark (session-high-wmark). The alarm condition is only cleared when the utilization has dropped below the user-configurable low watermark (session-low-wmark).
If the thresholds are not configured, an alarm is raised if utilization reaches 100% and is cleared when utilization drops to 0%.
Session resource utilization alarms are described in Table 7.
Table 7: Session Resource Utilization Alarms
Event | Description | SNMP Notification |
All security session resources have been exhausted | This event is generated if all session resources have been exhausted (utilization reaches 100%) | aluSecSessionsExhausted |
Security session resource alarm detected | This event is generated when a resource alarm state is detected. The alarm state is detected when either the high watermark is crossed (if configured) or all session resources have been exhausted. | aluSecSessionHiWtrMrkCrossed |
Security session resource alarm cleared | This event is generated when a security session resource alarm state is cleared. This alarm state is cleared when either the low watermark is crossed (if configured) or all sessions have been cleared. | aluSecSessionLoWtrMrkCrossed |
Security session resource alarm threshold modified | This event is generated when the high or low thresholds for the alarm state are modified. | aluSecSessionWtrMrkModified |
NAT Support for Fragmented Packets
The NAT functionality on the 7705 SAR can process UDP packet fragments; however, the fragment containing the header must arrive first. If this condition is not met, the following actions occur:
- For source NAT packets traversing from a private network to a public network, fragmented packets that do not contain the UDP header are dropped.
- For source NAT packets traversing from a public network to a private network and destined to a local IP address on the 7705 SAR, fragmented packets that do not contain the UDP header are extracted to the CSM for processing and an ICMP error message is sent to the sender.
- For destination NAT (port forwarding) packets traversing from a public network to a private network and destined to a local IP address on the 7705 SAR, fragmented packets that do not contain the UDP header are extracted to the CSM for processing and an ICMP error message is sent to the sender.
On the 7705 SAR-8 and 7705 SAR-18, in addition to the condition requiring the fragment containing the header to arrive first, all fragments of a given packet must arrive on the same adapter card for processing.
For example, if an upstream router in the network performs IP ECMP load balancing and the load balancing takes Layer 4 port information into account in its hashing algorithm, it is possible that the algorithm will put the packet fragment that contains the UDP header information (that is, the first fragment of the packet) on one Layer 3 interface and the packet fragment that does not contain the UDP information (that is, the subsequent fragments of the packet) on a different Layer 3 interface. When packet fragments traverse different Layer 3 interfaces, depending on the interface latency, it is possible that the fragments will arrive out of sequence at the destination. Should this occur and the non-UDP packet fragments arrive ahead of the packet fragment that contains the UDP header, the 7705 SAR router will discard the packets that do not have UDP information because they arrived out of sequence. In order to avoid fragment sequencing issues caused by Layer 4 load balancing hashing algorithms such as IP ECMP or LAG, it is recommended that these algorithms be disabled on all routers in the network if it is foreseen that packet fragments might be arriving on the 7705 SAR router.
Router Configuration Process Overview
Figure 6 displays the process to configure basic router parameters.
Figure 6: IP Router Configuration Flow
Configuration Notes
The following information describes router configuration caveats.
- A system interface and associated IP address must be specified.
- Boot options file (BOF) parameters must be configured prior to configuring router parameters.
Reference Sources
For information on supported IETF drafts and standards, as well as standard and proprietary MIBs, refer to Standards and Protocol Support.