The Interfaces section of the VPN 3000 Concentrator Series Manager applies primarily to Ethernet network interfaces. In this section, you configure functions that are interface-specific, rather than system-wide. There is also a screen to configure power-supply and voltage-sensor alarms.
Typically, you configure at least two network interfaces for the VPN Concentrator to operate as a VPN device: usually the Ethernet 1 (Private) and the Ethernet 2 (Public) interfaces. If you used Quick Configuration as described in the VPN 3000 Series Concentrator Getting Started manual, the system supplied many default parameters for the interfaces. In the Interfaces section, you can customize the configuration.
The VPN Concentrator uses filters to control, or govern, data traffic passing through the system (see Configuration | Policy Management | Traffic Management). You apply filters both to interfaces and to groups and users. Group and user filters govern tunneled group and user data traffic; interface filters govern all data traffic.
Network interfaces usually connect to a router that routes data traffic to other networks. The VPN Concentrator includes IP routing functions: static routes, RIP (Routing Information Protocol), and OSPF (Open Shortest Path First). You configure RIP and interface-specific OSPF in the Interfaces section. You configure static routes, the default gateway, and system-wide OSPF in the IP Router section (see the Configuration | System | IP Routing screens).
RIP and OSPF are routing protocols that routers use to send messages to other routers to determine network connectivity, status, and optimum paths for sending data traffic. The VPN Concentrator supports RIP versions 1 and 2, and OSPF version 2. You can enable both RIP and OSPF on an interface.
Filter settings override RIP and OSPF settings on an interface; therefore, be sure settings in filter rules are consistent with RIP and OSPF use. For example, if you intend to use RIP, be sure you apply a filter rule that forwards TCP/UDP packets with the RIP port configured.
This section lets you configure the three VPN Concentrator Ethernet interface modules. You can also configure alarm thresholds for the power-supply modules.
Model 3005 comes with two Ethernet interfaces. Models 3015 through 3080 come with three Ethernet interfaces.
Configuring an Ethernet interface includes supplying an IP address, applying a traffic-management filter, setting the speed and transmission modes, and configuring RIP and OSPF routing protocols.
Note Interface settings take effect as soon as you apply them. If the system is in active use, changes might affect tunnel traffic.
The table shows all installed interfaces and their status.
To configure a module, either click the appropriate link in the status table, or select the module on the back-panel image and click anywhere in the highlighted area.
To update the screen contents, click the Refresh button. The date and time above this reminder indicate when the screen was last updated.
The VPN Concentrator interface installed in the system. To configure an interface, click the appropriate link.
To configure Ethernet interface parameters, click the appropriate highlighted link in the table or click in a highlighted module on the back-panel image. See Configuration | Interfaces | Ethernet 1 2 3.
This field appears under Ethernet 1, 2, or 3 if DHCP Client is enabled for that interface.
Renew: Renews the DHCP client lease for the interface.
Release: Releases the DHCP client lease for the interface.
This field displays the IP addresses of up to three configured DNS servers.
To view or edit DNS server information, click DNS Server. The Configuration | System | Servers | DNS window appears.
The registered domain in which the VPN Concentrator is located, for example: cisco.com.
To view or edit DNS Domain Name information, click DNS Domain Name. The Configuration | System | Servers | DNS window appears.
The operational status of this interface.
The IP address configured on this interface.
The subnet mask configured on this interface.
The unique hardware MAC (Medium Access Control) address for this interface, displayed in 6-byte hexadecimal notation.
This field displays the IP address of the default gateway for the subnet associated with this interface.
To view or edit default gateway information, click Default Gateway. The Configuration | System | IP Routing | Default Gateways window displays.
When you are not using DHCP to obtain a default gateway, you configure a default gateway manually. If DHCP client on the Ethernet 2 (Public) interface is enabled, the default gateway is automatically entered in the routing table, and not in the Configuration | System | IP Routing | Default Gateways screen.
When you configure a default gateway manually, the system automatically removes the DHCP-obtained default gateway from the routing table. To reverse this operation, renew the DHCP lease for the Ethernet 2 (Public) interface.
To configure alarm thresholds on system power supplies, click the appropriate highlighted link or click in a highlighted power-supply module in the back-panel image and see Configuration | Interfaces | Power.
To configure Ethernet interface parameters, click the appropriate highlighted Ethernet module in the back-panel image and see Configuration | Interfaces | Ethernet 1 2 3.
This screen lets you configure alarm thresholds for voltages in the system power supplies, CPU, and main circuit board. You set high and low thresholds for the voltages. (For recommended thresholds, see Table 3-1.) When the system detects a voltage outside a threshold value, it generates a HARDWAREMON (hardware monitoring) event. (See Configuration | System | Events.) If a power supply is faulty, the appropriate Power Supply LED on the front panel is amber.
Table 3-1 Recommended Power Thresholds

Thresholds Monitor | Minimum-Maximum Range (in Centivolts) | Tolerance
---|---|---
Warning If a voltage generates an alarm, shut down the system in an orderly way and contact Cisco support. Operating the system with out-of-range voltages, especially if they exceed the high threshold, might cause permanent damage.
You can view system voltages and status on the Monitoring | System Status | Power screen.
The fields show default values for alarm thresholds in centivolts, for example, 361 = 3.61 volts. Enter or edit these values as desired.
The hardware sets voltage thresholds in increments that might not match an entered value. The fields show the actual thresholds, and the values might differ from your entries.
High and low thresholds for the voltage sensors on the CPU chip. The value is system dependent, either 2.5 or 1.9 volts.
High and low thresholds for the 3.3- and 5-volt outputs from the power supplies. You can enter values for the second power supply on Models 3015-3080 even if it is not installed.
High and low thresholds for the 3.3- and 5-volt sensors on the main circuit board.
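The threshold fields above are expressed in centivolts, and the hardware rounds entered values to its own granularity. The following added example (illustrative code, not part of the VPN Concentrator or this manual) shows how a monitor would convert and quantize such thresholds and then classify readings as HARDWAREMON-style events. The sample threshold values, the 5-centivolt step size, and the sensor names are constructed assumptions; the recommended values in Table 3-1 are not reproduced here.

```python
"""Added example: evaluate voltage readings against high/low thresholds in centivolts."""

CV_PER_VOLT = 100        # 361 centivolts == 3.61 volts
STEP_CV = 5              # ASSUMED hardware threshold granularity (the page gives no figure)

# Constructed sample (low, high) thresholds in centivolts; illustrative only.
SAMPLE_THRESHOLDS = {
    "cpu":        (240, 260),   # assumed 2.5 V CPU core (the page says 2.5 or 1.9 V by model)
    "ps1_3.3v":   (310, 350),
    "ps1_5v":     (470, 530),
    "board_3.3v": (310, 350),
    "board_5v":   (470, 530),
}


def quantize(cv: int) -> int:
    """Round a centivolt value to the nearest hardware step, as the sensor hardware would."""
    return round(cv / STEP_CV) * STEP_CV


def program_thresholds(requested: dict) -> dict:
    """Return the thresholds the hardware actually sets; they may differ from what was entered."""
    return {sensor: (quantize(lo), quantize(hi)) for sensor, (lo, hi) in requested.items()}


def check_voltages(readings_cv: dict, thresholds: dict) -> list:
    """Return one HARDWAREMON-style event string per reading outside its [low, high] window."""
    events = []
    for sensor, reading in readings_cv.items():
        lo, hi = thresholds[sensor]
        if reading < lo:
            events.append(f"HARDWAREMON: {sensor} low: {reading / CV_PER_VOLT:.2f} V "
                          f"below {lo / CV_PER_VOLT:.2f} V")
        elif reading > hi:
            events.append(f"HARDWAREMON: {sensor} high: {reading / CV_PER_VOLT:.2f} V "
                          f"above {hi / CV_PER_VOLT:.2f} V")
    return events


if __name__ == "__main__":
    active = program_thresholds(SAMPLE_THRESHOLDS)
    # Constructed readings: one supply output is over its high threshold.
    for event in check_voltages({"cpu": 250, "ps1_5v": 540, "board_3.3v": 330}, active):
        print(event)
```

Because the 5 V reading of 540 centivolts exceeds the sample high threshold, the run prints one high-voltage event; readings inside their windows produce nothing, matching the screen's behaviour of raising an event only when a sensor leaves its range.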
To apply your settings to the system and include them in the active configuration, click Apply. The Manager returns to the Configuration | Interfaces screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your settings, click Cancel. The Manager returns to the Configuration | Interfaces screen.
This screen lets you configure parameters for the Ethernet interface you selected. It displays the current parameters, if any.
Configuring an Ethernet interface includes supplying an IP address, identifying it as a public interface, applying a traffic-management filter, setting speed and transmission mode, and configuring RIP and OSPF routing protocols.
To apply a custom filter, you must configure the filter first; see Configuration | Policy Management | Traffic Management.
Caution If you modify any parameters of the interface that you are currently using to connect to the VPN Concentrator, you will break the connection, and you will have to restart the Manager from the login screen.
This screen includes three tabbed sections. Click each tab to display its parameters. As you move from tab to tab, the Manager retains your settings. When you have finished setting parameters on all tabbed sections, click Apply or Cancel.
This tab lets you configure general interface parameters: DHCP client, IP address, subnet mask, public interface status, filter, speed, transmission mode, maximum transmission unit, and IPSec fragmentation policy.
To take the interface offline, click Disabled. This state lets you retain or change its configuration parameters.
If the interface is configured but disabled (offline), the appropriate Ethernet Link Status LED blinks green on the VPN Concentrator front panel.
Check the DHCP Client check box if you want to obtain the IP address, the subnet mask, and the default gateway for this interface via DHCP. If you check this box, do not make entries in the IP address and subnet mask fields that follow.
Note Because some Internet service providers require that the host name be specified in DHCP requests, you might have to specify the system name when running the DHCP Client on the VPN Concentrator public interface. (Specify the system name on the Configuration | System | General | Identification screen.) The VPN Concentrator uses the system name as the host name in DHCP requests.
If you want to set a static IP address for this interface, enter the IP address here, using dotted decimal notation (for example, 192.168.12.34). Note that 0.0.0.0 is not allowed. Be sure no other device is using this address on the network.
Enter the subnet mask for this interface, using dotted decimal notation (for example, 255.255.255.0). The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered. For example, the IP address 192.168.12.34 is a Class C address, and the standard subnet mask is 255.255.255.0. You can accept this entry or change it. Note that 0.0.0.0 is not allowed.
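The rules in the DHCP Client, IP Address and Subnet Mask paragraphs above (DHCP and static entries are mutually exclusive, 0.0.0.0 is rejected for both fields, and the Manager proposes a classful default mask) can be captured in a small validator. The following is an added example written for this page, not Manager code; the function name and the ValueError messages are my own, and it cannot check the page's last requirement, that no other device on the network uses the address.

```python
"""Added example: validate the General tab's DHCP / IP address / subnet mask entries."""
import ipaddress


def default_classful_mask(ip: str) -> str:
    """Return the standard (classful) subnet mask the Manager supplies for an address."""
    first_octet = int(ip.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"        # Class A
    if first_octet < 192:
        return "255.255.0.0"      # Class B
    if first_octet < 224:
        return "255.255.255.0"    # Class C, e.g. 192.168.12.34
    raise ValueError("Class D/E addresses cannot be assigned to an interface")


def validate_general_tab(dhcp_client: bool, ip: str = None, mask: str = None):
    """Return the (ip, mask) pair to program, or raise ValueError describing the problem.

    With DHCP Client checked the address fields must stay empty; with a static
    address, 0.0.0.0 is rejected and a missing mask gets the classful default.
    """
    if dhcp_client:
        if ip or mask:
            raise ValueError("leave IP address and subnet mask blank when DHCP Client is checked")
        return None, None
    if not ip:
        raise ValueError("a static configuration requires an IP address")
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on malformed input
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        raise ValueError("0.0.0.0 is not allowed as an interface address")
    mask = mask or default_classful_mask(ip)
    if mask == "0.0.0.0":
        raise ValueError("0.0.0.0 is not allowed as a subnet mask")
    # Rejects non-contiguous masks such as 255.0.255.0 (NetmaskValueError is a ValueError).
    ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return ip, mask


if __name__ == "__main__":
    print(validate_general_tab(False, "192.168.12.34"))   # mask defaults to 255.255.255.0
    print(validate_general_tab(False, "10.1.2.3", "255.255.255.0"))  # override accepted
```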
To make this interface a public interface, check the Public Interface check box. A public interface is an interface to a public network, such as the Internet. You must configure a public interface before you can configure NAT and IPSec LAN-to-LAN, for example. You should designate only one VPN Concentrator interface as a public interface.
This is the unique hardware MAC (Medium Access Control) address for this interface, displayed in 6-byte hexadecimal notation. You cannot change this address.
The filter governs the handling of data packets through this interface: whether to forward or drop, in accordance with configured criteria. Cisco supplies three default filters that you can modify and use with the VPN Concentrator. You can configure filters on the Configuration | Policy Management | Traffic Management screens.
Click the drop-down menu button and choose the filter to apply to this interface:
Other filters that you have configured also appear in this menu.
Click the Speed drop-down menu button and choose the interface speed:
Click the Duplex drop-down menu button and choose the interface transmission mode:
The MTU value specifies the maximum transmission unit (that is, packet size) in bytes for the interface. Valid values range from 68 through 1500. The default value, 1500, is the MTU for Ethernet.
The IPSec fragmentation policy specifies how to treat packets that exceed the MTU setting when tunneling traffic through the public interface. This feature provides a way to handle cases where a router or NAT device between the VPN Concentrator and the client rejects or drops IP fragments. For example, suppose a client wants to FTP get from an FTP server behind a VPN Concentrator. The FTP server transmits packets that when encapsulated would exceed the VPN Concentrator's MTU size on the public interface. The following options determine how the VPN Concentrator processes these packets.
The fragmentation policy you set here applies to all traffic travelling out the VPN Concentrator public interface to clients running version 3.6 or later software. The second and third options described below may affect performance.
Note Clients running software versions earlier than 3.6 or L2TP over IPSec clients can use only the first option, "Do not fragment prior to IPSec encapsulation; fragment prior to interface transmission." The setting you configure applies to 3.6 clients only. The VPN Concentrator ignores the setting for clients running software versions earlier than 3.6 and protocols other than IPSec. For these clients the first option applies: "Do not fragment prior to IPSec encapsulation; fragment prior to interface transmission."
The VPN Concentrator encapsulates all tunneled packets. After encapsulation, the VPN Concentrator fragments packets that exceed the MTU setting before transmitting them through the public interface. This is the default policy for the VPN Concentrator. This option works for situations where fragmented packets are allowed through the tunnel without hindrance. For the FTP example, large packets are encapsulated and then fragmented at the IP layer. Intermediate devices may drop fragments or just out-of-order fragments. Load-balancing devices can introduce out-of-order fragments.
The VPN Concentrator fragments tunneled packets that would exceed the MTU setting during encapsulation. For this option, the VPN Concentrator drops large packets that have the Don't Fragment (DF) bit set, and sends an ICMP message "Packet needs to be fragmented but DF is set" to the packet's initiator. The ICMP message includes the maximum MTU size allowed. Path MTU Discovery means that an intermediate device (in this case the VPN Concentrator) informs the source of the MTU permitted to reach the destination.
If a large packet does not have the DF bit set, the VPN Concentrator fragments it prior to encapsulating, thus creating two independent non-fragmented IP packets, and transmits them out the public interface. This is the default policy for the VPN 3002 hardware client.
For this example, the FTP server may use Path MTU Discovery to adjust the size of the packets it transmits to this destination.
The VPN Concentrator fragments tunneled packets that exceed the MTU setting before encapsulating them. If the DF bit on these packets is set, the VPN Concentrator clears the DF bit, fragments the packets, and then encapsulates them. Each fragment leaves the public interface as an independent, non-fragmented IP packet, so the fragments reach the peer site as complete packets and are reassembled there.
In our example, the VPN Concentrator overrides the MTU and allows fragmentation by clearing the DF bit.
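To make the three policies concrete, the following added example (my own illustration, not VPN Concentrator code) runs the FTP-server packet from the text through each option and shows what leaves the public interface: fragmented outer packets, whole encapsulated fragments, or a drop with an ICMP "needs fragmentation" message. The encapsulation overhead constant, the policy names, and the IP header length used for fragment sizing are assumptions; real ESP overhead depends on the cipher and the 8-byte fragment-offset rule is from IPv4 itself, not from the page.

```python
"""Added example: simulate the three IPSec fragmentation policies on the public interface."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

IP_HDR = 20          # IPv4 header without options
ESP_OVERHEAD = 58    # ASSUMED per-packet tunnel-mode overhead in bytes (illustrative)

FRAGMENT_AFTER = "fragment_after_encapsulation"            # option 1, the default
FRAGMENT_BEFORE_PMTU = "fragment_before_encapsulation_pmtu"   # option 2, honours DF
FRAGMENT_BEFORE_CLEAR_DF = "fragment_before_encapsulation_clear_df"  # option 3


@dataclass
class Packet:
    size: int                  # total IP length in bytes
    df: bool                   # Don't Fragment bit
    encapsulated: bool = False
    fragment: bool = False     # True when this is an IP fragment, not a complete datagram


def ip_fragment(pkt: Packet, mtu: int) -> List[Packet]:
    """Split one IP packet into fragments that each fit the MTU (payload in 8-byte units)."""
    payload = pkt.size - IP_HDR
    max_payload = (mtu - IP_HDR) // 8 * 8
    fragments = []
    while payload > 0:
        chunk = min(payload, max_payload)
        fragments.append(Packet(IP_HDR + chunk, pkt.df, pkt.encapsulated, fragment=True))
        payload -= chunk
    return fragments


def encapsulate(pkt: Packet) -> Packet:
    """Wrap a packet in the tunnel; the result is a complete outer IP packet."""
    return Packet(pkt.size + ESP_OVERHEAD, df=pkt.df, encapsulated=True)


def apply_policy(policy: str, pkt: Packet, mtu: int) -> Tuple[List[Packet], Optional[str]]:
    """Return (packets sent out the public interface, ICMP message to the source or None)."""
    if policy == FRAGMENT_AFTER:
        outer = encapsulate(pkt)
        # Fragmentation happens at the IP layer on the already-encapsulated packet.
        return (ip_fragment(outer, mtu) if outer.size > mtu else [outer]), None

    inner_mtu = mtu - ESP_OVERHEAD          # largest cleartext packet that still fits after encapsulation
    if pkt.size <= inner_mtu:
        return [encapsulate(pkt)], None

    if policy == FRAGMENT_BEFORE_PMTU:
        if pkt.df:
            # Path MTU Discovery: drop and tell the initiator the MTU it may use.
            return [], f"ICMP: packet needs to be fragmented but DF is set (MTU {inner_mtu})"
        return [encapsulate(f) for f in ip_fragment(pkt, inner_mtu)], None

    if policy == FRAGMENT_BEFORE_CLEAR_DF:
        cleared = Packet(pkt.size, df=False)   # DF is overridden before fragmenting
        return [encapsulate(f) for f in ip_fragment(cleared, inner_mtu)], None

    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    big = Packet(1500, df=True)   # constructed FTP data packet at the Ethernet MTU
    for policy in (FRAGMENT_AFTER, FRAGMENT_BEFORE_PMTU, FRAGMENT_BEFORE_CLEAR_DF):
        sent, icmp = apply_policy(policy, big, mtu=1500)
        print(policy, [(p.size, p.fragment) for p in sent], icmp)
```

With the assumed overhead, option 1 emits a 1500-byte first fragment and a small trailing fragment that an intermediate NAT device or load balancer may drop or reorder; options 2 and 3 instead emit two complete encapsulated packets of 1494 and 142 bytes, the difference being that option 2 drops a DF-marked packet and relies on the FTP server's Path MTU Discovery, while option 3 clears DF and proceeds.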
RIP is a routing protocol that routers use for messages to other routers, to determine network connectivity, status, and optimum paths for sending data traffic. RIP uses distance-vector routing algorithms, and it is an older protocol that generates more network traffic than OSPF. The VPN Concentrator includes IP routing functions that support RIP versions 1 and 2. Many private networks with simple topologies still use RIPv1, although it lacks security features. RIPv2 is generally considered the preferred version; it includes functions for authenticating other routers, for example.
To use the Network Autodiscovery feature in IPSec LAN-to-LAN configuration, or to use the automatic list generation feature in Network Lists, you must enable Inbound RIPv2/v1 on Ethernet 1. (It is enabled by default.)
This parameter applies to RIP messages coming into the VPN Concentrator. It configures the system to listen for RIP messages on this interface.
Click the Inbound RIP drop-down menu button and choose the inbound RIP function:
This parameter applies to RIP messages going out of the VPN Concentrator; that is, it configures the system to send RIP messages on this interface.
Click the Outbound RIP drop-down menu button and choose the outbound RIP function:
OSPF is a routing protocol that routers use for messages to other routers, to determine network connectivity, status, and optimum paths for sending data traffic. OSPF uses link-state routing algorithms, and it is a newer protocol than RIP. It generates less network traffic and generally provides faster routing updates, but it requires more processing power than RIP. The VPN Concentrator includes IP routing functions that support OSPF version 2 (RFC 2328).
OSPF involves interface-specific parameters that you configure here, and system-wide parameters that you configure on the Configuration | System | IP Routing screens.
To enable OSPF routing on this interface, check the OSPF Enabled check box. (By default it is unchecked.)
To activate the OSPF system, you must also configure and enable OSPF on the Configuration | System | IP Routing | OSPF screen.
The area ID identifies the subnet area within the OSPF Autonomous System or domain. Routers within an area have identical link-state databases. While its format is that of a dotted decimal IP address, the ID is only an identifier and not an address.
The 0.0.0.0 area ID identifies a special area, the backbone, that contains all area border routers, which are the routers connected to multiple areas.
Enter the area ID in the field, using IP address format in dotted decimal notation (for example, 10.10.0.0). The default entry is 0.0.0.0, the backbone. Your entry also appears in the OSPF Area list on the Configuration | System | IP Routing | OSPF Areas screen.
This entry assigns a priority to the OSPF router on this interface. OSPF routers on a network elect one to be the Designated Router, which has the master routing database and performs other administrative functions. In case of a tie, the router with the highest priority number wins. A 0 entry means this router is ineligible to become the Designated Router.
Enter the priority as a number from 0 to 255. The default is 1.
This entry is the metric, or cost, of the OSPF router on this interface. The cost determines preferred routing through the network, with the lowest cost being the most desirable.
Enter the metric as a number from 1 to 65535. The default is 1.
This entry is the number of seconds between OSPF Link State Advertisements (LSAs) from this interface, which are messages that the router sends to describe its current state.
Enter the interval as a number from 0 to 3600 seconds. The default is 5 seconds, which is a typical value for LANs.
This entry is the number of seconds between Hello packets that the router sends to announce its presence, join the OSPF routing area, and maintain neighbor relationships. This interval must be the same for all routers on a common network.
Enter the interval as a number from 1 to 65535 seconds. The default is 10 seconds, which is a typical value for LANs.
This entry is the number of seconds for the OSPF router to wait before it declares that a neighboring router is out of service, after the router no longer sees the neighbor's Hello packets. This interval should be some multiple of the Hello Interval, and it must be the same for all routers on a common network.
Enter the interval as a number from 0 to 65535 seconds. The default is 40 seconds, which is a typical value for LANs.
This entry is the estimated number of seconds it takes to transmit a link state update packet over this interface, and it should include both the transmission and propagation delays of the interface. This delay must be the same for all routers on a common network.
Enter the delay as a number from 0 to 3600 seconds. The default is 1 second, which is a typical value for LANs.
This parameter sets the authentication method for OSPF protocol messages. OSPF messages can be authenticated so that only trusted routers can route messages within the domain. This authentication method must be the same for all routers on a common network.
Click the OSPF Authentication drop-down menu button and choose the authentication method:
If you chose Simple Password or MD5 for OSPF Authentication, enter the appropriate password or key in this field. Otherwise, leave the field blank.
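Several of the OSPF fields above carry a "must be the same for all routers on a common network" requirement, and the Priority field drives Designated Router election. The following added example (my own code, not Cisco's) checks an interface's values against the ranges the screen accepts, reports which parameters differ between two routers that should form an adjacency, and elects a DR by priority with 0 meaning ineligible. It goes one step beyond the page by breaking a priority tie with the highest router ID, as RFC 2328 specifies; the field names and the OspfInterface class are assumptions of the example.

```python
"""Added example: OSPF interface-parameter consistency checks and DR election."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class OspfInterface:
    router_id: str
    area_id: str = "0.0.0.0"        # backbone by default
    priority: int = 1
    cost: int = 1
    hello_interval: int = 10
    dead_interval: int = 40
    transit_delay: int = 1
    authentication: str = "none"    # "none", "simple" or "md5"


# Accepted ranges taken from the screen descriptions above.
RANGES = {
    "priority": (0, 255),
    "cost": (1, 65535),
    "hello_interval": (1, 65535),
    "dead_interval": (0, 65535),
    "transit_delay": (0, 3600),
}

# Parameters the page says must match on a common network (area ID added: Hello
# packets carry it and OSPF neighbours will not form on an area mismatch).
MUST_MATCH = ("area_id", "hello_interval", "dead_interval", "transit_delay", "authentication")


def validate_ranges(intf: OspfInterface) -> List[str]:
    """Return a list of problems with one interface's own values (empty when valid)."""
    problems = []
    for field, (lo, hi) in RANGES.items():
        value = getattr(intf, field)
        if not lo <= value <= hi:
            problems.append(f"{field}={value} outside {lo}-{hi}")
    if intf.dead_interval % intf.hello_interval:
        problems.append("dead interval should be a multiple of the hello interval")
    return problems


def neighbor_mismatches(a: OspfInterface, b: OspfInterface) -> List[str]:
    """Return the parameters that differ between two routers on the same network."""
    return [f for f in MUST_MATCH if getattr(a, f) != getattr(b, f)]


def elect_dr(interfaces: List[OspfInterface]) -> Optional[OspfInterface]:
    """Highest priority wins; priority 0 is ineligible; ties go to the highest router ID."""
    eligible = [i for i in interfaces if i.priority > 0]
    if not eligible:
        return None
    return max(eligible, key=lambda i: (i.priority, tuple(int(o) for o in i.router_id.split("."))))


if __name__ == "__main__":
    # Constructed sample: three routers on one LAN, one of them ineligible.
    lan = [
        OspfInterface("10.0.0.1", priority=1),
        OspfInterface("10.0.0.2", priority=5, dead_interval=45),
        OspfInterface("10.0.0.3", priority=0),
    ]
    print("DR:", elect_dr(lan).router_id)
    print("problems on 10.0.0.2:", validate_ranges(lan[1]))
    print("mismatch 1<->2:", neighbor_mismatches(lan[0], lan[1]))
```

Running this shows 10.0.0.2 elected despite its dead interval of 45 seconds being flagged as not a multiple of the 10-second hello, and that the same dead-interval difference would prevent 10.0.0.1 and 10.0.0.2 from agreeing on the parameters the page requires to match.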
To apply your settings to this interface and include your settings in the active configuration, click Apply. The Manager returns to the Configuration | Interfaces screen.
The Bandwidth Parameters tab lets you enable bandwidth management on the selected interface, define the link rate for the interface, and assign a bandwidth management policy to be used on the interface. Before you do these steps, you must have already created a bandwidth management policy. To create a bandwidth management policy, use the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add screen.
For detailed information on the Bandwidth Management feature, see the Configuration | Policy Management | Traffic Management | Bandwidth Policies | Add or Modify section.
To enable bandwidth management on this interface, check the Bandwidth Management check box.
The link rate is the speed of the network connection through the Internet.
Note The defined link rate is the available Internet bandwidth, not the physical LAN connection rate. If the router in front of the VPN Concentrator has a T1 connection to the Internet, set the link rate to 1544 kbps.
Enter a value for the speed of the network connection for this interface, and select a unit of measurement.
The default link rate is 1544 kbps.
Select a policy from the drop-down list. If there are no policies in this list, you must go to Configuration | Policy Management | Traffic Management | Bandwidth Policies and define one or more policies.
The policy you apply here is a default bandwidth policy for all users on this interface. This policy is applied to users who do not have a bandwidth management policy applied to their group.
To apply this change to the configuration, click Apply. To cancel the action, click Cancel.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your settings, click Cancel. The Manager returns to the Configuration | Interfaces screen.
Posted: Fri Apr 18 18:08:13 PDT 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.