This section of the VPN 3002 Hardware Client Manager applies functions that are interface-specific, rather than system-wide.
You configure two network interfaces for the VPN 3002 to operate as a VPN device: the private interface and the public interface. If you used Quick Configuration as described in the VPN 3002 Hardware Client Getting Started manual, the system supplied many default parameters for the interfaces. Here you can configure them explicitly.
Configuring an Ethernet interface includes supplying an IP address and subnet mask, and setting speed and transmission mode.
The VPN 3002 includes some IP routing functions: static routes, DHCP, and PPPoE. You configure static routes, the default gateway, and DHCP in the IP Routing section; see the Configuration | System | IP Routing screens. PPPoE requires no further configuration than supplying a username and password in the Public Interface parameter.
Note Interface settings take effect as soon as you apply them. If the system is in active use, changes might affect tunnel traffic.
The table on the Configuration | Interfaces screen shows all installed interfaces and their status.
To configure a module, either click the appropriate link in the status table, or select the module on the back-panel image and click anywhere in the highlighted area.
The VPN 3002 interface installed in the system. To configure an interface, click the appropriate link.
To configure Ethernet interface parameters, click the appropriate highlighted link in the table or click in a highlighted module on the back-panel image. See Configuration | Interfaces | Private/Public.
To configure DNS Server(s), click the highlighted link in the table. See Configuration | System | Servers | DNS.
The operational status of this interface: Configured, enabled, and operational; ready to pass data traffic.
The IP address configured on this interface.
The subnet mask configured on this interface.
This is the unique hardware MAC (Media Access Control) address for this interface, displayed in 6-byte hexadecimal notation. You cannot change this address.
The IP routing subsystem routes data packets first using static routes, then the default gateway. If you do not specify a default gateway, the system drops packets it cannot otherwise route.
To configure a default gateway, click the appropriate highlighted link in the table or click in a highlighted module on the back-panel image. See Configuration | System | IP Routing | Default Gateways.
This screen lets you configure parameters for the private interface. It displays the current parameters, if any.
Caution If you modify any parameters of the private interface that you are currently using to connect to the VPN 3002, you will break the connection, and you will have to restart the Manager from the login screen.
To make the interface offline, click Disabled. This state lets you retain or change its configuration parameters.
If the interface is configured but disabled (offline), the appropriate Ethernet Link Status LED blinks green on the VPN 3002 front panel.
To change the IP address of the private interface, click Static IP Addressing.
Enter the IP address for this interface, using dotted decimal notation (for example, 192.168.12.34). Note that 0.0.0.0 is not allowed. Be sure no other device is using this address on the network.
Enter the subnet mask for this interface, using dotted decimal notation (for example 255.255.255.0). The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered. For example, the IP address 192.168.12.34 is a Class C address, and the standard subnet mask is 255.255.255.0. You can accept this entry or change it. Note that 0.0.0.0 is not allowed.
This is the unique hardware MAC (Media Access Control) address for this interface, displayed in 6-byte hexadecimal notation. You cannot change this address.
Click the drop-down menu button and select the interface speed:
Click the drop-down menu button and select the interface transmission mode:
Accept the default value, 1500 bytes per packet.
To apply your settings to the system and include them in the active configuration, click Apply. The Manager returns to the Configuration | Interfaces screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your settings, click Cancel. The Manager returns to the Configuration | Interfaces screen.
This screen lets you select a connection method—DHCP, PPPoE, or static IP addressing—for the public interface. It also allows you to disable the public interface.
To make the interface offline, click Disabled. This state lets you retain or change its configuration parameters.
Click this radio button if you want to obtain the IP address and subnet mask for this interface via DHCP. If you click this button, you do not make entries in the IP address and subnet mask parameters that follow.
Click this radio button if you want to connect using PPPoE. If you select PPPoE, you do not make entries in the static IP addressing parameters that follow.
If you have selected PPPoE, enter a valid PPPoE username.
If you have selected PPPoE, enter the PPPoE password for the username you entered above.
If you have selected PPPoE, enter the PPPoE password again to verify it.
Click this radio button if you want to use a static IP address.
If you are using static IP addressing, enter the IP address for this interface, using dotted decimal notation (for example, 192.168.12.34). Note that 0.0.0.0 is not allowed. Be sure no other device is using this address on the network.
If you are using static IP addressing, enter the subnet mask for this interface, using dotted decimal notation (for example, 255.255.255.0). The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered. For example, the IP address 192.168.12.34 is a Class C address, and the standard subnet mask is 255.255.255.0. You can accept this entry or change it. Note that 0.0.0.0 is not allowed.
This is the unique hardware MAC (Media Access Control) address for this interface, displayed in 6-byte hexadecimal notation. You cannot change this address.
If you are using static IP addressing, click the drop-down menu button and select the interface speed:
If you are using static IP addressing, click the drop-down menu button and select the interface transmission mode:
The MTU value specifies the maximum transmission unit (packet size) in bytes for the interface. Valid values range from 68 through 1500. The default value, 1500, is the MTU for IP.
Change this value only when the VPN 3002 is dropping large packets because of the additional 8 bytes that a PPPoE header adds, or when other intermediate devices drop large, fragmentable packets without issuing an ICMP message. In such cases, determine the largest packet size that can pass without being dropped, and set the MTU to that value. The object is to reduce overhead on the system by sending packets that are as large as possible, but that are not so large as to require fragmentation and reassembly.
A good way to find out the largest packet size that can be passed is to use the Ping utility as follows:
ping -f -l <packet size in bytes> <destination IP address>, where
For example: ping -f -l 1400 10.10.32.4
Note The value you use when pinging does not include IP, ICMP, or Ethernet headers, which total 42 bytes. You need to include these 42 bytes when you set the MTU value for the interface.
If the interface is receiving large packets that require fragmentation, and the DF (Don't Fragment) bit is set, use the third option in the IPSec Fragmentation Policy field (see below). You can find out if the DF bit is set by using a traffic analyzer, or you may receive this ICMP message: "Fragmentation required but the DF bit is set."
Note Changing the MTU or the fragmentation option on any interface tears down all existing connections. For example, if 100 active tunnels terminate on the public interface, and you change the MTU on the private interface, all of the active tunnels on the public interface are dropped.
The IPSec fragmentation policy specifies how to treat packets that exceed the MTU setting when tunneling traffic through the public interface. This feature provides a way to handle cases where a router or NAT device between the VPN 3002 and the VPN Concentrator rejects or drops IP fragments. For example, suppose a PC behind a VPN 3002 wants to FTP put a large file to an FTP server behind a VPN Concentrator. The PC transmits packets that when encapsulated would exceed the VPN 3002's MTU size on the public interface. The following options determine how the VPN 3002 processes these packets.
The fragmentation policy you set here applies to all traffic travelling out the VPN 3002 public interface to VPN Concentrators. The second and third options described below may affect performance rates.
The VPN 3002 encapsulates all tunneled packets. After encapsulation, the VPN 3002 fragments packets that exceed the MTU setting before transmitting them through the public interface. This option works for situations where fragmented packets are allowed through the tunnel without hindrance. For the FTP example, large packets are encapsulated and then fragmented at the IP layer. Intermediate devices may drop all fragments, or only out-of-order fragments. Load-balancing devices can introduce out-of-order fragments.
The VPN 3002 fragments tunneled packets that would exceed the MTU setting during encapsulation. For this option, the VPN 3002 drops large packets that have the Don't Fragment (DF) bit set, and sends an ICMP message "Packet needs to be fragmented but DF is set" to the packet's initiator. The ICMP message includes the maximum MTU size allowed. Path MTU Discovery means that an intermediate device (in this case the VPN 3002) informs the source of the MTU permitted to reach the destination.
If a large packet does not have the DF bit set, the VPN 3002 fragments prior to encapsulating, thus creating two independent non-fragmented IP packets, and transmits them out the public interface. This is the default policy for the VPN 3002 hardware client.
For this example, the PC that is the FTP client may use Path MTU Discovery to adjust the size of the packets it transmits to this destination.
The VPN 3002 fragments tunneled packets that exceed the MTU setting before encapsulating them. If the DF bit on these packets is set, the VPN 3002 clears the DF bit, fragments the packets, and then encapsulates them. This action creates two independent non-fragmented IP packets leaving the public interface and successfully transmits these packets to the peer site by turning the fragments into complete packets to be reassembled at the peer site.
In our example, the VPN 3002 overrides the MTU and allows fragmentation by clearing the DF bit.
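The ping-based MTU rule and the three IPSec fragmentation policies described above, modelled as an added Python example (this is not Cisco code). The 58-byte per-packet encapsulation overhead, the policy names, and the simplified fragment accounting are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

PING_HEADERS = 42   # IP + ICMP + Ethernet bytes not counted by "ping -f -l", per the note above
ESP_OVERHEAD = 58   # assumed tunnel encapsulation overhead per packet (hypothetical value)


def mtu_from_ping(largest_passing_payload: int) -> int:
    """Convert the largest payload that 'ping -f -l <n>' delivered into the MTU to configure."""
    return largest_passing_payload + PING_HEADERS


@dataclass
class Result:
    wire: List[int]            # sizes of packets leaving the public interface
    ip_fragments: bool         # True when those packets are IP fragments needing reassembly
    dropped: bool = False      # True when the packet was discarded (DF honoured)
    icmp_mtu: Optional[int] = None  # MTU reported in "needs fragmentation but DF set"


def _split(size: int, limit: int) -> List[int]:
    """Cut `size` bytes into chunks of at most `limit` bytes (no per-fragment headers modelled)."""
    return [limit] * (size // limit) + ([size % limit] if size % limit else [])


def tunnel(size: int, df: bool, mtu: int, policy: str) -> Result:
    """Apply one fragmentation policy to a plaintext packet of `size` bytes heading into the tunnel.

    policy: "after"           = fragment after encapsulation (option 1)
            "before_pmtud"    = fragment before encapsulation, honour DF (option 2, default)
            "before_clear_df" = fragment before encapsulation, clear DF (option 3)
    """
    if size + ESP_OVERHEAD <= mtu:                      # fits: encapsulate and send unchanged
        return Result([size + ESP_OVERHEAD], False)
    if policy == "after":                               # encapsulate first, then IP-fragment
        return Result(_split(size + ESP_OVERHEAD, mtu), True)
    if df and policy == "before_pmtud":                 # DF set: drop and tell the sender the limit
        return Result([], False, dropped=True, icmp_mtu=mtu - ESP_OVERHEAD)
    # DF clear (or cleared by option 3): fragment first, then encapsulate each piece on its own,
    # so the wire carries complete, non-fragmented IP packets
    pieces = _split(size, mtu - ESP_OVERHEAD)
    return Result([p + ESP_OVERHEAD for p in pieces], False)
```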
To apply your settings to this interface and include your settings in the active configuration, click Apply. The Manager returns to the Configuration | Interfaces screen.
To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.
To discard your settings, click Cancel. The Manager returns to the Configuration | Interfaces screen.
Posted: Fri Jan 30 05:12:31 PST 2004
All contents are Copyright © 1992--2004 Cisco Systems, Inc. All rights reserved.