AXP 1.6 User Guide
Cisco AXP Advanced Networking

Table Of Contents

Cisco AXP Advanced Networking

Source-based IP Routing

Access Control List

Verifying Access Control Lists

Configuring Source-Based Routing

Source-Based Routing Example

VLAN and Virtual Interfaces

Configuring a Virtual Interface

Configuring a VLAN Interface

VLAN Configuration Example


Cisco AXP Advanced Networking


Source-based IP Routing

Source-based IP routing, also known as static route configuration, is required for application-initiated data transfer (for example, by client applications) and determines the outbound interface when multiple interfaces are bound to an application instance.

Source-based routing is implemented for server applications so that response packets are routed back through the incoming interface, independent of the destination address.

Consider traffic entering the Cisco AXP service module through an Ethernet interface, for example eth0.20, from an external IP address X. When the Cisco AXP application generates a reply, the reply packet carries the address of eth0.20 as its source IP address and X as its destination IP address.

If source-based routing is not applied, this packet is sent to a default route through eth0. Source-based routing routes traffic based on the source IP address and sends it through the originating interface, which, in our example above, is eth0.20.


Note For the Cisco AXP network configuration, the destination interface to which you send the response packet is the same as the incoming interface.


If an application specifies the source IP address when a socket is opened, it will use source-based routing to select the interface to send traffic.

Access Control List

Configuring an access control list (ACL) on the Cisco AXP platform is similar to configuring an ACL on Cisco IOS software.

Packet filtering helps control packet movement through the network by helping to limit network traffic and restrict network use by certain users or devices. Use ACLs to permit or deny packets from crossing specified interfaces.

Using the ip access-list standard command enables standard ACL configuration mode (config-std-nacl). You can then configure the permit command in ACL sub-mode (config-std-nacl) to set up the standard IP access list.

SUMMARY STEPS

1. configure terminal

2. ip access-list standard {acl-name | acl-num}

3. [line-num] permit {source-ip [wildcard] | host source-ip | any} [log]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure terminal

Example:

SE-Module> configure terminal

Enters global configuration mode.

Step 2 

ip access-list standard {acl-name | acl-num}

Example:

se_module (config)> ip access-list standard test

Enables standard ACL configuration mode (config-std-nacl). This command enters standard ACL configuration mode in which all subsequent commands apply to the current standard access list.

acl-name—Access list to which all commands entered from ACL configuration mode apply, using an alphanumeric string of up to 30 characters, beginning with a letter.

acl-num—Access list to which all commands entered from access list configuration mode apply, using a numeric identifier. For standard access lists, the valid range is 1 to 99.

Step 3 

[line-num] permit {source-ip [wildcard] | host source-ip | any} [log]

Example:

se-Module (config-std-nacl)> permit 155.168.10.0 any

Adds a line to a standard access-list that specifies the type of packets to be permitted for further processing.

The permit command is used in standard ACL configuration mode (config-std-nacl).

line-num—Entry at a specific line number in the access list.

permit—Allows packets that match the specified conditions to be processed.

source-ip—Source IP address. Number of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted-decimal format (for example, 0.0.0.0).

wildcard—(Optional) Portions of the preceding IP address to match, expressed in four-part dotted-decimal notation. Bits that must match are identified by a bit value of 0; bits to ignore are identified by a 1.

For standard IP ACLs, the wildcard parameter of the ip access-list command is always optional. If the host keyword is specified for a standard IP ACL, then the wildcard parameter is not allowed.

host—Matches the single IP address that follows the keyword.

any—Matches any IP address.

log—(Optional) Sends a logging message to the console about the packet matching the entry.

The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets.

The message is generated for the first packet that matches the entry, and then repeats at 5-minute intervals, including the number of packets permitted or denied in the previous 5-minute interval.

Verifying Access Control Lists

To view the access control lists configured on the platform, use the show ip access-list command in Cisco AXP EXEC mode, as described in the following step.

SUMMARY STEPS

1. show ip access-list [<1-99> | <name>] [interface intf] [details]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

show ip access-list [<1-99> | <name>] [interface <intf>] [details]

Example:

SE-Module>show ip access-list

Lists the rule set of the access list specified by number or name, or the access list associated with a specific interface.

If no access list name or number and no interface is entered, the command lists the entire rule set of all the access lists configured in the system.

1-99—Access list number.

name—Access list name.

intf—Interface name.

details—Displays the chain created by the ACL in raw iptables format.

Configuring Source-Based Routing

Route Map Policy

Configure only one route-map set, because only one set can be applied with the ip local policy command. Do not enter a second set in the CLI, even if that second set is not going to be applied.

Example:

set 1:
route-map APPCUSX 10
 match ip address 10
 set route table 10
 exit

route-map APPCUSX 20
 match ip address 20
 set route table 20
 exit

set 2:   <------- Do not apply
route-map APPCUSY 10
 match ip address 10
 set route table 10
 exit

route-map APPCUSY 20
 match ip address 20
 set route table 20
 exit

SUMMARY STEPS

1. Configure the following Cisco IOS commands on the router. Configuration steps here include configuring the Virtual Private Network (VPN) routing/forwarding (VRF) tables. For more information on VRF-Lite, refer to Configuring VRF-Lite.

configure terminal

ip vrf vrf-name

rd ip-address

route-target export ip-address

route-target import ip-address

interface GigabitEthernet 0/1

ip address ip-address network-mask

duplex auto

speed auto

ip vrf forwarding vrf-name

interface Integrated-Service-Engine 1/0

ip unnumbered GigabitEthernet0/0

service-module ip address ip-address network-mask

service-module ip default-gateway ip-address

no keepalive

interface Integrated-Service-Engine 1/0.1

encapsulation dot1q vlan-id

ip address ip-address network-mask

ip vrf forwarding vrf-name

exit

2. Configure the following Cisco AXP commands on the service module:

a. Create a connected route for the route table:

configure terminal

interface device-name

ip address ip-address network-mask

ip route table table-num

exit

b. Set up an access list to match the source address of eth0.x.

ip access-list standard {acl-name | acl-num}

[line-num] permit {source-ip [wildcard] | host source-ip | any} [log]

exit

c. Create a route map policy to associate source address matching.

route-map name number

match ip address {acl-num | acl-name }

set route table table-num

exit

ip local policy route-map map-tag

ip route table num dest-prefix net-mask default-gw

ip route table num dest-prefix net-mask blackhole

exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

Configure the following Cisco IOS commands on the router (Includes configuring routing/forwarding tables for VRF):

 

configure terminal

Router# configure terminal

Enters global configuration mode.


ip vrf vrf-name

Configures a VRF routing table and enters VRF configuration mode.

vrf-name—Name assigned to a VRF.


rd route-distinguisher

Router(config-vrf)# rd 200.7.7.1:10

Adds an 8-byte value to an IPv4 prefix to create a VPN IPv4 prefix.


route-target export ip-address

Exports routing information to the target VPN extended community.


route-target import ip-address

Imports routing information from the target VPN extended community.


exit

Exits VRF configuration mode.


interface GigabitEthernet 0/1

Selects an interface to configure and enters interface configuration mode.


ip address ip-address network-mask

Sets the IP address of the interface.


duplex auto

Configures the duplex operation on an interface.

auto—Specifies the autonegotiation capability. The interface automatically operates at half or full duplex, depending on:

Environmental factors, such as the type of media.

Transmission speeds for the peer routers, hubs, and switches used in the network configuration.


speed auto

Configures the speed for a Fast Ethernet interface.

auto—Turns on the Fast Ethernet autonegotiation capability.

The interface automatically operates at 10 or 100 Mbps depending on:

Environmental factors, such as the type of media.

Transmission speeds for the peer routers, hubs, and switches used in the network configuration.


ip vrf forwarding vrf-name

Associates a VRF with an interface or subinterface.

vrf-name—Name assigned to a VRF.


interface Integrated-Service-Engine 1/0

Selects an interface to configure and enters interface configuration mode.


ip unnumbered GigabitEthernet0/0

Enables IP processing on an interface without assigning an explicit IP address to the interface.


service-module ip address ip-address network-mask

Specifies the IP address for the module interface to the router.


service-module ip default-gateway ip-address

Specifies the IP address for the default gateway router for the module.


no keepalive

Disables the ability to send keepalive packets.


interface integrated-service-engine 1/0.1

Example:

Router(config)# interface integrated-service-engine 1/0.1

Enters sub-interface mode.


encapsulation dot1q vlan-id

Example:

Router(config-subif)# encapsulation dot1q 10

Configures the subinterface as a VLAN subinterface.

dot1q—Defines the encapsulation format as IEEE 802.1Q VLAN.

vlan-id—Number that identifies the VLAN. The router applies the service policy of the physical interface to all of the individual VLANs configured on the interface.


ip address ip-address network-mask

Example:

Router(config-subif)# ip address 209.165.201.1 255.255.255.224

Sets the IP address of the interface.


ip vrf forwarding vrf-name

Example:

Router(config-subif)# ip vrf forwarding red

Configures the VRF forwarding table.

vrf-name—VRF table name.


exit

Exits configuration mode.

Step 2 

Configure the following Cisco AXP commands on the service module:

 

configure terminal

se-Module>config t

Enters global configuration mode.


interface device-name

se-Module(config-interface)>

Enters interface mode and configures the network interfaces.

device-name—Ethernet device name.

For example, the device name can be eth0 or eth1 for a built-in physical interface, eth0:1 for a virtual interface, or eth0.1 for a VLAN interface.

You can configure the virtual or VLAN interfaces only if these interfaces are not bound to the virtual hosting environment.


ip address ip-address network-mask 

Sets the IP address.


ip route table table-num 

Sets up the connected route.

table-num—Select a route table number from 1 to 100.


exit 

Exits interface mode.


ip access-list standard {acl-name | acl-num}

se_Module(config t)> ip access-list standard

Enables standard ACL configuration mode (config-std-nacl). This command enters standard ACL configuration mode in which all subsequent commands apply to the current standard access list.

acl-name—Access list to which all commands entered from ACL configuration mode apply, using an alphanumeric string of up to 30 characters, beginning with a letter.

acl-num—Access list to which all commands entered from access list configuration mode apply, using a numeric identifier. For standard access lists, the valid range is 1 to 99.

You can set further options under standard ACL configuration mode (config-std-nacl) as shown in the remaining steps.


[line-num] permit {source-ip [wildcard] | host source-ip | any} [log]

se-Module(config-std-nacl)> permit

Configured in access-list configuration mode.

Adds a line to a standard access-list that specifies the type of packets to be permitted for further processing.

Use the permit command in standard ACL configuration mode (config-std-nacl).

line-num (optional)—Entry at a specific line number in the access list.

permit—Allows packets that match the specified conditions to be processed.

source-ip—Source IP address. The number of the network or host from which the packet is being sent, specified as a 32-bit quantity in 4-part dotted-decimal format (for example, 0.0.0.0).

wildcard—(Optional) Portions of the preceding IP address to match, expressed using 4-digit, dotted-decimal notation. Bits to match are identified by a digital value of 0; bits to ignore are identified by a 1.

Note For standard IP ACLs, the wildcard parameter of the ip access-list command is always optional. If the host keyword is specified for a standard IP ACL, then the wildcard parameter is not allowed.

host—Matches the following IP address.

any—Matches any IP address.

log—(Optional) Sends a logging message to the console about the packet matching the entry.

The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets.

The message is generated for the first packet that matches the entry, and then repeats at 5-minute intervals, including the number of packets permitted or denied in the previous 5-minute interval.


exit

Exits access list configuration mode.


route-map map-tag number

se-Module(config t)> route-map

Enters route map configuration mode. The route map is used to match source filtering with a specific routing table.

map-tag—Select a name for the route map.

number—Select a route map number from 1 to 100.


match ip address {acl-num | acl-name}

se-Module(config-route-map)> match

Matches the IP address for the route map using either the number or the name of the access control list.

acl-num—Access control list number.

acl-name—Name of the access control list.


set route table table-num

se-Module(config-route-map)> set

Sets the route table.

table-num—Same table number as in the ip route table command.


exit 

Exits route-map subcommand mode.


ip local policy route-map map-tag

se-Module(config)> ip local policy route-map

Identifies a route map to use for policy routing.

map-tag—Name must match the map-tag in the route-map command.


ip route table table-num dest-prefix net-mask default-gw

se-Module(config)> ip route table

Sets the route table for a specific destination prefix and default gateway.

table-num—Same table number as in the ip route table command.

dest-prefix—Destination prefix

net-mask—Network mask

default-gw—Default gateway


ip route table table-num dest-prefix net-mask blackhole

se-Module(config)> ip route table

Sets a blackhole route in the route table for a specific destination prefix, so that packets matching the prefix are dropped.

table-num—Same table number as in the ip route table command.

dest-prefix—Destination prefix

net-mask—Network mask

default-gw—Default gateway

blackhole—Sets a blackhole route for dropping packets.


exit

Exits global configuration mode.

Source-Based Routing Example

Source-Based IP Routing

interface eth0.100
  ip route table 10                            <-- sets up the connected route for table 10
  ip address 209.165.201.1 255.255.255.224
  exit
interface eth0.200
  ip route table 20
  ip address 11.11.10.2 255.255.255.0
  exit
ip access-list standard 100
  permit 10.7.8.9                              <-- source address that will be used for source-based routing
  exit
ip access-list standard 200
  permit 11.11.10.2
  exit
ip route table 10 0.0.0.0 0.0.0.0 10.7.8.10    <-- defines the default route in table 10
ip route table 20 0.0.0.0 0.0.0.0 11.11.10.3
route-map CLASSIFY 10
  match ip addr 100                            <-- defines the source-based routing address and routing table
  set route table 10
  exit
route-map CLASSIFY 20
  match ip addr 200
  set route table 20
  exit
ip local policy route-map CLASSIFY
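The following Python model is an added example, not Cisco code or anything shipped with the AXP software. It ties together three passages of this chapter: the standard ACL matching rules from the "Access Control List" section (wildcard bits, host, any, first match wins, implicit deny), the one-route-map-set rule from "Route Map Policy", and the example above, which it parses and evaluates to find the route table and next hop a locally generated packet would take. It understands only the CLI subset shown on this page; the interface stanzas are left out because they do not affect the policy decision. The blackhole entry in table 20, the second route-map set named UNUSED (of the kind the chapter says not to enter) and the "default route via eth0" fallback string are constructed additions or assumptions, not page content.

```python
"""Model of the source-based routing this chapter describes (standard ACL ->
route-map -> 'ip local policy' -> next hop from the selected route table).
Added example, not Cisco code; it parses only the CLI subset shown on this page."""
import ipaddress

# Constructed sample: the ACL, route table, route-map and local-policy lines of
# the chapter's example, plus two additions NOT on the page: a blackhole entry
# in table 20 and a second route-map set (UNUSED) the chapter says not to enter.
SAMPLE_CONFIG = """
ip access-list standard 100
  permit 10.7.8.9
  exit
ip access-list standard 200
  permit 11.11.10.2
  exit
ip route table 10 0.0.0.0 0.0.0.0 10.7.8.10
ip route table 20 0.0.0.0 0.0.0.0 11.11.10.3
ip route table 20 192.0.2.0 255.255.255.0 blackhole
route-map CLASSIFY 10
  match ip addr 100
  set route table 10
  exit
route-map CLASSIFY 20
  match ip addr 200
  set route table 20
  exit
route-map UNUSED 10
  match ip addr 100
  set route table 10
  exit
ip local policy route-map CLASSIFY
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def acl_permits(entries, src):
    """Standard ACL: wildcard bit 0 = must match, 1 = ignore; first match decides; no match = implicit deny."""
    for action, addr, wildcard in entries:
        if ((_ip(src) ^ _ip(addr)) & ~_ip(wildcard) & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False

def _acl_entry(words):
    """'[line-num] permit|deny {addr [wildcard] | host addr | any} [log]' -> (action, addr, wildcard)."""
    words = [t for t in words if not t.isdigit() and t != "log"]  # drop line-num and log
    action, rest = words[0], words[1:]
    if rest[0] == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if rest[0] == "host":
        return action, rest[1], "0.0.0.0"
    return action, rest[0], (rest[1] if len(rest) > 1 else "0.0.0.0")

def parse_config(text):
    cfg = {"acls": {}, "tables": {}, "route_maps": {}, "local_policy": None}
    ctx = None
    for w in (line.split() for line in text.splitlines()):
        if not w:
            continue
        if w[0] == "exit":
            ctx = None
        elif ctx and ctx[0] == "acl":
            cfg["acls"][ctx[1]].append(_acl_entry(w))
        elif ctx and ctx[0] == "rm":
            entry = cfg["route_maps"][ctx[1]][ctx[2]]
            if w[0] == "match":                          # match ip address|addr <acl>
                entry["acl"] = w[3]
            elif w[:3] == ["set", "route", "table"]:
                entry["table"] = int(w[3])
        elif w[:3] == ["ip", "access-list", "standard"]:
            ctx = ("acl", w[3])
            cfg["acls"].setdefault(w[3], [])
        elif w[0] == "route-map":
            ctx = ("rm", w[1], int(w[2]))
            cfg["route_maps"].setdefault(w[1], {})[int(w[2])] = {}
        elif w[:3] == ["ip", "route", "table"]:          # dest-prefix net-mask {gw | blackhole}
            cfg["tables"].setdefault(int(w[3]), []).append((w[4], w[5], w[6]))
        elif w[:4] == ["ip", "local", "policy", "route-map"]:
            cfg["local_policy"] = w[4]
    return cfg

def lookup(routes, dst):
    """Longest-prefix match in one route table: next-hop address, 'blackhole', or None."""
    best = None
    for prefix, mask, next_hop in routes:
        m = _ip(mask)
        if (_ip(dst) & m) == (_ip(prefix) & m) and (best is None or m > best[0]):
            best = (m, next_hop)
    return best[1] if best else None

def select_route(cfg, src, dst):
    """(table, next hop) for a locally generated packet: the route-map named by
    'ip local policy' classifies by source address in sequence order; unmatched
    traffic takes the default route through eth0 (fallback string is an assumption)."""
    sequences = cfg["route_maps"].get(cfg["local_policy"], {})
    for seq in sorted(sequences):
        entry = sequences[seq]
        if acl_permits(cfg["acls"].get(entry.get("acl"), []), src):
            return entry["table"], lookup(cfg["tables"].get(entry["table"], []), dst)
    return "main", "default route via eth0"

def unapplied_route_maps(cfg):
    """Route-map sets not referenced by 'ip local policy'; the chapter says to
    configure only one set, so any name returned here is a misconfiguration."""
    return sorted(n for n in cfg["route_maps"] if n != cfg["local_policy"])
```

With the sample, a packet sourced from 10.7.8.9 resolves to table 10 and gateway 10.7.8.10, one sourced from 11.11.10.2 to table 20 (gateway 11.11.10.3, or the blackhole for destinations in 192.0.2.0/24), and a packet from an address no ACL permits falls back to the default route. unapplied_route_maps reports UNUSED, which is exactly the second set the "Route Map Policy" section tells you not to configure.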

VRF Configuration

In this example, the VRF is named red and dot1Q encapsulation is used with ID tag 10 to relay VRF traffic from the router to the service module.

ip vrf red
 rd 192.0.2.0:10
 route-target export 192.0.2.0:10
 route-target import 192.0.2.0:10
interface GigabitEthernet0/1
 ip address 10.7.7.7 255.255.255.0
 duplex auto
 speed auto
 ip vrf forwarding red
interface Integrated-Service-Engine1/0
 ip unnumbered GigabitEthernet0/0
 service-module ip address 209.165.201.1 255.255.255.224
 service-module ip default-gateway 209.165.201.2
 no keepalive
interface Integrated-Service-Engine1/0.1
 encapsulation dot1Q 10
 ip address 10.7.8.8 255.255.255.0
 ip vrf forwarding red 

VLAN and Virtual Interfaces

Virtual and VLAN interfaces can only be created on configured, nonvirtual interfaces. An appropriate route must be set up on the Cisco IOS software side to direct traffic to the new network.

Table 10 shows an example of VLAN and virtual interface naming differences between Cisco IOS and Cisco AXP (Linux).

Table 10 Differences between VLAN and Virtual Interface Names

Interface: VLAN

  Cisco IOS:
    interface Integrated-Service-Engine 1/0.1
    encapsulation dot1Q 10
    ip address 172.23.101.1 255.255.255.0

  Cisco AXP: eth<#>.<#>
    Example—eth0.10, where 10 is the VLAN ID tag used to send traffic.

Interface: Virtual

  Cisco IOS:
    interface Integrated-Service-Engine 1/0.1
    ip address 172.23.101.1 255.255.255.0

  Cisco AXP: eth<#>:<#>
    Example—eth0:10, where 10 is a locally significant number that distinguishes the interface within the service module.


Configuring a Virtual Interface

To configure a virtual interface, perform the following steps.

SUMMARY STEPS

1. configure terminal

2. interface eth0:x

3. ip address ip-address

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure terminal

Enters global configuration mode.

Step 2 

interface eth0:x

Configures the virtual interface and enters interface submode.

x—Interface number.

Note The colon (":") indicates this is a virtual interface.

Step 3 

ip address ip-address

Configures the IP address.

Configuring a VLAN Interface

VLAN needs to be configured on both the router and the Cisco AXP service module. In the router configuration below, the dot (".") in "port.x" indicates a subinterface. Refer to Table 10 for virtual and VLAN naming differences.

To configure an appropriate route for the Cisco IOS software to set up traffic to the VLAN interface, it is necessary to configure the interface to DOT1Q mode.

DOT1Q mode only affects traffic that flows through this interface; it does not inject the VLAN tag for end-to-end traffic. If no native VLAN is configured on an interface, Cisco IOS by default uses encapsulation dot1Q 1 as the native VLAN.

On the Cisco AXP service module, VLAN ID 1 is always the native interface.


Note It is not possible to ping the Cisco AXP service module from the router when using encapsulation 1 on the router, with a subinterface on the service module that has a matching native VLAN ID of 1 (eth0.1).

Recommendation

Try using a VLAN ID greater than 1 if it is not necessary to use VLAN ID 1 in your network. If you must use VLAN ID 1, add a native command to another DOT1Q interface and then use VLAN ID 1, as shown in the "VLAN Configuration Example" section.


To configure a VLAN interface, perform the following steps.

SUMMARY STEPS

1. On the router side:

configure terminal

ip routing

interface integrated-service-engine slot/port.x

encapsulation dot1q vlanid

ip address ip-address

2. On the Cisco AXP Service Module:

configure terminal

interface ethport.x

ip address ip-address

DETAILED STEPS

 
Command or Action
Purpose

On the router side:

 

Step 1 

configure terminal

Enters configuration mode.


ip routing

Enables IP routing on the router.


interface integrated-service-engine slot/port.x

Enters subinterface configuration mode.

x—Interface number.

Note Use a value of x greater than 1.


encapsulation dot1Q vlanid

Defines the encapsulation format as IEEE 802.1Q (dot1q), and specifies the VLAN identifier.

vlanid—VLAN identifier.


ip address ip-address 

Configures the IP address for the interface.


On the Cisco AXP service module:

 

Step 2 

configure terminal

Enters configuration mode.


interface ethport.x

Enters interface submode.

x—VLAN id.


ip address ip-address

Configures IP address.

VLAN Configuration Example

On the router:

interface Integrated-Service-Engine 1/0.1   <-- 1/0.1 for the VLAN subinterface
 encapsulation dot1Q 10                     <-- dot1Q encapsulation for the VLAN
 ip address 209.165.201.1 255.255.255.224

interface Integrated-Service-Engine 1/0.2
 encapsulation dot1Q 20
 ip address 209.165.202.1 255.255.255.224

On the Cisco AXP Module:

interface eth0.10                           <-- eth0.10 is the VLAN interface syntax; 10 is the VLAN ID
 ip address 209.165.201.2 255.255.255.224

interface eth0.20
 ip address 209.165.202.2 255.255.255.224
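The following Python checker is an added example, not Cisco code or part of the AXP software. It covers the naming rules of Table 10 (a colon marks a virtual interface, a dot marks a VLAN interface) and the pairing described in "Configuring a VLAN Interface": each eth0.x on the service module must have a router subinterface carrying the same 802.1Q tag in the same subnet, and VLAN ID 1 should be avoided because it is the native VLAN on the module (the note above). It parses only the configuration lines shown on this page. ROUTER_CONFIG and AXP_CONFIG copy the example above; AXP_CONFIG_BAD is a constructed misconfiguration, not page content, included so the checker has findings to report.

```python
"""Checks for the VLAN and virtual interface naming and pairing rules in this
chapter. Added example, not Cisco code; it parses only the router and Cisco AXP
configuration lines shown on this page."""
import ipaddress
import re

AXP_NAME = re.compile(r"^(eth\d+)(?:([.:])(\d+))?$")

# Constructed samples. ROUTER_CONFIG and AXP_CONFIG copy the chapter's VLAN
# configuration example (arrow comments removed); AXP_CONFIG_BAD is NOT from the
# page and deliberately breaks the rules so the checker has something to report.
ROUTER_CONFIG = """
interface Integrated-Service-Engine 1/0.1
 encapsulation dot1Q 10
 ip address 209.165.201.1 255.255.255.224
interface Integrated-Service-Engine 1/0.2
 encapsulation dot1Q 20
 ip address 209.165.202.1 255.255.255.224
"""
AXP_CONFIG = """
interface eth0.10
 ip address 209.165.201.2 255.255.255.224
interface eth0.20
 ip address 209.165.202.2 255.255.255.224
"""
AXP_CONFIG_BAD = """
interface eth0.10
 ip address 209.165.201.2 255.255.255.0
interface eth0.1
 ip address 209.165.203.2 255.255.255.224
interface eth0.30
 ip address 209.165.204.2 255.255.255.224
"""

def classify_axp_interface(name):
    """Table 10 naming: eth0 is physical, eth0:N virtual (colon), eth0.N VLAN
    (dot). Returns (kind, parent, number); number is None for a physical port."""
    m = AXP_NAME.match(name)
    if not m:
        raise ValueError(f"not a Cisco AXP interface name: {name}")
    parent, sep, num = m.groups()
    if sep is None:
        return "physical", parent, None
    return ("virtual" if sep == ":" else "vlan"), parent, int(num)

def parse_router_vlans(text):
    """VLAN tag -> router subinterface address, from 'encapsulation dot1Q <tag>'
    followed by 'ip address' inside an Integrated-Service-Engine subinterface."""
    result, tag = {}, None
    for w in (line.split() for line in text.splitlines()):
        if not w:
            continue
        if w[0].lower() == "interface":
            tag = None
        elif w[0] == "encapsulation" and w[1].lower() == "dot1q":
            tag = int(w[2])
        elif w[:2] == ["ip", "address"] and tag is not None:
            result[tag] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
    return result

def parse_axp_vlans(text):
    """VLAN ID -> (interface name, address) for every 'interface ethN.x' block."""
    result, current = {}, None
    for w in (line.split() for line in text.splitlines()):
        if not w:
            continue
        if w[0].lower() == "interface":
            kind, _, num = classify_axp_interface(w[1])
            current = (w[1], num) if kind == "vlan" else None
        elif w[:2] == ["ip", "address"] and current:
            result[current[1]] = (current[0], ipaddress.ip_interface(f"{w[2]}/{w[3]}"))
    return result

def check_vlan_pairing(router_text, axp_text):
    """Findings as strings; an empty list means every AXP VLAN interface has a
    router subinterface with the same 802.1Q tag and subnet, and VLAN ID 1
    (the module's native VLAN; see the note in this chapter) is not used."""
    router, axp = parse_router_vlans(router_text), parse_axp_vlans(axp_text)
    findings = []
    for vid, (name, ip) in sorted(axp.items()):
        if vid == 1:
            findings.append(f"{name}: VLAN ID 1 is the native VLAN on the module; use an ID greater than 1")
        if vid not in router:
            findings.append(f"{name}: no router subinterface with encapsulation dot1Q {vid}")
        elif router[vid].network != ip.network:
            findings.append(f"{name}: subnet {ip.network} differs from router subnet {router[vid].network}")
    for vid in sorted(set(router) - set(axp)):
        findings.append(f"dot1Q {vid}: router subinterface has no matching AXP VLAN interface")
    return findings
```

Running check_vlan_pairing on the chapter's example returns no findings; on the constructed bad configuration it reports the VLAN 1 interface twice (native VLAN, and no router subinterface tagged 1), the subnet mismatch on eth0.10, the unpaired eth0.30, and the router subinterface tagged 20 that no module interface answers to.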