Cisco Security Appliance Command Line Configuration Guide, Version 7.0
Configuring IP Routing and DHCP Services

Table Of Contents

Configuring IP Routing and DHCP Services

Configuring Static and Default Routes

Configuring a Static Route

Configuring a Default Route

Configuring OSPF

OSPF Overview

Enabling OSPF

Redistributing Routes Between OSPF Processes

Adding a Route Map

Redistributing Static, Connected, or OSPF Routes to an OSPF Process

Configuring OSPF Interface Parameters

Configuring OSPF Area Parameters

Configuring OSPF NSSA

Configuring Route Summarization Between OSPF Areas

Configuring Route Summarization When Redistributing Routes into OSPF

Generating a Default Route

Configuring Route Calculation Timers

Logging Neighbors Going Up or Down

Displaying OSPF Update Packet Pacing

Monitoring OSPF

Restarting the OSPF Process

Configuring RIP

RIP Overview

Enabling RIP

Dynamic Routing and Failover

Configuring Multicast Routing

Multicast Routing Overview

Enabling Multicast Routing

Configuring IGMP Features

Disabling IGMP on an Interface

Configuring Group Membership

Configuring a Statically Joined Group

Controlling Access to Multicast Groups

Limiting the Number of IGMP States on an Interface

Modifying the Query Interval and Query Timeout

Changing the Query Response Time

Changing the IGMP Version

Configuring Stub Multicast Routing

Configuring a Static Multicast Route

Configuring PIM Features

Disabling PIM on an Interface

Configuring a Static Rendezvous Point Address

Configuring the Designated Router Priority

Filtering PIM Register Messages

Configuring PIM Message Intervals

For More Information about Multicast Routing

Configuring DHCP

Configuring a DHCP Server

Enabling the DHCP Server

Configuring DHCP Options

Using Cisco IP Phones with a DHCP Server

Configuring DHCP Relay Services

Configuring the DHCP Client


Configuring IP Routing and DHCP Services


This chapter describes how to configure IP routing and DHCP on the security appliance. This chapter includes the following sections:

Configuring Static and Default Routes

Configuring OSPF

Configuring RIP

Dynamic Routing and Failover

Configuring Multicast Routing

Configuring DHCP

Configuring Static and Default Routes

This section describes how to configure static routes on the security appliance.

Multiple context mode does not support dynamic routing, so you must use static routes for any networks to which the security appliance is not directly connected; for example, when there is a router between a network and the security appliance.

You might want to use static routes in single context mode in the following cases:

Your networks use a different router discovery protocol from RIP or OSPF.

Your network is small and you can easily manage static routes.

You do not want the traffic or CPU overhead associated with routing protocols.

The simplest option is to configure a default route to send all traffic to an upstream router, relying on the router to route the traffic for you. However, in some cases the default gateway might not be able to reach the destination network, so you must also configure more specific static routes. For example, if the default gateway is outside, then the default route cannot direct traffic to any inside networks that are not directly connected to the security appliance.

In transparent firewall mode, for traffic that originates on the security appliance and is destined for a non-directly connected network, you need to configure either a default route or static routes so the security appliance knows out of which interface to send traffic. Traffic that originates on the security appliance might include communications to a syslog server, Websense or N2H2 server, or AAA server. If you have servers that cannot all be reached through a single default route, then you must configure static routes.

The security appliance supports up to three equal cost routes on the same interface for load balancing.

This section includes the following topics:

Configuring a Static Route

Configuring a Default Route

For information about configuring IPv6 static and default routes, see the "Configuring IPv6 Default and Static Routes" section on page 9-3.

Configuring a Static Route

To add a static route, enter the following command:

hostname(config)# route if_name dest_ip mask gateway_ip [distance]

The dest_ip and mask are the IP address and mask of the destination network, and the gateway_ip is the address of the next-hop router. The addresses you specify for the static route are the addresses in the packet before it enters the security appliance and NAT is performed.

The distance is the administrative distance for the route; the default is 1 if you do not specify a value. Administrative distance is a parameter used to compare routes learned from different sources. The default administrative distance of 1 for static routes gives them precedence over routes discovered by dynamic routing protocols (routes discovered by OSPF have a default administrative distance of 110), but not over directly connected routes. If a static route has the same administrative distance as a dynamic route, the static route takes precedence. Connected routes always take precedence over static or dynamically discovered routes.

Static routes remain in the routing table even if the specified gateway becomes unavailable. If the specified gateway becomes unavailable, you need to remove the static route from the routing table manually. However, static routes are removed from the routing table if the specified interface goes down. They are reinstated when the interface comes back up.


Note If you create a static route with an administrative distance greater than the administrative distance of the routing protocol running on the security appliance, then a route to the specified destination discovered by the routing protocol takes precedence over the static route. The static route is used only if the dynamically discovered route is removed from the routing table.


The following example creates a static route that sends all traffic destined for 10.1.1.0/24 to the router (10.1.2.45) connected to the inside interface:

hostname(config)# route inside 10.1.1.0 255.255.255.0 10.1.2.45 1

You can define up to three equal cost routes to the same destination per interface. ECMP is not supported across multiple interfaces. With ECMP, the traffic is not necessarily divided evenly between the routes; traffic is distributed among the specified gateways based on an algorithm that hashes the source and destination IP addresses.

The following example shows static routes that are equal cost routes that direct traffic to three different gateways on the outside interface. The security appliance distributes the traffic among the specified gateways.

hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.1
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.2
hostname(config)# route outside 10.10.10.0 255.255.255.0 192.168.1.3

Configuring a Default Route

A default route identifies the gateway IP address to which the security appliance sends all IP packets for which it does not have a learned or static route. A default route is simply a static route with 0.0.0.0/0 as the destination IP address. Routes that identify a specific destination take precedence over the default route.


Note In ASA software Versions 7.0 and later, if you have two default routes configured on different interfaces that have different metrics, the connection to the ASA firewall that is made from the higher metric interface fails, but connections to the ASA firewall from the lower metric interface succeed as expected. PIX software Version 6.3 supports connections from both the higher and the lower metric interfaces.


You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry.

If you attempt to define more than three equal cost default routes, or if you attempt to define a default route with a different interface than a previously defined default route, you receive the message "ERROR: Cannot add route entry, possible conflict with existing routes."

You can define a separate default route for tunneled traffic along with the standard default route. When you create a default route with the tunneled option, all encrypted traffic that arrives on the security appliance and cannot be routed using learned or static routes is sent to this route. Otherwise, if the traffic is not encrypted, the standard default route entry is used. You cannot define more than one default route with the tunneled option; ECMP for tunneled traffic is not supported.

To define the default route, enter the following command:

hostname(config)# route if_name 0.0.0.0 0.0.0.0 gateway_ip [distance | tunneled]


Tip You can enter 0 0 instead of 0.0.0.0 0.0.0.0 for the destination network address and mask, for example: hostname(config)# route outside 0 0 192.168.1.1


The following example shows a security appliance configured with three equal cost default routes and a default route for tunneled traffic. Unencrypted traffic received by the security appliance for which there is no static or learned route is distributed among the gateways with the IP addresses 192.168.2.1, 192.168.2.2, and 192.168.2.3. Encrypted traffic received by the security appliance for which there is no static or learned route is passed to the gateway with the IP address 192.168.2.4.

hostname(config)# route outside 0 0 192.168.2.1
hostname(config)# route outside 0 0 192.168.2.2
hostname(config)# route outside 0 0 192.168.2.3
hostname(config)# route outside 0 0 192.168.2.4 tunneled
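The selection rules described in the two sections above (longest prefix first, then administrative distance, then a per-flow hash among up to three equal cost entries on one interface, and the tunneled default only for encrypted traffic) are easier to check in code than in prose. The following Python model is an added example written for this page, not Cisco software. It reproduces the route commands from the examples above and adds a constructed OSPF-learned route and a floating static route (distance 120) to show when each is used. The hash it uses to spread flows (SHA-256 over the source and destination addresses) is an assumption; the appliance's actual hash algorithm is not documented here.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Administrative distances quoted in the text: connected 0, static default 1, OSPF 110.
AD_CONNECTED, AD_STATIC, AD_OSPF = 0, 1, 110
MAX_ECMP = 3   # "up to three equal cost routes on the same interface"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: str           # next-hop address; "" for a directly connected network
    distance: int
    tunneled: bool = False


class RoutingTable:
    """Toy model of the selection rules on this page, not the appliance's own code."""

    def __init__(self):
        self.routes = []

    def add(self, iface, dest, mask, gateway, distance=AD_STATIC, tunneled=False):
        """Equivalent of: route if_name dest mask gateway [distance | tunneled]."""
        prefix = ipaddress.IPv4Network(f"{dest}/{mask}")
        peers = [r for r in self.routes
                 if r.prefix == prefix and r.distance == distance and r.tunneled == tunneled]
        # Equal-cost entries must share one interface, at most three of them;
        # only one default route may carry the tunneled keyword.
        if any(r.iface != iface for r in peers) or len(peers) >= MAX_ECMP or (tunneled and peers):
            raise ValueError("ERROR: Cannot add route entry, possible conflict with existing routes.")
        self.routes.append(Route(prefix, iface, gateway, distance, tunneled))

    def remove(self, gateway):
        """Models a learned route being withdrawn (or a static route removed by hand)."""
        self.routes = [r for r in self.routes if r.gateway != gateway]

    def lookup(self, src, dst, encrypted=False):
        """Route chosen for a packet from src to dst, or None if nothing matches."""
        dst_ip = ipaddress.IPv4Address(dst)
        cands = [r for r in self.routes if dst_ip in r.prefix]
        if not cands:
            return None
        # 1. Longest prefix wins: a specific route beats the 0.0.0.0/0 default.
        longest = max(r.prefix.prefixlen for r in cands)
        cands = [r for r in cands if r.prefix.prefixlen == longest]
        # 2. Among defaults, the tunneled entry is used only for encrypted traffic.
        if longest == 0:
            tunneled = [r for r in cands if r.tunneled]
            cands = tunneled if (encrypted and tunneled) else [r for r in cands if not r.tunneled]
            if not cands:
                return None
        # 3. Lowest administrative distance wins: connected < static (1) < OSPF (110).
        best = min(r.distance for r in cands)
        cands = [r for r in cands if r.distance == best]
        # 4. Remaining equal-cost entries are chosen per flow by hashing (src, dst).
        #    The appliance's hash is unspecified; SHA-256 here is an assumption.
        h = hashlib.sha256(f"{src}>{dst}".encode()).digest()
        return cands[int.from_bytes(h[:4], "big") % len(cands)]


def build_example_table():
    """Routes from this page's examples plus constructed OSPF-learned and floating static entries."""
    rt = RoutingTable()
    rt.add("inside", "10.1.2.0", "255.255.255.0", "", AD_CONNECTED)
    rt.add("inside", "10.1.1.0", "255.255.255.0", "10.1.2.45")            # route inside ... 1
    rt.add("inside", "10.1.1.0", "255.255.255.0", "10.1.2.46", AD_OSPF)   # learned; loses to static
    rt.add("inside", "10.1.3.0", "255.255.255.0", "10.1.2.46", AD_OSPF)
    rt.add("inside", "10.1.3.0", "255.255.255.0", "10.1.2.45", 120)       # floating static backup
    for gw in ("192.168.2.1", "192.168.2.2", "192.168.2.3"):
        rt.add("outside", "0.0.0.0", "0.0.0.0", gw)                       # route outside 0 0 gw
    rt.add("outside", "0.0.0.0", "0.0.0.0", "192.168.2.4", tunneled=True)
    return rt


def add_conflicts(rt, *args, **kwargs):
    """True if the appliance would reject the entry with the conflict error."""
    try:
        rt.add(*args, **kwargs)
    except ValueError:
        return True
    return False
```

Calling `build_example_table().lookup("10.1.2.9", "10.1.1.5")` returns the static route via 10.1.2.45 even though an OSPF route to the same prefix exists, while the floating static to 10.1.3.0/24 is used only after `remove("10.1.2.46")` withdraws the OSPF route. A fourth default route, a default route on another interface, or a second tunneled default all produce the conflict error quoted in the text.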

Configuring OSPF

This section describes how to configure OSPF. This section includes the following topics:

OSPF Overview

Enabling OSPF

Redistributing Routes Between OSPF Processes

Configuring OSPF Interface Parameters

Configuring OSPF Area Parameters

Configuring OSPF NSSA

Configuring Route Summarization Between OSPF Areas

Configuring Route Summarization When Redistributing Routes into OSPF

Generating a Default Route

Configuring Route Calculation Timers

Logging Neighbors Going Up or Down

Displaying OSPF Update Packet Pacing

Monitoring OSPF

Restarting the OSPF Process

OSPF Overview

OSPF uses a link-state algorithm to build and calculate the shortest path to all known destinations. Each router in an OSPF area contains an identical link-state database, which is a list of each router's usable interfaces and reachable neighbors.

The advantages of OSPF over RIP include the following:

OSPF link-state database updates are sent less frequently than RIP updates, and the link-state database is updated instantly rather than gradually as stale information is timed out.

Routing decisions are based on cost, which is an indication of the overhead required to send packets across a certain interface. The security appliance calculates the cost of an interface based on link bandwidth rather than the number of hops to the destination. The cost can be configured to specify preferred paths.

The disadvantage of shortest path first algorithms is that they require a lot of CPU cycles and memory.

The security appliance can run two processes of OSPF protocol simultaneously, on different sets of interfaces. You might want to run two processes if you have interfaces that use the same IP addresses (NAT allows these interfaces to coexist, but OSPF does not allow overlapping addresses). Or you might want to run one process on the inside, and another on the outside, and redistribute a subset of routes between the two processes. Similarly, you might need to segregate private addresses from public addresses.

Redistribution between the two OSPF processes is supported. Static and connected routes configured on OSPF-enabled interfaces on the security appliance can also be redistributed into the OSPF process. You cannot enable RIP on the security appliance if OSPF is enabled. Redistribution between RIP and OSPF is not supported.

The security appliance supports the following OSPF features:

Support of intra-area, interarea, and external (Type I and Type II) routes.

Support of a virtual link.

OSPF LSA flooding.

Authentication to OSPF packets (both password and MD5 authentication).

Support for configuring the security appliance as a designated router or a backup designated router. The security appliance also can be set up as an ABR; however, the ability to configure the security appliance as an ASBR is limited to default information only (for example, injecting a default route).

Support for stub areas and not-so-stubby-areas.

Area boundary router type-3 LSA filtering.

Advertisement of static and global address translations.

Enabling OSPF

To enable OSPF, you need to create an OSPF routing process, specify the range of IP addresses associated with the routing process, then assign area IDs associated with that range of IP addresses.


Note You cannot enable OSPF if RIP is enabled.


To enable OSPF, perform the following steps:


Step 1 To create an OSPF routing process, enter the following command:

hostname(config)# router ospf process_id

This command enters the router configuration mode for this OSPF process.

The process_id is an internally used identifier for this routing process. It can be any positive integer. This ID does not have to match the ID on any other device; it is for internal use only. You can use a maximum of two processes.

Step 2 To define the IP addresses on which OSPF runs and to define the area ID for that interface, enter the following command:

hostname(config-router)# network ip_address mask area area_id


The following example shows how to enable OSPF:

hostname(config)# router ospf 2
hostname(config-router)# network 10.0.0.0 255.0.0.0 area 0

Redistributing Routes Between OSPF Processes

The security appliance can control the redistribution of routes between OSPF routing processes. The security appliance matches and changes routes according to settings in the redistribute command or by using a route map. See also the "Generating a Default Route" section for another use for route maps.


Note The security appliance cannot redistribute routes between routing protocols. However, the security appliance can redistribute static and connected routes.


This section includes the following topics:

Adding a Route Map

Redistributing Static, Connected, or OSPF Routes to an OSPF Process

Adding a Route Map

To define a route map, perform the following steps:


Step 1 To create a route map entry, enter the following command:

hostname(config)# route-map name {permit | deny} [sequence_number]

Route map entries are read in order. You can identify the order using the sequence_number option, or the security appliance uses the order in which you add the entries.

Step 2 Enter one or more match commands:

To match any routes that have a destination network that matches a standard ACL, enter the following command:

hostname(config-route-map)# match ip address acl_id [acl_id] [...]

If you specify more than one ACL, then the route can match any of the ACLs.

To match any routes that have a specified metric, enter the following command:

hostname(config-route-map)# match metric metric_value

The metric_value can be from 0 to 4294967295.

To match any routes that have a next hop router address that matches a standard ACL, enter the following command:

hostname(config-route-map)# match ip next-hop acl_id [acl_id] [...]

If you specify more than one ACL, then the route can match any of the ACLs.

To match any routes with the specified next hop interface, enter the following command:

hostname(config-route-map)# match interface if_name [if_name] [...]

If you specify more than one interface, then the route can match any of the interfaces.

To match any routes that have been advertised by routers that match a standard ACL, enter the following command:

hostname(config-route-map)# match ip route-source acl_id [acl_id] [...]

If you specify more than one ACL, then the route can match any of the ACLs.

To match the route type, enter the following command:

hostname(config-route-map)# match route-type {internal | external [type-1 | type-2]}

Step 3 Enter one or more set commands.

If a route matches the match commands, then the following set commands determine the action to perform on the route before redistributing it.

To set the metric, enter the following command:

hostname(config-route-map)# set metric metric_value

The metric_value can be a value between 0 and 4294967295.

To set the metric type, enter the following command:

hostname(config-route-map)# set metric-type {type-1 | type-2}


The following example shows how to redistribute routes with a metric equal to 1. The security appliance redistributes these routes as external LSAs with a metric of 5, metric type of Type 1.

hostname(config)# route-map 1-to-2 permit
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set metric-type type-1

Redistributing Static, Connected, or OSPF Routes to an OSPF Process

To redistribute static, connected, or OSPF routes from one process into another OSPF process, perform the following steps:


Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to redistribute into by entering the following command:

hostname(config)# router ospf process_id

Step 2 To specify the routes you want to redistribute, enter the following command:

hostname(config-router)# redistribute {ospf process_id [match {internal | external 1 | external 2}] | static | connected} [metric metric-value] [metric-type {type-1 | type-2}] [tag tag_value] [subnets] [route-map map_name]

The ospf process_id, static, and connected keywords specify from where you want to redistribute routes.

You can either use the options in this command to match and set route properties, or you can use a route map. The tag and subnets options do not have equivalents in the route-map command. If you use both a route map and options in the redistribute command, then they must match.


The following example shows route redistribution from OSPF process 1 into OSPF process 2 by matching routes with a metric equal to 1. The security appliance redistributes these routes as external LSAs with a metric of 5, metric type of Type 1, and a tag equal to 1.

hostname(config)# route-map 1-to-2 permit
hostname(config-route-map)# match metric 1
hostname(config-route-map)# set metric 5
hostname(config-route-map)# set metric-type type-1
hostname(config-route-map)# set tag 1
hostname(config)# router ospf 2
hostname(config-router)# redistribute ospf 1 route-map 1-to-2

The following example shows the specified OSPF process routes being redistributed into OSPF process 109. The OSPF metric is remapped to 100.

hostname(config)# router ospf 109
hostname(config-router)# redistribute ospf 108 metric 100 subnets

The following example shows route redistribution where the link-state cost is specified as 5 and the metric type is set to type-2 (external type 2), so that these routes are preferred less than internal routes and type 1 external routes:

hostname(config)# router ospf 1
hostname(config-router)# redistribute ospf 2 metric 5 metric-type type-2
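The following Python model is an added example for the "Adding a Route Map" and "Redistributing Static, Connected, or OSPF Routes to an OSPF Process" sections above; it is not Cisco code. It applies a route map to a list of source-process routes the way the text describes: entries are evaluated in sequence order, the first matching entry wins, every match clause in an entry must be satisfied, any one of several ACLs satisfies a match ip address clause, and a route that matches no entry is dropped by the implicit deny at the end of the map. The ACL format (a list of networks the route prefix must fall inside), the default metric-type of type-2 for redistributed routes, and the constructed "blocked" ACL covering 10.9.0.0/16 are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass
class Route:
    prefix: str                    # e.g. "10.1.1.0/24"
    metric: int
    route_type: str = "internal"   # internal | external type-1 | external type-2
    next_hop: str = ""
    metric_type: str = "type-2"    # assumption: redistributed routes default to external type 2
    tag: int = 0


@dataclass
class Entry:
    action: str                                  # permit | deny
    seq: int
    match: dict = field(default_factory=dict)    # clause -> value; every clause must match
    sets: dict = field(default_factory=dict)     # Route field -> value applied on a permit


class RouteMap:
    def __init__(self, name):
        self.name = name
        self.entries = []

    def entry(self, action, seq=None, match=None, sets=None):
        """route-map name {permit | deny} [seq]. Without seq, the next number is
        assigned after the last entry (simplified from the appliance's behaviour)."""
        if seq is None:
            seq = self.entries[-1].seq + 10 if self.entries else 10
        self.entries.append(Entry(action, seq, dict(match or {}), dict(sets or {})))
        self.entries.sort(key=lambda e: e.seq)   # entries are evaluated in sequence order
        return self

    @staticmethod
    def _clause_matches(route, clause, value, acls):
        if clause == "metric":
            return route.metric == value
        if clause == "route-type":
            return route.route_type.startswith(value)   # "external" matches both types
        if clause in ("ip address", "ip next-hop"):
            # One or more standard ACLs: the route matches if ANY of them permits it.
            target = (ipaddress.ip_network(route.prefix) if clause == "ip address"
                      else ipaddress.ip_network(route.next_hop + "/32"))
            return any(target.subnet_of(net) for name in value for net in acls.get(name, []))
        raise ValueError(f"unsupported match clause {clause!r}")

    def apply(self, route, acls):
        """Return the route as it would be redistributed, or None if it is filtered."""
        for e in self.entries:
            if all(self._clause_matches(route, k, v, acls) for k, v in e.match.items()):
                if e.action == "deny":
                    return None
                return replace(route, **e.sets)
        return None   # no entry matched: implicit deny at the end of every route map


def redistribute(routes, route_map, acls):
    """'redistribute ospf N route-map map_name': the external routes injected into the target process."""
    out = []
    for r in routes:
        res = route_map.apply(r, acls)
        if res is not None:
            out.append(replace(res, route_type="external " + res.metric_type))
    return out


# Constructed standard ACL used by the deny entry below (not from the page).
ACLS = {"blocked": [ipaddress.ip_network("10.9.0.0/16")]}


def example_one_to_two():
    """The page's 1-to-2 map (match metric 1; set metric 5, type-1, tag 1) with a
    deny entry at sequence 5 in front of it, applied to three constructed routes."""
    rm = (RouteMap("1-to-2")
          .entry("deny", 5, match={"ip address": ["blocked"]})
          .entry("permit", match={"metric": 1},
                 sets={"metric": 5, "metric_type": "type-1", "tag": 1}))
    sources = [Route("10.1.1.0/24", 1), Route("10.9.1.0/24", 1), Route("10.2.0.0/16", 20)]
    return redistribute(sources, rm, ACLS)
```

`example_one_to_two()` returns only 10.1.1.0/24, rewritten as an external type 1 route with metric 5 and tag 1: 10.9.1.0/24 is caught by the deny entry that sorts first, and 10.2.0.0/16 (metric 20) matches nothing and falls to the implicit deny.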

Configuring OSPF Interface Parameters

You can alter some interface-specific OSPF parameters as necessary. You are not required to alter any of these parameters, but the following interface parameters must be consistent across all routers in an attached network: ospf hello-interval, ospf dead-interval, and ospf authentication-key. Be sure that if you configure any of these parameters, the configurations for all routers on your network have compatible values.

To configure OSPF interface parameters, perform the following steps:


Step 1 To enter the interface configuration mode, enter the following command:

hostname(config)# interface interface_name

Step 2 Enter any of the following commands:

To specify the authentication type for an interface, enter the following command:

hostname(config-interface)# ospf authentication [message-digest | null]

To assign a password to be used by neighboring OSPF routers on a network segment that is using the OSPF simple password authentication, enter the following command:

hostname(config-interface)# ospf authentication-key key

The key can be any continuous string of characters up to 8 bytes in length.

The password created by this command is used as a key that is inserted directly into the OSPF header when the security appliance software originates routing protocol packets. A separate password can be assigned to each network on a per-interface basis. All neighboring routers on the same network must have the same password to be able to exchange OSPF information.

To explicitly specify the cost of sending a packet on an OSPF interface, enter the following command:

hostname(config-interface)# ospf cost cost

The cost is an integer from 1 to 65535.

To set the number of seconds that a device must wait before it declares a neighbor OSPF router down because it has not received a hello packet, enter the following command:

hostname(config-interface)# ospf dead-interval seconds

The value must be the same for all nodes on the network.

To specify the length of time between the hello packets that the security appliance sends on an OSPF interface, enter the following command:

hostname(config-interface)# ospf hello-interval seconds

The value must be the same for all nodes on the network.

To enable OSPF MD5 authentication, enter the following command:

hostname(config-interface)# ospf message-digest-key key_id md5 key

Set the following values:

key_id—An identifier in the range from 1 to 255.

key—Alphanumeric password of up to 16 bytes.

Usually, one key per interface is used to generate authentication information when sending packets and to authenticate incoming packets. The same key identifier on the neighbor router must have the same key value.

We recommend that you not keep more than one key per interface. Every time you add a new key, you should remove the old key to prevent the local system from continuing to communicate with a hostile system that knows the old key. Removing the old key also reduces overhead during rollover.

To set the priority to help determine the OSPF designated router for a network, enter the following command:

hostname(config-interface)# ospf priority number_value

The number_value is from 0 to 255.

To specify the number of seconds between LSA retransmissions for adjacencies belonging to an OSPF interface, enter the following command:

hostname(config-interface)# ospf retransmit-interval seconds

The seconds must be greater than the expected round-trip delay between any two routers on the attached network. The range is from 1 to 65535 seconds. The default is 5 seconds.

To set the estimated number of seconds required to send a link-state update packet on an OSPF interface, enter the following command:

hostname(config-interface)# ospf transmit-delay seconds

The seconds is from 1 to 65535 seconds. The default is 1 second.


The following example shows how to configure the OSPF interfaces:

hostname(config)# router ospf 2
hostname(config-router)# network 2.0.0.0 255.0.0.0 area 0
hostname(config-router)# interface inside
hostname(config-interface)# ospf cost 20
hostname(config-interface)# ospf retransmit-interval 15
hostname(config-interface)# ospf transmit-delay 10
hostname(config-interface)# ospf priority 20
hostname(config-interface)# ospf hello-interval 10
hostname(config-interface)# ospf dead-interval 40
hostname(config-interface)# ospf authentication-key cisco
hostname(config-interface)# ospf message-digest-key 1 md5 cisco
hostname(config-interface)# ospf authentication message-digest
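Both authentication types configured above are worth seeing on the wire. The simple password is copied as-is into the OSPF header, so anyone who can read the segment can read the key; the message-digest option instead appends MD5(packet || key) after the packet, as specified in RFC 2328, Appendix D. The following Python code is an added example written for this page, not Cisco code. It builds a Hello packet with the cryptographic authentication fields, signs it, and shows the receiver-side checks that give the key-rollover advice above its teeth: a packet signed with a removed key ID is rejected, a modified packet is rejected, and a packet with an older sequence number is rejected as a replay. The Hello body is constructed, and the zero-padding of keys shorter than 16 bytes is an assumption that matches common implementations.

```python
import hashlib
import hmac
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTOGRAPHIC = 2   # AuType for MD5 authentication (RFC 2328, Appendix D)
DIGEST_LEN = 16
HEADER_LEN = 24


def pad_key(key):
    """Keys are at most 16 bytes; shorter keys are zero-padded (assumed, as common implementations do)."""
    if len(key) > DIGEST_LEN:
        raise ValueError("OSPF MD5 key is limited to 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def build_header(ptype, router_id, area_id, body_len, key_id, seq):
    """24-byte OSPF header. With AuType 2 the checksum is 0 and the 8-byte
    authentication field carries: 2 zero bytes, key id, digest length, sequence number."""
    return struct.pack("!BBH4s4sHHHBBI", OSPF_VERSION, ptype, HEADER_LEN + body_len,
                       router_id, area_id, 0, AUTYPE_CRYPTOGRAPHIC,
                       0, key_id, DIGEST_LEN, seq)


def sign(packet, key):
    """Sender: MD5 over packet || padded key. The digest trails the packet and
    is not counted in the header length field."""
    return packet + hashlib.md5(packet + pad_key(key)).digest()


def verify(frame, keys, last_seq):
    """Receiver: pick the key by id, recompute the digest, compare in constant
    time, and reject sequence numbers older than the last accepted one.
    Returns (accepted, sequence number to remember for this neighbor)."""
    if len(frame) < HEADER_LEN + DIGEST_LEN:
        return False, last_seq
    length = struct.unpack("!H", frame[2:4])[0]
    autype, key_id, auth_len, seq = struct.unpack("!HxxBBI", frame[14:24])
    if autype != AUTYPE_CRYPTOGRAPHIC or auth_len != DIGEST_LEN or key_id not in keys:
        return False, last_seq           # unknown key id, e.g. a key that was removed
    if len(frame) < length + DIGEST_LEN:
        return False, last_seq
    packet, digest = frame[:length], frame[length:length + DIGEST_LEN]
    expected = hashlib.md5(packet + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(digest, expected):
        return False, last_seq           # wrong key or modified packet
    if seq < last_seq:
        return False, last_seq           # replay of an older packet
    return True, seq


def make_signed_hello(key_id, key, seq, router_id=b"\x0a\x01\x02\x01", area_id=b"\x00\x00\x00\x00"):
    """Constructed Hello body: mask /24, hello 10 s, options, priority 1, dead 40 s, no DR/BDR."""
    body = struct.pack("!4sHBBI4s4s", b"\xff\xff\xff\x00", 10, 0x12, 1, 40, b"\0" * 4, b"\0" * 4)
    header = build_header(OSPF_HELLO, router_id, area_id, len(body), key_id, seq)
    return sign(header + body, key)
```

`verify` is also where the rollover advice bites: once key ID 1 is removed from the receiver's key table, every packet still signed with it fails the `key_id not in keys` check, whatever the sender knows about the old key.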

The following is sample output from the show ospf command:

hostname(config)# show ospf

Routing Process "ospf 2" with ID 20.1.89.2 and Domain ID 0.0.0.2
Supports only single TOS(TOS0) routes
Supports opaque LSA
SPF schedule delay 5 secs, Hold time between two SPFs 10 secs
Minimum LSA interval 5 secs. Minimum LSA arrival 1 secs
Number of external LSA 5. Checksum Sum 0x 26da6
Number of opaque AS LSA 0. Checksum Sum 0x     0
Number of DCbitless external and opaque AS LSA 0
Number of DoNotAge external and opaque AS LSA 0
Number of areas in this router is 1. 1 normal 0 stub 0 nssa
External flood list length 0
    Area BACKBONE(0)
        Number of interfaces in this area is 1
        Area has no authentication
        SPF algorithm executed 2 times
        Area ranges are
        Number of LSA 5. Checksum Sum 0x 209a3
        Number of opaque link LSA 0. Checksum Sum 0x     0
        Number of DCbitless LSA 0
        Number of indication LSA 0
        Number of DoNotAge LSA 0
        Flood list length 0

Configuring OSPF Area Parameters

You can configure several area parameters. These area parameters (shown in the following steps) include setting authentication, defining stub areas, and assigning specific costs to the default summary route. Authentication provides password-based protection against unauthorized access to an area.

Stub areas are areas into which information on external routes is not sent. Instead, there is a default external route generated by the ABR, into the stub area for destinations outside the autonomous system. To take advantage of the OSPF stub area support, default routing must be used in the stub area. To further reduce the number of LSAs sent into a stub area, you can configure the no-summary keyword of the area stub command on the ABR to prevent it from sending summary link advertisement (LSA type 3) into the stub area.

To specify area parameters for your network, perform the following steps:


Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to configure by entering the following command:

hostname(config)# router ospf process_id

Step 2 Enter any of the following commands:

To enable authentication for an OSPF area, enter the following command:

hostname(config-router)# area area-id authentication

To enable MD5 authentication for an OSPF area, enter the following command:

hostname(config-router)# area area-id authentication message-digest

To define an area to be a stub area, enter the following command:

hostname(config-router)# area area-id stub [no-summary]

To assign a specific cost to the default summary route used for the stub area, enter the following command:

hostname(config-router)# area area-id default-cost cost

The cost is an integer from 1 to 65535. The default is 1.


The following example shows how to configure the OSPF area parameters:

hostname(config)# router ospf 2
hostname(config-router)# area 0 authentication
hostname(config-router)# area 0 authentication message-digest
hostname(config-router)# area 17 stub
hostname(config-router)# area 17 default-cost 20

Configuring OSPF NSSA

The OSPF implementation of an NSSA is similar to an OSPF stub area. NSSA does not flood type 5 external LSAs from the core into the area, but it can import autonomous system external routes in a limited way within the area.

NSSA imports type 7 autonomous system external routes within an NSSA area by redistribution. These type 7 LSAs are translated into type 5 LSAs by NSSA ABRs, which are flooded throughout the whole routing domain. Summarization and filtering are supported during the translation.

NSSA simplifies administration for an ISP or network administrator who must connect a central site that uses OSPF to a remote site that uses a different routing protocol.

Before the implementation of NSSA, the connection between the corporate site border router and the remote router could not be run as an OSPF stub area because routes for the remote site could not be redistributed into the stub area, and two routing protocols needed to be maintained. A simple protocol such as RIP was usually run and handled the redistribution. With NSSA, you can extend OSPF to cover the remote connection by defining the area between the corporate router and the remote router as an NSSA.

To specify area parameters for your network as needed to configure OSPF NSSA, perform the following steps:


Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to configure by entering the following command:

hostname(config)# router ospf process_id

Step 2 Enter any of the following commands:

To define an NSSA area, enter the following command:

hostname(config-router)# area area-id nssa [no-redistribution] 
[default-information-originate]

To summarize groups of addresses, enter the following command:

hostname(config-router)# summary-address ip_address mask [not-advertise] [tag tag]

This command helps reduce the size of the routing table. Using this command for OSPF causes an OSPF ASBR to advertise one external route as an aggregate for all redistributed routes that are covered by the address.

OSPF does not support summary-address 0.0.0.0 0.0.0.0.

In the following example, the summary address 10.1.0.0 includes address 10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. Only the address 10.1.0.0 is advertised in an external link-state advertisement:

hostname(config-router)# summary-address 10.1.0.0 255.255.0.0

Before you use this feature, consider these guidelines:

You can set a type 7 default route that can be used to reach external destinations. When configured with the default-information-originate keyword, the router (the NSSA ASBR or the NSSA area border router) generates a type 7 default route into the NSSA.

Every router within the same area must agree that the area is NSSA; otherwise, the routers will not be able to communicate.


Configuring Route Summarization Between OSPF Areas

Route summarization is the consolidation of advertised addresses. This feature causes a single summary route to be advertised to other areas by an area boundary router. In OSPF, an area boundary router advertises networks in one area into another area. If the network numbers in an area are assigned in a way such that they are contiguous, you can configure the area boundary router to advertise a summary route that covers all the individual networks within the area that fall into the specified range.

To define an address range for route summarization, perform the following steps:


Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to configure by entering the following command:

hostname(config)# router ospf process_id

Step 2 To set the address range, enter the following command:

hostname(config-router)# area area-id range ip-address mask [advertise | not-advertise]


The following example shows how to configure route summarization between OSPF areas:

hostname(config)# router ospf 1
hostname(config-router)# area 17 range 12.1.0.0 255.255.0.0

Configuring Route Summarization When Redistributing Routes into OSPF

When routes from other protocols are redistributed into OSPF, each route is advertised individually in an external LSA. However, you can configure the security appliance to advertise a single route for all the redistributed routes that are covered by a specified network address and mask. This configuration decreases the size of the OSPF link-state database.

To configure the security appliance to advertise one summary route for all redistributed routes covered by a network address and mask, perform the following steps:


Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to configure by entering the following command:

hostname(config)# router ospf process_id

Step 2 To set the summary address, enter the following command:

hostname(config-router)# summary-address ip_address mask [not-advertise] [tag tag]

OSPF does not support summary-address 0.0.0.0 0.0.0.0.


The following example shows how to configure route summarization. The summary address 10.1.0.0 includes address 10.1.1.0, 10.1.2.0, 10.1.3.0, and so on. Only the address 10.1.0.0 is advertised in an external link-state advertisement:

hostname(config)# router ospf 1
hostname(config-router)# summary-address 10.1.0.0 255.255.0.0
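The two summarization procedures above (area range and summary-address) share one check worth doing before committing a summary: does the prefix cover every constituent, and how much address space does it claim that no constituent owns? The following script is an added example, not code from the Cisco guide; the network lists in it are constructed samples.

```python
"""OSPF route summarization check.

Added example; not code from the Cisco guide. Given the networks an ABR or
ASBR would otherwise advertise one by one, it computes the smallest single
prefix that covers them (the candidate for 'area ... range' or
'summary-address'), confirms every constituent falls inside a chosen summary,
and lists the address space the summary would also claim that no constituent
owns. Network values are constructed samples.
"""
from ipaddress import IPv4Network, collapse_addresses


def smallest_summary(networks):
    """Return the smallest IPv4Network that covers every network given."""
    nets = [IPv4Network(n, strict=False) for n in networks]
    if not nets:
        raise ValueError("no networks to summarize")
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    # Widen a /32 at the lowest address one bit at a time until it spans hi.
    candidate = IPv4Network(f"{lo}/32")
    while candidate.broadcast_address < hi:
        candidate = candidate.supernet()
    return candidate


def summary_report(networks, summary=None):
    """Check a summary (or the computed smallest one) against its constituents.

    Returns a dict with the summary in 'ip mask' form, the constituents the
    summary does NOT cover (they would still be advertised individually, or
    become unreachable behind a too-narrow summary), and the 'overreach':
    blocks inside the summary that no constituent owns. Traffic for those
    destinations is attracted to this router and then dropped, and the
    summary can collide with prefixes legitimately owned elsewhere.
    """
    nets = [IPv4Network(n, strict=False) for n in networks]
    summ = IPv4Network(summary, strict=False) if summary else smallest_summary(networks)
    if summ.prefixlen == 0:
        # Stated restriction: OSPF does not support summary-address 0.0.0.0 0.0.0.0
        raise ValueError("a 0.0.0.0 0.0.0.0 summary is not supported")
    not_covered = [n for n in nets if not n.subnet_of(summ)]
    # Carve every covered constituent out of the summary; what remains is
    # space the summary advertises on nobody's behalf.
    leftover = [summ]
    for n in nets:
        if n in not_covered:
            continue
        carved = []
        for block in leftover:
            if block.subnet_of(n):
                continue                      # block wholly inside a constituent
            if n.subnet_of(block):
                carved.extend(block.address_exclude(n))
            else:
                carved.append(block)          # disjoint, keep as is
        leftover = carved
    overreach = sorted(collapse_addresses(leftover))
    return {
        "summary": f"{summ.network_address} {summ.netmask}",
        "not_covered": [str(n) for n in not_covered],
        "overreach": [str(b) for b in overreach],
    }


def area_range_command(area_id, networks):
    """Build the 'area <id> range <ip> <mask>' line for a set of networks."""
    return f"area {area_id} range {summary_report(networks)['summary']}"


def summary_address_command(networks):
    """Build the 'summary-address <ip> <mask>' line for redistributed routes."""
    return f"summary-address {summary_report(networks)['summary']}"


if __name__ == "__main__":
    # Constructed sample: three /24s in area 17 that fit the guide's 12.1.0.0/16 range.
    print(area_range_command(17, ["12.1.1.0/24", "12.1.2.0/24", "12.1.200.0/24"]))
    # An explicit /16 for three /24s shows how much extra space it claims.
    print(summary_report(["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"], "10.1.0.0/16"))
```

A non-empty "overreach" list is the cue to either narrow the summary or confirm that the extra space is really yours to advertise.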

Generating a Default Route

You can force an autonomous system boundary router to generate a default route into an OSPF routing domain. Whenever you specifically configure redistribution of routes into an OSPF routing domain, the router automatically becomes an autonomous system boundary router. However, an autonomous system boundary router does not by default generate a default route into the OSPF routing domain.

To generate a default route, perform the following steps:


Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to configure by entering the following command:

hostname(config)# router ospf process_id

Step 2 To force the autonomous system boundary router to generate a default route, enter the following command:

hostname(config-router)# default-information originate [always] [metric metric-value] 
[metric-type {1 | 2}] [route-map map-name]


The following example shows how to generate a default route:

hostname(config)# router ospf 2
hostname(config-router)# default-information originate always

Configuring Route Calculation Timers

You can configure the delay time between when OSPF receives a topology change and when it starts an SPF calculation. You also can configure the hold time between two consecutive SPF calculations.

To configure route calculation timers, perform the following steps:


Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to configure by entering the following command:

hostname(config)# router ospf process_id

Step 2 To configure the route calculation time, enter the following command:

hostname(config-router)# timers spf spf-delay spf-holdtime

The spf-delay is the delay time (in seconds) between when OSPF receives a topology change and when it starts an SPF calculation. It can be an integer from 0 to 65535. The default time is 5 seconds. A value of 0 means that there is no delay; that is, the SPF calculation is started immediately.

The spf-holdtime is the minimum time (in seconds) between two consecutive SPF calculations. It can be an integer from 0 to 65535. The default time is 10 seconds. A value of 0 means that there is no delay; that is, two SPF calculations can be done, one immediately after the other.


The following example shows how to configure route calculation timers:

hostname(config)# router ospf 1
hostname(config-router)# timers spf 10 120

Logging Neighbors Going Up or Down

By default, the system sends a system message when an OSPF neighbor goes up or down.

Configure this command if you want to know about OSPF neighbors going up or down without turning on the debug ospf adjacency command. The log-adj-changes router configuration command provides a higher level view of the peer relationship with less output. Configure log-adj-changes detail if you want to see messages for each state change.

To log neighbors going up or down, perform the following steps:


Step 1 If you have not already done so, enter the router configuration mode for the OSPF process you want to configure by entering the following command:

hostname(config)# router ospf process_id

Step 2 To configure logging for neighbors going up or down, enter the following command:

hostname(config-router)# log-adj-changes [detail]


Note Logging must be enabled for the neighbor up/down messages to be sent.



The following example shows how to log neighbors up/down messages:

hostname(config)# router ospf 1
hostname(config-router)# log-adj-changes detail

Displaying OSPF Update Packet Pacing

OSPF update packets are automatically paced so they are not sent less than 33 milliseconds apart. Without pacing, some update packets could get lost in situations where the link is slow, a neighbor could not receive the updates quickly enough, or the router could run out of buffer space. For example, without pacing packets might be dropped if either of the following topologies exists:

A fast router is connected to a slower router over a point-to-point link.

During flooding, several neighbors send updates to a single router at the same time.

Pacing is also used between resends to increase efficiency and minimize lost retransmissions. You also can display the LSAs waiting to be sent out an interface. The benefit of the pacing is that OSPF update and retransmission packets are sent more efficiently.

There are no configuration tasks for this feature; it occurs automatically.

To observe OSPF packet pacing by displaying a list of LSAs waiting to be flooded over a specified interface, enter the following command:

hostname# show ospf flood-list if_name

Monitoring OSPF

You can display specific statistics such as the contents of IP routing tables, caches, and databases. You can use the information provided to determine resource utilization and solve network problems. You can also display information about node reachability and discover the routing path that your device packets are taking through the network.

To display various routing statistics, perform one of the following tasks, as needed:

To display general information about OSPF routing processes, enter the following command:

hostname# show ospf [process-id [area-id]]

To display the internal OSPF routing table entries to the ABR and ASBR, enter the following command:

hostname# show ospf border-routers

To display lists of information related to the OSPF database for a specific router, enter the following command:

hostname# show ospf [process-id [area-id]] database

To display a list of LSAs waiting to be flooded over an interface (to observe OSPF packet pacing), enter the following command:

hostname# show ospf flood-list if-name

To display OSPF-related interface information, enter the following command:

hostname# show ospf interface [if_name]

To display OSPF neighbor information on a per-interface basis, enter the following command:

hostname# show ospf neighbor [interface-name] [neighbor-id] [detail]

To display a list of all LSAs requested by a router, enter the following command:

hostname# show ospf request-list neighbor if_name

To display a list of all LSAs waiting to be resent, enter the following command:

hostname# show ospf retransmission-list neighbor if_name

To display a list of all summary address redistribution information configured under an OSPF process, enter the following command:

hostname# show ospf [process-id] summary-address

To display OSPF-related virtual links information, enter the following command:

hostname# show ospf [process-id] virtual-links

Restarting the OSPF Process

To restart an OSPF process, clear redistribution, or counters, enter the following command:

hostname(config)# clear ospf pid {process | redistribution | counters 
[neighbor [neighbor-interface] [neighbor-id]]}

Configuring RIP

This section describes how to configure RIP. This section includes the following topics:

RIP Overview

Enabling RIP

RIP Overview

Devices that support RIP send routing-update messages at regular intervals and when the network topology changes. These RIP packets contain information about the networks that the devices can reach, as well as the number of routers or gateways that a packet must travel through to reach the destination address. RIP generates more traffic than OSPF, but is easier to configure initially.

RIP has advantages over static routes because the initial configuration is simple, and you do not need to update the configuration when the topology changes. The disadvantage to RIP is that there is more network and processing overhead than static routing.

The security appliance uses a limited version of RIP; it does not send out RIP updates that identify the networks that the security appliance can reach. However, you can enable one or both of the following methods:

Passive RIP—The security appliance listens for RIP updates but does not send any updates about its networks out of the interface.

Passive RIP allows the security appliance to learn about networks to which it is not directly connected.

Default Route Updates—Instead of sending normal RIP updates that describe all the networks reachable through the security appliance, the security appliance sends a default route to participating devices that identifies the security appliance as the default gateway.

You can use the default route option with passive RIP, or alone. You might use the default route option alone if you use static routes on the security appliance, but do not want to configure static routes on downstream routers. Typically, you would not enable the default route option on the outside interface, because the security appliance is not typically the default gateway for the upstream router.

Enabling RIP

To enable RIP on an interface, enter the following command:

hostname(config)# rip interface_name {default | passive} [version {1 | 2 [authentication {text | md5} key key_id]}]

You can enable both the passive and default modes of RIP on an interface by entering the rip command twice, one time for each method. For example, enter the following commands:

hostname(config)# rip inside default version 2 authentication md5 scorpius 1
hostname(config)# rip inside passive version 2 authentication md5 scorpius 1

If you want to enable passive RIP on all interfaces, but only enable default routes on the inside interface, enter the following commands:

hostname(config)# rip inside default version 2 authentication md5 scorpius 1
hostname(config)# rip inside passive version 2 authentication md5 scorpius 1
hostname(config)# rip outside passive version 2 authentication md5 scorpius 1


Note Before testing your configuration, flush the ARP caches on any routers connected to the security appliance. For Cisco routers, use the clear arp command to flush the ARP cache.

You cannot enable RIP if OSPF is enabled.


Dynamic Routing and Failover

Dynamic routes are not replicated to the standby unit or failover group in a failover configuration. Therefore, immediately after a failover occurs, some packets received by the security appliance may be dropped because of a lack of routing information or routed to a default static route while the routing table is repopulated by the configured dynamic routing protocols.

Configuring Multicast Routing

This section describes how to configure multicast routing. This section includes the following topics:

Multicast Routing Overview

Enabling Multicast Routing

Configuring IGMP Features

Configuring Stub Multicast Routing

Configuring a Static Multicast Route

Configuring PIM Features

For More Information about Multicast Routing

Multicast Routing Overview

The security appliance supports both stub multicast routing and PIM multicast routing. However, you cannot configure both concurrently on a single security appliance.

Stub multicast routing provides dynamic host registration and facilitates multicast routing. When configured for stub multicast routing, the security appliance acts as an IGMP proxy agent. Instead of fully participating in multicast routing, the security appliance forwards IGMP messages to an upstream multicast router, which sets up delivery of the multicast data. When configured for stub multicast routing, the security appliance cannot be configured for PIM.

The security appliance supports both PIM-SM and bi-directional PIM. PIM-SM is a multicast routing protocol that uses the underlying unicast routing information base or a separate multicast-capable routing information base. It builds unidirectional shared trees rooted at a single Rendezvous Point per multicast group and optionally creates shortest-path trees per multicast source.

Bi-directional PIM is a variant of PIM-SM that builds bi-directional shared trees connecting multicast sources and receivers. Bi-directional trees are built using a DF election process operating on each link of the multicast topology. With the assistance of the DF, multicast data is forwarded from sources to the Rendezvous Point, and therefore along the shared tree to receivers, without requiring source-specific state. The DF election takes place during Rendezvous Point discovery and provides a default route to the Rendezvous Point.


Note If the security appliance is the PIM RP, use the untranslated outside address of the security appliance as the RP address.


Enabling Multicast Routing

Enabling multicast routing lets the security appliance forward multicast packets. Enabling multicast routing automatically enables PIM and IGMP on all interfaces. To enable multicast routing, enter the following command:

hostname(config)# multicast-routing

The number of entries in the multicast routing tables is limited by the amount of RAM on the system. Table 8-1 lists the maximum number of entries for specific multicast tables based on the amount of RAM on the security appliance. Once these limits are reached, any new entries are discarded.

Table 8-1 Entry Limits for Multicast Tables

Table          16 MB     128 MB    128+ MB
MFIB           1000      3000      5000
IGMP Groups    1000      3000      5000
PIM Routes     3000      7000      12000


Configuring IGMP Features

IP hosts use IGMP to report their group memberships to directly connected multicast routers. IGMP uses group addresses (Class D IP addresses) as group identifiers. Host group addresses can be in the range 224.0.0.0 to 239.255.255.255. The address 224.0.0.0 is never assigned to any group. The address 224.0.0.1 is assigned to all systems on a subnet. The address 224.0.0.2 is assigned to all routers on a subnet.

When you enable multicast routing on the security appliance, IGMP Version 2 is automatically enabled on all interfaces.


Note Only the no igmp command appears in the interface configuration when you use the show run command. If the multicast-routing command appears in the device configuration, then IGMP is automatically enabled on all interfaces.


This section describes how to configure optional IGMP settings on a per-interface basis. This section includes the following topics:

Disabling IGMP on an Interface

Configuring Group Membership

Configuring a Statically Joined Group

Controlling Access to Multicast Groups

Limiting the Number of IGMP States on an Interface

Modifying the Query Interval and Query Timeout

Changing the Query Response Time

Changing the IGMP Version

Disabling IGMP on an Interface

You can disable IGMP on specific interfaces. This is useful if you know that you do not have any multicast hosts on a specific interface and you want to prevent the security appliance from sending host query messages on that interface.

To disable IGMP on an interface, enter the following command:

hostname(config-if)# no igmp

To reenable IGMP on an interface, enter the following command:

hostname(config-if)# igmp


Note Only the no igmp command appears in the interface configuration.


Configuring Group Membership

You can configure the security appliance to be a member of a multicast group. Configuring the security appliance to join a multicast group causes upstream routers to maintain multicast routing table information for that group and keep the paths for that group active.

To have the security appliance join a multicast group, enter the following command:

hostname(config-if)# igmp join-group group-address

Configuring a Statically Joined Group

Sometimes a group member cannot report its membership in the group, or there may be no members of a group on the network segment, but you still want multicast traffic for that group to be sent to that network segment. You can have multicast traffic for that group sent to the segment in one of two ways:

Using the igmp join-group command (see Configuring Group Membership). This causes the security appliance to accept and to forward the multicast packets.

Using the igmp static-group command. The security appliance does not accept the multicast packets but rather forwards them to the specified interface.

To configure a statically joined multicast group on an interface, enter the following command:

hostname(config-if)# igmp static-group group-address

Controlling Access to Multicast Groups

To control the multicast groups that hosts on the security appliance interface can join, perform the following steps:


Step 1 Create an access list for the multicast traffic. You can create more than one entry for a single access list. You can use extended or standard access lists.

To create a standard access list, enter the following command:

hostname(config)# access-list name standard [permit | deny] ip_addr mask

The ip_addr argument is the IP address of the multicast group being permitted or denied.

To create an extended access list, enter the following command:

hostname(config)# access-list name extended [permit | deny] protocol src_ip_addr 
src_mask dst_ip_addr dst_mask

The dst_ip_addr argument is the IP address of the multicast group being permitted or denied.

Step 2 Apply the access list to an interface by entering the following command:

hostname(config-if)# igmp access-group acl

The acl argument is the name of a standard or extended IP access list.
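To see how the access list in the procedure above actually decides a join request (ordered entries, first match wins, implicit deny at the end, plus the Class D rules from the start of this section), here is an added example that is not code from the Cisco guide. The access list it parses is a constructed sample.

```python
"""IGMP group access control check.

Added example; not code from the Cisco guide. It models the standard access
list applied with 'igmp access-group': entries are evaluated in order, the
first match decides, and a group that matches no entry is denied (the implicit
deny that ends every access list). A group address is also rejected if it is
outside Class D or is 224.0.0.0, which is never assigned to a group. The ACL
below is a constructed sample.
"""
from ipaddress import IPv4Address, IPv4Network

CLASS_D = IPv4Network("224.0.0.0/4")
NEVER_ASSIGNED = IPv4Address("224.0.0.0")


def parse_standard_acl(lines):
    """Parse 'access-list NAME standard {permit|deny} ADDR MASK' lines.

    Returns (name, [(action, IPv4Network), ...]) in configuration order.
    A leading 'hostname(config)#' prompt is tolerated so pasted CLI works.
    """
    name, entries = None, []
    for line in lines:
        parts = line.split()
        if parts and parts[0].endswith("#"):
            parts = parts[1:]
        if len(parts) != 6 or parts[0] != "access-list" or parts[2] != "standard":
            raise ValueError(f"not a standard access-list entry: {line!r}")
        _, acl_name, _, action, addr, mask = parts
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        if name is None:
            name = acl_name
        elif acl_name != name:
            raise ValueError(f"entry for {acl_name!r} mixed into ACL {name!r}")
        # Standard ACLs on the security appliance take a subnet mask, not a wildcard.
        entries.append((action, IPv4Network(f"{addr}/{mask}", strict=False)))
    return name, entries


def is_valid_group(address):
    """True for an IGMP group address: Class D and not 224.0.0.0."""
    a = IPv4Address(address)
    return a in CLASS_D and a != NEVER_ASSIGNED


def group_allowed(entries, group):
    """Return (allowed, reason) for a host trying to join 'group'."""
    if not is_valid_group(group):
        return False, f"{group} is not a valid multicast group address"
    a = IPv4Address(group)
    for action, net in entries:
        if a in net:
            return action == "permit", f"matched '{action} {net.with_netmask}'"
    return False, "no entry matched (implicit deny)"


def audit_groups(entries, groups):
    """Map each candidate group to its verdict; handy for reviewing a join list."""
    return {g: group_allowed(entries, g) for g in groups}


# Constructed sample ACL: block one admin-scoped /24, allow the rest of
# 239.0.0.0/8, and leave everything else to the implicit deny.
SAMPLE_ACL = [
    "hostname(config)# access-list mcast-hosts standard deny 239.255.255.0 255.255.255.0",
    "hostname(config)# access-list mcast-hosts standard permit 239.0.0.0 255.0.0.0",
]

if __name__ == "__main__":
    name, acl = parse_standard_acl(SAMPLE_ACL)
    verdicts = audit_groups(acl, ["239.1.1.1", "239.255.255.250", "224.1.1.1", "10.0.0.1"])
    for group, (ok, why) in verdicts.items():
        print(f"igmp access-group {name}: {group} -> {'permit' if ok else 'deny'} ({why})")
```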


Limiting the Number of IGMP States on an Interface

You can limit the number of IGMP states resulting from IGMP membership reports on a per-interface basis. Membership reports exceeding the configured limits are not entered in the IGMP cache and traffic for the excess membership reports is not forwarded.

To limit the number of IGMP states on an interface, enter the following command:

hostname(config-if)# igmp limit number

Valid values range from 0 to 500, with 500 being the default value. Setting this value to 0 prevents learned groups from being added, but manually defined memberships (using the igmp join-group and igmp static-group commands) are still permitted. The no form of this command restores the default value.

Modifying the Query Interval and Query Timeout

The security appliance sends query messages to discover which multicast groups have members on the networks attached to the interfaces. Members respond with IGMP report messages indicating that they want to receive multicast packets for specific groups. Query messages are addressed to the all-systems multicast group, which has an address of 224.0.0.1, with a time-to-live value of 1.

These messages are sent periodically to refresh the membership information stored on the security appliance. If the security appliance discovers that there are no local members of a multicast group still attached to an interface, it stops forwarding multicast packets for that group to the attached network and it sends a prune message back to the source of the packets.

By default, the PIM designated router on the subnet is responsible for sending the query messages. By default, they are sent once every 125 seconds. To change this interval, enter the following command:

hostname(config-if)# igmp query-interval seconds

If the security appliance does not hear a query message on an interface for the specified timeout value (by default, 255 seconds), then the security appliance becomes the designated router and starts sending the query messages. To change this timeout value, enter the following command:

hostname(config-if)# igmp query-timeout seconds


Note The igmp query-timeout and igmp query-interval commands require IGMP Version 2.


Changing the Query Response Time

By default, the maximum query response time advertised in IGMP queries is 10 seconds. If the security appliance does not receive a response to a host query within this amount of time, it deletes the group.

To change the maximum query response time, enter the following command:

hostname(config-if)# igmp query-max-response-time seconds

Changing the IGMP Version

By default, the security appliance runs IGMP Version 2, which enables several additional features such as the igmp query-timeout and igmp query-interval commands.

All multicast routers on a subnet must support the same version of IGMP. The security appliance does not automatically detect version 1 routers and switch to version 1. However, a mix of IGMP Version 1 and 2 hosts on the subnet works; the security appliance running IGMP Version 2 works correctly when IGMP Version 1 hosts are present.

To control which version of IGMP is running on an interface, enter the following command:

hostname(config-if)# igmp version {1 | 2}

Configuring Stub Multicast Routing

A security appliance acting as the gateway to the stub area does not need to participate in PIM. Instead, you can configure it to act as an IGMP proxy agent and forward IGMP messages from hosts connected on one interface to an upstream multicast router on another. To configure the security appliance as an IGMP proxy agent, forward the host join and leave messages from the stub area interface to an upstream interface.

To forward the host join and leave messages, enter the following command from the interface attached to the stub area:

hostname(config-if)# igmp forward interface if_name


Note Stub Multicast Routing and PIM are not supported concurrently.


Configuring a Static Multicast Route

When using PIM, the security appliance expects to receive packets on the same interface where it sends unicast packets back to the source. In some cases, such as bypassing a route that does not support multicast routing, you may want unicast packets to take one path and multicast packets to take another.

Static multicast routes are not advertised or redistributed.

To configure a static multicast route for PIM, enter the following command:

hostname(config)# mroute src_ip src_mask input_if_name [distance]

To configure a static multicast route for a stub area, enter the following command:

hostname(config)# mroute src_ip src_mask input_if_name [dense output_if_name] [distance]


Note The dense output_if_name keyword and argument pair is only supported for stub multicast routing.


Configuring PIM Features

Routers use PIM to maintain forwarding tables for forwarding multicast datagrams. When you enable multicast routing on the security appliance, PIM and IGMP are automatically enabled on all interfaces.


Note PIM is not supported with PAT. The PIM protocol does not use ports and PAT only works with protocols that use ports.


This section describes how to configure optional PIM settings. This section includes the following topics:

Disabling PIM on an Interface

Configuring a Static Rendezvous Point Address

Configuring the Designated Router Priority

Filtering PIM Register Messages

Configuring PIM Message Intervals

Disabling PIM on an Interface

You can disable PIM on specific interfaces. To disable PIM on an interface, enter the following command:

hostname(config-if)# no pim

To reenable PIM on an interface, enter the following command:

hostname(config-if)# pim


Note Only the no pim command appears in the interface configuration.


Configuring a Static Rendezvous Point Address

All routers within a common PIM sparse mode or bidir domain require knowledge of the PIM RP address. The address is statically configured using the pim rp-address command.


Note The security appliance does not support Auto-RP or PIM BSR; you must use the pim rp-address command to specify the RP address.


You can configure the security appliance to serve as RP to more than one group. The group range specified in the access list determines the PIM RP group mapping. If an access list is not specified, then the RP for the group is applied to the entire multicast group range (224.0.0.0/4).

To configure the address of the PIM RP, enter the following command:

hostname(config)# pim rp-address ip_address [acl] [bidir]


The ip_address argument is the unicast IP address of the router to be a PIM RP. The acl argument is the name or number of a standard access list that defines which multicast groups the RP should be used with. Do not use a host ACL with this command. Excluding the bidir keyword causes the groups to operate in PIM sparse mode.


Note The security appliance always advertises the bidir capability in the PIM hello messages regardless of the actual bidir configuration.


Configuring the Designated Router Priority

The DR is responsible for sending PIM register, join, and prune messages to the RP. When there is more than one multicast router on a network segment, there is an election process to select the DR based on DR priority. If multiple devices have the same DR priority, then the device with the highest IP address becomes the DR.

By default, the security appliance has a DR priority of 1. You can change this value by entering the following command:

hostname(config-if)# pim dr-priority num

The num argument can be any number from 1 to 4294967294.

Filtering PIM Register Messages

You can configure the security appliance to filter PIM register messages. To filter PIM register messages, enter the following command:

hostname(config)# pim accept-register {list acl | route-map map-name}

Configuring PIM Message Intervals

Router query messages are used to elect the PIM DR. The PIM DR is responsible for sending router query messages. By default, router query messages are sent every 30 seconds. You can change this value by entering the following command:

hostname(config-if)# pim hello-interval seconds

Valid values for the seconds argument range from 1 to 3600 seconds.

Every 60 seconds, the security appliance sends PIM join/prune messages. To change this value, enter the following command:

hostname(config-if)# pim join-prune-interval seconds

Valid values for the seconds argument range from 10 to 600 seconds.

For More Information about Multicast Routing

The following RFCs from the IETF provide technical details about the IGMP and multicast routing standards used for implementing the SMR feature:

RFC 2236 IGMPv2

RFC 2362 PIM-SM

RFC 2588 IP Multicast and Firewalls

RFC 2113 IP Router Alert Option

IETF draft-ietf-idmr-igmp-proxy-01.txt

Configuring DHCP

DHCP provides network configuration parameters, such as IP addresses, to DHCP clients. The security appliance can provide a DHCP server or DHCP relay services to DHCP clients attached to security appliance interfaces. The DHCP server provides network configuration parameters directly to DHCP clients. DHCP relay passes DHCP requests received on one interface to an external DHCP server located behind a different interface.

This section includes the following topics:

Configuring a DHCP Server

Configuring DHCP Relay Services

Configuring a DHCP Server

This section describes how to configure the DHCP server provided by the security appliance. This section includes the following topics:

Enabling the DHCP Server

Configuring DHCP Options

Using Cisco IP Phones with a DHCP Server

Enabling the DHCP Server

The security appliance can act as a DHCP server. DHCP is a protocol that supplies network settings to hosts including the host IP address, the default gateway, and a DNS server.


Note The security appliance DHCP server does not support BOOTP requests.

In multiple context mode, you cannot enable the DHCP server or DHCP relay on an interface that is used by more than one context.


You can configure a DHCP server on each interface of the security appliance. Each interface can have its own pool of addresses to draw from. However, the other DHCP settings, such as DNS servers, domain name, options, ping timeout, and WINS servers, are configured globally and used by the DHCP server on all interfaces.

You cannot configure a DHCP client or DHCP Relay services on an interface on which the server is enabled. Additionally, DHCP clients must be directly connected to the interface on which the server is enabled.

To enable the DHCP server on a given security appliance interface, perform the following steps:


Step 1 Create a DHCP address pool. Enter the following command to define the address pool:

hostname(config)# dhcpd address ip_address-ip_address interface_name

The security appliance assigns a client one of the addresses from this pool to use for a given length of time. These addresses are the local, untranslated addresses for the directly connected network.

The address pool must be on the same subnet as the security appliance interface.

Step 2 (Optional) To specify the IP address(es) of the DNS server(s) the client will use, enter the following command:

hostname(config)# dhcpd dns dns1 [dns2]

You can specify up to two DNS servers.

Step 3 (Optional) To specify the IP address(es) of the WINS server(s) the client will use, enter the following command:

hostname(config)# dhcpd wins wins1 [wins2]

You can specify up to two WINS servers.

Step 4 (Optional) To change the lease length to be granted to the client, enter the following command:

hostname(config)# dhcpd lease lease_length

This lease equals the amount of time (in seconds) the client can use its allocated IP address before the lease expires. Enter a value between 300 and 1,048,575. The default value is 3600 seconds.

Step 5 (Optional) To configure the domain name the client uses, enter the following command:

hostname(config)# dhcpd domain domain_name

Step 6 (Optional) To configure the DHCP ping timeout value, enter the following command:

hostname(config)# dhcpd ping_timeout milliseconds

To avoid address conflicts, the security appliance sends two ICMP ping packets to an address before assigning that address to a DHCP client. This command specifies the timeout value for those packets.

Step 7 (Transparent Firewall Mode) Define a default gateway. To define the default gateway that is sent to DHCP clients, enter the following command:

hostname(config)# dhcpd option 3 ip gateway_ip

If you do not use the DHCP option 3 to define the default gateway, DHCP clients use the IP address of the management interface. The management interface does not route traffic.

Step 8 To enable the DHCP daemon within the security appliance to listen for DHCP client requests on the enabled interface, enter the following command:

hostname(config)# dhcpd enable interface_name


For example, to assign the range 10.0.1.101 to 10.0.1.110 to hosts connected to the inside interface, enter the following commands:

hostname(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
hostname(config)# dhcpd dns 209.165.201.2 209.165.202.129
hostname(config)# dhcpd wins 209.165.201.5
hostname(config)# dhcpd lease 3000
hostname(config)# dhcpd domain example.com
hostname(config)# dhcpd enable inside
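The eight steps above carry several constraints that are easy to violate when a pool is typed by hand (pool on the interface subnet, lease range, at most two DNS and two WINS servers, option 3 in transparent mode). The following script is an added example, not tooling from the Cisco guide: it checks those constraints and then emits the dhcpd commands in the order the procedure uses. The interface address 10.0.1.1/24 is a constructed assumption; the pool, servers, lease and domain are reused from the example above.

```python
"""Build a validated 'dhcpd' server configuration for one interface.

Added example; not the Cisco guide's own tooling. It enforces the constraints
given in the 'Enabling the DHCP Server' steps before emitting commands: the
pool must be on the interface's subnet, the lease must be 300..1,048,575
seconds, and at most two DNS and two WINS servers are accepted. It also
refuses a pool that contains the interface's own address and, in transparent
mode, an option 3 gateway that is not on the interface subnet (both are
assumptions added here, not rules the guide states). Interface names and
addresses are constructed samples, except those reused from the guide.
"""
from ipaddress import IPv4Address, IPv4Interface

LEASE_MIN, LEASE_MAX, LEASE_DEFAULT = 300, 1_048_575, 3600


def build_dhcpd_config(if_name, if_addr, pool_start, pool_end, dns=(), wins=(),
                       lease=None, domain=None, ping_timeout=None, gateway=None):
    """Return the dhcpd command lines (without the prompt) in the guide's order.

    if_addr is the interface address with prefix, e.g. '10.0.1.1/24'; gateway
    is only needed in transparent mode, where option 3 must carry it.
    """
    iface = IPv4Interface(if_addr)
    net = iface.network
    start, end = IPv4Address(pool_start), IPv4Address(pool_end)
    if start > end:
        raise ValueError("pool start is higher than pool end")
    if start not in net or end not in net:
        raise ValueError(f"pool {start}-{end} is not on the {if_name} subnet {net}")
    if start <= iface.ip <= end:
        raise ValueError(f"pool contains the interface address {iface.ip}")
    if len(dns) > 2 or len(wins) > 2:
        raise ValueError("at most two DNS and two WINS servers can be specified")
    if lease is not None and not LEASE_MIN <= lease <= LEASE_MAX:
        raise ValueError(f"lease must be {LEASE_MIN}..{LEASE_MAX} seconds")
    if gateway is not None and IPv4Address(gateway) not in net:
        raise ValueError("option 3 gateway must be on the interface subnet")

    cmds = [f"dhcpd address {start}-{end} {if_name}"]
    if dns:
        cmds.append("dhcpd dns " + " ".join(str(IPv4Address(d)) for d in dns))
    if wins:
        cmds.append("dhcpd wins " + " ".join(str(IPv4Address(w)) for w in wins))
    if lease is not None:
        cmds.append(f"dhcpd lease {lease}")
    if domain:
        cmds.append(f"dhcpd domain {domain}")
    if ping_timeout is not None:
        cmds.append(f"dhcpd ping_timeout {ping_timeout}")
    if gateway is not None:
        cmds.append(f"dhcpd option 3 ip {gateway}")
    cmds.append(f"dhcpd enable {if_name}")
    return cmds


if __name__ == "__main__":
    # Values from the guide's example; the interface address is an assumption.
    for line in build_dhcpd_config(
        "inside", "10.0.1.1/24", "10.0.1.101", "10.0.1.110",
        dns=("209.165.201.2", "209.165.202.129"), wins=("209.165.201.5",),
        lease=3000, domain="example.com",
    ):
        print(f"hostname(config)# {line}")
```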

Configuring DHCP Options

You can configure the security appliance to send information for the DHCP options listed in RFC 2132. The DHCP options fall into one of three categories:

Options that return an IP address.

Options that return a text string.

Options that return a hexadecimal value.

The security appliance supports all three categories of DHCP options. To configure a DHCP option, do one of the following:

To configure a DHCP option that returns one or two IP addresses, enter the following command:

hostname(config)# dhcpd option code ip addr_1 [addr_2]

To configure a DHCP option that returns a text string, enter the following command:

hostname(config)# dhcpd option code ascii text

To configure a DHCP option that returns a hexadecimal value, enter the following command:

hostname(config)# dhcpd option code hex value 


Note The security appliance does not verify that the option type and value that you provide match the expected type and value for the option code as defined in RFC 2132. For example, you can enter dhcpd option 46 ascii hello, and the security appliance accepts the configuration although option 46 is defined in RFC 2132 as expecting a single-digit, hexadecimal value. For more information about the option codes and their associated types and expected values, refer to RFC 2132.


DHCP options 3, 66, and 150 are used to configure Cisco IP Phones. See the "Using Cisco IP Phones with a DHCP Server" section for more information about configuring those options.

Using Cisco IP Phones with a DHCP Server

Enterprises with small branch offices that implement a Cisco IP Telephony Voice over IP solution typically implement Cisco CallManager at a central office to control Cisco IP Phones at small branch offices. This implementation allows centralized call processing, reduces the equipment required, and eliminates the administration of additional Cisco CallManager and other servers at branch offices.

Cisco IP Phones download their configuration from a TFTP server. When a Cisco IP Phone starts, if it does not have both the IP address and TFTP server IP address preconfigured, it sends a request with option 150 or 66 to the DHCP server to obtain this information.

DHCP option 150 provides the IP addresses of a list of TFTP servers.

DHCP option 66 gives the IP address or the hostname of a single TFTP server.

Cisco IP Phones might also include DHCP option 3 in their requests, which sets the default route.

Cisco IP Phones might include both option 150 and 66 in a single request. In this case, the security appliance DHCP server provides values for both options in the response if they are configured on the security appliance.

You can configure the security appliance to send information for most options listed in RFC 2132. The following commands show the syntax for any option number, as well as the syntax for the commonly used options 66, 150, and 3:

To provide information for DHCP requests that include an option number as specified in RFC-2132, enter the following command:

hostname(config)# dhcpd option number value

To provide the IP address or name of a TFTP server for option 66, enter the following command:

hostname(config)# dhcpd option 66 ascii server_name

To provide the IP addresses of one or two TFTP servers for option 150, enter the following command:

hostname(config)# dhcpd option 150 ip server_ip1 [server_ip2]

The server_ip1 is the IP address of the primary TFTP server and server_ip2 is the IP address of the secondary TFTP server. A maximum of two TFTP servers can be identified using option 150. Option 150 carries addresses only; use option 66 if you need to give a server by name.

To set the default route, enter the following command:

hostname(config)# dhcpd option 3 ip router_ip1 
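The note in "Configuring DHCP Options" says the appliance sends whatever type and value you type for any option code, and the IP phone commands above rely on options 3, 66, and 150 being well formed. The following script is an added example, not Cisco's code and not an ASA command: it lints dhcpd option lines against the RFC 2132 (and, for option 150, RFC 5859) expectations for the codes this chapter mentions, and encodes each option as it would be laid out in the DHCP reply (code, length, value), so you can see the bytes a typo would put on the wire. The EXPECTED table, the function names, and the sample configuration are this example's own assumptions.

```python
"""Added example (not Cisco's code): lint `dhcpd option` lines before committing them.

The appliance accepts any type and value for any option code, so a typo such as
`dhcpd option 46 ascii hello` is sent to every client as-is. This script checks the
codes this chapter mentions against RFC 2132 (and RFC 5859 for option 150) and
encodes each option as it would appear on the wire: code, length, value.
The EXPECTED table and the helper names are this example's own; nothing here is
an ASA command."""
import ipaddress
import re

# Expected value kind per code, limited to the options discussed in this chapter.
EXPECTED = {
    3:   ("ip",    "Router"),                 # RFC 2132 3.5: list of IPv4 addresses
    6:   ("ip",    "Domain Name Server"),     # RFC 2132 3.8
    15:  ("ascii", "Domain Name"),            # RFC 2132 3.17
    44:  ("ip",    "NetBIOS Name Server"),    # RFC 2132 8.5
    46:  ("hex",   "NetBIOS Node Type"),      # RFC 2132 8.7: one octet, 0x1/0x2/0x4/0x8
    66:  ("ascii", "TFTP Server Name"),       # RFC 2132 9.4
    150: ("ip",    "TFTP Server Address"),    # RFC 5859 (Cisco IP phone option)
}
NODE_TYPES = {0x01, 0x02, 0x04, 0x08}
LINE = re.compile(r"^\s*dhcpd option (\d+) (ip|ascii|hex) (.+?)\s*$")


def encode(code, kind, text):
    """Encode an option as the appliance would: type-blind TLV bytes."""
    if kind == "ip":
        payload = b"".join(ipaddress.IPv4Address(a).packed for a in text.split())
    elif kind == "ascii":
        payload = text.encode("ascii")
    else:
        payload = bytes.fromhex(text)
    if not 0 < len(payload) < 256:
        raise ValueError("option value must be 1..255 bytes")
    return bytes([code, len(payload)]) + payload


def lint(line):
    """Return (tlv, problems). tlv is the wire encoding, or None if unencodable."""
    m = LINE.match(line)
    if not m:
        return None, ["not a 'dhcpd option <code> ip|ascii|hex <value>' line"]
    code, kind, text = int(m.group(1)), m.group(2), m.group(3)
    problems = []
    if not 1 <= code <= 254:
        problems.append(f"option code {code} is out of range (1..254)")
    if kind == "ip" and len(text.split()) > 2:
        problems.append("appliance syntax allows one or two addresses")
    try:
        tlv = encode(code, kind, text)
    except ValueError as exc:
        return None, problems + [f"cannot encode value: {exc}"]
    if code not in EXPECTED:
        problems.append(f"option {code}: type not checked, sent as typed")
        return tlv, problems
    want, name = EXPECTED[code]
    if kind != want:
        problems.append(f"option {code} ({name}) expects '{want}', got '{kind}'")
    if code == 46 and (len(tlv) != 3 or tlv[2] not in NODE_TYPES):
        problems.append("option 46 must be exactly one octet: 01, 02, 04 or 08")
    return tlv, problems


def lint_config(text):
    """Lint every dhcpd option line in a config blob; returns {line: problems}."""
    return {ln: lint(ln)[1] for ln in text.splitlines() if "dhcpd option" in ln}


if __name__ == "__main__":
    # Constructed sample, including the bad line from the note in this chapter.
    SAMPLE = """\
dhcpd option 3 ip 10.0.1.1
dhcpd option 66 ascii tftp.example.com
dhcpd option 150 ip 10.0.1.5 10.0.1.6
dhcpd option 46 ascii hello
"""
    for ln, probs in lint_config(SAMPLE).items():
        print("FAIL" if probs else "OK  ", ln, "; ".join(probs))
```

Run it over the dhcpd option lines of a candidate configuration before you paste them into the appliance; the appliance itself will never reject them. The check for option 46 is the one from the note above, and the two-address limit for the ip kind mirrors the dhcpd option code ip addr_1 [addr_2] syntax.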

Configuring DHCP Relay Services

A DHCP relay agent allows the security appliance to forward DHCP requests from clients on one interface to a DHCP server connected to a different interface.

The following restrictions apply to the use of the DHCP relay agent:

The relay agent cannot be enabled if the DHCP server feature is also enabled.

Clients must be directly connected to the security appliance and cannot send requests through another relay agent or a router.

For multiple context mode, you cannot enable DHCP relay on an interface that is used by more than one context.


Note DHCP relay services are not available in transparent firewall mode. A security appliance in transparent firewall mode passes only ARP traffic without an ACL; all other traffic requires an ACL. To allow DHCP requests and replies through the security appliance in transparent mode, you need to configure two ACLs, one that allows DHCP requests from the inside interface to the outside, and one that allows the replies from the server in the other direction.


To enable DHCP relay, perform the following steps:


Step 1 To set the IP address of a DHCP server on a different interface from the DHCP client, enter the following command:

hostname(config)# dhcprelay server ip_address if_name

You can use this command up to 4 times to identify up to 4 servers.

Step 2 To enable DHCP relay on the interface connected to the clients, enter the following command:

hostname(config)# dhcprelay enable interface

Step 3 (Optional) To set the number of seconds allowed for relay address negotiation, enter the following command:

hostname(config)# dhcprelay timeout seconds

Step 4 (Optional) To change the first default router address in the packet sent from the DHCP server to the address of the security appliance interface, enter the following command:

hostname(config)# dhcprelay setroute interface_name

This action allows the client to set its default route to point to the security appliance even if the DHCP server specifies a different router.

If there is no default router option in the packet, the security appliance adds one containing the interface address.


The following example enables the security appliance to forward DHCP requests from clients connected to the inside interface to a DHCP server on the outside interface:

hostname(config)# dhcprelay server 201.168.200.4 outside
hostname(config)# dhcprelay enable inside
hostname(config)# dhcprelay setroute inside
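Step 4 above describes dhcprelay setroute in two sentences: the first address in the server's default router option (option 3) is replaced by the relay interface's own address, and option 3 is added if the server did not send one. The following script is an added example, not Cisco's code: it models that rewrite on the option field of a constructed DHCPOFFER so you can see exactly which default routers reach the client. The function names, the sample reply, and the choice to keep any additional router addresses after the first are this example's own assumptions.

```python
"""Added example (not Cisco's code): what `dhcprelay setroute` does to a reply.

The guide says the appliance rewrites the first default router address (option 3)
in the server's packet to its own interface address and adds option 3 if it is
missing. This models that rewrite on the option field of a constructed DHCPOFFER,
so you can see exactly what reaches the client. Function names and the sample
reply are this example's own."""
import ipaddress

OPT_PAD, OPT_ROUTER, OPT_END = 0, 3, 255
# Other codes used only to build the sample reply (RFC 2132 numbers).
OPT_MASK, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID = 1, 51, 53, 54


def parse_options(blob):
    """Parse a DHCP option field into an ordered [(code, value)] list."""
    opts, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = blob[i + 1]
        opts.append((code, bytes(blob[i + 2:i + 2 + length])))
        i += 2 + length
    return opts


def build_options(opts):
    """Serialise [(code, value)] back into a DHCP option field with an END marker."""
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def apply_setroute(option_blob, relay_if_ip):
    """Rewrite as the guide describes: first router address := relay interface
    address, remaining addresses kept; add option 3 if the server sent none."""
    mine = ipaddress.IPv4Address(relay_if_ip).packed
    out, rewritten = [], False
    for code, val in parse_options(option_blob):
        if code == OPT_ROUTER and not rewritten:
            val = mine + val[4:]
            rewritten = True
        out.append((code, val))
    if not rewritten:
        out.append((OPT_ROUTER, mine))
    return build_options(out)


def routers(option_blob):
    """Default routers the client will see, in the order offered."""
    for code, val in parse_options(option_blob):
        if code == OPT_ROUTER:
            return [str(ipaddress.IPv4Address(val[i:i + 4]))
                    for i in range(0, len(val) - len(val) % 4, 4)]
    return []


def _ip(a):
    return ipaddress.IPv4Address(a).packed


# Constructed server replies: the outside DHCP server offers its own routers.
OFFER_WITH_ROUTER = build_options([
    (OPT_MSGTYPE, b"\x02"),                          # DHCPOFFER
    (OPT_SERVER_ID, _ip("201.168.200.4")),
    (OPT_MASK, _ip("255.255.255.0")),
    (OPT_ROUTER, _ip("10.0.1.254") + _ip("10.0.1.253")),
    (OPT_LEASE, (3600).to_bytes(4, "big")),
])
OFFER_NO_ROUTER = build_options([
    (OPT_MSGTYPE, b"\x02"),
    (OPT_SERVER_ID, _ip("201.168.200.4")),
    (OPT_MASK, _ip("255.255.255.0")),
])

if __name__ == "__main__":
    # 10.0.1.1 stands in for the appliance's inside interface address.
    for name, blob in (("with option 3", OFFER_WITH_ROUTER),
                       ("without option 3", OFFER_NO_ROUTER)):
        print(name, "before:", routers(blob),
              "after setroute:", routers(apply_setroute(blob, "10.0.1.1")))
```

The point to take away is that with setroute the client's default gateway is the appliance regardless of what the server sent, but every other option in the reply passes through untouched, so the DHCP server on the far interface still controls DNS, domain, and any vendor options. Without setroute, a server that hands out a router address the client cannot reach through the appliance leaves the client with a dead default route.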

Configuring the DHCP Client

To configure a security appliance interface as a DHCP client, enter the following command in interface configuration mode:

hostname(config-if)# ip address dhcp [retry num] [setroute]

The optional retry num argument specifies the number of times the interface will attempt to contact a DHCP server. The default value is 4, the maximum value is 48. The setroute keyword causes the security appliance to set the default route using the default gateway the DHCP server returns.


Note You cannot enable a DHCP server or DHCP Relay services on an interface that is configured as a DHCP client.