Table Of Contents
Cisco AXP Advanced Networking
Source-based IP Routing
Access Control List
Verifying Access Control Lists
Configuring Source-Based Routing
Source-Based Routing Example
VLAN and Virtual Interfaces
Configuring a Virtual Interface
Configuring a VLAN Interface
VLAN Configuration Example
Cisco AXP Advanced Networking
Source-based IP Routing
Source-based IP routing selects the outbound interface from the source address of a packet rather than from its destination alone. It is necessary for application-initiated data transfer, such as client applications, when more than one interface is bound to an application instance, because a destination-only lookup cannot tell which of those interfaces the traffic should leave on.
Source-based routing is implemented for server applications so that response packets are routed back through the interface on which the request arrived, independently of the destination address.
Consider traffic entering the Cisco AXP service module through an Ethernet interface, for example eth0.20, from an external IP address X. When the Cisco AXP application generates a reply, the reply packet carries the address of eth0.20 as its source and X as its destination.
If source-based routing is not applied, this packet follows the default route through eth0 and leaves on a different interface from the one the request arrived on. Source-based routing routes traffic based on the source IP address and sends it through the originating interface, which in this example is eth0.20.
Note
For the Cisco AXP network configuration, the destination interface to which you send the response packet is the same as the incoming interface.
If an application specifies the source IP address when it opens a socket (that is, binds to a particular local address), source-based routing uses that address to select the interface on which the traffic is sent.
Access Control List
Configuring an access control list (ACL) on the Cisco AXP platform is similar to configuring an ACL on Cisco IOS software.
Packet filtering helps control packet movement through the network by helping to limit network traffic and restrict network use by certain users or devices. Use ACLs to permit or deny packets from crossing specified interfaces.
Using the ip access-list standard command enables standard ACL configuration mode (config-std-nacl). You can then configure the permit command in ACL sub-mode (config-std-nacl) to set up the standard IP access list.
SUMMARY STEPS
1.
configure terminal
2.
ip access-list standard {acl-name | acl-num}
3.
[line-num] permit {source-ip [wildcard]| host source-ip | any}[log]
DETAILED STEPS
Step 1
configure terminal
Example:
SE-Module> configure terminal
Purpose: Enters global configuration mode.

Step 2
ip access-list standard {acl-name | acl-num}
Example:
se_module (config)> ip access-list standard test
Purpose: Enables standard ACL configuration mode (config-std-nacl). All subsequent commands apply to the current standard access list.
acl-name—Access list to which all commands entered from ACL configuration mode apply, using an alphanumeric string of up to 30 characters, beginning with a letter.
acl-num—Access list to which all commands entered from access list configuration mode apply, using a numeric identifier. For standard access lists, the valid range is 1 to 99.

Step 3
[line-num] permit {source-ip [wildcard] | host source-ip | any} [log]
Example:
se-Module(config-std-nacl)> permit 155.168.10.0
se-Module(config-std-nacl)> permit any
Purpose: Adds a line to a standard access list that specifies the source addresses whose packets are permitted for further processing. Entries are evaluated in order, so place the more specific entry first; in the example the single-address entry precedes the catch-all any.
The permit command is used in standard ACL configuration mode (config-std-nacl).
line-num—(Optional) Inserts the entry at a specific line number in the access list.
permit—Allows packets that match the specified conditions to be processed.
source-ip—Source IP address: the network or host from which the packet is being sent, specified as a 32-bit quantity in four-part dotted-decimal format (for example, 155.168.10.0).
wildcard—(Optional) Portions of the preceding IP address to match, expressed in four-part dotted-decimal notation. A 0 bit means the corresponding address bit must match; a 1 bit means it is ignored. This is the inverse of a subnet mask, so 0.0.0.255 matches a whole /24 network. When the wildcard is omitted, only the exact source-ip address matches.
For standard IP ACLs, the wildcard parameter is always optional. If the host keyword is specified, the wildcard parameter is not allowed.
host—Matches only the single IP address that follows.
any—Matches any IP address.
log—(Optional) Sends a logging message to the console about packets matching the entry.
The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets.
The message is generated for the first packet that matches the entry, and then repeats at 5-minute intervals, including the number of packets permitted or denied in the previous 5-minute interval.
Verifying Access Control Lists
To view the access control lists configured on the platform, use the show ip access-list command in Cisco AXP EXEC mode, as described in the following step.
SUMMARY STEPS
1.
show ip access-list [<1-99> | <name> ][ interface intf ] [details]
DETAILED STEPS
Step 1
show ip access-list [<1-99> | <name>] [interface <intf>] [details]
Example:
SE-Module> show ip access-list
Purpose: Lists the rule set of the access list specified by number or name, or the access list associated with a specific interface.
If no access-list number or name and no interface is given, the command lists the entire rule set of all access lists configured on the system.
1-99—Access list number.
name—Access list name.
intf—Interface name.
details—Displays the iptables chain that the access list is compiled into, in raw iptables format. Use it to confirm that the rules actually installed on the module match the access list you configured.
Configuring Source-Based Routing
Route Map Policy
Only one route map is applied under the ip local policy command, so configure a single route-map set for source-based routing. Do not configure a second set, even if it would not be used.
SUMMARY STEPS
1.
Configure the following Cisco IOS commands on the router. Configuration steps here include configuring the Virtual Private Network (VPN) routing/forwarding (VRF) tables. For more information on VRF-Lite, refer to Configuring VRF-Lite.
configure terminal
ip vrf vrf-name
rd route-distinguisher
route-target export route-target-ext-community
route-target import route-target-ext-community
interface GigabitEthernet 0/1
ip address ip-address network-mask
duplex auto
speed auto
ip vrf forwarding vrf-name
interface Integrated-Service-Engine 1/0
ip unnumbered GigabitEthernet0/0
service-module ip address ip-address network-mask
service-module ip default-gateway ip-address
no keepalive
interface Integrated-Service-Engine 1/0.1
encapsulation dot1q vlan-id
ip address ip-address network-mask
ip vrf forwarding vrf-name
exit
2.
Configure the following Cisco AXP commands on the service module:
a.
Create a connected route for the route table:
configure terminal
interface device-name
ip address ip-address network-mask
ip route table table-num
exit
b.
Set up an access list to match the source address of eth0.x.
ip access-list standard {acl-name | acl-num}
[line-num] permit {source-ip [wildcard]| host source-ip|any}[log]
exit
c.
Create a route map policy to associate source address matching.
route-map map-tag number
match ip address {acl-num | acl-name }
set route table table-num
exit
ip local policy route-map map-tag
ip route table num dest-prefix net-mask default-gw
ip route table num dest-prefix net-mask blackhole
exit
DETAILED STEPS

Step 1
Configure the following Cisco IOS commands on the router (includes configuring the routing/forwarding tables for the VRF):

configure terminal
Example:
Router# configure terminal
Purpose: Enters global configuration mode.

ip vrf vrf-name
Purpose: Configures a VRF routing table and enters VRF configuration mode.
vrf-name—Name assigned to the VRF.

rd route-distinguisher
Example:
Router(config-vrf)# rd 200.7.7.1:10
Purpose: Creates the routing and forwarding tables for the VRF. The 8-byte route distinguisher is added to each IPv4 prefix to form a VPN-IPv4 prefix that is unique across VRFs.

route-target export route-target-ext-community
Purpose: Creates a route-target extended community that is attached to routes exported from this VRF.

route-target import route-target-ext-community
Purpose: Imports into this VRF the routes that carry the specified route-target extended community.

exit
Purpose: Exits VRF configuration mode.

interface GigabitEthernet 0/1
Purpose: Selects the interface to configure and enters interface configuration mode.

ip address ip-address network-mask
Purpose: Sets the IP address and network mask of the interface.

duplex auto
Purpose: Configures the duplex operation of the interface.
auto—Enables duplex autonegotiation. The interface operates at half or full duplex depending on:
– Environmental factors, such as the type of media.
– Transmission speeds of the peer routers, hubs, and switches in the network.

speed auto
Purpose: Configures the speed of the Ethernet interface.
auto—Enables speed autonegotiation. A Gigabit Ethernet interface operates at 10, 100, or 1000 Mbps depending on:
– Environmental factors, such as the type of media.
– Transmission speeds of the peer routers, hubs, and switches in the network.

ip vrf forwarding vrf-name
Purpose: Associates the VRF with the interface or subinterface.
vrf-name—Name assigned to the VRF.
Note Cisco IOS removes any IP address already configured on the interface when you enter ip vrf forwarding. Re-enter the ip address command afterwards and confirm with show ip interface brief that the address is present.

interface Integrated-Service-Engine 1/0
Purpose: Selects the service-module interface and enters interface configuration mode.

ip unnumbered GigabitEthernet0/0
Purpose: Enables IP processing on the interface without assigning it an explicit IP address; the interface borrows the address of GigabitEthernet0/0.

service-module ip address ip-address network-mask
Purpose: Specifies the IP address and mask of the service module's interface to the router (eth0 on the Cisco AXP side).

service-module ip default-gateway ip-address
Purpose: Specifies the IP address of the default gateway router for the module.

no keepalive
Purpose: Disables the sending of keepalive packets on the interface.

interface integrated-service-engine 1/0.1
Example:
Router(config)# interface integrated-service-engine 1/0.1
Purpose: Creates the subinterface and enters subinterface configuration mode.

encapsulation dot1q vlan-id
Example:
Router(config-subif)# encapsulation dot1q 10
Purpose: Configures the subinterface as a VLAN subinterface.
dot1q—Defines the encapsulation format as IEEE 802.1Q VLAN.
vlan-id—Number that identifies the VLAN. The router applies the service policy of the physical interface to all of the individual VLANs configured on the interface.

ip address ip-address network-mask
Example:
Router(config-subif)# ip address 209.165.201.1 255.255.255.224
Purpose: Sets the IP address of the subinterface.

ip vrf forwarding vrf-name
Example:
Router(config-subif)# ip vrf forwarding red
Purpose: Places the subinterface in the VRF so that traffic relayed over this VLAN uses the VRF routing table.
vrf-name—VRF table name.
Note As above, entering ip vrf forwarding clears an existing IP address from the subinterface; configure the address again afterwards.

exit
Purpose: Exits subinterface configuration mode.

Step 2
Configure the following Cisco AXP commands on the service module:

configure terminal
Example:
se-Module> config t
Purpose: Enters global configuration mode.

interface device-name
Example (prompt after entering the command):
se-Module(config-interface)>
Purpose: Enters interface mode for the named network interface.
device-name—Ethernet device name. For example, eth0 or eth1 for a built-in physical interface, eth0:1 for a virtual interface, or eth0.1 for a VLAN interface.
• You can configure the virtual or VLAN interfaces only if these interfaces are not bound to the virtual hosting environment.

ip address ip-address network-mask
Purpose: Sets the IP address of the interface.

ip route table table-num
Purpose: Sets up the connected route for this interface in the given route table.
table-num—Route table number from 1 to 100.

exit
Purpose: Exits interface mode.

ip access-list standard {acl-name | acl-num}
Example:
se_Module(config)> ip access-list standard
Purpose: Enables standard ACL configuration mode (config-std-nacl). All subsequent commands apply to the current standard access list.
acl-name—Access list to which all commands entered from ACL configuration mode apply, using an alphanumeric string of up to 30 characters, beginning with a letter.
acl-num—Access list to which all commands entered from access list configuration mode apply, using a numeric identifier. For standard access lists, the valid range is 1 to 99.
You can set further options under standard ACL configuration mode (config-std-nacl) as shown in the following steps.

[line-num] permit {source-ip [wildcard] | host source-ip | any} [log]
Example:
se-Module(config-std-nacl)> permit
Purpose: Adds a line to the standard access list that specifies the source addresses whose packets are permitted for further processing. For source-based routing the entry should match the address of the interface (eth0.x) whose traffic is to be steered into the route table.
Use the permit command in standard ACL configuration mode (config-std-nacl).
line-num—(Optional) Inserts the entry at a specific line number in the access list.
permit—Allows packets that match the specified conditions to be processed.
source-ip—Source IP address: the network or host from which the packet is being sent, specified as a 32-bit quantity in four-part dotted-decimal format.
wildcard—(Optional) Portions of the preceding IP address to match, expressed in four-part dotted-decimal notation. A 0 bit means the corresponding address bit must match; a 1 bit means it is ignored. When the wildcard is omitted, only the exact source-ip address matches.
Note For standard IP ACLs, the wildcard parameter is always optional. If the host keyword is specified, the wildcard parameter is not allowed.
host—Matches only the single IP address that follows.
any—Matches any IP address.
log—(Optional) Sends a logging message to the console about packets matching the entry.
The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets.
The message is generated for the first packet that matches the entry, and then repeats at 5-minute intervals, including the number of packets permitted or denied in the previous 5-minute interval.

exit
Purpose: Exits access list configuration mode.

route-map map-tag number
Example:
se-Module(config)> route-map
Purpose: Enters route map configuration mode. The route map ties source-address matching to a specific routing table.
map-tag—Name of the route map.
number—Route map number from 1 to 100.

match ip address {acl-num | acl-name}
Example:
se-Module(config-route-map)> match
Purpose: Matches the source address of the packet against the named or numbered access control list.
acl-num—Access control list number.
acl-name—Name of the access control list.

set route table table-num
Example:
se-Module(config-route-map)> set
Purpose: Sets the route table used for packets that match the access list.
table-num—Same table number as in the ip route table command.

exit
Purpose: Exits route-map configuration mode.

ip local policy route-map map-tag
Example:
se-Module(config)> ip local policy route-map
Purpose: Applies the route map to locally generated traffic (policy routing). Only one route map can be applied.
map-tag—Name; must match the map-tag in the route-map command.

ip route table table-num dest-prefix net-mask default-gw
Example:
se-Module(config)> ip route table
Purpose: Adds a route to the given table: packets to dest-prefix/net-mask are sent to default-gw. A destination of 0.0.0.0 0.0.0.0 creates the default route of that table.
table-num—Same table number as in the ip route table command.
dest-prefix—Destination prefix
net-mask—Network mask
default-gw—Next-hop gateway

ip route table table-num dest-prefix net-mask blackhole
Example:
se-Module(config)> ip route table
Purpose: Adds a route to the given table that silently drops packets to dest-prefix/net-mask. Use it, for example, to make sure that traffic steered into this table cannot be forwarded by a route in another table when no more specific route applies.
table-num—Same table number as in the ip route table command.
dest-prefix—Destination prefix
net-mask—Network mask
blackhole—Drops packets that match the route instead of forwarding them.

exit
Purpose: Exits global configuration mode.
Source-Based Routing Example
Source-Based IP Routing
The following commands are entered on the Cisco AXP service module:
ip route table 10 <-- sets up the connected route for table 10
ip address 209.165.201.1 255.255.255.224
ip address 11.11.10.2 255.255.255.0
ip access-list standard 100
permit 10.7.8.9 <-- source address that will be used for source-based routing
ip access-list standard 200
ip route table 10 0.0.0.0 0.0.0.0 10.7.8.10 <-- defines the default route in table 10
ip route table 20 0.0.0.0 0.0.0.0 11.11.10.3 <-- defines the default route in table 20
match ip address 100 <-- defines the source-based routing address and routing table
ip local policy route-map CLASSIFY
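The mechanics described in the Source-based IP Routing and Access Control List sections, as an added example rather than code from the Cisco AXP documentation: a small Python model of standard-ACL matching (wildcard bits, host, any) and of the route-map/route-table selection that ip local policy performs, built with the addresses from the example above. The ACL 200 entry, the blackhole route for 192.0.2.0/24 and the external address 198.51.100.7 are constructed for the example. The implicit deny at the end of an access list, and the fall-through to the main table when a selected table has no matching route, are assumptions taken from Cisco IOS and Linux policy-routing behaviour, not statements on this page.

```python
"""Model of Cisco AXP standard ACL matching and source-based (policy) routing.
Added example; addresses marked 'page' come from the example above, the rest are constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPV4_MASK = 0xFFFFFFFF


def wildcard_match(addr: str, base: str, wildcard: str = "0.0.0.0") -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is
    ignored. An omitted wildcard (0.0.0.0) is therefore an exact host match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & IPV4_MASK
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


@dataclass
class AclEntry:
    action: str               # "permit" or "deny"
    base: Optional[str]       # None stands for the "any" keyword
    wildcard: str = "0.0.0.0"

    def matches(self, src: str) -> bool:
        return self.base is None or wildcard_match(src, self.base, self.wildcard)


class StandardAcl:
    """Ordered standard ACL. Entries are tested top to bottom; a source that matches
    no entry is denied (implicit deny, assumed here as in Cisco IOS)."""

    def __init__(self, name: str):
        self.name = name
        self.entries: list[AclEntry] = []

    def _add(self, action: str, spec: str) -> StandardAcl:
        tokens = spec.split()          # "any" | "host A" | "A" | "A W"
        if tokens == ["any"]:
            self.entries.append(AclEntry(action, None))
        elif tokens[0] == "host" and len(tokens) == 2:
            self.entries.append(AclEntry(action, tokens[1]))
        elif len(tokens) in (1, 2):
            self.entries.append(AclEntry(action, tokens[0], *tokens[1:]))
        else:
            raise ValueError(f"bad ACL entry: {spec!r}")
        return self

    def permit(self, spec: str) -> StandardAcl:
        return self._add("permit", spec)

    def deny(self, spec: str) -> StandardAcl:
        return self._add("deny", spec)

    def evaluate(self, src: str) -> str:
        for entry in self.entries:
            if entry.matches(src):
                return entry.action
        return "deny"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]   # None marks a blackhole route


class RouteTable:
    """One 'ip route table <n>' table; the longest matching prefix wins."""

    def __init__(self):
        self.routes: list[Route] = []

    def add(self, dest_prefix: str, net_mask: str, gateway: str) -> RouteTable:
        net = ipaddress.IPv4Network(f"{dest_prefix}/{net_mask}", strict=False)
        self.routes.append(Route(net, None if gateway == "blackhole" else gateway))
        return self

    def lookup(self, dst: str) -> Optional[Route]:
        d = ipaddress.IPv4Address(dst)
        hits = [r for r in self.routes if d in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


class SourceRouter:
    """'ip local policy route-map': the first route-map entry whose ACL permits the
    source address selects the table; otherwise the main table is used."""

    def __init__(self, main: RouteTable):
        self.main = main
        self.tables: dict[int, RouteTable] = {}
        self.policy: list[tuple[StandardAcl, int]] = []   # (match ip address, set route table)

    def forward(self, src: str, dst: str) -> tuple[str, Optional[str], str]:
        """Return (verdict, next_hop, table) for a locally generated packet."""
        for acl, num in self.policy:
            if acl.evaluate(src) == "permit":
                route = self.tables[num].lookup(dst)
                if route is not None:
                    return ("drop" if route.next_hop is None else "forward"), route.next_hop, f"table {num}"
                # Assumption: a selected table with no matching route falls through to
                # the main table, as a Linux ip-rule lookup does.
        route = self.main.lookup(dst)
        if route is None:
            return "unreachable", None, "main"
        return ("drop" if route.next_hop is None else "forward"), route.next_hop, "main"


def build_example(apply_policy: bool = True) -> SourceRouter:
    """eth0 209.165.201.1/27 with gateway 209.165.201.2 (page), source 10.7.8.9 in table 10
    via 10.7.8.10 (page), source 11.11.10.2 in table 20 via 11.11.10.3 (page).
    The ACL 200 entry and the table-10 blackhole for 192.0.2.0/24 are constructed."""
    router = SourceRouter(RouteTable().add("0.0.0.0", "0.0.0.0", "209.165.201.2"))
    router.tables[10] = (RouteTable().add("0.0.0.0", "0.0.0.0", "10.7.8.10")
                         .add("192.0.2.0", "255.255.255.0", "blackhole"))
    router.tables[20] = RouteTable().add("0.0.0.0", "0.0.0.0", "11.11.10.3")
    if apply_policy:   # route-map CLASSIFY: match ip address <acl>, set route table <n>
        router.policy.append((StandardAcl("100").permit("10.7.8.9"), 10))
        router.policy.append((StandardAcl("200").permit("11.11.10.2"), 20))
    return router
```

build_example(apply_policy=False) reproduces the failure described in the introduction: a reply sourced from 10.7.8.9 leaves via the main-table default gateway 209.165.201.2 on eth0. With the policy applied, the same packet is handed to 10.7.8.10 through table 10, and a destination covered by the blackhole route is dropped instead of falling back to another interface.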
VRF Configuration
In this example, the VRF is named red and dot1Q encapsulation is used with ID tag 10 to relay VRF traffic from the router to the service module.
route-target export 192.0.2.0:10
route-target import 192.0.2.0:10
interface GigabitEthernet0/1
ip address 10.7.7.7 255.255.255.0
interface Integrated-Service-Engine1/0
ip unnumbered GigabitEthernet0/0
service-module ip address 209.165.201.1 255.255.255.224
service-module ip default-gateway 209.165.201.2
interface Integrated-Service-Engine1/0.1
ip address 10.7.8.8 255.255.255.0
VLAN and Virtual Interfaces
Virtual and VLAN interfaces can only be created on configured and nonvirtual interfaces. An appropriate route must be setup on the Cisco IOS software side to direct traffic to the new network.
Table 10 shows an example of VLAN and virtual interface naming differences between Cisco IOS and Cisco AXP (Linux).
Table 10 Differences between VLAN and Virtual Interface Names

VLAN interface
Cisco IOS:
interface Integrated-Service-Engine 1/0.1
ip address 172.23.101.1 255.255.255.0
Cisco AXP:
eth<#>.<#>
Example—eth0.10, where 10 is the VLAN ID tag used to send traffic.

Virtual interface
Cisco IOS:
interface Integrated-Service-Engine 1/0.1
ip address 172.23.101.1 255.255.255.0
Cisco AXP:
eth<#>:<#>
Example—eth0:10, where 10 is a locally significant number used to distinguish the interface within the service module.
Configuring a Virtual Interface
To configure a virtual interface, perform the following steps.
SUMMARY STEPS
1.
configure terminal
2.
interface eth0:x
3.
ip address ip-address network-mask
DETAILED STEPS

Step 1
configure terminal
Purpose: Enters global configuration mode.

Step 2
interface eth0:x
Purpose: Creates the virtual interface and enters interface sub mode.
x—Locally significant interface number.
Note The colon (":") indicates a virtual interface; a dot (".") would indicate a VLAN interface.

Step 3
ip address ip-address network-mask
Purpose: Configures the IP address and network mask of the virtual interface. The new network must also be reachable from the Cisco IOS side, so add the corresponding route on the router (see "VLAN and Virtual Interfaces").
Configuring a VLAN Interface
VLAN needs to be configured on both the router and the Cisco AXP service module. In the router configuration in Step 1 below, the dot (".") in "port.x" indicates a subinterface. Refer to Table 10 for virtual and VLAN naming differences.
For the Cisco IOS software to route traffic to the VLAN interface, the router subinterface must be configured for 802.1Q (dot1q) encapsulation.
dot1q encapsulation affects only traffic that flows through this interface; it does not insert the VLAN tag into end-to-end traffic. If no native VLAN is configured on an interface, Cisco IOS treats VLAN 1 (encapsulation dot1q 1) as the native VLAN by default.
On the Cisco AXP service module, VLAN ID 1 is always the native interface.
Note
It is not possible to ping the Cisco AXP service module from the router when the router subinterface uses encapsulation dot1q 1 and the service module has a subinterface with the matching native VLAN ID of 1 (eth0.1).
Recommendation
Use a VLAN ID greater than 1 unless VLAN ID 1 is required in your network. If you must use VLAN ID 1, add the native keyword to another dot1q subinterface and then use VLAN ID 1, as shown in the "VLAN Configuration Example" section.
To configure a VLAN interface, perform the following steps.
SUMMARY STEPS
1.
On the router side:
configure terminal
ip routing
interface integrated-service-engine slot/port.x
encapsulation dot1q vlanid
ip address ip-address
2.
On the Cisco AXP Service Module:
configure terminal
interface ethport.x
ip address ip-address
DETAILED STEPS

On the router side:

Step 1
configure terminal
Purpose: Enters global configuration mode.

ip routing
Purpose: Enables IP routing on the router.

interface integrated-service-engine slot/port.x
Purpose: Creates the subinterface and enters subinterface configuration mode.
x—Subinterface number.

encapsulation dot1q vlanid
Purpose: Defines the encapsulation format as IEEE 802.1Q (dot1q) and specifies the VLAN identifier.
vlanid—VLAN identifier.
Note Use a VLAN ID greater than 1 where possible (see the Recommendation above).

ip address ip-address
Purpose: Configures the IP address for the subinterface.

On the Cisco AXP service module:

Step 2
configure terminal
Purpose: Enters global configuration mode.

interface ethport.x
Purpose: Enters interface mode for the VLAN interface.
x—VLAN ID; it must match the vlanid configured on the router subinterface.

ip address ip-address
Purpose: Configures the IP address of the VLAN interface, in the same subnet as the router subinterface.
VLAN Configuration Example
On the router:
interface Integrated-Service-Engine 1/0.1 <-- 1/0.1 is a VLAN subinterface
encapsulation dot1Q 10 <-- dot1Q encapsulation for the VLAN
ip address 209.165.201.1 255.255.255.224
interface Integrated-Service-Engine 1/0.2
ip address 209.165.202.1 255.255.255.224
On the Cisco AXP module:
interface eth0.10 <-- eth0.10 is the VLAN interface syntax; 10 is the VLAN ID and matches the dot1Q tag on the router
ip address 209.165.201.2 255.255.255.224
ip address 209.165.202.2 255.255.255.224
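The naming rules from the VLAN and Virtual Interfaces, Configuring a Virtual Interface and Configuring a VLAN Interface sections, as an added example that is not part of the Cisco AXP documentation: a Python validator that parses the Cisco AXP interface names (eth<#>.<#> for a VLAN interface, eth<#>:<#> for a virtual interface), rejects nested names that would put a VLAN or virtual interface on anything but a physical interface, and flags the VLAN 1 case the Note above warns about. The 1 to 4094 VLAN range is the IEEE 802.1Q limit, not a value from this page, and the planned interface lists used below are constructed.

```python
"""Validator for Cisco AXP interface names (added example, not Cisco code)."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# eth<#>            physical interface
# eth<#>.<#>        VLAN interface, number is the 802.1Q tag
# eth<#>:<#>        virtual interface, number is locally significant
_NAME = re.compile(r"^(eth\d+)(?:([.:])(\d+))?$")


@dataclass(frozen=True)
class AxpInterface:
    base: str              # physical interface, e.g. eth0
    kind: str              # "physical", "vlan" or "virtual"
    number: Optional[int]


def parse_interface(name: str) -> AxpInterface:
    """Parse eth0, eth0.10 or eth0:10. Names such as eth0:1.10 are rejected because a
    VLAN or virtual interface may only be created on a nonvirtual interface."""
    m = _NAME.match(name)
    if m is None:
        raise ValueError(f"not a valid Cisco AXP interface name: {name!r}")
    base, sep, num = m.groups()
    if sep is None:
        return AxpInterface(base, "physical", None)
    n = int(num)
    if sep == "." and not 1 <= n <= 4094:      # IEEE 802.1Q tag range (assumption, not from the page)
        raise ValueError(f"VLAN ID {n} is outside the 802.1Q range 1-4094")
    return AxpInterface(base, "vlan" if sep == "." else "virtual", n)


def check_plan(configured_physical: set[str], names: list[str]) -> list[str]:
    """Return the problems a reviewer would flag for a planned set of module interfaces."""
    issues: list[str] = []
    seen: set[str] = set()
    for name in names:
        iface = parse_interface(name)
        if name in seen:
            issues.append(f"{name}: defined twice")
        seen.add(name)
        if iface.kind != "physical" and iface.base not in configured_physical:
            issues.append(f"{name}: base {iface.base} is not a configured physical interface")
        if iface.kind == "vlan" and iface.number == 1:
            issues.append(f"{name}: VLAN 1 is the native VLAN on the module; the router cannot "
                          "reach it through a plain 'encapsulation dot1q 1' subinterface")
    return issues
```

check_plan({"eth0"}, ["eth0.10", "eth0.1", "eth1.20"]) reports the VLAN 1 interface and the VLAN on the unconfigured eth1, while eth0.10 and eth0:2 pass cleanly; the parser itself refuses eth0:1.10, which would stack a VLAN on a virtual interface.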