Router Installation and Configuration Manual/Advanced Ethernet Configuration

From ImageStream Router Documentation

This chapter describes how to configure the ImageStream router's Ethernet ports with VLAN subinterfaces and VRRP, and includes the following topics:
  • Configuring VRRP on an Ethernet Interface
  • Configuring Ethernet VLAN Subinterfaces

Configuring the Virtual Router Redundancy Protocol (VRRP)

Note: The information in this section is for advanced users only. VRRP configuration requires at least two routers or VRRP-capable devices.
The configurations below are based on using two ImageStream routers, though any VRRP-capable device may be used in conjunction with an ImageStream router.

How Does ImageStream Implement VRRP?

  1. VRRP Routers are identified by group using a unique identifier.
  2. A single Master is chosen for the group.
  3. One or more VRRP Routers can be Backups of the group's Master.
  4. The Master communicates its status to the Backup devices.
  5. If the Master fails to communicate its status, VRRP tries each Backup in order of precedence. The responding Backup assumes the role of Master.
Note: VRRP enables redundancy for tunneled/forwarded connections only, so if a VRRP failover occurs, the Backup will only listen to tunneled/forwarded protocols and traffic. Pinging the Backup will not work, since it is not the IP Address Owner. The virtual addresses configured on the Backups for VRRP must match those configured on the interface addresses of the Master.

How to Configure VRRP

In the following configuration, VRRP is configured on the public and private interfaces. VRRP applies only to configurations where two or more devices operate in parallel. All participating routers have identical VRRP and LAN-to-LAN settings. If the Master fails, the Backup begins to service traffic formerly handled by the Master. This switchover occurs in 3 to 10 seconds. While IPSec and Point-to-Point Tunneling Protocol (PPTP) client connections are disconnected during this transition, users need only reconnect without changing the destination address of their connection profile. In a LAN-to-LAN connection, switchover is seamless.
[Figure: Ethernet Configuration.png]
Using the diagram above we will configure VRRP for this fictional network. In this example, there are two networks, 63.67.72.0/24 and 10.10.10.0/24. The "Master" router has the highest priority. To keep things simple, assume that all of the network segments use the same physical topology. Customers with dynamic routing environments (using BGP, OSPF or RIP) should not use virtual addresses from a VRRP ID in the dynamic routing configuration.
"Master" router configuration:
! 
interface Ethernet0 
 #Connects to DES-3326, Port 5 in 3rd floor wiring closet
 #Call Dave at x4653 for cable or port problems 
 description Office LAN 
 ip address 10.10.10.1 255.255.255.0 
 ip address 192.168.1.1 255.255.255.128 secondary 
 ip address 192.168.10.1 255.255.254.0 secondary
 vrrp 1 ip 10.10.10.3 
 vrrp 1 ip 63.67.72.155 secondary
 vrrp 1 priority 200
 vrrp 1 authentication isis
!
interface Ethernet1
 #NOC phone: 800-555-1212 - Our account #58935
 description Connection to co-lo
 ip address 63.67.72.155 255.255.255.0
!


"Backup" router configuration:
! 
interface Ethernet0 
 description Office LAN 
 ip address 10.10.10.2 255.255.255.0
 vrrp 1 ip 10.10.10.3 
 vrrp 1 ip 63.67.72.155 secondary
 vrrp 1 priority 100
 vrrp 1 authentication isis
!
interface Ethernet1 
 description Connection to co-lo 
 ip address 63.67.72.154 255.255.255.0 
! 
The VRRP configuration is identical for the two routers, except for the priority. The "Master" router has its priority set to 200, which will place the second router into a backup mode. There are no limits on the number of Virtual Routers that can be configured using VRRP. There are no limits on the number of Virtual Routers of which a particular VRRP Router can be a member.
The values in the configuration sample above are explained below. For a complete list of VRRP commands see the Command Reference.
vrrp 1 ip 10.10.10.3 - Sets a primary IP address for the virtual router. This address is used by the "Master", and can be taken over by the Backup in the event of the Master VRRP Router's failure. The 1 in the configuration indicates that this virtual router will use a Virtual Router Identification (VRID) of 1.
vrrp 1 ip 63.67.72.155 secondary - Sets a secondary IP address for the virtual router. This address is used by the "Master", and can be taken over by the Backup in the event of the "Master" VRRP Router's failure. The secondary keyword is used for all addresses on a Virtual Router other than the primary address. Only one primary address can be configured on a Virtual Router. Configuring more than one primary address or leaving the secondary keyword off of a secondary address configuration will cause the last primary IP address to be used when the Virtual Router is configured by SAND.
vrrp 1 priority { 100 | 200 } - Sets the VRRP Router's priority in the group. A value of 100 is the default priority, though any number from 0 (lowest) to 254 (highest) may be used for a VRRP Router that is not the IP address owner.
vrrp 1 authentication isis - Requires the members of the group to use simple text password authentication and to use the password isis. The password may be any string of up to 8 characters. Passwords longer than 8 characters will be truncated.
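The rules above (one primary address per virtual router, priority from 0 to 254 with a default of 100, passwords limited to 8 characters, matching virtual addresses on every member) can be checked before a configuration is deployed. The following is an added example, not ImageStream code: the function names and the sample strings are assumptions made for illustration.

```python
import re
from collections import defaultdict

VRRP_RE = re.compile(r"^\s*vrrp\s+(\d+)\s+(ip|priority|authentication)\s+(\S+)\s*(\S*)")

def parse_vrrp(config):
    """Collect one router's 'vrrp <vrid> ...' settings, keyed by VRID."""
    groups = defaultdict(lambda: {"primary": [], "secondary": [], "priority": 100, "auth": ""})
    for line in config.splitlines():
        m = VRRP_RE.match(line)
        if not m:
            continue
        vrid, key, value, extra = int(m[1]), m[2], m[3], m[4]
        if key == "ip":  # no 'secondary' keyword means the address counts as primary
            groups[vrid]["secondary" if extra == "secondary" else "primary"].append(value)
        elif key == "priority":
            groups[vrid]["priority"] = int(value)
        else:
            groups[vrid]["auth"] = value
    return dict(groups)

def lint_pair(master_cfg, backup_cfg):
    """Return findings for a Master/Backup pair; passwords are never echoed."""
    routers = {"master": parse_vrrp(master_cfg), "backup": parse_vrrp(backup_cfg)}
    findings = []
    for vrid in sorted(set(routers["master"]) | set(routers["backup"])):
        for name, groups in routers.items():
            if vrid not in groups:
                findings.append(f"vrid {vrid}: missing on {name}")
                continue
            g = groups[vrid]
            checks = [(len(g["primary"]) != 1, "needs exactly one primary address"),
                      (not 0 <= g["priority"] <= 254, "priority outside 0-254"),
                      (len(g["auth"]) > 8, "password exceeds 8 characters and is truncated")]
            findings += [f"vrid {vrid}: {name} {msg}" for bad, msg in checks if bad]
        m, b = routers["master"].get(vrid), routers["backup"].get(vrid)
        if m and b:
            pair = [(set(m["primary"] + m["secondary"]) != set(b["primary"] + b["secondary"]),
                     "virtual addresses differ"),
                    (m["auth"] != b["auth"], "authentication differs"),
                    (m["priority"] <= b["priority"], "master priority not above backup")]
            findings += [f"vrid {vrid}: {msg}" for bad, msg in pair if bad]
    return findings

# Constructed sample: the backup omits 'secondary' and uses an 11-character password.
MASTER = "vrrp 1 ip 10.10.10.3\nvrrp 1 ip 63.67.72.155 secondary\nvrrp 1 priority 200\nvrrp 1 authentication isis"
BACKUP = "vrrp 1 ip 10.10.10.3\nvrrp 1 ip 63.67.72.155\nvrrp 1 authentication isis-backup"
if __name__ == "__main__":
    print("\n".join(lint_pair(MASTER, BACKUP)))
```

VRRP simple text authentication (RFC 2338) carries the password unencrypted in each advertisement, so treat the password checks here as guarding against misconfiguration rather than as protecting a secret.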

Configuring Virtual LANs (VLANs)

A VLAN is an administratively configured LAN or broadcast domain. Instead of moving devices between different physical LANs, network administrators can configure an Ethernet port on an ImageStream router or an 802.1Q-compliant Ethernet switch to belong to a different VLAN. The ability to move end stations to different broadcast domains by setting membership profiles for each port on centrally managed devices is one of the main advantages of 802.1Q VLANs.
Ethernet VLAN subinterfaces are configured in the same manner as the on-board Ethernet0 device. Add an additional interface command for each Ethernet VLAN port, separating each section with a ! symbol. The syntax of the interface command for VLAN devices is:
     interface DeviceName.VLANid 
In the default example below, we have added a VLAN subinterface on Ethernet0 at VLAN ID 10. Valid VLAN IDs are 1 through 4094.
     ! 
     interface Ethernet0 
     #Connects to DES-3326, Port 5 in 3rd floor wiring closet 
     description Office LAN 
     ip address 10.10.10.1 255.255.255.0 
     ip address 192.168.1.1 255.255.255.128 secondary 
     ip address 192.168.10.1 255.255.254.0 secondary 
     ! 
     interface Ethernet0.10 
     description Customer servers VLAN 
     ip address 63.67.72.155 255.255.255.0 
     ! 
If you want your Ethernet device to transmit and receive only on a VLAN and not transmit or receive untagged frames, set the primary device's IP address to all zeros or omit the ip address line from the configuration. The example below shows Ethernet0 with two VLAN subinterfaces and no IP address configured on Ethernet0:
     ! 
     interface Ethernet0 
     #Connects to DES-3326, Port 5 in 3rd floor wiring closet  
     description Office LAN  
     ! 
     interface Ethernet0.10 
     description Customer servers VLAN #10 
     ip address 63.67.72.155 255.255.255.0 
     ! 
     interface Ethernet0.11 
     description Office servers VLAN #11 
     ip address 12.45.22.1 255.255.255.0 
     ! 
VLAN devices appear as regular devices within the ImageStream router. All Ethernet configuration options, including VRRP configurations, firewall and Quality of Service, are valid for VLAN devices.
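To review which physical ports still handle untagged frames alongside their VLAN subinterfaces, and to catch VLAN IDs outside 1 through 4094, a configuration can be audited as below. This is an added example, not ImageStream code: the function names, the device-name pattern and the `0.0.0.0 0.0.0.0` spelling of an all-zeros address are assumptions.

```python
import re

IFACE_RE = re.compile(r"^\s*interface\s+([A-Za-z]+\d+)(?:\.(\d+))?\s*$")
ADDR_RE = re.compile(r"^\s*ip address\s+(\S+)")

def audit_vlans(config):
    """Per physical device: accepts untagged frames? Which VLAN IDs are valid or invalid?"""
    report, current = {}, None  # current = (device, VLAN ID string or None)
    for line in config.splitlines():
        if line.strip() == "!":          # '!' closes the interface section
            current = None
            continue
        m = IFACE_RE.match(line)
        if m:
            dev = report.setdefault(m[1], {"untagged": False, "vlans": [], "invalid": []})
            current = (m[1], m[2])
            if m[2] is not None:         # subinterface: the valid range is 1-4094
                vid = int(m[2])
                dev["vlans" if 1 <= vid <= 4094 else "invalid"].append(vid)
            continue
        a = ADDR_RE.match(line)
        # An address on the parent (not all zeros) means untagged frames are handled too.
        if a and current and current[1] is None and a[1] != "0.0.0.0":
            report[current[0]]["untagged"] = True
    return report

def mixed_trunks(config):
    """Devices that carry VLAN subinterfaces and still accept untagged frames."""
    return sorted(d for d, r in audit_vlans(config).items()
                  if r["untagged"] and (r["vlans"] or r["invalid"]))

# Constructed sample (not from the page): Ethernet1 is tagged-only, 4095 is out of range.
SAMPLE = """!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0.10
 ip address 63.67.72.155 255.255.255.0
!
interface Ethernet1
 ip address 0.0.0.0 0.0.0.0
!
interface Ethernet1.11
 ip address 12.45.22.1 255.255.255.0
!
interface Ethernet1.4095
 ip address 192.0.2.1 255.255.255.0
!"""
```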