

Setting Up IP Routing for WAN Links


This chapter describes how to configure a RADIUS user profile for IP routing connections, and how to set up static IP routes. The chapter is divided into the following sections:

Before you begin
Introducing IP routing
Overview of IP-routing configuration tasks
Enabling IP routing
Specifying a caller's IP address
Specifying whether RIP sends and receives updates
Requiring that a caller accept an IP address
Defining a pool of addresses for dynamic assignment
Setting up IP redirection
Setting up access to specific DNS servers
Setting up default routes on a per-user basis
Setting up static IP routes
Summarizing host routes in an IP address pool
Setting up an interface-based IP routing connection
Setting up IP multicast forwarding

Before you begin

This section describes the tasks you must perform at the configuration interface and in RADIUS before you begin this chapter.

Preliminary MAX TNT tasks

Before you set up IP routing in RADIUS, you must set up the MAX TNT as a router.

In addition, you must set MAX TNT parameters if you plan to use RADIUS for any of the following tasks:

The sections that follow briefly describe the preliminary tasks. For detailed information, see the MAX TNT Network Configuration Guide.

Requiring a user to accept an IP address from the MAX TNT

Before you require a RADIUS user to accept an IP address from the MAX TNT, you must perform the following tasks at the MAX TNT configuration interface:

  1. Set Assign-Address=Yes in the IP-Answer subprofile of the Answer-Defaults profile. This parameter directs the MAX TNT to try to assign an IP address to a calling device.

  2. Set Must-Accept-Address-Assign=Yes in the IP-Global profile. This setting requires the calling station to accept an IP address. If the calling station rejects the assignment, the MAX TNT ends the call.

    If you set Must-Accept-Address-Assign=No, the MAX TNT accepts the IP address the caller specifies.

Providing DNS access

Before you configure RADIUS to provide access to specific DNS servers, you must provide access to DNS on a system-wide basis by performing the following tasks in the IP-Global profile:

  1. To specify domain names for name lookups, set the Domain-Name and Sec-Domain-Name parameters.

  2. To specify the name servers that are accessible, set the DNS-Primary-Server and DNS-Secondary-Server parameters.

As an option, you can also configure client DNS by setting the Client-Primary-DNS-Server, Client-Secondary-DNS-Server, and Allow-As-Client-DNS-Info parameters in the IP-Global profile.

Turning on the pool-summary feature

Before setting up the pool-summary feature in RADIUS, set Pool-Summary=Yes in the IP-Global profile.

Setting multicast forwarding parameters

If you plan to configure a RADIUS user profile for multicast forwarding, you must set multicast parameters in the IP-Interface and IP-Global profiles at the MAX TNT configuration interface.

Preliminary RADIUS tasks

Before you set IP attributes, you must configure a RADIUS user profile containing:

Table 9-1 lists references for more information.

Table 9-1. Preliminary RADIUS tasks for IP routing

| Task | Reference |
|---|---|
| Setting User-Name, Password, and other authentication attributes | Chapter 3, Setting Up RADIUS Authentication |
| Configuring a PPP, MP, or MP+ connection | Chapter 4, Setting Up PPP, MP, and MP+ Connections |
| Setting up a terminal-server connection | Chapter 6, Setting Up Terminal-Server Connections |
| Setting up a Frame Relay connection | Chapter 7, Setting Up Frame Relay Connections |

Introducing IP routing

The MAX TNT supports IP routing over PPP, MP, MP+, raw TCP, and Frame Relay connections. You can configure IP routing along with IPX routing.

All Ascend products implement system-based routing, in which the entire unit has a single IP address. For systems that have a single backbone connection, system-based routing is the simplest way to configure the MAX TNT. With an alternative method called interface-based routing, each physical or logical interface on the unit has its own IP address. Unless otherwise specified, all sections in this chapter describe how to set up system-based IP routing. For information about setting up interface-based IP routing, see Setting up an interface-based IP routing connection.

Types of IP routes

The sections that follow describe the kinds of routes the MAX TNT uses.

Static routes

A static route is a path, from one network to another, that specifies:

Each IP routing Connection profile, IP-Interface profile, and RADIUS user profile that specifies an explicit IP address defines a static route to the remote or local IP network.

Multipath routes

A multipath route is a static route that distributes the traffic load to a single destination across multiple interfaces.

Dynamic routes

A dynamic route is a path to another network that is learned dynamically rather than configured in a profile. Routers that use RIP broadcast their entire routing table every 30 seconds, updating other routers about which routes are usable. Hosts that run ICMP can also send ICMP Redirects to offer a better path to a destination network. OSPF routers propagate link-state changes as they occur.

How the MAX TNT builds the routing table

When you power on or reset the MAX TNT, it creates a routing table containing all the routes it knows about, including the following:

The MAX TNT cannot read some static routes at power up. These routes do not become part of the routing table until they are up and usable. They include the following:

How the MAX TNT routes IP packets

The MAX TNT routes IP packets between its Ethernet interfaces and across any WAN interface configured for IP routing. It consults its internal routing table to determine where to forward each IP packet it processes. First, the MAX TNT tries to find a match between the packet's destination address and a routing table Destination field. If it finds a match, it brings up the required connection (if necessary) to reach the next-hop router specified for that route, and forwards the packet.

If it does not find a match for the packet's destination address, it looks for a default route (destination address 0.0.0.0). If it finds a default route, it brings up the required connection (if necessary) and forwards the packet. If the routing table has no default route and no route that matches a packet's destination address, the MAX TNT drops the packet.

Overview of IP-routing configuration tasks

For all IP routing connections, you must:

All other tasks are optional, and depend upon the needs of your site. You can carry out one or more of the following:

Enabling IP routing

By default, IP routing is enabled for all user profiles. If you have disabled IP routing, you can re-enable it by setting Ascend-Route-IP=Route-IP-Yes in a user profile.

Specifying a caller's IP address

RADIUS authenticates an incoming call by matching its IP address to one you specify in the RADIUS user profile. To specify the caller's IP address, set the Framed-Address attribute, and optionally, the Framed-Netmask attribute. The settings you specify depend upon whether the remote device is a dial-in PPP host or an IP router.


Note: The most common cause of trouble in establishing an IP connection is incorrect configuration of the IP address or subnet-mask specification for the remote host or calling device.

When the remote device is a dial-in PPP host

When a device connecting to the MAX TNT is a host running PPP dial-in software, the MAX TNT adds a host route to its routing table and functions as an IP router between its local and WAN interfaces. A host route is an IP address with a subnet mask of 255.255.255.255. It represents a single host rather than a remote router. A host route connection enables the dial-in host to keep its own IP address when logging into the MAX TNT IP network.

If the dial-in host has its own IP address, specify the address as the value of the Framed-Address attribute, and set the Framed-Netmask attribute to 255.255.255.255. If the remote device is a dial-in host that accepts dynamic address assignment, accept the default values of 0.0.0.0 for the Framed-Address and Framed-Netmask attributes.

Example of configuring a host connection with a static IP address

In Figure 9-1, the PC is running PPP software and the TCP/IP stack and has an ISDN modem card. If a PC user telecommutes to one IP network and uses an ISP on another IP network, one of those connections can assign an IP address and the other can configure a host route to the PC.

Figure 9-1. Dial-in user requiring a static IP address (a host route)

The PPP software includes settings like the following:

Username=Emma
Accept Assigned IP=N/A (or No)
IP address=10.8.9.10
Netmask=255.255.255.255
Default Gateway=N/A (or None)
Name Server=10.7.7.1
Domain suffix=abc.com
Van Jacobson compression ON

In this example, you would set up the RADIUS user profile as follows:

Emma Password="m2dan", User-Service=Framed-User
    Framed-Protocol=PPP,
    Ascend-Route-IP=Route-IP-Yes,
    Framed-Address=10.8.9.10,
    Framed-Netmask=255.255.255.255,
    Framed-Routing=None,
    Framed-Compression=Van-Jacobson-TCP-IP,
    Ascend-Idle-Limit=20

When the remote device is an IP router

When the device connecting to the MAX TNT is an IP router that belongs to an IP network, the connection results in a route to that remote network or subnet. For this type of configuration, set the Framed-Address attribute to the IP address of the router, and set the Framed-Netmask attribute to its subnet mask. If you omit the subnet mask, the MAX TNT inserts a default subnet mask that assumes that the entire remote network is accessible. In general, if the remote router's address includes a subnet mask, you should include it.

Example of configuring a router connection

In Figure 9-2, the MAX TNT is connected to a corporate IP network and needs a switched connection to another company that has its own IP configuration.

Figure 9-2. A router-to-router IP connection

In this example, to configure the MAX TNT for a connection to the remote site across the WAN, you could set up the RADIUS user profile as follows:

PipelineB Password="m2dan", User-Service=Framed-User
    Framed-Protocol=PPP,
    Ascend-Route-IP=Route-IP-Yes,
    Framed-Address=10.7.8.200,
    Framed-Netmask=255.255.252.0,
    Framed-Routing=Broadcast,
    Framed-Compression=Van-Jacobson-TCP-IP,
    Ascend-Idle-Limit=20

Specifying whether RIP sends and receives updates

You can specify whether RIP sends routing-table updates, receives updates, or both. If you enable RIP to both send and receive RIP updates on the WAN interface, the MAX TNT broadcasts its routing table to the remote network and listens for RIP updates from that network. Gradually, all routers on both networks have consistent routing tables (all of which can become quite large).

Setting the Framed-Routing attribute

To specify RIP behavior for the profile, set the Framed-Routing attribute. You can specify one of the values listed in Table 9-2.

Table 9-2. Framed-Routing settings

| Setting | MAX TNT behavior |
|---|---|
| None (0) | Does not send or receive RIP updates. None is the default. Many sites turn off RIP on the WAN interface in order to avoid storing very large local routing tables. If you turn off RIP, the MAX TNT does not listen to RIP updates across the connection. To route to other networks through that connection, the MAX TNT must rely on static routes you specify in a pseudo-user profile. (For details, see Setting up static IP routes.) |
| Broadcast (1) | Sends RIP version 1 updates, but does not receive them. |
| Listen (2) | Receives RIP version 1 updates, but does not send them. |
| Broadcast-Listen (3) | Sends and receives RIP version 1 updates. |
| Broadcast-v2 (4) | Sends RIP version 2 updates, but does not receive them. Ascend recommends that you specify RIP version 2 updates only. |
| Listen-v2 (5) | Receives RIP version 2 updates, but does not send them. Ascend recommends that you specify RIP version 2 updates only. |
| Broadcast-Listen-v2 (6) | Sends and receives RIP version 2 updates. Ascend recommends that you specify RIP version 2 updates only. |

Special considerations

Because routers send RIP updates every 30 seconds, and RIP traffic resets the idle timer, WAN connections that use RIP never disconnect unless you carry out one of the following tasks:

Example of enabling RIP to send and receive updates

Figure 9-3 shows the MAX TNT and a local client called Emma connecting to a remote access router across the WAN. Each device that acts as a router maintains its own routing table.

Figure 9-3. Enabling RIP to send and receive updates

In the following example, the MAX TNT is configured to send and receive RIP version 2 updates on the connection:

Emma Password="m2dan", User-Service=Framed-User
    Framed-Protocol=PPP,
    Ascend-Route-IP=Route-IP-Yes,
    Framed-Address=10.8.9.10,
    Framed-Netmask=255.255.255.255,
    Framed-Routing=Broadcast-Listen-v2,
    Framed-Compression=Van-Jacobson-TCP-IP,
    Ascend-Idle-Limit=20

Requiring that a caller accept an IP address

You have the option of requiring a caller to accept an IP address from the MAX TNT. The address can be static or dynamic. First, you must set the following parameters at the MAX TNT configuration interface:

Then, you must specify a static address or IP address pool in the RADIUS user profile.

If the calling end accepts the IP address, the MAX TNT sets the Remote-Address parameter (in a Connection profile) or Framed-Address attribute (in a RADIUS user profile) to the assigned address. If a static address is already specified in a Connection profile or RADIUS user profile, it overrides any IP address from an IP address pool.


Note: In some TCP/IP implementations, when the workstation must receive the IP address from the MAX TNT, you must set the workstation's address to 0.0.0.0. Setting the address to any other value tells the workstation to use that value and notify the MAX TNT.

Defining a pool of addresses for dynamic assignment

When the device connecting to the MAX TNT is a host running PPP dial-in software, the MAX TNT adds a host route to its routing table. If the host belongs to its own IP network, the MAX TNT must have a Connection profile or RADIUS user profile stating the host's address and assigning it a 32-bit subnet mask. If the host does not belong to an IP network, the MAX TNT can add it to the local IP network by assigning a local address from a designated pool of addresses. You can designate a pool of addresses on the MAX TNT or in RADIUS.

Introducing IP address pools

A pool is a range of contiguous IP addresses on your local network. The MAX TNT chooses an address from a pool and assigns it to an incoming call when Assign-Address=Yes, or when the calling station requests an address assignment. Assigning an address to a device is called performing dynamic IP. Dynamic IP can apply when the calling end is a station. However, if the calling end is a router, that router usually rejects attempts to perform dynamic IP.

When you set up a pool of addresses, make sure that you do not include addresses that are in use. Although the MAX TNT will inform you of a configuration error if you try to specify a pool whose addresses overlap or conflict with an existing pool, it does not have automatic protection against duplication. If you allocate IP addresses on a separate IP network or subnet, you must make sure that other IP hosts on the local network know about the route to that new network or subnet.


Note: An IP address pool you set up in RADIUS overrides an IP address pool you set up in the MAX TNT configuration interface, but only if you designate the two pools by the same number.

Overview of attributes for IP address pools

Table 9-3 lists the attributes you use for setting up IP address pools.

Table 9-3. IP address pool attributes

| Attribute | Specifies | Possible values |
|---|---|---|
| Ascend-Assign-IP-Pool (218) | Address pool used by incoming calls. | Integer from 1 to 50. The default value is 1. |
| Ascend-IP-Pool-Definition (217) | Pool number, first IP address, and the number of addresses in the pool. | See Table 9-4. |

Configuring IP address pools

To define a pool of IP addresses, you must create a pseudo-user profile that contains the IP address pool definitions. To perform this task:

Then, in a RADIUS user profile, you must specify the address pool from which the caller receives an IP address.

Creating the first line of a pseudo-user profile for IP address pools

Create the first line of a RADIUS pseudo-user profile as follows:

pools-name Password="ascend", User-Service=Dialout-Framed-User

where name is the system name of the MAX TNT (the name specified by the Name parameter in the System profile).

Defining the IP address pools in the pseudo-user profile

To define an address pool, set the Ascend-IP-Pool-Definition attribute. You can specify multiple instances of the attribute. Use the following format:

Ascend-IP-Pool-Definition="num first_ipaddr max_entries"

Table 9-4 describes each Ascend-IP-Pool-Definition argument.

Table 9-4. Ascend-IP-Pool-Definition arguments

| Argument | Specifies |
|---|---|
| num | Number of the pool. The default value is 1. Specify pool numbers starting with 1, unless you have defined pools with the Pool-Base-Address and Assign-Count parameters in the MAX TNT interface, and do not wish to override those settings. In that case, for the num argument, start with one plus the highest number you used for an IP address pool on the MAX TNT. For example, if you set up address pools 1 through 5 on the MAX TNT, specify pool numbers starting with 6 in RADIUS. |
| first_ipaddr | First IP address in the address pool. The address you indicate should not accept a subnet mask, because it always becomes a host route. The default value is 0.0.0.0. |
| max_entries | Maximum number of IP addresses in the pool. The MAX TNT assigns addresses sequentially, from first_ipaddr on, up to the limit of addresses specified by max_entries. The default value is 0 (zero). |

Specifying an IP address pool in a RADIUS user profile

In each RADIUS user profile requiring dynamic addressing for dial-in users, set the Ascend-Assign-IP-Pool attribute to specify the address pool from which RADIUS should assign each user an address. If you set Ascend-Assign-IP-Pool=0, RADIUS chooses an address from any pool that has one available.

Do not set the Framed-Address attribute. If you do, the MAX TNT will require the caller to use the static IP address that the attribute specifies.

Example of configuring IP address pools

Figure 9-4 shows a MAX TNT connected to a dial-in host with a modem and PPP software. The remote host requests a dynamic IP address, and the MAX TNT provides one.

Figure 9-4. An IP routing connection with a dial-in host requiring dynamic IP addressing

The RADIUS pseudo-user profile contains the IP pool definitions. In this example, the profile creates two IP address pools for the MAX TNT to use. Address pool #1 contains a block of 7 IP addresses from 10.1.0.1 to 10.1.0.7. Address pool #2 contains a block of 48 IP addresses from 10.2.0.1 to 10.2.0.48. You would configure the pseudo-user profile as follows:

pools-MAXTNT Password="ascend", User-Service=Dialout-Framed-User
    Ascend-IP-Pool-Definition="1 10.1.0.1 7",
    Ascend-IP-Pool-Definition="2 10.2.0.1 48"

In the user profile, you configure the host to request an address from address pool #1:

Emma Password="m2dan", User-Service=Framed-User
    Framed-Protocol=PPP,
    Ascend-Route-IP=Route-IP-Yes,
    Ascend-Metric=2,
    Framed-Routing=None,
    Ascend-Assign-IP-Pool=1
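
The pool checks described above (no overlapping pools, no addresses already in use) can be run against the pseudo-user profile before it is loaded. The following Python sketch is an added example, not part of the Ascend documentation; the third pool and the static host address are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
from itertools import combinations


def parse_pool_definition(value):
    """Parse "num first_ipaddr max_entries" into (num, first, last)."""
    parts = value.split()
    if len(parts) != 3:
        raise ValueError(f"expected 'num first_ipaddr max_entries', got {value!r}")
    num, max_entries = int(parts[0]), int(parts[2])
    first = ipaddress.IPv4Address(parts[1])
    if max_entries < 1:
        # max_entries defaults to 0, which leaves the pool without addresses.
        raise ValueError(f"pool {num} has no addresses (max_entries={max_entries})")
    # Addresses are assigned sequentially, starting at first_ipaddr.
    last = first + (max_entries - 1)
    return num, first, last


def audit_pools(definitions, static_addresses=None):
    """Return a list of findings for a set of pool definitions.

    definitions: Ascend-IP-Pool-Definition values from the pseudo-user profile.
    static_addresses: {profile_name: Framed-Address} for profiles that use a
    static address (addresses that are already in use).
    """
    findings, pools, seen = [], [], set()
    for value in definitions:
        try:
            num, first, last = parse_pool_definition(value)
        except ValueError as exc:
            findings.append(f"invalid definition: {exc}")
            continue
        if num in seen:
            findings.append(f"pool {num} is defined more than once")
        seen.add(num)
        pools.append((num, first, last))

    # Two inclusive ranges overlap when each starts before the other ends.
    for (n1, f1, l1), (n2, f2, l2) in combinations(pools, 2):
        if f1 <= l2 and f2 <= l1:
            findings.append(f"pools {n1} and {n2} overlap: {max(f1, f2)}-{min(l1, l2)}")

    # A static Framed-Address inside a pool can be handed out a second time.
    for name, addr in sorted((static_addresses or {}).items()):
        ip = ipaddress.IPv4Address(addr)
        for num, first, last in pools:
            if first <= ip <= last:
                findings.append(f"{name}: static address {ip} is inside pool {num}")
    return findings


# The two pools from the example profile above.
PAGE_POOLS = ["1 10.1.0.1 7", "2 10.2.0.1 48"]
# Constructed sample data: a third pool that collides with pool 1, and a
# static host address that falls inside pool 2.
CONSTRUCTED_POOLS = PAGE_POOLS + ["3 10.1.0.5 10"]
CONSTRUCTED_STATIC = {"constructed-host": "10.2.0.20"}

if __name__ == "__main__":
    for definition in PAGE_POOLS:
        num, first, last = parse_pool_definition(definition)
        print(f"pool {num}: {first} to {last}")
    for finding in audit_pools(CONSTRUCTED_POOLS, CONSTRUCTED_STATIC):
        print("finding:", finding)
```
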

Setting up IP redirection

You can configure a RADIUS user profile to automatically redirect incoming IP packets to a host you specify on the local IP network. When you specify IP redirection, the MAX TNT bypasses all internal routing tables, and simply sends all packets it receives on a connection's WAN interface to the specified IP address. IP redirection does not affect outbound packets.

To set up IP redirection:

  1. Specify the User-Name and Password attributes, authentication attributes, and WAN connection attributes.

  2. Set the Framed-Address attribute (and, optionally, the Framed-Netmask attribute) to specify the caller's IP address.

  3. Set Ascend-Route-IP=Route-IP-Yes.

  4. Set Ascend-IP-Direct to the IP address to which the MAX TNT redirects packets from the user. The default value is 0.0.0.0, which specifies that the MAX TNT does not perform IP redirection.

  5. Set Framed-Routing=None.

    Ascend-IP-Direct connections typically turn off RIP. If you configure the connection to receive RIP, the MAX TNT keeps all RIP packets it receives from the remote end and forwards them to the IP address you specify.

  6. Make certain that Framed-Protocol is not set to FR.


Note: Do not set Ascend-IP-Direct and Ascend-FR-Direct in the same user profile. If you do, an error occurs.

Example of configuring IP redirection

The following example shows IP redirection for a PPP link. In Figure 9-5, the MAX TNT redirects incoming packets from Emma to router A on the LAN side of the MAX TNT.

Figure 9-5. Directing incoming IP packets to one local host

Packets destined for Emma are routed normally by the MAX TNT, which means that this connection can receive packets from any source, not just from the IP address to which the incoming packets are sent. You would configure the user profile as follows:

Emma Password="m2dan", User-Service=Framed-User
    Framed-Protocol=PPP,
    Framed-Address=10.8.9.10,
    Framed-Netmask=255.255.252.0,
    Ascend-Route-IP=Route-IP-Yes,
    Ascend-IP-Direct=10.2.3.11,
    Ascend-Metric=2,
    Framed-Routing=None
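
Because redirection bypasses the routing tables, it is worth checking each redirecting profile against the steps and the note above before deploying it. The following Python linter is an added example, not part of the Ascend documentation; the second profile (including its Ascend-FR-Direct value) is constructed sample data, and the function names are hypothetical.

```python
import re

# name=value pairs; a value is a quoted string or runs up to a comma or space.
ATTR_RE = re.compile(r'([A-Za-z][\w-]*)\s*=\s*("[^"]*"|[^,\s]+)')


def parse_profile(text):
    """Return (profile_name, {attribute: value}) for one users-file entry.

    Repeated attributes keep only their last value, which is enough for the
    single-valued attributes checked here.
    """
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    name, _, first = lines[0].partition(" ")
    body = " ".join([first] + lines[1:])
    return name, {k: v.strip('"') for k, v in ATTR_RE.findall(body)}


def lint_ip_direct(text):
    """Check one profile against the IP redirection steps; return findings."""
    name, attrs = parse_profile(text)
    target = attrs.get("Ascend-IP-Direct", "0.0.0.0")
    if target == "0.0.0.0":
        return []  # default value: the profile does not redirect
    findings = []
    if "Framed-Address" not in attrs:
        findings.append("Framed-Address is not set (step 2)")
    # IP routing is enabled by default, so only an explicit other value counts.
    if attrs.get("Ascend-Route-IP", "Route-IP-Yes") != "Route-IP-Yes":
        findings.append("Ascend-Route-IP is not Route-IP-Yes (step 3)")
    routing = attrs.get("Framed-Routing", "None")
    if routing != "None":
        if "Listen" in routing:
            detail = f"received RIP packets are forwarded to {target}"
        else:
            detail = "RIP is not turned off"
        findings.append(f"Framed-Routing={routing}: {detail} (step 5)")
    if attrs.get("Framed-Protocol") == "FR":
        findings.append("Framed-Protocol=FR is set (step 6)")
    if "Ascend-FR-Direct" in attrs:
        findings.append("Ascend-IP-Direct and Ascend-FR-Direct are both set (error)")
    return [f"{name}: {f}" for f in findings]


# The redirection profile from the example above.
PAGE_PROFILE = """
Emma Password="m2dan", User-Service=Framed-User
    Framed-Protocol=PPP,
    Framed-Address=10.8.9.10,
    Framed-Netmask=255.255.252.0,
    Ascend-Route-IP=Route-IP-Yes,
    Ascend-IP-Direct=10.2.3.11,
    Ascend-Metric=2,
    Framed-Routing=None
"""

# Constructed sample profile that breaks steps 5 and 6 and the note.
CONSTRUCTED_PROFILE = """
branch-fr Password="example", User-Service=Framed-User
    Framed-Protocol=FR,
    Framed-Address=10.8.9.10,
    Ascend-Route-IP=Route-IP-Yes,
    Ascend-IP-Direct=10.2.3.11,
    Ascend-FR-Direct=FR-Direct-Yes,
    Framed-Routing=Broadcast-Listen
"""

if __name__ == "__main__":
    for profile in (PAGE_PROFILE, CONSTRUCTED_PROFILE):
        for finding in lint_ip_direct(profile) or ["no findings"]:
            print(finding)
```
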

Setting up access to specific DNS servers

Domain Name Service (DNS) is a TCP/IP service for centralized management of address resolution. Service providers can maintain multiple DNS servers, each one dedicated to a particular client or location. For security reasons, it might be important to ensure that connections are always directed to the correct DNS service. With per-connection DNS access, a service provider can direct specific users to the DNS server appropriate to their service or location.

What is client DNS?

Client DNS enables the MAX TNT to direct incoming connections to DNS servers belonging to a particular location or customer, and to prevent those users from accessing local DNS servers. The addresses configured for client DNS servers are presented to WAN connections during IPCP negotiation.

When you configure RADIUS user profiles, a connection can use one of the following DNS servers:

The MAX TNT uses the global addresses only if a RADIUS user profile does not specify any, or if you set the Ascend-Client-Assign-DNS attribute to DNS-Assign-No.

Overview of attributes for setting up access to specific DNS servers

Table 9-5 lists the attributes you use for setting up access to specific DNS servers.

Table 9-5. RADIUS attributes for specifying DNS servers

| Attribute | Description | Possible values |
|---|---|---|
| Ascend-Client-Assign-DNS (137) | Specifies whether the MAX TNT sends the values for Ascend-Client-Primary-DNS and Ascend-Client-Secondary-DNS during connection negotiation. | DNS-Assign-No (0), DNS-Assign-Yes (1). DNS-Assign-No is the default. |
| Ascend-Client-Primary-DNS (135) | Specifies a primary DNS server address to send to any client connecting to the MAX TNT. | IP address in dotted decimal notation n.n.n.n, where n is a number from 0 to 255. The default value is 0.0.0.0. |
| Ascend-Client-Secondary-DNS (136) | Specifies a secondary DNS server address to send to any client connecting to the MAX TNT. | IP address in dotted decimal notation n.n.n.n, where n is a number from 0 to 255. The default value is 0.0.0.0. |

Specifying DNS servers in a RADIUS user profile

To specify DNS servers in a RADIUS user profile:

  1. Specify the User-Name and Password attributes, authentication attributes, and WAN connection attributes.

  2. Set the Framed-Address attribute (and, optionally, the Framed-Netmask attribute) to specify the caller's IP address.

  3. Set Ascend-Route-IP=Route-IP-Yes.

  4. Set Ascend-Client-Assign-DNS=DNS-Assign-Yes.

  5. Set Ascend-Client-Primary-DNS to the IP address of the primary DNS server.

  6. Optionally, set Ascend-Client-Secondary-DNS to the IP address of the secondary DNS server.

Example of specifying DNS servers in a RADIUS user profile

In Figure 9-6, the user Emma has access to two DNS servers across the WAN.

Figure 9-6. Accessing DNS servers

To specify that Emma can access the DNS servers, you would configure the profile as follows:

Emma Password="m2dan", User-Service=Framed-User
    Framed-Protocol=PPP,
    Framed-Address=11.8.9.10,
    Framed-Netmask=255.255.252.0,
    Ascend-Route-IP=Route-IP-Yes,
    Ascend-Client-Assign-DNS=DNS-Assign-Yes,
    Ascend-Client-Primary-DNS=10.8.9.20,
    Ascend-Client-Secondary-DNS=10.8.9.21

Setting up default routes on a per-user basis

In each RADIUS user profile, you can specify the default route for IP packets coming from the user. The MAX TNT uses the per-user default under the following circumstances:

To specify the default route in a RADIUS user profile, set the Ascend-Client-Gateway attribute to the IP address of the next hop router. Enter the IP address in dotted decimal notation. The Ascend unit must have a direct route to the address you specify. The direct route can take place via a profile or an Ethernet connection. If the Ascend unit does not have a direct route, it drops the packets on the connection.

The default value is 0.0.0.0. If you accept this value, the Ascend unit routes packets as the routing table specifies, using the system-wide default route if it cannot find a more specific route.

The per-user default route applies to all packets the MAX TNT receives for a given profile, regardless of the specific IP source address. Therefore, you can use this feature when the profile belongs to another router, and all hosts behind that router use the default gateway. The MAX TNT handles packets from other users or from the Ethernet network in the usual fashion. The global routing table is not altered. Therefore, when you diagnose routing problems with a profile that implements this feature, an error in a per-user gateway address is not apparent from inspection of the global routing table.

Example of configuring a default route

In Figure 9-7, the default route goes through the device at IP address 10.0.0.3.

Figure 9-7. Using a default route

For example, suppose you specify the following setting in the profile Berkeley:

Berkeley Password="m2dan", User-Service=Framed-User
    Framed-Protocol=PPP,
    Framed-Address=11.8.9.10,
    Framed-Netmask=255.255.252.0,
    Ascend-Route-IP=Route-IP-Yes,
    Ascend-Client-Gateway=10.0.0.3

IP packets from the user Berkeley, with destinations through the default route, go through the router at 10.0.0.3.

Setting up static IP routes

A static route is a path from one network to another. The path specifies the destination network and the router the data uses to get to that network. For routes that must be reliable, you can configure more than one path. In this case, the MAX TNT uses an assigned metric to choose the route.

A dynamic route can hide a static route to the same network if the dynamic route's metric is lower than that of the static route. However, dynamic routes age. If the MAX TNT does not receive route updates, the dynamic routes eventually expire. In that case, the hidden static route reappears in the routing table.

If the MAX TNT has a RADIUS user profile that defines a static route to a destination for which there is also a route in the MAX TNT unit's IP Route profiles or a RADIUS pseudo-user profile, the metric in the RADIUS user profile overrides the metric in the other profiles, but only when the RADIUS user connects.

For example, suppose a MAX TNT has a static route to network 1.10.1.10, with a metric of 10. A user profile in RADIUS has a metric of 7 in a static route to the same network. When the RADIUS user's route is not in use, the MAX TNT routing table indicates that the route has a metric of 10. When the route is in use, the MAX TNT routing table indicates that the route has a metric of 7, with an r in the flags column to indicate that the route came from RADIUS. Furthermore, the route with a metric of 10 remains in the routing table, with an asterisk (*) in the flags column, indicating that it is a hidden route.

Overview of static-route configuration tasks

In RADIUS, you can create a static route:

The sections that follow describe how to set up each type of configuration.

Configuring static IP routes in a pseudo-user profile

When you turn off RIP in a RADIUS user profile (Framed-Routing=None), the MAX TNT does not listen to RIP updates across that connection. To route to other networks through that connection, the MAX TNT must rely on static routes you define in a RADIUS pseudo-user profile.

If you configure the MAX TNT with a subnet address on a backbone network (using the IP-Address parameter in the MAX TNT unit's IP-Interface profile), you must set up a static route to the backbone router on the main network. If you do not, the MAX TNT can only see the subnets to which it is directly connected.

You cannot create static routes for IP addresses the MAX TNT dynamically assigns, because the actual route to those addresses changes with each dynamic assignment.

To set up static IP routes in a RADIUS pseudo-user profile, you must perform the following tasks:

Creating the first line of a pseudo-user profile for static IP routes

You can configure pseudo-users for both global and MAX TNT-specific configuration control of IP dialout routes. The MAX TNT adds the unit-specific dialout routes in addition to the global dialout routes.

For a unit-specific IP dialout route, specify the first line of a pseudo-user profile in the following format:

route-name-num Password="ascend", User-Service=Dialout-Framed-User

For a global IP dialout route, specify the first line of a pseudo-user profile in the following format:

route-num Password="ascend", User-Service=Dialout-Framed-User

The name argument is the system name of the MAX TNT (the name specified by the Name parameter in the System profile), and the num argument is a number in a sequential series, starting at 1.

Specifying static IP routes with the Framed-Route attribute

In each pseudo-user profile, specify one or more routes with the Framed-Route attribute. Use the following format:

Framed-Route="host_ipaddr [/subnet_mask] router_ipaddr metric [private] [profile_name]"

The MAX TNT fetches information from each pseudo-user profile in order to initialize its routing table. Table 9-6 describes each Framed-Route argument.

Table 9-6. Framed-Route arguments

| Syntax element | Specifies |
|---|---|
| host_ipaddr [/subnet_mask] | IP address of the destination host or subnet reached by this route. The default value is 0.0.0.0/0. This setting represents the default route (the destination to which the MAX TNT forwards packets when no route to the packet's destination exists). If the address includes a subnet mask, the remote router you specify is a router to that subnet, rather than to a whole remote network. To specify the entire remote network, do not specify a subnet mask. |
| router_ipaddr | IP address of the router the MAX TNT uses to reach the target destination. The default value is 0.0.0.0. The 0.0.0.0 address is a wildcard entry the MAX TNT replaces with the caller's IP address. When RADIUS authenticates a caller and sends the MAX TNT an Access-Accept message with a value of 0.0.0.0 for the router address, the MAX TNT updates its routing tables with the Framed-Route value, but substitutes the caller's IP address for the router. This setting is especially useful when the MAX TNT assigns an IP address from an address pool and RADIUS cannot know the IP address of the caller. |
| metric | Metric for the route. If the MAX TNT has more than one possible route to a destination network, it chooses the one with the lower metric. The default value is 8. |
| private | Value y if this route is private, or n if it is not private. If you specify that the route is private, the MAX TNT does not disclose the existence of the route when queried by RIP or another routing protocol. The default value is n. |
| profile_name | Name of the outgoing user profile that uses the route. The default value is null. |

How RADIUS adds static IP routes to the routing table

Whenever you power on or reset the MAX TNT, RADIUS adds IP dialout routes to the routing table as follows:

  1. RADIUS looks for profiles having the format route-name-1, where name is the system name.

  2. If at least one such profile exists, RADIUS loads all existing profiles with the format route-name-num to initialize the IP routing table. The variable num is a number in a sequential series starting with 1.

  3. The MAX TNT queries route-name-1, then route-name-2, and so on, until it receives an authentication reject from RADIUS.

  4. RADIUS loads the global configuration profiles. These configurations have the format route-num.

  5. The MAX TNT queries route-1, then route-2, and so on, until it receives an authentication reject from RADIUS.

Example of configuring a static IP route

In Figure 9-8, the remote network for sites B and C does not use RIP, so the MAX TNT cannot learn about it dynamically.

Figure 9-8. A two-hop connection that requires a static route when RIP is off

To enable the MAX TNT to reach site C, you would configure the following static route:

route-1 Password="ascend", User-Service=Dialout-Framed-User
    Framed-Route="10.4.5.0/22 10.9.8.10 1 n inu-out"

Configuring multipath static IP routes in a pseudo-user profile

Multipath static routes distribute the traffic to one destination across the aggregated bandwidth of multiple interfaces. A multipath route consists of two or more static routes that have the same destination address, subnet mask, and metric, but different gateway addresses.

To create a multipath route, set up two or more routes by following the steps in Configuring static IP routes in a pseudo-user profile. Each Framed-Route specification must indicate the same value for host_ipaddr, subnet_mask, and metric, but a different value for router_ipaddr.

Example of configuring a multipath static route

In Figure 9-9, the MAX TNT uses a multipath route to reach the network at 10.4.5.0/22.

Figure 9-9. A connection that uses a multipath static route

To configure a multipath route to the network 10.4.5.0/22, you would configure the following pseudo-user profile:

route-1 Password="ascend", User-Service=Dialout-Framed-User
    Framed-Route="10.4.5.0/22 10.9.8.10 1 n inu-out",
    Framed-Route="10.4.5.0/22 10.9.8.11 1 n inu-out",
    Framed-Route="10.4.5.0/22 10.9.8.12 1 n inu-out"

Configuring static IP routes in a dial-in user profile

You can specify a static route in a dial-in profile by setting either the Framed-Address attribute or the Framed-Route attribute.

Every RADIUS user profile containing a Framed-Address setting specifies a static route.

In addition, suppose you wish to update the MAX TNT unit's routing tables each time it connects to a user whose profile specifies User-Service=Framed-User. In this case, you can set the Framed-Route attribute in an incoming user profile to specify the user's IP address and subnet mask with the host_ipaddr and subnet_mask arguments, respectively. The route you specify in this manner exists only during the time the call is online. However, when you enter a nonzero router address for the router_ipaddr argument, and it is different from the caller's address, the static route of a dial-in framed-user persists even after the connection goes offline.
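The following Python sketch is an added example, not Ascend's code: it parses Framed-Route values in the argument order of Table 9-6, reports which destinations form a multipath route and which fail to because their metrics differ, and applies the dial-in rule above to tell whether a route stays in the table after the call ends. The function names, the treatment of a fourth field of y or n as the private flag, and the TYPO_ROUTES sample are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional

WILDCARD = IPv4Address("0.0.0.0")  # MAX TNT substitutes the caller's address

@dataclass(frozen=True)
class FramedRoute:
    dest: IPv4Address
    prefix_len: Optional[int]      # None when no /subnet_mask was given
    router: IPv4Address
    metric: int
    private: bool = False          # Table 9-6 default: n
    profile_name: Optional[str] = None

def parse_framed_route(value: str) -> FramedRoute:
    """Parse 'host_ipaddr[/subnet_mask] router_ipaddr metric [private] [profile_name]'."""
    fields = value.split()
    if not 3 <= len(fields) <= 5:
        raise ValueError(f"expected 3 to 5 fields: {value!r}")
    host, _, mask = fields[0].partition("/")
    prefix_len = int(mask) if mask else None
    if prefix_len is not None and not 0 <= prefix_len <= 32:
        raise ValueError(f"bad subnet mask in {value!r}")
    rest = fields[3:]
    private = False
    # Assumption: a fourth field of y or n is the private flag, anything else a profile name.
    if rest and rest[0] in ("y", "n"):
        private = rest.pop(0) == "y"
    if len(rest) > 1:
        raise ValueError(f"unexpected trailing fields: {value!r}")
    return FramedRoute(IPv4Address(host), prefix_len, IPv4Address(fields[1]),
                       int(fields[2]), private, rest[0] if rest else None)

def multipath_report(routes):
    """Return (multipath, mismatched): gateways per multipath route, and
    destinations listed with different metrics, which are NOT load-shared."""
    gateways, metrics = defaultdict(set), defaultdict(set)
    for r in routes:
        gateways[(r.dest, r.prefix_len, r.metric)].add(r.router)
        metrics[(r.dest, r.prefix_len)].add(r.metric)
    multipath = {k: sorted(v) for k, v in gateways.items() if len(v) > 1}
    mismatched = {k: sorted(v) for k, v in metrics.items() if len(v) > 1}
    return multipath, mismatched

def persists_after_hangup(route: FramedRoute, caller_ip: str) -> bool:
    """Dial-in profile rule: a nonzero router that differs from the caller's
    address leaves the route in the table after the call goes offline."""
    return route.router != WILDCARD and route.router != IPv4Address(caller_ip)

# The page's multipath profile, then a constructed variant with a metric typo.
PAGE_ROUTES = [parse_framed_route(v) for v in (
    "10.4.5.0/22 10.9.8.10 1 n inu-out",
    "10.4.5.0/22 10.9.8.11 1 n inu-out",
    "10.4.5.0/22 10.9.8.12 1 n inu-out")]
TYPO_ROUTES = PAGE_ROUTES[:2] + [parse_framed_route("10.4.5.0/22 10.9.8.12 2 n inu-out")]
```

Running persists_after_hangup over every Framed-Route in the dial-in profiles gives a list of routes that remain installed when no caller is connected, which is worth reviewing whenever a profile is retired.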

Summarizing host routes in an IP address pool

By default, the MAX TNT adds dynamically assigned IP addresses to the routing table as individual host routes. However, to reduce the size of routing table advertisements, you can summarize the entire pool. When you do so, the router advertises a single route for the network you define in an address pool, rather than an individual host route for each address. The MAX TNT routes packets to a valid host address, and rejects packets with an invalid host address.

To set up the pool-summary feature, you must perform the following tasks:

Making sure that each IP address pool is network aligned

In the pseudo-user profile defining the address pools, set each Ascend-IP-Pool-Definition attribute to network align the IP address pool. (For instructions about setting up address pools, see Defining a pool of addresses for dynamic assignment.)

First, make sure that the first address in the pool is the first host address. The first_ipaddr argument specifies the first IP address in the pool. Subtracting 1 (one) from the first_ipaddr value yields the network alignment (the zero address on the subnet).

Second, the maximum number of entries you specify with the max_entries argument must be two less than the total number of addresses in the pool. The value of max_entries + 2 determines the total number of addresses in the subnet. You can calculate the subnet mask on the basis of this total. For example, suppose you have the following specification for Ascend-IP-Pool-Definition:

Ascend-IP-Pool-Definition="1 10.12.253.1 62"

Because first_ipaddr=10.12.253.1, the network alignment address is 10.12.253.0 (first_ipaddr - 1). Moreover, because max_entries=62, you must specify a subnet mask for 64 addresses (max_entries + 2). The subnet mask for 64 addresses is 255.255.255.192 (256-64=192). The Ascend notation for a 255.255.255.192 subnet mask is /26.

The resulting address-pool network is 10.12.253.0/26. This address and subnet mask become the first values you specify for the Framed-Route attribute in Setting the Framed-Route attribute.

Configuring the static route for each summarized address pool

In a pseudo-user profile, you must set the Framed-Route attribute to create a static IP route to each summarized network. This section provides guidelines for specifying the router in the static route configuration, and describes how to set each argument of the Framed-Route attribute.

(For basic instructions about setting up the pseudo-user profile containing the static IP routes, see Setting up static IP routes.)

Guidelines for specifying the router

Because the MAX TNT creates a host route for every address assigned from the pools, and because host routes override subnet routes, the MAX TNT correctly routes packets whose destination matches an assigned IP address from the pool. However, because the MAX TNT advertises the entire pool as a route, and only knows privately which IP addresses in the pool are active, a remote network might improperly send the MAX TNT a packet with an inactive IP address. If your router is to handle packets with destinations to invalid hosts on the summarized network, the router you specify must be one of the internal interfaces listed in Table 9-7.

Table 9-7. Internal interfaces for invalid hosts

| Interface | Description |
|---|---|
| The reject interface (rj0) | The reject interface has an IP address of 127.0.0.2. When you specify this address as the router to the destination pool network, the MAX TNT rejects packets to an invalid host on that network, appending an ICMP Host Unreachable message. |
| The black-hole interface (bh0) | The black-hole interface has an IP address of 127.0.0.3. When you specify this address as the router to the destination pool network, the MAX TNT silently discards packets to an invalid host on that network. |

Setting the Framed-Route attribute

The Framed-Route attribute has the following format:

Framed-Route="host_ipaddr[/subnet_mask] router_ipaddr metric [private] [profile_name]"

For each Framed-Route attribute:

  1. Set the host_ipaddr argument to the address of the summarized network.

  2. Set the subnet_mask argument to the associated subnet mask, if any.

  3. Set the router_ipaddr argument to the router address for each summarized network. For a discussion of how to set this argument, see Guidelines for specifying the router.

  4. Set the metric argument to 0.

  5. Set the private argument to n for No.

  6. Set the profile_name argument to the name of the outgoing profile that uses the route.

For example, if you want to set up a static IP route with a reject interface for address pool network 10.12.253.0/26, enter the following setting:

Framed-Route="10.12.253.0/26 127.0.0.2 0 n Summary"
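The alignment arithmetic and the resulting Framed-Route value can be checked mechanically. This Python example is added here and is not part of the Ascend documentation; it assumes the three fields of Ascend-IP-Pool-Definition are a pool number, first_ipaddr and max_entries, as in the sample value above, and the function names and the pool_num label are hypothetical. The disposition function is a model of the behaviour described in Table 9-7, not device code.

```python
from ipaddress import IPv4Address, IPv4Network

REJECT_IF = "127.0.0.2"      # rj0: reject with ICMP Host Unreachable (Table 9-7)
BLACK_HOLE_IF = "127.0.0.3"  # bh0: silently discard (Table 9-7)

def summarize_pool(pool_definition, router=REJECT_IF, profile_name="Summary"):
    """Return (network, Framed-Route value) for one Ascend-IP-Pool-Definition value."""
    pool_num, first_ipaddr, max_entries = pool_definition.split()
    total = int(max_entries) + 2        # pool entries plus the two addresses the page adds
    if total < 4 or total & (total - 1):
        raise ValueError(f"pool {pool_num}: max_entries + 2 = {total} is not a power of two")
    network_addr = IPv4Address(first_ipaddr) - 1   # must be the zero address of the subnet
    if int(network_addr) % total:
        raise ValueError(f"pool {pool_num}: {network_addr} is not on a {total}-address boundary")
    prefix_len = 32 - (total.bit_length() - 1)     # 64 addresses -> /26
    network = IPv4Network((network_addr, prefix_len))
    # metric 0 and private n, as the numbered steps above require
    return network, f"{network} {router} 0 n {profile_name}"

def disposition(dest, network, active_hosts, router=REJECT_IF):
    """Model what happens to a packet sent to an address in a summarized pool."""
    addr = IPv4Address(dest)
    if addr not in network:
        return "not-in-pool"
    if addr in active_hosts:
        return "forward"                # the host route overrides the summary route
    return "icmp-host-unreachable" if router == REJECT_IF else "silent-discard"
```

Choosing bh0 over rj0 trades the diagnostic ICMP message for silence: senders to unassigned pool addresses get no reply that confirms the address is unused.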

Setting up an interface-based IP routing connection

In some situations, it is useful to number some of the MAX TNT unit's interfaces, enabling the MAX TNT to operate partially as a system-based router and partially as an interface-based router. Reasons for using numbered interfaces include troubleshooting nailed-up point-to-point connections and forcing routing decisions between two links going to the same final destination. More generally, interface-based routing allows the MAX TNT to operate more as a multihomed Internet host behaves.

You can configure each link in RADIUS as numbered (interface-based) or unnumbered (system-based). If no interfaces are numbered, the MAX TNT operates as a purely system-based router. Before you carry out interface-based routing tasks, be sure to set up the WAN connection.

Special considerations

In system-based routing, each interface that supports TCP/IP has an IP address. The system routes traffic to and from the interface based on the destination address in packets. In interface-based routing, each side of the connection is assigned a unique address that applies only to the connection. Assignment of a unique address is a requirement for some applications, such as SNMP. Interface-based routing operations have the following special features:

Configuring interface-based IP routing attributes

Table 9-8 lists the RADIUS attributes you set for interface-based IP routing.

Table 9-8. RADIUS attributes for interface-based routing

| Attribute | Specifies | Possible values |
|---|---|---|
| Ascend-IF-Netmask (153) | Subnet mask in use for the local numbered interface to the WAN. | IP address in dotted decimal notation n.n.n.n, where n is a number from 0 to 255. The default value is 0.0.0.0. |
| Ascend-IF-Addr | IP address of the local numbered interface to the WAN. | IP address in dotted decimal notation n.n.n.n, where n is a number from 0 to 255. The default value is 0.0.0.0. |
| Ascend-Remote-Addr (154) | IP address of the remote numbered interface to the WAN. | IP address in dotted decimal notation n.n.n.n, where n is a number from 0 to 255. The default value is 0.0.0.0. |

To configure an interface-based routing connection, proceed as follows:

  1. Set up the user profile, specifying the appropriate user name, password, encapsulation method, authentication method, and IP routing parameters.

  2. Set Ascend-Remote-Addr to the IP address of the remote numbered interface.

  3. Set Ascend-IF-Addr to the IP address assigned to the local side of a numbered-interface connection. The address must be unique to the connection. You can assign a fake IP address or an IP address from one of the local subnets. The MAX TNT accepts IP packets destined for the specified address and treats them as destined for the system itself. (The packets may arrive on any interface, and the destination numbered interface need not be in the active state.)

    Note: Ascend-IF-Addr cannot be an address assigned in an IP-Interface profile to one of the MAX TNT unit's real, physical LAN interfaces. Assigning one of the MAX TNT IP addresses will cause routing problems.

  4. As an option, set Ascend-IF-Netmask to the subnet mask in use for the local numbered interface.

Example of configuring an interface-based IP routing connection

Figure 9-10 shows an interface-based IP routing connection. The real, physical MAX TNT Ethernet interface has the IP address 10.5.6.7/24. The other two addresses represent the local and remote sides of the connection.

Figure 9-10. Configuring an interface-based IP routing connection

To configure the connection, you would set up the RADIUS user profile as follows:

Emma Password="m2dan", User-Service=Framed-User
    Framed-Protocol=PPP,
    Ascend-Route-IP=Route-IP-Yes,
    Ascend-Remote-Addr=11.123.4.5,
    Ascend-IF-Addr=10.9.1.212,
    Ascend-IF-Netmask=255.255.255.0,
    Framed-Routing=None,
    Framed-Compression=Van-Jacobson-TCP-IP,
    Ascend-Idle-Limit=20

Setting up IP multicast forwarding

The MAX TNT implements Internet Group Membership Protocol (IGMP) version-1 and version-2, along with configuration options that enable the MAX TNT to communicate with multicast backbone (MBONE) routers and to forward multicast traffic.

What is the MBONE?

The MBONE is a virtual network layered on top of the Internet to support IP multicast routing across point-to-point links. It is used for transmitting audio and video on the Internet in real-time, because multicasting is a much cheaper and faster way to communicate the same information to multiple hosts.

What is a multicast network?

A multicast network is a network in which a router sends packets to all addresses on a subscriber list. This type of network is different from both a unicast network (in which the router sends packets to one user at a time) and a broadcast network (in which the router sends packets to all users, whether they appear on subscription lists or not). The MBONE is a virtual network that actually consists of groups of networks called islands. The islands are connected by tunnels and support IP.

How does the MAX TNT interact with the MBONE?

The MBONE router can reside on the MAX TNT unit's Ethernet interface or across a WAN link. If the router resides across a WAN link, the MAX TNT can respond to multicast clients on its Ethernet interface as well as across the WAN. Figure 9-11 shows an MBONE router on the MAX TNT unit's WAN interface, and several WAN multicast clients. The MAX TNT accesses the MBONE network and starts receiving the MBONE multicasts. It resends the multicast packets to all of its own clients connected to it for MBONE service. The clients wanting MBONE service must implement IGMP.

Figure 9-11. MBONE configuration

To the MBONE, the MAX TNT looks like a multicast client. It responds as a client to IGMP packets it receives from an MBONE router.

To multicast clients on a WAN or Ethernet interface, the MAX TNT looks like a multicast router, although it simply forwards multicast packets on the basis of group memberships. In this implementation, multicast clients cannot source multicast packets; if they do, the MAX TNT discards the packets.

(For complete information about multicast forwarding, see the MAX TNT Network Configuration Guide.)

Configuring multicast forwarding attributes

To configure multicast forwarding in RADIUS, use the attributes listed in Table 9-9.

Table 9-9. Multicast forwarding attributes

| Attribute | Description | Possible values |
|---|---|---|
| Ascend-Multicast-Client (155) | Specifies whether the user is a multicast client of the MAX TNT. | Multicast-No (0), Multicast-Yes (1). Multicast-No is the default. |
| Ascend-Multicast-GRP-Leave-Delay | Specifies the number of seconds the MAX TNT waits before forwarding an IGMP version 2 leave group message from a multicast client. When the MAX TNT receives a leave group message, the unit sends an IGMP query to the WAN interface or client from which it received the message. If the MAX TNT does not receive a response from an active multicast client from the same group, it sends a leave group message when the time you specify expires. | A number from 0 to 120. The default is 0 (zero). If you accept the default, the MAX TNT forwards a leave group message immediately. |
| Ascend-Multicast-Rate-Limit (152) | Specifies how many seconds the MAX TNT waits before accepting another packet from the multicast client. This attribute prevents multicast clients from creating response storms to multicast transmissions. | Any number from 0 to 65,535. If you specify 0 (zero), the MAX TNT does not apply rate limiting. The default value is 100. You must set the rate limit to a number lower than 100 to enable the MAX TNT to forward multicast traffic. |

To configure multicast forwarding:

  1. Set up the user profile, specifying the appropriate user name, password, encapsulation method, and IP routing parameters.

  2. Set Ascend-Multicast-Client=Multicast-Yes to specify that the user is a multicast client of the MAX TNT.

  3. Set Ascend-Multicast-GRP-Leave-Delay to specify how many seconds the MAX TNT waits before forwarding an IGMP version 2 leave group message from a multicast client. If users might establish multiple multicast sessions for identical groups, set Ascend-Multicast-GRP-Leave-Delay to a value of 10 to 20 seconds.

  4. Set Ascend-Multicast-Rate-Limit to specify how many seconds the MAX TNT waits before accepting another packet from the multicast client.

Example of configuring IP multicast forwarding

Figure 9-12 shows a multicast router on one of the MAX TNT unit's Ethernet interfaces, and multicast clients across the WAN. Each client is running Video Audio Tools (VAT) or Windows 95.

Figure 9-12. Using IP multicast forwarding for WAN clients

To set up multicast forwarding on the WAN interfaces that support multicast clients, you would set up a RADIUS user profile for each client, such as the following:

VAT-1 Password="vat1", User-Service=Framed-User
    Framed-Protocol=PPP,
    Framed-Address=11.8.9.10,
    Framed-Netmask=255.255.252.0,
    Ascend-Route-IP=Route-IP-Yes,
    Ascend-Multicast-Client=Multicast-Yes,
    Ascend-Multicast-GRP-Leave-Delay=15,
    Ascend-Multicast-Rate-Limit=5

Win-1 Password="win1", User-Service=Framed-User
    Framed-Protocol=PPP,
    Framed-Address=11.8.9.11,
    Framed-Netmask=255.255.252.0,
    Ascend-Route-IP=Route-IP-Yes,
    Ascend-Multicast-Client=Multicast-Yes,
    Ascend-Multicast-GRP-Leave-Delay=15,
    Ascend-Multicast-Rate-Limit=5

Win-2 Password="win2", User-Service=Framed-User
    Framed-Protocol=PPP,
    Framed-Address=11.8.9.12,
    Framed-Netmask=255.255.252.0,
    Ascend-Route-IP=Route-IP-Yes,
    Ascend-Multicast-Client=Multicast-Yes,
    Ascend-Multicast-GRP-Leave-Delay=15,
    Ascend-Multicast-Rate-Limit=5



Copyright © 1998, Ascend Communications, Inc. All rights reserved.