Because concentrators are used in medium-to-large networks and these networks are composed of many subnets, you'll need to set up routing on your concentrator. The concentrator supports two types of routing: static and dynamic. You can create specific static routes or default routes. In addition, the concentrator supports two dynamic routing protocols: RIP and OSPF. The remaining subsections will discuss the configuration of routing on the concentrator.
Global routing configurations are performed on the IP Routing screen, which is accessed by clicking Configuration > System > IP Routing. The concentrator supports two types of static routes: default and static. Each is discussed in turn in the following sections.
A default route is a gateway of last resort: if a specific route is not found in the concentrator's routing table to reach a destination, the default route is used. To define a default route, click the Default Gateways hyperlink, which takes you to the screen in Figure 10-4.
Figure 10-4. Default Route
Within the screen, there are several parameters, as follows:
You would click the Apply button to accept your configuration.
Static routes typically are used when you aren't using a dynamic routing protocol to reach networks. To create a static route, from the IP Routing screen click the Static Routes hyperlink. This screen will display static routes you have configured. To create a static route, click the Add button, taking you to the screen in Figure 10-5.
Figure 10-5. Static Routes
Within the screen, there are several parameters, as follows:
Last, click the Add button to add the static route.
RIP Routing Protocol
RIP is one of the two dynamic routing protocols that the concentrator supports. Both RIPv1 and RIPv2 are supported, in addition to a compatibility mode. The configuration of RIP is done on the concentrator's interfaces: Configuration > Interfaces. From here, click the hyperlink of the interface; for example, the private interface.
On the Interface screen are four tabs at the top: to enable RIP, click the RIP tab, which displays the screen in Figure 10-6. This is the private interface of the concentrator, for which the default configuration is that inbound RIPv1/2 updates are accepted, but no RIP updates are sent out of the interface.
Figure 10-6. RIP Configuration
In Figure 10-6, the Inbound RIP parameter allows you to specify whether or not you want to learn RIP routes from neighboring RIP routers off this interface. This parameter can be set to "Disabled," "RIPv1 only," "RIPv2 only," or "RIPv2/v1." The Outbound RIP parameter allows you to specify whether or not you want to send RIP updates out of this interface.
Even though RIPv2 is supported, RIPv2 authentication is not; however, other features such as variable-length subnet masks (VLSM) and multicasting are. If you create a default route on the concentrator, it is not propagated via RIP on an interface; however, static routes that you configure on the concentrator are redistributed automatically into RIP and advertised out of interfaces configured for outbound RIP. This also applies to static routes learned via reverse route injection (RRI).
Also, inbound and outbound RIP on the public interface are denied by the public interface filter; to allow inbound and outbound RIP, you must add these rules to the public interface filter. If you have filters on other concentrator interfaces, you'll need to add RIP rules to these also.
OSPF Routing Protocol
The second dynamic routing protocol supported by the concentrator is OSPF (defined in RFC 2328). The configuration of OSPF is slightly different from that of RIP. First, you must enable OSPF, assign the concentrator a router ID, and define the areas the concentrator is connected to. These tasks are performed from the IP Routing screen. Second, as with RIP, you must turn on OSPF on the concentrator's interface(s).
OSPF: IP Routing Screen
The IP Routing screen has two OSPF hyperlinks:
If you click the OSPF hyperlink, you're taken to the screen shown in Figure 10-7. To enable OSPF, click the Enabled check box. You must assign your concentrator a unique router ID that identifies the concentrator in the OSPF network. Normally, an IP address on one of the concentrator's interfaces is used. Once you assign the ID, you can't change it unless you first disable OSPF. The Autonomous System check box needs to be checked if the concentrator is going to be an autonomous system boundary router (ASBR). By enabling this, you can take RIP or static routes in the concentrator's routing table and advertise these into the OSPF process: this is necessary if you're using RRI. Click the Apply button to activate your changes.
Figure 10-7. OSPF Routing Process Configuration
If you click the OSPF Areas hyperlink from the IP Routing screen, you are taken to a screen that displays the areas the concentrator is connected to. To add an area, click the Add button; by default, area 0 (0.0.0.0) already exists on the screen.
Figure 10-8 shows an example of adding an area by clicking the Add button. At the top of the screen, enter the area number in the Area ID text box. Below this, if the concentrator is an area border router (ABR) and you want to generate summarized LSAs, click the Area Summary check box. To import routes (either RIP or static) into the concentrator's OSPF process, change the External LSA Import drop-down selector to "External."
Figure 10-8. OSPF Area Configuration
Once you have configured OSPF globally, you must enable it on your concentrator's interface or interfaces where you want to learn or share OSPF routes. Go to the Configuration > Interfaces screen and click the hyperlink of the interface; then click the OSPF tab. Part of this screen is shown in Figure 10-9.
Figure 10-9. OSPF Interface Configuration
To enable OSPF on the interface, select the OSPF Enabled check box. The only other required parameter is the OSPF area that the interface is associated with: this value defaults to area 0 (0.0.0.0). The other parameters are optional.
One security function you might want to enable in the screen shown in Figure 10-9 is OSPF authentication, which allows you to authenticate routing updates you receive or send. To enable this, set the OSPF Authentication parameter to "MD5," change the OSPF MD5 Authentication Key ID parameter to the correct key number, and set the OSPF Password to the key value used for creating the MD5 hashed output (digital signature). The key number and password will need to match what the other routers are using on the segment connected to this interface.
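To show why the key ID and password on both sides of the segment must match, the following Python example (added here, not from the book or from the concentrator's software) implements the OSPF cryptographic authentication scheme of RFC 2328 Appendix D: the 16-byte key is appended to the packet, MD5 is taken over the result, and the receiver re-computes the digest using the key selected by the Key ID in the header and also checks the cryptographic sequence number against replay. The router ID, area, Hello body and key values are constructed for the example.

```python
import hashlib
import hmac
import struct

AU_CRYPTOGRAPHIC = 2   # OSPF AuType for cryptographic (MD5) authentication
DIGEST_LEN = 16        # MD5 digest length; also the padded key length
HDR_FMT = "!BBH4s4sHHHBBI"  # version, type, length, router ID, area ID,
                            # checksum, AuType, zero, Key ID, auth len, seq
HDR_LEN = struct.calcsize(HDR_FMT)  # 24 bytes

def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    # RFC 2328 D.4.3: key is padded/truncated to 16 bytes and appended
    # to the packet (checksum field already zero); MD5 over the whole thing.
    padded = key.ljust(DIGEST_LEN, b"\x00")[:DIGEST_LEN]
    return hashlib.md5(packet + padded).digest()

def build_authenticated_packet(body, router_id, area_id, key_id, key, seq):
    """Build an OSPF packet (type 1 = Hello) with MD5 auth trailer appended."""
    length = HDR_LEN + len(body)   # length excludes the 16-byte digest
    header = struct.pack(HDR_FMT, 2, 1, length, router_id, area_id,
                         0, AU_CRYPTOGRAPHIC, 0, key_id, DIGEST_LEN, seq)
    packet = header + body
    return packet + ospf_md5_digest(packet, key)

def verify_authenticated_packet(frame, keys, last_seq):
    """Return (ok, reason). keys: {key_id: password}; last_seq: {router_id: seq}."""
    if len(frame) < HDR_LEN + DIGEST_LEN:
        return False, "short packet"
    (_ver, _type, length, router_id, _area, _cksum, autype,
     _zero, key_id, auth_len, seq) = struct.unpack(HDR_FMT, frame[:HDR_LEN])
    if autype != AU_CRYPTOGRAPHIC or auth_len != DIGEST_LEN:
        return False, "not MD5-authenticated"
    if key_id not in keys:              # Key ID must be configured locally
        return False, f"unknown key ID {key_id}"
    if length + DIGEST_LEN != len(frame):
        return False, "length mismatch"
    packet, received = frame[:length], frame[length:]
    expected = ospf_md5_digest(packet, keys[key_id])
    if not hmac.compare_digest(expected, received):   # password mismatch
        return False, "digest mismatch"
    if seq < last_seq.get(router_id, 0):               # replay protection
        return False, "replayed sequence number"
    last_seq[router_id] = seq
    return True, "ok"

# Constructed sample: router 10.0.0.1 in area 0.0.0.0, key ID 1, password s3cret
RID, AREA = bytes([10, 0, 0, 1]), bytes(4)
HELLO_BODY = bytes(20)            # placeholder Hello body for the example
SAMPLE = build_authenticated_packet(HELLO_BODY, RID, AREA, 1, b"s3cret", 100)
```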
Also, inbound and outbound OSPF on the public interface are denied by the public interface filter; to allow inbound and outbound OSPF, you must add these rules to the public interface filter. If you have filters on other concentrator interfaces, you'll need to add OSPF rules to these also.
Once you've configured routing on the concentrator, you can view the concentrator's routing table by going to Monitoring > Routing Table.
If you're using OSPF as a routing protocol in your network and your internal Layer-3 devices are not seeing RRI routes from your concentrator, make sure that RRI has been enabled on the concentrator and that you have configured the concentrator as an ASBR for OSPF and have allowed OSPF external routes.