Setting up a gateway on Cisco Routers: Difference between revisions
Revision as of 19:11, 8 March 2016
To set up a gateway with Cisco you must have a Cisco router (preferably from the 2600 series or above),
preferably with two Ethernet cards (but it can also be done with one Ethernet card).
The example given here is for one Ethernet card.
You have to assign the router's Ethernet card the commercial IP.
The command is:
interface Ethernet0
 ip address <the commercial IP the router sits on> <the netmask of the network>
(it can also be an IP of a network the router sits on, as long as this IP is reachable from the outside world)
The interface name can vary depending on your router: it can be Ethernet0, FastEthernet0, GigabitEthernet0/0, etc.
To see which interfaces you have, so that you can assign them the address, use the command show interfaces and identify the name of the Ethernet card.
Then you have to assign the 44 net IP.
For a router with one card the IP has to be secondary, and the command is:
interface Ethernet0
 ip address <the AMPR IP> <the netmask of the network> secondary
Now some tunnelling commands have to be added to redirect your outgoing traffic, via a tunnel, to the main AMPRNet router. This is needed because every ISP blocks outgoing packets whose source IP is not part of its own network (and the 44 net does not belong to any ISP), so to let 44 net traffic reach the outside world you need a tunnel to the AMPR.ORG router for the outgoing traffic (traffic intended for the Internet, i.e. all IPs that are not part of the 44 net).
To open a tunnel you have to specify the tunnel source address (from where the tunnel is established) and the tunnel destination (where the tunnel is established to). This is done with a few commands, here they are:
interface Tunnel0
 tunnel source <the router's commercial IP>
 tunnel destination <the AMPR.ORG main tunnel router IP>
 tunnel mode ipip
(the tunnel mode command tells the tunnel which mode to use; Cisco supports many tunnelling types)
In addition you must tell the router to pass all the outgoing 44 net traffic to the tunnel interface and not route it directly to the Internet (because, as explained, it would probably be blocked by the closest ISP you are connecting to).
The command to do it is:
ip route 0.0.0.0 0.0.0.0 Tunnel0 <the IP address of the AMPR.ORG main tunnel router>
(0.0.0.0 0.0.0.0 means "everything"; this will be explained later)
Another important command routes the tunnel's own (encapsulated) packets from the router to the main ampr.org router directly, not via the tunnel. This is needed for the tunnel to be established at all: without it the "everything" route would send the tunnel packets back into the tunnel.
This command is more specific than the "everything" route command described before, and tells the router to pass the tunnelled traffic belonging to the other side of the tunnel directly and not via the tunnel.
The command is:
ip route <the ampr.org main tunnel IP> 255.255.255.255 Ethernet0 <your ISP's next-hop IP on the commercial network>
(the next hop is the ISP side of your commercial network, 10.0.0.138 in the example below, not the router's own address)
These are the minimum commands needed to route your inside 44 net IPs to the outside world (but not to any other 44 net networks worldwide).
This method redirects all outgoing traffic (no matter what local IP is used) to the tunnel, and since the AMPR.ORG tunnel only deals with traffic from 44 net IPs, it means that if the router's local LAN is shared by 44 and non-44 IP machines, the non-44 machines will have no connectivity to the world.
To overcome this problem a routing policy has to be used (with the route-map command), because a regular route command routes on the destination IP only, without looking at the source (local net), while a routing policy can do that.
So two policies have to be created: one for all addresses BESIDES the 44 net, which need to be routed directly to the Internet (without the tunnel), and a second one specifically for the 44 net hosts, whose outgoing traffic needs to be redirected to the tunnels.
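The two policies just described, as an added example configuration that is not from the original page. It reuses the addresses of the example router further down (commercial LAN addresses in 10.0.0.0/24, ISP next hop 10.0.0.138, Tunnel0 to the main AMPR router), treats 44.0.0.0/8 as the 44 net, and the ACL and route-map names are assumed.

```cisco
! Added example: policy routing on the LAN interface so that hosts with a
! commercial (non-44) address reach the Internet directly while 44 net hosts
! keep using the tunnels. Addresses and names are assumed, see the lead-in.
!
! Policy 1: everything NOT sourced from the 44 net goes straight to the ISP
! next hop, bypassing the default route that points into Tunnel0. This also
! covers non-44 hosts talking to 44 destinations; the AMPR tunnels would not
! carry their packets anyway.
ip access-list extended pbr_non44_src
 deny   ip 44.0.0.0 0.255.255.255 any
 permit ip any any
!
! Policy 2: 44 net sources. "set default interface" is only used when the
! routing table has nothing more specific than the default route, so the per
! gateway routes (ip route 44.x.y.0 ... TunnelNNN) still win for 44-to-44
! traffic and only Internet-bound packets are pushed into Tunnel0. With the
! default route of this page already pointing into Tunnel0 it is redundant,
! but it keeps the 44 hosts working if the default route is later moved to
! the ISP.
ip access-list extended pbr_44_src
 permit ip 44.0.0.0 0.255.255.255 any
!
route-map lan_pbr permit 10
 match ip address pbr_non44_src
 set ip next-hop 10.0.0.138
!
route-map lan_pbr permit 20
 match ip address pbr_44_src
 set default interface Tunnel0
!
! The policy applies to packets received on Ethernet0 only; packets the
! router itself originates still follow the routing table.
interface Ethernet0
 ip policy route-map lan_pbr
!
! Verify which sequence the LAN traffic is hitting:
!   show route-map lan_pbr
```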
In order to route your traffic to other 44 net gateways you need to build a tunnel interface for every gateway (unlike JNOS, where one tunnel deals with all tunnels), and each tunnel has to have a tunnel source, a tunnel destination (as explained above) and a tunnel mode.
In addition two route lines have to be added:
One is a route command that routes the specific 44 network of the gateway this tunnel deals with into this tunnel.
The other allows the tunnel traffic itself to go through the Internet.
Enclosed is an example from a router that has a tunnel to the main AMPR router and to one gateway somewhere in the world.
The Tunnel0 interface is the main AMPR.ORG router, and the tunnel numbered 741916672 is one tunnel to a gateway.
The Tunnel74xxx section has to be duplicated for every 44 net gateway (of course with the corresponding IP of the specific gateway), currently about 400 times.
TIP: If you are not familiar with Cisco commands you can use the GUI software called Cisco Configuration Professional (CCP) to configure the router.
Later on we will deal with how to create these tunnel configuration lines using a script that takes the info from the ENCAP.TXT file and converts it to Cisco config.
interface Tunnel0
 ip unnumbered Ethernet0
 no ip directed-broadcast
 tunnel source Ethernet0
 tunnel destination 169.228.66.251
 tunnel mode ipip
!
interface Tunnel741916672
 description Link to 44.56.192.0
 ip unnumbered Ethernet0
 ip access-group acl_44 in
 no ip directed-broadcast
 tunnel source 10.0.0.180
 tunnel destination 24.229.88.253
 tunnel mode ipip
!
interface Ethernet0
 description connected to EthernetLAN_HAIFA
 ip address 44.138.1.1 255.255.255.0 secondary
 ip address 10.0.0.180 255.255.255.0
 no ip directed-broadcast
!
ip classless
ip route 0.0.0.0 0.0.0.0 Tunnel0 169.228.66.251
ip route 169.228.66.251 255.255.255.255 Ethernet0 10.0.0.138
ip route 44.56.192.0 255.255.255.0 Tunnel741916672
ip route 24.229.88.253 255.255.255.255 Ethernet0 10.0.0.138
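The example above applies acl_44 inbound on the gateway tunnel but never lists the ACL. What follows is an added, assumed definition (not from the original page) that does the ingress filtering a gateway-to-gateway tunnel needs; it treats 44.0.0.0/8 as the 44 net, and the interface number is the one from the example.

```cisco
! Added example, assumed contents of acl_44 (the page references the name
! only). Inner packets arriving through a gateway-to-gateway tunnel should
! always carry a 44 net source and be bound for a 44 net destination; anything
! else is spoofed or misrouted and would otherwise be forwarded on through
! your default route into Tunnel0, so it is dropped and logged instead.
ip access-list extended acl_44
 permit ip 44.0.0.0 0.255.255.255 44.0.0.0 0.255.255.255
 deny   ip any any log
!
! Applied inbound on every gateway tunnel, as in the example configuration
interface Tunnel741916672
 ip access-group acl_44 in
!
! Do not apply it to Tunnel0: replies from the Internet to your 44 hosts come
! back through the main AMPR.ORG router with non-44 sources and would be dropped.
!
! Hit counters and the logged denies show whether the filter is doing work:
!   show ip access-lists acl_44
!   show logging | include acl_44
```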
Making the route commands automatically
Because the route info of the gateways (the encap file) changes periodically, mainly because a lot of gateways sit on dynamic IPs, and because the tunnel IPs change as a result, you may lose the tunnels to these gateways.
In order to stay "updated" you need to take the new encap file periodically and put it into the Cisco router.
Because the encap file lines are not in a command format that Cisco "understands", a format conversion has to be made to convert the route info in the encap file into commands that Cisco can "understand".
So a script that takes the encap file and makes a new file of Cisco commands must be run.
There are two scripts available that do it, one in Perl and the other in VBS.
The example will give the results of the Perl script.
The Perl script for the Cisco router is enclosed:
#!/usr/bin/perl
# encapconvert.pl V0.1 10-31-12
# Script created by Jason Begley KY9J ky9j.com ky9j@arrl.net
# This script is used for converting the encap.txt file from the AMPR net
# into a loadable config file for use on cisco routers. It is advised to use
# this on a 2600 or better router due to interface limits.
#
# Every encap line ("route addprivate 44.x.y.z/bits encap a.b.c.d") becomes:
#   - a tunnel interface numbered with the decimal value of the 44 network,
#   - a static route sending that 44 network into the tunnel,
#   - a host route sending the gateway's public IP straight to the ISP next hop,
#     so the encapsulated packets are never routed back into a tunnel.
use strict;
use warnings;

#####
# Below are user defined variables
my $loop    = "Ethernet0";   # LOOPBACK INT CHANGE IF ALREADY IN USE
my $outip   = "10.0.0.180";  # YOUR PUBLIC IP ADDRESS
my $loopip  = "44.138.1.1";  # YOUR AMPR IP ADDRESS
my $outif   = "Ethernet0";   # interface towards the ISP (was hard coded as Eth0)
my $nexthop = "10.0.0.138";  # ISP next hop for the gateway host routes (was hard coded)
# EO user defined variables
#####

my $file  = $ARGV[0];
my $debug = $ARGV[1];
if (!$file || $file =~ /--help/) { usage(); exit; }

# Read the encap file and drop empty lines and comments
open(my $encap, '<', $file) or die "cannot open $file: $!\n";
my @lines = grep { !/^\s*$/ && !/^#/ } <$encap>;
close($encap);
chomp(@lines);

open(my $out, '>', 'cisco-config.txt') or die "cannot write cisco-config.txt: $!\n";
# This header is meant for a dedicated Loopback interface carrying the AMPR
# address as a /32. If $loop is your real Ethernet interface (as in the example
# above) it already has the address, so delete these lines before loading.
print $out "!\ninterface $loop\nip address $loopip 255.255.255.255\n!\n";

foreach my $line (@lines) {
    my @ln = split(/ +/, $line);
    next unless @ln >= 5;                # not an encap route line
    my ($n, $s) = split(/\//, $ln[2]);   # "44.x.y.z/bits"
    my $gw = $ln[4];                     # gateway public IP
    $gw =~ s/\s*$//;

    # Pad abbreviated networks such as 44.2/16 out to four octets
    my @oct = map { $_ eq '' ? 0 : $_ } split(/\./, $n);
    push @oct, 0 while @oct < 4;
    my $net = join('.', @oct);

    # A missing prefix length is treated as a host route (/32)
    $s = 32 if !defined $s || $s eq '';
    my $mask  = bits_to_mask($s);
    my $ifid  = ip_to_dec($net);         # tunnel interface number
    my $wmask = wildcard($mask);

    print "*ip info*\n";
    print "NET:$n\nBITS:$s MASK:$mask-$wmask\nGW:$gw\nIF:$ifid\n\n";

    if ($debug) {
        print "LINE:$line\n!\ninterface tunnel $ifid\ndescription Link to $net\n";
        print "ip unnumbered $loop\ntunnel source $outip\ntunnel destination $gw\n";
        print "tunnel mode ipip\n!\n";
    }

    # Our own entry: no tunnel to ourselves and no host route for our own IP
    next if $gw eq $outip;

    print $out "!\n";
    print $out "interface tunnel $ifid\n";
    print $out "description Link to $net\n";
    print $out "ip unnumbered $loop\n";
    print $out "tunnel source $outip\n";
    print $out "tunnel destination $gw\n";
    print $out "ip tcp adjust-mss 1436\n";
    print $out "ip access-group acl_44 in\n!\n";
    print $out "tunnel mode ipip\n!\n";
    print $out "ip route $net $mask tunnel$ifid\n!\n";
    print $out "ip route $gw 255.255.255.255 $outif $nexthop\n";
}
print $out "!\nend\n!\n";
close($out);

sub usage {
    print <<"EOT";
*** This script is for creating a loadable config (copy tftp run) for cisco routers ***
*** Please note that this was tested to work on 2651XM or better, expect poor      ***
*** response on smaller/slower platforms.                                          ***
*** Edit this file and change variables as noted to your values.                   ***
*** File "cisco-config.txt" will be generated in this directory for tftp upload    ***
*** Run as follows:                                                                ***
***   perl encapconvert.pl encap.txt                                               ***
EOT
}

# Dotted IP to its 32-bit decimal value (replaces the original cipdec sub)
sub ip_to_dec {
    my ($ip) = @_;
    my @o = split(/\./, $ip);
    die "invalid IP \"$ip\"\n" if @o != 4 || grep { /\D/ || $_ > 255 } @o;
    return unpack('N', pack('C4', @o));
}

# Prefix length to dotted netmask (replaces the 32 if statements)
sub bits_to_mask {
    my ($bits) = @_;
    die "invalid prefix length \"$bits\"\n" if $bits =~ /\D/ || $bits > 32;
    my $m = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return join('.', unpack('C4', pack('N', $m)));
}

# Netmask to Cisco wildcard mask (replaces the do_subtract sub)
sub wildcard {
    my ($mask) = @_;
    return join('.', map { 255 - $_ } split(/\./, $mask));
}
Before you run the script make sure to take out the line of your own gateway from the encap file.
The result of the script is a set of commands that look like this:
interface tunnel 748306432
 description Link to 44.154.64.0
 ip unnumbered Ethernet0
 tunnel source 10.0.0.180
 tunnel destination 79.107.164.191
 ip tcp adjust-mss 1436
 ip access-group acl_44 in
!
 tunnel mode ipip
!
ip route 44.154.64.0 255.255.255.0 tunnel748306432
!
ip route 79.107.164.191 255.255.255.255 Ethernet0 10.0.0.138
!
This section repeats itself (with a different interface number, destination and route IPs) for every line in the encap file.
When the file is ready (after running the Perl script) you can copy it with an editor and send it to the Cisco router over a terminal (after the config t command) or by TFTP.
The encap file can be fetched automatically from the Portal using the API, and you can push the commands to the Cisco router (after converting the encap file to Cisco commands with the Perl script) with TFTP.
So with a small amount of software work the whole procedure can be done fully automatically.