ip

NAME
SYNOPSIS
DESCRIPTION
GATEWAY SELECTION AND ROUTE PERSISTENCE
SEE ALSO
AUTHOR
COPYRIGHT

NAME

ip - Manage IP addresses and routing configurations

SYNOPSIS

[1] ip [(internal [.<vlan-id] | external | auxiliary) [<ip> [<network-mask>]]]

[2] ip route [(add | add:<network-ip>/<network-mask>:<gateway-ip> | insert:<network-ip>/<network-mask>:<gateway-ip>) <network-ip> <network-mask> <gateway-ip> [<balance-weight> [<pinged-gateway>]]]

[3] ip route [move:(-|+)<ip>/<network-mask>:<gateway-ip> <network-ip> <network-mask> <gateway-ip> | move:<position>]

[4] ip route [raz | del <network-ip> <network-mask> <gateway-ip>]

[5] ip via [raz | (add | del) <gateway-ip> (master backup) [<priority>]]

[6] ip name [raz | (add | del) <name> <ip>]

[7] ip vlan

[8] ip neighbour

DESCRIPTION

The first [1] usage form is used to get or set the internal, external and auxiliary interface IP addresses. The internal interface is mainly used to connect clients or backend Web servers to the appliance and can be considered as a trusted and secure interface. The external interface is used to connect the system to the internet thus considered as an untrusted or non-secure interface. You can use the auxiliary interface for your specific needs (for instance to implement a DMZ or a Back Office zone). If a VLAN identifier is given for the internal interface, the command is applied to the 802.1q pseudo interface in the given VLAN. If no <network-mask> is specified the default network mask 255.255.255.0 is used.

The second [2] usage form allows you to add static IP routes. A static IP route is defined by the couple <network-ip> <network-mask> and followed by a gateway IP address. To set the default route use the keyword default instead of the couple <network-ip> <network-mask> . It is also possible to define the default route by giving the couple 0.0.0.0 0.0.0.0 as the network address.

To add a route at the end all existing routes, use the keyword add. To add a route after a given route, use the keyword add: followed by the route after which the new route should be inserted. To insert a route before a given route, use the keyword insert: followed by the route before which the new rule should be inserted. When adding after or inserting before a give route, the given route should be specified as a network IP address and a network mask separated by the character "/" followed by the character ":" and a gateway IP address.

The third [3] usage form allows you to move an existing route from one position to another in the routing table. To move a route before or after a given route use the keyword move: followed by the sign - (for before) or + (for after), the given route (<network-ip>/<network-mask>:<gateway-ip>) and the route to move (<network-ip> <network-mask> <gateway-ip>). Please note that white spaces are not allowed between the keyword move:, the signs - or + and the given route. To move a route to an absolute position use the move: followed by the position number and the route to move (the first position is the position number 1). Again white spaces are not allowed between the keyword move: and the position number.

The fourth [4] usage form allows you to delete a static route or completely erase the static route list.

If more than one gateway is specified for the same network to route, the traffic is balanced over those gateways. In this case the optional balance weight allows you to privilege a gateway over the others. The balance weight is an integer between 0 and 100. The higher the weigh is, the higher the probability is that the traffic takes a path via a gateway. Specifying the value 0 means that the gateway is in standby and is only activated if all other gateways are unavailable. For the same network to route, only one gateway with the weigh value of 0 allowed. If no weigh is specified, the weigh is set to 50. In order to avoid IP spoofing, multiple gateways for the same network to route should belong to the same connected network. In case of the unavailability of a gateway, the related route is automatically removed from the routing table. If a failed route is reinstated, it is automatically added to the routing table and the overall traffic is balanced over it again.

All routing changes are notified if the monitoring mode (SNMP or other) is activated (see the admin command for further information). A gateway is marked unavailable if it can’t reply to pings (ICMP protocol). In case where the optional <pinged-gateway> is specified, the gateway is marked unavailable if it can’t route pings to that gateway. A pinged gateway (or server) should be a valid IP address (and can’t be a name as ping results may be erroneous due to the non accessibility of DNS servers). It’s a good compromise to specify as pinged gateway, the default gateway configured on the specified gateway (concerned by the route definition). In this case the unavailability of the WAN can be quickly detected while the connectivity test goes beyond the local gateway outage.

When the appliance is behind more than one external gateway (connected to the external interface) that source NAT the traffic with their own (distinct) IP addresses, you should explicitly specify the gateways from which external users can access exposed services via the external interface. For some essential services, you have the possibility to configure specific via gateways per source or destination IP addresses. Those services are the reverse proxy (rweb mode) and the IPsec VPN (vpnipsec mode). For other services the fifth [5] usage form allows you to globally specify via gateways to use. Via gateways can have two roles: the master role and the backup role. When all gateways are available, a master gateway with the highest priority is elected to route the traffic for technical services. The elected gateway is then activated for those services. Please note that at a given point, one and only one gateway is considered as active for technical services. In case of a failure on the active gateway, a backup gateway (with the highest priority) is then elected to be activated. In case where a faulty gateway becomes operational again, the process of electing and activating via gateways is performed again.

To add a master via gateway, use the keywords via add followed by the gateway IP address to use, the keyword master and optionally the priority associated to the specified gateway. To add a backup gateway, use the keyword backup instead of the master keyword. To delete a gateway, use the keyword del instead of add. To erase the list of all via gateways, use the keywords raz. The priority is a numeric value between 0 and 255. If no priority is specified, the priority is set to 110 for a master gateway and to 100 for a backup gateway.

In certain situations, it may help that the system overrides the name to IP resolutions provided by DNS servers. The sixth [6] usage form allows you to manage such overrides with a list of specific name to IP associations. To add an entry to that list, use the keywords name add followed by the name (<name>) to resolve and the specific IP address (<ip>) to associate to it. To delete an entry, use the keywords name del followed by the name (<name>) to remove from that list. To erase the list of specific name to IP associations use the keywords name raz. Please note that some internal names (like localhost) can’t be override as well some IPs (like 127.0.0.1) can’t be associated to a name.

The seventh [7] usage forms prints all IPs associated to 802.1q pseudo network interfaces.

The eighth [8] usage form (ip neighbour) allows you to display the ARP cache entries.

GATEWAY SELECTION AND ROUTE PERSISTENCE

In a multi gateway configuration, default routes are persistent while other routes are not. This means that when for a given connection a default gateway is selected (according to its weight), all traffic related to that connection will pass via the same initial selected gateway. Traffic passing via non default routes can sometimes pass via a gateway and sometimes via another gateway according to their associated weights. When the appliance is behind more than one external gateway (connected to the external interface) that source NAT the traffic with their own (distinct) IP addresses, listening services on the appliance (such as reverse websites) should be explicitly configured to use the right external public gateways. Related commands to configure such services are using the via keyword to define the master and backup gateways to use.

SEE ALSO

admin (1) apply (1) domainname (1) hostname (1) link (1) rweb (1) vlan (1) vpnipsec (1)

AUTHOR

CacheGuard Technologies Ltd <www.cacheguard.com>

Send bug reports or comments to the above author.

COPYRIGHT

Copyright (C) 2009-2024 CacheGuard - All rights reserved