Advanced IP network design [1st ed.] 9781578700974, 1578700973


English Pages 327 Year 1999


Advanced IP Network Design (CCIE Professional Development)
Alvaro Retana, Don Slice, Russ White
Publisher: Cisco Press
First Edition, June 17, 1999
ISBN: 1-57870-097-3, 368 pages

Advanced IP Network Design provides the solutions network engineers and managers need to grow and stabilize large IP networks. Technology advancements and corporate growth inevitably lead to the necessity for network expansion. This book presents design concepts and techniques that enable networks to evolve into supporting larger, more complex applications while maintaining critical stability. Advanced IP Network Design provides you with a basic foundation to understand and implement the most efficient network design around the network core, distribution and access layers, and the common and edge network services. After establishing an efficient hierarchical network design, you will learn to apply OSPF, IS-IS, EIGRP, BGP, NHRP, and MPLS. Case studies support each protocol to provide you with valuable solutions to common stumbling blocks encountered when implementing an IGP- or EGP-based network.

Advanced IP Network Design (CCIE Professional Development)

About the Authors
About the Technical Reviewers
Acknowledgments
Introduction
  What Is Covered
  Motivation for the Book
I: Foundation for Stability: Hierarchical Networks
1. Hierarchical Design Principles
  Where Do You Start?
  The Right Topology
  The Network Core
  The Distribution Layer
  The Access Layer
  Connections to Common Services
  Summary
  Case Study: Is Hierarchy Important in Switched Networks?
  Review
2. Addressing & Summarization
  Summarization
  Strategies for Successful Addressing
  IPv6 Addressing
  General Principles of Addressing
  Summary
  Case Study: Default Routes to Interfaces
  Case Study: Network Address Translation
  Review
3. Redundancy
  Issues and Strategies of Redundancy
  Core Redundancy
  Distribution Redundancy
  Access Redundancy
  Connections to Common Services
  Summary
  Case Study: What's the Best Route?
  Case Study: Redundancy at Layer 2 Using Switches
  Case Study: Dial Backup with a Single Router
  Case Study: Dial Backup with Two Routers
  Review
4. Applying the Principles of Network Design
  Reforming an Unstable Network
  Review

II: Scaling with Interior Gateway Protocols
5. OSPF Network Design
  Dividing the Network for OSPF Implementation
  Case Study: Troubleshooting OSPF Adjacency Problems
  Case Study: Which Area Should This Network Be In?
  Case Study: Determining the Area in Which to Place a Link
  Case Study: Dial Backup
  Case Study: OSPF Externals and the Next Hop
  Review
6. IS-IS Network Design
  Dividing the Network
  Analyzing Routers on the DMZ for External Connections
  Other Factors in IS-IS Scaling
  Troubleshooting IS-IS Neighbor Relationships
  Case Study: The Single Area Option
  Case Study: The Two-Layer Network
  Review
7. EIGRP Network Design
  Analyzing the Network Core for Summarization
  Analyzing the Network's Distribution Layer for Summarization
  Analyzing Routing in the Network's Access Layer
  Analyzing Routes to External Connections
  Analyzing Routes to the Common Services Area
  Analyzing Routes to Dial-In Clients
  Summary of EIGRP Network Design
  Case Study: Summarization Methods
  Case Study: Controlling Query Propagation
  Case Study: A Plethora of Topology Table Entries
  Case Study: Troubleshooting EIGRP Neighbor Relationships
  Case Study: Troubleshooting Stuck-in-Active Routes
  Case Study: Redistribution
  Case Study: EIGRP/IGRP Redistribution
  Case Study: Retransmissions and SIA
  Case Study: Multiple EIGRP ASs
  Review
III: Scaling beyond the Domain
8. BGP Cores and Network Scalability
  BGP in the Core
  Scaling beyond the Core
  Dividing the Network into Pieces
  BGP Network Growing Pains
  Case Study: Route Reflectors as Route Servers
  Case Study: Troubleshooting BGP Neighbor Relationships
  Case Study: Conditional Advertisement
  Case Study: Dual-Homed Connections to the Internet
  Case Study: Route Dampening
  Review

9. Other Large Scale Cores
  NHRP
  Case Study: NHRP in an ATM Network
  MPLS
  Review
IV: Appendixes
A. OSPF Fundamentals
  How OSPF Works
  Router IDs
  LSA Types
  Reliable Flooding of LSAs
  Building Adjacencies
  Adjacencies on Multi-Access Networks
  OSPF and Nonbroadcast Multi-Access Networks
  Areas
  External Route Injection
  Virtual Links
  On-Demand Routing
B. IS-IS Fundamentals
  How IS-IS Works
  End Systems and Intermediate Systems
  CLNS Addressing
  Routing in an IS-IS Network
  Metrics & External Routes in IS-IS Networks
  Building Adjacencies
  LSP Flooding and SPF Recalculation Timers
  Neighbor Loss and LSP Regeneration
  IP Integration into IS-IS
  Multiple net Statements
C. EIGRP Fundamentals
  DUAL Operation
  Establishing Neighbor Relationships in an EIGRP Network
  Metrics in an EIGRP Network
  Loop Free Routes in EIGRP Networks
  Split-Horizon in EIGRP
  Clearing the Topology Table and Querying Neighbors in EIGRP Networks
  Stuck-in-Active Routes
  Bounding Queries in EIGRP Networks
  EIGRP Summarization
  Changing Metrics in EIGRP for Reliable Transport
  Load Balancing in EIGRP Networks
D. BGP Fundamentals
  Mechanics of a Path Vector Protocol
  Path Decision
  Community Strings
  Neighbor Relationships
  Route Filtering in BGP
  iBGP Synchronization

  BGP Summarization
E. Answers to the Review Questions
  Answers to Chapter 1 Review Questions
  Answers to Chapter 2 Review Questions
  Answers to Chapter 3 Review Questions
  Answers to Chapter 4 Review Questions
  Answers to Chapter 5 Review Questions
  Answers to Chapter 6 Review Questions
  Answers to Chapter 7 Review Questions
  Answers to Chapter 8 Review Questions
  Answers to Chapter 9 Review Questions
Glossary
  A B C D E F G–H I–J K–L M N O–P Q–R S T U–Z

About the Authors

Our experience in the networking industry comes from both sides of the fence; we have managed networks, and we've taken calls from panicked engineers when the network melts. We have worked together on resolving issues in both large and small networks throughout the world, which range from minor annoyances to major meltdowns. We've analyzed what went wrong after the meltdown, and we've helped redesign some large networks. All of us currently work for Cisco Systems in various capacities.

Alvaro Retana, CCIE #1609, is currently a Development Test Engineer in the Large Scale Switching and Routing Team, where he works first hand on advanced features in routing protocols. Formerly, Alvaro was a technical lead for both the Internet Service Provider Support Team and the Routing Protocols Team at the Technical Assistance Center in Research Triangle Park, North Carolina. He is an acknowledged expert in BGP and Internet architecture.

Don Slice, CCIE #1929, is an Escalation Engineer at RTP, North Carolina, and was formerly a Senior Engineer on the Routing Protocols Team in the RTP TAC. He is an acknowledged expert in EIGRP, OSPF, and general IP routing issues and is well-known for his knowledge of DECnet, CLNS/ISIS, DNS, among other things. Don provides escalation support to Cisco engineers worldwide.

Russ White, CCIE #2635, is an Escalation Engineer focusing on Routing Protocols and Architecture that supports Cisco engineers worldwide. Russ is well-known within Cisco for his knowledge of EIGRP, BGP, and other IP routing issues.

About the Technical Reviewers

William V. Chernock III, CCIE is a Senior Consultant specializing in Network Architecture and Design. During the past eight years, he has constructed large-scale strategic networks for the top ten companies within the Financial and Health Care Industries. William can be reached at wchernock@aol.com.

Vijay Bollapragada, CCIE is a Senior Engineer on the Internet Service Provider team with Cisco Systems. He works with Core Service Providers on large-scale network design and architectural issues. Vijay can be reached at vbollapr@cisco.com.

Acknowledgments

Thanks to the great folks at Cisco Press, who worked through this entire project with us and gave us a lot of guidance and help.

Introduction

The inevitable law of networks seems to be the following: Anything that is small will grow large, anything that is large will grow into something huge, and anything that is huge will grow into a multinational juggernaut. The corollary to this law seems to be as follows: Once a network has become a multinational juggernaut, someone will come along and decide to switch from one routing protocol to another. They will add one more application, or a major core link will flap, and it will melt (during dinner, of course).

In CCIE Professional Development: Advanced IP Network Design, we intend to present the basic concepts necessary to build a scalable network. Because we work in the "it's broken, fix it (yesterday!)" side of the industry, these basics will be covered through case studies as well as theoretical discussion. This book covers good ways to design things, some bad ways to design things, and general design principles. When it seems appropriate, we'll even throw in some troubleshooting tips for good measure. You will find the foundation that is necessary for scaling your network into whatever size it needs to be (huge is preferred, of course).

What Is Covered

CCIE Professional Development: Advanced IP Network Design is targeted to networking professionals who already understand the basics of routing and routing protocols and want to move to the next step. A list of what's not covered in this book follows:

• Anything other than Cisco routers — You wouldn't expect Cisco Press to publish a book with sample configurations from some other vendor, would you?
• Router configuration — You won't learn how to configure a Cisco router in CCIE Professional Development: Advanced IP Network Design. The primary focus is on architecture and principles. We expect that everyone who reads this book will be able to find the configuration information that they need in the standard Cisco manuals.
• Routing protocol operation — The appendixes cover the basic operation of the protocols used in the case studies, but this isn't the primary focus of our work.
• Routing protocol choice — All advanced routing protocols have strengths and weaknesses. Our intent isn't to help you decide which one is the best, but we might help you decide which one is the best fit for your network. (Static routes have always been a favorite, though.)
• RIP and IGRP — These are older protocols that we don't think are well suited to large scale network design. They may be mentioned here, but there isn't any extensive treatment of them.
• Router sizing, choosing the right router for a given traffic load, and so forth — These are specific implementation details that are best left to another book. There are plenty of books on these topics that are readily available.
• LAN or WAN media choice, circuit speeds, or other physical layer requirements — While these are important to scalability, they are not related to IP network design directly and are covered in various other books on building networks from a Layer 1 and 2 perspective.

OSPF, IS-IS, EIGRP, and BGP are included because they are advanced protocols, each with various strengths and weaknesses, that are widely deployed in large-scale networks today. We don't doubt that other protocols will be designed in the future. Good design is focused on in this book because the foundations of good design remain the same regardless of the link speeds, physical technologies, switching technology, switching speed, or routing protocol used. You won't get network stability by installing shiny, new Layer 2 switches or shiny, new super-fast routers. You won't get network stability by switching from one advanced routing protocol to another (unless your network design just doesn't work well with the one you are using). Network stability doesn't even come from making certain that no one touches any of the routers (although, sometimes it helps). You will get long nights of good sleep by putting together a well-designed network that is built on solid principles proven with time and experience.

Motivation for the Book

The main reason that we wrote this book is because we couldn't find any other books we liked that covered these topics. We also wrote it because we believe that Layer 3 network design is one of the most important and least covered topics in the networking field. We hope you enjoy reading CCIE Professional Development: Advanced IP Network Design and will use it as a reference for years to come. So, sit back in your favorite easy chair and peruse the pages. You can tell your boss that you're scaling the network!

Part I: Foundation for Stability: Hierarchical Networks

Chapter 1 Hierarchical Design Principles
Chapter 2 Addressing & Summarization
Chapter 3 Redundancy
Chapter 4 Applying the Principles of Network Design

Chapter 1. Hierarchical Design Principles

Your boss walks into your cube, throws a purchase order on your desk, and says, "Here, it's signed. Purchasing says a thousand routers are going to take up a lot of space over there, so you need to have your people pick them up as soon as they come in. Now make it work."

Is this a dream or a nightmare? It certainly isn't real—real networks start with two routers and a link, not with a thousand router purchase order. But a network with even ten routers is so small that network design isn't an issue. Right? Wrong. It's never too early to begin planning how your network will look as it grows.

Where Do You Start?

Okay, you've decided you need to start thinking about network design. The best place to start when designing a network is at the bottom: the physical layer. For the most part, physical layer design is about bits and bytes, how to size a link properly, what type of media to use, and what signaling method to use to get the data onto and off of the wire. These things are all important because you must have stable physical links to get traffic to pass over the network. Unstable physical links cause the changes that the routers in the network must adapt to. But the topology—the layout—of your network has a greater impact on its stability than whether ATM or Frame Relay is used for the wide-area connections.

A well-designed topology is the basis for all stable networks. To understand why, consider the question: "Why do networks melt?" The simple answer is networks melt because the routing protocol never converges. Since all routing protocols produce routing loops while they converge, and no routing protocol can provide correct forwarding information while it's in a state of transition, it's important to converge as quickly as possible after any change in the network. The amount of time it takes for a routing protocol to converge depends on two factors:

• The number of routers participating in convergence
• The amount of information they must process

The number of routers participating in convergence depends on the area through which the topology change must propagate. Summarization hides information from routers, and routers that don't know about a given destination don't have to recalculate their routing tables when the path to that destination changes or is no longer reachable. The amount of information a router must process to find the best path to any destination is dependent on the number of paths available to any given destination. Summarization, coincidentally, also reduces the amount of information a router has to work with when the topology of the network changes.

So, summarization is the key to reducing the number of routers participating in convergence and the amount of data routers have to deal with when converging. Summarization, in turn, relies on an addressing scheme that is laid out well with good summarization points. Addressing schemes that are laid out well always rely on a good underlying topology. It's difficult to assign addresses on a poorly constructed network in order for summarization to take place. While many people try to fix the problems generated by a poor topology and addressing scheme with more powerful routers, cool addressing scheme fixes, or bigger and better routing protocols, nothing can substitute for having a well thought out topology.
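The two convergence factors argued in the preceding paragraphs, worked as an added example that is not the book's own code: a constructed topology with two distribution routers, each fronting four contiguous access-layer /24s, compares what a core router holds and whether it must reconverge after an access-link failure, with and without summarization. The router names, prefixes and the use of Python's `ipaddress` module are assumptions of the example.

```python
from ipaddress import ip_network, collapse_addresses

# Constructed topology: two distribution routers, each with four
# contiguous access-layer /24s behind it (the shape of Figure 1-2).
DISTRIBUTION = {
    "dist-east": ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"],
    "dist-west": ["10.2.0.0/24", "10.2.1.0/24", "10.2.2.0/24", "10.2.3.0/24"],
}


def summarize(prefixes):
    """Merge adjacent, aligned blocks into the fewest covering prefixes:
    four contiguous /24s become one /22. This is the summary a
    distribution router advertises instead of its component subnets."""
    return sorted(collapse_addresses(ip_network(p) for p in prefixes))


def advertised(dist, up, summarized):
    """Prefixes one distribution router announces into the core.

    up: set of access subnets (strings) that are currently reachable.
    With summarization the summary is announced while any component is
    up, so a single access-link failure never reaches the core (the
    distribution router itself must then discard traffic for the failed
    component). Without it every /24 is leaked, and every access-link
    failure is a change in the core routing table."""
    live = [p for p in DISTRIBUTION[dist] if p in up]
    if not live:
        return []                      # whole block down: withdraw
    if summarized:
        return summarize(DISTRIBUTION[dist])
    return [ip_network(p) for p in live]


def core_table(up, summarized):
    """Routing table of a core router: everything the distribution
    routers advertise, keyed by prefix, valued by next-hop router."""
    table = {}
    for dist in DISTRIBUTION:
        for net in advertised(dist, up, summarized):
            table[net] = dist
    return table


def impact_of_failure(failed, summarized):
    """Measure both convergence factors for the loss of one access
    subnet: does the core table change at all (routers participating),
    and how many routes was the core holding (information to process).
    Returns (core_changed, routes_in_core)."""
    all_up = {p for subnets in DISTRIBUTION.values() for p in subnets}
    before = core_table(all_up, summarized)
    after = core_table(all_up - {failed}, summarized)
    return before != after, len(before)


if __name__ == "__main__":
    for mode in (False, True):
        changed, size = impact_of_failure("10.1.2.0/24", mode)
        print(f"summarized={mode}: core holds {size} routes, "
              f"core reconverges on access-link failure: {changed}")
```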

The Right Topology

So what's the right topology to use? It's always easier to tackle a problem if it is broken into smaller pieces, and large-scale networks are no exception. You can break a large network into smaller pieces that can be dealt with separately. Most successful large networks are designed hierarchically, or in layers. Layering creates separate problem domains, which focuses the design of each layer on a single goal or set of goals. This concept is similar to the OSI model, which breaks the process of communication between computers into layers, each with different design goals and criteria. Layers must stick to their design goals as much as possible; trying to add too much functionality into one layer generally ends up producing a mess that is difficult to document and maintain. There are generally three layers defined within a hierarchical network. As indicated in Figure 1-1, each layer has a specific design goal:

Figure 1-1 Hierarchical Network Design

• The network core forwards traffic at very high speeds; the primary job of a device in the core of the network is to switch packets.
• The distribution layer summarizes routes and aggregates traffic.
• The access layer feeds traffic into the network, performs network entry control, and provides other edge services.

Now that you know the names of the layers, step back and look at how they relate to the fundamental design principles previously outlined. The following are two restated fundamental design principles. The next task is to see if they fit into the hierarchical model.

• The area affected by a topology change in the network should be bound so that it is as small as possible.
• Routers (and other network devices) should carry the minimum amount of information possible.

You can achieve both of these goals through summarization, and summarization is done at the distribution layer. So, you generally want to bound the convergence area at the distribution layer. For example, a failing access layer link shouldn't affect the routing table in the core, and a failing link in the core should produce minimal impact on the routing tables of access layer routers.

In a hierarchical network, traffic is aggregated onto higher speed links moving from the access layer to the core, and it is split onto smaller links moving from the core toward the access layer as illustrated in Figure 1-2. Not only does this imply access layer routers can be smaller devices, it also implies they are required to spend less time switching packets. Therefore, they have more processing power, which can be used to implement network policies.

Figure 1-2 Traffic Aggregation and Route Summarization at Layer Boundaries

The one major weakness inherent in hierarchical network design is that it implies (or creates) single points of failure within the physical layer. The stronger the hierarchical model, the more likely you are to find places where a single device or a broken link can cause major havoc. Of course, if you don't like havoc, your network must have some measure of redundancy to compensate for this weakness. We'll cover this in Chapter 3.

The Network Core

The core of the network has one goal: switching packets. Like engines running at warp speed, core devices should be fully fueled with dilithium crystals and running at peak performance; this is where the heavy iron of networking can be found. The following two basic strategies will help accomplish this goal:

• No network policy implementation should take place in the core of the network.
• Every device in the core should have full reachability to every destination in the network.

No Policy Implementation

Any form of policy implementation should be done outside the core; packet filtering and policy routing are two perfect examples. Even if the core devices can filter and policy-route packets at high rates of speed, the core is not the right place for these functions. The goal of the network core is to switch packets, and anything that takes processing power from core devices or increases packet switching latencies is seriously discouraged. Beyond this, the complexity added to core router configurations should be avoided. It is one thing to make a mistake with some policy at the edge of the network and cause one group of users to lose connectivity, but to make a mistake while implementing a change in policy at the core can cause the entire network to fail. Place network policy implementations on edge devices in the access layer or, in certain circumstances, on the border between the access layer and the distribution layer. Only in exceptional circumstances should you place these controls in the core or between the distribution layer and the core.

Case Study: Policy-Based Routing

Normally, routers forward traffic based only on the final destination address, but there are times when you want the router to make a forwarding decision based on the source address, the type of traffic, or some other criteria. These types of forwarding decisions, based on some criteria or policy the system administrator has configured, are called policy-based routing. A router can be configured to make a forwarding decision based on several things, including

• Source address
• Source/destination address pair
• Destination address
• IP packet type (TCP, UDP, ICMP, and so on)
• Service type (Telnet, FTP, SMTP)
• Precedence bits in the IP header

Typically, configuring policy-based routing consists of the following three steps:

1. Build a filter to separate the traffic that needs a specific policy applied from the normal traffic.
2. Build a policy.
3. Implement the policy.

On a Cisco router, a policy is built using route maps and is implemented with interface commands. For example, in the network illustrated in Figure 1-3, the system administrator has decided it would be best to send Telnet over the lower speed Frame Relay link and send the remaining traffic over the satellite link.

Figure 1-3 Access Control Filters

To apply this policy, the network administrator can apply the following configurations to both routers:

1. Build a filter to separate the traffic:

   access-list 150 permit tcp any eq telnet any
   access-list 150 permit tcp any any eq telnet

   The first line in this access-list selects any TCP traffic destined to the Telnet port; the second one selects any TCP traffic with the Telnet port as its source.

2. Build a policy:

   route-map telnetthroughframe permit 10
    match ip address 150
    set ip next-hop 192.168.10.x

   These lines build a route map that matches any packets selected in the previous step (all packets sourced from or destined to the TCP Telnet port) and set the next hop for these packets to the IP address of the router on the other end of the Frame Relay link.

3. Apply the policy to the traffic:

   interface ethernet 0
    ip policy route-map telnetthroughframe

   Finally, tell the router that every packet received on the Ethernet 0 interface needs to have the policy built in the previous step applied to it.

Packets that are policy routed are process switched in all versions of IOS until 11.3. Process switching packets typically has a large negative impact on the router. Every packet that needs to be process switched must be scheduled for switching rather than processed through one of the optimized switching paths.

Full Reachability

Devices in the core should have enough routing information to intelligently switch a packet destined to any end device in the network; core routers should not use default routes to reach internal destinations. However, this doesn't mean a router in this layer should have a path to each individual subnet in every corner of the network. Summary routes can, and should, be used to reduce the size of the core routing table. Default routes should be used for reaching external destinations, such as hosts on the Internet. The reason for the no default routes strategy is threefold:

• Facilitating core redundancy
• Reducing suboptimal routing
• Preventing routing loops

Traffic volume is at its greatest in the core; every switching decision counts. Suboptimal routing can be destabilizing in this type of an environment. A perfect example of this strategy is the structure of the network access points (NAP) on the Internet. Devices that are connected to the NAPs aren't allowed to use default routes to reach any destination. Therefore, every attached device must carry a full Internet routing table. The full routing table, though, doesn't include every possible subnet; instead, aggregation is used heavily in the distribution layer (the routers that feed into the NAPs) to reduce the size of the Internet's routing table at the core.

Types of Cores

When networks are small, they tend to use collapsed cores, which means that a single router acts as the network core connecting with all other routers in the distribution layer. (If the network is small enough, the collapsed core router may connect directly to the access layer routers, and there may be no distribution layer.)

Collapsed cores are easy to manage (it's just one router, after all), but they don't scale well (it is just one router). They don't scale well because every packet that is carried through the network will cross the backplane of the central router; this will eventually overwhelm even the largest and fastest routers. Collapsed cores also result in a single point of failure almost too good for Murphy's Law to resist: If only one router in the entire network goes down, it will be this single core router.

Because a single router collapsed core cannot handle the needs of a large network, most large networks use a group of routers interconnected with a high speed local-area network (LAN) or a mesh of high speed WAN links to form a core network. Using a network as a core rather than a single router allows redundancy to be incorporated into the core design and to scale the core's capabilities by adding additional routers and links. A well-designed core network can be just as easy to manage as a single router core (collapsed core). It also can provide more resiliency to various types of problems and can scale better than a single router core. Core network designs are covered fully in Chapter 3.

The Distribution Layer

The distribution layer has the following three primary goals:

• Topology change isolation
• Controlling the routing table size
• Traffic aggregation

Use the following two main strategies in the distribution layer to accomplish these goals:

• Route summarization
• Minimizing core to distribution layer connections

Most of the functions the distribution layer performs are dealt with in Chapter 2, "Addressing & Summarization"; Chapter 3, "Redundancy"; and Chapter 4, "Applying the Principles of Network Design"; many functions won't be covered in this chapter.

The distribution layer aggregates traffic. This is accomplished by funneling traffic from a large number of low speed links (connections to the access layer devices) onto a few high bandwidth links into the core. This strategy produces effective summarization points in the network and reduces the number of paths a core device must consider when making a switching decision. The importance of this will be discussed more in Chapter 3.

The Access Layer

The access layer has three goals:

• Feed traffic into the network
• Control access
• Perform other edge functions

Access layer devices interconnect the high speed LAN links to the wide area links carrying traffic into the distribution layer. Access layer devices are the visible part of the network; this is what your customers associate with "the network."

Feeding Traffic into the Network

It's important to make certain the traffic presented to the access layer router doesn't overflow the link to the distribution layer. While this is primarily an issue of link sizing, it can also be related to server/service placement and packet filtering. Traffic that isn't destined for some host outside of the local network shouldn't be forwarded by the access layer device. Never use access layer devices as a through-point for traffic between two distribution layer routers, a situation you often see in highly redundant networks. Chapter 3 covers avoiding this situation and other issues concerning access layer redundancy.

Controlling Access

Since the access layer is where your customers actually plug into the network, it is also the perfect place for intruders to try to break into your network. Packet filtering should be applied so traffic that should not be passed upstream is blocked, including packets that do not originate on the locally attached network. This prevents various types of attacks that rely on falsified (or spoofed) source addresses from originating on one of these vulnerable segments. The access layer is also the place to configure packet filtering to protect the devices attached to the local segment from attacks sourced from outside (or even within) your network.

Access Layer Security

While most security is built on interconnections between your network and the outside world, particularly the Internet, packet level filters on access layer devices regulating which traffic is allowed to enter your network can enhance security tremendously. For example, in the network in Figure 1-4, you need to apply filters on the access layer router to provide basic security.

Figure 1-4 Basic Access Layer Security

The basic filters that should be applied are

• No spoofing
• No broadcast sources
• No directed broadcast

No Spoofing

In Figure 1-4, only packets sourced from 10.1.4.0/24 should be permitted to pass through the router.

No Broadcast Sources

The broadcast address 255.255.255.255 and the segment broadcast address 10.1.4.255 are not acceptable source addresses and should be filtered out by the access device.

No Directed Broadcast

A directed broadcast is a packet that is destined to the broadcast address of a segment. Routers that aren't attached to the segment the broadcast is directed to will forward the packet as a unicast, while the router that is attached to the segment the broadcast is directed to will convert the directed broadcast into a normal broadcast to all hosts on the segment. For example, in Figure 1-4, PC C could send a packet with a destination address of 10.1.4.255. The routers in the network cloud would forward the packet to Router A, which would replace the destination IP and physical layer addresses with the broadcast address (255.255.255.255 for IP and FF.FF.FF.FF.FF.FF for Ethernet) and transmit the packet onto the locally attached Ethernet.

Directed broadcasts are often used with network operating systems that use broadcasts for client-to-server communications. A directed broadcast can be generated using an IP helper address on the interface of the router to which the workstations are connected. If you don't need directed broadcasts to reach servers or services on the local segment, use the interface level command no ip directed-broadcast to prevent the router from converting directed broadcasts into local broadcasts and forwarding them. Configuring no ip directed-broadcast on the Ethernet results in the router dropping packets destined to 10.1.4.255 from any source on the network. One option to reduce the use of directed broadcasts is to use the actual IP address of the server when configuring IP helpers instead of the broadcast address of the server's segment. Even if you are using directed broadcasts to reach a device on the locally attached segment, you can still block directed broadcasts from unknown sources or sources outside your network. Configuring these basic packet filters on your access layer devices will prevent a multitude of attacks that can be launched through and against your network.
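The three filters above, written out as a packet-by-packet decision function. This is an added example, not the book's own configuration (the book applies these rules on a Cisco router): it assumes Router A's LAN interface faces 10.1.4.0/24, treats "lan" and "uplink" as the two directions a packet can arrive from, and goes one step beyond the book's list by also dropping a packet that arrives from the uplink while claiming a 10.1.4.0/24 source. The sample packets are constructed; the Packet type, the access_filter and evaluate names are my own.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the book: the three basic access-layer filters from
# Figure 1-4 as a decision function evaluated against constructed packets.
# ingress "lan"    = arrived on the interface facing 10.1.4.0/24, heading upstream
# ingress "uplink" = arrived from the distribution layer, heading toward the segment

LOCAL_SEGMENT = ipaddress.ip_network("10.1.4.0/24")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str  # "lan" or "uplink"


def access_filter(pkt, segment=LOCAL_SEGMENT, allow_directed_broadcast=False):
    """Return 'permit' or 'drop: <reason>' for one packet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    # No broadcast sources: neither the limited broadcast nor the segment
    # broadcast is a legitimate source, whichever way the packet travels.
    if src in (LIMITED_BROADCAST, segment.broadcast_address):
        return "drop: broadcast source"

    if pkt.ingress == "lan":
        # No spoofing: only 10.1.4.0/24 may be sourced from the local segment.
        if src not in segment:
            return "drop: spoofed source (not from local segment)"
        return "permit"

    # Packets arriving from the uplink.
    # Extension beyond the book's list: a packet from outside that claims a
    # local source address is spoofed as well (hypothetical rule, my addition).
    if src in segment:
        return "drop: spoofed source (local address from outside)"
    # No directed broadcast: 10.1.4.255 as a destination is dropped unless the
    # segment genuinely needs directed broadcasts (the no ip directed-broadcast case).
    if dst == segment.broadcast_address and not allow_directed_broadcast:
        return "drop: directed broadcast"
    return "permit"


# Constructed sample traffic (192.0.2.0/24 and 203.0.113.0/24 stand in for
# hosts elsewhere in the network cloud)
SAMPLE = [
    Packet("10.1.4.20", "192.0.2.10", "lan"),
    Packet("203.0.113.7", "192.0.2.10", "lan"),       # spoofed source from the LAN
    Packet("10.1.4.255", "192.0.2.10", "lan"),        # segment broadcast as source
    Packet("255.255.255.255", "10.1.4.20", "uplink"), # limited broadcast as source
    Packet("192.0.2.10", "10.1.4.255", "uplink"),     # PC C's directed broadcast
    Packet("192.0.2.10", "10.1.4.20", "uplink"),
    Packet("10.1.4.30", "10.1.4.20", "uplink"),       # local address arriving from outside
]


def evaluate(packets=SAMPLE, **kw):
    """Verdicts for a list of packets, in order."""
    return [access_filter(p, **kw) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, evaluate()):
        print(f"{p.ingress:6} {p.src:>15} -> {p.dst:<15} {verdict}")
```

Setting allow_directed_broadcast=True models the interface that still needs directed broadcasts for a local server; the spoofing and broadcast-source rules stay in force either way, which is the point the text makes about blocking directed broadcasts from unknown sources even when you cannot disable them entirely.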

Other Edge Services

Some services are best performed at the edge of the network before the packets are passed to any other router. These are called edge services and include services such as:

• Tagging packets for Quality of Service (QoS) based forwarding: If you are using voice-over-IP or video conferencing, you will probably want to tag the real time traffic with a high IP precedence flag so that it is forwarded through the network with less delay (assuming the routers are configured to treat such traffic preferentially).
• Terminating tunnels: Tunnels are typically used for carrying multicast traffic, protocols that aren't switched on the core, and secure traffic (virtual private links).
• Traffic metering and accounting: These services include NetFlow services in Cisco routers.
• Policy-based routing: Refer to "Case Study: Policy-Based Routing" earlier in this chapter.

Connections to Common Services

Common services consist of anything a large number of users on the network access on a regular basis, such as server farms, connections to external routing domains (partners or the Internet, for example), and mainframes. The following are two typical methods of attaching these types of resources to your network:

• Attaching them directly to your network's core
• Attaching them through a DeMilitarized Zone (DMZ)

Where these services are connected depends on network topology issues (such as addressing and redundancy, which will be covered in Chapters 2 through 4 in more detail), traffic flow, and architecture issues. In the case of connections to external routing domains, it's almost always best to provide a buffer zone between the external domain and the network core. Other common services, such as mainframes and server farms, are often connected more directly to the core. Figure 1-5 illustrates one possible set of connections to common services. All external routing domains in this network are attached to a single DMZ, and high-speed devices, which a large portion of the enterprise must access, are placed on a common high-speed segment off the core.

Figure 1-5 Connections to Common Services

One very strong reason for providing a DMZ from the perspective of the physical layer is to buffer the traffic. A router can have problems with handling radically different traffic speeds on its interfaces; for example, a set of FDDI connections to the core feeding traffic across a T1 to the Internet. Other aspects of connecting to common services and external routing domains will be covered in Chapters 2 through 4.

Summary

Hierarchical routing is the most efficient basis for large scale network designs because it:

• Breaks one large problem into several smaller problems that can be solved separately
• Reduces the size of the area through which topology change information must be propagated
• Reduces the amount of information routers must store and process
• Provides natural points of route summarization and traffic aggregation

The three layers of a hierarchical network design are described in Table 1-1.

Table 1-1. Summary of Goals and Strategies of Layers and Hierarchical Network Design

Layer: Core
  Goals:
    Switching speed
  Strategies:
    Full reachability: No default routes to internal destinations and reduction of suboptimal routing
    No policy implementation: Access control, no policy routing, and reduction of processor and memory overhead

Layer: Distribution
  Goals:
    Topology change isolation
    Controlling the routing table size
    Traffic aggregation
  Strategies:
    Route summarization: Provides topology change isolation, hides detail from the network core, and hides detail from access layer devices
    Minimizing core interconnections: Reduces switching decision complexity and provides natural summarization and aggregation points

Layer: Access
  Goals:
    Feed traffic into the network
    Control access
    Other edge services include flagging packets for QoS and tunnel termination
  Strategies:
    Preventing through traffic
    Packet level filtering

So when should you begin considering the hierarchy of your network? Now. It's important to impose hierarchy on a network in the beginning when it's small. The larger a network grows, the more difficult it is to change. Careful planning now can save many hours of correctional work later.

Case Study: Is Hierarchy Important in Switched Networks?

Switched networks are flat, so hierarchy doesn't matter, right? Well, look at Figure 1-6 and see if this is true or not.

Figure 1-6 A Switched Network

Assume that Switch C becomes the root bridge on this network. The two networks to which both Switches B and C are connected will be looped if both switches forward on both ports. Because the root bridge never blocks a port, it must be one of the two ports on Switch B. If the port marked by the arrow on Switch B is blocking, the network may work fine, but the traffic from Workstation E to Workstation A will need to travel one extra switch hop to reach its destination. Because Switch B is blocking on one port, the traffic must pass through Switch B, across the Ethernet to Switch C, and then to Switch A. If Switch B were to block the port connected to the other Ethernet between it and Switch C, this wouldn't be a problem. You could go around manually configuring the port priorities on all the switches in the network to prevent this from occurring, but it's much easier to adjust the bridge priority so that a particular bridge is always elected as the root. This way, you can be certain beforehand what path will be taken between any two links in the network. To prevent one link from becoming overwhelmed and to provide logical traffic flow through the network, you need to build hierarchy into the design of the switched network to provide good spanning-tree recalculation times and logical traffic flow. It's important to remember that switched networks are flat only at Layer 3; they still require switches to choose which Layer 2 path to use through the network.

Review

1: Why is the topology of the network so important? Are the topology and the logical layout of a network the same thing?

2: Why are hierarchical networks built in "layers"?

3: Note the layer of the network in which each of these functions/services should be performed and why:

• Summarize a set of destination networks so that other routers have less information to process.
• Tag packets for quality of service processing.
• Reduce overhead so that packets are switched as rapidly as possible.
• Meter traffic.
• Use a default route to reach internal destinations.
• Control the traffic that is admitted into the network through packet level filtering.
• Aggregate a number of smaller links into a single larger link.
• Terminate a tunnel.

4: What two factors is speed of convergence reliant on?

5: What types of controls should you typically place on an access layer router to block attacks from within the network?

6: What are the positive and negative aspects of a single router collapsed core?

7: What aspects of policy-based routing are different than the routing a router normally performs?

8: Should you normally allow directed broadcasts to be transmitted onto a segment?

9: What determines the number of routers participating in convergence?

10: Should a failing destination network in the access layer cause the routers in the core to recompute their routing tables?

11: What is the primary goal of the network core? What are the strategies used to reach that goal?

12: Why is optimum routing so important in the core?

13: What are the primary goals of the distribution layer?

14: What strategies are used in the distribution layer to achieve its goals?

15: What are the primary goals of the access layer?

Chapter 2. Addressing & Summarization

Now that you've laid the groundwork to build your network, what's next? Deciding how to allocate addresses. This is simple, right? Just start with one and use them as needed? Not so fast! Allocating addresses is one of the thorniest issues in network design. If you don't address your network right, you have no hope of scaling to truly large sizes. You might get some growth out of it, but you will hit a wall at some point. This chapter highlights some of the issues you should consider when deciding how to allocate addresses. Allocating addresses is one of the thorniest issues in network design because:

• Address allocation is generally considered an administrative function, and the impact of addressing on network stability is generally never considered.
• After addresses are allocated, it's very difficult to change them because individual hosts must often be reconfigured.

In fact, poor addressing contributes to almost all large-scale network failures. Why? Because routing stability (and the stability of the routers) is directly tied to the number of routes propagated through the network and the amount of work that must be done each time the topology of the network changes. Both of these factors are impacted by summarization, and summarization is dependent on addressing (see Figure 2-1). See the section "IP Addressing and Summarization" later in this chapter for an explanation of how summarization works in IP.

Figure 2-1 Network Stability Is Dependent on Topology, Addressing, and Summarization

Addressing should, in reality, be one of the most carefully designed areas of the network. When deciding how to allocate addresses, keep two primary goals in mind:

• Controlling the size of the routing table
• Controlling the distance topology change information must travel (by controlling the work required when the topology changes)

The primary tool for accomplishing these goals is summarization. It is necessary to come back to summarization again because it is the fundamental tool used to achieve routing stability.

Summarization

Chapter 1, "Hierarchical Design Principles," stated that network stability is dependent, to a large degree, on the number of routers affected by any change. Summarization hides detailed topology information, bounding the area affected by changes in the network and reducing the number of routers involved in convergence. In Figure 2-2, for example, if the link to either 10.1.4.0/24 or 10.1.7.0/24 were to fail, Router H would need to learn about these topology changes and participate in convergence (recalculate its routing table). How could you hide information from Router H so that it wouldn't be affected by changes in the 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24, and 10.1.7.0/24 links?

Figure 2-2 Hiding Topology Details from a Router

You could summarize 10.1.4.0/24, 10.1.5.0/24, 10.1.6.0/24, and 10.1.7.0/24 into one route, 10.1.4.0/22, at Router G and advertise this one summary route only to Router H. What would you accomplish by summarizing these routes on Router G?

Remove detailed knowledge of the subnets behind Router G from Router H's routing table. If any one of these individual links behind Router G changes state, Router H won't need to recalculate its routing table. Summarizing these four routes also reduces the number of routes with which Router H must work; smaller routing tables mean lower memory and processing requirements and faster convergence when a topology change affecting Router H does occur.

IP Addressing and Summarization

IP addresses consist of four parts, each one representing eight binary digits (bits), or an octet. Each octet can represent the numbers between 0 and 255, so there are 2^32, or 4,294,967,296, possible IP addresses. To provide hierarchy, IP addresses are divided into two parts: the network and the host. The network portion represents the network the host is attached to; this literally represents a wire or physical segment. The host portion uniquely identifies each host on the network. The IP address is divided into these two parts by the mask (or the subnet mask). Each bit in the IP address where the corresponding bit in the mask is set to one is part of the network address. Each bit in the IP address where the corresponding bit in the mask is set to zero is part of the host address. For example, Figure 2-3 shows 172.16.100.10 converted to binary format.

Figure 2-3 IP Addressing in Binary Format

Next, use a subnet mask of 255.255.240.0; the binary form of this subnet mask is shown in Figure 2-4.

Figure 2-4 IP Subnet Mask in Binary Format

By performing a logical AND over the subnet mask and the host address, you can see what network this host is on, as shown in Figure 2-5.

Figure 2-5 Logical AND of Host Address and Mask

The number of bits set in the mask is also called the prefix length and is represented by a /xx after the IP address. This host address could be written as either 172.16.100.10 with a mask of 255.255.240.0 or as 172.16.100.10/20. The network this host is on could be written 172.16.96.0 with a mask of 255.255.240.0 or as 172.16.96.0/20. Because the network mask can end on any bit, there is a confusing array of possible networks and hosts. Summarization is based on the ability to end the network mask on any bit; it's the use of a single, short prefix advertisement to represent a number of longer prefix destination networks. For example, assume you have the IP networks in Figure 2-6, all with a prefix length of 20 bits (a mask of 255.255.240.0).

Figure 2-6 Networks That Can Be Summarized

You can see that the only two bits that change are the third and fourth bits of the third octet. If you were to somehow make those two bits part of the host address portion rather than the network address portion of the IP address, you could represent these four networks with a single advertisement. Summarization does just that by shortening the prefix length. In this case, you can shorten the prefix length by two bits to 18 bits total to produce a network of 172.16.0.0/18, which includes all four of these networks. The prefix length has been shortened in Figure 2-7 as an example.

Figure 2-7 Summarized Network

It's possible to summarize on any bit boundary, for example:

10.100.12.0/25 and 10.100.12.128/25 = 10.100.12.0/24
10.20.0.0/16 and 10.21.0.0/16 = 10.20.0.0/15
172.16.24.0/27 through 172.16.24.96/27 = 172.16.24.0/25
192.168.32.0/24 through 192.168.63.0/24 = 192.168.32.0/19

This last example is commonly called a classless interdomain routing (CIDR) block because it is a supernet of Class C addresses.
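The subnet arithmetic behind Figures 2-3 through 2-7 and the list above, written out as an added example (this is not code from the book): the logical AND of host and mask, the prefix length of a mask, and a routine that shortens the prefix one bit at a time until a single prefix covers a list of networks, reporting whether the result covers exactly those networks or some unused space as well. It uses no library so every bit operation is visible; the function names are my own.

```python
# Added example, not from the book: the binary subnet arithmetic behind
# Figures 2-3 to 2-7 and the summarization list, in plain Python.

def ip_to_int(dotted):
    """Dotted-decimal IPv4 address -> 32-bit integer (validates each octet)."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n):
    """32-bit integer -> dotted-decimal."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted):
    """Render an address as four 8-bit groups, as in Figure 2-3."""
    n = ip_to_int(dotted)
    return " ".join(f"{(n >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def prefix_len_to_mask(length):
    """/xx prefix length -> dotted mask (ones on the left, zeros on the right)."""
    return int_to_ip((0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF)


def mask_to_prefix_len(mask):
    """Count the one bits in a mask; reject masks whose ones are not contiguous."""
    m = ip_to_int(mask)
    length = bin(m).count("1")
    if m != ip_to_int(prefix_len_to_mask(length)):
        raise ValueError(f"non-contiguous mask: {mask}")
    return length


def network_of(host, mask):
    """Logical AND of host and mask (Figure 2-5), returned in /xx notation."""
    length = mask_to_prefix_len(mask)
    return f"{int_to_ip(ip_to_int(host) & ip_to_int(mask))}/{length}"


def summarize(prefixes):
    """Shortest single prefix covering every network in `prefixes` (strings such
    as '10.20.0.0/16'). Returns (summary, exact); exact is True when the summary
    covers no address space beyond the inputs. Inputs are assumed not to overlap."""
    nets = []
    for p in prefixes:
        addr, length = p.split("/")
        length = int(length)
        nets.append((ip_to_int(addr) & ip_to_int(prefix_len_to_mask(length)), length))
    # Start at the shortest input prefix and keep shortening it (moving network
    # bits into the host portion) until every network agrees on the remaining bits.
    length = min(l for _, l in nets)
    while length > 0:
        mask = ip_to_int(prefix_len_to_mask(length))
        if all((n & mask) == (nets[0][0] & mask) for n, _ in nets):
            break
        length -= 1
    mask = ip_to_int(prefix_len_to_mask(length))
    summary = f"{int_to_ip(nets[0][0] & mask)}/{length}"
    addresses_in_inputs = sum(1 << (32 - l) for _, l in nets)
    return summary, addresses_in_inputs == (1 << (32 - length))


if __name__ == "__main__":
    print(to_binary("172.16.100.10"), "AND", to_binary("255.255.240.0"))
    print("network:", network_of("172.16.100.10", "255.255.240.0"))
    for group in (["10.100.12.0/25", "10.100.12.128/25"],
                  ["10.20.0.0/16", "10.21.0.0/16"],
                  ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]):
        print(group, "->", summarize(group))
```

The exact flag is what the next section's rule is about: 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24 need a /22 that also covers 10.1.0.0/24, so advertising that summary is only correct if 10.1.0.0/24 is not in use elsewhere.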

Where Should Summarization Take Place?

When deciding where to summarize, follow this rule of thumb: Only provide full topology information where it's needed in the network. In other words, hide any information that isn't necessary to make a good routing decision. For example, routers in the core don't need to know about every single network in the access layer. Rather than advertising a lot of detailed information about individual destinations into the core, distribution layer routers should summarize each group of access layer destinations into a single shorter prefix route and advertise these summary routes into the core. Likewise, the access layer routers don't need to know how to reach each and every specific destination in the network; an access layer router should have only enough information to forward its traffic to one of the few (most likely two) distribution routers it is attached to. Typically, an access layer router needs only one route (the default route), although dual-homed access devices may need special consideration to reduce or eliminate suboptimal routing. This topic will be covered more thoroughly in Chapter 4, "Applying the Principles of Network Design." As you can see from these examples, the distribution layer is the most natural summarization point in a hierarchical network. When being advertised into the core, destinations in the access layer can be summarized by distribution routers, reducing the area through which any topology change must propagate to only the local distribution region. Summarization from the distribution layer toward access layer routers can dramatically reduce the amount of information these routers must deal with.

Look at Figure 2-8 for a more concrete example. Router A, which is in the distribution layer, is receiving advertisements for:

Figure 2-8 Summarizing from the Distribution Layer into the Core

• 10.1.1.0/26
• 10.1.1.64/26
• 10.1.1.128/26
• 10.1.1.192/26

Router A is, in turn, summarizing these four routes into a single destination, 10.1.1.0/24, and advertising this into the core. Because the four longer prefix networks 10.1.1.0/26, 10.1.1.64/26, 10.1.1.128/26, and 10.1.1.192/26 are hidden from the core routers, the core won't be affected if one of these networks fails, so none of the routers on the core will need to recalculate their routing tables. Hiding detailed topology information from the core has reduced the area through which the changes in the network must propagate.

Note that all the addresses in a range don't need to be used to summarize that range; they just can't be used elsewhere in the network. You could summarize 10.1.1.0/24, 10.1.2.0/24, and 10.1.3.0/24 into 10.1.0.0/16 as long as 10.1.4.0 through 10.1.255.255 aren't being used. Figure 2-9 is an example of a distribution layer router summarizing the routing information being advertised to access layer devices. In Figure 2-8, the entire routing table on Router A has been summarized into one destination, 0.0.0.0/0, which is called the default route.

Figure 2-9 Summarizing from the Distribution Layer into the Access Layer

Because this default route is the only route advertised to the access layer routers, a destination that becomes unreachable in another part of the network won't cause these access layer routers to recompute their routing tables. In other words, they won't participate in convergence. The downside to advertising the default route only to these routers is that suboptimal routing may result from doing so.

Strategies for Successful Addressing

You can allocate addresses in four ways:

• First come, first serve: Start with a large pool of addresses and hand them out as they are needed.
• Politically: Divide the available address space up so that every department within the organization has a set of addresses it can draw from.
• Geographically: Divide the available address space up so that each of the organization's office locations has a set of addresses it will draw from.
• Topologically: This is based on the point of attachment to the network. (This may be geographically the same on some networks.)

First Come, First Serve Address Allocation

Suppose you are building a small packet switching network (one of the first) in the 1970s. You don't think this network will grow too much because it's restricted to only a few academic and government organizations, and it's experimental. (This prototype will be replaced by the real thing when you're done with your testing.) No one really has any experience in building networks like this, so you assign IP addresses on a first come, first serve basis. You give each organization a block of addresses, which seems to cover their addressing needs. Thus, the first group to approach the network administrators for a block of addresses receives 10.0.0.0/8, the second receives 11.0.0.0/8, and so on. This form of address allocation is a time-honored tradition in network design; first come, first serve is, in fact, the most common address assignment scheme used. The downside to this address allocation scheme becomes apparent only as the network becomes larger. Over time, a huge multinational network could grow to look like the Internet, a mess in terms of addressing. Next, look at why this isn't a very good address allocation scheme. In Figure 2-10, the network administrators have assigned addresses as the departments have asked for them.

Figure 2-10 First Come, First Serve Address Allocation

This small cross-section of their routers shows:

• Router A has two networks connected: 10.1.15.0/24 and 10.2.1.0/24
• Router B has two networks connected: 10.2.12.0/24 and 10.1.1.0/24
• Router C has two networks connected: 10.1.2.0/24 and 10.1.41.0/24
• Router D has two networks connected: 10.1.40.0/24 and 10.1.3.0/24

There isn't any easy way to summarize any of these network pairs into a single destination, and the more you see of the network, the harder it becomes. If a network addressed this way grows large enough, it will eventually have stability problems. At this point, at least eight routes will be advertised into the core.

Addressing by the Organizational Chart (Politically)

Now, start over with this network. Instead of assigning addresses as the various departments asked for them, the network administrators decided to put some structure into their addressing scheme; each department will have a pool of addresses to pull networks from:

• Headquarters: 10.1.0.0/16
• Research: 10.2.0.0/16
• Quality: 10.3.0.0/16
• Sales: 10.4.0.0/16
• Manufacturing: 10.5.0.0/16

With this addressing scheme in place, the network now looks like Figure 2-11.

Figure 2-11 Addressing on the Organizational Chart

Now, there may be some opportunities for summarization. If 10.1.3.0/24 isn't assigned, it might be possible to summarize the two headquarters networks into one advertisement. It's not a big gain, but enough little gains like this can make a big difference in the stability of a network. In general, though, this addressing scheme leaves you in the same situation as the first come, first serve addressing scheme: the network won't scale well. In Figure 2-11, there will still be at least seven or eight routes advertised into the core of the network.

Addressing Geographically

Once again, you can renumber this network; this time assign addresses based on the geographic location. The resulting network would look like Figure 2-12.

Figure 2-12 Addressing by Geographic Location

Note the address space has been divided geographically; Japan is assigned 10.2.0.0/16, the United States is assigned 10.4.0.0/16, and so on. While it's probable that some gains can be made using geographic distribution of addresses, there will still be a lot of routes that cannot be summarized.

35

Just w or k ing w it h t he net w or k s illust r at ed her e, y ou can sum m ar ize t he t w o US net w or k s, 10.4.1.0/ 24 and 10.4.2.0/ 24 int o 10.4.0.0/ 16, so Rout er A can adv er t ise a single r out e int o t he cor e. Lik ew ise, y ou can sum m ar ize t he t w o Japan r out es, 10.2.1.0/ 24 and 10.2.2.0/ 24, int o 10.2.0.0/ 16, and Rout er D can adver t ise a single rout e int o t he cor e. London, how ev er , pr esent s a pr oblem . London Resear ch, 10.1.2.0/ 24, is at t ached t o Rout er C, and t he r em ainder of t he London offices ar e at t ached t o Rout er B. I t isn't possible t o sum m ar ize t he 10.1.x .x addr esses int o t he cor e because of t his split .

Addressing by Topology
The most effective way of making certain that routes can be summarized is to assign addresses based on the router to which the network is attached or, rather, the topology of the network. Addressing this network based on the topology results in Figure 2-13.

Figure 2-13 Topological Address Assignment

Summarization can now be configured easily on Router A, Router B, Router C, and Router D, reducing the number of routes advertised into the rest of the network to the minimum possible. This is easy to maintain in the long term because the configurations on the routers are simple and straightforward. Topological addressing is the best assignment method for ensuring network stability.
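The geographic and topological schemes above can be checked mechanically: for each router, compute the tightest prefix that covers every network attached to it, then verify that the summary does not also cover a network attached to some other router (the London split). The following is an added example, not code from the book. It uses the US and Japan prefixes named in the text; the two London prefixes attached to Router B are constructed, since Figure 2-12 is not reproduced here. Note that the tightest summary for Router A's two /24s is 10.4.0.0/22; the text advertises the whole 10.4.0.0/16 assigned to the region, which is a valid (looser) summary of the same networks.

```python
import ipaddress


def longest_prefix_summary(prefixes):
    """Return the smallest single prefix that covers every prefix in the list.

    Keeps only the leading bits shared by all network addresses, bounded by the
    shortest prefix length present (a /16 member keeps the summary at /16 or
    shorter). All prefixes must be the same IP version.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    if not nets:
        raise ValueError("need at least one prefix")
    if any(n.version != nets[0].version for n in nets):
        raise ValueError("all prefixes must be the same IP version")
    bits = nets[0].max_prefixlen
    base = int(nets[0].network_address)
    plen = min(n.prefixlen for n in nets)
    for n in nets[1:]:
        differing = base ^ int(n.network_address)
        # every bit above the highest differing bit is common to both addresses
        plen = min(plen, bits - differing.bit_length())
    return ipaddress.ip_network((base, plen), strict=False)


def plan_summaries(attachments):
    """Compute each router's summary and flag overlaps with other routers.

    attachments: {router_name: [prefix, ...]}
    returns:     {router_name: (summary_str, [conflicting_prefix, ...])}

    A conflict means the summary cannot be advertised into the core as-is:
    the overlapping prefix lives behind a different router, so the advertisement
    would attract traffic for it to the wrong place.
    """
    plan = {}
    for router, prefixes in attachments.items():
        summary = longest_prefix_summary(prefixes)
        conflicts = []
        for other, other_prefixes in attachments.items():
            if other == router:
                continue
            for p in other_prefixes:
                if summary.overlaps(ipaddress.ip_network(p, strict=False)):
                    conflicts.append(p)
        plan[router] = (str(summary), sorted(conflicts))
    return plan


# Constructed sample following the description of Figure 2-12. The US and Japan
# prefixes are the ones named in the text; Router B's London prefixes are
# placeholders because the figure itself is not reproduced here.
FIGURE_2_12 = {
    "Router A": ["10.4.1.0/24", "10.4.2.0/24"],   # United States
    "Router D": ["10.2.1.0/24", "10.2.2.0/24"],   # Japan
    "Router B": ["10.1.1.0/24", "10.1.4.0/24"],   # London offices (constructed)
    "Router C": ["10.1.2.0/24"],                  # London Research
}

if __name__ == "__main__":
    for router, (summary, conflicts) in plan_summaries(FIGURE_2_12).items():
        flag = f"  CONFLICTS with {conflicts}" if conflicts else ""
        print(f"{router}: advertise {summary}{flag}")
```

Running it reports 10.4.0.0/22 for Router A and 10.2.0.0/22 for Router D with no conflicts, while Router B's 10.1.0.0/21 is flagged because it also covers London Research behind Router C; that flag is exactly the condition that forces the renumbering shown in Figure 2-13.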

Combining Addressing Schemes
One complaint about assigning addresses topologically is it's much more difficult to determine any context without some type of chart or database—for example, the department to which a particular network belongs. Combining topological addressing with some other addressing scheme, such as organizational addressing, can minimize this. Because an IP address is made up of four octets, it's possible to use the left two octets for geographic numbering and the third for departments (or some other combination). For example, if you assign the following numbers to the following departments:

• Administration: 0-31
• Research: 32-63
• Sales: 64-95
• Manufacturing: 96-127

and the following attachment points to the following numbers:

• Router A: 4
• Router B: 1
• Router C: 3
• Router D: 2

some sample addresses would be:

• Administration off of Router A: 10.4.0.0/24 through 10.4.31.0/24
• Research off of Router A: 10.4.32.0/24 through 10.4.63.0/24
• Manufacturing off of Router C: 10.3.96.0/24 through 10.3.127.0/24

Combining addressing schemes will allow less summarization than assigning addresses strictly based on the connection point into the network, but it may be useful in some situations.

IPv6 Addressing
When you run out of addresses, what do you do? If you're the Internet, you create a new version of IP that has a larger address space! To the average end user of the Internet, the main difference between IPv4 (the one that is standard on the Internet right now) and IPv6 is just that—more address space. While an IPv4 address has 32 bits and is written in decimal octets (172.16.10.5/24), an IPv6 address has 128 bits and is written as eight 16-bit sections (FE81:2345:6789:ABCD:EF12:3456:789A:BCDE/96). The /xx on the end still denotes the number of bits in the subnet (which can be rather long since there are now 128 bits in the address space). Because these addresses are so long, and it will take some time to convert from IPv4 to IPv6, there are some special conventions that can be used when writing them. For example, any single section that is all 0s may be replaced with a double colon.

FE80:0000:0000:0000:1111:2222:3333:4444 can be written as FE80::1111:2222:3333:4444

Note that only one series of 0s may be replaced in this way because there is no way to determine how many 0s have been replaced otherwise. Also, the last 32 bits may be written as an IPv4 address:

FE80::172.16.10.4

Other differences in addressing are not readily apparent; for example, in IPv4, the class of an address is determined by the first few bits in the address:

0 Class A (0.0.0.0 through 126.255.255.255)
10 Class B (128.0.0.0 through 191.255.255.255)
110 Class C (192.0.0.0 through 223.255.255.255)
1110 Class D (multicast, 224.0.0.0 through 239.255.255.255)
1111 Class E (experimental, 240.0.0.0 through 255.255.255.255)

In IPv6, the first few bits of the address determine the type of IP address:

010—service provider allocated unicast addresses (4000::0 through 5FFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF)
100—geographically assigned unicast addresses (8000::0 through 9FFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF)
1111 1110 10—link local addresses (FE80::0 through FEBF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF)
1111 1110 11—site local addresses (FEC0::0 through FEFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF)
1111 1111—multicast addresses (FF00::0 through all F's)

There are also some special addresses in IPv6:

0::0—unspecified
0::1.1.1.1 through 0::255.255.255.255—IPv4 addresses
0::0001—loopback

Note that there is no broadcast address defined any longer; the all hosts multicast is used instead. There are many other differences between IPv4 and IPv6—everything from packet formats to how a host determines its address. Several books and RFCs cover IPv6; you should consult them to learn more about these differences.
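The two writing conventions above (a single "::" for a run of zero groups, and an embedded dotted IPv4 tail) and the leading-bit table are easy to get wrong by hand, so here is an added example, not from the book, that expands and compresses addresses and classifies them by the bit patterns the text lists. The classification follows the 1999-era allocation table printed on this page; the current IPv6 allocation differs (site-local addresses were later deprecated and global unicast is now assigned from 2000::/3), so treat the classifier as an illustration of the technique rather than a reference.

```python
def expand_ipv6(text):
    """Expand a written IPv6 address into its eight 16-bit groups.

    Handles the two shorthands described in the text: one '::' standing for a
    run of zero groups, and a dotted IPv4 address in place of the last 32 bits.
    Raises ValueError on a second '::', since the expansion would be ambiguous.
    """
    if text.count("::") > 1:
        raise ValueError("only one '::' is allowed; a second one is ambiguous")
    if "." in text:
        # Rewrite the IPv4 tail as two hexadecimal groups before expanding.
        head, _, v4 = text.rpartition(":")
        octets = [int(o) for o in v4.split(".")]
        if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
            raise ValueError(f"bad embedded IPv4 address: {v4}")
        text = "%s:%x:%x" % (head, octets[0] << 8 | octets[1], octets[2] << 8 | octets[3])
    if "::" in text:
        left, right = text.split("::")
        left_groups = left.split(":") if left else []
        right_groups = right.split(":") if right else []
        missing = 8 - len(left_groups) - len(right_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        parts = left_groups + ["0"] * missing + right_groups
    else:
        parts = text.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 groups, got {len(parts)}")
    groups = []
    for part in parts:
        if not 1 <= len(part) <= 4:
            raise ValueError(f"bad group: {part!r}")
        groups.append(int(part, 16))   # raises ValueError on non-hex text
    return groups


def is_valid_ipv6(text):
    """True if expand_ipv6() accepts the text."""
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def compress_ipv6(groups):
    """Write eight groups back out, replacing the longest run of zero groups
    with '::' (the first run wins a tie), leading zeros dropped."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hex_groups = ["%X" % g for g in groups]
    if best_len == 0:
        return ":".join(hex_groups)
    left = ":".join(hex_groups[:best_start])
    right = ":".join(hex_groups[best_start + best_len:])
    return left + "::" + right


def address_type(groups):
    """Classify by the leading bits, following the table printed in the text."""
    first = groups[0]
    if all(g == 0 for g in groups):
        return "unspecified"
    if groups[:7] == [0] * 7 and groups[7] == 1:
        return "loopback"
    if groups[:6] == [0] * 6:
        return "IPv4 address"
    if first >> 13 == 0b010:
        return "provider allocated unicast"
    if first >> 13 == 0b100:
        return "geographically assigned unicast"
    if first >> 6 == 0b1111111010:
        return "link local"
    if first >> 6 == 0b1111111011:
        return "site local"
    if first >> 8 == 0xFF:
        return "multicast"
    return "unassigned"


if __name__ == "__main__":
    for text in ("FE80:0000:0000:0000:1111:2222:3333:4444", "FE80::172.16.10.4", "0::0001", "FF02::1"):
        groups = expand_ipv6(text)
        print(f"{text:40} -> {compress_ipv6(groups):28} {address_type(groups)}")
    print("1::2::3 valid?", is_valid_ipv6("1::2::3"))   # False: two '::'
```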

General Principles of Addressing
It's obvious when examining the network addressed with summarization and stability as goals that there would be some amount of wasted address space; this is a fact of life in hierarchical networks. For example, by the middle of the 1990s, with about 10 million connected hosts, the Internet was having problems finding enough addresses to go around even though there are about 4.2 billion possible addresses. When you factor in connecting networks (links between routers with no hosts attached), wasted addresses, and reserved addresses, you see how address space could be quickly depleted. The key is to start off with a very large address space—much larger than you think you will ever need. In principle, addressing for summarization and growth is diametrically opposed to addressing to conserve address space. Large address spaces also allow you to leave room for growth in your addressing. It's of little use to thoroughly plan the addressing in your network only to run out of addresses later and end up with a mess. The problem with using a large address space is that public addresses are scarce, and they probably will be until IPv6 is implemented. (Hopefully, there will be a new edition of this book by then.) It's difficult to obtain a single block of registered addresses of almost any size, and the larger the address range you need, the more difficult it is to obtain. One possible solution to this addressing dilemma is to use private address blocks in your network and then use Network Address Translation (NAT) to translate the private addresses when connecting to external destinations. The private IPv4 addresses defined by the IETF are

• 10.0.0.0 through 10.255.255.255—a single Class A network
• 172.16.0.0 through 172.31.255.255—16 Class B networks
• 192.168.0.0 through 192.168.255.255—256 Class C networks

Using NAT does have problems: Some applications don't work well with it, and there is the added complexity of configuring NAT on the edges of the network.

Summary
The primary goals of addressing and summarization are controlling the size of the routing table and controlling the distance that topology change information must travel. The size of the routing table should be fairly constant throughout the network with the exception of remote devices that use a single default route to route all traffic. See Figure 2-14 for a graphical representation of this principle.

Figure 2-14 Routing Table Size Should Remain Relatively Constant Throughout the Network

Addressing and summarization are critical to a stable network. Addressing must be carefully planned to allow for summarization points; summarization, in turn, hides information, promoting network stability. These principles are covered in Table 2-1 for future reference.

Table 2-1. Summarization Points and Strategies

Summarization point: Distribution layer to core
Strategies:
• Summarize many access layer destinations into a few advertisements into the core.
• Hide detailed distribution layer and access layer topology information from the core.

Summarization point: Distribution layer to access layer
Strategies:
• Summarize entire network topology down to a very small set of advertisements to access layer devices (default route if possible).
• Provide route to nearest distribution layer router with access to the core.
• Hide topology of core and distribution layer from access layer devices.

The general principles of addressing are

• Use a large address space if possible
• Leave room for future growth

There are four common ways of allocating the address space in a network: first come, first serve, politically, geographically, and topologically. These are covered in Table 2-2.


Table 2-2. Summary of Addressing Schemes

First come, first serve: Doesn't require any planning. Almost always results in an impossible to manage network.

Politically: Requires minimal planning. Easy to resolve an address to a particular part of the organization. If the organization is subdivided geographically, this scheme works well; otherwise, it can produce a network that will not scale.

Geographically: Requires planning. Enables some degree of summarization.

Topologically: Requires planning. Enables summarization, drastically reduces routing table sizes in the core in large-scale networks. Scales well. Generally easy to configure and maintain.

Allocation schemes can sometimes be combined to provide a solution that is easy to manage and scale.

Case Study: Default Routes to Interfaces
From time to time, routers are configured with a default route pointing to an interface. In some situations, this is fine, but in others, this can be disastrous. The problems have to do with the link type, ARP, and proxy ARP, which is not well understood. In Figure 2-15, Router A has a default route configured out interface Ethernet 0:

ip route 0.0.0.0 0.0.0.0 Ethernet 0

Router B has a default route configured out interface serial 0:

ip route 0.0.0.0 0.0.0.0 serial 0


The complaint is that Router A seems to have extremely high processor utilization and is providing sluggish performance at best. Examine the actions of Router B when ws2, which is configured to use Router B as its default gateway, sends a packet to the Internet. Seeing that the destination it seeks is not on the local segment, ws2 sends the packet to its default gateway; when B receives the packet, it examines its routing table to find a forwarding entry for the destination. Assuming it has no entry, it will forward the packet along its default route, which is pointing to its serial interface.

Figure 2-15 Default Route to a Broadcast Interface

Given that the serial interface on Router B is attached to a point-to-point circuit, there is no place for Router B to forward the packet other than the other end of the circuit. Router B's decision is clear-cut: place the packet on the point-to-point circuit. Now, consider what takes place when ws1 sends a packet that is destined to some host on the Internet. Noting the final destination is not on its local network, ws1 forwards the packet to its default gateway (in this case, Router A). When Router A receives the packet, it examines its forwarding table for a route to this destination and decides to use its default route, which points to its Ethernet 0 port. The problem for Router A is this: Ethernet 0 is connected to a multi-access link, and Router A doesn't know which next hop to use to get to the destination in question (because the route points to the interface rather than a specific IP address). So, Router A will ARP the Ethernet segment. Essentially, Router A believes that everything for which it does not have a specific route is actually connected to its Ethernet 0 port. Router B will receive the ARP request and examine its routing table to see if it knows how to reach this destination. Router B finds a default route in its table, which will do nicely, so it replies to Router A's ARP request. Router A installs an ARP cache entry for this destination IP address bound to Router B's Ethernet address. Router B's ARP reply is called a proxy ARP because Router B is essentially proxying for every destination on the Internet.


This works fine, except that Router A will attempt to hold every destination ws1 ever tries to reach in its ARP cache—and while it may succeed, it will pay a heavy price in memory usage and processor utilization. Router A will eventually begin aging out ARP cache entries simply to make room for new requests, and over time it will begin thrashing the ARP cache. This can cause very poor routing performance. So if this is the problem, why would you ever want to point a static route to an interface? Go back and examine Router B to see why. In this case, the default route points to a point-to-point interface, which means there will not be any ARP cache entries against this interface. (There are no MAC-layer addresses on a point-to-point link.) There is one advantage to Router B's configuration—speed. Suppose that Router B has a dial backup link to the Internet, which is activated through a floating static route. If serial 0 goes down, Router B will take the directly connected network out of its routing table immediately. The static route to the next hop, however, could take up to one second to remove from the routing table because Router B will need to go through the process of realizing that the recursive route to the next hop is down. Using the static route pointing directly to the interface could decrease the amount of time the router will wait before bringing up a backup link (an ISDN link, for example).
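The distinction the case study draws, a static route to a broadcast interface with no next hop versus one to a point-to-point interface, is something worth catching in a configuration review before the ARP cache starts thrashing. The following is an added example, not code from the book, that scans `ip route` lines for that pattern. The configuration fragments are constructed from the two default routes shown above; the hostnames and Router B's third route are placeholders, and the interface-family lists are this example's own assumptions about which interface types are multi-access.

```python
import re

# Interface families whose links are multi-access: a route naming such an
# interface with no next-hop address makes the router ARP for every destination.
BROADCAST_FAMILIES = ("ethernet", "fastethernet", "gigabitethernet", "tokenring", "fddi", "vlan")
# Families normally used for point-to-point links, where no ARP cache is involved.
POINT_TO_POINT_FAMILIES = ("serial", "pos", "hssi", "dialer", "bri", "tunnel")

ROUTE_RE = re.compile(r"^\s*ip route\s+(\S+)\s+(\S+)\s+(.+?)\s*$", re.IGNORECASE)


def interface_family(name):
    """'Ethernet 0' or 'ethernet0' -> 'broadcast'; 'serial 0' -> 'point-to-point'."""
    lowered = name.lower().replace(" ", "")
    if lowered.startswith(BROADCAST_FAMILIES):
        return "broadcast"
    if lowered.startswith(POINT_TO_POINT_FAMILIES):
        return "point-to-point"
    return "unknown"


def audit_static_routes(config_text):
    """Return one finding per `ip route` line whose target is an interface.

    risk values:
      "proxy-arp": broadcast interface and no next-hop address; the router will
                   ARP for each destination and depend on a neighbour's proxy ARP
      "ok":        point-to-point interface, or an explicit next-hop address given
      "review":    interface family this classifier does not recognise
    A serial interface carrying multipoint Frame Relay is NBMA rather than true
    point-to-point; this simple check does not detect that case.
    """
    findings = []
    for line in config_text.splitlines():
        match = ROUTE_RE.match(line)
        if not match:
            continue
        prefix, mask, target = match.groups()
        tokens = target.split()
        if "." in tokens[0]:
            continue  # "ip route ... 192.0.2.1": plain next-hop address, nothing to audit
        # An interface may be followed by an explicit next hop ("Ethernet 0 10.1.1.2").
        has_next_hop = "." in tokens[-1]
        interface = " ".join(tokens[:-1]) if has_next_hop else target
        family = interface_family(interface)
        if family == "broadcast" and not has_next_hop:
            risk = "proxy-arp"
        elif family == "unknown":
            risk = "review"
        else:
            risk = "ok"
        findings.append({
            "line": line.strip(),
            "interface": interface,
            "family": family,
            "default_route": prefix == "0.0.0.0" and mask == "0.0.0.0",
            "risk": risk,
        })
    return findings


# Constructed configuration fragments for the two routers in Figure 2-15.
ROUTER_A_CONFIG = """\
hostname RouterA
ip route 0.0.0.0 0.0.0.0 Ethernet 0
"""

ROUTER_B_CONFIG = """\
hostname RouterB
ip route 0.0.0.0 0.0.0.0 serial 0
ip route 10.1.4.0 255.255.255.0 Ethernet 0 10.1.1.2
"""

if __name__ == "__main__":
    for config in (ROUTER_A_CONFIG, ROUTER_B_CONFIG):
        for finding in audit_static_routes(config):
            print(f"{finding['risk']:10} {finding['line']}")
```

Router A's default route is reported as "proxy-arp"; Router B's default route to serial 0 and its Ethernet route with an explicit next hop both pass, which matches the behaviour the case study describes.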

Case Study: Network Address Translation
Network Address Translation (NAT) allows a network administrator to translate one set of IP addresses into another—for example, allowing a host with a private address to appear on the Internet with a registered address. NAT can also be used to load balance between servers, provide server redundancy, and connect companies that use the same address space. The host in Figure 2-16, 10.1.4.1, wants to reach 109.10.1.4, which is a server on the Internet. However, its address, 10.1.4.1, is a private address and cannot be routed on the Internet. To resolve this addressing problem, Router A can translate the packets sourced from 10.1.4.1 so they appear to be sourced from a registered Internet address, 127.10.1.10.

Figure 2-16 NAT Network

The resulting source and destination addresses are shown in Figure 2-17.

Figure 2-17 NAT Source and Destination Addresses

10.1.4.1 (the inside address) appears as 127.10.1.10 (the outside address) on the Internet after translation. On Cisco routers, 10.1.4.1 is called the inside local address, 127.10.1.10 is called the inside global address, and 109.10.1.4 is called the outside global address. The configuration of the router running NAT (Router A) may look like this:

ip nat pool tothenet 127.10.1.10 127.10.1.10 prefix-length 24
ip nat inside source list 1 pool tothenet
!
interface Ethernet 0
 ip nat inside
!
interface Serial 0
 ip nat outside
!
access-list 1 permit 10.0.0.0 0.255.255.255

This one-to-one translation of inside local addresses to inside global addresses is useful, but it doesn't help much when you have a large number of hosts on the inside network and only a few addresses to use on the outside. Because it's common to have a large number of inside addresses translated into a much smaller pool of outside addresses, most NAT implementations allow a finer granularity of address assignment called Port Address Translation (PAT), or overloading. In PAT, for each session the inside host initiates, it's assigned a port number on the inside global (or translated) address. This allows about 32,000 simultaneous sessions from the inside to the outside using one inside global address. See Figure 2-18 for an example of PAT translated addresses.

Figure 2-18 PAT Translations

Assuming that each inside host is likely to have 10 open sessions to outside hosts at any time, about 3,000 inside hosts could be represented by one outside address. The configuration on Router A (refer to Figure 2-16) may look like this:

ip nat pool tothenet 127.10.1.10 127.10.1.10 prefix-length 30
ip nat inside source list 1 pool tothenet overload
!
interface Ethernet 0
 ip nat inside
!
interface Serial 0
 ip nat outside
!
access-list 1 permit 10.0.0.0 0.255.255.255

Cisco routers don't assign the port on the inside global address randomly; the router assigns ports from a series of pools. The ranges are

1–511
512–1023
1024–4999
5000–65535

If the inside host used port 500 as its source port, for instance, the router will choose a port between 1 and 511 for the source port when it translates the address.
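To make the overload mechanism concrete, here is an added example, not code from the book, of a PAT translation table for one inside global address. Outbound sessions receive a port from the same pool as their original source port, as described above; inbound packets are mapped back through the same table, and a port with no session is dropped. How a router picks a port within the pool is not stated on this page, so the choice made here (keep the original port if free, otherwise the lowest free port in the pool) is this example's own assumption. The addresses are those of Figure 2-16; the sessions are constructed.

```python
PORT_POOLS = ((1, 511), (512, 1023), (1024, 4999), (5000, 65535))


class PatTable:
    """PAT (overload) translation table for a single inside global address.

    Outbound, each new (inside address, inside port) session is given a port on
    the inside global address drawn from the same pool as its original source
    port. Inbound, a translated port maps back to exactly one inside session;
    anything else has no session and is reported as None (drop the packet).
    """

    def __init__(self, inside_global):
        self.inside_global = inside_global
        self.outbound = {}   # (inside_ip, inside_port) -> port on inside global
        self.inbound = {}    # port on inside global -> (inside_ip, inside_port)

    @staticmethod
    def pool_for(port):
        """The (low, high) pool that contains `port`."""
        for low, high in PORT_POOLS:
            if low <= port <= high:
                return low, high
        raise ValueError(f"port out of range: {port}")

    def translate_outbound(self, inside_ip, inside_port):
        """Return (inside global address, translated port) for this session."""
        key = (inside_ip, inside_port)
        if key in self.outbound:            # an existing session keeps its mapping
            return self.inside_global, self.outbound[key]
        low, high = self.pool_for(inside_port)
        # Assumption of this example: keep the original port when it is still
        # free, otherwise take the lowest free port in the same pool.
        for port in [inside_port, *range(low, high + 1)]:
            if port not in self.inbound:
                self.outbound[key] = port
                self.inbound[port] = key
                return self.inside_global, port
        raise RuntimeError(f"pool {low}-{high} exhausted on {self.inside_global}")

    def translate_inbound(self, global_port):
        """Map a reply arriving on `global_port` back to its inside session."""
        return self.inbound.get(global_port)

    def has_room(self, inside_port):
        """True if the pool that `inside_port` falls in still has a free port."""
        low, high = self.pool_for(inside_port)
        return any(port not in self.inbound for port in range(low, high + 1))

    def session_count(self):
        return len(self.inbound)


if __name__ == "__main__":
    table = PatTable("127.10.1.10")
    print(table.translate_outbound("10.1.4.1", 500))   # original port 500 is free
    print(table.translate_outbound("10.1.4.2", 500))   # 500 is taken, so port 1
    print(table.translate_inbound(1))                   # ('10.1.4.2', 500)
    print(table.translate_inbound(2))                   # None: no such session
```

Because each pool is drawn from independently, two hosts both using source port 500 end up on different translated ports in the 1–511 pool, and exhausting one pool does not affect sessions whose source ports fall in another.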

Review

1: Why is it difficult to change addresses after they've been assigned?

2: Why is address allocation so closely tied to network stability?

3: What are the goals you should keep in mind when allocating addresses?

4: What does it mean to say that summarization hides topology details?

5: How does hiding topology details improve stability?

6: Where should summarization take place?

7: What is the one case where access layer devices should be passed more than a default route? Why?

8: An IP address can be divided into two parts; what are they?

9: What is the prefix length of a network?

10: Find the longest prefix summary for these addresses.

• Set A: 172.16.1.1/30, 172.16.1.5/30, 172.16.1.9/30, 172.16.1.14/30
• Set B: 10.100.40.14/24, 10.100.34.56/24, 10.100.59.81/24
• Set C: 172.18.10.10/23, 172.31.40.8/24, 172.24.8.1/22, 172.30.200.1/24
• Set D: 192.168.8.10/27, 192.168.60.14/27, 192.168.74.90/27, 192.168.101.48/27

11: Explain the effects of pointing a default route to a broadcast network interface.

12: What does a pair of colons with no numbers in between signify in an IPv6 address? How many times can you use this symbol in an address?

13: Explain the difference between Network Address Translation (NAT) and Port Address Translation (PAT).

14: Address the network depicted in Figure 2-19 by

Figure 2-19 Exercise Network

• Organization
• Geographical location
• Topology

15: Which addressing scheme is the best? Is there any way to combine two different addressing schemes to provide administrative ease?

Chapter 3. Redundancy
A single point of failure is any device, interface on a device, or link that can isolate users from the services they depend on if it fails. Networks that follow a strong, hierarchical model tend to have many single points of failure because of the emphasis on summarization points and clean points of entry between the network layers. For example, in a strict hierarchical network, such as the one depicted in Figure 3-1, every device and every link is a single point of failure.

Figure 3-1 Every Device and Link in This Network Is a Single Point of Failure

However, this network will be safe if it's protected by dial backup. Redundancy can save the day. Redundancy provides alternate paths around these failure points, providing some measure of safety against loss of service. Be careful, though: Redundancy, if not designed and implemented properly, can cause more trouble than it is worth. Each redundant link and each redundant connection point in a network weakens the hierarchy and reduces stability. How do you implement redundant designs without destroying your network's stability? First, start with some issues, strategies, and design goals and then examine redundant designs in each layer of the hierarchical model.


Issues and Strategies of Redundancy
Keep the following two goals in mind when adding redundancy to a hierarchical design:

• Redundant paths should be used only when the normal path is broken, unless the paths are carefully engineered for load balancing. Although a network can use redundant links for load sharing as well as redundancy, this should be the exception rather than the rule. Load sharing must be carefully engineered to anticipate and prevent network instability when failures occur.
• Traffic shouldn't pass through devices or links that aren't designed to handle through traffic.

Preventing backup paths from being used for normal traffic flow normally involves hiding them as long as the main (or normal) path is available. Floating static routes (see "Case Study: What's the Best Route?" later in this chapter), dial-on-demand circuits, and metric adjustments are good ways to hide a backup path until it's needed.

Core Redundancy
Core redundancy design is generally simplified because all devices should have complete routing information (full reachability). The only exception to this general rule should be the default route used to reach external routing domains (such as the Internet or a corporate partner). Because all devices have full routing information, there is little chance of a routing loop forming within the core itself under normal circumstances. (Note that running multiple interior routing protocols within the core is not considered a normal circumstance.) It is possible to forward packets along a suboptimal route, but loops with full routing information aren't very likely.

Redundant Core Design
Numerous designs provide redundancy in the core. If your entire core network is in one building, it's generally easy to connect each router to two high speed LANs, such as high speed Ethernet or a fiber ring, which Figure 3-2 illustrates. Note that this type of design logically appears as a full mesh topology (described later in this chapter) and can exhibit many of the same scaling issues.

Figure 3-2 Redundant High Speed LANs Interconnecting Core Routers


If your core routers aren't all in one building (or on one campus), your options become more limited (and more expensive, of course). With larger scale core networks, three competing goals must be balanced for good design:

• Reducing hop count
• Reducing available paths
• Increasing the number of failures the core can withstand

The following sections depict some designs that illustrate these principles.

Ring Core Design
Ring core designs, such as the one pictured in Figure 3-3, are relatively common; they are easy to design and maintain (for the most part). Note that this ring core is the type formed using multiple point-to-point links to interconnect multiple routers. There are some designs that rely on a ring at the lower (physical) layer. (To the routers, they appear to be a single high-speed broadcast network—see the following "Redundant Fiber Ring Technologies" section.)

Figure 3-3 A Ring Core


Following are the properties of the ring core design shown in Figure 3-3:

• There are two paths to any given destination from every core device.
• A packet crosses a maximum of four hops with the entire core intact.
• Losing a single link increases the maximum number of hops through the core to six.
• Losing any two links isolates at least one piece of the network.

Ring core designs do well with reducing the number of available paths while still providing redundancy, but they fail miserably at the other goals. The number of possible routes through the network is low during normal operation, but the number of hops a packet may have to cross with a single link down is unreasonable. A two-hop path to reach a server could become a six-hop path if a single link fails. A big jump like this can cause session timeouts and other problems. There's not a lot of redundancy afforded with a ring design; losing any two links on the core will isolate some piece of the network. There are ways of circumventing this, but they involve backups of backups, or other types of kludges, which will end up being difficult to maintain and scale in the long term. It's better to design it right the first time.

Redundant Fiber Ring Technologies
While ring cores typically tend to have many disadvantages, some ring technologies have redundancy designed in. One of these technologies is Synchronous Optical Network (SONET), also known as Synchronous Digital Hierarchy (SDH). This technology was standardized by the CCITT as G.707, G.708, and G.709. SONET networks consist of a pair of fiber optic links between each node on the ring. The first fiber is normally used to pass data at speeds of up to OC-48 (2488.32 Mbps). The second fiber is used as a redundant path. If the first fiber is cut or becomes otherwise unusable, traffic is automatically shifted to the second fiber. FDDI is another technology that provides this sort of redundancy with two rings on which the data rotates in opposite directions (two counter rotating rings). If the fiber fails at any point between two dual attached nodes (devices that are attached to both rings), the ring will wrap, healing the break. These technologies provide the redundancy at Layer 2 in the OSI model, resolving many of the issues with providing redundancy at the network layer. This type of technology could be emulated with normal point-to-point technologies by installing two links between each device in the core ring and only advertising the backup path when the primary path becomes unusable. These methods do not, however, provide redundancy for the devices on the core; they only provide redundancy for the links between the devices. Redundancy for device failures almost always requires a network layer solution or Layer 2 switching.

Full Mesh Core Design
Full mesh designs, where every core router has a connection to every other core router, provide the most redundancy possible. The design in Figure 3-4 provides the following:

Figure 3-4 A Full Mesh Core

• A large number of alternate paths to any destination.
• A two hop path to any destination under normal use.
• A four hop maximum path in the worst case scenario (multiple links down with full connectivity).
• Exceptional redundancy; because every router has a link to every other router, this network would have to lose at least three links before any destination became unreachable.

Full mesh designs do well in the hop count and maximum redundancy areas. Unfortunately, full mesh designs can provide too much redundancy in larger networks, forcing a core router to choose between a large number of paths to any destination, which increases convergence times. In Figure 3-4, Router A has five paths to Router C:

• Router A to Router C
• Router A to Router B to Router C
• Router A to Router D to Router C
• Router A to Router B to Router D to Router C
• Router A to Router D to Router B to Router C

Adding another router to the network in Figure 3-4 would increase the number of paths between Router A and Router C to nine; the addition of a sixth router would increase the number of paths to fourteen. In general, full mesh networks with n nodes will have (n(n–1))/2 links (which is almost exponential). By the time you install eight or nine nodes on this full mesh core, there could be too many paths to consider, as you can see from Figure 3-5.


Figure 3-5 Routers Versus Paths in a Full Mesh

Full mesh networks can be expensive because of the number of links required. These networks also need a lot of configuration management because there are many places to make mistakes when implementing a change. It's difficult to engineer traffic on a full mesh network; the path that traffic normally takes can be confusing, making it difficult to decide how to size physical links (see "Case Study: What's the Best Route?" at the end of this chapter for further information).

Partial Mesh Core Design
Partial mesh cores tend to be a good compromise in hop count, redundancy, and the number of paths through the network. In Figure 3-6, there are four paths between any two points on the network, for example, between Router A and Router F:

Figure 3-6 Partial Mesh Core

• Router A to Router D to Router F
• Router A to Router C to Router F
• Router A to Router D to Router E to Router C to Router F
• Router A to Router C to Router B to Router D to Router F

There is a clear difference in the lengths of the four paths available, which means only the two equal length paths will be used at any time for normal traffic flow. No more than three hops will be required to traverse the network during normal operation; if any single link fails, the maximum number of hops to traverse the network will increase to four. These low hop counts tend to stay low as a partial mesh core grows. The redundancy provided by a partial mesh design is good, as well: The network in Figure 3-6 provides full connectivity with three links down as long as no single router loses both of its connections to the mesh. The major drawback for partial mesh cores is that some routing protocols don't handle multipoint partial mesh designs well, so it's much better to stick with point-to-point links of some type in the core (such as point-to-point subinterfaces for ATM or Frame Relay).
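The three core goals listed earlier (hop count, available paths, and failures withstood) can be measured for any candidate core before it is built, which is how the ring, full mesh, and partial mesh sections above compare their designs. The following is an added example, not code from the book, that computes the worst-case hop count of a core, the worst-case hop count after every possible single (or multiple) link failure, and the fewest simultaneous link failures that partition it. The ring and full mesh are built by formula; the six-router partial mesh is a constructed sample in the style of Figure 3-6, not the figure's exact topology, so its numbers are the sample's own. The full mesh link count it reports is n(n-1)/2, which grows with the square of n.

```python
from collections import deque
from itertools import combinations


def ring(names):
    """Ring core: each router linked to the next, the last back to the first."""
    return {frozenset((names[i], names[(i + 1) % len(names)])) for i in range(len(names))}


def full_mesh(names):
    """Full mesh core: every router linked to every other, n(n-1)/2 links."""
    return {frozenset(pair) for pair in combinations(names, 2)}


def hop_counts(links, source):
    """Breadth-first search: fewest hops from source to each reachable router."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        here = queue.popleft()
        for link in links:
            if here in link:
                (there,) = link - {here}
                if there not in dist:
                    dist[there] = dist[here] + 1
                    queue.append(there)
    return dist


def diameter(nodes, links):
    """Worst-case hop count between any two routers, or None if the core is split."""
    worst = 0
    for node in nodes:
        dist = hop_counts(links, node)
        if len(dist) < len(nodes):
            return None
        worst = max(worst, max(dist.values()))
    return worst


def after_failures(nodes, links, failures):
    """Examine every combination of `failures` failed links.

    Returns (worst diameter among the cases that stay connected, or None;
             True if at least one case partitions the core).
    """
    worst, partitions = None, False
    for failed in combinations(links, failures):
        d = diameter(nodes, links - set(failed))
        if d is None:
            partitions = True
        elif worst is None or d > worst:
            worst = d
    return worst, partitions


def links_to_partition(nodes, links):
    """Fewest simultaneous link failures that isolate some part of the core."""
    for k in range(1, len(links) + 1):
        if after_failures(nodes, links, k)[1]:
            return k
    return None


# Constructed cores. The partial mesh has two well-connected routers, C and D,
# each linked to A, B, E and F; it is a sample, not the topology of Figure 3-6.
RING_6 = ring(["A", "B", "C", "D", "E", "F"])
MESH_4 = full_mesh(["A", "B", "C", "D"])
PARTIAL_6 = {frozenset(p) for p in (("A", "C"), ("A", "D"), ("B", "C"), ("B", "D"),
                                    ("E", "C"), ("E", "D"), ("F", "C"), ("F", "D"))}

if __name__ == "__main__":
    for label, nodes, links in (("ring", set("ABCDEF"), RING_6),
                                ("full mesh", set("ABCD"), MESH_4),
                                ("partial mesh", set("ABCDEF"), PARTIAL_6)):
        print(f"{label}: {len(links)} links, diameter {diameter(nodes, links)} hops, "
              f"one link down -> {after_failures(nodes, links, 1)[0]} hops, "
              f"partitions after {links_to_partition(nodes, links)} link failures")
```

For the six-router ring the report shows the pattern the text warns about: three hops intact, five hops with one link down, and a partition after any two failures. The four-router full mesh stays at two hops with a link down and needs three failures to isolate anything, while the sample partial mesh sits between the two. The brute-force search over failure combinations is fine for a core of a dozen routers, which is the size range this chapter is concerned with.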

Routing Protocols and Partial Mesh Technologies

Each router in Figure 3-7 only has one physical interface, which connects to the Frame Relay network. The Frame Relay interface on Router A has two permanent virtual circuits (PVCs) configured through one interface: one to Router B, and the other to Router C. Routers B and C each connect to one PVC. Each router sees this Frame Relay cloud as a logical subnet. Frame Relay, ATM, and Primary Rate ISDN interfaces typically provide this type of connectivity, called point-to-multipoint or nonbroadcast multi-access (NBMA).

Figure 3-7 Routing Protocols in a Partial Mesh Topology

By default, OSPF treats NBMA networks as if they were broadcast links, which means a designated router will be elected. (See Appendix A, "OSPF Fundamentals," for more information on designated routers.) This isn't really a broadcast network, though. Because Router A has direct connections to both Router B and Router C, Router A will receive any broadcasts Router B or Router C send. Router B, however, won't receive any broadcasts Router C transmits because there is no link between them; likewise, Router C won't receive any broadcasts transmitted by Router B. For OSPF, this means only Router A will receive Router B's and Router C's Hellos; Router B won't receive Router C's Hellos, and Router C won't receive Router B's Hellos. Router A, Router B, and Router C will all have different views of the designated router election process. Router A might think that Router B is the designated router, but Router C wouldn't know this because it doesn't receive Router B's hello packets.


Then how do you handle NBMA networks in an OSPF environment? There are three ways, each with advantages and disadvantages.

You can configure the OSPF router priorities so that only Router A can become the designated router. This is an easy solution, which allows all the addresses on this one multipoint circuit to be in the same IP subnet. The disadvantage is that one misconfigured remote router can bring this entire link down.

It's also possible, on Cisco routers, to configure logical subinterfaces and treat each PVC as a point-to-point link. Using point-to-point subinterfaces is very clean, allowing different costs to be associated with each PVC, different output queues, and better tracking of the interface status against the PVC status. The disadvantage of using point-to-point subinterfaces is that each point-to-point subinterface must be in its own IP subnet, which means using a fair amount of address space just for these point-to-point serial links.

The final way to handle NBMA networks in an OSPF environment is to have each router configured with an OSPF network type of point-to-multipoint. The advantages of a point-to-multipoint configuration are that it's easy to configure, and it allows all the links in the multipoint network to share the same IP subnet. The disadvantage is that a host route will be created for each neighbor the hub or core router has, which could add a lot of routes to your routing tables.

What's the best solution for OSPF? It depends. The network designer should carefully consider each option and decide which one fits into the network at large. Different solutions will most likely be appropriate for different situations.

In the case of IS-IS, NBMA clouds like this won't work at all. The only solution is to use point-to-point subinterfaces. That's a simple decision!

Because EIGRP is an advanced distance vector protocol, it will work well on NBMA networks; there are no special configurations required for either point-to-multipoint or point-to-point subinterfaces. Point-to-point subinterfaces allow more control over the metric used between the hub or core router and each endpoint router. Therefore, it might be better in some situations.
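The following is an added illustration, not code from the book, of why the designated router election described above goes wrong on the hub-and-spoke NBMA cloud of Figure 3-7, and why the first remedy (priorities that leave only Router A eligible) fixes it. The PVC list, router IDs and priorities are constructed values, and the election rule is a simplification of OSPF's (highest priority wins, ties go to the highest router ID, priority 0 is ineligible); the real election also keeps an existing DR in place, which is omitted here.

```python
"""Designated-router election as each router on an NBMA hub-and-spoke sees it.

Added example (not from the book).  Router A has PVCs to Routers B and C, as in
Figure 3-7, but B and C have no PVC between them and never hear each other's
Hellos, so each router elects a DR from a different candidate set.  The
election rule is a simplification of OSPF's: highest priority wins, ties go to
the highest router ID, priority 0 makes a router ineligible.  Router IDs,
priorities and the PVC list are constructed values.
"""
import ipaddress

# Constructed PVC list for Figure 3-7: unordered pairs of directly connected routers.
PVCS = {("A", "B"), ("A", "C")}
ROUTER_IDS = {"A": "10.0.0.1", "B": "10.0.0.2", "C": "10.0.0.3"}


def hello_neighbors(router, pvcs=PVCS):
    """Routers whose Hellos this router receives: only those on a shared PVC."""
    seen = set()
    for a, b in pvcs:
        if a == router:
            seen.add(b)
        elif b == router:
            seen.add(a)
    return seen


def dr_as_seen_by(router, priorities, router_ids=ROUTER_IDS, pvcs=PVCS):
    """The DR this router would elect from the routers it can actually hear."""
    candidates = hello_neighbors(router, pvcs) | {router}
    eligible = [r for r in candidates if priorities[r] > 0]
    if not eligible:
        return None
    # Highest priority wins; ties broken by the numerically highest router ID.
    return max(eligible,
               key=lambda r: (priorities[r], ipaddress.ip_address(router_ids[r])))


def election_views(priorities, router_ids=ROUTER_IDS, pvcs=PVCS):
    """Map each router to the DR it believes was elected."""
    return {r: dr_as_seen_by(r, priorities, router_ids, pvcs) for r in priorities}


def views_agree(views):
    """True when every router names the same DR, as they would on a true broadcast LAN."""
    return len(set(views.values())) == 1


if __name__ == "__main__":
    # Default priorities: every router is eligible and the spokes disagree with the hub.
    print(election_views({"A": 1, "B": 1, "C": 1}))
    # Remedy from the text: spokes get priority 0, so only the hub can be DR.
    print(election_views({"A": 1, "B": 0, "C": 0}))
```

With equal priorities the hub elects Router C, Router B elects itself, and Router C elects itself; once the spokes are given priority 0 all three name Router A, which is the consistency OSPF assumes for a broadcast segment.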

Distribution Redundancy

Now that some core designs have been covered, the redundant designs for the distribution layer will be discussed. The distribution layer is covered more thoroughly in Chapter 4, "Applying the Principles of Network Design." Additional issues with redundancy and addressing are discussed in that chapter. The two most common methods for providing redundancy at the distribution layer are dual homing and backup links to other distribution layer routers. The main consideration when designing redundancy in the distribution layer is unexpected traffic patterns.


Dual Homing to the Core

In Figure 3-8, Router A has two connections to the core through separate routers. While this provides very good redundancy (the loss of a single core router or a single link won't make any destinations behind Router A unreachable), it can also create some problems.

Figure 3-8 Dual Homing in the Distribution Layer

If Router A were connected only to one core router, Router D would have two paths to 172.16.0.0/16:

• Router D to Router B to Router A
• Router D to Router C to Router B to Router A

With Router A dual-homed to the core, Router D has four paths to this destination:

• Router D to Router C to Router A
• Router D to Router B to Router A
• Router D to Router C to Router B to Router A
• Router D to Router B to Router C to Router A

Dual homing Router A to the core effectively doubles the number of paths available to 172.16.0.0/16 in the core. This doubling of possible routes for every dual-homed distribution layer router slows network convergence. It's sometimes possible to force the metric or cost of one of the two paths to be worse so that traffic will normally flow over only one link. The number of paths is still doubled, so this isn't a very effective solution for advanced routing protocols. A better solution would be to only advertise 172.16.0.0/16 over one link unless that link becomes unusable. Conditional advertisement and floating static routes can be used to only advertise a route when necessary.

Dual homing also presents one other problem: If the link between Router B and Router C goes down, Router A could be effectively drawn into a core role, passing transit traffic between Router B and Router C. This may be a valid design if it's anticipated and planned for, but it's generally not. The easiest way to prevent this from occurring is to configure Router D so it doesn't advertise routes learned from Router C back to Router B, and so it doesn't advertise routes learned from Router D back to Router C.

Redundant Links to Other Distribution Layer Devices

Installing links between distribution layer routers to provide redundancy has the following drawbacks (see Figure 3-9):

Figure 3-9 Redundant Links between Distribution Layer Devices

• Doubling the core's routing table size: As was discussed when looking at dual homing distribution layer devices to the core, adding the link between Router A and Router B in Figure 3-9 doubles the size of the core routing table because Router D now has paths through both Router A and Router C to the 172.16.0.0/16 network.
• Possible use of the redundant path for traffic transiting the core: If the link between Router D and Router C fails in Figure 3-9, it's possible that Router D could begin forwarding traffic to Router A, which is destined someplace beyond Router C, rather than forwarding the traffic to Router E. Router A and Router B can be effectively drawn into a core routing role.
• Preferring the redundant link to the core path: Distribution layer routers may end up preferring the redundant path through the distribution layer, rather than the path through the core. In Figure 3-9, it's possible that Router B would prefer the redundant link to the path through the core to reach the 172.16.0.0/16 network.
• Routing information leaks: Routing information will leak between the distribution layer branches because the routers in one branch will need to be able to advertise the destinations in another branch as reachable through the redundant link. In Figure 3-9, this can result in instabilities occurring beyond Router A and spreading through all the distribution layer branches, rather than being contained. It can also slow convergence time because routing tables in the distribution layer routers become larger.


Access Redundancy

The access layer presents many of the same challenges and issues as the distribution layer, and it also shares some of the same strategies for resolving these drawbacks. Dual homing access layer devices is the most common way of providing redundancy to remote locations, but it's also possible to interconnect access layer devices to provide redundancy. In Figure 3-10, Router G and Router H are access layer routers that are dual-homed with the backup circuit connected to different branches of the distribution layer. If these redundant links are actually constantly up and carrying traffic, the number of paths between 10.2.1.0/24 and 10.1.1.0/24 is excessive:

Figure 3-10 Access Layer Redundancy: Dual Homing through Different Distribution Branches

• Router H to Router F to Router B to Router A to Router C to Router G
• Router H to Router F to Router B to Router E to Router G
• Router H to Router D to Router A to Router B to Router E to Router G
• Router H to Router D to Router A to Router C to Router G

With each addition of a dual-homed access layer router, things get worse. This plethora of paths causes major problems in the core; the size of the routing table in the core will mushroom. This is the general rule: If the redundant link crosses the boundary of a distribution layer branch, it should not be advertised as a normal path.

Another option to provide access layer redundancy (and another illustration of the general rule above) is to provide links between the access layer routers themselves. In Figure 3-11, this saves one link, and it also reduces the number of paths between 10.1.1.0/24 and 10.2.1.0/24 down to two. If access layer redundancy is provided using links between access devices, it's important to provide enough bandwidth to handle the traffic from both remote sites toward the core.
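The path counts quoted for Figure 3-8 (two paths single-homed, four dual-homed) and for Figure 3-10 (four paths between the two access routers) can be reproduced by enumerating loop-free paths over the topology. The code below is an added example, not from the book; the link lists are reconstructed from the paths the text itself enumerates, so any link not implied by those paths is an assumption. It also shows what the general rule above achieves: when the redundant link that crosses distribution branches (Router H to Router D) is withheld from normal advertisement, the core sees only two paths.

```python
"""Count the loop-free paths a router sees when a downstream router is dual-homed.

Added example (not from the book).  The link lists are reconstructed from the
paths enumerated in the text for Figures 3-8 and 3-10; they are assumptions,
not the book's figures.
"""


def build_graph(links):
    """Undirected adjacency map from a set of (router, router) links."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def simple_paths(graph, src, dst):
    """Every loop-free path from src to dst, found by depth-first search."""
    paths = []

    def walk(node, visited, path):
        if node == dst:
            paths.append(path)
            return
        for nxt in sorted(graph.get(node, ())):
            if nxt not in visited:
                walk(nxt, visited | {nxt}, path + [nxt])

    walk(src, {src}, [src])
    return paths


def path_count(links, src, dst):
    """Number of distinct loop-free paths between two routers."""
    return len(simple_paths(build_graph(links), src, dst))


# Figure 3-8 with Router A single-homed to Router B (reconstructed links).
FIG_3_8_SINGLE = {("D", "B"), ("D", "C"), ("C", "B"), ("B", "A")}
# Dual-homing Router A adds a second core attachment, to Router C.
FIG_3_8_DUAL = FIG_3_8_SINGLE | {("C", "A")}

# Figure 3-10, reconstructed from the four paths listed in the text.
FIG_3_10 = {("H", "F"), ("H", "D"), ("F", "B"), ("D", "A"), ("A", "B"),
            ("A", "C"), ("B", "E"), ("C", "G"), ("E", "G")}
# The backup circuit that crosses into another distribution branch.
FIG_3_10_CROSS_BRANCH_LINK = {("H", "D")}


def paths_when_suppressed(links, suppressed, src, dst):
    """Paths visible to routing when the suppressed links are not advertised.

    This models the general rule in the text: the redundant link still exists
    physically but is withheld from the routing tables until it is needed.
    """
    return simple_paths(build_graph(links - suppressed), src, dst)


if __name__ == "__main__":
    print("Figure 3-8, single-homed:", path_count(FIG_3_8_SINGLE, "D", "A"))
    print("Figure 3-8, dual-homed:  ", path_count(FIG_3_8_DUAL, "D", "A"))
    for p in simple_paths(build_graph(FIG_3_10), "H", "G"):
        print("Figure 3-10:", " to ".join("Router " + r for r in p))
    print("With H-D withheld:", len(paths_when_suppressed(
        FIG_3_10, FIG_3_10_CROSS_BRANCH_LINK, "H", "G")))
```

Adding one more dual-homed access router to such a topology multiplies the path count again, which is the growth the text calls excessive; the `paths_when_suppressed` function is the quantity a designer actually wants the core to see.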

Figure 3-11 Redundancy through Interconnected Access Layer Devices

Either of these solutions would work well as long as the redundant route is not advertised until needed, so traffic won't normally flow across the redundant link. Dial-on-demand circuits work well for these types of applications. It is possible to design load sharing and redundancy within the access layer, as Figure 3-12 illustrates. In this case, both links to Router G are connected to routers within the same distribution layer branch, as are both links to Router H.


Figure 3-12 Access Layer Redundancy through the Same Distribution Layer Branch

It's still possible for packets traveling from Router C to Router D to pass through Router G, but this can be remedied with route filtering. Router G and Router H should only advertise the networks below them in the hierarchy. In Figure 3-12, this is 10.1.1.0/24 for Router G and 10.2.1.0/24 for Router H. If correct filtering is installed in Router G, Router C will not learn any paths through Router D by way of Router G. One way to get around all of the problems associated with dual homing is to use dial backup. There are two sections at the end of this chapter, "Case Study: Dial Backup with a Single Router" and "Case Study: Dial Backup with Two Routers," that cover these options.

Connections to Common Services

As was briefly mentioned in Chapter 1, "Hierarchical Design Principles," common use resources, such as server farms and connections to the Internet, can be connected directly to the core of the network or through a DMZ. If these common services are attached directly to the core, the most visible single point of failure will be the network these common services are attached to. Side A of Figure 3-13 illustrates this single point of failure.

Figure 3-13 Redundancy to Common Shared Resource, Such as a Server Farm

In the network illustrated by Side B of Figure 3-13, the server farm has been connected to two core routers, so the failure of a single router will not affect the reachability of the server farm. In a similar way, Figure 3-14 illustrates multiple connections to an external routing domain for redundancy. In this case, the links to the external routing domain are directly attached to the core.

Figure 3-14 Redundancy to an External Domain


Providing redundancy for links through a DMZ is more complicated because there are two points of failure that need to be considered: the link between the core and the DMZ, and the link between the DMZ and the external domain. Figure 3-15 illustrates an external routing domain attached through a redundant DMZ.

Figure 3-15 Redundant DMZs

Listed below are some issues with having redundant links to external routing domains:

• Any routes the external routing domain is injecting into your network will be injected twice, once through each connection.
• Care must be taken so the core of your network doesn't become a transit network for traffic between two destinations in the external domain. This is particularly true for connections to the Internet.
• If multiple DMZs are used with separate firewall devices, either the firewall devices must coordinate their activities or some effort must be made to prevent a session, which initially uses the path through one firewall, from switching to the path through the other firewall in the middle of the session.

Summary

Strong hierarchical design tends to create a lot of places in a network where a single link or device failing can cause portions of the network to become unreachable; these are single points of failure. Redundancy provides backups and alternates to these single points of failure, but too much redundancy can be worse than no redundancy at all. Table 3-1 highlights important concepts about redundancy at the various layers.

Table 3-1. Summary of Issues and Strategies at Various Layers in a Network

Layer | Method | Issues & Strategies
Core | Ring | Hop count too large with single link loss. Only tolerates one broken device or link.
Core | Full mesh | Routing table too large.
Core | Partial mesh | Good compromise between hop count, redundancy, and routing table size. Be careful with routing protocols that may not handle partial mesh well.
Distribution | Dual-homed to core | Be careful with core routing table size. Make certain that route leakage between the branches of the distribution layer doesn't occur.
Access | Dual-homed to same distribution layer branch | Restrict destinations advertised to prevent transit traffic through the access layer router.
Access | Alternate path to another access layer device | Don't use the redundant link for normal traffic flow. Restrict destinations advertised to prevent transit traffic through the access layer router.
Access | Dual-homed to different distribution layer branches | Don't use the redundant link for normal traffic flow. Restrict destinations advertised to prevent transit traffic through the access layer router.

Case Study: What's the Best Route?

Floating static routes have been discussed quite a bit in this chapter, so it might help to understand how they work. The key to understanding floating static routes is in understanding how a Cisco router chooses which route to place in its forwarding table (which route to use). If a Cisco router has the following five paths available to 10.1.1.1, which would it use?

• 10.1.1.0/24, metric 44560, EIGRP, administrative distance 90
• 10.1.1.0/24, metric 56540, EIGRP, administrative distance 90
• 10.1.1.0/24, metric 2, RIP, administrative distance 120
• 10.0.0.0/8, metric 12500, EIGRP, administrative distance 90
• 10.0.0.0/8, metric 1, static, administrative distance 200

A router first looks at the prefix length of the paths and chooses the one with the longest prefix (the most bits set, or the most 1s). Because the three routes to 10.1.1.0/24 have a longer prefix length than 10.0.0.0/8, the 10.1.1.0/24 routes are preferred. But which of the three 10.1.1.0/24 routes should the router use? Two of these routes are learned through EIGRP, and the third through RIP. Because RIP uses hop count as its metric, and EIGRP uses a metric based on bandwidth and delay, the metrics can't be compared between protocols. Because the router has no way to directly compare the various metrics and costs each protocol uses internally, it uses an external measure of the reliability of a protocol: the administrative distance. Lower administrative distances are preferred. In this case, the path with an administrative distance of 120 is removed from the running, leaving the two paths with an administrative distance of 90. The router chooses between these two paths by looking at the internal metric of the protocol according to the rules of that protocol (in this case EIGRP) and choosing the one with the better metric. In this case, the first route is preferred.

Because the administrative distance is so important in making routing decisions, it will be covered in a bit more detail. How is the administrative distance determined? Each routing protocol has a default administrative distance:

• connected: 0
• static: 1
• EIGRP Summary: 5
• BGP External: 20
• EIGRP Internal: 90
• IGRP: 100
• OSPF: 110
• IS-IS: 115
• RIP: 120
• EGP: 140
• EIGRP External: 170
• BGP Internal: 200
• Unknown: 255

The administrative distance for connected routes cannot be changed, but it can be changed for other protocols. Each of the routing protocol's administrative distances can be changed using the distance command in router configuration mode. The administrative distance for each static route can be set using an option in the ip route command:

ip route 10.1.1.0 255.255.255.0 x.x.x.x 200

The ability to change the administrative distance of a static route this way has led to the concept of a floating static route, which is a static route with a high administrative distance, typically 200 or above. These floating statics are useful for backing up primary routes or conditionally advertising a route.
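The three-step selection just described (longest prefix, then lowest administrative distance, then the protocol's own metric) is small enough to write out, and doing so also shows how a floating static route behaves in the dial backup case studies that follow: it sits unused while any dynamic route to the same destination exists and is installed only when those routes disappear. The code below is an added example, not from the book or from Cisco IOS; it uses the five candidate routes from this case study and a simplified model in which metrics are compared only after administrative distance has narrowed the field to one protocol. Equal-cost candidates are not load-shared here, which real routers may do.

```python
"""How a router picks among candidate routes, and why a floating static floats.

Added example (not from the book).  Selection order: longest prefix, then
lowest administrative distance, then lowest metric within the winning
protocol.  The candidate routes are the five from the case study.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str            # e.g. "10.1.1.0/24"
    metric: int            # protocol-internal metric, comparable only within one protocol
    protocol: str
    admin_distance: int


# The five candidate paths from the case study, values as given in the text.
CANDIDATES = [
    Route("10.1.1.0/24", 44560, "EIGRP", 90),
    Route("10.1.1.0/24", 56540, "EIGRP", 90),
    Route("10.1.1.0/24", 2, "RIP", 120),
    Route("10.0.0.0/8", 12500, "EIGRP", 90),
    Route("10.0.0.0/8", 1, "static", 200),   # the floating static
]


def matching_routes(routes, destination):
    """Candidates whose prefix covers the destination address."""
    dest = ipaddress.ip_address(destination)
    return [r for r in routes
            if dest in ipaddress.ip_network(r.prefix, strict=False)]


def best_route(routes, destination):
    """The route a router would install for this destination, or None."""
    matching = matching_routes(routes, destination)
    if not matching:
        return None
    # Step 1: longest prefix (more bits set) wins.
    # Step 2: among equal prefixes, lowest administrative distance wins.
    # Step 3: among routes from the same protocol, lowest metric wins.
    return min(matching, key=lambda r: (
        -ipaddress.ip_network(r.prefix, strict=False).prefixlen,
        r.admin_distance,
        r.metric,
    ))


def withdraw(routes, protocol):
    """Simulate losing every route learned from one protocol (e.g. a neighbor goes away)."""
    return [r for r in routes if r.protocol != protocol]


if __name__ == "__main__":
    print("normal:", best_route(CANDIDATES, "10.1.1.1"))
    no_eigrp = withdraw(CANDIDATES, "EIGRP")
    print("EIGRP lost:", best_route(no_eigrp, "10.1.1.1"))
    only_static = withdraw(no_eigrp, "RIP")
    print("all dynamic routes lost:", best_route(only_static, "10.1.1.1"))
```

Run as shown, the first call returns the EIGRP route with metric 44560. Losing EIGRP does not fall through to the static yet: the RIP route still has the longer prefix, so its administrative distance of 120 never competes with the static's 200. Only when the RIP route is also gone does the floating static with administrative distance 200 become the installed route, which is exactly the behaviour the dial backup configurations rely on.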

Case Study: Redundancy at Layer 2 Using Switches

It's often possible to build redundancy into a network at the data link layer rather than the network layer. One example of this is the FDDI ring, which has two physical paths between each station on the ring. Another possibility is to use switches running the Spanning-Tree Algorithm to choose between redundant paths. For example, in the network in Figure 3-16 there are actually eight paths from Router G to the FDDI ring, but Router G would see only two of them. Spanning tree running between Switches C and D would block some ports to eliminate any loops.

Figure 3-16 Redundancy at Layer 2

Following is an example of one pair of paths through the network. There are two possible paths between Router A and Router E: Router A to Switch C to Router E and Router A to Switch D to Router E, crossing VLAN 1. If both switches were to forward traffic on all ports, there would be a bridging loop between these links: From Switch C's port on VLAN 1 to Switch D's port on VLAN 1 to Switch D's port on VLAN 1 and finally to Switch C's port on VLAN 1. After running spanning-tree calculations, one of the two switches would block traffic on one of these four ports to break the loop, leaving only one path between Router A and Router E.

Assume that the port which blocks is Switch D's port onto VLAN 1. If Switch C fails, Switch C would recalculate spanning tree and begin forwarding traffic across VLAN 1. The routers wouldn't even know that a network failure had occurred. If Router E were to fail, Router G would begin using the alternate routed path through Router F to reach the FDDI ring. No single link or equipment failure would cause an outage on this network.

While this example shows LANs (specifically Ethernet VLANs) being used as intermediate links, it's also possible to use switches to provide redundancy over wide area links, such as Frame Relay or ATM. When using switched virtual circuits rather than permanent virtual circuits (or in combination with permanent virtual circuits), it's possible to have a mesh of redundant connections between switches that are completely transparent to the routers on the edges of the network cloud.

Physical layer redundancy is often easier to implement and can provide faster recovery than providing redundancy at the network layer. It can also be less complicated to maintain and manage. Physical layer redundancy doesn't provide fallbacks for failure in the routers at the edge, however. Because routers are Layer 3 devices, router redundancy must be provided for at Layer 3 with a routing protocol (or something along the lines of floating static routes).

Case Study: Dial Backup with a Single Router

While BGP is capable of conditional advertisement, most other routing protocols aren't. You need to find a way to advertise backup links only under certain conditions, particularly if they are dial-on-demand, such as ISDN. Figure 3-17 depicts a common scenario; Router B has a point-to-point link through Serial 0 to Router A, and a dial-on-demand backup link through BRI 0 to Router C. The routing protocol is EIGRP, and Router B is only receiving 0.0.0.0/0 advertised from Router A (the default route). The network administrator doesn't want the ISDN link up unless the serial link fails.

Figure 3-17 ISDN Dial-on-Demand

There are two possibilities for bringing the ISDN dial-on-demand link up when the serial interface fails:

1. Configuring the ISDN link as a backup interface. Configuring an interface as a backup, as the name implies, instructs the router to bring a dial interface up in response to another interface's line state changing to down.
2. Using a combination of floating static routes and a dynamic routing protocol to redirect traffic over the ISDN link.

It's relatively simple to configure the ISDN interface as a backup interface for Serial 0 in Figure 3-17. On Router B:

isdn switch-type basic-ni1
!
interface BRI0
 ip address 172.16.10.33 255.255.255.252
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 bandwidth 128
 dialer idle-timeout 600
 dialer map ip 172.16.10.34 name C 5551212
 dialer-group 1
 isdn spid1 91955588880100
 isdn spid2 91955588880100
 no fair-queue
 no cdp enable
 ppp authentication chap
 ppp multilink
!
interface Serial 0
 ip address 172.16.10.29 255.255.255.252
 encapsulation frame-relay
 backup interface bri 0
 backup delay 10 120
!
router eigrp 1
 network 172.16.0.0
!
ip classless
access-list 101 deny eigrp any any
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101

Configuring the ISDN link as a backup interface relies on the serial interface actually going down to trigger the switch from the serial link. Unfortunately, the condition of the interface doesn't necessarily reflect the condition of Layer 3 connectivity, particularly for Frame Relay networks. When the physical layer can't be used to indicate IP connectivity across a link, it's better to use routing to bring the backup link into operation, a job for floating static routes. The configuration follows (the EIGRP process and ip classless are the same as in the backup interface configuration above; they are needed so that the default route is still learned dynamically):

isdn switch-type basic-ni1
!
interface BRI0
 ip address 172.16.10.33 255.255.255.252
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 bandwidth 128
 dialer idle-timeout 600
 dialer map ip 172.16.10.34 name C 5551212
 dialer-group 1
 isdn spid1 91955588880100
 isdn spid2 91955588880100
 no fair-queue
 no cdp enable
 ppp authentication chap
 ppp multilink
!
interface Serial 0
 ip address 172.16.10.29 255.255.255.252
 encapsulation frame-relay
!
router eigrp 1
 network 172.16.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.10.34 200
access-list 101 deny eigrp any any
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101

The number at the end of the ip route command indicates an administrative distance. Because Router C would normally have a 0.0.0.0/0 route from Router A through EIGRP, this static route will not normally be used (placed in the routing table). If Router A were lost as an EIGRP neighbor, though, Router C would begin using this static, which points out through the ISDN link. Once interesting traffic begins to be forwarded out of interface BRI 0 (as defined by dialer-list 1), the router will bring the ISDN link up. Once the serial link is restored, the 0.0.0.0/0 route learned through EIGRP from Router A should once again be installed in the routing table, and all traffic should be forwarded through the serial interface. Because EIGRP is not considered interesting traffic, the router will eventually bring the ISDN link down.

Note that in both of these configurations, IP route-cache is disabled on the ISDN interface. It's important that the router not cache any destinations as reachable through the ISDN interface because it will continue sending traffic for those destinations through the ISDN interface, regardless of the state of the serial interface, until the route cache entry times out.

Ca se St u dy : D ia l Ba ck u p w it h Tw o Rou t e r s Dial backup using a single r out er at t he r em ot e sit e st ill leaves a single point of failure —t he r out er at t he r em ot e sit e. The obv ious solut ion is t o inst all t w o r out er s at t he r em ot e sit e, as illust r at ed in Figur e 3- 18.

Figu r e 3 - 1 8 D ia l Ba ck u p w it h Tw o Rou t e r s

74

Ther e ar e t w o pr oblem s w it h t his solut ion; t he fir st is t hat host s on t he 172.16.9.0/ 24 net w or k m ust set t heir default gat ew ay s t o eit her Rout er B's or Rout er D's Et her net I P addr ess t o r each t he rest of t he net w ork. No m at t er w hich one is used, if t hat r out er fails com plet ely, all connect ivit y t o t his segm ent w ill effect iv ely be lost . The second is Rout er B m ust be able t o signal Rout er D t hat it s serial link t o Rout er A has failed. The first pro blem can be resolved using Hot St andby Rout er Prot ocol ( HSRP) . HSRP allows Rout er B and Rout er D t o share a virt ual I P address bet ween t hem wit h only t he act iv e HSRP r out er accept ing ( and for w ar ding) t r affic dest ined t o t hat I P addr ess. Following is an exa m ple of how t his would work. On Rout er B, t he configurat ion is as follow s:

interface e0 ip address 172.16.9.2 255.255.255.0 standby ip 172.16.9.1 standby priority 10 standby preempt

75

On Rout er D, t he configurat ion is as follows:

interface e0 ip address 172.16.9.3 255.255.255.0 standby ip 172.16.9.1 standby priority 20 standby preempt

Router B and Router D are both configured to act as standby routers for 172.16.9.1. They will also create a virtual physical layer address between them, and the active router will forward or process traffic transmitted to that physical layer address. Because Router B needs to be the active router in normal operation, standby priority and standby preempt have been configured. The hosts on the 172.16.9.0/24 segment will be configured to use 172.16.9.1 as their default gateway. When a host on the 172.16.9.0/24 network attempts to transmit a packet to a destination that is off the local segment, it will ARP for its default gateway's physical address, and the HSRP active router will answer with the virtual address. The host will then send all off-segment traffic to the virtual address. If Router B fails, Router D will take over as the active HSRP router and will begin forwarding traffic across the ISDN link. This resolves the first problem, how to configure the host's default gateway, but doesn't resolve the second problem: How would Router B notify Router D that its serial link has failed? The simplest way is to configure HSRP to track the state of the serial interface on Router B; if the serial interface fails, Router D should take over. On Router B, the configuration is as follows:

interface e0
 ip address 172.16.9.2 255.255.255.0
 standby ip 172.16.9.1
 standby priority 10
 standby preempt
 standby track serial 0 20

When Router B's serial interface fails, it will increase its standby priority to 30, and Router D will take over as the HSRP active router. Note this solution still relies on the physical layer failing on Router B's Serial 0; on some types of links, it is possible to lose IP connectivity while physical layer connectivity still appears to be good.

To track IP connectivity, use a routing protocol. Assuming a single default route (0.0.0.0/0) is the only route Router B is learning from Router A, Router B's configuration could be:

interface e0
 ip address 172.16.9.2 255.255.255.0
 standby ip 172.16.9.1
 standby priority 10
 standby preempt
 standby track serial 0 20
!
router ospf 1
 network 172.16.0.0 0.0.255.255 area 0
!
ip classless
! floating static: distance 200 loses to the OSPF default (110) while that default exists
ip route 0.0.0.0 0.0.0.0 172.16.9.3 200

Note that Router B is still tracking the state of its serial interface and will resign the HSRP active role if its serial interface fails. The addition of the floating static route means Router B will forward packets to Router D if it loses its OSPF neighbor across Serial 0 as well. On Router D, you could have:

interface e0
 ip address 172.16.9.3 255.255.255.0
 standby ip 172.16.9.1
 standby priority 20
!
interface BRI0
 ip address 172.16.10.33 255.255.255.252
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 bandwidth 128
 dialer idle-timeout 600
 dialer map ip 172.16.10.34 name C 5551212
 dialer-group 1
 isdn spid1 91955588880100
 isdn spid2 91955588880100
 no fair-queue
 no cdp enable
 ppp authentication chap
 ppp multilink
!
router ospf 1
 network 172.16.0.0 0.0.255.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.10.34 200
! OSPF hellos must not bring the ISDN link up; only other IP traffic is "interesting"
access-list 101 deny ospf any any
access-list 101 permit ip any any
dialer-list 1 protocol ip list 101

Normally, Router D would learn a default route through Router B from OSPF, so the floating static to 0.0.0.0/0 through 172.16.10.34 won't be used. If Router B loses its neighbor relationship with Router A, then Router D would stop learning this default route through OSPF. It would then install this default route and start forwarding traffic through the ISDN link. So, any possible failure condition is accounted for using both the floating static and HSRP. If the serial link between Router A and Router B fails entirely (or Router B fails entirely), Router D will take over as the HSRP active router and begin forwarding traffic through the backup ISDN link. If the OSPF neighbor relationship between Router A and Router B fails for any other reason, Router B still acts as the HSRP active router, but it forwards all traffic to Router D. Router D forwards all traffic through its BRI interface to Router C.
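The two configurations above combine HSRP interface tracking with a floating static route, and the paragraph above walks through the failure conditions in words. The following Python model is an added example, not the book's code: it reproduces how a Cisco router chooses among the entries in Router B's table (longest prefix first, then lowest administrative distance, 110 for OSPF against 200 for the floating static) and returns the forwarding path for each failure condition described above. HSRP is modelled at the level the text describes (Router D takes over when Router B or its tracked Serial 0 is down); the next-hop labels and the 10.0.0.1 test destination are constructed. The last table is a constructed instance of the core/HQ VLAN overlap that the "If You Didn't Readdress the Core Links" note in Chapter 4 relies on, showing why a more specific prefix wins regardless of distance.

```python
"""Route selection and the dial-backup failure matrix (added example)."""
import ipaddress
from dataclasses import dataclass

# Cisco IOS default administrative distances; lower is preferred.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ospf": 110}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str
    distance: int


class Rib:
    """Minimal routing table: longest prefix first, then lowest distance."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, source, distance=None):
        if distance is None:
            distance = ADMIN_DISTANCE[source]
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, source, distance))

    def lookup(self, destination):
        dst = ipaddress.ip_address(destination)
        matches = [r for r in self.routes if dst in r.prefix]
        if not matches:
            return None
        # Longest prefix wins outright; distance only breaks ties between equal prefixes.
        return min(matches, key=lambda r: (-r.prefix.prefixlen, r.distance))


def router_b_rib(ospf_default_present: bool) -> Rib:
    """Router B's table: the floating static (distance 200) wins only once the OSPF default is gone."""
    rib = Rib()
    rib.add("172.16.9.0/24", "Ethernet0", "connected")
    rib.add("0.0.0.0/0", "172.16.9.3", "static", distance=200)  # ip route 0.0.0.0 0.0.0.0 172.16.9.3 200
    if ospf_default_present:
        rib.add("0.0.0.0/0", "Router A via Serial0", "ospf")   # next-hop label is a constructed placeholder
    return rib


def off_segment_path(router_b_up: bool, serial0_up: bool, ospf_neighbor_up: bool):
    """Hops an off-segment packet from 172.16.9.0/24 takes under each failure condition."""
    # HSRP: Router B stays active unless it is down or its tracked Serial0 is down,
    # in which case Router D becomes active and uses its own BRI0 path.
    if not router_b_up or not serial0_up:
        return ["host", "Router D (HSRP active)", "BRI0 to Router C"]
    route = router_b_rib(ospf_neighbor_up).lookup("10.0.0.1")  # any off-segment destination
    if route.next_hop == "172.16.9.3":
        return ["host", "Router B (HSRP active)", "Router D", "BRI0 to Router C"]
    return ["host", "Router B (HSRP active)", "Serial0 to Router A"]


def core_rib_with_overlap() -> Rib:
    """A core router that kept a 172.16.3.x link while the HQ VLANs are summarized to 172.16.0.0/20."""
    rib = Rib()
    rib.add("172.16.3.4/30", "Serial1", "connected")   # constructed core link address
    rib.add("172.16.0.0/20", "HQ router", "ospf")       # summary covering the HQ VLANs
    return rib
```

Calling off_segment_path(True, True, False) returns the path through Router D while Router B remains HSRP active, which is the "fails for any other reason" case in the text; core_rib_with_overlap().lookup("172.16.3.5") resolves to the connected /30 even though the /20 summary carries a lower distance.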

Review

1: Why is it important to consider link capacities when designing redundancy?

2: Why is designing redundancy in the core easier than at other layers?

3: If all the core routers are in one building, what is a natural way to provide redundancy?

4: How many links on a ring core can fail before at least one section of the core is isolated?

5: Do ring designs provide consistent hop count through the core network when a link fails?

6: What ring technologies provide redundancy at Layer 2?

7: Do redundant ring technologies provide redundancy against failed devices?

8: Given a full mesh core with 25 routers, how many paths would there be through the network?

9: What method does a Cisco router use to differentiate between routes from two different routing protocols?

10: What is the first, and most important, factor used in deciding which route to use for a particular destination?

11: What mechanism in OSPF needs to be considered when it is being configured on a partial mesh network?

12: What are the possible techniques you can use in OSPF partial mesh network designs to get around this problem?

13: When dual homing a distribution layer or access layer router, what major problem should you be careful of?

14: When interconnecting distribution or access layer routers to provide redundancy, what issues should you be careful of?

15: What are the two main goals you must be careful to address when building redundancy into a network?

Chapter 4. Applying the Principles of Network Design

The elements of network design (hierarchy, redundancy, addressing, and summarization) have been addressed in relative isolation up to this point. The following list groups them together:

• Hierarchy: Provides a logical foundation, the "skeleton" on which addresses "hang."
• Addressing: Isn't just for finding networks and hosts; it also provides points of summarization.
• Summarization: The primary tool used to bound the area affected by network changes.
• Stability/Reliability: Provided by bounding the area affected by changes in the network.
• Redundancy: Provides alternate routes around single points of failure.

Figure 4-1 shows the traffic and routing table patterns throughout a well-designed hierarchical network. (You may recognize Figure 4-1 because you have seen pieces of it in previous chapters.) Note that the routing table size is managed through summarization; so, no single layer has an overwhelming number of routes, and no single router must compute routes to every destination in the network if a change does occur.

Figure 4-1 Traffic and Routes in a Well-Designed Network

How do you design a network so that the routes and traffic are well-behaved? By managing the size of the routing table. Managing the size of the routing table is critical in large-scale network design. The primary means of controlling the routing table size in a network is through summarization, which was covered in detail in Chapter 3, "Redundancy." Summarization is highly dependent on correct addressing. Therefore, the routing table size, summarization, and addressing (the three basics of highly scalable networks) are closely related. To illustrate these principles, this chapter begins with a network that is experiencing stability problems and "reforms" it to make it stable and scalable. This exercise applies the principles discussed in the first three chapters of this book.

Reforming an Unstable Network

This section of the chapter reforms the network shown in Figure 4-2. Because this is a rather large network, only one small section is tackled at a time. This chapter covers how to implement changes in the topology and addressing, which can improve this network. Chapter 5, "OSPF Network Design," Chapter 6, "IS-IS Network Design," and Chapter 7, "EIGRP Network Design" address how to implement routing protocols on this network.

Figure 4-2 An Unstable Network

This exercise begins with the core of the network and works outward to the distribution and access layers as detailed in the following sections.

Examining the Network Core

As you consider the core of this network, it's good to remember the design goals that you worked through for network cores back in Chapter 1, "Hierarchical Design Principles." As your primary concerns, focus on switching speed and providing full reachability without policy implementations in the network core. The first problem in the network illustrated in Figure 4-2 is that the core has too much redundancy: this is a fully-meshed design with 5 × (5 - 1) = 20 paths. The primary exercise here is to determine which links can be eliminated. To do this, you need to narrow your focus a bit; Figure 4-3 shows only the core and its direct connections.

Figure 4-3 The Network Core

Network traffic in the network illustrated in Figure 4-3 flows between the common services and external connections to and from the HQ VLANs and the networks behind the distribution layer. A diagram of this network traffic reveals that most traffic flows:

• From the networks behind Routers A, C, and D to the networks behind Router E
• From the networks behind Routers A, C, and D to the networks behind Router B

Because there won't be much traffic flowing between Router A and Router C or Router A and Router D, these are the two best links to remove. Removing these two links will reduce the core to a partially-meshed network with fewer paths and more stability. The total number of paths through the core will be cut from 20 to 6, at most, for any particular destination. Beyond the hyper-redundancy, there are also network segments with hosts connected directly to Router A: the corporate LAN VLAN trunks. Terminating the corporate VLANs directly into Router A means:

• Router A must react to any changes in the status of a corporate VLAN.
• Any access controls that need to be applied to hosts attached to one of the corporate VLANs must be configured (and managed) on a core router.

For these reasons, a router will be placed between Router A and the corporate VLANs. Adding this router moves summarization and policy implementation onto the new router, which helps to maintain the goals of the core. Remember, the core's primary function should be switching packets and not summarization or policy implementation. Finally, after dealing with the physical topology issues, you can examine the IP addresses used in the core of the network; they are all in the 172.16.3.x range of addresses. Can you summarize this address space out toward the distribution layer (and the other outlying pieces of the network)? To answer this question, you'll need to see if other networks are in the same range of addresses. In this case, 172.16.2.x and 172.16.4.x are both corporate VLANs (refer to Figure 4-2), which effectively eliminates the capability to summarize not only links in and around the core of the network but also the networks within the corporate VLAN. You have two options: Leave the addresses as they are, which could actually work in this situation, or renumber the links in the core. Because you don't want to worry about this problem again, readdressing the links between the core routers is the preferred option. You need to replace the 172.16.3.x address space that is currently used in the core with something that isn't used elsewhere in the network and that won't affect the capability to summarize in any other area of the network. Unfortunately, choosing a good address space in a network that is already in daily use is difficult. A quick perusal of the IP addresses in use shows the following:

• 172.16.0.x through 172.16.15.x are corporate VLANs; to make this a block that can be summarized, you can end it at 172.16.15.x, summarized to 172.16.0.0/20.
• 172.16.17.x through 172.16.19.x consist of server farm and mainframe connectivity; to make this a block that can be summarized, you can end it at 172.16.23.x, summarized to 172.16.16.0/21.
• Subnets of 172.16.20.x are all used for connections to external networks.
• 172.16.22.x is used for dial-in clients and other connections.
• 172.16.25.x through 172.16.43.x are used for one set of remote sites.
• 172.16.66.x through 172.16.91.x are used for another set of remote sites.

These are all the 172.16.xx.x's currently in use. The point-to-point links in and around the core use 30-bit masks, so you need a block of only 255 addresses (a block that can be summarized into a single, Class C range). The lowest such block not currently in use is 172.16.21.0/24; therefore, the links in and around the core using this address space need to be renumbered.

If You Didn't Readdress the Core Links...

It's possible to rely on the way routers choose the best path to overcome the overlapping address space between the core and the HQ VLANs without readdressing the links in the network core.

You do, however, need to summarize the routes advertised from the HQ VLANs anyway. Because the routers within the core are going to have more specific (longer prefix) routes to any destination within the core, everything will work. Relying on leaked, longer prefixes to provide correct routing is not recommended because the prefixes can be difficult to maintain, and simple configuration mistakes can cause major side effects. But it is useful to consider this option if you are in a position where networks can't be renumbered to summarize correctly.

Figure 4-4 provides an illustration of what the redesigned core from Figure 4-2 looks like after these changes:

• Removing the excessive redundancy in the core by removing two point-to-point links
• Adding a single router between the core and the HQ VLANs to move policy implementation and summarization out of the core
• Renumbering the point-to-point links in the core

Figure 4-4 Redesigned Network Core

After redesigning the core and improving network stability for the network shown in Figure 4-2, you need to look at the distribution and access layers for possible improvements.
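Before leaving the core, the path figures used in the core discussion (20 paths in the full mesh, 6 after the two links are removed) can be checked mechanically. The following Python example is added here and is not from the book. It builds a constructed adjacency for the five core routers of Figure 4-3, reports the n × (n - 1) count the chapter uses for a full mesh (the same formula applied to the 25-router core in the Chapter 3 review gives 600), and enumerates loop-free paths between Router A and Router E by depth-first search, which fall from 16 in the full mesh to 6 once the A-C and A-D links are gone.

```python
"""Count loop-free paths through the core before and after the link removal (added example)."""

# Constructed adjacency for the five core routers of Figure 4-3: a full mesh.
FULL_MESH = {r: {o for o in "ABCDE" if o != r} for r in "ABCDE"}


def directed_links(n: int) -> int:
    """The n × (n - 1) figure the chapter uses for a full mesh of n routers."""
    return n * (n - 1)


def remove_link(graph, a, b):
    """Return a copy of graph with the a-b link removed in both directions."""
    g = {r: set(nbrs) for r, nbrs in graph.items()}
    g[a].discard(b)
    g[b].discard(a)
    return g


def simple_paths(graph, src, dst):
    """Enumerate every loop-free path from src to dst by depth-first search."""
    paths = []

    def walk(node, visited, path):
        if node == dst:
            paths.append(path)
            return
        for nxt in sorted(graph[node]):
            if nxt not in visited:
                walk(nxt, visited | {nxt}, path + [nxt])

    walk(src, {src}, [src])
    return paths


def path_count(graph, src, dst) -> int:
    return len(simple_paths(graph, src, dst))


def undirected_link_count(graph) -> int:
    """Number of physical links in the topology (each counted once)."""
    return sum(len(nbrs) for nbrs in graph.values()) // 2


# The chapter's redesign: drop the A-C and A-D links, which carry little traffic.
PARTIAL_MESH = remove_link(remove_link(FULL_MESH, "A", "C"), "A", "D")


if __name__ == "__main__":
    print("full mesh directed links:", directed_links(5))
    print("A->E paths, full mesh:", path_count(FULL_MESH, "A", "E"))
    print("A->E paths, partial mesh:", path_count(PARTIAL_MESH, "A", "E"))
    for p in simple_paths(PARTIAL_MESH, "A", "E"):
        print("  ", " -> ".join(p))
```

The depth-first enumeration is the general tool: pointing it at other router pairs (for example Router C to Router E) shows that removing the two links trims the paths Router A's traffic can take while leaving every router reachable, which is the balance the chapter is after.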

Distribution Layer and Access Layer Topology

As you work through the access and distribution area of this network, keep the goals of the layers in mind. The goals for the distribution layer are as follows:

• Control the routing table size by isolating topology changes through summarization.
• Aggregate traffic.

The goals for the access layer are as follows:

• Feed traffic into the network.
• Control access into the network, implement any network policies, and perform other edge services as needed.

Because the design of the distribution and access layers is so tightly coupled, you need to examine them together. Figure 4-5 focuses on the distribution and access layers and the Frame Relay links that connect them. This way you can more easily understand them in context with the discussion that follows.

Figure 4-5 Distribution and Access Layers

At the distribution layer, Routers A, B, C, and D are currently cross connected, and they each have only one connection to the core. This produces major problems in summarization and the number of paths to a given network within the core. For example, to reach 172.16.98.0/24, a router in the core has the following possible paths:

• Core, Router B, Cloud H
• Core, Router A, Router B, Cloud H
• Core, Router C, Router B, Cloud H
• Core, Router D, Router C, Router B, Cloud H
• Core, Router C, Cloud J
• Core, Router D, Router C, Cloud J
• Core, Router B, Router C, Cloud J
• Core, Router A, Router B, Router C, Cloud J

Furthermore, if a host that is connected to the 172.16.98.0/24 network sends a packet toward the 172.16.66.0/24 network, it will most likely end up traveling across the link between Router C and Router B rather than traversing the core. This can defeat traffic engineering and cause other stability problems. The most obvious solution is to simply dual home each of the distribution layer routers to the core rather than connecting directly between them. (Dual home means to connect each distribution layer router to two core routers rather than one.) After this change, there is still a single point of failure to consider: If Router A fails, the remote networks 172.16.25.0/24 through 172.16.43.0/24 will lose all connectivity to the rest of the network. You can resolve this problem by simply providing these networks with another link to the distribution layer through Router B. Adding this link means Router B now has three Frame Relay connections; Router A and Router C have two; and Router D has one. Depending on the type of router and traffic handling factors, you may need to even out how many connections each router has. The following adjustments to where the frame links connect leave two connections per distribution layer router:

• Move the link between Cloud H and Router B to Router C; this leaves Router B with only two Frame Relay connections.
• Move the link between Cloud J and Router C to Router D; this leaves Router C with two Frame Relay connections and adds one to Router D for a total of two.

Note that moving these links around is necessary only if there are issues with traffic handling or port density on the distribution layer routers. Load balancing might also be improved by these links. Moving the links uncovers some possibilities in evening out the links attached to each router. Figure 4-6 illustrates what the network looks like after making these link changes.

Figure 4-6 Modified Distribution and Access Layers

These modifications leave a plethora of paths; normally, there are four ways to reach any access layer network from the core. For example, the 172.16.25.0/24 network has the following paths:

• Cloud E, Router A, Core (through 172.16.21.12/30)
• Cloud E, Router A, Core (through 10.1.1.26/26)
• Cloud M, Router B, Core (through 172.16.21.8/30)
• Cloud M, Router B, Core (through the alternate link)

A single failure (for example, Router A) leaves two paths through Router B. A second failure (Frame Relay Cloud M, for example) isolates the remote networks. If the second failure isolates the remote network anyway, why leave in the extra redundancy? Figure 4-7 shows the network after removing the extra (redundant) links between the core and the distribution layer routers, which leaves two paths between the core and any remote network.

Figure 4-7 Final Topology Modifications in Distribution and Access Layers

So far, then, you have moved some links around in between the distribution layer and the core to provide better points of summarization. You have also removed some redundancy, which, it turns out, is overkill. The next step is to make any possible changes in addressing in the distribution and access layers to improve stability.

Overhead in Routing Protocols

There are two things engineers yearn for in a good routing protocol: instantaneous convergence and no overhead. Since that is not possible, it is necessary to settle for a low overhead protocol with very fast convergence. But what defines low overhead? One major component of routing protocol overhead is interruption due to updates. You don't want to use a routing protocol that interrupts every host on the network every 30 seconds with a routing update (like Routing Information Protocol [RIP] does). To combat update overhead, routing protocols attempt to reduce the scope and the frequency of interruptions. One technique used by routing protocols is to reduce the scope of the updates, which means to reduce the number of hosts that will hear the update packet. Broadcast is the worst possible medium for sending updates: every host on the wire is forced to look at the packet and decide whether or not it is interesting. Only a few hosts on a network are interested in the routing updates, so using the broadcast mechanism to send routing updates is a massive waste of time and resources.

To get around this problem, routing protocols use either multicast or unicast routing updates. Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), and Intermediate System-to-Intermediate System (IS-IS) all use well-known multicast addresses for their routing updates so that hosts and other computers that aren't interested in the updates can filter them out at the hardware layer. Border Gateway Protocol (BGP) uses unicast routing updates, which is even better, but does require special configuration to work (neighbor statements). Another technique used to reduce the overhead in a routing protocol is to reduce the frequency of the updates. RIP, which advertises all known destinations every 30 seconds, uses a great deal of bandwidth. OSPF is periodic, timing its table out every 30 minutes; 30 minutes is much more efficient than 30 seconds. In between these 30-minute intervals, OSPF counts on flooding unreachables as a mechanism for discovering invalid paths. EIGRP and BGP never time their tables out. BGP relies on a withdraw mechanism to discover invalid paths, and EIGRP relies on a system of queries to discover invalid paths. Routing protocols reduce network overhead by reducing the number of packets required to provide other routers with the routing information they need. Routing protocols use fancy encoding schemes to fit more information into each packet. For example, whereas RIP can fit 25 route updates in a single routing update packet, IGRP can fit 104. Routing protocols also use incremental updates to reduce the number of packets required to do the job. Rather than a router advertising its full routing table every so often, it only advertises changes in its routing table. This reduces the amount of processing time required to recalculate when changes occur in the network, and it also reduces the amount of bandwidth the routing protocol consumes. For more information on how OSPF, EIGRP, and BGP operate, please see Appendix A, "OSPF Fundamentals;" Appendix C, "EIGRP Fundamentals;" and Appendix D, "BGP Fundamentals." These appendixes explain in further detail how each of these protocols decides when to send routing updates. In general, routing protocol overhead should be considered when choosing which protocol to use. Because the design of the network has some bearing on what the overhead will be, there is no absolute answer. You need to understand the burden that every protocol will place on your network before deciding.

Distribution and Access Layer Addressing

Now that you've built good physical connectivity, you need to address the distribution and access layers. The addressing of the links between the core and the distribution layer looks okay; these links are addressed from the core's address space. Because the only real summarization that can take place is the summarization of the entire core into one advertisement for all the outlying areas of the network, the addressing that's in place will work.

The addressing between the access and distribution routers, however, is a mess. Some of the Frame Relay clouds are using 172.16.x.x addresses, which fit into the same address space as the dial-in clients, while other clouds are using address space that isn't used any place else in the network, such as 192.168.10.0/26. How do you make sense out of this? If you number these links from an address space not already in use someplace else, as you did for the core, you won't be able to summarize them in, or group them with anything else, at the distribution layer. In this case, not being able to summarize these networks means only six extra routes in the core, but if this network grows (remember that the entire objective of network design is to make it possible to grow), then this is a problem. One solution is to steal addresses from the remote site address space to number these links. The remote sites are grouped into blocks that can be summarized as follows:

• 172.16.25.0/24 through 172.16.43.0/24 can be summarized to 172.16.24.0/21 and 172.16.32.0/20.
• 172.16.66.0/24 through 172.16.91.0/24 can be summarized to 172.16.64.0/20.
• 172.16.98.0/24 through 172.16.123.0/24 can be summarized to 172.16.96.0/20.
• 172.17.1.0/24 through 172.17.27.0/24 can be summarized to 172.17.0.0/19.

Note the first set of addresses can be summarized into only two blocks, not one. Looking for summarizations when reworking a network like this one is useful because the address space probably wasn't parceled out with summarization in mind. The easiest way to find addresses for the Frame Relay clouds is to steal addresses from the summarizable blocks cited in the preceding list. For instance:

• Cloud E can be addressed using 172.16.24.0/26.
• Cloud M can be addressed using 172.16.24.64/26.
• Cloud F can be addressed using 172.16.64.0/26.
• Cloud G can be addressed using 172.16.64.64/26.
• Cloud H can be addressed using 172.16.96.0/26.
• Cloud J can be addressed using 172.16.96.64/26.
• Cloud K can be addressed using 172.17.0.0/26.
• Cloud L can be addressed using 172.16.0.64/26.
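The block arithmetic behind the in-use address list in the core section and the cloud assignments above can be checked with Python's ipaddress module rather than by hand. The following is an added example, not from the book. summarize_24s() returns the minimal prefixes covering a run of /24s (showing, for instance, that padding the remote sites out to 172.16.24.x through 172.16.47.x yields the two blocks named above, whereas the raw 25 through 43 range needs five), and check_cloud_plan() verifies the proposed /26 cloud links against the remote-site summaries and the /24s the chapter lists as in use, reporting any cloud that falls outside every summary, collides with an in-use /24, or overlaps another cloud. The tables are transcribed from the chapter's own lists.

```python
"""Address-block arithmetic for the remote-site and Frame Relay cloud plan (added example)."""
import ipaddress

N = ipaddress.ip_network


def summarize_24s(first: int, last: int, second_octet: int = 16):
    """Minimal set of prefixes covering 172.<s>.<first>.0/24 through 172.<s>.<last>.0/24."""
    start = ipaddress.ip_address(f"172.{second_octet}.{first}.0")
    end = ipaddress.ip_address(f"172.{second_octet}.{last}.255")
    return [str(n) for n in ipaddress.summarize_address_range(start, end)]


# The remote-site summaries as stated in the chapter.
REMOTE_SITE_SUMMARIES = [N(p) for p in (
    "172.16.24.0/21", "172.16.32.0/20", "172.16.64.0/20", "172.16.96.0/20", "172.17.0.0/19")]

# /24 blocks the chapter lists as already in use: corporate VLANs, server farm and
# mainframe, external connections, dial-in clients, and the four sets of remote sites.
IN_USE_24S = ([N(f"172.16.{i}.0/24") for i in range(0, 16)]
              + [N(f"172.16.{i}.0/24") for i in range(17, 20)]
              + [N("172.16.20.0/24"), N("172.16.22.0/24")]
              + [N(f"172.16.{i}.0/24") for i in range(25, 44)]
              + [N(f"172.16.{i}.0/24") for i in range(66, 92)]
              + [N(f"172.16.{i}.0/24") for i in range(98, 124)]
              + [N(f"172.17.{i}.0/24") for i in range(1, 28)])

# The /26 cloud links proposed in the chapter.
CLOUD_LINKS = {
    "E": N("172.16.24.0/26"), "M": N("172.16.24.64/26"),
    "F": N("172.16.64.0/26"), "G": N("172.16.64.64/26"),
    "H": N("172.16.96.0/26"), "J": N("172.16.96.64/26"),
    "K": N("172.17.0.0/26"), "L": N("172.16.0.64/26"),
}


def check_cloud_plan(clouds=CLOUD_LINKS, summaries=REMOTE_SITE_SUMMARIES, in_use=IN_USE_24S):
    """Three checks to run before the links are configured.

    Returns (outside, collisions, overlaps):
      outside    - clouds whose /26 is not inside any remote-site summary
                   (their routes would reach the core as extra prefixes)
      collisions - clouds whose /26 sits inside a /24 that is already in use
      overlaps   - pairs of clouds whose /26s overlap each other
    """
    outside = sorted(name for name, net in clouds.items()
                     if not any(net.subnet_of(s) for s in summaries))
    collisions = sorted(name for name, net in clouds.items()
                        if any(net.overlaps(u) for u in in_use))
    names = sorted(clouds)
    overlaps = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
                if clouds[a].overlaps(clouds[b])]
    return outside, collisions, overlaps


if __name__ == "__main__":
    print("24-47 padded:", summarize_24s(24, 47))
    print("25-43 raw:   ", summarize_24s(25, 43))
    print("cloud plan (outside, collisions, overlaps):", check_cloud_plan())
```

Run against the chapter's tables, the check reports Cloud L's 172.16.0.64/26 as both outside every remote-site summary and inside the in-use 172.16.0.x corporate VLAN range; a link numbered there would appear in the core as its own prefix rather than being absorbed by a summary, which is the kind of slip the check exists to catch before a configuration is applied.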

Whereas stealing addresses from the remote network address space to number the links between the access and distribution layer routers is good for summarization, it does have one possible drawback: You can lose connectivity to a remote network even though all possible paths to that network are not down. As an example, consider the remote router and its paths to the network core as illustrated in Figure 4-8.

Figure 4-8 An Individual Remote Router and Its Connections to the Network Core

Assume that both Routers A and B are advertising a summary of 172.16.24.0/21, which is the address space from 172.16.24.0 through 172.16.31.0. Therefore, the summary covers the remote network and the links between the access and distribution layer routers shown in Figure 4-8. Furthermore, assume that Router B is used by the core routers as the preferred path to this summary for whatever reason (link speed, and so forth). Given these conditions, if the remote router's link onto frame Cloud M fails, all connectivity with the remote network 172.16.25.0/24 will be lost, even though the alternate path is still available. It might be very unlikely, of course, that this could happen, but it is possible and worth considering. The only solution to this type of problem is for Router A to recognize the condition and advertise the more specific route to the remote network. Unfortunately, this capability doesn't exist today in any Interior Gateway Protocol (IGP); you simply have to be aware that this type of problem can occur and know what to look for.
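The failure mode just described can be reproduced in a few lines. The following Python model is an added example and not the book's code. It constructs the three forwarding tables implied by Figure 4-8 (the core, which sees only the 172.16.24.0/21 summary and prefers Router B; Router A and Router B, each holding the summary as a discard route plus the specific 172.16.25.0/24 for as long as its own Frame Relay path to the remote router is up) and traces a packet hop by hop. The next-hop labels are constructed.

```python
"""Why a summary can hide a failed remote link (added example modelling Figure 4-8)."""
import ipaddress

N = ipaddress.ip_network
SUMMARY = N("172.16.24.0/21")   # advertised by both Router A and Router B
REMOTE = N("172.16.25.0/24")    # the remote site reached through Clouds E and M


def longest_match(table, destination):
    """Next hop for destination from a [(network, next_hop)] table, or None if no route."""
    dst = ipaddress.ip_address(destination)
    hits = [(net, hop) for net, hop in table if dst in net]
    return max(hits, key=lambda e: e[0].prefixlen)[1] if hits else None


def build_tables(remote_link_to_cloud_m_up: bool, core_prefers: str = "Router B"):
    """Constructed tables. Each distribution router installs its own summary as a
    discard (Null0) route and keeps the specific /24 only while it still has a
    path to the remote router; the core only ever sees the summary."""
    core = [(SUMMARY, core_prefers)]
    router_a = [(REMOTE, "Cloud E to remote router"), (SUMMARY, "Null0")]
    router_b = [(SUMMARY, "Null0")]
    if remote_link_to_cloud_m_up:
        router_b.insert(0, (REMOTE, "Cloud M to remote router"))
    return {"core": core, "Router A": router_a, "Router B": router_b}


def trace(destination, remote_link_to_cloud_m_up, core_prefers="Router B"):
    """Follow a packet from the core hop by hop until it leaves the model or is dropped."""
    tables = build_tables(remote_link_to_cloud_m_up, core_prefers)
    node, hops = "core", ["core"]
    while True:
        nxt = longest_match(tables[node], destination)
        if nxt is None or nxt == "Null0":
            hops.append("dropped")
            return hops
        hops.append(nxt)
        if nxt not in tables:   # reached a link out of the modelled topology
            return hops
        node = nxt


if __name__ == "__main__":
    print("Cloud M up:  ", " -> ".join(trace("172.16.25.10", True)))
    print("Cloud M down:", " -> ".join(trace("172.16.25.10", False)))
    print("core prefers A, Cloud M down:",
          " -> ".join(trace("172.16.25.10", False, "Router A")))
```

With the Cloud M link down the trace ends in Router B's discard route even though Router A still holds the specific route, which is the condition to watch for in a summary-based design; build_tables() can be replaced with tables transcribed from each router's routing table to check a real deployment the same way.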

External Connections

This section separately examines the external connections to the network, as was done for the network core and distribution and access layers (see Figure 4-9).

Figure 4-9 External Connections

It only takes a quick look to see that there are too many links between the core of this network and the external networks: three connections to four partner networks, an Internet connection, and a bank of dial-in clients. Having this many connections to external networks causes problems in two areas: addressing and routing.

External Connection Addressing

If one of the partners illustrated in Figure 4-9 installs a network that happens to use the same address space as an internal network, how do you handle it? You must either coordinate the use of address space with the other network partners, use only registered addresses, or use Network Address Translation (NAT) (refer to Chapter 2, "Addressing & Summarization"). Because this network uses private address space, you're probably already using NAT to get to the Internet. Therefore, it's logical to use NAT to get to external partner networks as well. But with this many connections to partner networks, where do you run NAT? It's never a good idea to run it on a core router; don't even consider that. You can run it on Routers B, C, and D, but this connection is very difficult to configure and maintain (especially considering you may need to translate addresses in both directions). It is much easier to connect the external partner networks to the DeMilitarized Zone (DMZ) and put the network translation on the routers there. You can translate the internal addresses to a registered address space on the way out (as you are most likely already doing) and translate the external addresses, if needed, into something acceptable for the internal address space on Routers B, C, and D. From an addressing perspective, the best solution is to attach Routers B, C, and D to the DMZ.

External Connection Routing

The routing side of the equation is this: Even if the internal and external address spaces don't overlap, you don't want to carry routes to these external networks in all your routers. It is much better to carry a single default route from all external networks into the core of the network. Once again, from a routing perspective, the best solution is to connect Routers B, C, and D to the DMZ.

Dial-In Clients

What about the dial-in clients? Should you connect these to the DMZ as well? Because these clients are assigned addresses within the internal address space, the addressing problems and routing problems outlined for the network partners don't exist for these clients. Remember that these clients will likely want to connect to internal hosts that other externally connected clients aren't allowed to see, which means special security considerations are necessary on Router A. All in all, it's better to leave the dial-in clients directly connected to the core. However, you should not allow the link between Router E and the core to be a single point of failure. For this reason, you need to add a dial backup link from Router E to the core. You also need to renumber the link between Router E and the core so that it fits into the addressing scheme for the core. Figure 4-10 illustrates the network originally illustrated in Figure 4-2 with all the changes covered thus far in this chapter.


Figure 4-10 The Revised Network with Changes to the Core, Distribution Layer, Access Layer, and External Connections

Review

1: What does hierarchy provide in a well-designed network?

2: What is the primary tool used to bound the area affected by network changes?

3: How can you determine which links can be removed from a fully-meshed core network to decrease the number of links?

4: What provides ways around failure points in the network?

5: What two things are most desirable in a routing protocol?

6: What can a routing protocol do to decrease its burden on hosts that are not running routing on a network?

7: List the addressing problems that are caused by having multiple links to external networks.

8: Given the network shown in Figure 4-10, how many routes do you think a core router will have in its table if no summarization is applied?

9: How many routes do you think a core router will have in its table if all possible summarization is done?

10: Define the core, distribution, and access layers of the network shown in Figure 4-11.

Figure 4-11 Review Exercise Network

11: Correct any problems in the topology that will affect the stability of the network pictured in Figure 4-11. Explain the changes you make and why.

12: Address the network shown in Figure 4-11 in a way that reduces the routes in the core to a minimum.


Part II: Scaling with Interior Gateway Protocols

Chapter 5 OSPF Network Design
Chapter 6 IS-IS Network Design
Chapter 7 EIGRP Network Design


Chapter 5. OSPF Network Design

Now that you are familiar with the basics of topology and addressing design from the first four chapters in the book, it's time to implement some routing protocols on the network (illustrated in Figure 4-10) to gain a little more practical understanding of the problems and tradeoffs you will be working with. This part of the book begins with Open Shortest Path First (OSPF) because this is a popular protocol. See Appendix A, "OSPF Fundamentals," for a short description of how OSPF works. This chapter begins by considering how to divide the network up into areas because this decision affects many other design decisions. In this planning, you'll learn where to summarize and deal with some issues common to dial backup—ways of handling the dial-in clients, the problems dial-in links cause, and how to deal with the external connections to the network. Finally, you'll learn about which areas can become stub areas of various types.

Dividing the Network for OSPF Implementation

When implementing OSPF on a network, one design decision affects the implementation of everything else. So, it is important that you figure out how you are going to divide the network before beginning with your implementation of OSPF. Area border points will decide where you can do summarization, what areas can be stubby or not, and how the network can grow in the future. The solution to this dilemma tends to be confusing because OSPF uses a two-level hierarchy and, here, you're working with a three-level hierarchy. OSPF's two-level hierarchy has a core area and areas hanging off of that core. The network uses a three-level design with a core, a distribution layer, and an access layer. The third layer really isn't accounted for in OSPF. The chapter begins by looking at where to divide the network out toward the remote sites. Should the area borders be at the edge of the core or in the distribution layer?

Distribution Layer Design Issues: The Core Routers as ABRs

First, consider putting the area borders at the edge of the network core, which means defining the core network as area 0. All of the distribution layer routers connected to a given core router will be placed in one area. There are some major advantages to placing the area border routers (ABRs) at the edge of the core; look at Figure 5-1 to see where this will lead you.

Figure 5-1 Dividing the Areas at the Core/Distribution Boundary


Following are some of the advantages of placing the ABRs at the edge of the core:

• Area 0 is very small.
• There shouldn't be any problems with suboptimal routing because the core routers only receive one route for any given set of destinations (summary).
• There aren't any distribution layer routers with two connections into the core. All the redundant links from the remote sites into the distribution layer are within the same area.
• Because all summarization will be done at the core/distribution layer border, the routing table in the core will be very small—possibly as low as six routes to reach all of the remote sites.

There are some disadvantages to placing the area borders at the core as well. The sections that follow address these disadvantages:

• Summarization at the core
• Dial backup past the summarization point
• Redundancy and router scaling

Summarization at the Core

If you make each of the core routers ABRs, all summarization takes place at the core. As noted in Chapter 1, "Hierarchical Design Principles," this isn't something that should be done in the core. Of course, you can break this rule if the stability of the network doesn't suffer (remember, stability is the goal of this entire exercise); however, you do need to be cautious with summarizing on the core routers.


This can also cause problems with scalability when this network grows because most of the growth is likely to take place in the distribution and access layers. You face the choice of either building a larger number of areas in these layers or having rather large areas, which could be a problem. Making these areas some sort of stub (covered later in this chapter) could improve the scalability.

Dial Backup past the Summarization Point

The rebuild of the network in Chapter 4, "Applying the Principles of Network Design," opted to remove the redundant links between the distribution and core routers in favor of a dial backup link between each distribution layer router and the DMZ-to-core router (the same router the dial-in terminal server backs up to). If you summarize at the core routers, the process of a distribution layer router dialing in to a core router other than the one it normally attaches to effectively circumvents summarization. To get a better feel for the problems involved, consider Figure 5-2.

Figure 5-2 Dial Backup past the Point of Summarization


When the link between Router A and Router B fails, Router A is configured so that it automatically dials into Router C, restoring connectivity. But what routes does Router C advertise? If Router B is summarizing to a relatively short prefix (for example, 172.16.0.0/16), then Router C could summarize to a slightly longer prefix length (for example, 172.16.64.0/20), and this will all work. Because Router C will be advertising a longer prefix length for these routes, the path through Router C will be chosen. But what if Router B is advertising 172.16.64.0/20? Router C could advertise each route learned through Router B, but this effectively circumvents summarization—not good. The other option is for Router C to summarize to two longer prefixes so that some summarization is taking place. Here you could use 172.16.64.0/21 and 172.16.72.0/21. Because the distribution layer routers have dial backup links into the core, and the core routers would be doing the summarization if the area border is between the core and the distribution layer, this is a problem in the network. On the other hand, the only time dial backup should be a problem is if the core Router B itself fails.


If the link between Router A and Router B fails, Router A will still have routes to all of the destinations reachable through the core because each remote site is dual-homed. Router A will learn all the routes it needs through some remote site back to the other distribution layer router in this area. Of course, you don't want these dual-homed remotes to become transit paths. However, that isn't likely to happen because the path through the other distribution layer router would always be better than the path through Router A, through another remote site, and, finally, up through the core.

The Distribution Layer Becomes Extraneous

If you summarize at the core router, you can effectively take the distribution routers out of the network because all they are providing you with is a bit of redundancy. By placing the area borders at the core of the network, you've effectively made this into a two-tier hierarchy. This isn't to say that distribution layers can't be important in two-layer hierarchies. For instance, it might make sense to have a distribution layer even with a two-tier model. For example, a group of geographically close remote sites might be better off feeding into a distribution router and then to the core instead of running individual links to the core from each remote site. Another issue is simply the number of links a router should have attached. The distribution layer isolates the core routers, to some degree, from having a large number of remote sites connected. Therefore, it isolates the core routers from various router-scaling issues. Most of these issues deal with queuing and packet forwarding rates and are out of the scope of this chapter.

Distribution Layer Design Issues: The Distribution Layer Routers as ABRs

Rather than putting the border between area 0 and the other areas at the core routers, try putting the links between the distribution routers and the core into area 0. All of the remotes behind one distribution layer router are then in the same area. Look at Figure 5-3 to see where this takes you.

Figure 5-3 The Distribution Layer Routers as ABRs


Because summarization of internals can take place at the ABRs, you can summarize at the distribution layer routers. This design solution also avoids having any summarization problems with the dial backup links into the core because you can just have the distribution layer router advertise what it normally does through the dial connection. The major drawback of this solution is that if the physical topology isn't designed correctly, the distribution layer routers can be drawn into acting as core routers. In other words, distribution layer routers can end up transiting traffic not just for the access layer devices attached to them, but also between two core routers or a core router and another distribution layer router. The physical layer design doesn't allow this to happen because there is only one link between each distribution layer and core router. Why wasn't the access layer broken up into four areas? Because each access layer router is dual-homed into a single distribution layer router. The redundant links between the remote sites and the distribution layer routers would be crossing area borders. See "Case Study: Which Area Should This Network Be In?" later in this chapter to get a better feel for why this is a bad idea in general.

Finalizing ABR Placement in the Distribution Layer Design

Is it better to put the area borders at the edge of the core, or at the edge of the distribution layer? Assume the following criteria:

• Summarization should occur at the distribution layer.
• The physical layer design prevents the distribution layer routers from being pulled into the core.
• No problems exist with dial-in between the distribution layer routers and core.


Given the options and tradeoffs, it seems best to partition the areas at the distribution layer.

Placing the HQ VLAN Routers

Next, move toward the HQ VLANs and figure out where the ABRs should be; Figure 5-4 shows only the core and the HQ VLANs in order to focus on this area.

Figure 5-4 Examining HQ VLAN Routers for OSPF Implementation


Although it isn't immediately obvious that putting the area border on the HQ VLAN routers versus the core routers to which they are attached is going to make any difference, you should run through the exercise anyway. If you make Routers A and B the ABRs, then you summarize toward the core from them. Ignore this for now, due to the fact that you are summarizing on a core router, and consider instead what happens if Router C loses its connection to just one of the VLANs. Assume the connection is lost to 172.16.1.0/24.


Routers A and B would be oblivious to this event. They would still be advertising the 172.16.0.0/20 route toward the rest of the core. If, however, a packet were to arrive on Router A with a destination of 172.16.1.10, it will look in its routing table and find that the only route it has to this destination is the summary route. The critical point to remember here is that when a Cisco router builds a summary route, it puts a route in the routing table to null0 for that entire range of addresses. Router A would forward this packet to 172.16.1.10 to the only route it has for that destination—null0. null0 is the bit bucket, so all traffic to 172.16.1.0/24 would be dropped by Router A. How would this change if you were to make Routers C and D the ABRs? Go back to the scenario of Router C losing its connection to the 172.16.1.0/24 network. Instead of Router C having only a summary address in its routing table, it will have a specific route through Router D. Of course, this assumes that all of the parallel VLANs will be running OSPF—but is this really what you want to do? You don't want these VLANs to transit traffic. (It's never a good idea to have transit traffic on a link with hosts attached.) You can configure all of these interfaces as passive and not configure OSPF on all but one of them. You do need to run OSPF on at least one of these links to prevent packets from being sent to null0 if either Router C or Router D loses its connection to one (or more) of the VLANs. You should set aside a VLAN just for this purpose with no hosts or servers connected to it. So, with all of the options considered, it's best to put the area border at the routers connected to the HQ VLANs rather than at the edge of the core.
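The two summarization pitfalls discussed above (the dial backup past the summarization point in Figure 5-2, and the null0 discard route behind the HQ VLAN summary in Figure 5-4) both come down to longest-prefix matching. The following Python model is an added example, not code from the book or from Cisco IOS; it reproduces only the routing-table behaviour the text describes. The router names and the test addresses 172.16.70.1 and 172.16.1.10 are assumptions, and the route tables are constructed inline.

```python
"""Longest-prefix-match model of the two summarization pitfalls in this section.

Added example, not part of the book. A route is (prefix, next_hop); the next hop
"Null0" stands for the discard route IOS installs for a configured summary.
"""
from ipaddress import ip_address, ip_network


def lookup(rib, dst):
    """Return the next hop for dst using longest-prefix match, or None if no route."""
    addr = ip_address(dst)
    best = None
    for prefix, next_hop in rib:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def split_summary(prefix):
    """Split a summary into the two longer prefixes a backup router can advertise.

    For 172.16.64.0/20 this yields 172.16.64.0/21 and 172.16.72.0/21, the split
    the text proposes for Router C.
    """
    return [str(n) for n in ip_network(prefix).subnets(prefixlen_diff=1)]


def dial_backup_next_hop(dst, backup_active):
    """Core view during dial backup (Figure 5-2).

    Router B always summarizes to 172.16.64.0/20. While Router A is dialed in to
    Router C, Router C advertises the two /21s; the longer prefixes win, so the
    core forwards via Router C as the text predicts. Router names are assumed.
    """
    rib = [("172.16.64.0/20", "RouterB")]
    if backup_active:
        rib += [(p, "RouterC") for p in split_summary("172.16.64.0/20")]
    return lookup(rib, dst)


def abr_next_hop(vlan_link_up, alternate_path):
    """ABR view after a VLAN link fails (Figure 5-4), for a host on 172.16.1.0/24.

    The summary 172.16.0.0/20 installs a discard route to Null0. Once the /24 is
    withdrawn, traffic falls into that discard route unless some other router
    (Router D in the text) still supplies the specific route. Names are assumed.
    """
    rib = [("172.16.0.0/20", "Null0")]          # discard route for the summary
    if vlan_link_up:
        rib.append(("172.16.1.0/24", "RouterC"))  # normal path
    elif alternate_path:
        rib.append(("172.16.1.0/24", "RouterD"))  # specific learned via Router D
    return lookup(rib, "172.16.1.10")


if __name__ == "__main__":
    print(split_summary("172.16.64.0/20"))
    print(dial_backup_next_hop("172.16.70.1", backup_active=True))
    print(abr_next_hop(vlan_link_up=False, alternate_path=False))
```

Run as a script, the model shows Router C winning for any address in the /20 while backup is active, and the ABR returning Null0 for 172.16.1.10 once the specific route disappears with no alternate path; that Null0 result is the silent drop the text warns about, and it is the reason for running OSPF on at least one parallel VLAN between the two ABRs.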

Placing the Common Services Routers

Because the design of the common services networks is so similar to the HQ VLANs, the coverage won't be as in depth in this section. Consider Figure 5-5.

Figure 5-5 Connections to the Common Services


The major issue you face is dropping packets if either Router A or Router B loses its connection to one of the server farm segments, or the segment the mainframe is connected to. To get around this, include the links between the core routers and the common services routers in area 0 and run OSPF on one of the links between the common services routers. This way you can summarize the parallel LANs between Routers A and B down to one advertisement, 172.16.16.0/22, into the core without risking dropping packets.

Placing Routers to Dial-In Links

The dial-in links connected to the terminal server are next; Figure 5-6 is reduced to only the links and routers involved for clarity.

Figure 5-6 Dial-In Links and Terminal Server


The major problem you need to deal with here is that each time a client dials in, the Point-to-Point Protocol (PPP), which is the protocol used on the terminal server for connections to these dial-in users, installs a host route to the client's IP address in the routing table. If there is a network statement that includes that host route, it will be flooded to the entire area. Likewise, when the client disconnects, the host route is removed from the routing table, and the removal of the route will need to be flooded to the rest of the routers in the area. You have a couple different options for reducing flooding in an area caused by dial-in users:

• Make the terminal server an ABR
• Stop PPP from creating the host routes
• Don't run OSPF on dial-in links
• Advertise the dial-in clients off of a loopback interface

The sections that follow analyze each solution before arriving at a conclusion of which solution will work best for the network segment illustrated in Figure 5-6.

Solution 1: Make the Terminal Server an ABR


One of the easiest ways to handle dial-in links in OSPF is to simply summarize these host routes out at the nearest area border—and the closer the area border is, the better. You want to affect the fewest routers possible with these constantly flapping dial-in links. Another problem you face is that the terminal server dials into another core router for backup. If the ABR is placed on the core router, the second core router must also be an ABR for this same area in case the terminal server ends up dialing into it. The easiest thing to do, then, is to make the terminal server itself an ABR, and summarize the host routes into one destination, 172.16.22.0/24, toward the core.

Solution 2: Stop PPP from Creating the Host Routes

You can also stop PPP from creating these host routes by configuring no peer neighbor-route on the dial interface:

interface BRI0
 ip address 192.168.11.6 255.255.255.252
 encapsulation ppp
 dialer-group 1
 ppp authentication chap
 no peer neighbor-route

This gets rid of the host routes, but it doesn't provide any method to advertise the dial-in clients. One way you could advertise the dial-in clients is to use a redistributed static route, which leads us to the next solution.

Solution 3: The Static Alternative

It seems silly to make the terminal server into an ABR just to summarize these routes, and no peer neighbor-route leaves us without any way of advertising the dial-in clients. Another way to handle this terminal server, which may or may not be easier (depending on the number of dial-up links and so forth), is to not run OSPF on the dial-in links at all. (In other words, don't cover the dial-in links with a network statement.) Put the links between the terminal server and the core in area 0, create a static route summarizing all of the dial-in clients pointing to null0, and redistribute this static into OSPF. So, on the terminal server, you have:

ip route 172.16.22.0 255.255.255.0 null0
!
router ospf 1
 redistribute static
 default-metric 10


Solution 4: Advertise the Dial-In Clients Off of a Loopback Interface

Using a "static" means the route to the dial-in clients will be an external route. This may not be a problem in our network, but it could be a problem in a network where there are lots of dial-in clients attaching to terminal servers scattered all over the network because external LSAs are flooded everywhere in OSPF. It's possible to make the route to the dial-in clients come out as an OSPF internal by assigning the address range of the clients to a loopback interface and including the loopback in OSPF. The key is to keep OSPF from advertising the network attached to the loopback interface as a host route as it normally does. This can be accomplished by configuring the loopback interface as a point-to-point network type:

interface loopback 0
 ip address 172.16.22.1 255.255.255.0
 ip ospf network-type point-to-point
!
router ospf 1
 ! IOS requires an area on the network statement; area 0 is assumed here, the page does not state it
 network 172.16.22.1 0.0.0.0 area 0

One warning about this approach: If a loopback interface is configured as an OSPF network type point-to-point, the router will not use the loopback address as its router ID. (It normally does.) Notice that only the loopback interface is included in the network statement under router ospf. This is so that the individual dial-in client host routes don't get picked up and advertised, as well as the loopback address.

Determining the Best Solution for Dial-In Link Router Placement

If you don't mind the external OSPF route redistributing the static route, it seems this is the least confusing solution with the lowest administrative overhead. If there were a number of terminal servers in the network, and you didn't want externals flooded from each one, advertising the route off a loopback interface is probably better. The only problem with advertising the route off of a loopback interface is that it can be confusing to understand what's being done with the configuration, and it changes the way OSPF chooses its router ID.


To avoid confusion, use the redistributed static solution. For more information on dial-in for backup, see "Case Study: Dial Backup," at the end of this chapter.

Establishing External Connection Routes

There are two sides to external routes in OSPF. First, they must be flooded throughout the network; they can't be summarized or filtered at ABRs into area 0 at all. Other than stubby areas, external link-state advertisements (LSAs) are flooded throughout the entire network. Furthermore, each autonomous system boundary router (ASBR) in the network floods a Type 5 LSA, advertising that it, indeed, is an ASBR and any external destinations it advertised can be reached along the path to the ASBR. On the other hand, losing an external route only produces a partial shortest path first (SPF) run in better implementations of OSPF. Because external routes always represent leaf nodes on the SPF tree, there is no reason to recalculate the entire tree when an external route is lost. In general, you want to reduce the number of external routes in OSPF. This is something you must consider when trying to decide how to handle links to the partner networks and the Internet. Figure 5-7 presents a better idea of what your options are.

Figure 5-7 External Network Connections

The obvious solution to all of this is to advertise a single default route from Router B into the core, which effectively summarizes all of the partner networks' address space into one destination. The problem occurs in the second link to the Internet off Router A. If you only advertised a default from Router B into the remainder of the core, you would lose connectivity to the partner networks if the Internet link failed from Router C and the alternate Internet link on Router A were to come up.


Although it would be nice to conditionally advertise destinations in the partner networks, OSPF doesn't have any sort of conditional advertisement as BGP does. Because you don't have conditional advertisement for anything but the default route, you need to examine the choices presented in the next few sections:

• Advertise the default and all externals
• Conditionally advertise a default route
• Move the backup Internet connection onto the DMZ

Solution 1: Advertise the Default and All Externals

You could make Router B an ABR, putting all of the external connections into a separate area. Each router that connects to an external network would become an ASBR, redistributing routes as necessary into the rest of the network. Router C would advertise a default route. This all sounds fine, but for each external connection made, you end up with a new external and ASBR advertisement being flooded throughout your network. You can reduce the number of ASBR advertisements readily enough by a slight change in strategy. If you run a routing protocol other than OSPF on the DMZ (such as EIGRP, IS-IS, or RIPv2), you can redistribute all of the external destinations into this secondary routing protocol and then redistribute this protocol into OSPF at Router B. What is the advantage of doing this? Because the DMZ is a broadcast network, when Router B redistributes the external route into OSPF, the forwarding address will be set to the router that Router B heard the advertisement from. See "Case Study: OSPF Externals and the Next Hop," later in this chapter. As long as Router B is running OSPF on the DMZ (although no other router is running OSPF on the DMZ—it could even be a passive interface on Router B), any addresses on the DMZ will appear to be OSPF internal routes to all the other routers on the network. This solution converts Router B into a route server for all of the external routes. This cuts down on the number of Type 5 LSAs flooded into the network by cutting down on the number of ASBRs, although the overall number of external routes isn't affected.

To handle the second Internet connection, you would make certain that Router C is actually originating the default route, and Router B is redistributing it. On Router A, you can configure a floating static route so that if the external default route being originated by Router C ever fails, the floating static route configured on Router A would take over.

Solution 2: Conditionally Advertise a Default Route


If the floating static route on Router A seems a little messy, or if you would rather have the default route originated from Router B as an internal route, you can configure a conditionally advertised default route on Router B. You can set up a route-map to make certain the network between Router C and the Internet service provider (ISP) is up, advertising the default route only when it is. You don't have the address for the link between the ISP and Router C, so you can fake it and say it's x.x.x.x:

access-list 10 permit x.x.x.x x.x.x.x
!
route-map advertise-default permit 10
 match ip address 10
!
router ospf 1
 default-information originate route-map advertise-default

With this configured, Router B will advertise the default route as long as network x.x.x.x exists. You still need some way of advertising a default route from Router A to make this work correctly, either a floating static or another conditional default route. Again, you don't know the link address between Router A and the Internet connection, so use y.y.y.y:

!
ip route 0.0.0.0 0.0.0.0 y.y.y.y 200
!
router ospf 1
 redistribute static
 default-metric 10

Solution 3: Move the Backup Internet Connection onto the DMZ

One additional solution is to move the alternate Internet connection onto the DMZ. The advantage of this is that it simplifies routing somewhat. You don't need to conditionally advertise anything, nor do you need to advertise any of the external destinations. Just a simple default-information originate always configured on Router B will do the trick. On Router B, this looks like the following:

!
router ospf 1
 default-information originate always
!
ip route 0.0.0.0 0.0.0.0 x.x.x.x


You can run some other protocol within the DMZ, which also provides some routing isolation from the rest of the network. This is the best option because it's the least troublesome to maintain, and it requires that only one link be moved (the alternate Internet connection). It does leave a single point of failure, but this could be dealt with by adding a second router between the DMZ and the core, or some other strategy. Figure 5-8 shows what the DMZ looks like after implementing these changes.

Figure 5-8 DMZ Design with a Second Routing Protocol

To Stub or Not to Stub

Up to this point in the chapter, it seems as though the dilemma of where to place all of the ABRs in the network has been solved. With OSPF, this leaves just one other question to consider—which areas should be stubbed? There are three types of stub areas in OSPF:

• Stubby — External routes are not advertised into stub areas, nor can they be generated from stub areas; routers in these areas rely on the default route to reach all externals.
• Not-so-stubby areas (NSSAs) — External routes are not advertised into NSSA areas (unless they originate within the area), but they can be generated within the area.
• Totally stubby — Neither external nor internal routes are advertised into a totally stubby area; all routers rely on a default route to reach any destination outside the area.

Refer to Figure 5-9, which presents how the areas are set up, to see if any of them can be stubbed.

Figure 5-9 OSPF Areas

Totally Stubby Areas

Generally you wouldn't make an area totally stubby unless it had only one exit point. None of the areas in Figure 5-9 have only one exit point. Therefore, it doesn't seem useful to totally stub any of them.

N ot - So- St u bby Ar e a s 115

Not - so- st ubby ar eas ar e gener ally used for ar eas t hat or iginat e ex t er nals and don't need any infor m at ion about t he int er ior of t he net w or k . Since y ou ar en't or iginat ing any ext er nal r out es int o t he net w or k, you pr obably w on't need any NSSAs eit her .

St u bby Ar e a s Depending on t r affic flow , som e of t hese ar eas m ight m ake good candidat es for r egular st ubs. I n each ar ea, it depends on t he am ount of t r affic dest ined t o ext er nal host s and w het her opt im um r out ing is im por t ant : • •





a r e a 0 — This ar ea cannot be m ade int o any t ype of a st ub in an OSPF net work. a r e a 1 — This ar ea pr obably has a good deal of t r affic t o ext er nal links, alt hough t hat 's not cer t ain. I f it does, it should r em ain a nor m al ar ea. The num ber of r out er s in t he ar ea ( t w o) also influences y ou, her e; it 's sm all enough t hat flooding som e ext er nals int o ar ea 1 pr obably isn't going t o be a problem . a r e a 2 — This ar ea pr obably has v er y lit t le cont act w it h out side net w or k s. I f t her e is som e host or ser v ice t hat ex t er nal host s w ill need t o cont act , subopt im um r out ing isn't m uch of an issue because bot h pat hs t o t he DMZ ar ea ar e t w o hops. This could be a st ub ar ea. a r e a s 3 a n d 4 — Ther e could be a gr eat deal of t r affic t o ex t ernal services fr om t hese ar eas, but t her e isn't m uch of a chance of subopt im al r out ing fr om t hem t o t he DMZ ar ea. These can be st ub ar eas.

Case Study: Troubleshooting OSPF Adjacency Problems

One of the various problems that you often run into with OSPF is when a pair of routers is attached to the same network, but they won't become fully adjacent. If you know the right things to look for, this type of problem can be quickly dealt with. Before troubleshooting neighbors that won't bring up an adjacency, you need to make certain that they should become fully adjacent. For example, the routers in Figure 5-10 are connected to the same link, but they will never become fully adjacent.

Figure 5-10 Neighbor Relationships on a Broadcast Network

Assume that Router A becomes the designated router (DR) on this network, and Router B becomes the backup designated router (BDR). Since the DR is responsible for sending Router C any information it learns from Router D, there isn't any reason for Router C and Router D to become fully adjacent. And, as a matter of fact, they won't. Routers C and D will build their neighbor relationship to the two-way state only, and they will never build a full adjacency. The routers in Figure 5-11, however, should be building a full OSPF adjacency; they are connected through a point-to-point link, and they are both in area 0.

Figure 5-11 Two OSPF Routers

When you look at the show ip ospf neighbor output from either router, however, you can see that the adjacency isn't being built. From Router A the output is as follows:

A#sho ip ospf nei
A#

The first thing to do when this type of problem occurs is to run debug ip ospf adj on one of the routers. Once again, from Router A, the output is as follows:

A#debug ip ospf adj
OSPF adjacency events debugging is on
A#
20:12:35: OSPF: Rcv hello from 172.19.10.1 area 0 from Serial0 172.19.1.2
20:12:35: OSPF: Mismatched hello parameters from 172.19.1.2
20:12:35: Dead R 40 C 80, Hello R 10 C 20

This output reveals that you have mismatched hello parameters; in this case the Dead and Hello timers are mismatched. The Hello timer on this router (labeled C in the debug output) is 20, while the Hello timer on the remote router (labeled R in the debug output) is 10. Looking at the configuration on Router A, you see the following:

!
interface Serial0
 ip address 172.19.1.1 255.255.255.0
 no ip directed-broadcast
 ip ospf hello-interval 20
 no ip mroute-cache
!

The OSPF Hello interval on this interface has been set to 20. Correcting this should fix the problem. The Hello interval, Dead interval, wait time, and link type all have to match for OSPF routers to become fully adjacent. However, other problems aren't so easy to find quickly, unless you know specifically what you are looking for. Next, correct the timers and see if the neighbors will come up into FULL state. A few executions of the show ip ospf neighbor command reveal the following:

A#show ip ospf neighbors
Neighbor ID     Pri   State           Dead Time   Address         Interface
172.19.10.1       1   INIT/  -        00:00:35    172.19.1.2      Serial0
A#show ip ospf neighbors
Neighbor ID     Pri   State           Dead Time   Address         Interface
172.19.10.1       1   EXCHANGE/  -    00:00:35    172.19.1.2      Serial0

Even though the mismatched timers have been corrected, the routers still won't become adjacent. They just flip-flop between INIT and EXCHANGE modes. EXCHANGE state means you are trying to exchange databases with the neighbor. So, the logical assumption is that you are getting hello packets across the link, but not database information. Why would hello packets be okay and database packets not be okay? Well, hello packets are small, while database packets are large. Prove this theory by pinging with various-sized packets across the link between the two routers using an extended ping as follows:

A#ping
Protocol [ip]:
Target IP address: 172.19.1.2
Repeat count [5]: 1
Extended commands [n]: y
Sweep range of sizes [n]: y
Sweep min size [36]: 100
Sweep max size [18024]: 1500
Sweep interval [1]: 100
Type escape sequence to abort.
Sending 15, [100..1500]-byte ICMP Echos to 172.19.1.2, timeout is 2 seconds:
!..............
Success rate is 6 percent (1/15), round-trip min/avg/max = 1/1/1 ms

You can see from the preceding output that the ping fails with a packet size of 200 bytes, which seems very small. Take a look at the router on the other end of the link and see how the interface is configured:

interface Serial0
 mtu 100
 ip address 172.19.1.2 255.255.255.0

So, it looks like you've found the problem—the MTU size is mismatched on the link. One router thinks the MTU is 100 bytes, while the other end thinks it is 1500 bytes. Because the hello packets are only 64 bytes, both routers can send and receive them with no problems. But when it comes time to send and receive maximum-sized database descriptor (DBD) packets, Router B, with an MTU of 100 bytes, will drop the 1500-byte packets generated by Router A. One side note—Cisco routers running newer software will not have this problem because the routers exchange the MTU size of the link in their hello packets. When they exchange LSAs or DBDs, they limit their packet sizes to the minimum MTU on the link. Of course, if the MTU of one end of a link is different than the MTU of the other end of the link, larger packets will still fail to cross the link in one direction, regardless of OSPF's ability to bring up an adjacency. This just shifts the problem from building the adjacency to the more esoteric problem of some applications not working across the link, or FTP control sessions working correctly but data sessions failing.
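To make the two failures in this case study concrete, here is a small Python model, added here and not taken from the book or from IOS, that reproduces the hello-parameter check, the DBD exchange against a mismatched MTU, and the extended-ping sweep. The interface values are the case study's; the name negotiates_mtu is an assumed label for the newer-software behaviour the text describes.

```python
"""Model of the two failures in the adjacency case study: a Hello/Dead timer
mismatch, then an MTU mismatch that lets 64-byte hellos through while
full-size database descriptor (DBD) packets are dropped.  Added illustration,
not code from the book or from Cisco IOS.  Interface values mirror the case
study; 'negotiates_mtu' (assumed name) models the newer-software behaviour
the text describes: both routers learn the peer MTU and shrink their DBDs."""
from dataclasses import dataclass

HELLO_SIZE = 64  # bytes, as given in the case study


@dataclass
class OspfIface:
    address: str
    hello: int = 10        # Hello interval, seconds
    dead: int = 40         # Dead interval, seconds
    mtu: int = 1500
    negotiates_mtu: bool = False


def hello_mismatch(local, remote):
    """Return a 'debug ip ospf adj'-style mismatch line, or None if hellos agree.
    C is the configured (local) value, R the value received from the remote."""
    if local.hello != remote.hello or local.dead != remote.dead:
        return (f"Mismatched hello parameters from {remote.address}: "
                f"Dead R {remote.dead} C {local.dead}, "
                f"Hello R {remote.hello} C {local.hello}")
    return None


def packet_crosses(size, sender, receiver):
    """A packet crosses the link only if neither interface MTU is exceeded."""
    return size <= sender.mtu and size <= receiver.mtu


def dbd_size(sender, receiver):
    """DBDs are built to the sender's MTU unless both ends negotiate the minimum."""
    if sender.negotiates_mtu and receiver.negotiates_mtu:
        return min(sender.mtu, receiver.mtu)
    return sender.mtu


def adjacency_state(local, remote):
    """Highest state the pair reaches, with the reason it stops there."""
    msg = hello_mismatch(local, remote)
    if msg:
        return "DOWN", msg
    # Database exchange must succeed in both directions to reach FULL.
    for sender, receiver in ((local, remote), (remote, local)):
        size = dbd_size(sender, receiver)
        if not packet_crosses(size, sender, receiver):
            return "EXCHANGE", (f"{size}-byte DBD from {sender.address} dropped "
                                f"by MTU {receiver.mtu} at {receiver.address}")
    return "FULL", "databases exchanged"


def ping_sweep(min_size, max_size, step, sender, receiver):
    """Extended-ping size sweep: (!/. pattern, successes, total, success percent)."""
    results = [packet_crosses(s, sender, receiver)
               for s in range(min_size, max_size + 1, step)]
    ok = sum(results)
    pattern = "".join("!" if r else "." for r in results)
    return pattern, ok, len(results), 100 * ok // len(results)


if __name__ == "__main__":
    a = OspfIface("172.19.1.1", hello=20, dead=80)   # Router A as first configured
    b = OspfIface("172.19.1.2", mtu=100)              # Router B with 'mtu 100'
    print(adjacency_state(a, b))                      # DOWN: Dead R 40 C 80, Hello R 10 C 20
    a.hello, a.dead = 10, 40                          # timers corrected
    print(adjacency_state(a, b))                      # EXCHANGE: 1500-byte DBD dropped
    print(ping_sweep(100, 1500, 100, a, b))           # 1 of 15 sizes answered, 6 percent
```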

Case Study: Which Area Should This Network Be In?

Sometimes you may find that a given remote router has been, or needs to be, dual-homed to routers in different areas, as shown in Figure 5-12.

Figure 5-12 Remote Dual-Homed into Two Different Areas

When dual homing a remote site to two routers in different areas, you need to decide which area to put each link in. Begin by putting the serial link between Routers D and B in area 1 and the serial link between Routers D and C in area 2; these changes are illustrated in Figure 5-13. Now that you have those two down, you still have one small enigma to handle: Which area do you put the remote Ethernet in?

Figure 5-13 Adding the Two Serials to Areas 1 and 2

If you put the Ethernet link in area 1, Router C will route traffic to the Ethernet link completely through the core of the network to reach it—talk about suboptimal routing! Putting the Ethernet in area 1 also defeats the purpose of dual homing the remote. Since traffic can't travel from area 1 (the Ethernet) through area 2 (the serial link between Routers D and C) to area 0, the dual homing doesn't provide any redundancy.

All of these same problems apply in the opposite direction if you put the remote Ethernet in area 2.

A Third Area and Virtual Links

One possibility is to put this Ethernet in a third area (for example, area 3) and run virtual links between area 3 and area 0 through both area 1 and area 2. This will work, but it also presents a major suboptimal routing problem. Suppose that a host attached to Router C wants to reach a destination on this remote Ethernet. Because all traffic between areas must pass through area 0, the packets would be passed to area 0 by Router C, then back to Router D, and, finally, to their destination.

Using redistribute connected to Advertise the Remote Network

One possible solution for this type of a problem is to simply redistribute the Ethernet into both areas from Router D. It's simple enough to configure:

!
hostname D
!
router ospf 10
 network 10.45.8.0 0.0.0.255 area 1
 network 10.45.9.0 0.0.0.255 area 2
 ! subnets is required so the /24 Ethernet, not only classful networks, is redistributed
 redistribute connected subnets

Don't Dual-Home Remotes into Different Areas

Finally, you could find some way to connect this remote site so the problem doesn't exist. This is the best solution because it doesn't add externals into the mix, and there aren't any problems with suboptimal routing. If possible, avoid remotes that are dual-homed into two different areas. Instead, find a way to connect any remote sites that need to be dual-homed to routers in the same area.

Case Study: Determining the Area in Which to Place a Link

Figure 5-14 presents a situation you might come across from time to time, where Router C and Router D are ABRs, while Router A and Router B are in area 0, and Router E and Router F are in area 1.

Figure 5-14 What Area Should the Network in the Middle Be In?

What do you do with the WAN link in the middle? Should it be in area 0, or area 1? Begin by putting the WAN link in area 0—it is a direct link between two core routers, so it's probably supposed to be in the network core. Assuming no summarization at the area border, Router C will have two routes to 10.1.2.0/24:

• An inter-area route through the WAN link
• An intra-area route through Router E, the 512k link in area 1, Router F, then Router D

Since OSPF always prefers intra-area routes over inter-area routes, Router C will choose the path through Router E (the 512k link), Router F, and then Router D, rather than the one hop WAN link through area 0. This is relatively radical suboptimal routing, so try putting the WAN link in area 1. Placing the WAN link in area 1 presents the same problem—only this time it's for the 10.1.3.0/24 network. Router D is going to prefer the link through Router B (the 512k link), Router A, then Router C, rather than the one hop path over the WAN link through Router C. How do you resolve this? You could put the WAN link in area 0 and then configure some static routes to get around the problem:

• On Router D, a static route for 10.1.3.0/24 via Router C
• On Router C, a static route for 10.1.2.0/24 via Router D

This doesn't seem like a very scalable solution, though, and you are trying to build a network that will scale. You need another option. It's also possible to put the WAN link in area 1 and then build a virtual link across it so that it is in both area 0 and area 1; however, a virtual link shouldn't be used unless it's absolutely necessary. The only other option is to fix the network design. Either this is a bad place to put an area border, or there is something wrong with the design of this network's topology. This is the preferred option: Fix the physical network topology so this isn't a problem!
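The route selection behind this case study (route type decides before cost) can be checked with the following Python model, added here and not part of the book. The link costs are constructed, and the area each destination sits in is inferred from the text (10.1.2.0/24 in area 1, 10.1.3.0/24 in area 0).

```python
"""Added example (not from the book): OSPF path preference for the WAN-link case
study.  OSPF ranks routes by type first (intra-area, then inter-area, then
externals) and uses cost only among routes of the same type, so a one-hop
inter-area path loses to a long intra-area path.  Costs are constructed:
10 per LAN/WAN hop, 195 for the 512k link (10^8 / 512000, rounded down)."""
from dataclasses import dataclass

PREFERENCE = {"intra": 0, "inter": 1, "E1": 2, "E2": 3}


@dataclass
class Candidate:
    kind: str   # "intra", "inter", "E1" or "E2"
    cost: int   # constructed OSPF cost
    path: str   # hop list, for the reader


def best_route(candidates):
    """Lowest (type preference, cost) wins; cost never overrides type."""
    return min(candidates, key=lambda c: (PREFERENCE[c.kind], c.cost))


def kind_over_wan(wan_area, destination_area):
    """Crossing the WAN link is intra-area only if the link is in the destination's area."""
    return "intra" if wan_area == destination_area else "inter"


def chosen_paths(wan_area):
    """Paths Router C (to 10.1.2.0/24, area 1) and Router D (to 10.1.3.0/24, area 0)
    pick when the WAN link is placed in 'wan_area' (0 or 1)."""
    c_routes = [Candidate(kind_over_wan(wan_area, 1), 10, "C-D over WAN"),
                Candidate("intra", 10 + 195 + 10 + 10, "C-E-F-D via 512k")]
    d_routes = [Candidate(kind_over_wan(wan_area, 0), 10, "D-C over WAN"),
                Candidate("intra", 10 + 195 + 10 + 10, "D-B-A-C via 512k")]
    return best_route(c_routes).path, best_route(d_routes).path


if __name__ == "__main__":
    for area in (0, 1):
        c_path, d_path = chosen_paths(area)
        print(f"WAN link in area {area}: C uses {c_path}; D uses {d_path}")
```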

Case Study: Dial Backup

One of the problems you face when using dial backup in OSPF is where the router dials into versus where the area borders are. Figure 5-15 will be useful in seeing what the problems are and in considering some solutions.

Figure 5-15 Dial Backup in OSPF

You want Router F to dial up to some other router when Router E loses its connection to Router C. You can either dial into Router D, Router A, or Router B; but the question is which one? The immediate choice would be to configure Router F to dial into Router D if the remote segment loses all connectivity through Router E, but this still leaves a single point of failure at Router A. The single point of failure could be solved by moving the link between Routers D and A so that the link runs between Routers D and B instead, but this could cause routing problems and so forth in the network. So, you don't want to go with that solution. Dialing into Router A itself isn't going to solve the single point of failure problem, so the only other option is to dial into Router B. But this means that there will appear to be two area 100s connected to area 0—one through Router A, and the other through Router B. Is this legal? When an ABR begins building LSAs for area 0, it takes the routing information from each of its other areas and bundles them into summary LSAs (Type 3 LSAs, to be exact). The summary LSAs don't contain any area information. Therefore, the other routers on the core simply don't know what areas these destinations are in. The routers only know that to reach these destinations, the next hop is a given ABR. So, it is legal to have multiple areas with the same area ID attached to the same area 0, and to configure Router F to dial into Router B as a backup. The only other issue that remains is any possible summarization that might be taking place on Router A, the normal ABR for area 100. The trick here is not to just summarize off the dial-in link on Router B. Router B will then advertise specific routes to anything behind Router F, while Router A will continue to advertise the summaries it's configured for.

Case Study: OSPF Externals and the Next Hop

One of the more interesting aspects of OSPF's handling of external routes is the forwarding address. Looking at a show ip ospf database for an external site reveals the following:

router#sho ip ospf data extern
            OSPF Router with ID (130.30.4.9) (Process ID 3100)
                AS External Link States
  Routing Bit Set on this LSA
  LS Type: AS External Link
  Link State ID: 10.1.1.0 (External Network Number )
  Advertising Router: 130.30.0.193
  Network Mask: /24
        Metric Type: 2 (Larger than any link state path)
        Forward Address: 0.0.0.0

A few fields have been deleted from the preceding output to make it easier to see the fields that are important to the discussion at hand. The following three fields are particularly interesting:

• Routing Bit Set on this LSA—This means the route is valid and will be in the forwarding/routing table. The routing/forwarding table is what you see in a sh ip route.
• Advertising Router—This is the router ID of the router advertising this external destination.
• Forward Address—This is the address to forward traffic destined to this network.

The output reveals a forwarding address of 0.0.0.0; this means forwarded packets destined to this network are sent to the advertising router. For the routing bit to be set on this LSA, there must be a router LSA for the advertising router in the OSPF database. But the forwarding address could be different than the advertising router. See Figure 5-16 as an example.

Figure 5-16 Setting the Forwarding Address in an OSPF External Site

Here, Routers A and B are running OSPF, while B is learning some routes from other routers through RIP and redistributing them into OSPF. If you look at the external LSA for 172.30.0.0/16 on Router A, you will see the following:

A#sho ip ospf data extern
            OSPF Router with ID (130.30.4.9) (Process ID 3100)
                AS External Link States
  Routing Bit Set on this LSA
  LS Type: AS External Link
  Link State ID: 172.30.0.0 (External Network Number )
  Advertising Router: 10.1.1.1
  Network Mask: /16
        Metric Type: 2 (Larger than any link state path)
        Forward Address: 10.1.1.2

The Forward Address field now shows the address of Router C rather than 0.0.0.0. There are times when you will see this and the Routing Bit Set on this LSA field won't show up. This is because the forwarding address must be reachable as an internal OSPF LSA. For example, if Router B were redistributing the 10.1.1.0/24 network into OSPF as well as the RIP routes, then the next hop, 10.1.1.2, would be an external site. OSPF will never forward an external site through an external site. (This is a defense against routing loops.) Why does OSPF do this, anyway? Why not just use the router ID of the redistributing router all the time? Because in the preceding scenario, Router A could have an alternate path to 10.1.1.0/24, which is much better than the route through Router B.
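The installation rules this case study walks through (forward address 0.0.0.0 versus a next hop that must be internally reachable) are captured in the following Python check, added here and not taken from the book or from IOS. The LSAs and routes are constructed from the two database listings above; the "external through external" refusal is the loop defense the text describes.

```python
"""Added example (not from the book): the checks a router applies before it
installs an AS-external LSA, as the case study describes them.  A forward
address of 0.0.0.0 means 'send to the advertising router', which must have a
router LSA in the database.  A non-zero forward address must be reachable
through an internal (intra- or inter-area) route; if it is known only through
another external LSA, the route is not installed and 'Routing Bit Set on this
LSA' never appears.  LSAs and routes below are constructed from the listings
in the text."""
import ipaddress
from dataclasses import dataclass


@dataclass
class ExternalLsa:
    prefix: str              # Link State ID plus Network Mask
    advertising_router: str  # router ID of the redistributing router
    forward_address: str     # 0.0.0.0, or the next hop the ASBR learned


def covering_route(address, routes):
    """Longest prefix in 'routes' (a dict keyed by prefix) covering 'address', or None."""
    ip = ipaddress.ip_address(address)
    matches = [ipaddress.ip_network(p) for p in routes if ip in ipaddress.ip_network(p)]
    return str(max(matches, key=lambda n: n.prefixlen)) if matches else None


def routing_bit(lsa, router_lsa_ids, internal_routes, external_lsas):
    """Return (installed, reason).  internal_routes maps prefix -> 'intra' or 'inter';
    router_lsa_ids is the set of router IDs with a router LSA in the database."""
    if lsa.forward_address == "0.0.0.0":
        if lsa.advertising_router in router_lsa_ids:
            return True, f"forward to advertising router {lsa.advertising_router}"
        return False, f"no router LSA for advertising router {lsa.advertising_router}"
    hit = covering_route(lsa.forward_address, internal_routes)
    if hit:
        return True, (f"forward to {lsa.forward_address} via "
                      f"{internal_routes[hit]}-area route {hit}")
    # Not internally reachable: is the forward address itself only an external?
    others = {e.prefix: "external" for e in external_lsas if e is not lsa}
    ext = covering_route(lsa.forward_address, others)
    if ext:
        return False, (f"forward address {lsa.forward_address} is external ({ext}); "
                       "OSPF will not forward an external through an external")
    return False, f"forward address {lsa.forward_address} is unreachable"


if __name__ == "__main__":
    # First listing: 10.1.1.0/24, forward address 0.0.0.0, ASBR 130.30.0.193.
    first = ExternalLsa("10.1.1.0/24", "130.30.0.193", "0.0.0.0")
    print(routing_bit(first, {"130.30.0.193"}, {}, [first]))
    # Second listing: 172.30.0.0/16 learned via RIP, forward address 10.1.1.2.
    rip = ExternalLsa("172.30.0.0/16", "10.1.1.1", "10.1.1.2")
    print(routing_bit(rip, {"10.1.1.1"}, {"10.1.1.0/24": "intra"}, [rip]))
    # Router B also redistributes 10.1.1.0/24: the next hop is now external.
    link = ExternalLsa("10.1.1.0/24", "10.1.1.1", "0.0.0.0")
    print(routing_bit(rip, {"10.1.1.1"}, {}, [rip, link]))
```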

Review

1: What parameters must be matched for OSPF routers to become adjacent?
2: Is it ever normal for two OSPF routers to reach only a two-way state? When?
3: What is a good way to test for MTU mismatches?
4: Explain why having a router dial backup beyond the point of summarization is bad.
5: What options do you have with a remote dual-homed into two different areas?
6: Explain how you can end up throwing packets away if you summarize on Routers A and B in Figure 5-17 to 172.27.0.0/16.

Figure 5-17 Diagram for Review Question 6

7: Can you have multiple areas with the same area number?
8: What one issue must you design around when dealing with dial-in links?
9: Where are external LSAs flooded?
10: What type of SPF run is required when the state of external links changes?
11: How do you inject default routes into OSPF?
12: What does the always keyword do on the end of the default-information originate command?
13: What is the Forward Address in the OSPF database used for?
14: What is the difference between a totally stubby area and a stubby area?
15: Implement OSPF on the network you redesigned for review question 11 in Chapter 4, "Applying the Principles of Network Design." Place the ASBRs, deal with any design issues raised, and decide which areas can be stubbed.

Chapter 6. IS-IS Network Design

The Intermediate System-to-Intermediate System (IS-IS) protocol was originally designed to provide routing information for the Open Systems Interconnect (OSI) protocols. IS-IS is a link-state protocol in which Intermediate Systems (ISs), or routers, flood routing information to each other within hierarchical levels. So why would you want to consider IS-IS for routing in a large-scale IP network? In fact, I'm certain some people out there right now are thinking, "IS-IS—are you crazy? It's so hard to configure." On the contrary, IS-IS is used in very large-scale IP networks, primarily because of its flexible timers, fast convergence, and capability to handle instability in the IP routing domain very well. It's to IS-IS's advantage, in many cases, that it wasn't originally designed for routing IP, but rather, that it was adapted for IP routing by the Internet Engineering Task Force (IETF). The main advantage is that changes in IP routing information don't affect the core of its functionality, which is to provide Connectionless Network Service (CLNS) routing information. This chapter works through implementing IS-IS on the network built in Chapter 4, "Applying the Principles of Network Design," so that you can get a feel for the issues involved. There are plenty of case studies in this chapter that cover different aspects of IS-IS's operation, various design options and issues, and some troubleshooting tips.

Dividing the Network

The first question you must always ask when contending with a routing protocol that provides multiple levels of routing (such as OSPF and IS-IS) is: Where do I divide up the network? The answer to this question predetermines many other design problems and solutions, so you must answer it carefully. In IS-IS the network is divided up into areas, with level 1 (L1) routing taking place within the areas and level 2 (L2) routing taking place between the areas. L1 routers understand the topology of only the area they are within, whereas L2 routers know how to route packets traveling between these areas. (See Appendix B, "IS-IS Fundamentals," for more information on how IS-IS works.) The critical issue is where to put these boundaries between the L1 areas, or rather, where to place L2 routers in the network. The following are issues that you need to think about when deciding where to place area borders in the network:

• All L2 routers must form a contiguous core. In other words, two L2 routers cannot be separated by an L1 router someplace in the middle.
• IS-IS routers will not automatically repair a partitioned L2 area. If the contiguous group of L2 routers is split due to a network failure, there is no way to repair this break using L1 links. It's important to have enough redundancy between all L2 routers so that a single link failure will not cause a partitioned L2 area.
• IP network summarization can occur only on L2 routers. Therefore, you need to make certain that L2 routers are placed where summarization will take place.

Given these issues, you need to look at the individual cases in the network and think through where it would be best to place the L2 routers. Figure 6-1 removes some of the detail to make these issues easier to examine.

Figure 6-1 The Network

Start your examination of the network division by assuming all routers in the core are going to be L2 routers.

Analyzing Routers in the Distribution Layer

The first section of the network to look at is the largest section of routers outside the core—the routers in the distribution layer between the core and the remotes. Should these routers participate in L2 routing along with the core? This section examines the issues surrounding this question, including summarization, area size, and routing efficiency.

Configuring the Distribution Layer Routers as L1 Routers

Summarization and eventual area size are two of the main issues to consider when you put these routers in their own areas as only L1 routers. With regard to summarization (because only L2 routers can summarize IP subnets), the decision not to run L2 routing out to these distribution layer routers means summarization must take place on the core routers, which is contrary to the core's design goals. With regard to area size, if any distribution layer router eventually has a large number of remote sites attached to it, too many routers could end up being in a single area, making administration and general care and feeding of the network more difficult.

Configuring the Distribution Layer Routers as L2 Routers

However, you might decide to configure these distribution layer routers as part of the L2 core area. There are also some factors to consider here. With regard to summarization, because the distribution layer routers are running L2 routing, they can summarize toward the core, which is good. This doesn't preclude summarization at the edge of the core (because the core routers are running L2 routing as well), but it lightens the load on these routers in any case. The disadvantage of this approach is the possibility for traffic from one remote site to another to be routed suboptimally. Consider, for example, the small piece of the network illustrated in Figure 6-2.

Figure 6-2 Suboptimal Routing with Distribution Layer Routers in the Core

Assume Router A chooses Router D as its nearest L2 router, and Router C chooses Router B as its nearest L2 router. Because all L1 routers choose the nearest L2 router to exit their area and pass all traffic through that L2 router, Router A ends up using the rather long path through Router E to reach 172.16.66.0/24, even though there is a path through its other link. If traffic flow between remote sites is common, suboptimal routing argues strongly for the distribution layer routers to run L1 routing only. If the number of distribution layer routers grows large and you run L2 routing down to the distribution layer, it could result in a larger number of routers running both L1 and L2 routing. Because you want to reduce the number of routers running both L1 and L2 routing, this is something you should be concerned with.

Distribution Layer Routers: L1 or L2?

There isn't any real way to make a final decision about whether to configure distribution layer routers as L1 or L2 without knowing more about the growth plans and traffic patterns on this network. The three key things you need to know to make this decision are as follows:

• How much traffic will flow between the remote sites, and how important is it that routing between the remote sites be optimized?
• How many remote routers will eventually attach to a given distribution layer router?
• How many distribution layer routers will there eventually be?

Given that you don't know the answer to these questions, the best option is to reduce the number of routers running L1 and L2 routing and only run L1 routing on these distribution layer routers. It's important to note that doing this results in summarizing IP subnets on the core routers, which was previously stated as something that shouldn't be done. Remember, however, that network design is a series of tradeoffs; it's important to know the rules and when it's okay to break them. Remember that the final goal isn't to simply follow the rules of good hierarchical network design, but to provide the most stability you can within the constraints of network size, traffic patterns, and other factors.

Analyzing Routers in the Common Services Area

The next part of the network to look at is where the two routers connect the core of the network to the common services. You can run either L2 or L1 routing on these routers. Figure 6-3 removes some of the detail from the network illustration in Figure 6-1 to cut the problem down to size.

Figure 6-3 Routers Connecting the Network Core to the Common Services

There are three primary issues to consider here—a subset of those that you considered when looking at what to do with the distribution layer routers:

• Summarization—If these two routers are running as L1 routers only, then any summarization must be done on the core routers.
• Suboptimal routing—If these two routers only run L1 routing, they will choose one exit point from their area. No matter which core router they choose as their exit point, they will sometimes use suboptimal paths over the network core to reach some destinations.
• Number of routers running L2 routing—If these routers run L2 routing, it will increase the number of routers in the network running both L1 and L2 routing.

Consider t he t r adeoffs. I f opt im al r out ing is im por t ant ( w hich seem s t o be t he case for r out er s connect ing t he cor e t o a set of com m on ser v ices) , t hen it 's pr obably im por t ant t o r un L2 r out ing on t hese r out er s. I n fact , any t im e t here ar e m ult iple connect ions t o t he cor e ( as is t he case in bot h of t hese sit uat ions) , y ou w ill hav e t hese t r adeoffs and consider at ions. How ev er , t he answ er m ay not be t he sam e in every sit uat ion. Subopt im al rout ing is not such an issue if t he second link is pur ely used for r edundancy; how ever , if t he second link is t o load- shar e w it h t he fir st link, subopt im al r out ing can be a pr oblem . For t he sak e of ar gum ent , assum e t hat t her e ar e business fact or s in t his net w or k w hich st at e t hat t he subopt im al r out ing isn't accept able. So, t hese r out er s ar e r un as par t of t he L2 cor e.

136

An a ly z in g Rou t e r s on t h e D M Z for Ex t e r n a l Con n e ct ion s The decision of w het her t he r out er s on t he DeMilit ar ized Zone ( DMZ) should only r un L1 r out ing or par t icipat e in L2 r out ing depends on t he m echanics of adv er t ising t hese ex t er nal net w or k s int o t he cor e. I f t he only connect ions t o ext er nal net w or ks w er e t hr ough t his DMZ, it w ould be r elat iv ely sim ple t o adv er t ise a single default r out e int o t he cor e; how ev er , t her e is a back up I nt er net connect ion ov er on t he ot her side of t he net w or k . To get a bet t er handle on t his, r efer t o Figure 6- 4.

Figure 6-4 External Connections

To optimize this portion of the network, you need to be able to do the following:
• Advertise a default route from the router that connects to the Internet, unless this connection to the Internet is down.
• Advertise a default route from the router with the backup connection to the Internet when necessary.
• Advertise a minimal number of external routes for the partner networks.

Because summarization can only occur on L2 routers, you can either run the routers on the DMZ as L1 routers and let the core router attached to the DMZ do the summarization, or you can run all of these routers as L2 routers and let them do their own summarization. Because the preference for this network is to avoid summarization in the core, these routers are run in L2, with the understanding that this decision may need to change if a large number of routers end up connected to the DMZ in the future.


Each router that connects to a partner will advertise the routes available through that partner, and the router that connects to the Internet will advertise a default route. To advertise a default route in IS-IS, you generally don't redistribute a static route to 0.0.0.0/0; instead, you configure default-information originate under the IS-IS routing process. There is one problem with this approach on the Internet router: how does it know when to stop advertising its default route and allow the alternate connection to take over? IS-IS handles this by letting you advertise the default route conditionally. Consider the following configuration for the Internet router:

route-map advertise-default permit 10
 match ip address 10
!
access-list 10 permit 192.168.200.192 0.0.0.3
!
router isis
 default-information originate route-map advertise-default

The Internet router will advertise the default route only if the 192.168.200.192/30 route is in its IS-IS database. Note that this means you must run IS-IS on this link, even though you probably aren't going to run IS-IS with the service provider. Verify the behavior from the inside by watching the 0.0.0.0/0 entry on a core router while the Internet link is taken down: if the tracked prefix is still present on the Internet router through some other path (a static route, for example), the route map keeps matching and the default never goes away.

An Alternate Internet Connection Backup Solution
An alternate solution is to move the backup Internet connection so that it's behind the router connecting the DMZ to the network core. Figure 6-5 illustrates this link move.

Figure 6-5 Moving the Alternate Internet Connection onto the DMZ


With this alternate connection moved, you can reconsider whether to make the routers on the DMZ L1 only or L2. Because all external connectivity will now pass through this single core router, there is no reason to leak specific information on the partners' networks into the L2 core. Instead, the router between the core and the DMZ can advertise a single default route to provide reachability to all of these networks using a simple default-information originate. This illustrates an important point about network design: it's very common to see dial backups and redundant links placed on the wrong side of summarization points in a network. It's generally possible to get these types of designs to work, but it's never optimal, and it generally contributes to network instability.

Analyzing Routers on the DMZ for Dial-In Clients
Should the access server that dial-in clients connect to be configured to route L1 or L2? One important thing to remember about access servers is that they automatically generate a host route (32-bit mask) for each dial-in session they accept. You certainly don't want these host routes floating around in the network, causing reconvergence each time a client connects or disconnects. You need to make certain these host routes are either not advertised into IS-IS or are summarized down to a single route. So once again, you need to decide whether the core router or the access server itself should summarize these host routes. It would seem harmless enough to let the core router do the summarization, if it weren't for the dial backup link between the access server and a second core router. Unless you want to configure (and maintain) the summarization on both of these core routers, it's best to place the access server in the L2 domain.


The Final IS-IS Network Design
Working out which routers will be L1 and L2 accomplishes most of the design work for this network. The only remaining things to define are the area borders and summarization. Use Figure 6-6 to work through these final issues.

Figure 6-6 Final IS-IS Network Design

The routers that are lighter gray will be running L1 routing only. This breaks the network up into the areas labeled 47.0001 through 47.0006. For summarization, you have:
• 47.0001: Both L2 routers will summarize to 172.16.0.0/21 into the core.
• 47.0002: Both L2 routers connected to the server farm will advertise summaries for 172.16.10.0/22 and any individual 172.16.21.x links.
• 47.0003: The L2 router bordering the DMZ area will advertise a 0.0.0.0/0 default route.
• 47.0004: Advertises 172.16.24.0/21, 172.16.32.0/19, 172.16.64.0/19, and any individual 172.16.21.x networks.
• 47.0005: Advertises 172.16.96.0/21, 172.17.0.0/19, and any individual 172.16.21.x networks.
• 47.0006: Advertises 172.16.22.0/24 through a summary address.
Before configuring these, check that every summary address is aligned to its mask and that no two areas claim the same prefix. As written, 172.16.10.0/22 is not aligned (the /22 that contains it starts at 172.16.8.0), so the real server farm block needs to be confirmed against the addressing plan before the summary-address statements are typed in.

Other Factors in IS-IS Scaling
There are at least four protocol structure factors to consider when working with IS-IS: link-state flooding, the pseudonode limit, the possibility of overrunning the IS-IS database on a given router, and metrics.

Link State Flooding
One of the major factors to consider with any link-state protocol is the amount of flooding that occurs, since excessive flooding drives up CPU utilization and memory usage. IS-IS in an IP network has an immediate advantage because it treats all IP reachability information as leaf nodes in the shortest path tree. Because of this, any change in IP reachability information is always only a partial shortest path first (SPF) run: the leaf nodes of the tree are recalculated, but the remainder of the tree (which represents CLNS reachability) is left alone. It's easiest to think of this as if there are actually two sections in the SPF tree (although there aren't). The primary part of the SPF tree contains information on the reachability of other routers in the area, whereas the rest of the tree contains information on the reachability of IP destinations within the network. When the reachability of any IP network changes, only the smaller part of the table needs to be changed. Of course, any time an internal link (between routers) fails, or a router fails, a full SPF run must take place within that area.

Another issue with link-state protocols is the aging of the database. Each link-state packet (LSP) carries a remaining lifetime, and the originating router must reflood it before it expires; on Cisco routers the defaults are a maximum lifetime of 1200 seconds (20 minutes) and a refresh every 900 seconds (15 minutes). Refreshing a large database on every router in the network at that rate can spell trouble for memory and processor utilization. Fortunately, the aging timers are adjustable. You can set the maximum age for LSPs using the max-lsp-lifetime command, and the rate at which LSPs are refreshed using the lsp-refresh-interval command (and it's probably a good idea to do so on larger networks). Keep the refresh interval shorter than the lifetime, or LSPs will expire and be purged from every database before their originator refreshes them.

LSP Corruption
It is possible, on certain types of links, for packet contents to be corrupted without the data link layer error detection fields showing it. For example, a switch that translates from Token Ring or FDDI to Ethernet, like the one illustrated in Figure 6-7, could easily corrupt data. But because the Layer 2 CRC must be regenerated when the packet is rebuilt in the new format, the corruption goes unnoticed at Layer 2.


Figure 6-7 LSP Corruption

If Router A generates an LSP and multicasts it toward Router B on the Ethernet, the switch (during the translation to Token Ring) can corrupt the packet. When the packet reaches Router B, it passes the Layer 2 checks in the router and is handed to IS-IS for processing. When the IS-IS process on Router B discovers that the information in the packet is corrupted (by checking the Layer 3 checksum), it sets the LSP's remaining lifetime field to 0 and refloods the packet to purge the bad information from the network. Router A sees this purge of an LSP it originated, generates a new copy of the LSP, and floods it again to make certain other routers on the network have current information on its links. If the switch corrupts the packet again, the entire process repeats itself, possibly causing an LSP reflood storm in the network.

The obvious answer to this problem is to fix the switch, but sometimes it's not that easy. While you're fixing the switch, Routers A and B are flooding this LSP back and forth, causing other problems on your network. You can turn off the reflooding part of this problem on Router B by configuring the router to ignore LSPs with invalid checksums rather than attempting to flush them from the network. The command to configure this behavior, under the IS-IS routing process, is ignore-lsp-errors. When would you want to turn off error checking for LSPs? Generally, you wouldn't, but it might be useful when you are receiving a lot of errors, tracking these errors through some other means, and want to restore some stability to your network. Be clear about what you give up: while the command is in effect, Router B quietly drops every corrupted copy of that LSP and keeps routing on whatever it last installed for Router A's links, so it may be working from stale information until a clean copy arrives. Treat it as a temporary measure, not a permanent setting.
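To make the purge loop concrete, here is a small Python model of the exchange described above. It is an added example, not code from the book. The LSP layout is simplified (an 8-byte LSP ID, a 4-byte sequence number, the 2-byte checksum, and one constructed IP reachability TLV), the checksum is the ISO 8473 Fletcher checksum that IS-IS uses, placed with the RFC 1008 formulas, and the translating switch is modeled as flipping one bit in the payload while regenerating the Layer 2 CRC. The system ID 1789.6800.4513 is taken from the show isis database output in this chapter; the TLV contents are assumed.

```python
# Added example: model of the LSP corruption / purge storm scenario.
# Simplified LSP body layout (offsets): 0..7 LSP ID, 8..11 sequence number,
# 12..13 checksum, 14.. TLVs. Real IS-IS computes the checksum from the LSP ID
# to the end of the PDU, which is what this body covers.
CK_OFF = 12


def fletcher_place(pdu: bytes, n: int) -> bytes:
    """Return pdu with the ISO 8473 Fletcher checksum written at offsets n, n+1.

    Computed with the checksum bytes zeroed, then X and Y are chosen (RFC 1008)
    so that a receiver summing the whole PDU gets C0 == C1 == 0.
    """
    buf = bytearray(pdu)
    buf[n] = buf[n + 1] = 0
    c0 = c1 = 0
    for b in buf:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    length, pos = len(buf), n + 1          # pos is 1-based, as in RFC 1008
    x = (-c1 + (length - pos) * c0) % 255
    y = (c1 - (length - pos + 1) * c0) % 255
    buf[n], buf[n + 1] = (x or 255), (y or 255)   # 0 would mean "not checked"
    return bytes(buf)


def fletcher_ok(pdu: bytes) -> bool:
    """Receiver-side check: both running sums over the whole PDU must be zero."""
    c0 = c1 = 0
    for b in pdu:
        c0 = (c0 + b) % 255
        c1 = (c1 + c0) % 255
    return c0 == 0 and c1 == 0


def build_lsp(seq: int) -> bytes:
    """Router A's LSP for a given sequence number (constructed contents)."""
    lsp_id = bytes.fromhex("1789680045130000")   # system ID, pseudonode 00, fragment 00
    # IP internal reachability TLV (type 128): default metric 10, unsupported
    # delay/expense/error metrics, then prefix 172.16.8.0 mask 255.255.248.0.
    tlv = bytes([128, 12, 10, 0x80, 0x80, 0x80, 172, 16, 8, 0, 255, 255, 248, 0])
    body = lsp_id + seq.to_bytes(4, "big") + b"\x00\x00" + tlv
    return fletcher_place(body, CK_OFF)


def corrupt(pdu: bytes) -> bytes:
    """The switch flips one bit in the payload; the Layer 2 CRC is regenerated
    afterwards, so only the Layer 3 checksum can catch this."""
    buf = bytearray(pdu)
    buf[-1] ^= 0x01
    return bytes(buf)


def simulate(switch_corrupts: bool, ignore_lsp_errors: bool, max_rounds: int = 10) -> dict:
    """Router A originates, Router B validates.

    Without ignore-lsp-errors, B purges the bad LSP (lifetime 0), A sees its
    own LSP purged and re-originates it with a higher sequence number, and the
    loop repeats as long as the switch keeps corrupting the packet.
    """
    seq, purges = 1, 0
    for rnd in range(1, max_rounds + 1):
        wire = build_lsp(seq)
        if switch_corrupts:
            wire = corrupt(wire)
        if fletcher_ok(wire):
            return {"installed_seq": seq, "purges": purges, "rounds": rnd}
        if ignore_lsp_errors:
            # B drops the LSP silently: no purge, no re-origination, but also
            # nothing new installed for Router A's links.
            return {"installed_seq": None, "purges": purges, "rounds": rnd}
        purges += 1            # B floods a purge; A answers with seq + 1
        seq += 1
    return {"installed_seq": None, "purges": purges, "rounds": max_rounds}
```

Running simulate(True, False) drives the purge count to the round cap, which is the storm; simulate(True, True) ends after a single round with nothing installed, which is the stale-information trade-off described above.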

Maximum Number of Pseudonodes
There is a hard limit of 255 pseudonodes. The pseudonode ID is a single byte in the LSP ID, with 0 reserved for the router's own LSP, so a router can originate at most 255 pseudonode LSPs. Because that byte is scoped by the system ID of the router originating it, the limit applies per designated router rather than strictly per area, but it still bounds how many multi-access networks you should place in one area.


Overflowing the Database
It is possible (but a very rare condition) to overflow the LSP database on a router when trying to put a large number of routes on a small router. If this happens, the overloaded router sets the overload bit in its LSPs. A router advertising LSPs with the overload bit set is indicating that it doesn't have a complete database. To prevent loops, other routers still use the prefixes this router advertises directly, but they will not rely on paths that must transit it. The overload bit can be seen in the IS-IS database, in the OL position of the ATT/P/OL column:

Rtr-A> show isis database
IS-IS Level-1 Link State Database
LSPID                  LSP Seq Num  LSP Checksum  LSP Holdtime  ATT/P/OL
1789.6800.A49C.00-00   0x00000006   0x4D70        748           1/0/1 (4)
1789.6800.4513.00-00*  0x00000002   0x356F        541           0/0/0 (1)
1789.6800.6CA5.01-00*  0x00000001   0x50E4        220           0/0/0 (2)

Metrics
In IS-IS, internal metrics fall between 0 and 63, whereas external routes fall between 64 and 127; with these original (narrow) metrics an interface cost is six bits wide, and the total metric of a path cannot exceed 1023. These small ranges improve the efficiency of the SPF calculations, but they leave little room to maneuver when assigning metrics to links in your network for optimum routing. The default interface cost in IS-IS is 10; in larger-scale networks, it's obvious that this default metric won't leave you much in the way of number of hops possible. You'll need to spend some serious time thinking about what costs to assign to various interfaces when implementing IS-IS so that you don't find yourself in a position where the total hop count through the network is severely limited. This is a very important consideration when designing large-scale IS-IS networks. (Later IOS releases add wide metrics, enabled with metric-style wide, which remove this ceiling; when every router in the domain supports them, that is the cleaner fix.)
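The metric ceiling is easy to check before deployment rather than after a remote site becomes unreachable. The following Python check is an added example, not from the book: it runs SPF (Dijkstra) over a planned topology with its proposed interface costs, flags any interface cost above 63, and reports the largest shortest-path metric in the network against the 1023 path ceiling. The three-tier topology and its costs are constructed for illustration.

```python
# Added example: narrow-metric budget check for a planned IS-IS topology.
import heapq
from typing import Dict, List, Tuple

NARROW_INTERFACE_MAX = 63    # 6-bit interface metric
NARROW_PATH_MAX = 1023       # 10-bit total path metric

Graph = Dict[str, Dict[str, int]]   # router -> {neighbor: interface cost}

# Constructed three-tier topology with hypothetical costs (not from the book).
TOPOLOGY: Graph = {
    "core1": {"core2": 1, "dist1": 10},
    "core2": {"core1": 1, "dist2": 10},
    "dist1": {"core1": 10, "acc1": 40},
    "dist2": {"core2": 10, "acc2": 40},
    "acc1": {"dist1": 40},
    "acc2": {"dist2": 40},
}


def make_chain(n: int, cost: int) -> Graph:
    """Constructed topology: n routers in a line, every link at the same cost."""
    names = [f"r{i}" for i in range(n)]
    graph: Graph = {name: {} for name in names}
    for a, b in zip(names, names[1:]):
        graph[a][b] = graph[b][a] = cost
    return graph


def dijkstra(graph: Graph, src: str) -> Dict[str, int]:
    """Shortest-path metric from src to every reachable router (what SPF computes)."""
    dist = {src: 0}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost in graph[u].items():
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist


def check_metrics(graph: Graph) -> Tuple[List[Tuple[str, str, int]], int, Tuple[str, str]]:
    """Return (interfaces costed above 63, largest shortest-path metric, the pair that has it)."""
    bad = [(u, v, c) for u in graph for v, c in graph[u].items() if c > NARROW_INTERFACE_MAX]
    diameter, worst = 0, ("", "")
    for src in graph:
        for dst, d in dijkstra(graph, src).items():
            if d > diameter:
                diameter, worst = d, (src, dst)
    return bad, diameter, worst


def fits_narrow(graph: Graph) -> bool:
    """True when every interface cost and every end-to-end path fit narrow metrics."""
    bad, diameter, _ = check_metrics(graph)
    return not bad and diameter <= NARROW_PATH_MAX
```

A chain of 18 routers at the maximum interface cost of 63 has an end-to-end metric of 1071 and fails the check, while the same chain at the default cost of 10 passes with room to spare; that is the hop-count budget the text is warning about.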

Troubleshooting IS-IS Neighbor Relationships
There are two common cases where IS-IS will not form neighbor adjacencies correctly. The first is misconfigured NSAPs. For example, Router C has just been attached to the network in Figure 6-8, and it isn't forming L1 adjacencies with Routers A and B as expected.

Figure 6-8 IS-IS Neighbors in Different Areas


On Router A, you see the following:

A#sh clns nei
System Id  SNPA            Interface  State  Holdtime  Type  Protocol
B          00C0.174A.08FD  Et0        Up     27        L1    IS-IS
C          00C0.0c76.f096  Et0        Up     26        L2    IS-IS

It's easy to see from this output that Router A has formed an L1 adjacency with Router B and an L2 adjacency with Router C. This means Router C must have been misconfigured with an incorrect network service access point (NSAP); the area ID is probably wrong. (An L2 adjacency forms between routers in different areas, but an L1 adjacency requires the same area, which is why the symptom is an L2-only adjacency rather than no adjacency at all.) Another instance where IS-IS routers will not form a neighbor adjacency is if you are running integrated IS-IS across a point-to-point link and the IP addresses on the interfaces the routers are connected through aren't on the same subnet. For an example of this, look at Figure 6-9.

Figure 6-9 IS-IS Neighbors in Different Subnets

When you look at Router A's CLNS neighbors, you see the following:

A#show clns neighbor
System Id       Interface  SNPA    State  Holdtime  Type  Protocol
00C0.1465.A460  Se0        *HDLC*  Up     297       IS    ES-IS

Note that the protocol is ES-IS rather than IS-IS; you would expect an IS-IS adjacency between these two neighbors. Because they are only ES-IS neighbors, they will not exchange routing information. Comparing the IP addresses of the interfaces on the two routers shows what is wrong:

A#show ip interface brief
Interface   IP-Address   OK?  Method  Status  Protocol
….
Serial0     172.19.2.1   YES  manual  up      up
….

Serial0 on this router is configured as part of the 172.19.2.0/24 subnet.

A#show cdp neighbor detail
….
Device ID: rp-2501-13a
Entry address(es):
  IP address: 172.19.1.2
  CLNS address: 47.0001.00c0.1465.a460.00
Platform: cisco 2500,  Capabilities: Router
Interface: Serial0,  Port ID (outgoing port): Serial0


Serial0 on the other router is configured as part of the 172.19.1.0/24 subnet. Let's change the subnet that Router A's Serial0 interface is in to see if it resolves the problem.

A#config t
Enter configuration commands, one per line.  End with CNTL/Z.
A(config)#int s0
A(config-if)#ip address 172.19.1.1 255.255.255.0
A(config-if)#end
A#show clns neighbor
System Id       Interface  SNPA    State  Holdtime  Type  Protocol
00C0.1465.A460  Se0        *HDLC*  Up     22        L1L2  IS-IS

Now these two routers have correctly formed an IS-IS neighbor relationship, and they will exchange routes. Note that they are forming both an L1 and an L2 adjacency; this is the default for Cisco routers running IS-IS.
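Both failure modes in this section follow fixed rules, so they can be checked from the intended configuration before anyone logs in to the routers. The following Python function is an added example, not from the book: given both ends of a link (interface address with mask, NSAP, and configured IS-IS level), it reports the adjacency you should expect and why, using the rules shown above (integrated IS-IS on IOS needs matching IP subnets or only ES-IS forms; an L1 adjacency needs the same area; an L2 adjacency forms across areas). The NSAP 47.0001.00c0.1465.a460.00 is the one from the show cdp neighbor detail output; the other addresses and NSAPs are constructed.

```python
# Added example: predict the IS-IS adjacency between two ends of a link.
import ipaddress
from dataclasses import dataclass


@dataclass
class IsisEnd:
    router: str
    ip: str                 # interface address with mask, e.g. "172.19.2.1/24"
    nsap: str               # e.g. "47.0001.00c0.1465.a460.00"
    level: str = "L1L2"     # Cisco default is-type; "L1" or "L2" for level-1 / level-2-only


def area_of(nsap: str) -> str:
    """Area address: everything before the 6-byte system ID (three groups) and the NSEL."""
    return ".".join(nsap.lower().split(".")[:-4])


def diagnose(a: IsisEnd, b: IsisEnd) -> dict:
    """Return the adjacency these ends should form ('ES-IS', 'L1', 'L2', 'L1L2' or 'none')."""
    net_a = ipaddress.ip_interface(a.ip).network
    net_b = ipaddress.ip_interface(b.ip).network
    if net_a != net_b:
        # What the show clns neighbor output above looks like: Protocol ES-IS.
        return {"adjacency": "ES-IS", "reason": f"subnets differ: {net_a} vs {net_b}"}
    area_a, area_b = area_of(a.nsap), area_of(b.nsap)
    l1 = area_a == area_b and "L1" in a.level and "L1" in b.level
    l2 = "L2" in a.level and "L2" in b.level
    adj = {(True, True): "L1L2", (True, False): "L1", (False, True): "L2"}.get((l1, l2), "none")
    reason = "same area" if area_a == area_b else f"areas differ: {area_a} vs {area_b}"
    if adj == "none":
        reason += ", and no level in common"
    return {"adjacency": adj, "reason": reason}


# Constructed ends for Figures 6-8 and 6-9 (system IDs other than B's are assumed).
A_WRONG = IsisEnd("A", "172.19.2.1/24", "47.0001.0000.0000.000a.00")   # wrong subnet
A_FIXED = IsisEnd("A", "172.19.1.1/24", "47.0001.0000.0000.000a.00")
B_PEER = IsisEnd("B", "172.19.1.2/24", "47.0001.00c0.1465.a460.00")
C_AREA2 = IsisEnd("C", "172.19.1.3/24", "47.0002.0000.0000.000c.00")   # area typo
```

diagnose(A_WRONG, B_PEER) reproduces the ES-IS-only symptom, diagnose(A_FIXED, B_PEER) the L1L2 adjacency after the address change, and diagnose(A_FIXED, C_AREA2) the L2-only adjacency that gave away Router C's wrong area.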

Case Study: The Single Area Option
It is possible to put this entire network in a single IS-IS area using L2 routing only. The advantage is that all routing in the network is optimal. The disadvantage is that you can't summarize anywhere in the network. There are three primary areas you need to consider when choosing the single area option: the HQ VLANs and the common services areas (which have a large number of parallel links with hosts connected to them), and the dial-in clients, or any similar area where the topology changes regularly.

HQ VLANs and Common Services Areas
The biggest issue with the HQ VLANs and common services areas is the multiple parallel LANs/VLANs. You don't want these paths to become transit paths in case of some other failure in the network, because hosts and through traffic generally don't mix well. There are two options: install a summary static route and redistribute it into IS-IS, or just inject the individual routes represented by these parallel links into IS-IS through redistribute connected or some other means. Using a summary static route is a simple strategy. For example, the two routers connected to the server farm could each have a single static route:

ip route 172.16.10.0 255.255.248.0 null0


This single static route can then be redistributed into IS-IS. The rest of the network will only know about the summary, reachable through one of these two routers. (Note that the mask in the command, 255.255.248.0, is a /21, while the server farm is described elsewhere as 172.16.10.0/22; use whichever actually covers the server farm subnets, and make sure the address is aligned to the mask, since 172.16.10.0 is not on a /21 or /22 boundary.) Each of these routers will know about the specific subnets (because they are directly attached) and choose the longer-prefix (directly connected) routes to actually forward packets. The main problem with this idea is that if one of these two routers loses its connection to just one of these parallel LANs, the router will begin sending packets destined to that LAN to null0, black-holing them. Unfortunately, there isn't much of a way around this. It's just a risk that must be considered if this method is used. Using redistribute connected causes each LAN's addresses to be injected into the entire routing domain, so this is less of an issue.

Dial-Up Clients Area
The problem with the dial-up clients is the constant flapping of these dial-up links. Each time a customer dials in or drops a dial-in session, the resulting topology change would need to be flooded to the entire network. Once again, static routes come to the rescue. Instead of advertising these dial-up links, it's best to simply put a static route to null0 in the terminal server and redistribute this static route, which in this case is

ip route 172.16.22.0 255.255.255.0 null0

Although the terminal server will only be advertising this single route, when a packet for one of these dial-up clients reaches this router, it will have a more specific (host) route in its table. Because longest prefix match always wins, the router will use the host route installed by the dial-up process rather than sending the packet to null0. Traffic for an address in the block with no active session matches only the null0 route and is discarded at the terminal server, which is exactly what you want.

Case Study: The Two-Layer Network
If all the access points in a network connect to the same physical location (one building, for instance), it's possible to collapse the core and distribution layers onto a single network (or a set of parallel high-speed LANs), producing a design something like that shown in Figure 6-10.

Figure 6-10 A Two-Layer Network


Essentially, this type of network collapses the core and distribution layer into one set of routers, or one area, within the design. Deciding where to place the L1/L2 border in this type of network is much easier because there is such a natural break between the distribution layer and the network core. Figure 6-11 illustrates this.

Figure 6-11 Dividing the Two-Layer Network


The bottleneck in this design will eventually be the parallel Ethernet links in the core of the network, or the router interfaces on that network. With high enough traffic rates, the parallel Ethernet links will become oversubscribed, or the routers may run into problems buffering packets between the higher-speed links in the core and the lower-speed links connecting to the remote sites. Going to Gigabit Ethernet, or other high-speed technologies, will probably resolve the oversubscription problem in the core for most networks to some degree, but adding more parallel links to the two already shown isn't an option. Why? Because each link added represents a new path through the network from the common services to the remote sites, and you run up against the problems with convergence and routing table sizes encountered in Chapter 3, "Redundancy." Increasing the speed of the links in the network core doesn't help the buffering problems in the routers connected between the core and the access layer; if anything, it could make this problem worse. Some form of standard full-mesh point-to-point links could be substituted in the core, but this is worse than the broadcast links currently shown: you lose IS-IS's capability to handle broadcast networks through the pseudonode process, and every router then has to maintain and flood an adjacency to every other router in the mesh.

Review

1: What protocol was IS-IS originally designed to provide routing information for?
2: Where can summarization take place in IS-IS?
3: How many levels of routing are there in an IS-IS network?
4: How many pseudonodes are allowed in an IS-IS area?
5: Is it possible to overflow the LSP database on a router? What are the indications that this is occurring?
6: What is the range of internal metrics in IS-IS? What is the range of external metrics in IS-IS? Why is this a problem in a large-scale network?
7: Why isn't it good to have a dial backup dial in to a router behind a summarization point for the networks behind the dial backup router?
8: Will routers in different areas form L1 neighbor adjacencies?
9: Should you just let all the routers in your network run both L1 and L2 routing?
10: Will IS-IS automatically repair a partitioned L2 routing domain?
11: Will routers running integrated IS-IS, which are in the same area but different IP subnets, form an adjacency? What could you look at, and what would you see to determine this is happening?
12: Must all L2 routers form one contiguous group of routers?
13: How often does IS-IS flood link-state packets? Is this adjustable?
14: How do you advertise a default route in IS-IS?
15: How do you configure a router so that a default route is advertised only under some conditions?
16: What is the effect of an LSP that is corrupted at the data link layer, but the error correction codes are correct?
17: Implement IS-IS on the network you corrected from the Chapter 4 review, explaining all design tradeoffs and decisions.


Chapter 7. EIGRP Network Design
The previous two chapters looked at implementing two different link-state protocols, Open Shortest Path First (OSPF) and Intermediate System-to-Intermediate System (IS-IS), on the network in Figure 7-1, which was originally presented in Chapter 4, "Applying the Principles of Network Design," as Figure 4-10. This chapter follows suit by taking a look at implementing Cisco's advanced distance vector protocol, Enhanced Interior Gateway Routing Protocol (EIGRP).

Figure 7-1 Large Scale Network


For more information on how EIGRP functions, refer to Appendix C, "EIGRP Fundamentals." EIGRP has numerous advantages over its link-state counterparts, but it also has limitations and behaviors that a network designer must understand to successfully implement a scalable EIGRP network. This chapter describes some of these behaviors and provides techniques that network designers can use to improve the performance and scalability of EIGRP networks. This chapter helps you do the following:
• Analyze summarization at the core, distribution layer, and access layer of an EIGRP network
• Analyze the best way to deal with external connections, common services, and dial-in clients
• Explore case studies on summarization methods, query propagation, excessive redundancy, troubleshooting common problems, and redistribution issues

Analyzing the Network Core for Summarization
The network core in EIGRP has similar requirements to those presented by OSPF and IS-IS. Adequate redundancy and bandwidth must be provided in the core in order to provide rapid, reliable delivery of packets presented to it from the distribution layer and destined to common resources or other distribution layer routers. The core should present as little impediment to the delivery of packets as geographic distances and budgets allow. Network designs are much more scalable if it doesn't matter where a packet enters the core from the distribution layer. The core should appear to be a fast cloud that the distribution layer uses to reach common resources and other distribution layer routers. If the network core meets these criteria, then summarization can be performed at the core, and you will see significant benefits. The following sections discuss the best ways in which summarization can be implemented at the network core to provide maximum stability and resiliency. These methods include summarizing from the network core to the distribution layer and summarizing within the core itself.

Summarizing from the Core to the Distribution Layer
Chapter 2, "Addressing & Summarization," explained that maximum stability and scalability occur when maximum summarization is performed. If your network core topology is robust enough to present a minimum of delay to transit packets, you are free to summarize to the fullest from the core to the distribution layer. In our example network, shown in Figure 7-1, maximum summarization can be performed because of the core's designed bandwidth and redundancy. You can put summarization statements on the serial links connecting the core to the distribution layer, presenting either only the two major network routes (172.16.0.0/16 and 172.17.0.0/16) or just the default route (0.0.0.0/0) to the distribution layer, as shown in Figure 7-2. Refer to "Case Study: Summarization Methods," later in this chapter, for an explanation of the different ways summarization can be performed in an EIGRP network.


Figure 7-2 Summarizing Outbound from the Core

Minimizing the updates sent to the distribution layer routers from the core greatly reduces the query range and simplifies the process of bringing up neighbors across these critical links in the network. Refer to "Case Study: Controlling Query Propagation," later in this chapter, for details on how important it is to limit the reach of queries in an EIGRP network. One possible negative side effect of summarizing from the network core to the distribution layer is that if the destination subnet is closer in the topology to one core router than another, the shortest path from the distribution layer router to the target network may not be the one taken. If the network core is truly presenting minimal delay to traffic, then the addition of an extra hop will not be significant when compared to the increased stability.

Summarizing within the Core
You can summarize between the core routers, but it's only necessary if the distribution layer routers are not summarizing toward the core themselves. As Figure 7-3 illustrates, the core routers could summarize toward the other core routers so that each core router has full component knowledge of the subnets inside the regions to which it is connected but only summary knowledge of the other regions.

Figure 7-3 Summarization within the Core


The following list describes the routing advertisements resulting from the setup in Figure 7-3:
• Router A advertises 172.16.0.0/21 for the HQ VLANs and 172.16.16.0/22 for the common services out toward the other core routers.
• Router B advertises 172.16.22.0/24 for the external connections and 172.16.0.0/21 for the HQ VLANs toward the other core routers.
• Router C advertises 172.16.22.0/24 for the dial-in users, 172.17.0.0/19 for remote sites, and 172.16.96.0/19 for remote sites.
• Router D advertises 172.16.64.0/19, 172.16.24.0/21, and 172.16.32.0/19 for remote sites.
• Router E advertises 172.16.16.0/22 for the common services.
Note that 172.16.22.0/24 appears twice in this list, for the external connections behind Router B and for the dial-in users behind Router C. The same prefix cannot summarize both, so check the addressing plan before copying these advertisements into a configuration.

The advantage of this approach is that the core routers have full knowledge about all remote locations in their region and can choose the optimum route from the core router to the remote site. The disadvantage is that the core routers for each region are directly involved in the query path for any link failure inside their region. Should you summarize within the core of the network? Because this makes the configuration of the core more complicated and moves work from the distribution layer into the network core, you probably shouldn't adopt this solution. In any case, you will need to hold off on making a final decision until you have dealt with summarization in the distribution layer.

Analyzing the Network's Distribution Layer for Summarization
The distribution layer's goals in hierarchical networking are to summarize and aggregate traffic. The following sections, on summarizing toward the network core and summarizing toward the remote sites, will give you a better idea of what you can do with summarization here.

Summarizing toward the Network Core
You can apply summarization to the links toward the core to limit their advertisements to one or more summary routes representing all the subnets off of that distribution router. For example, in Figure 7-4, summarization occurs outbound from Router A and Router B on the serial links toward the core router.

Figure 7-4 Summarization between the Distribution Layer and Core


For the setup in Figure 7-4, both Router A and Router B advertise the following routes:

• 172.16.64.0/19
• 172.16.24.0/21
• 172.16.32.0/19


However, there is one problem that can occur with this summarization method unless proper steps are taken. If Router A and Router B both advertise to the core only a summary route representing the same sets of networks at the remotes, you can create a "black hole" should one of the distribution routers lose access to one of the remotes. For example, if Router A advertises 172.16.64.0/19, but loses the Frame Relay permanent virtual circuit (PVC) to one remote in that range, all the packets forwarded to Router A that are destined to a remote site in that range will be dropped. This can be a serious problem.

There are two solutions to this problem. The first solution is to summarize at the core rather than between the distribution and core routers, as covered in the previous section "Summarizing within the Core." This solution defeats the goals of the distribution layer, however, and will cause queries for networks in the branches to be propagated into the core. A second solution is to have a relatively high-speed and reliable link connecting the distribution layer routers within a region. Routes advertised over this link will not be filtered, so both distribution layer routers will contain all of the components from each other. Note that the link between the distribution layer routers must be robust enough to support remote-to-remote traffic within the region. On most corporate networks, however, remote-to-remote traffic is negligible when compared to remote-to-common resource traffic.
The obvious solution to the problem of summarizing toward the network core is to have a relatively high-speed and reliable link connecting the distribution layer routers within a region, given that there will be very little remote-to-remote traffic. Figure 7-5 illustrates the new design.

Figure 7-5 Links between Distribution Layer Routers


The first thing to note in Figure 7-5 is that no link exists between the two center distribution layer routers because this would cause too much route leakage. You might remember that the original network design had these links in it before reworking the network design in Chapter 4, "Applying the Principles of Network Design." This is a perfect instance of implementation issues forcing compromises in design; the greater goal isn't to meet all of the written goals—it's to produce the most stable network possible with the material at hand.

Summarizing toward the Remote Sites

Summarization should be performed on the interfaces outbound to the remote sites, as well. The purpose of this summarization is to limit the routing updates to the remote routers so that they contain only a default route or major net routes; without the summarization, all the components in the region will be sent to the remote sites. As explained in the Case Study later in the chapter, "Troubleshooting Stuck-In-Active Routes," sending the intra-region component routes unnecessarily to the remotes causes the remote sites to be included in the query process, which is not a good thing. Increasing the range of the query process beyond what is absolutely necessary increases the amount of work required to reach network convergence and the chances that there will be a problem with convergence due to link or router issues. The more devices or links involved in convergence, the more likely it is that you will have a problem with it. Additionally, if the routes are not summarized from the distribution routers to the remote routers, significantly more work and traffic are required to start up the neighbor relationship between the distribution and remote routers. Because smaller bandwidth links tend to be used between remote sites and the distribution layer, decreasing EIGRP's bandwidth requirements at startup is a wise move.

The method used to summarize the routes to the remote sites can be either the summary-address statement or the distribute-list statement. Either one of these methods will work fine for this application. For more on how to implement the summary-address and distribute-list statements, refer to "Case Study: Summarization Methods," later in the chapter.

At the end of the earlier section "Summarizing within the Core," the decision of whether to add summarization within the network core was not made. Based on the decision to summarize from the distribution layer into the core via summary-address or distribute-list statements, summarization within the core is unnecessary. Because each distribution layer router is sending only summary information to the core, it is probably unnecessary to further summarize between core routers.

Analyzing Routing in the Network's Access Layer

Access layer routers can normally be classified as stub or dual-homed. The sections that follow present each type along with alternative methods of supporting them.

Stub Sites

Stub sites are those that have only a single path into the rest of the network and typically have very few routes to advertise upstream. True stub sites do not have dial backup or any other way that they could gain an additional path into the distribution layer. As such, true stubs are fairly rare. There are generally two (obvious) ways to handle stubs: running EIGRP out to them (allowing them to advertise their locally connected networks) or not running EIGRP out to them.

If EIGRP is running out to the stub site's remote router, the remote router can advertise any reachable destinations using EIGRP. In this case, the question is, what should the distribution layer router to which the stub is connected advertise to the remote site? By definition, a stub site really doesn't have any routing decisions to make; that is, if the address isn't local, it must be reachable through the link to the distribution layer. Therefore, it is particularly appropriate to limit the routes sent from the distribution layer to the remote to the minimum number possible. Believe it or not, the minimum can be one—or even none! You can either send a single default route from the distribution layer router to the stub remote site or you can filter out all updates from the distribution layer router to the remote site and define a static default route in the remote site pointing back to the distribution layer router, which is more efficient. In this way, the routes from the remote are learned dynamically for delivery of traffic to the remote, but a static route is used for the traffic inbound from the remote.


If EIGRP is not running between the stub's router and the distribution layer router to which it connects, you use static routes at both the remote site and the distribution layer router. Because EIGRP is not running between the remote router and the distribution layer router, there isn't any way for the distribution layer router to learn dynamically about destinations reachable at the remote site. To provide the rest of the network with information about destinations available at this stub site, static routes are defined in the distribution layer router pointing to the appropriate access router for each remote network. This is ideal for situations where the links to the remote sites are not very robust; because EIGRP isn't running over the link, it isn't affected a great deal if the link often fails and, therefore, cannot create any problems for the remainder of the network due to SIAs. The disadvantage of this approach is the administrative overhead of defining a large number of static routes and then maintaining them when the network topology changes. Typically, this approach should be used only if you are trying to eliminate problem links from the query and update path for EIGRP.

Dual-Homed Remotes

The second category of access layer routers, dual-homed remotes, is much more common than stubs. Some are "permanent" dual-homed remotes, like the example network, with low-speed (or low-CIR) connections to two different distribution routers from each remote site. The purpose of the two connections from the remote could be for load balancing, but they are usually for redundancy. These important remote sites are connected in such a way that a Frame Relay PVC failure or distribution layer router failure will not cause them to lose access to the core of the network.

Another type of remote connection that needs to be treated as if it were dual-homed is a stub site with dial backup capability. Even though stub sites with dial backup capabilities don't have two permanent paths into the core of the network, the dial connection will come up in the event of Frame Relay failure. When the Frame Relay connection comes back up, for a brief period of time both the Frame Relay and dial connection will be functional and, thus, make the remote appear as if it is dual-homed.

Distribution layer routers that are attached to these dual-homed remotes will see each of the remotes as an alternative path to reach elsewhere in the network; they will appear to be transit paths or alternate paths through the network. For an example, look at Figure 7-6.

Figure 7-6 A Dual-Homed Remote as a Transit Path


With a default configuration of EIGRP running between all the routers shown in Figure 7-6, Router A sees four paths to the 192.168.250.0/24 network:

• Router C to Router B
• Router D to Router B
• Router E to Router B
• Router B

Router A would normally choose the route directly through Router B to reach this destination, but if that route fails, Router A will choose between the remaining three routes or, possibly, load share between them. This may be fine from a traffic standpoint; the links can be sized to handle the load, and so forth. The problem is that Router A will see each of these paths as a path through which it must query if the 198.162.250.0/24 network fails, and it will hold each of these paths in its topology table, consequently wasting memory.

Summarizing outbound from the distribution layer, as discussed in the section "Summarizing toward the Remote Sites," effectively limits the number of paths Router A sees to reach the 192.168.250.0/24 network. Because the remote routers won't have routes to this specific network through Router B, they cannot advertise it back to Router A. This is an important concept for the EIGRP network because there are so many remotes that are dual-homed. It's important that you summarize to the greatest possible extent from the distribution layer into these remote site routers. You should configure the distribution layer routers with distribution lists or summary address statements so that the access layer routers receive only a default route.


Dual-Homed Remotes and Best Next Hop

In some networks, there may be a requirement that the remote sites use the path through the distribution router that is closest to the target network instead of sending to whichever distribution router is next in the load-sharing scheme. For example, if a remote router is connected to one distribution router in Los Angeles and another distribution router in New York, it may be very desirable to choose the distribution router that is topologically closest to the target network. This requires a slightly different approach than the one discussed previously.

If a dual-homed remote site needs to select the best next hop to reach certain destinations (typically data centers or common services areas), specific routes to those destinations must be propagated to the remote routers so that path selection can take place. Of course, allowing these additional routes will increase the work required to bring up the adjacency between the distribution router and the remote router and possibly allow the feedback of routes from distribution router to remote router to distribution router as described in a preceding paragraph. So how do you deal with this situation? If a limited number of routes are being allowed from the distribution layer router to the remote router, the additional overhead of bringing up the link should not be severe. Care must be taken to keep the number of routes advertised to the remotes to a bare minimum.

The second action that should be taken is to eliminate the possibility of the distribution layer routers seeing the remote routers as transit paths to the routes that are allowed in the advertisements to the remote routers. This can be accomplished by putting distribution lists in the remote routers, allowing only the routes at that remote site in routing updates. In other words, the routes permitted are only those originating at the remote site, not routes learned via the links to the distribution layer. This will stop the remote routers from "reflecting" routes back to the distribution layer.

Another reason that the distribution lists in the remote routers, as described in the preceding paragraph, may be a good idea is that they will act as an insurance policy against disaster due to misconfiguration of a distribution router. If a summary address statement or distribution list is accidentally left off of a distribution router, any interface that is no longer getting filtered routes may learn many more routes than desired. The extra routes may be an annoyance, and they may create havoc, as well. Depending on the summarization strategy used in the network, it is possible that these inadvertently leaked routes could be the most specific routes to the target networks learned by the other distribution router. Without the distribution lists limiting updates from the remote routers to only those routes originating at the remote site, the remote learns these extra routes and then advertises them to the other distribution router to which it is connected. This may cause the other distribution router to use the remote to reach those target networks because IP routing always follows the most specific route. This could be a disaster because it is very doubtful that the links to the remote routers are provisioned to support the amount of traffic that may occur if the remote were used as a transit site.


In the sample network shown previously in Figure 7-6, the distribution lists in the remote are not really necessary because every distribution router will know the same level of summarization. To be safe, however, you should put the distribution lists in.
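The reflection problem just described, as an added example (Python, not the book's code) with constructed router names and prefixes: distribution router D2 has lost its outbound summary and leaks component routes to the remote, and the remote's outbound distribute-list decides whether D1 ends up following the more specific route through the remote as a transit path. The Router class and the toy advertisement model (split horizon plus an outbound filter predicate) are assumptions.

```python
"""Route reflection through a dual-homed remote (Figure 7-6 and the
"Dual-Homed Remotes and Best Next Hop" discussion).  Constructed example:
router names, prefixes and the toy advertisement model are assumptions."""
from ipaddress import IPv4Address, ip_network

DEFAULT = ip_network("0.0.0.0/0")


class Router:
    def __init__(self, name, connected=()):
        self.name = name
        # prefix -> (next hop, neighbor the route was learned from;
        #            None when the prefix is locally connected)
        self.routes = {ip_network(p): ("connected", None) for p in connected}

    def learn(self, prefix, neighbor):
        """Install a route from a neighbor unless one already exists."""
        self.routes.setdefault(ip_network(str(prefix)), (neighbor, neighbor))

    def advertise(self, peer, outbound=None):
        """Send routes to peer.  Split horizon drops routes learned from that
        peer; `outbound` is a predicate modelling a distribute-list out."""
        for prefix, (_, learned_from) in list(self.routes.items()):
            if learned_from == peer.name:
                continue
            if outbound is not None and not outbound(prefix, learned_from):
                continue
            peer.learn(prefix, self.name)

    def next_hop(self, address):
        """Longest-prefix match, as IP forwarding always does."""
        addr = IPv4Address(address)
        best = max((p for p in self.routes if addr in p),
                   key=lambda p: p.prefixlen)
        return self.routes[best][0]


def default_only(prefix, learned_from):
    """Distribution -> remote policy: remotes receive a default route only."""
    return prefix == DEFAULT


def locally_originated(prefix, learned_from):
    """Remote -> distribution distribute-list: connected routes only."""
    return learned_from is None


def scenario(remote_filters_outbound):
    """D1 (say Los Angeles) knows the data-center range only as the
    172.16.16.0/22 summary learned from the core.  D2 (say New York) owns
    the data-center subnets and has accidentally lost its outbound summary.
    Returns D1's next hop for a data-center host."""
    d1 = Router("D1")
    d2 = Router("D2", ["172.16.16.0/24", "172.16.17.0/24"])
    remote = Router("R", ["192.168.250.0/24"])
    for d in (d1, d2):
        d.learn("0.0.0.0/0", "core")
    d1.learn("172.16.16.0/22", "core")

    d1.advertise(remote, outbound=default_only)   # correctly summarized
    d2.advertise(remote)                          # misconfigured: leaks /24s
    policy = locally_originated if remote_filters_outbound else None
    remote.advertise(d1, outbound=policy)
    remote.advertise(d2, outbound=policy)
    return d1.next_hop("172.16.16.10")


if __name__ == "__main__":
    print("with distribute-list on remote:", scenario(True))   # core
    print("without distribute-list:", scenario(False))         # R (transit)
```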

Analyzing Routes to External Connections

Another area to be concerned with in the EIGRP network implementation concerns the method of propagating routing information for external destinations; that is, sites that are not part of the AS, such as the partner networks attached to through the DMZ shown in Figure 7-7. You can classify these external sites in two ways: those that have a limited scope of addresses and those that don't. An example of the first type is connections from the AS into either another company's network, or other divisions of the company that fall under other administrative control. An example of the second type is the Internet connection.

Figure 7-7 Network Setup for Propagating Routing Information to External Connections

This section describes several methods that EIGRP offers to propagate information about these external destinations. First, if the external AS has a limited number of IP networks, you can redistribute the routes into EIGRP from the other AS. Redistributing routes into EIGRP can be a reasonable choice if done correctly. If done poorly, however, redistribution can create a disaster. Refer to "Case Study: Redistribution," later in the chapter for more information on how to resolve the problem of redistributing routes from EIGRP into other protocols and vice versa. The "Case Study: EIGRP/IGRP Redistribution" focuses more exclusively on redistribution between IGRP and EIGRP for combining networks and for transitioning from IGRP to EIGRP.

If the external connection is to the Internet, redistributing the routes into EIGRP is not appropriate. There are entirely too many routes in the Internet; you will overpopulate the routing tables in the AS! Besides, as mentioned earlier, you should limit your routing knowledge to the minimal set that enables you to route traffic properly. Typically with an Internet connection, if the address isn't contained within the AS, it's out there, and you could simply follow a default route to reach it.

In EIGRP, there are two ways to propagate information about the default route. You could define a static route to 0.0.0.0/0 and redistribute this route into EIGRP from the DMZ router. This route matches any target IP address that the router does not have a more specific route to. One problem with this approach is that if there are any routers that are summarizing to 0.0.0.0/0 with ip summary-address eigrp <AS> 0.0.0.0 0.0.0.0 statements on their interfaces, they will not accept this default route. A local summary route has a default administrative distance of 5 and the external default route will have an administrative distance of 170 and will, thus, fail to be installed in the routing table.
Either the local router must have a static route with a better administrative distance than the summary, or the summary must be configured with an administrative distance higher than 170. (Chapter 1, "Hierarchical Design Principles," covers administrative distances in greater detail if you need to review.)

An alternative to using a 0.0.0.0/0 route is to define a default network by configuring ip default-network x.x.x.x on the DMZ router. The destination configured as the default must be reachable from all other routers in the network. In the case of the example network in Figure 7-7, you could use the address of the link that connects the network to the Internet, which would look something like this:

!
ip default-network 192.168.200.0
!

You could also install a static route on the DMZ router for a destination that doesn't exist anyplace else in the network and point it to the other side of the link to the Internet.

!
ip route 10.0.0.0 255.0.0.0 192.168.200.1
ip default-network 10.0.0.0
!


There are positive and negative aspects of each method. Using a default network allows you to learn the default destination through some other routing protocol and adjust your default routing in response to losing that route. Static default routes can be recursive (can point to a network not directly attached to the router in which they are configured), but they don't provide the flexibility of default networks. Default networks also work correctly with IGRP if there is any IGRP in your network. IGRP can't carry the default route of 0.0.0.0/0. On the other hand, the default route is more common and can be passed to, or learned from, other routing protocols, such as Border Gateway Protocol (BGP) or OSPF. Cisco routers also converge faster for changes in the default route than they do for changes in a default network. For the network in this chapter, which has no IGRP, stick with a default route of 0.0.0.0/0. This is the preferred method unless you have some reason to use a default network.

Analyzing Routes to the Common Services Area

The common services are connected to the core through two distribution routers and are also connected via multiple, parallel Ethernet links (or Fast Ethernet links), as illustrated in Figure 7-8. Whether these are truly separate physical links or VLANs connected through switches, to EIGRP they present the appearance of multiple parallel paths connecting the "back side" of the two distribution routers. One of the more typical errors made by network designers is to include all of these parallel paths as alternative paths for routes to reach much of the rest of the network. This section addresses how to avoid this condition.

Figure 7-8 Common Service Connections


Ideally, the servers on these segments point their default gateway to a Hot Standby Routing Protocol (HSRP) address shared by the two distribution routers. This design allows the servers on these segments to adapt to a router failure almost immediately. These networks are not designed for transit traffic; that is, traffic is not expected to enter the common services distribution router from the core, go through one of the Fast Ethernet links used by the common services, and then exit through the other distribution router back to the core. EIGRP, however, won't know this by default. It will treat each of these links as an alternate path, storing information about them in the topology table, and propagating queries through them. These alternate paths complicate EIGRP's convergence. To eliminate the possibility of these networks being used for transit traffic, the network manager shouldn't run EIGRP on any of these parallel Ethernet links. (Well, one or two should run EIGRP, but this is discussed following Figure 7-9.) Configuring passive-interface {interface} for an interface or subinterface will remove EIGRP from these interfaces.


Figure 7-9 Simplified Common Services

To prevent the rest of the routers in the network from going active on individual segments supporting these servers, you should use the same strategy that is used everywhere else in the network. Summarize the subnets that reside on the common service Ethernet connections in both distribution layer routers so that they will send only a single summary route out to the core. If a single Ethernet connection goes down in the common services area, the remainder of the network will not start the query process to find an alternative path. The query will stop at the first router that doesn't have knowledge of the specific subnet that has failed, which will be a core router.

There is one problem with this strategy though—it can create routing black holes in the same way that dual-homed remotes can. To understand why, examine Figure 7-9, which has all but two of the common services networks removed. Router A and Router B will both be advertising a summary of 172.16.16.0/22, which covers the entire address range but doesn't overlap with any other addresses in the network. (See Chapter 4 for more details.) If Router A's interface on the 172.16.18.192/26 network fails, Router A will continue advertising the 172.16.16.0/22 summary toward the core. If, however, one of the core routers forwards a packet destined to the 172.16.18.192/26 network toward Router A, Router A will drop it because it has no route for this destination—or even worse, it will send the packet back toward the core along its default route.


To resolve this situation, Router A must know that 172.16.18.192/26 is reachable through Router B. This is why EIGRP should be run over at least one of these parallel Ethernet links. In order to do this, a passive-interface statement should NOT be put into the configuration for at least one Ethernet link. It would be even better if there were one or two links between these routers dedicated to redundancy (with no servers or other devices on them) to account for just this situation.
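The black hole that a stale summary creates, as described both for the distribution routers summarizing toward the core (Figures 7-4 and 7-5) and for the common services summary just above, as an added example (Python, not the book's code) built around the chapter's prefixes: Router A keeps advertising 172.16.16.0/22 after losing 172.16.18.192/26, and the forwarding result is shown with and without EIGRP running over one of the parallel links. The Router class, the sample list of component subnets, the overlap check and the scenario function are assumptions.

```python
"""Black holes created by summarizing in front of a lost component route.
Constructed example, not the book's code: the Router class, the component
list and the scenario are assumptions built around the chapter's prefixes."""
from ipaddress import IPv4Address, ip_network

COMMON_SERVICES_SUMMARY = "172.16.16.0/22"
# Constructed sample of the component subnets behind the summary.
COMMON_SERVICES = ["172.16.16.0/24", "172.16.17.0/24", "172.16.18.192/26"]


class Router:
    """Minimal routing table with longest-prefix-match forwarding."""

    def __init__(self, name):
        self.name = name
        self.routes = {}                      # IPv4Network -> next hop

    def add(self, prefix, next_hop):
        self.routes[ip_network(prefix)] = next_hop

    def remove(self, prefix):
        self.routes.pop(ip_network(prefix), None)

    def lookup(self, address):
        """Most specific route for address as (prefix, next hop), or None."""
        addr = IPv4Address(address)
        matches = [p for p in self.routes if addr in p]
        if not matches:
            return None
        best = max(matches, key=lambda p: p.prefixlen)
        return best, self.routes[best]

    def black_holes(self, summary, components):
        """Components this router advertises under `summary` but cannot
        reach: packets the core sends here for them are dropped, or with
        a default route bounced back toward the core."""
        summary = ip_network(summary)
        return [c for c in map(ip_network, components)
                if c.subnet_of(summary) and c not in self.routes]


def summary_overlaps(summary, other_prefixes):
    """Prefixes elsewhere in the network that a proposed summary would
    cover; a good summary overlaps nothing outside its own region."""
    summary = ip_network(summary)
    return [p for p in map(ip_network, other_prefixes) if summary.overlaps(p)]


def figure_7_9_scenario(eigrp_on_peer_link):
    """Router A and Router B both advertise 172.16.16.0/22 to the core.
    Router A then loses its interface on 172.16.18.192/26.  Returns Router A
    after the failure so the caller can inspect its forwarding."""
    a, b = Router("A"), Router("B")
    for r in (a, b):
        for subnet in COMMON_SERVICES:
            r.add(subnet, "connected")
        r.add("0.0.0.0/0", "core")           # default toward the core
    a.remove("172.16.18.192/26")             # interface failure on Router A
    if eigrp_on_peer_link:
        # One parallel Ethernet link left active (no passive-interface):
        # Router A learns Router B's connected components over it.
        for prefix, hop in b.routes.items():
            if hop == "connected" and prefix not in a.routes:
                a.add(str(prefix), "B")
    return a


if __name__ == "__main__":
    for peer in (False, True):
        a = figure_7_9_scenario(peer)
        print("EIGRP on peer link:", peer,
              "-> packet to 172.16.18.200 follows", a.lookup("172.16.18.200"),
              "; black holes:", a.black_holes(COMMON_SERVICES_SUMMARY, COMMON_SERVICES))
```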

Analyzing Routes to Dial-In Clients

There are a number of issues and complications that dial-in access creates. This section discusses host routes created by the dial process and EIGRP bandwidth concerns.

Host Routes

Typically, dial in is handled through the Point-to-Point Protocol (PPP). When a PPP session is initiated, a host route (/32) is created on the access server for the remote site, and the host route is removed when the call is dropped. If there is a large number of dial-in clients, this can create a significant amount of network activity as the network reacts to these host routes appearing and disappearing. There are two methods of eliminating this influx of network activity in EIGRP. First, you can define the command no ip peer host-route on the interface(s) of the access server, which will stop the host route from being created in the first place. The second method you can use to eliminate the host routes is to summarize the host routes learned via the dial interfaces and allow only this summary route to be advertised toward the core. This summarization can be done by either configuring an ip summary-address eigrp <autonomous-system> statement, or by using a distribute-list out statement, as discussed in "Case Study: Summarization Methods" later in the chapter.

If the client dialing in is normally included as part of a summary elsewhere in the network (for instance, a PC with an address that is normally part of one of the remote sites that dials into the access server), the more specific component that dialed in will need to be sent out nonsummarized. It's impossible to get around advertising this host route because the access server can't advertise the same summary that the remote site router (or some router between the access layer and the core) is advertising without causing other routing problems.

If hosts will be dialing in using addresses that are summarized elsewhere in the network, the only way to resolve this is to place an access server for each region behind the summary point. An example of this technique is shown in Figure 7-10; the addresses for the dial-in clients will fall into the summaries that the distribution layer routers are already advertising. Some network administrators use this strategy to minimize components being advertised in the network, but many of them are content with the components being advertised.


Figure 7-10 Addressing Dial-In Clients


Bandwidth Issues

Bandwidth can be an issue when routers are dialing into an access server (rather than individual hosts). EIGRP uses the bandwidth configured on the interface (using the bandwidth command) to determine the rate to pace EIGRP packets. EIGRP paces its packets so that it won't overwhelm the link by using 50% of the defined bandwidth by default. Because EIGRP relies on the bandwidth configured on the interface for packet pacing, it's very important for the interface to be configured correctly. (It should reflect the real bandwidth available on the link.) If EIGRP believes that the interface has more bandwidth than is really available, it can dominate the link and not allow other traffic to flow. If EIGRP believes that the interface has much less bandwidth than it actually does, it may not be able to successfully send all of the updates, queries, or replies across the link due to the extended pacing interval.

To make things more complicated, the bandwidth is divided by the total number of remote peers on ISDN Primary Rate Interface (PRI) and dialer interfaces in an attempt to fairly distribute the available bandwidth between the neighbors that are reachable through that interface. With Frame Relay multipoint interfaces, this works fine. With ISDN or dialer interfaces, however, you never know how many neighbors will be dialed in. If there is only one Basic Rate Interface (BRI) dialed in, the bandwidth should be defined as 64 K. If 23 BRIs are dialed in, then the bandwidth should be 1.544 M. Because the defined bandwidth doesn't change with the number of neighbors dialed in, you should set the bandwidth to make it work for both extremes by doing the following:

• Define the dial-in interfaces as dialer profiles instead of dialer groups or dialer interfaces; this allows you to set the bandwidth per dialed-in peer. However, this is a very intense administrative approach.
• Summarize the EIGRP updates out of the dial link to make the amount of traffic so insignificant that it can fit across the link regardless of how much bandwidth is actually available.

Summary of EIGRP Network Design

The previous sections explored how the best summarization techniques can be applied to an EIGRP network to improve its scalability. A number of techniques were discussed and numerous recommendations were made to summarize routes at various points in the network. These points include the following:

• Summarizing from the network core to the distribution layer
• Summarizing from the distribution layer to the network core
• Summarizing from the distribution layer to the remote sites
• Placing distribution lists on the remote routers to limit their advertisements to contain only those routes originating at the remote site
• Summarizing from the common services area to the network core
• Implementing passive interfaces on all but one or two common services Ethernet/Fast Ethernet links
• Summarizing from the dial access servers into the network core


By taking these steps, the network will be robust and scalable. Adding additional sites requires only that the same techniques be applied to the new routers. New regions can be added by using the same summarization/distribution list techniques to minimize the scope of queries and updates in the EIGRP network, providing the most robust and stable networking environment possible.

Case Study: Summarization Methods

There are two basic tools used to summarize routes in EIGRP: summary-address statements and distribute-list statements. These two methods provide significantly different approaches to limiting the routing updates to a summary of the information, and each is uniquely useful. The best solution to a summarization problem is often a mixture of both approaches. One or both of these basic tools will be applied in all three layers—core, distribution, and access—in order to provide the maximum in summarization and, thus, the maximum in stability and scalability. Next, you can look at each tool in order to understand the pros and cons of each.

summary-address Statements

The first summarization tool is the summary-address statement. This command is in the form ip summary-address eigrp AS network mask distance and is applied to an interface of a Cisco router out of which you want to advertise a summary route. The summary-address command provides two related functions:

• It creates a summary route in the routing table (identified as a summary route with a next-hop address of null0). It will then propagate to any neighbors out of the interface with the summary address statement defined.
• It filters out the components of the summary that would normally have been sent out of the interface with the summary address statement. In this way, it sends ONLY the summary information.

While the summary address method of summarization is extremely flexible and powerful, it can also be administratively wearisome and possibly error-prone. As mentioned previously, the summary-address statement needs to be applied to each interface out of which you want to advertise the summary. On routers that contain dozens or even hundreds of interfaces and subinterfaces, there can be a large number of summary-address statements that must be defined correctly.

There are also a couple of issues that need to be understood about the summary address implementation in order to make proper use of the tool. First, a summary route will be created and sent only if EIGRP has an internal component of the summary. This means that if all components that make up the summary disappear, or only external (redistributed) components exist, the summary route is not installed and advertised. This is proper behavior because a router should not be advertising that it can reach a range of addresses if there are not any components of that range reachable through the advertising router.

One unfortunate side-effect of using the summary address method is that if you are receiving a route that matches the summary (same network and mask) from another source, you won't install it. This is because the summary route generated by the summary-address command has an administrative distance of five by default, which will be better than the administrative distance of any dynamically learned route. To illustrate, suppose that you have a router that is learning its default route through an external source:

router#show ip route
….
Gateway of last resort is 172.19.1.1 to network 0.0.0.0
….
D*EX 0.0.0.0/0 [170/2195456] via 172.19.1.1, 00:00:09, Serial0

You want to configure a summary-address statement that will advertise the least number of routes possible out of interface serial 1. So, you will configure the following:

router(config)#int serial 1
router(config-if)#ip summary-address eigrp 100 0.0.0.0 0.0.0.0

Now, you have:

rp-2501-13a#show ip route
….
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
….
D* 0.0.0.0/0 is a summary, 00:00:49, Null0

This is a problem. Any packets that should follow the default route and be directed toward 172.19.1.1 will actually be sent to null0 (the bit-bucket). Essentially, you will throw these packets away. To resolve this, you can use a new addition to the ip summary-address command:

router(config-if)#ip summary-address eigrp 100 0.0.0.0 0.0.0.0 200

The final 200 sets the administrative distance of this summary route to 200. Although the downstream router will still receive only the 0.0.0.0/0 route, the summary won't be installed in this router's routing table because its administrative distance is higher than that of the external EIGRP route you currently have. This feature isn't available in all versions of IOS software. (It was integrated in 12.0(5)T, so the version must be that release or later.)


distribute-list Statements

The second method used to filter and summarize routes in EIGRP is to define distribute lists under the EIGRP configuration. This method uses a totally different approach than the summary-address statements, but it provides very similar functionality. With the distribute list approach, you explicitly tell EIGRP which routes are allowed to be advertised out of any or all interfaces. The command is of the form distribute-list {access-list-number | name} out [interface-name | routing-process] and is entered in EIGRP configuration mode. The access list associated with the distribute list describes the route, or routes, that can be sent out the interface defined under the distribute-list command. A wildcard mask can be supplied in the access list in order to have more than one route permitted under the same access list.

Note that a key difference between distribute lists and summary addresses is that distribute lists do not automatically create the summary route you need to advertise. If the route permitted by the access list does not exist, then the route is not sent, of course. Typically, the network manager will define a static route to match the access list so that the route will always be there to advertise. This static route can be floating (that is, with a high administrative distance) so that if the same route is learned from elsewhere, it will be accepted and used. The static route will be used only if the dynamically derived route disappears.
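The two behaviours just described (a summary-address route displacing a learned route to the same prefix unless its administrative distance is raised, and a distribute-list that advertises only what already exists, so a floating static is used to guarantee the route) can be reproduced with a small model of a routing table that keeps every candidate per prefix and installs the lowest administrative distance. This is an added example, not configuration or code from the book; the administrative distances 5 (EIGRP summary) and 170 (EIGRP external) come from the text, while the floating static distance of 250, the sample prefixes and next hops are assumptions.

```python
"""Added example (not from the book): model route selection by administrative
distance (AD) to reproduce the summary-address and distribute-list behaviour
discussed above. Sample prefixes, next hops and the floating static AD are
assumptions; the summary (5) and external (170) ADs are from the text."""
from ipaddress import ip_address, ip_network

AD_EIGRP_SUMMARY_DEFAULT = 5   # stated in the text
AD_EIGRP_INTERNAL = 90         # IOS default for internal EIGRP routes
AD_EIGRP_EXTERNAL = 170        # the [170/...] shown in the text's show ip route
AD_FLOATING_STATIC = 250       # assumed: higher than any dynamic route

INTERNAL_SOURCES = ("connected", "eigrp-internal")


def norm(prefix):
    """Canonical 'network/len' string so lookups don't depend on spelling."""
    return str(ip_network(prefix))


class RoutingTable:
    """Keeps every candidate per prefix; the installed route is the lowest AD."""

    def __init__(self):
        self.candidates = {}  # prefix -> list of (ad, source, next_hop)

    def add(self, prefix, ad, source, next_hop):
        self.candidates.setdefault(norm(prefix), []).append((ad, source, next_hop))

    def withdraw(self, prefix, source):
        p = norm(prefix)
        self.candidates[p] = [c for c in self.candidates.get(p, []) if c[1] != source]

    def installed(self, prefix):
        cands = self.candidates.get(norm(prefix))
        return min(cands) if cands else None  # (ad, source, next_hop) or None

    def prefixes(self):
        return [p for p, c in self.candidates.items() if c]


def is_component(prefix, summary):
    p, s = ip_network(prefix), ip_network(summary)
    return p != s and p.subnet_of(s)


def apply_summary_address(rt, summary, ad=AD_EIGRP_SUMMARY_DEFAULT):
    """Emulate 'ip summary-address eigrp AS net mask [distance]' on one
    interface and return the set of prefixes advertised out of it. As the text
    describes, the Null0 summary exists only while an internal component
    exists; it then replaces its components in the update, and its AD decides
    whether it also displaces a learned route to the same prefix here."""
    summary = norm(summary)
    rt.withdraw(summary, "summary")
    components = [p for p in rt.prefixes() if is_component(p, summary)]
    has_internal = any(rt.installed(p)[1] in INTERNAL_SOURCES for p in components)
    if not has_internal:
        return set(rt.prefixes())  # no summary generated: components go out as-is
    rt.add(summary, ad, "summary", "Null0")
    return set(rt.prefixes()) - set(components)


def acl_permits(prefix, acl):
    """Standard access list used by a distribute-list: entries are
    (address, wildcard); a route matches when its network address agrees
    with the entry on every bit that is 0 in the wildcard mask."""
    addr = int(ip_network(prefix).network_address)
    for entry, wildcard in acl:
        care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
        if addr & care == int(ip_address(entry)) & care:
            return True
    return False


def apply_distribute_list(rt, acl):
    """Emulate 'distribute-list <acl> out <interface>': nothing is created;
    only routes that already exist and are permitted are advertised."""
    return {p for p in rt.prefixes() if acl_permits(p, acl)}


if __name__ == "__main__":
    rt = RoutingTable()
    rt.add("0.0.0.0/0", AD_EIGRP_EXTERNAL, "eigrp-external", "172.19.1.1")
    rt.add("172.19.10.0/24", AD_EIGRP_INTERNAL, "eigrp-internal", "172.28.1.2")
    print(apply_summary_address(rt, "0.0.0.0/0"), rt.installed("0.0.0.0/0"))
    print(apply_summary_address(rt, "0.0.0.0/0", ad=200), rt.installed("0.0.0.0/0"))
    dl = RoutingTable()
    dl.add("10.1.1.0/24", AD_EIGRP_INTERNAL, "eigrp-internal", "10.1.4.1")
    dl.add("10.0.0.0/8", AD_FLOATING_STATIC, "static", "Null0")
    print(apply_distribute_list(dl, [("10.0.0.0", "0.0.0.0")]), dl.installed("10.0.0.0/8"))
```

Running the demo shows the default route first installed at AD 5 toward Null0 (the black hole from the text), then left at AD 170 via 172.19.1.1 once the summary is given distance 200 while the neighbour still receives only 0.0.0.0/0; the distribute-list case advertises 10.0.0.0/8 only because the floating static supplies it.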

Case Study: Controlling Query Propagation

Not only do summarization statements and/or distribute lists limit the size and content of the updates sent to neighbors from a router, they also control the scope of EIGRP query propagation. (See Appendix C for further details on the query process.) Look at Figure 7-11 and consider a query propagating through this network.

Figure 7-11 Controlling Query Propagation


If Router B loses its route to 172.30.8.0/24, which is directly attached, it will query each of its neighbors in search of a different path to reach this destination. Because Router B has only one neighbor, the only router that will receive the query is Router A. Router A will then query each of its neighbors, Router C and Router D, looking for an alternative path to 172.30.8.0/24. Router C will then query Router D. Therefore, Router D will receive two queries: one from Router A, and one from Router C.

You know from looking at the network topology that Router D will not have a route to 172.30.8.0/24 unless Router A does—so why should you bother Router D with two queries about this network? Well, you can configure Router A so that Router D doesn't receive two queries. A query will stop propagating when it reaches a router that doesn't have any knowledge of the route that has gone active. (See Appendix C for further information on the active process within EIGRP.) Therefore, if you remove Router C's knowledge of 172.30.8.0/24, Router C will not propagate a query it receives from Router A to Router D.

This is where summarization and distribution lists come into play; they keep Router C from knowing about the 172.30.8.0/24 destination. On Router A, you can advertise a summary of all the routes available in the remainder of the network, 172.30.0.0/16, to Router C. When Router C receives a query for the 172.30.8.0/24 network, it will note that it does not have a topology table entry for this particular destination network and will immediately reply to Router A that it does not have any alternative paths.
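The query scope argument above can be checked with a small simulation. This is an added example, not code from the book: the topology (B-A, A-C, A-D, C-D) is inferred from the Figure 7-11 discussion, and the model covers only query scope, not DUAL's metric computation. A router with no topology table entry for the exact prefix replies at once; one that has an entry goes active and queries every neighbor except the one the query came from; a router that is already active replies without re-querying.

```python
"""Added example (not from the book): how far an EIGRP query travels with and
without the 172.30.0.0/16 summary from Router A to Router C. Topology is
inferred from the text; behaviour is the simplified query rule it describes."""
from collections import defaultdict, deque

# Assumed adjacency from Figure 7-11: B hangs off A; A, C and D form a triangle.
LINKS = {"A": ["B", "C", "D"], "B": ["A"], "C": ["A", "D"], "D": ["A", "C"]}
PREFIX = "172.30.8.0/24"


def simulate_queries(links, knowledge, origin, prefix):
    """Return {router: number of queries received} after `origin` goes active.
    `knowledge` maps router -> set of prefixes present in its topology table;
    the lookup is an exact match, so a covering summary is not knowledge."""
    received = defaultdict(int)
    active = {origin}
    pending = deque((nbr, origin) for nbr in links[origin])
    while pending:
        router, sender = pending.popleft()
        received[router] += 1
        if prefix not in knowledge[router] or router in active:
            continue  # immediate reply: nothing to ask anyone else
        active.add(router)
        pending.extend((nbr, router) for nbr in links[router] if nbr != sender)
    return dict(received)


def knowledge_without_summary():
    """Every router carries the /24 (no summarization anywhere)."""
    return {r: {PREFIX} for r in LINKS}


def knowledge_with_summary():
    """Router A advertises only 172.30.0.0/16 toward Router C, so C's topology
    table no longer has an entry for the /24."""
    k = knowledge_without_summary()
    k["C"] = {"172.30.0.0/16"}
    return k


if __name__ == "__main__":
    print("no summary :", simulate_queries(LINKS, knowledge_without_summary(), "B", PREFIX))
    print("summary at A:", simulate_queries(LINKS, knowledge_with_summary(), "B", PREFIX))
```

Without the summary, Router D is asked twice (by A and by C); with the summary, C answers A immediately and D hears a single query. The count per router is also the number of replies the querying routers must wait for before the route can go passive again.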


Case Study: A Plethora of Topology Table Entries

One of the common problems in an EIGRP network is the sheer number of alternate paths through which a given destination can be reached. Each alternate path in the topology table also represents a query that must be generated if the path currently being used fails for some reason. But these alternate paths aren't always obvious when you look at the topology table:

router#show ip eigrp topology
IP-EIGRP Topology Table for process 100
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - Reply status
P 172.19.2.128/25, 1 successors, FD is 2297856
        via 172.28.1.2 (2297856/128256), Serial0.1
P 172.19.10.0/24, 1 successors, FD is 2297856
        via 172.28.1.2 (2297856/128256), Serial0.1

The preceding topology table shows what appear to be two destinations, each with a single path to reach them. However, the paths shown here are only a subset of what is known by EIGRP. This output doesn't show all the paths available. It shows only the ones that the Diffusing Update Algorithm (DUAL) has calculated to be loop free. To get a more accurate picture of what paths are available, you can do a show ip eigrp topology all or a show ip eigrp topology for a particular destination:

router#show ip eigrp topology all
IP-EIGRP Topology Table for process 100
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - Reply status
P 172.19.2.128/25, 1 successors, FD is 2297856
        via 172.28.1.2 (2297856/128256), Serial0.1
        via 172.28.2.2 (3879455/2389454), Serial0.2
        via 172.28.3.2 (4893467/2389454), Serial0.3
        via 172.28.4.2 (4893467/2389454), Serial0.4
        via 172.28.5.2 (4893467/2389454), Serial0.5
        via 172.28.6.2 (4893467/2389454), Serial0.6
        via 172.28.7.2 (4893467/2389454), Serial0.7
        via 172.28.8.2 (4893467/2389454), Serial0.8
        via 172.28.9.2 (4893467/2389454), Serial0.9
        via 172.28.10.2 (4893467/2389454), Serial0.10
P 172.19.10.0/24, 1 successors, FD is 2297856
        via 172.28.1.2 (2297856/128256), Serial0.1
        via 172.28.2.2 (3879455/2389454), Serial0.2
        via 172.28.3.2 (4893467/2389454), Serial0.3
        via 172.28.4.2 (4893467/2389454), Serial0.4
        via 172.28.5.2 (4893467/2389454), Serial0.5
        via 172.28.6.2 (4893467/2389454), Serial0.6
        via 172.28.7.2 (4893467/2389454), Serial0.7
        via 172.28.8.2 (4893467/2389454), Serial0.8
        via 172.28.9.2 (4893467/2389454), Serial0.9
        via 172.28.10.2 (4893467/2389454), Serial0.10
router#show ip eigrp topology 172.19.10.0 255.255.255.0
IP-EIGRP topology entry for 172.19.10.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 2297856
  Routing Descriptor Blocks:
  172.28.1.2 (Serial0.1), from 172.28.1.2, Send flag is 0x0
      Composite metric is (2297856/128256), Route is Internal
      ….
  172.28.2.2 (Serial0.2), from 172.28.2.2, Send flag is 0x0
      Composite metric is (3879455/2389454), Route is Internal
      ….
  172.28.3.2 (Serial0.3), from 172.28.3.2, Send flag is 0x0
      Composite metric is (3879455/2389454), Route is Internal
      ….
  172.28.4.2 (Serial0.4), from 172.28.4.2, Send flag is 0x0
      Composite metric is (3879455/2389454), Route is Internal
      ….
  172.28.5.2 (Serial0.5), from 172.28.5.2, Send flag is 0x0
      Composite metric is (3879455/2389454), Route is Internal
      ….
  172.28.6.2 (Serial0.6), from 172.28.6.2, Send flag is 0x0
      Composite metric is (3879455/2389454), Route is Internal
      ….
  172.28.7.2 (Serial0.7), from 172.28.7.2, Send flag is 0x0
      Composite metric is (3879455/2389454), Route is Internal
      ….
  172.28.8.2 (Serial0.8), from 172.28.8.2, Send flag is 0x0
      Composite metric is (3879455/2389454), Route is Internal
      ….
  172.28.9.2 (Serial0.9), from 172.28.9.2, Send flag is 0x0
      Composite metric is (3879455/2389454), Route is Internal
      ….
  172.28.10.2 (Serial0.10), from 172.28.10.2, Send flag is 0x0
      Composite metric is (3879455/2389454), Route is Internal

From the preceding output examples, you can see that although there is only one successor for this particular destination, there are many different possible paths. This almost always indicates a topology with too much redundancy; this router has at least ten neighbors, and each of them has a path to this destination. Unfortunately, there aren't any definite rules on how many paths are too many in the topology table. The number of alternative paths, however, indicates how many query paths there are in the network and, therefore, how much work the routers in the network will need to do when converging on a topology change. In general, you should avoid running EIGRP over multiple parallel links between two routers unless you intend transit traffic to be passed over all of them, summarize as much as possible, and use distribute lists to reduce the amount of routing information a router needs to deal with whenever possible.
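Counting the hidden paths by hand across a large topology table is tedious, so a parser for the show ip eigrp topology text is a practical aid. This is an added example, not a tool from the book: it reads the output format shown above, reports destinations whose path count exceeds a threshold (an assumption; the text says there is no fixed rule), and applies DUAL's feasibility condition (reported distance lower than the feasible distance) to explain why the plain command listed only one path. The sample output is constructed to match the book's format.

```python
"""Added example (not from the book): parse 'show ip eigrp topology [all]'
output, count the paths behind each destination, and show which alternates
DUAL would accept as feasible successors. The sample is constructed."""
import re

ENTRY_RE = re.compile(r"^[PA]\s+(\S+),\s+(\d+) successors?, FD is (\S+)")
PATH_RE = re.compile(r"via (\S+) \((\S+)/(\S+)\), (?:r, )?(\S+)")

SAMPLE = """\
router#show ip eigrp topology all
IP-EIGRP Topology Table for process 100
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - Reply status
P 172.19.2.128/25, 1 successors, FD is 2297856
        via 172.28.1.2 (2297856/128256), Serial0.1
        via 172.28.2.2 (3879455/2389454), Serial0.2
        via 172.28.3.2 (4893467/2389454), Serial0.3
        via 172.28.4.2 (4893467/2389454), Serial0.4
        via 172.28.5.2 (4893467/2389454), Serial0.5
P 172.19.10.0/24, 1 successors, FD is 2297856
        via 172.28.1.2 (2297856/128256), Serial0.1
        via 172.28.2.2 (3879455/2389454), Serial0.2
P 10.1.1.0/24, 1 successors, FD is 281600
        via Connected, Ethernet0
"""


def num(s):
    """Metric field: a number, or 'Inaccessible'/'Infinity' as infinity."""
    return int(s) if s.isdigit() else float("inf")


def parse_topology(text):
    """Return {destination: {"fd": int, "paths": [(next_hop, metric, reported, interface)]}}."""
    table, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = m.group(1)
            table[current] = {"fd": num(m.group(3).rstrip(",")), "paths": []}
            continue
        m = PATH_RE.search(line)
        if m and current is not None:
            nh, metric, reported, ifc = m.groups()
            table[current]["paths"].append((nh, num(metric), num(reported), ifc))
    return table


def path_report(table, limit=4):
    """Destinations carrying more than `limit` paths (limit is an assumption)."""
    return {dest: len(e["paths"]) for dest, e in table.items() if len(e["paths"]) > limit}


def feasible_successors(entry):
    """Alternates DUAL can switch to without a query: reported distance below
    the feasible distance. The successor itself (metric == FD) is excluded.
    An inaccessible FD (active route) yields none."""
    fd = entry["fd"]
    if fd == float("inf"):
        return []
    return [p for p in entry["paths"] if p[2] < fd and p[1] != fd]


if __name__ == "__main__":
    table = parse_topology(SAMPLE)
    print("too many paths:", path_report(table))
    for dest, entry in table.items():
        print(dest, "feasible successors:", feasible_successors(entry))
```

For the book's metrics every alternate reports 2389454, which is above the feasible distance 2297856, so none qualifies as a feasible successor; that is exactly why the plain command showed one path per destination while ten neighbors will still each receive a query when that path fails.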


Case Study: Troubleshooting EIGRP Neighbor Relationships

There are numerous reasons why EIGRP may have problems establishing neighbor relationships. In order to determine the source of the problem, the first thing to do is to add the command eigrp log-neighbor-changes under the router process in the configuration of every router. This will give you much more information about the cause of any neighbor problems. This Case Study describes two common problems that cause EIGRP not to establish neighbors successfully. The first problem occurs when the primary addresses used by the routers trying to be neighbors do not belong to the same subnet. The second common problem occurs when the underlying media is failing to deliver either unicast or multicast traffic in one direction or both. The two sections that follow discuss each of these error conditions in more detail.

Common Problem 1

Because Cisco routers permit the definition of both primary and secondary IP subnets on the same interface, many network implementers will treat the primary and secondary addresses as equal. As Figure 7-12 reveals, this isn't necessarily the case.

Figure 7-12 EIGRP Neighbors with Different Primary Addresses

From Figure 7-12, you can see that Router C has its primary (and only) IP address in the subnet with the secondary addresses of Router A and Router B. You can determine this easily by the output of show ip eigrp neighbors on all three routers.


A#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
1   172.30.1.3       Et0         13    00:00:15  0      5000  1    0
0   10.1.1.2         Et0         13    00:09:56  26     200   0    323
B#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
0   172.30.1.3       Et1         11    00:00:03  0      3000  1    0
1   10.1.1.1         Et1         11    00:11:09  23     200   0    3042
C#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
C#

As the preceding output indicates, Router A and Router B see Router C as a neighbor (a neighbor with a problem, however—note the Q count and lack of SRTT), but Router C doesn't see Router A or Router B as neighbors. This is because Router A and Router B match the IP address of the source of the hello packet against any of their addresses on that interface. Because Router C falls in one of the subnets, Router A and Router B will accept Router C as a neighbor.

Note

The Q count, shown in show ip eigrp neighbor, indicates the number of items from the topology table that need to be sent to this neighbor. Some (or all) of these items may never be sent due to split-horizon, distribution lists, summaries, or other things; so this doesn't indicate the number of packets that need to be sent or the number of routes that are being sent.

The Smoothed Round Trip Time (SRTT), shown in show ip eigrp neighbor, indicates the average amount of time it takes for a neighbor to respond to packets that require an acknowledgement. It is a smoothed (or weighted) average over multiple transmit/acknowledgement cycles.

On the other hand, when Router C compares the source address of the received hellos, it doesn't match any of the addresses on that interface and will, therefore, reject them. In some versions of IOS, the message "neighbor not on common subnet" will be a definite indication of this problem.

Common Problem 2

Another problem that is often seen with EIGRP neighbor establishment occurs when the underlying media fails to deliver either unicast or multicast traffic in one direction or both. The remainder of this Case Study describes how it looks when you are missing multicast traffic in one direction using the network diagrammed in Figure 7-13.


Figure 7-13 EIGRP Neighbors with Multicast Delivery Problems

When looking at Router A's show ip eigrp neighbors output, you will see the following:

RouterA#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
0   192.168.10.2     Se1         13    00:00:10  0      5000  1    0

Notice that Router B is seen in the neighbor table of Router A, but the Q count is not zero and the SRTT is not set to a value. If you have eigrp log-neighbor-changes configured (as you should!), you will also get messages on the console, or syslog, reporting that this neighbor is being restarted due to retransmit limit exceeded. These symptoms indicate that you are not able to get updates delivered and acknowledged to this neighbor, but you are able to see the neighbor's hellos. Now look at Router B's show ip eigrp neighbors output:

RouterB#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
RouterB#

Here you will notice that Router B doesn't have Router A in its neighbor table at all! This indicates that the multicast packets sent by EIGRP as hellos are not being delivered to this neighbor. Common reasons for this are a missing broadcast keyword on a dialer map or frame-relay map statement, misconfiguration of Switched Multimegabit Data Service (SMDS) multicast groups, or some other problem with the delivery mechanism. For example, a correct configuration for a multipoint Frame Relay interface would look like the following:


!
interface Serial 0
 encapsulation frame-relay
 ip address 172.30.14.1 255.255.255.0
 frame-relay map ip 172.30.14.2 100 broadcast
 frame-relay map ip 172.30.14.3 104 broadcast
 frame-relay map ip 172.30.14.4 210 broadcast

Note the broadcast keyword inserted at the end of each frame-relay map configuration command. This symptom could also indicate that traffic from Router A is not being delivered to Router B. You can determine whether this is the case by pinging Router B from Router A. If the unicast ping works, but EIGRP is unable to see Router A from Router B, you should ping 224.0.0.10 (EIGRP's multicast address) from Router A and see if Router B responds. A multicast ping to 224.0.0.10 should be forwarded onto every interface by the router and be responded to by every adjacent EIGRP neighbor:

router#show ip eigrp neighbors
IP-EIGRP neighbors for process 1
H   Address          Interface   Hold  Uptime    SRTT   RTO   Q    Seq
                                 (sec)           (ms)         Cnt  Num
4   192.168.10.2     Se1         14    00:00:05  0      3000  8    0
3   10.31.1.2        Se0.1       12    00:00:11  132    792   0    1668
2   10.31.2.2        Se0.2       12    00:00:12  131    786   0    1670
1   10.31.3.2        Se0.3       11    00:00:12  166    996   0    1669
0   10.1.2.1         Et0         10    1w4d      13     200   0    60131
router#ping 10.31.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.31.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/16/20 ms
router#ping 224.0.0.10
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 224.0.0.10, timeout is 2 seconds:
Reply to request 0 from 10.1.2.1, 12 ms
Reply to request 0 from 10.31.3.2, 112 ms
Reply to request 0 from 10.31.2.2, 104 ms
Reply to request 0 from 10.31.1.2, 100 ms
Reply to request 0 from 10.250.1.1, 12 ms
Reply to request 0 from 10.200.1.1, 12 ms
Reply to request 0 from 10.1.3.2, 12 ms


Case Study: Troubleshooting Stuck-in-Active Routes

Stuck-in-active (SIA) routes can be some of the most challenging problems to resolve in an EIGRP network. For more detail on EIGRP's active process, refer to Appendix C. In summary, a route becomes active when it goes down or its metric worsens, and there aren't any feasible successors. When a route goes active on a router, that router sends out queries to all of its neighbors (except through the interface where the route was lost) and awaits the replies. A 3-minute timer starts when the router marks the route as active; if the timer expires without getting all of the replies, the route that was active is considered stuck in active processing (thus the label "stuck-in-active" routes) and requires drastic actions. Three minutes is an incredibly long time to a router, so it is worth explaining how the replies could take longer than 3 minutes. Figure 7-14 shows a simple network reacting to a lost route, which you can use to understand how to troubleshoot the problem.

Figure 7-14 SIAs

Router A loses network 10.1.100.0/24 due to shutting down an interface to simulate a failure. Router A then goes active on the route and sends a query to Router B, which looks in its topology table for another successor, or feasible successor, for 10.1.100.0/24. In this case, Router B will not have other successors or feasible successors. So, it will also go active on the route and send a query to Router C. Router C will go through the same decision process, and the query will continue on to Router D (and farther if there were farther to go). During this entire process, Router A's 3-minute timer has been running because a reply is not sent back from Router B until it receives an answer from Router C, which is waiting on Router D. If something happens somewhere downstream (as it will in this Case Study) the timer on Router A may expire, and Router A will consider the path through Router B unreliable. When that happens, Router A resets its neighbor relationship with Router B and tosses all routes previously learned through Router B (relearning these routes requires rebuilding the neighbor relationship). This can be brutal if the link between Router A and Router B is a core link in your network!

Now, you can see how to troubleshoot SIA routes on the example network in Figure 7-14. First, how do you know you are getting stuck-in-active routes? You will see messages in your log such as the following:

Jan 19 14:26:00: %DUAL-3-SIA: Route 10.1.100.0 255.255.255.0 stuck-in-active state in IP-EIGRP 1. Cleaning up
Jan 19 14:26:00: %DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 10.1.4.1 (Ethernet1) is up: new adjacency

The DUAL-3-SIA message identifies which route is getting stuck—10.1.100.0/24 in this case—but it doesn't reveal which neighbor didn't answer. You will need to have log-neighbor-changes configured (as recommended earlier) in order to get the message immediately after the DUAL-3-SIA message, stating new adjacency for the neighbor (or neighbors) which was reset due to the SIA. You can also tell which neighbors have been recently reset by looking for a short uptime in show ip eigrp neighbors, but you cannot be sure that their reset condition was due to the SIA. Again, make sure log-neighbor-changes is configured on every router.

Because the log captured SIA messages, you need to try to determine where the source of the problem is. There are two questions to ask about SIA routes:

• Why are the routes going active?
• Why are they getting stuck?

Both aspects of the problem should be worked on, but the second is the most important by far and probably the most difficult to resolve. If you determine why a route is going active and resolve this part of the problem without determining why it became stuck, the next time a route goes active it could also become stuck. Therefore, finding the cause of the stuck is more important than finding the cause of the active.

Even though it is more important to find the cause of routes becoming stuck rather than why they went active, that doesn't mean you should ignore why routes are going active. Using the DUAL-3-SIA messages, you can determine if the routes going active are consistent; that is, are they all /32 routes from dial-in clients coming and going, or are they all the result of poor quality lines at the fringes of the network? If they are all host routes caused by dial-in users, you should try to minimize these active routes through summarization or other methods. If the active routes are due to unstable links, you need to get these Layer 2 problems resolved.

How do you troubleshoot the stuck part of the SIA? If the SIA routes are happening regularly, and you are monitoring the routers during the time of the problem, this is a fairly straightforward job. If the problem happens infrequently, and you were not monitoring the routers when the problem happened, it is extremely difficult (actually, it's almost impossible) to find the cause. For this Case Study, assume that the problem is happening regularly enough for you to catch the routes having problems. On Router A (where you are receiving the DUAL-3-SIA messages for 10.1.100.0/24) you look for active routes using the command show ip eigrp topology active. Looking at the following output reveals a lot about the state of the active route:

routerA#show ip eigrp topology active
IP-EIGRP Topology Table for process 1
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - Reply status
A 10.1.100.0/24, 1 successors, FD is Inaccessible
    1 replies, active 00:01:23, query-origin: Local origin
        via Connected (Infinity/Infinity), Loopback0
    Remaining replies:
        via 10.1.4.1, r, Ethernet1

The A on the left side of the address shows that this is an active route. The active 00:01:23 reveals the duration of the wait on a reply to this query. It is normal in a fairly large network to see routes go active, but if the amount of time they stay active is more than a minute, then something is certainly wrong, and SIAs may occur soon. Notice the field Remaining replies; any neighbors listed under this field have not yet replied to this query. Depending on the timing when the command is issued, you will often see neighbors who haven't replied with a lower case r beside the address but not under Remaining replies. For example (but not directly related to this Case Study), refer to the following:

router#show ip eigrp topology active
IP-EIGRP Topology Table for process 1
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - Reply status
A 10.1.8.0 255.255.255.0, 1 successors, FD is 2733056
    1 replies, active 0:00:11, query-origin: Multiple Origins
        via 10.1.1.2 (Infinity/Infinity), r, Ethernet0
        via 10.1.5.2 (Infinity/Infinity), Serial1, serno 159
        via 10.1.2.2 (Infinity/Infinity), Serial0, serno 151
    Remaining replies:
        via 10.1.1.1, r, Ethernet0

The first entry in the preceding output for show ip eigrp topology active identifies a neighbor that you are waiting on but that isn't under the Remaining replies section. Keep your eye out for both forms.


Now, back to the troubleshooting. Because show ip eigrp topology active on Router A revealed that you have been waiting on neighbor 10.1.4.1 for 1 minute and 23 seconds, you know which neighbor to look at next: Router B. Log into Router B and issue show ip eigrp topology active again to see why you haven't gotten an answer from it:

RouterB#show ip eigrp topology active
IP-EIGRP Topology Table for process 1
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - Reply status
A 10.1.100.0/24, 1 successors, FD is Inaccessible
    1 replies, active 00:01:36, query-origin: Successor Origin
        via 10.1.4.3 (Infinity/Infinity), Ethernet
    Remaining replies:
        via 10.1.1.1, r, Ethernet0

Router B is still waiting on a reply from 10.1.1.1, which is Router C. So the next logical step is to log into Router C and see why it isn't answering. On Router C, issue show ip eigrp topology active again:

RouterC#show ip eigrp topology active
IP-EIGRP Topology Table for process 1
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - Reply status
A 10.1.100.0/24, 1 successors, FD is Inaccessible, Q
    1 replies, active 00:01:49, query-origin: Successor Origin
        via 10.1.1.2 (Infinity/Infinity), Ethernet1
    Remaining replies:
        via 10.1.16.1, r, Serial0

Router C is in the same condition as Routers A and B. Router C has not answered Router B because it is still waiting on an answer as well. Now log into 10.1.16.1, which is Router D, to see whether this router has the same problem. The output of show ip eigrp topology active on Router D is different:

RouterD#show ip eigrp topology active
IP-EIGRP Topology Table for process 1

So Router D isn't waiting on anyone! Router C is waiting on Router D, but Router D isn't waiting on replies from any other router. This points at the link between Router C and Router D as the unreliable element, and you need to start exploring why communications between Router C and Router D aren't working correctly. The first thing to establish is whether the neighbor relationship is up, by issuing the show ip eigrp neighbor command:
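The chain-walking procedure above can be scripted. The following is an added example, not code from the book: it parses the show ip eigrp topology active format shown in this Case Study, treats every neighbor flagged with r (whether under Remaining replies or beside a path entry) as an outstanding reply, and hops from router to router until it reaches one with nothing active; the last two routers bracket the suspect link. The captures are transcribed from the Case Study output, and the address-to-router map (10.1.4.1 = Router B, 10.1.1.1 = Router C, 10.1.16.1 = Router D) is an assumption drawn from the same text.

```python
"""Walk the chain of stuck-in-active EIGRP routers from captured
'show ip eigrp topology active' output (added example, not from the book)."""
import re
from typing import Dict, List, Optional, Tuple

# "via 10.1.4.1, r, Ethernet1" or "via 10.1.1.2 (Infinity/Infinity), r, Ethernet0":
# a neighbor whose reply is still outstanding.  A path line without ", r,"
# (e.g. "..., Serial1, serno 159") is a neighbor that already answered.
PENDING = re.compile(r"via (\d+\.\d+\.\d+\.\d+)(?: \([^)]*\))?, r,")
# "A 10.1.100.0/24, 1 successors, FD is ...\n    1 replies, active 00:01:23, ..."
ACTIVE = re.compile(
    r"^A (\S+(?: \d+\.\d+\.\d+\.\d+)?),.*?active (\d+):(\d+):(\d+)", re.M | re.S)


def pending_neighbors(output: str) -> List[str]:
    """Addresses of neighbors that have not yet replied to the query."""
    return PENDING.findall(output)


def active_seconds(output: str) -> Dict[str, int]:
    """Seconds each active destination has been waiting, keyed by prefix."""
    return {m.group(1): int(m.group(2)) * 3600 + int(m.group(3)) * 60 + int(m.group(4))
            for m in ACTIVE.finditer(output)}


def follow_chain(captures: Dict[str, str], addr_to_router: Dict[str, str],
                 start: str) -> List[Tuple[str, Optional[str]]]:
    """Hop along the outstanding replies: [(router, address_it_waits_on), ...].
    The last entry carries None because that router is not waiting on anyone."""
    hops, router, seen = [], start, set()
    while router in captures and router not in seen:
        seen.add(router)
        pending = pending_neighbors(captures[router])
        if not pending:
            hops.append((router, None))
            return hops
        hops.append((router, pending[0]))
        router = addr_to_router.get(pending[0], pending[0])
    hops.append((router, None))  # capture missing or a cycle: stop here
    return hops


def suspect_link(captures, addr_to_router, start="RouterA"):
    """(upstream, downstream) routers at the end of the chain, or None."""
    hops = follow_chain(captures, addr_to_router, start)
    return (hops[-2][0], hops[-1][0]) if len(hops) > 1 else None


# Transcribed from the Case Study (assumed captures for this example).
CAPTURES = {
    "RouterA": """IP-EIGRP Topology Table for process 1
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - Reply status
A 10.1.100.0/24, 1 successors, FD is Inaccessible
    1 replies, active 00:01:23, query-origin: Local origin
        via Connected (Infinity/Infinity), Loopback0
    Remaining replies:
        via 10.1.4.1, r, Ethernet1
""",
    "RouterB": """IP-EIGRP Topology Table for process 1
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - Reply status
A 10.1.100.0/24, 1 successors, FD is Inaccessible
    1 replies, active 00:01:36, query-origin: Successor Origin
        via 10.1.4.3 (Infinity/Infinity), Ethernet
    Remaining replies:
        via 10.1.1.1, r, Ethernet0
""",
    "RouterC": """IP-EIGRP Topology Table for process 1
Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - Reply status
A 10.1.100.0/24, 1 successors, FD is Inaccessible, Q
    1 replies, active 00:01:49, query-origin: Successor Origin
        via 10.1.1.2 (Infinity/Infinity), Ethernet1
    Remaining replies:
        via 10.1.16.1, r, Serial0
""",
    "RouterD": "IP-EIGRP Topology Table for process 1\n",
}
ADDR_TO_ROUTER = {"10.1.4.1": "RouterB", "10.1.1.1": "RouterC", "10.1.16.1": "RouterD"}

# The "both forms" sample from the text: one neighbor flagged r beside its path
# entry, another listed under Remaining replies.
BOTH_FORMS = """A 10.1.8.0 255.255.255.0, 1 successors, FD is 2733056
    1 replies, active 0:00:11, query-origin: Multiple Origins
        via 10.1.1.2 (Infinity/Infinity), r, Ethernet0
        via 10.1.5.2 (Infinity/Infinity), Serial1, serno 159
        via 10.1.2.2 (Infinity/Infinity), Serial0, serno 151
    Remaining replies:
        via 10.1.1.1, r, Ethernet0
"""

if __name__ == "__main__":
    for router, addr in follow_chain(CAPTURES, ADDR_TO_ROUTER, "RouterA"):
        print(router, "waits on", addr or "nobody")
    print("suspect link:", suspect_link(CAPTURES, ADDR_TO_ROUTER))
```

The walk stops at the first router with no outstanding reply, which is exactly the point where the chapter tells you to drop down to show ip eigrp neighbor and ordinary link troubleshooting.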

RouterD#show ip eigrp neighbor
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime    SRTT   RTO  Q    Seq
                                (sec)          (ms)        Cnt  Num
0   10.1.16.2       Se0           14 00:10:27  1197  5000  1    741
RouterD#
%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 10.1.16.2 (Serial0) is down: retry limit exceeded
%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 10.1.16.2 (Serial0) is up: new adjacency

The Q count of 1 isn't a promising sign: a reliable packet is sitting in the queue for this neighbor, waiting for an acknowledgement. Then you get the message retry limit exceeded on the console, because eigrp log-neighbor-changes is configured on this router. The retry limit exceeded message indicates that acknowledgements are not being received for reliable packets. Now you need to determine why they aren't being received. Going back to Router C and checking the state of its neighbor relationship with Router D shows the following:

RouterC#show ip eigrp neighbor
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime    SRTT   RTO  Q    Seq
                                (sec)          (ms)        Cnt  Num
0   10.1.16.1       Se0           14 00:10:33   479  5000  1    1388
1   10.1.1.2        Et1           11 00:11:46    28   300  0    5318
RouterC#
%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 10.1.16.1 (Serial0) is down: retry limit exceeded
%DUAL-5-NBRCHANGE: IP-EIGRP 1: Neighbor 10.1.16.1 (Serial0) is up: new adjacency

So, Router C is also complaining about the inability to exchange reliable traffic with Router D. Now you need to use your normal troubleshooting skills to resolve this packet delivery problem: issue pings, look at the interfaces, and take the other usual steps needed to find the true cause. Other common problems that can cause a router not to answer queries include the following:

• Low memory
• Congestion on the link: too many routes for the pipe, or output queues that are too small and drop packets
• MTU problems: small packets are delivered over the link, but large packets are not

Without following the chain of waiting routers with the show ip eigrp topology active command, you would never have been able to find the failing link and start troubleshooting it.

Case Study: Redistribution

You will often find yourself wanting to redistribute routes from EIGRP into other protocols and routes from other protocols into EIGRP. The main problem with redistribution between protocols is that it's very easy to create redistribution routing loops. Look at Figure 7-15 to see why.

Figure 7-15 Redistribution Routing Loop

Given the setup in Figure 7-15, the following events occur:
1. Router C advertises the 172.16.20.0/24 network to Router B; assume it has a metric of 3 hops when it reaches Router B.
2. Router B advertises this route with a metric of 4 hops to Router A.
3. Router A redistributes the route into EIGRP with some metric and advertises it to Router D.
4. Router D redistributes it back into RIP with a default metric of, for example, 1 hop and advertises it to Router E.
5. Router E advertises this route to Router B with a metric of 2 hops, which is better than the route through Router C (which is, in fact, the correct route).

With EIGRP's administrative distance of 170 for external routes, the preceding problem shouldn't happen, should it? The example is simplified to make it clear. In reality, when Router D gets the route from Router A, Router D should prefer the route it had already received from RIP, because RIP's administrative distance of 120 is better than 170. So what is the problem?


The problem occurs if Router E temporarily loses the route to 172.16.20.0/24 and withdraws it from Router D. If this happens, Router D advertises the route to 172.16.20.0/24 to Router E because of the redistribution from EIGRP. So far this is what you want: the alternative path is working as a backup. Unfortunately, because the hop count on the redistributed route is set to 1 by the default metric, when Router E gets the "real" route back from Router B, it will not use it, because the one it received from Router D is better. This is not what you want to happen! This is a classic redistribution routing loop. How do you solve it? The easiest thing to do is to filter the destinations redistributed from RIP into EIGRP and from EIGRP into RIP.

Using Distribute Lists to Troubleshoot Redistribution Routing Loops

The first, and simplest, way to handle this is to set up a distribute list specifically blocking the routes that you don't want to redistribute. For example, on Router D, you could build the following distribute list:

access-list 10 deny 172.16.20.0 0.0.0.255
access-list 10 permit any
!
router rip
 redistribute eigrp 100
 distribute-list 10 out serial 0

Assuming that serial 0 is the link between Router D and Router E, this resolves the problem: RIP will not advertise the 172.16.20.0/24 route from Router D to Router E. If you have more than one connection back into the RIP side of the network, though, the distribute lists that must be maintained on each interface can become difficult to manage.

Using Route Maps to Troubleshoot Redistribution Routing Loops

Another alternative to distribute lists is a route map, in which case you would configure the following on Router D:

access-list 10 deny 172.16.20.0 0.0.0.255
access-list 10 permit any
!
route-map kill-loops permit 10
 match ip address 10
!
router rip
 redistribute eigrp 100 route-map kill-loops


This configuration allows only those networks permitted by access list 10 to be redistributed into RIP. It has the same effect as the distribute list used in the preceding solution, but it applies the filter in the redistribution itself rather than in the advertisement from Router D to Router E, so it covers every RIP interface on Router D at once. Another alternative is to match all external EIGRP routes in the route map, like this:

route-map kill-loops deny 10
 match route-type external
!
route-map kill-loops permit 20

But this will also "kill off" any external EIGRP routes learned from a protocol other than RIP. In other words, it prevents external destinations elsewhere in the EIGRP network from being reached by the hosts attached on the RIP side of the network.

Using Prefix Lists to Troubleshoot Redistribution Routing Loops

In addition to matching an access list in the route map, you can match a prefix list. For example, you could configure Router D with the following (each prefix-list entry needs its own sequence number; the first entry that matches decides, and a prefix that matches no entry is denied):

ip prefix-list loop-list seq 10 deny 172.16.20.0/24
ip prefix-list loop-list seq 20 permit 0.0.0.0/0 le 32
!
route-map kill-loops permit 10
 match ip address prefix-list loop-list
!
router rip
 redistribute eigrp 100 route-map kill-loops

The big advantage of prefix lists is that they allow you to match on the prefix length (the subnet mask) as well as on the prefix (the destination network) itself. The le 32 on the second entry is what makes it match every prefix of any length; 0.0.0.0/0 by itself would match only the default route. There are many more filtering possibilities once this is considered, but they won't be covered here.

Setting the Administrative Distance to Troubleshoot Redistribution Routing Loops

Another way to block these routes that is completely different, and doesn't rely on manually configuring an access list, is to set the administrative distance of all external routes learned by Router D from Router A. You can accomplish this using the distance command. On Router D, you would configure the following:


router eigrp 100
 distance 255 172.16.21.1 0.0.0.0

Assuming that Router A's address is 172.16.21.1, Router D assigns an administrative distance of 255 to any routes it receives from Router A. A route with an administrative distance of 255 is never inserted in the routing table; therefore, it will not be redistributed into RIP from EIGRP (because redistribution always works from the routing table rather than from the private databases that the various routing protocols keep). The only problem with this approach is that Router D refuses all routes learned from Router A, including legitimate ones. You can remedy this by adding an access list that limits the distance to the prefixes that cause the loop:

access-list 10 permit 172.16.20.0 0.0.0.255
!
router eigrp 100
 distance 255 172.16.21.1 0.0.0.0 10

Using External Flags to Troubleshoot Redistribution Routing Loops

All of the previously mentioned methods work, but they all require either configuring a list of networks or giving up the alternative route through the other protocol as a backdoor in case of failure. Tagging EIGRP externals to block routing loops resolves both problems and is fairly straightforward to configure. The two networks in Figure 7-16 have recently been merged by connecting Router A to Router B and Router C to Router D. At some point in the future, the network administrators intend to replace RIP with EIGRP; for now, they are redistributing between RIP and EIGRP on Routers A and C.

Figure 7-16 Complex Redistribution Routing Loop


This setup produces a classic redistribution routing loop. Router B learns about some destination, for example 10.1.4.0/24, through RIP and advertises this route to Router A. Router A redistributes the route into EIGRP and advertises it to Router C. Router C then redistributes the route back into RIP and advertises it to Router D, which advertises it back to Router B (possibly with a better metric than Router B saw in the original advertisement).

Almost all of the EIGRP network uses addresses from the 10.1.0.0/16 address space, and almost all of the RIP network uses addresses from the 10.2.0.0/16 address space. However, there are some exceptions, such as the 10.1.4.0/24 network. If it weren't for the exceptions, this redistribution routing loop would be easy to resolve: simply prevent Router A and Router C from advertising routes in the 10.2.0.0/16 range to Router B and Router D, and prevent Router B and Router D from advertising routes in the 10.1.0.0/16 range to Router A and Router C. Distribute lists combined with summarization would make this configuration very easy. (See the previous Case Study, "Redistribution," in this chapter for more information.)

Because there are exceptions, though, preventing this redistribution routing loop becomes more of a problem. You could build distribute lists around the subnets present on each side and apply them on Router A, Router B, Router C, and Router D, but this adds serious administrative overhead if there are a lot of exceptions, and the lists would need modification for each new exception added.

It is easier to use an automatic method: flag the routes learned through RIP on Router A and Router C, and then prevent any flagged route from being redistributed back into RIP. For example, Router A still learns about the 10.1.100.0/24 network through EIGRP and advertises this destination to Router B through RIP. Router B still advertises 10.1.4.0/24 to Router A, which redistributes it into EIGRP and advertises it to Router C. But Router A flags this route as coming from the RIP domain, so Router C won't advertise it back into RIP. Using a tag like this means that adding a new network in the RIP AS shouldn't require any reconfiguration on the routers doing the redistribution.

This type of routing loop is a good use for EIGRP's administrator tags. Tags are applied and matched using route maps. On Router A and Router C, first create the route maps:

route-map setflag permit 10
 set tag 1
!
route-map denyflag deny 10
 match tag 1
!
route-map denyflag permit 20


The setflag route map sets the administrator tag on every route to 1, whereas the denyflag route map denies routes with a tag of 1 and permits all others. On both Router A and Router C, apply these route maps to the redistribution between EIGRP and RIP:

router eigrp 4000
 redistribute rip route-map setflag
!
router rip
 redistribute eigrp 4000 route-map denyflag

As routes are redistributed from RIP into EIGRP, the route map setflag is applied, setting the EIGRP administrative tag to 1. As routes are redistributed from EIGRP into RIP, the tag is checked; if it is 1, the route is denied so that it won't be redistributed. Routes that originated inside EIGRP carry no tag and pass through unchanged, so the backdoor path through the other protocol remains available for them. (As with any RIP/EIGRP redistribution, both redistribute statements also need a metric, through default-metric or the metric keyword; it is omitted here for clarity.)

Case Study: EIGRP/IGRP Redistribution

One issue commonly faced with EIGRP is redistribution between IGRP and EIGRP, both for combining networks and for transitioning from IGRP to EIGRP. Use the network in Figure 7-17 as an example.

Figure 7-17 Redistribution between IGRP and EIGRP


In this network, Router A and Router B are redistributing between EIGRP AS 1 and IGRP AS 2. They have similar configurations:

hostname A
!
router eigrp 1
 redistribute igrp 2
 network 10.0.0.0
!
router igrp 2
 redistribute eigrp 1
 network 10.0.0.0
!

Looking at the routing table, you can see that Router A prefers the IGRP route through Router C rather than the EIGRP external route through Router B, which is actually the better path (through a T1 rather than a 56k link):

A#show ip route
I    10.1.1.0 [100/2000] via 10.1.5.2, 00:00:39, Serial0

Looking at the topology table on Router A, you can see the entry through Router B:

A#show ip eigrp topology 10.1.1.0 255.255.255.0
IP-EIGRP topology entry for 10.1.1.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 256000
  Routing Descriptor Blocks:
  10.1.5.2, from 10.1.5.2, Send flag is 0x0
      Composite metric is (256000/25600), Route is External

The EIGRP metric is 256,000, which you can divide by 256 to compare directly with the IGRP metric: 256000/256 is 1000, so the EIGRP external metric is actually better than the IGRP metric of 2000. The redistribution is causing you to choose the worse route rather than the best. You are choosing the IGRP route because of the administrative distances of the two protocols: IGRP has an administrative distance of 100, whereas EIGRP external routes have an administrative distance of 170. If you reconfigure Router A and Router B so that EIGRP and IGRP use the same AS number (in which case IOS redistributes between the two automatically, and the explicit redistribute statements are no longer needed), something odd happens in the routing table:

hostname B
!
router eigrp 1
 network 10.0.0.0
!
router igrp 1
 network 10.0.0.0
!

B#show ip route
D EX 10.1.1.0 [170/256000] via 10.1.10.2, 00:00:39, Ethernet0

Now the EIGRP external route is the preferred route! When comparing an EIGRP external (redistributed from IGRP in the same AS) and an IGRP route from the same AS, the router ignores the administrative distances of the two routes and compares only the metrics (scaling the IGRP metric by 256).

Case Study: Retransmissions and SIA

Two timers that can interact in EIGRP to cause an SIA route are the SIA (active) timer and the hold timer between two peers. How do these two relate? This section looks at the two independently and then at how they interact.

The Hold Timer

The obvious use for the hold timer is to determine how long a router will keep a neighbor relationship up without hearing any EIGRP hellos. Each time a router receives a hello packet from a neighbor, it resets the hold timer to the hold time contained in the hello packet and decrements it once for each second that passes. Once the hold timer reaches zero, the neighbor is assumed dead: all paths through that neighbor are marked unusable (DUAL is run over these destinations to determine whether the route needs to go active), and the neighbor is marked down.

But the hold timer is also used by EIGRP's reliable transport mechanism as an outer bound on how long to wait for a neighbor to acknowledge the receipt of a packet. As mentioned in Appendix C, EIGRP will retransmit 16 times or until retransmission has been going on for as long as the hold timer, whichever is longer. So, in the network depicted in Figure 7-18, assume that Router D's hold timer is 240 seconds. (Ignore the hello timer; it is a separate timer.)

Figure 7-18 Interactions between Hold Timers and SIA Timers

If Router C sends a packet to Router D, and Router D doesn't acknowledge the packet, Router C will continue retransmitting until it has retransmitted 16 times. Then it will check whether it has been retransmitting for 240 seconds. If it hasn't, it will continue sending the packet until it has been retransmitting for 240 seconds.


Once it has attempted retransmission for 240 seconds, it will assume that Router D is never going to answer and clear its neighbor relationship.

SIA Timer

The other timer you need to concern yourself with is the SIA timer, because it determines how long a query can be outstanding before the route is declared SIA and the neighbor relationship with the router that hasn't answered is torn down and restarted. This timer is, by default, 3 minutes (although there has been talk of changing it). This means that a router will wait 3 minutes after declaring a route active before it decides that any neighbor that has not replied for this active route has a problem, and restarts that neighbor. Going back to Figure 7-18, this means that if Router A loses its connection to 172.16.20.0/24, it will send a query to Router B. If it doesn't receive a reply to that query within 3 minutes, it will restart its neighbor relationship with Router B. Note that two completely different things are being discussed here: one is how long to wait for an acknowledgement of a packet, and the other is how long to wait for a reply to a query.

Interaction between the Hold Timer and the SIA Timer

Work through an example of how these two timers interact. Assume, in Figure 7-18, that Router A loses its connection to 172.16.20.0/24. Because it has no other paths to this destination, it marks the route active and sends Router B a query. Router B acknowledges the query and then sends a query to Router C; Router C, in turn, acknowledges the query and sends a query to Router D. But Router D, for some reason, never acknowledges the query. Router C begins retransmitting the query to Router D, and keeps doing so until it has been retransmitting for the length of the hold timer. For the entire time that Router C is trying to get an acknowledgement from Router D, Router A's SIA timer is running. Because the SIA timer is 3 minutes and Router D's hold timer is 4 minutes, Router A's SIA timer goes off before Router C gives up retransmitting the query to Router D and clears that neighbor relationship. Therefore, Router A registers an SIA and clears its neighbor relationship with Router B, a perfectly healthy neighbor, while the real problem sits between Router C and Router D. So, it's important to remember when designing your network that the hold timer for any given link should never be greater than or equal to the SIA timer for the entire network. In this case, there are two possible solutions:


• Reduce Router D's hold time to something less than the SIA timer (90 seconds, for example) by using the interface-level command ip hold-time eigrp.
• Increase the SIA timer to something greater than the hold timer (5 minutes, for example) by using the command timers active-time under the router eigrp configuration.

It's difficult to know which option to pick without more information. If the link between Router C and Router D is congested often enough that an acknowledgement takes 4 minutes to get through, then it's probably going to be necessary to increase the SIA timer. On the other hand, if it seems unreasonable to wait 4 minutes for a simple acknowledgement across a single link, then it's better to decrease the hold timer on Router D. (Remember to decrease the hello timer, too, with ip hello-interval eigrp, so that the hold time still covers several hellos.) The two tradeoffs are as follows:

• The hold timer should be a reasonable amount of time, given the nature of the link and the likelihood of an EIGRP packet being delayed for a given period.
• The SIA timer bounds the time the network is allowed to remain unconverged.

These two tradeoffs need to be balanced for your network. There are no magic numbers (although there are defaults).
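The design rule from this Case Study is easy to lint against an inventory of links. The following is an added example, not from the book: it encodes the retransmission limit as the chapter describes it (16 attempts or the neighbor's hold time, whichever is longer), flags every link whose limit reaches the active timer, and prints the two fixes the chapter offers. Spacing the 16 attempts by the 5-second RTO cap is this example's assumption, as is the Figure 7-18 link list; the suggested hold time (half the active timer) and active-time (one minute past the limit) are this example's rules of thumb, not values from the text.

```python
"""Lint an EIGRP design for hold timers that can outlive the SIA (active) timer
(added example, not from the book)."""
from dataclasses import dataclass
from typing import Dict, List

DEFAULT_ACTIVE_TIMER = 180   # seconds; 'timers active-time 3' is the IOS default
MAX_RETRIES = 16
RTO_CAP_SECONDS = 5          # assumed spacing of the 16 retransmissions (IOS caps RTO at 5 s)


@dataclass(frozen=True)
class Link:
    local: str
    neighbor: str
    neighbor_hold_time: int   # seconds the neighbor advertises in its hellos


def give_up_after(link: Link) -> int:
    """Seconds the local router keeps retransmitting to a silent neighbor before
    it resets the adjacency: 16 attempts or the hold time, whichever is longer."""
    return max(MAX_RETRIES * RTO_CAP_SECONDS, link.neighbor_hold_time)


def check_design(links: List[Link], active_timer: int = DEFAULT_ACTIVE_TIMER) -> List[Dict]:
    """Links where the querying router would declare SIA (and reset a healthy
    neighbor) before the router next to the silent link gives up, with the
    two fixes from the chapter: lower the hold time, or raise active-time."""
    findings = []
    for link in links:
        limit = give_up_after(link)
        if limit >= active_timer:
            findings.append({
                "link": f"{link.local}-{link.neighbor}",
                "retransmit_limit": limit,
                "active_timer": active_timer,
                # interface command on the neighbor's side of the link
                "fix_hold": f"ip hold-time eigrp <as> {active_timer // 2}",
                # router-level command, applied consistently across the network
                "fix_sia": f"timers active-time {limit // 60 + 1}",
            })
    return findings


# Figure 7-18, constructed: default 15-second hold times except Router D's 240.
FIGURE_7_18 = [Link("RouterA", "RouterB", 15),
               Link("RouterB", "RouterC", 15),
               Link("RouterC", "RouterD", 240)]

if __name__ == "__main__":
    for finding in check_design(FIGURE_7_18):
        print(finding)
```

Lowering the hold time also means lowering the hello interval on the same interface so that a few hellos still fit inside the hold time; the lint reports only the timer relationship the chapter is about.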

Case Study: Multiple EIGRP ASs

One design commonly used in EIGRP to limit query range and improve stability is multiple ASs, but is this really effective? Look at Figure 7-19 for some answers.

Figure 7-19 Multiple EIGRP ASs


Begin by assuming that Router D is redistributing all the routes from AS 100 into AS 200 and all the routes from AS 200 into AS 100. If Router C loses its direct connection to 172.30.9.0/24, it notes that it has no feasible successor, places the destination in active state, and queries each of its neighbors. When Router D receives this query, what action does it take? It looks through its topology table and, seeing no other routes to this destination within this AS, immediately sends a reply to Router C that the route is no longer reachable. Router C acknowledges the reply and sends an update to Router D that the route is no longer reachable. (So far, so good.)

Return to Router D once more. Router D was redistributing this route into AS 100. When Router D loses the route, it goes active on the AS 100 topology table entry and queries its neighbors (in this case, Router A). Router A, in turn, queries Router B; the entire query process runs in AS 100 for this route. In short, AS boundaries don't really stop queries in EIGRP. The query itself may stop, but a new query is generated at the AS border and propagated through the neighboring AS. So it won't help with query range issues, but can it really harm anything? Take a look at Figure 7-20 for a moment.

Figure 7-20 Autosummarization across an AS Boundary


Figure 7-20 reveals that not only does Router D redistribute between AS 100 and AS 200, but an autosummary for the 10.0.0.0/8 network on Router D is being advertised toward Router C, and an autosummary for 172.30.0.0/16 is being advertised toward Router A. Because of these autosummaries, the query range for 172.30.9.0/24 should be bounded at Router A. In other words, Router B should never receive a query about this network, because Router A shouldn't have any information about it in its topology database.

The problem is that EIGRP doesn't autosummarize externals unless there is also an internal component in the topology table. Router D won't build summaries for the 10.0.0.0/8 and 172.30.0.0/16 networks automatically; it advertises all of the components.

The really confusing part comes if you decide to add something in the 10.0.0.0 network on Router B. Suppose that you add an Ethernet link to Router B and address it as 10.1.5.0/24. Router B summarizes this to 10.0.0.0/8 and advertises it toward Router A (remember that this is an internal component), and Router A advertises it to Router D. When Router D sees that there is an internal component in the 10.0.0.0 network within AS 100, it begins summarizing the external routes toward Router A, advertising only the 10.0.0.0/8 route. This means that Router A has two routes to 10.0.0.0/8, a confusing situation at best.

What if you don't try to put a major network boundary on an AS boundary and rely on manual summarization instead? There aren't any other problems with multiple ASs, are there? As a matter of fact, yes. Take a look at Figure 7-21 for a third problem.


Figure 7-21 Discontiguous ASs

In the setup in Figure 7-21, Router B and Router D are redistributing between AS 100 and AS 200. Router E is redistributing from RIP into EIGRP AS 200. Router B receives two routes for 172.30.9.0/24: an internal through Router C and an external through Router A. Which route will it choose? The route through Router A probably has a better metric, but Router B chooses the path through Router C because the administrative distance of internal routes (90) is better than the administrative distance of externals (170). If all of these routers were in a single AS, Router B would choose the shortest path to 172.30.9.0/24; using multiple ASs causes the routers to choose suboptimal routes.

Consider the route to 172.30.11.0/24 next. Which route will Router B choose for this destination? It seems logical that Router B should choose the route through Router A, because both routes are externals (the administrative distances are the same for both routes). However, the behavior in this instance is undefined. In other words, Router B could choose either route, regardless of which one has the better metric.

All in all, it's best to stick to one AS unless you've carefully thought out all of the issues involved in multiple AS designs. With good design, you can limit the query scope within the network through summarization and distribution lists. If an EIGRP network grows large enough to need splitting, it's better to use a protocol other than EIGRP to do so (preferably BGP, or possibly NHRP or MPLS).

Review

1: What are the two basic tools you can use to summarize routes (or hide destination details) in EIGRP?
2: How can you tell that a route is a summary when you look at the routing table?
3: What is the default administrative distance for a summary route? What is the problem with this?
4: What bounds a query?
5: How far beyond one of the possible query bounds will a query travel?
6: What is the primary advantage to summarizing between core routers rather than between the distribution layer and core?
7: How is it possible to "black hole" packets when summarizing destinations behind dual-homed remotes into the core?
8: Why should summarization be configured outbound from the distribution layer routers toward access layer routers at remote sites?
9: What is the most common problem with dual-homed remotes? What options are available to resolve it?
10: What methods can be used to break a redistribution routing loop?
11: Under what conditions is the administrative distance ignored between EIGRP and IGRP?
12: What options do you have for generating a default route in EIGRP?
13: How can you prevent multiple parallel links within a network from being used as transit paths?
14: What does EIGRP use to pace its packets on a link?
15: Implement EIGRP on the network you redesigned for Review Question 11 in Chapter 4, "Applying the Principles of Network Design." Discuss decisions on summarization points and be careful of non-transit paths and other design flaws.


Part III: Scaling beyond the Domain

Chapter 8 BGP Cores and Network Scalability
Chapter 9 Other Large Scale Cores


Chapter 8. BGP Cores and Network Scalability

Border Gateway Protocol (BGP) is the routing protocol that (literally) glues the Internet together. It falls under the Exterior Gateway Protocol (EGP) category, unlike the protocols described in previous chapters, which are Interior Gateway Protocols (IGPs). BGP4 is the current version, but throughout this chapter it will be referred to simply as BGP.

Traditionally, BGP has been used to exchange routing information between different ASs. In the typical configuration, BGP is used to tie Internet service providers (ISPs) to their customers and to each other. This chapter does not deal with connections to the Internet or inter-ISP operations, even though most of the experience in this area comes from the ISPs. Instead, it presents the proven, robust, and scalable BGP features that will allow your network to grow past any IGP limitations. The only portion where Internet connectivity is dealt with explicitly is in the "Case Study: Dual-Homed Connections to the Internet."

This chapter is not about BGP itself, but about how it can be used to scale your network even further. It is assumed that you are familiar with the basic operation of the protocol. If you need a quick review, read Appendix D, "BGP Fundamentals," before continuing.

As described in previous chapters, hierarchy, addressing, summarization, and redundancy are essential components of a good network design. The way that the IGP of your choice is placed on top of these elements is equally important. However, all protocols have limitations, and as the network grows, you will unavoidably hit them.
The main limitation is the amount of routing information that the protocol can handle, no matter how good your addressing scheme and summarization strategy are. BGP, on the other hand, is currently deployed worldwide and carries more than 55,000 routing entries at the core of the Internet. (This number is growing at the time of this writing.) Some providers have been known to carry closer to 80,000 routes!

Policies are hard to define and enforce with an IGP because there is little flexibility; usually, only a tag is available. In the age of continuous mergers and acquisitions, it may be cumbersome and difficult to connect two networks while keeping instability isolated and managing multiple IGPs. BGP offers an extensive suite of knobs to deal with complex policies: communities, AS_PATH filters, local preference, and the Multi-Exit Discriminator (MED), to name a few.

BGP also counters instability by implementing a route dampening algorithm: the advertisement of a route is suppressed if it is known to change (flap) regularly over a period of time. (All the parameters, from the periodicity of the flaps to the type of routes suppressed, are configurable.)

Although you will follow the structural recommendations given in this book when building networks with the different IGPs studied, BGP is not tied to a set hierarchical model. In fact, the topology can take any form, and the protocol will adapt to it. Look at the Internet: it has no discernible hierarchical structure, it is impossible to pinpoint a core or a distribution layer (for the Internet as a whole), and it works!


Neighbors, Routes, and Propagation Rules in BGP

A router using BGP exchanges routing information by forming a neighbor relationship with other routers. BGP routers can establish either internal or external peerings. BGP peers in the same AS are called iBGP peers, while peers in a different AS are called eBGP peers. An AS may have more than one external connection (on different routers), in which case several BGP speakers are needed in the network to maintain routing consistency.

Unlike other protocols, the rules of when and whether a prefix is advertised to a neighbor depend on the type of neighbor the prefix was learned from. There are three possible combinations:

• Routes learned from an eBGP peer: propagated to all peers.
• Routes learned from an iBGP peer: propagated only to eBGP peers.
• Routes originated locally: propagated to all peers.

Because routes learned from iBGP peers are not sent to other iBGP peers, it is clear that a full logical mesh is needed between them to ensure consistent routing information. (Route reflectors and confederations, covered later in this chapter, are the two ways to relax this requirement.)

This chapter is a discussion of the use of BGP as a way to scale your network even further. The discussion starts with a description of the implementation in the core of the network (where full routing is required) and then expands the concepts to be used in the network as a whole.

BGP in the Core

The core is the place in your network where the scalability pains will be felt first. The core needs to have full knowledge of all the destinations in the network: full routes. The task is to configure BGP on all the core routers and let it handle the routes that are external to the core. The IGP will carry only the information about local destinations. See Figure 8-1.

Figure 8-1 The Network Core


A simple way to shift the burden of carrying the routing information to BGP is to implement a full iBGP mesh in the core. In this case, the routing information from the distribution layer is redistributed into BGP, which carries it as internal routes. IGP routes have a lower administrative distance than iBGP routes (on Cisco routers, 110 for OSPF against 200 for iBGP) and, hence, are favored. Therefore, it is necessary to filter all the IGP routes coming from the distribution layer into the core. Another solution is to use a different IGP in the core (or at least a different instance or process). In addition, iBGP synchronization needs to be turned off. For details on synchronization, see Appendix D, "BGP Fundamentals."

This approach provides an instant scalable core. In terms of migration, you should overlay BGP on the IGP that is currently in use. Once the routes have been redistributed into BGP and their consistency is verified (in other words, make sure that all the routes are present in the BGP table), you can start filtering the IGP information at the border. If two or more distribution routers are introducing the same summary, then changing iBGP's administrative distance to favor its routes over the IGP's is a safer approach.

It is very important to highlight the fact that BGP was not conceived as an IGP; its main objective when it was designed was to carry external routes, that is, routes learned from other ASs or routing domains. BGP cannot detect routing loops within an AS; it can detect loops only in eBGP routes (through the AS_PATH). Because of this, you cannot redistribute iBGP routes (routes originated in the local AS) into your IGP; Cisco IOS refuses to do so unless explicitly told otherwise. In other words, the BGP routes cannot be passed on to the distribution layer. This leaves you with a single choice: to carry only a default pointing back to the core. If your distribution layer needs at least partial routing information from the core, then you will need to have an eBGP connection. This approach is explored in the following sections. Another advantage of using eBGP to glue your network together is the added flexibility (in filtering and decision making) that BGP provides.

Case Study: Sample Migration

Consider the network core in Figure 8-1. The first task is to overlay BGP on the existing network without any other changes taking place. The configuration is simple and can be standardized for ease of deployment:

router bgp 109
 no synchronization
 ! the OSPF process number here must match the router ospf process
 redistribute ospf 1 route-map routes-to-core
 ! one neighbor statement per other core router
 neighbor x.x.x.x remote-as 109
 no auto-summary
!
route-map routes-to-core permit 10
 ! MED = IGP metric to the next hop, so the closest exit wins
 set metric-type internal

Note that synchronization and auto-summary are turned off. This last action allows BGP to carry the routing information with the same granularity as the IGP does (not only the major networks). Also, the MED is set using the set metric-type internal command, so that the best exit point (shortest IGP distance) can be chosen in case of multiple options. Remember: one neighbor statement is required for each of the other routers in the core.

As discussed in Chapter 5, "OSPF Network Design," the ABRs may or may not be located at the edge of the core. The preceding configuration assumes that the ABRs are not the border routers, so redistribution of OSPF into BGP takes place. Keep in mind that the redistributed routes are the ones present in the routing table. If the border routers are ABRs, then summarization takes place at these routers. The summarized routes, however, are not present in the routing table at the ABRs. It is necessary to manually create the summaries and then redistribute them. The sample configuration changes to something like this:


router bgp 109
 no synchronization
 neighbor x.x.x.x remote-as 109
 ! only the static summaries below are redistributed, not every OSPF route
 redistribute static route-map routes-to-core
 no auto-summary
!
router ospf 109
 area 0 range y.y.y.y y.y.y.y
 area 0 range t.t.t.t t.t.t.t
!
! the summaries "nailed" to null0 so they are always in the routing table
ip route y.y.y.y y.y.y.y null0
ip route t.t.t.t t.t.t.t null0
!
route-map routes-to-core permit 10
 set metric 20

An advantage of this method is that the routes are "nailed" to the null0 interface (which never flaps and never goes down), which will ensure stability in the core regardless of the state of any of the areas. The trade-off is that the core keeps forwarding traffic for the whole summary even when every destination inside it is down; that traffic is dropped at the ABR. One major difference in the approach is the use of the metric; in this case, the metric may be set either with a route map or on each route at the time it is defined.

To verify the consistency of the information in the BGP table, a comparison must be made between the data in the routing table (learned via OSPF, in this case) and the data in the BGP table. The following output presents an example of what you need to see (for network 20.1.1.0/24, in this case):

rtrC#show ip route 20.1.1.0
Routing entry for 20.1.1.0/24
  Known via "ospf 109", distance 110, metric 65, type intra area
  Redistributing via ospf 109
  Last update from 140.10.50.6 on Serial0, 00:00:28 ago
  Routing Descriptor Blocks:
  * 140.10.50.6, from 20.1.1.1, 00:00:28 ago, via Serial0
      Route metric is 65, traffic share count is 1

rtrC#show ip bgp 20.1.1.0
BGP routing table entry for 20.1.1.0/24, version 47
Paths: (1 available, best #1)
  Local
    140.10.50.6 from 140.10.50.6 (20.1.1.1)
      Origin incomplete, metric 20, localpref 100, valid, internal, best

If these two tables are not uniform, then you will need to revisit your redistribution points and check your filters (if any). Because LSA filtering can be tricky (at best) or impossible, changing the administrative distance for the iBGP routes will be explored next. To achieve the change, the following command is used:


router bgp 109
 distance bgp 20 20 20

This command sets the administrative distance for external, internal, and local BGP routes (the three arguments, in that order) to 20. In Cisco routers, the default administrative distance for OSPF routes is 110, and the lowest value is preferred. Note that 20 is also the default distance of eBGP routes, so after this change the iBGP routes win over every IGP on the router; choose the value with the rest of the design in mind. To verify the effectiveness of the change, take a look at the routes again:

rtrC#show ip route 20.1.1.0
Routing entry for 20.1.1.0/24
  Known via "bgp 109", distance 20, metric 20, type internal
  Last update from 140.10.50.6 00:00:09 ago
  Routing Descriptor Blocks:
  * 140.10.50.6, from 140.10.50.6, 00:00:09 ago
      Route metric is 20, traffic share count is 1
      AS Hops 0

rtrC#show ip bgp 20.1.1.0
BGP routing table entry for 20.1.1.0/24, version 47
Paths: (1 available, best #1)
  Local
    140.10.50.6 from 140.10.50.6 (20.1.1.1)
      Origin incomplete, metric 20, localpref 100, valid, internal, best

Now the BGP route is the one in the routing table.
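The comparison between the two tables is worth automating, because the migration depends on it and a single missed prefix turns into a black hole once the IGP is filtered at the border. The following script is an added example, not part of the book's case study: it parses constructed samples in the table form of the show ip route and show ip bgp output (one line per prefix, the same formats the router uses for the entries shown above), lists IGP destinations that never made it into the BGP table, and reports which protocol owns each prefix in the routing table before and after distance bgp 20 20 20. The addresses, the deliberately missing 20.1.4.0/24, and the sample outputs are all constructed for the example.

```python
"""Check that BGP carries everything the IGP put in the routing table.
Added example, not the book's code: it parses constructed samples in the
table form of the IOS "show ip route" and "show ip bgp" output."""
import re

# Constructed "show ip route" output before the distance change: OSPF (AD 110)
# owns every prefix, and 20.1.4.0/24 is deliberately absent from the BGP table
# below to stand in for a redistribution route-map mistake.
RIB_BEFORE = """\
O    20.1.1.0/24 [110/65] via 140.10.50.6, 00:00:28, Serial0
O    20.1.2.0/24 [110/75] via 140.10.50.6, 00:00:28, Serial0
O IA 20.1.3.0/24 [110/84] via 140.10.50.10, 00:01:02, Serial1
O    20.1.4.0/24 [110/65] via 140.10.50.6, 00:00:28, Serial0
C    140.10.50.4/30 is directly connected, Serial0
"""
# Constructed "show ip route" output after "distance bgp 20 20 20".
RIB_AFTER = """\
B    20.1.1.0/24 [20/20] via 140.10.50.6, 00:00:09
B    20.1.2.0/24 [20/20] via 140.10.50.6, 00:00:09
B    20.1.3.0/24 [20/20] via 140.10.50.10, 00:00:09
O    20.1.4.0/24 [110/65] via 140.10.50.6, 00:00:28, Serial0
C    140.10.50.4/30 is directly connected, Serial0
"""
# Constructed "show ip bgp" output (status codes: * valid, > best, i internal).
BGP_TABLE = """\
   Network          Next Hop            Metric LocPrf Weight Path
*>i20.1.1.0/24      140.10.50.6             20    100      0 ?
*>i20.1.2.0/24      140.10.50.6             20    100      0 ?
*>i20.1.3.0/24      140.10.50.10            20    100      0 ?
"""

# "O IA 20.1.3.0/24 [110/84] via ..." -> code, prefix, [AD/metric]. Lines without
# an [AD/metric] pair (connected interfaces) are skipped.
ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Za-z*]\S*(?: [A-Z][A-Z0-9])?)\s+"
    r"(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+\[(?P<ad>\d+)/(?P<metric>\d+)\]")
# "*>i20.1.1.0/24      140.10.50.6 ..." -> status codes, network, next hop.
# Classful networks print without a mask, and extra paths for one network print
# with an empty network column; this simple parser keeps only the first path.
BGP_LINE = re.compile(
    r"^(?P<status>[*>sdhri ]{1,3})(?P<prefix>\d+(?:\.\d+){3}(?:/\d+)?)\s+"
    r"(?P<nexthop>\d+(?:\.\d+){3})")
IGP_CODES = set("ODiRI")  # OSPF, EIGRP, IS-IS, RIP, IGRP route codes


def parse_show_ip_route(text):
    """Return {prefix: (protocol code letter, administrative distance, metric)}."""
    rib = {}
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            rib[m["prefix"]] = (m["code"][0], int(m["ad"]), int(m["metric"]))
    return rib


def parse_show_ip_bgp(text):
    """Return {prefix: {"valid": bool, "best": bool, "nexthop": str}}."""
    table = {}
    for line in text.splitlines():
        m = BGP_LINE.match(line)
        if m and m["prefix"] not in table:
            table[m["prefix"]] = {"valid": "*" in m["status"],
                                  "best": ">" in m["status"], "nexthop": m["nexthop"]}
    return table


def consistency_report(rib_text, bgp_text):
    """Compare IGP routes in the RIB with the BGP table, as the migration requires."""
    rib = parse_show_ip_route(rib_text)
    bgp = parse_show_ip_bgp(bgp_text)
    igp = {p for p, (code, _, _) in rib.items() if code in IGP_CODES}
    best = {p for p, e in bgp.items() if e["best"]}
    return {
        # IGP destinations BGP never learned: revisit redistribution and filters.
        # Filtering the IGP at the border now would black-hole these.
        "missing_from_bgp": sorted(igp - set(bgp)),
        # Present in BGP but with no best path (for example, next hop unreachable).
        "bgp_without_best": sorted(set(bgp) - best),
        # BGP has a best path, yet the RIB still prefers the IGP route: the
        # administrative-distance problem the text solves with "distance bgp".
        "igp_wins": sorted(p for p in best if p in rib and rib[p][0] != "B"),
        # Prefixes the RIB now installs from BGP.
        "installed_from_bgp": sorted(p for p, (c, _, _) in rib.items() if c == "B"),
    }


if __name__ == "__main__":
    for label, rib in (("before", RIB_BEFORE), ("after", RIB_AFTER)):
        print(label, consistency_report(rib, BGP_TABLE))
```

Run as is, it prints both reports; in practice, feed it the captured output of show ip route ospf and show ip bgp from each border router. Before the distance change every redistributed prefix shows up under igp_wins, afterwards under installed_from_bgp, and 20.1.4.0/24 stays under missing_from_bgp either way, which is exactly the prefix that would be black-holed if the IGP were filtered now. The parser only sees the first path of each BGP network and leaves classful networks printed without a mask as they are, so extend it before trusting it on a production table.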

Scaling beyond the Core

As your network grows toward becoming an international juggernaut, you will find that taking the load off the core routers is not enough; it is time to extend the use of BGP to the rest of the network. Three different approaches may be followed in general:

• You can divide your network into separate routing domains and connect them using eBGP.
• You can use confederations.
• You can use route reflectors.

iBGP requires a full internal mesh to ensure routing consistency. This internal mesh grows larger as BGP extends throughout the network and, of course, as the network grows. The last two approaches in the preceding list present a scalable way to reduce the number of neighbors while maintaining consistency. Dividing your network up into separate ASs and reducing the number of internal neighbors will be covered first. The first two approaches are very similar. In fact, both require that you follow these three "easy" steps:


1. Divide the network into multiple regions/areas.
2. Select and configure an IGP for each region/area.
3. Connect each region using BGP.

The "divide and conquer" option that you choose will depend on a combination of the topology (resulting from the division) and the external connectivity. The following "rule of thumb" is offered to aid in the decision:

1. Is your network connected to the Internet, or are you planning to connect it?
   o If no, then connect the pieces using eBGP.
   o If yes, then go to the next step.
2. Did the division result in a two-level hierarchy with a core AS and all the others connecting to it (and not among themselves)? (See Figure 8-2.)
   o If no, then use confederations.
   o If yes, then go to the next step.
3. Where are the connections to the Internet located?
   o If at least one is not in the core AS, use confederations.

Figure 8-2 Divided into Regions

You have reached the end of the "magic formula," and no clear decision may have been made. The next couple of pages examine the general case, concentrating on using eBGP connections to tie the pieces together. The operation of a network using confederations is described later in this chapter.

Dividing the Network into Pieces

Depending on the topology (both logical and physical) of your network, the division may take place along geographical boundaries, departmental lines, or the hierarchical structure itself. Figure 8-2 shows a proposed partition of the sample network. The most straightforward partition is along hierarchical lines. (The same principles can be extended to networks fragmented along different lines.)

The distribution layer will always connect to the core at different points. This, along with the fact that it is at these junctions where summarization takes place, makes implementation of a BGP core ideal. In this case, the local BGP process in the distribution router will originate the summarized routes. An eBGP connection will carry the routes into the core, allowing for detailed control regarding which routes make it through and their attributes. The core routers should be configured in a full iBGP mesh.

At this point, you have managed to effectively split the network up into several independent units. From the BGP point of view, the core has a full iBGP mesh and eBGP connections to all the other subnetworks. The subnetworks need to have only a few BGP speakers, which are the routers that connect to the core. However, there are two situations where you should consider creating an iBGP mesh inside any of these subnetworks:

• Most of the routes from the core are needed: In this case, you will have the same scalability issues as you encountered in the core before.
• The need exists to provide transit to reach other subnetworks: Clearly, the number of routes will considerably increase and will need to be transported to the core. This scenario will occur only on networks either resulting in more than one layer of hierarchy or without a clear core AS.

Until now, you have been dealing with a straight hierarchical network where there is a core network with all the other pieces connected to it. BGP, however, allows the flexibility to connect the subnetworks any way you want! BGP will take care of finding the best path to any destination for you. Connections to the Internet, and/or other networks, should take place at the core, and private Autonomous System Numbers (ASNs, the range 64512 through 65535) should be removed at the point where you attach to the outside world (on Cisco routers, with neighbor <address> remove-private-as on the external sessions). It is important to distinguish the regional eBGP connections from the "real" external ones. In the case where multiple connections to the Internet exist, these should be located in the core region. If this is not possible, then confederations must be used.


Regional IGPs

After dividing the network into regions, you will effectively have created several "independent" networks. Each one may be designed to have its own core, distribution layer, access layer, addressing scheme, and internal redundancy. In addition, each region may use its own IGP. The decision whether to use different IGPs or not is up to you. Link-state protocols may be tricky in the implementation of filters. If anything, you might end up at least using different instances of the same protocol in the different regions.

BGP Network Growing Pains

Even BGP may experience some growing pains as the core or the regions grow. Keep in mind that a full iBGP mesh is required. Most likely, the core will have a pervasive BGP configuration (which means that all the routers run BGP). Some of the issues that need to be kept in mind with a large number of neighbors include the following:

• BGP update generation
• Loss of information due to aggregation
• Scaling BGP policies
• Scaling the iBGP mesh
• Route flaps

Update Generation Issues

BGP sends only incremental updates. If the network is stable, why is update generation a problem? One update needs to be formed for every peer. In other words, each time a prefix changes, the router needs to generate as many updates as it has neighbors. In routers with a high number of neighbors (even those that experience sporadic changes), this could represent impairment in the form of a high percentage of processor utilization, which may result in the router not having enough cycles to process traffic. There are two ways to prevent this problem:

• Reduce the number of updates generated
• Reduce the number of neighbors

Reducing the Number of Updates Generated

To reduce the number of updates generated, it is not obligatory to reduce the number of neighbors. The number of updates may be decreased with the use of peer groups. A peer group is a set of BGP neighbors that shares the same outbound policy, but their inbound policies may be different. You may configure your router to filter out routes sent to some of the departments in the company (the routes to reach the payroll servers, for instance). In general, iBGP peers receive the same updates all the time, making them ideal to be arranged in a peer group. The main advantage, besides ease of configuration, is the fact that the updates are generated only once per peer group.


Reducing Neighbor Count

At first glance, the reduction of the number of neighbors does not seem to be possible. After all, you already know that a full iBGP mesh is required for proper operation of the protocol. As far as eBGP peers are concerned, if external information is needed, they have to be there. Two methods can be used, however, to achieve a reduction in the number of neighbors (iBGP neighbors, that is):

• Confederations
• Route reflectors

The next two sections cover these methods in greater detail.

Confederations

In short, this method of reducing the number of neighbors consists of breaking up the AS into smaller units by following the same procedure that was outlined before (assigning a separate, typically private, ASN to each new piece), with the difference that the division is hidden: the whole still looks like one AS to the eBGP peers. The AS will be divided into pieces, and each piece will be its own AS (using private numbering) complete with iBGP as well as eBGP peers. The iBGP peers will be the other BGP speakers in the same sub-AS, whereas the eBGP peers will be the BGP speakers both in the other sub-ASs and outside the main AS. Each router is configured with the new sub-ASN, but it is given information about which other ASs belong to the same confederation. In general, eBGP peerings between the sub-ASs are treated as ordinary eBGP peerings with one exception: local preference, MED, and the next hop are passed unchanged across sub-AS boundaries (and the sub-ASNs are stripped from the AS_PATH when a route leaves the confederation). This behavior allows the main AS to function as one to the outside. If you are confused, look at Figure 8-3.

Figure 8-3 Confederations


The real ASN is 1; external neighbors will see all three of the ASs as one AS. Internally, the network has been divided into three new sub-ASs. Routers A, B, and C are all eBGP neighbors inside the confederation. The main advantage of using confederations is the fact that policies can now be more easily controlled inside the network by having multiple ASs. However, the whole network needs to be migrated to this scheme at the same time, and leaving one or more routers without a proper confederation configuration may cause routing loops. At all times each member of a confederation (that is, all the BGP routers in the network) should know what the real ASN is, which sub-AS it belongs to, and what other sub-ASs belong to the same confederation. If any of this information is missing, then improper information propagation may result.

Route Reflectors

One of the big advantages of route reflectors is that you can stage your migration to them, which means that you can configure one router at a time without disrupting normal operation of the whole network. In short, the iBGP forwarding rules are broken: route reflectors are capable of forwarding iBGP-learned routes to other iBGP peers. It is important to understand that only the routers configured as route reflectors will forward routes to other iBGP peers. Therefore, only the route reflectors need any special configuration.

Because route reflectors may be deployed throughout the network at any given time, study their implementation in parts of the network illustrated in Figure 8-1. The core will maintain a full mesh configuration as long as all the routers at its edge are route reflectors. Some parts of the network may have a two-tier route reflection structure. In general, the best way to place clusters in the network is to follow the physical topology.

A router configured as a route reflector will categorize its iBGP neighbors as clients and non-clients (refer to Figure 8-4). Clients are routers that depend on the route reflector to receive internal routing information; clients do not need any type of special configuration. In fact, all they need is an iBGP session to the route reflector. A route reflector and its clients are collectively known as a cluster.

Figure 8-4 Two-Tier Route Reflector Mesh

Figure 8-4 shows two separate clusters; each one will be covered here. Router C is a route reflector with four clients (Router I, Router G, Router E, and Router F). If both Router I and Router G have external connections, the prefixes are forwarded as follows:

1. Routers I and G receive an external route. (Assume it's for the same prefix.)
2. Both routers announce this prefix to their iBGP neighbor; Router C is their only iBGP peer.
3. Router C compares the routes and selects one best path.
4. Because it is a route reflector, Router C propagates its best path to all its other clients and non-clients. (Router A is the only non-client peering with Router C, in this case.)

Note that in Router C's case the clients don't have iBGP sessions between them.

Router B is a route reflector with three fully meshed clients. The full mesh at the client level yields two different results. First, the route reflector doesn't have to reflect the information between clients. Although you might be thinking that a fully meshed configuration defeats the purpose of having a route reflector, it isn't true! Keep in mind that the objective is to reduce the number of iBGP peers: the clients have a full mesh, but they don't have to peer with the rest of the network! If Router H has an external connection, the prefixes are forwarded as follows:

1. Router H receives an external route, and it propagates it to all of its iBGP peers (Router D, Router E, and Router B).
2. Routers D and E don't do anything more; they follow the rules!
3. Router B will propagate the path information (if it is the best path) to its non-clients (Router A and Router X).

As a side note, if Router B were to reflect the best path back to its clients, there would be redundant information. (Cisco routers do reflect between clients by default; the no bgp client-to-client reflection command turns this off when the clients are fully meshed.) The issue here is not the redundant information that the clients would receive, but the processing that is required by the route reflector. In other words, it is recommended to have a cluster with a full mesh of clients if clients are present in a significant number or if the physical topology dictates this to be so.

Route Reflector Redundancy

As you may have noticed, a route reflector may become a single point of failure. In many cases, this situation is unavoidable because of the physical topology of the network (as discussed in Chapter 3, "Redundancy"). There are a couple of ways to achieve route reflector redundancy.

The "classical" case is when the route reflectors are put in the same cluster. Each cluster has a cluster ID (by default the router ID of the route reflector; on Cisco routers it is set explicitly with bgp cluster-id). So, you need to configure all the reflectors to have the same cluster ID. The limitation (but also where the additional redundancy is present) is that all the clients need to have iBGP sessions with both reflectors. The route reflectors should be iBGP peers of each other; if a prefix has already been forwarded by one of the reflectors, the others will not forward it again. (This is where the cluster ID comes into play: a reflector discards a route whose cluster list already carries its own cluster ID.)

The "modern" approach is to have only one route reflector per cluster. In this case, not all the clients need to connect to all the route reflectors (only the ones that need/want the redundancy). Refer back to Figure 8-4; Router E is a client of two different route reflectors.
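The propagation rules listed earlier, the full-mesh requirement, the two walk-throughs for Figure 8-4, and the cluster ID check that makes two reflectors in one cluster safe can all be exercised in a small simulation. The following is an added example, not the book's code and not a BGP implementation: a toy model in which each speaker classifies every peer as eBGP, iBGP, or client, applies the three propagation rules plus reflection, stamps ORIGINATOR_ID and CLUSTER_LIST when it reflects, rewrites the next hop only on eBGP sessions, and drops a route whose AS_PATH, ORIGINATOR_ID, or CLUSTER_LIST shows that it has come around a loop. Router names stand in for router IDs and cluster IDs; best-path selection is reduced to AS_PATH length, eBGP over iBGP, and shorter CLUSTER_LIST, with ties keeping the installed path; the core routers A, B, and C are assumed to be fully meshed; and the external neighbors ext1 (AS 200) and ext2 (AS 300) are assumed. None of those details come from the book.

```python
"""Toy BGP propagation model: eBGP/iBGP rules, route reflection, loop checks. Added
example, not the book's code nor real BGP: names stand in for router/cluster IDs."""
from dataclasses import dataclass, replace

EBGP, IBGP, CLIENT = "ebgp", "ibgp", "client"   # how a speaker classifies a peer


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple            # nearest AS first; prepended only on eBGP sessions
    next_hop: str             # rewritten on eBGP, untouched by iBGP and reflection
    originator: str = ""      # ORIGINATOR_ID, stamped when a route is first reflected
    cluster_list: tuple = ()  # CLUSTER_LIST, one cluster ID per reflector traversed


class Speaker:
    def __init__(self, name, asn, cluster_id=None):
        self.name, self.asn = name, asn
        self.cluster_id = cluster_id or name  # default cluster ID: the router's own ID
        self.peers = {}     # peer name -> EBGP | IBGP | CLIENT
        self.rib = {}       # prefix -> (Route, name of the peer it was learned from)
        self.dropped = []   # (prefix, from peer, reason) for loop-prevention drops


class Network:
    def __init__(self):
        self.speakers = {}

    def add(self, name, asn, cluster_id=None):
        self.speakers[name] = Speaker(name, asn, cluster_id)

    def peer(self, a, b, client=False):
        """Open a session a<->b; client=True makes b a route-reflector client of a."""
        sa, sb = self.speakers[a], self.speakers[b]
        if sa.asn != sb.asn:
            sa.peers[b] = sb.peers[a] = EBGP
        else:
            sa.peers[b] = CLIENT if client else IBGP
            sb.peers[a] = IBGP

    def originate(self, name, prefix, next_hop):
        self._install(self.speakers[name], Route(prefix, (), next_hop), None)

    def _install(self, spk, route, from_peer):
        def rank(r, frm):   # toy best path, lower wins: AS_PATH length, then eBGP
            ext = frm is None or spk.peers[frm] == EBGP  # over iBGP, then the shorter
            return (len(r.as_path), not ext, len(r.cluster_list))  # CLUSTER_LIST
        if route.prefix in spk.rib and rank(route, from_peer) >= rank(*spk.rib[route.prefix]):
            return                                # an equal key keeps the installed path
        spk.rib[route.prefix] = (route, from_peer)
        self._advertise(spk, route, from_peer)

    def _advertise(self, spk, route, from_peer):
        src = None if from_peer is None else spk.peers[from_peer]
        for name, kind in spk.peers.items():
            if name == from_peer:
                continue
            if kind == EBGP:                       # prepend own AS, next hop = self
                out = Route(route.prefix, (spk.asn,) + route.as_path, spk.name)
            elif src in (None, EBGP):              # local or eBGP-learned: everyone
                out = route
            elif src == CLIENT or kind == CLIENT:  # reflection: stamp RR attributes
                out = replace(route, originator=route.originator or from_peer,
                              cluster_list=(spk.cluster_id,) + route.cluster_list)
            else:                                  # iBGP-learned to non-client: never
                continue
            self._receive(self.speakers[name], out, spk.name)

    def _receive(self, spk, route, from_peer):
        if spk.peers[from_peer] == EBGP and spk.asn in route.as_path:
            reason = "own AS in AS_PATH"
        elif route.originator == spk.name:
            reason = "own ORIGINATOR_ID"
        elif spk.cluster_id in route.cluster_list:
            reason = "own CLUSTER_ID"
        else:
            return self._install(spk, route, from_peer)
        spk.dropped.append((route.prefix, from_peer, reason))


def figure_8_4():
    """Figure 8-4 inside AS 1 with a fully meshed core A-B-C. The external neighbors
    ext1 (AS 200, peering with I and G) and ext2 (AS 300, peering with H) are assumed."""
    net = Network()
    for n in "ABCDEFGHIX":
        net.add(n, 1)
    net.add("ext1", 200); net.add("ext2", 300)
    net.peer("A", "B"); net.peer("A", "C"); net.peer("B", "C"); net.peer("B", "X")
    for c in "IGEF":                       # Router C's clients, no mesh among them
        net.peer("C", c, client=True)
    net.peer("D", "E"); net.peer("D", "H"); net.peer("E", "H")  # B's clients, meshed
    for c in "DEH":
        net.peer("B", c, client=True)
    net.peer("I", "ext1"); net.peer("G", "ext1"); net.peer("H", "ext2")
    net.originate("ext1", "30.0.0.0/8", "ext1")   # the external route I and G receive
    net.originate("ext2", "40.0.0.0/8", "ext2")   # the external route H receives
    return net


if __name__ == "__main__":
    for name, spk in sorted(figure_8_4().speakers.items()):
        print(name, {p: (f, r.next_hop, r.cluster_list) for p, (r, f) in spk.rib.items()})
```

Running it prints every speaker's table for the two prefixes. Router E ends up with Router C's copy of the route from I and G (next hop still the external router, cluster list (C,)), Routers D and E keep H's route without passing it on, Router X learns H's route through B but never sees the route from I and G because B learned that one from a non-client, and the external router that fed I and G discards G's reflected copy when it sees its own AS in the AS_PATH. Building a network with two reflectors that share a cluster ID and one common client shows each reflector discarding the other's copy with the reason "own CLUSTER_ID".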

Route Reflector Deployment

What is the best way to deploy route reflectors? Where should the reflectors be placed? Before these questions are answered, refer back to Figure 8-4. A third cluster could have been defined with Router A as the route reflector and Router B and Router C as clients, creating a two-level route reflector architecture.

Keeping in mind the initial objective of using BGP to help scale the network, a route reflector architecture would be deployed in two layers with a full mesh core. Referring back to Figure 8-1, the routers at the network core should be configured in a full iBGP mesh. The routers that border with the distribution layer act as an upper layer of route reflectors. A lower layer may be put at the border between the distribution and access layers. These second-level route reflectors would be clients of the first-layer ones.

A rule of thumb to comply with is this: follow the physical topology. In other words, define the iBGP peerings (between clients, reflectors, and/or normal internal peers) to match the physical connectivity of the network. This will provide simplicity to the network and not present a false sense of redundancy.

Figure 8-5 shows another part of the network where route reflectors may be used. In this case, Routers A and B are configured as route reflectors, and Routers C, D, and E are clients of both; note the dual connections. Both the physical topology and the logical BGP connectivity clearly indicate that the packets between clients will go through one of the reflectors; which of the reflectors depends on the IGP metrics.

Figure 8-5 Dual Connections into Reflectors


Case Study: Route Reflectors as Route Servers

Sometimes route reflectors are confused with route servers (and vice versa). Route servers are generally used at Internet exchange points. The objective is for routers to peer only with the route server (not all the other routers in the exchange) and obtain all the routing information from it. The route server has the capability of propagating information in a transparent fashion, as if the advertisements were received directly from the router originating them. Route reflectors also try to reduce the number of peers needed in an iBGP cloud, whereas the route server is typically used with eBGP neighbors. The route server itself processes no traffic, whereas the route reflectors do. In fact, route reflectors are usually placed at traffic aggregation points. It is clear that route reflectors and route servers satisfy different needs in the network. Figure 8-6 illustrates a place in the network where a route reflector may be used as a route server.

Figure 8-6 Route Server

Router A is the route reflector, and it peers with all the other routers on this shared media. The other routers don't peer among themselves. Note that the route reflector is a "router on a stick." In other words, it only has one interface. (This is not necessary, but it makes the example clearer.) All the routes reflected would have a next hop that is reachable through one of the other routers, so that Router A will not process the data packets. Keep in mind that the route reflector doesn't change the attributes in the prefixes. To illustrate this, assume that an external route is learned through Router B. The route is propagated through Router A (the route reflector) to Router E (and all the other clients). This is what the prefix looks like from Router E:

E#show ip bgp 30.0.0.0
BGP routing table entry for 30.0.0.0/8, version 7
Paths: (1 available, best #1)
  200
    200.200.200.2 from 10.105.1.71 (200.200.200.1)
      Origin IGP, metric 0, localpref 100, valid, internal, best
      Originator: 200.200.200.1, Cluster list: 140.10.245.1
E#show ip route 200.200.200.2
Routing entry for 200.200.200.0/24, Hash 196
  Known via "isis", distance 115, metric 20, type level-1
  Redistributing via isis
  Last update from 10.105.1.76 on Ethernet0, 00:04:25 ago
  Routing Descriptor Blocks:
  * 10.105.1.76, from 200.200.200.1, via Ethernet0
      Route metric is 20, traffic share count is 1

Note that the prefix was learned from the route reflector (10.105.1.71), but the next hop is reachable via Router B (10.105.1.76). In this case, the traffic destined for 30.0.0.0/8 will be forwarded directly to Router B from Router E without going through the route reflector.

Case Study: Troubleshooting BGP Neighbor Relationships

Because BGP is designed as an EGP, rather than an IGP, there isn't much to BGP neighbor relationships. The primary thing to keep in mind is that all communications between BGP peers are based on TCP. So, a valid IP connection must be in place between the peers before a relationship can be established. Take a look at Figure 8-7, which is only three routers, to see what problems are possible.

Figure 8-7 Simple Network with BGP Peers

Begin by looking at what Router A would look like with a good, "up and running" eBGP neighbor relationship with Router B. Issuing show ip bgp neighbor results in the following output:

A#show ip bgp neighbor
BGP neighbor is 172.28.1.2, remote AS 2, external link
….
  BGP version 4, remote router ID 10.1.1.1
  BGP state = Established, table version = 1, up for 00:00:33
….
  Connections established 2; dropped 1
  Last reset 00:01:01, due to : User reset request
  No. of prefix received 0
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 172.28.1.1, Local port: 11001
Foreign host: 172.28.1.2, Foreign port: 179
….
SRTT: 710 ms, RTTO: 4442 ms, RTV: 1511 ms, KRTT: 0 ms

One main point in the output tells you that this neighbor relationship is up and running fine—the state is Established. Other states of interest are

• Idle—No BGP neighbor relationship exists with this neighbor.
• Connect—BGP is waiting for the transport protocol (TCP) to establish a connection.
• Active—BGP is trying to connect to a peer by starting a transport protocol (TCP) connection.
• OpenSent—BGP has established a TCP connection, sent an OPEN message, and is now waiting for an OPEN message from its peer.
• OpenConfirm—At this point the OPEN message has been received and verified; BGP is now waiting for a Keepalive (or a Notification) message.
• Established—BGP can exchange routing information at this point.

No IP Connectivity

When neighbors cycle through the Idle, Connect, and Active states, it generally means that there is no IP path between them. There isn't much to do here but try and figure out why the IP connectivity isn't good. Generally, pings and trace routes can be used to find problems at this level. A show ip bgp neighbor may show:

A#show ip bgp neighbor
BGP neighbor is 172.28.1.2, remote AS 2, external link
 Index 1, Offset 0, Mask 0x2
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Active, table version = 0
  Last read 00:00:17, hold time is 180, keepalive interval is 60 seconds
  Minimum time between advertisement runs is 30 seconds
  Received 3 messages, 0 notifications, 0 in queue
  Sent 3 messages, 0 notifications, 0 in queue
  Connections established 1; dropped 1
  Last reset 00:00:19, due to : User reset request
  No. of prefix received 0
No active TCP connection

There are a couple of items that should be highlighted from the preceding output:

• The "BGP state"—In this case it indicates "Active." This state was chosen (over Connect or Idle) because it is the most confusing one. "Active" doesn't indicate that the connection is working; it indicates that the router is actively attempting to establish a connection.
• The last line in the display—"No active TCP connection" is a clear indication of what is going on.

eBGP Multihop

eBGP is designed to run only between directly connected neighbors, such as between Routers A and B in Figure 8-7. When attempting to configure Routers A and C as eBGP neighbors, Router A will show the following:

A#show ip bgp neighbor
BGP neighbor is 192.168.1.2, remote AS 1, external link
 Index 1, Offset 0, Mask 0x2
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Idle, table version = 0
  Last read 00:00:18, hold time is 180, keepalive interval is 60 seconds
  Minimum time between advertisement runs is 30 seconds
  Received 0 messages, 0 notifications, 0 in queue
  Sent 0 messages, 0 notifications, 0 in queue
  Prefix advertised 0, suppressed 0, withdrawn
  Connections established 0; dropped 0
  Last reset never
  0 accepted prefixes consume 0 bytes
  0 history paths consume 0 bytes
  External BGP neighbor not directly connected.
No active TCP connection

Note that there is no active TCP connection, and the display states the External BGP neighbor isn't directly connected. If you configure both of these routers for ebgp-multihop, the following illustrates what happens:

A#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
A(config)#router bgp 2
A(config-router)#neighbor 192.168.1.2 ebgp-multihop
A#show ip bgp neighbor
BGP neighbor is 192.168.1.2, remote AS 1, external link
….
  BGP state = Established, table version = 93, up for 00:00:19
….
  External BGP neighbor may be up to 255 hops away.
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 172.28.1.1, Local port: 179
Foreign host: 192.168.1.2, Foreign port: 11008

Note the output of show ip bgp neighbor now states the external neighbor may be up to 255 hops away.
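The displays above carry the two signals the text relies on for diagnosis: the state field and the trailing TCP lines. The following Python is an added example, not from the book: it parses abridged copies of those displays (constructed from the ones shown) and returns the corresponding explanation. The classification rules are the chapter's own; the field names and the sample text are the example's.

```python
"""Triage 'show ip bgp neighbor' displays into the conditions the text describes.

Added example (not from the book): it pulls out the fields the chapter points
at (the BGP state, the "No active TCP connection" line and the "not directly
connected" line) and maps them to the cause discussed for each. The three
sample displays are constructed, trimmed copies of the ones printed above.
"""
import re

# Constructed samples, abridged from the chapter's displays.
ESTABLISHED = """\
BGP neighbor is 172.28.1.2, remote AS 2, external link
  BGP version 4, remote router ID 10.1.1.1
  BGP state = Established, table version = 1, up for 00:00:33
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Local host: 172.28.1.1, Local port: 11001
Foreign host: 172.28.1.2, Foreign port: 179
"""

ACTIVE_NO_TCP = """\
BGP neighbor is 172.28.1.2, remote AS 2, external link
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Active, table version = 0
  Connections established 1; dropped 1
No active TCP connection
"""

IDLE_NOT_CONNECTED = """\
BGP neighbor is 192.168.1.2, remote AS 1, external link
  BGP version 4, remote router ID 0.0.0.0
  BGP state = Idle, table version = 0
  External BGP neighbor not directly connected.
No active TCP connection
"""

NEIGHBOR_RE = re.compile(r"BGP neighbor is (\S+), remote AS (\d+), (\w+) link")
STATE_RE = re.compile(r"BGP state = (\w+)")


def parse_neighbor(text):
    """Extract peer address, remote AS, link type, FSM state and the flag lines."""
    header = NEIGHBOR_RE.search(text)
    state = STATE_RE.search(text)
    if not header or not state:
        raise ValueError("not a 'show ip bgp neighbor' display")
    return {
        "peer": header.group(1),
        "remote_as": int(header.group(2)),
        "link": header.group(3),
        "state": state.group(1),
        "no_tcp": "No active TCP connection" in text,
        "not_directly_connected": "not directly connected" in text,
    }


def diagnose(text):
    """Return (state, explanation) following the chapter's troubleshooting notes."""
    n = parse_neighbor(text)
    state, peer = n["state"], n["peer"]
    if state == "Established":
        return state, f"session with {peer} is up; routing information can be exchanged"
    if n["not_directly_connected"]:
        # eBGP expects a directly connected peer unless ebgp-multihop is configured.
        return state, (f"eBGP peer {peer} is not directly connected; "
                       "configure ebgp-multihop on both routers")
    if state in ("Idle", "Connect", "Active") and n["no_tcp"]:
        # 'Active' means actively trying to connect, not that the session works.
        return state, (f"no TCP connection to {peer}: the router is still trying "
                       "to connect; check IP reachability with ping and traceroute")
    if state in ("OpenSent", "OpenConfirm"):
        return state, f"TCP to {peer} is up; OPEN/KEEPALIVE exchange in progress"
    return state, "unrecognised condition; inspect the full display"


if __name__ == "__main__":
    for sample in (ESTABLISHED, ACTIVE_NO_TCP, IDLE_NOT_CONNECTED):
        print("%-12s %s" % diagnose(sample))
```

The same parser can be pointed at a display captured from a live router; only the three conditions discussed in this case study are classified, anything else falls through to the last return.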


Other BGP Neighbor Problems

There are a couple of other problems you can run into with BGP neighbor relationships, which will be quickly mentioned here. The first is that BGP neighbor relationships will not build at all if the AS numbers are configured incorrectly. For instance, two routers with the following configurations will never build a neighbor relationship:

hostname routerA
!
router bgp 100
 neighbor <routerB address> remote-as 100

hostname routerB
!
router bgp 200
 neighbor <routerA address> remote-as 100

Also, you can set the keepalive (hello) and hold intervals for a BGP neighbor:

router(config-router)#neighbor 10.1.1.1 timers ?
  Keepalive interval
router(config-router)#neighbor 10.1.1.1 timers 100 ?
  Holdtime
router(config-router)#neighbor 10.1.1.1 timers 100 100 ?

These values are not negotiated between routers. They are calculated depending on the local settings and the value received in the Open message (which only carries the Hold Time). Therefore, they can be set to almost anything you want, as long as they are over 3 seconds. The algorithm used to calculate the timers is such that even if the configuration does not match, both routers (for a given BGP session) will use the same values. As you can tell, this is not really a problem, but a common cause of confusion. Luckily, the output of show ip bgp neighbors includes a line that indicates the timers used for that particular session:

router#show ip bgp neighbor
BGP neighbor is 192.168.1.2, remote AS 1, external link
…
  Last read 00:00:18, hold time is 180, keepalive interval is 60 seconds
…
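To make the "not negotiated, but both sides agree" point concrete, here is an added example (not from the book) that computes the hold time as RFC 4271 specifies, the smaller of the local and received values, and derives a keepalive from it. The keepalive rule used, one third of the negotiated hold time capped by the configured keepalive, is an assumption about the implementation.

```python
"""Derive the timers a BGP session will use from two mismatched configurations.

Added example, not code from the book. The OPEN message carries only the Hold
Time; RFC 4271 has each side use the smaller of its own configured value and
the one received, which is why both routers end up with the same hold time no
matter how they were configured. The keepalive is a local choice: one third of
the negotiated hold time, capped by the configured keepalive, is assumed here.
"""


def negotiate_timers(local_hold, peer_hold, local_keepalive=None):
    """Return (hold_time, keepalive) in seconds for the local side of a session.

    A hold time of 0 disables the timer (no keepalives); 1 and 2 are rejected,
    which is the 'over 3 seconds' floor the text mentions.
    """
    for value in (local_hold, peer_hold):
        if value < 0 or value in (1, 2):
            raise ValueError(f"hold time {value} is invalid: must be 0 or at least 3")
    hold = min(local_hold, peer_hold)
    if hold == 0:
        return 0, 0
    keepalive = hold // 3
    if local_keepalive is not None:
        keepalive = min(local_keepalive, keepalive)
    return hold, keepalive


def session_timers(a_hold, b_hold, a_keepalive=None, b_keepalive=None):
    """Timers as computed independently on Router A and Router B."""
    return (negotiate_timers(a_hold, b_hold, a_keepalive),
            negotiate_timers(b_hold, a_hold, b_keepalive))


if __name__ == "__main__":
    # Router A left at the defaults (180/60); Router B configured 'timers 100 100'.
    print(session_timers(180, 100, a_keepalive=60, b_keepalive=100))
```

With one side at the defaults and the other at `timers 100 100`, both sides compute a 100-second hold time and a 33-second keepalive, which is what the "hold time is ..., keepalive interval is ..." line in the display would then report on each router.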


Logging Neighbor Changes

Although there aren't a lot of things that can go wrong with BGP neighbor relationships, it is useful to log changes in the states of neighbors anyway, so that you can tell what happened after any type of event occurs. The configuration for logging neighbor changes is simple:

router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#router bgp 2
router(config-router)#bgp log-neighbor-changes

Case Study: Conditional Advertisement

It's often useful to conditionally advertise some routes to upstream neighbors—particularly if you are trying to control which link is crossed by traffic destined to a particular network. (Refer to "Case Study: Dual-Homed Connections to the Internet" for an example.) BGP has the capability to conditionally advertise routes; look at Figure 8-8 and work through the example that follows.

Figure 8-8 Conditional Advertisement

In this case, you want to advertise 172.28.23.0/24 to Router B as long as that link is up, but if it fails, you want to advertise this route to Router A from Router C.


Here, you would build a normal eBGP neighbor relationship between Routers B and D and a normal iBGP neighbor relationship between Routers C and D. The only magic is on Router C. Take a look at Router C's configuration:

C#sho running-config
Building configuration…
….
!
router ospf 100
 network 0.0.0.0 255.255.255.255 area 0
!
router bgp 100
 network 172.28.23.0 mask 255.255.255.0
 neighbor 10.1.1.1 remote-as 200
 neighbor 10.1.1.1 distribute-list 20 out
 neighbor 10.1.1.1 advertise-map toadvertise non-exist-map ifnotexist
 neighbor 10.1.2.2 remote-as 100
!
access-list 10 permit 172.28.23.0 0.0.0.255
access-list 20 deny 10.1.3.0 0.0.0.255
access-list 20 permit any
access-list 30 permit 10.1.3.0 0.0.0.255
….
route-map ifnotexist permit 10
 match ip address 30
!
route-map ifnotexist deny 20
!
route-map toadvertise permit 10
 match ip address 10
!

The magic is in the neighbor 10.1.1.1 advertise-map toadvertise non-exist-map ifnotexist configuration statement. This tells BGP to advertise those networks permitted by the route map toadvertise if the networks matched by route map ifnotexist aren't in the BGP table. To see if it works, you need to shut down the link from Router B to Router D and see if Router A picks the 172.28.23.0/24 network up in its routing table:

D(config)#int s1
D(config-if)#shut
D(config-if)#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial1, changed state to down
%LINK-5-CHANGED: Interface Serial1, changed state to administratively down
A>sho ip route
….
     172.28.0.0/16 is subnetted, 1 subnets
B       172.28.23.0 [20/60] via 10.1.1.2, 00:00:25
….

Case Study: Dual-Homed Connections to the Internet

Because it's becoming common to see networks dual-homed to the Internet through two service providers, one of the questions people ask is how to load share between these multiple connections. There are two sides to this equation: inbound traffic and outbound traffic. Because asymmetric routing is very common throughout the Internet, the two traffic flows need to be dealt with separately. Along with these two issues, the effects of using default routing versus receiving partial/full routing from the providers will also be explored. The last section in this case study deals with the danger of becoming a transit AS. For the discussion that follows, use Figure 8-9 as a network to work with.

Figure 8-9 Dual-Homed to the Internet

Load Sharing on the Inbound Side

Load sharing on the inbound side is a difficult proposition to start with because you really don't have any control over the decisions made by the routers in other ASs. You, essentially, have three choices:

• Prepend entries to your AS path.
• Set your Multi-Exit Discriminator (MED) outbound.
• Set communities on your outbound advertisements.

The last two options apply only if you are dual-homed to the same provider, as in Figure 8-10.

Figure 8-10 Dual-Homed to the Same ISP

The one thing to remember is that ISPs often aggregate the address space you are advertising through them, and routers always choose the path with the longest prefix length. Before implementing any of these methods, you need to have a discussion with your providers about their aggregation policies. If there is a strong aggregation policy, there may not be much you can do about controlling inbound load, except, perhaps, controlling what you advertise out each link. (See "Case Study: Conditional Advertisement.")

Prepending AS Path Entries

Prepending AS path entries is usually fairly effective in controlling traffic inbound to your network. It's rather simple to configure, as well. If you want the traffic destined to 192.168.2.0/24 to come through ISP A and the traffic destined to 192.168.1.0/24 to pass through ISP B (as depicted previously in Figure 8-9), you could configure the following:

router bgp 100
 neighbor <ISP A address> remote-as 200
 neighbor <ISP A address> route-map add-to-200 out
 neighbor <ISP B address> remote-as 300
 neighbor <ISP B address> route-map add-to-300 out
!
route-map add-to-200 permit 10
 match ip address 5
 set as-path prepend 100 100
!
route-map add-to-200 permit 20
!
route-map add-to-300 permit 10
 match ip address 10
 set as-path prepend 100 100
!
route-map add-to-300 permit 20
!
access-list 5 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255

Making the AS_PATH length longer for 192.168.1.0/24 when it is advertised to ISP A, and vice versa, will achieve the objective. (The permit 20 clauses with no match let the remaining prefixes through unchanged; without them, a route map's implicit deny would stop them from being advertised at all.)

Setting MED Outbound

The MED is an indication (to your neighbor AS) of which path you prefer for incoming traffic. As mentioned previously, the MED should be used only when dual-homed to the same AS (as in Figure 8-10). The value that should be used for the MED is the metric of your IGP to reach the advertised destination. In other words, you will be giving an indication of the internal topology of your network so that the provider can make an informed decision. The configuration is straightforward:

Router C:
router bgp 100
 neighbor <ISP address> remote-as 200
 neighbor <ISP address> route-map set-MED out
!
route-map set-MED permit 10
 set metric-type internal

Router D:
router bgp 100
 neighbor <ISP address> remote-as 200
 neighbor <ISP address> route-map set-MED out
!
route-map set-MED permit 10
 set metric-type internal

Setting Communities

If you refer to Appendix D, "BGP Fundamentals," you will notice that the decision algorithm will not compare the MED until after looking into the local preference and the AS_PATH (among others). This means that the MED value that was set up in the last section may be overridden by those other attributes. It would be nice to be able to change the local preference value of your routing information as seen by your provider. The only downside is that you don't have access to change the configuration of your provider's routers. Don't despair; it is possible to make an arrangement with your ISP to set a given community string on your routes, which will cause the ISP to set their local preference so that you can control which destinations will use a given inbound link. Just call them up!

Load Sharing on the Outbound Side

Keep in mind that BGP will choose only one best path for each destination for the network in Figure 8-9. Therefore, load sharing will have to be done manually by changing the configuration of the router. For the outbound case, there are three variations that should be explored depending on the number of routes learned from the eBGP peers:

• No routes received; that is, use a default.
• Full routing received.
• Only partial routes received.

The decisions made will change for each case. The problem being addressed is: "How do I load share my outgoing traffic between different providers given that there is always only one best path for each destination?" All of the answers can't be offered in this short case study, but hopefully, you realize the fact that each situation has to be examined separately and that there is no easy and straightforward solution to this problem.

Using Default Routes Out

The most obvious, easiest solution is to use static default routes outbound toward both providers and let the router worry about balancing between the two service providers. Of course, when you use this solution, there is a chance that the outbound router will choose to send traffic destined for a network in Company B through ISP A. This means the traffic to Company B will actually pass through the entire Internet core to reach its final destination rather than passing just through ISP B's network; this is slightly suboptimal routing.

Accepting Full Tables

Another solution is to accept the full Internet routing table from both ISPs and choose the best route based on the BGP attributes for each prefix. This will clearly work for destinations like Company B because the router attached to Company A will choose the shortest AS path by selecting the path through ISP B rather than the longer path through ISP A. For a possibly significant number of networks within the Internet cloud, though (if both providers are Tier One ISPs with a similar distribution of customers), there will not be any clear way to choose one path over the other. All the selection criteria down to the router ID of the BGP peer will result in a tie. Therefore, the router IDs will be used to choose the path. This may result in a large amount of traffic being forwarded over the same link because the same router will always win, and the same path will always be chosen.

Note that the preceding paragraph has many conditions that need to be met for the statements to be true. Experience should tell you that only a low percentage of dual-homed networks would satisfy them. In the general case, you will most likely use a Tier One (or national) provider and a Tier Two (or regional/local) provider. If this is the case, then the number of routes for which no clear selection criteria exists will have considerably diminished. The purpose of this book is not to delve into how to select your ISP or other topics along that line.

Accepting a Partial Table

One final way of controlling the traffic outbound from your network is to accept only those routes from each provider that are directly attached to them and use a default route to reach the rest of the network in the Internet. In other words, Router A would accept only routes announced from ISP A that belong to it and its customers. The trick, in this case, is to effectively filter out the routes that do not belong to your provider or their customers. There are two ways to achieve the same result: the easy way and the not-so-easy way.

• The Easy Way—Ask your providers only to advertise to you their routes and their customers' routes. Any provider will be glad to comply. A variation involves asking your provider to set a community on their routes and their customers' routes. All you have to do is filter out all the routes that do not have the agreed-upon community marking. Your choice, along with the use of local preference, will guarantee the shortest path to the destinations received.
• The Not-So-Easy Way—Set up a filter to accept only routes with an AS_PATH length of 1 or 2. The value of 1 will identify your provider's routes, whereas the value of 2 will identify their customers' routes. This might work out well enough, but you will leave out any prefix on which the AS_PATH is prepended.

Being a Transit AS

So far, the issues revolving around load sharing inbound and outbound traffic across the two service provider links have been covered. Consider the situation where you are running iBGP between routers within your AS, as illustrated in Figure 8-11.

Figure 8-11 Transit AS


Assuming that Company A is accepting at least a partial routing table from the ISPs that it is connected to, there is some danger of either ISP selecting the path through Company A as its best path to reach networks in other ASs. In fact, AS100 could become a transit network for traffic between its two providers' networks. This situation is not desirable mainly because of the burden that AS100 would have to carry due to the potential high traffic load. There are a few ways to prevent this from happening; the first is, simply, to use a default route and not accept any BGP advertisements from the two ISPs. Although this solves the problem, it directly undermines any work aimed at providing some sort of outbound load balancing. The easiest way to accept advertisements and prevent transit traffic is by configuring an AS path filter so that you only advertise routes originating in the local AS. For Routers C and D in this network, this would look like the following configuration:

Router C:
router bgp 100
 neighbor <ISP A address> remote-as 200
 neighbor <ISP A address> filter-list 1 out
!
ip as-path access-list 1 permit ^$

Router D:
router bgp 100
 neighbor <ISP B address> remote-as 300
 neighbor <ISP B address> filter-list 1 out
!
ip as-path access-list 1 permit ^$

This configuration would allow only routes originating in the local AS to be advertised to the eBGP peers. One thing that looks odd about this configuration is the as-path access-list—why is the AS_PATH empty? The AS_PATH attribute is changed only as a route is advertised to an eBGP neighbor. In Cisco's implementation, this occurs after any corresponding filters have been applied. (After all, why would you go through the chore of prepending information on routes that might be filtered out?)
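The prepending route maps in "Prepending AS Path Entries" and the ^$ filter-list above both act on the AS_PATH before the local AS is added on export. The following Python is an added example, not the book's configuration: it models a small AS100 table (constructed prefixes and paths), applies each outbound policy in the order IOS evaluates them (filter-list, then route-map) and shows the path each ISP would receive; it also shows why a filter written against the exported path (^100$) advertises nothing.

```python
"""Model the two outbound tools used in this chapter: AS_PATH prepending per
prefix (the add-to-200 / add-to-300 route maps) and an outbound as-path
filter-list of ^$ to avoid becoming a transit AS.

Added example, not code from the book. AS paths are lists of AS numbers with
the most recent AS first. Outbound filter-lists and route-maps run against the
path as held in the local table; the local AS is prepended afterwards, as the
route leaves toward the eBGP peer. That ordering is the text's description of
Cisco's implementation and the reason the filter regex matches an empty path.
"""
import re

LOCAL_AS = 100

# Constructed local BGP table for AS100: prefix -> AS_PATH as stored locally.
# Locally originated prefixes have an empty path; the others came from the ISPs.
BGP_TABLE = {
    "192.168.1.0/24": [],          # Company A's own prefix
    "192.168.2.0/24": [],          # Company A's own prefix
    "172.20.0.0/16": [200],        # learned from ISP A (AS 200)
    "172.21.0.0/16": [200, 2001],  # an ISP A customer, via ISP A
    "172.30.0.0/16": [300],        # learned from ISP B (AS 300)
}


def as_path_string(path):
    """Render a path the way a regex filter sees it, e.g. '200 2001'."""
    return " ".join(str(asn) for asn in path)


def prepend_route_map(prefixes, prepend):
    """route-map with a 'set as-path prepend' for the matched prefixes.

    Unmatched prefixes pass unchanged (the 'permit 20' catch-all clause).
    """
    def policy(prefix, path):
        return list(prepend) + list(path) if prefix in prefixes else list(path)
    return policy


def filter_list(regex):
    """ip as-path access-list: keep the path if the regex matches, else drop."""
    pattern = re.compile(regex)
    def policy(prefix, path):
        return list(path) if pattern.search(as_path_string(path)) else None
    return policy


def export_to_ebgp(table, policies):
    """Apply outbound policies in order, then prepend the local AS on export.

    Returns {prefix: AS_PATH as the eBGP peer receives it}; a policy returning
    None removes the prefix from the advertisement.
    """
    advertised = {}
    for prefix, path in table.items():
        current = list(path)
        for policy in policies:
            current = policy(prefix, current)
            if current is None:
                break
        if current is not None:
            advertised[prefix] = [LOCAL_AS] + current
    return advertised


# Figure 8-9 objective: 192.168.2.0/24 inbound via ISP A, 192.168.1.0/24 via ISP B,
# so each prefix is lengthened on the link it should NOT attract traffic over.
ADD_TO_200 = prepend_route_map({"192.168.1.0/24"}, [100, 100])  # toward ISP A
ADD_TO_300 = prepend_route_map({"192.168.2.0/24"}, [100, 100])  # toward ISP B
ONLY_LOCAL = filter_list(r"^$")  # IOS evaluates the filter-list before the route-map


def advertisements_to_isp_a():
    return export_to_ebgp(BGP_TABLE, [ONLY_LOCAL, ADD_TO_200])


def advertisements_to_isp_b():
    return export_to_ebgp(BGP_TABLE, [ONLY_LOCAL, ADD_TO_300])


def advertisements_with_misplaced_filter():
    """What happens if the filter is written for the post-export path (^100$)."""
    return export_to_ebgp(BGP_TABLE, [filter_list(r"^100$")])


if __name__ == "__main__":
    for name, adv in (("ISP A", advertisements_to_isp_a()),
                      ("ISP B", advertisements_to_isp_b())):
        print(name)
        for prefix, path in adv.items():
            print(f"  {prefix:16} {as_path_string(path)}")
    print("misplaced filter advertises:", advertisements_with_misplaced_filter())
```

Run as is, ISP A receives 192.168.1.0/24 with path 100 100 100 and 192.168.2.0/24 with path 100, ISP B the reverse, and neither ISP receives anything learned from the other: the routes with a non-empty path never make it past the ^$ filter, so AS100 cannot become transit.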

Case Study: Route Dampening

One thing that causes major problems in truly large-scale networks is a destination that flaps regularly, or goes up and down several times in succession within a short period of time. BGP allows a network administrator to stop accepting a route from an external neighbor for a certain period of time through dampening. Note that dampening works for eBGP routes only. The configuration for this capability is very simple—it's just a single extra configuration command (see Figure 8-12).

Figure 8-12 Simple Dampening Example

For example, if you wanted to dampen the routes from Router B in Figure 8-12, you would configure:

router bgp 100
 bgp dampening

Now, assume the link 192.168.1.0/24 flaps several times in a row. Router A will add a penalty to the route each time it flaps, which will eventually dampen the route. On Router A, this looks like the following:


A#show ip bgp flap
BGP table version is 7, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          From            Flaps Duration Reuse    Path
h  192.168.1.0      172.28.1.2      3     00:02:10          100
A#show ip bgp
BGP table version is 7, local router ID is 10.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop        Metric LocPrf Weight Path
h  192.168.1.0      172.28.1.2      0             0      100 i

Note the h beside the route in both displays—the route is being marked as a route that is flapping. Once dampened, how does a route come out of this state? The penalty against the route is halved once every 15 minutes (by default) until it has fallen below the reuse limit. Once the penalty against the route has fallen below the reuse limit, the route will be advertised to BGP neighbors again. There are five attributes of a route when dampening is configured that you need to be concerned with:

• Penalty—The penalty that is applied to the route each time it flaps; the default is 1000.
• Suppress limit—Once the penalty reaches this mark, the route will be dampened; the default is 2000.
• Half-life—Each time the half-life passes, the penalty that is currently assessed against the route is halved; the default is 15 minutes.
• Reuse limit—The penalty must drop below this number for the route to be advertised again; the default is 750.
• Maximum suppress limit—The maximum number of half-lives a route can be suppressed; the default is 4 half-lives.

These can be configured as part of the bgp dampening command. To give an example of how this works, look at the penalty that accrues over time for a given route as shown in Figure 8-13.

Figure 8-13 Route Dampening Effects


Here, a given route is withdrawn and re-advertised by an eBGP router twice in 5 minutes; each time the route flaps, a penalty of 1000 is applied, for a total of 2000. When the second flap occurs, the route is dampened. After 15 minutes, the penalty in force against the route will have decayed exponentially to 1000. Immediately after this, the route flaps twice more, raising the total penalty to 3000. 15 minutes later, at the 30-minute mark, the penalty has decayed to 1500. At the 45-minute mark, the penalty will have decayed by half its value to 750, and the route can be reused again.
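Replaying that timeline in code makes the decay and the two thresholds visible. This Python simulation is an added example, not from the book, using the five default values listed above; the two flaps of each pair are modelled at the same instant, the reuse limit is applied strictly (the route comes back only once the penalty is below 750), and the penalty ceiling of reuse limit times 2^4 is an assumption about how the maximum suppress limit is enforced.

```python
"""Simulate route flap dampening with the five parameters listed above.

Added example, not code from the book. The penalty decays exponentially with
the configured half-life; the route is suppressed once the penalty reaches the
suppress limit and reused once it has decayed below the reuse limit (the text's
'must drop below', applied strictly here). The penalty ceiling, reuse limit
times 2 to the power of the maximum number of half-lives, is how the
'maximum suppress limit' bounds suppression time and is stated as an
assumption about the implementation.
"""


class DampenedRoute:
    """Dampening state for one eBGP route; time is in minutes."""

    def __init__(self, penalty=1000, suppress_limit=2000, half_life=15,
                 reuse_limit=750, max_suppress_half_lives=4):
        self.flap_penalty = penalty
        self.suppress_limit = suppress_limit
        self.half_life = half_life
        self.reuse_limit = reuse_limit
        # Cap the accumulated penalty so a route is never suppressed longer
        # than max_suppress_half_lives * half_life minutes.
        self.max_penalty = reuse_limit * 2 ** max_suppress_half_lives
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay_to(self, t):
        """Bring the penalty forward to minute t and release the route if due."""
        elapsed = t - self.last_update
        self.penalty *= 0.5 ** (elapsed / self.half_life)
        self.last_update = t
        if self.suppressed and self.penalty < self.reuse_limit:
            self.suppressed = False

    def flap(self, t):
        """The route is withdrawn and re-advertised at minute t."""
        self._decay_to(t)
        self.penalty = min(self.penalty + self.flap_penalty, self.max_penalty)
        if self.penalty >= self.suppress_limit:
            self.suppressed = True

    def penalty_at(self, t):
        self._decay_to(t)
        return round(self.penalty)

    def is_suppressed(self, t):
        self._decay_to(t)
        return self.suppressed


def figure_8_13_timeline():
    """Replay the scenario of Figure 8-13; returns (penalty, suppressed) checkpoints."""
    route = DampenedRoute()
    route.flap(0)
    route.flap(0)                       # two flaps in quick succession: 2000, dampened
    out = {"after_two_flaps": (route.penalty_at(0), route.is_suppressed(0))}
    out["15_min_later"] = (route.penalty_at(15), route.is_suppressed(15))   # 1000
    route.flap(15)
    route.flap(15)                      # two more flaps: 3000
    out["after_four_flaps"] = (route.penalty_at(15), route.is_suppressed(15))
    out["30_min"] = (route.penalty_at(30), route.is_suppressed(30))        # 1500
    out["45_min"] = (route.penalty_at(45), route.is_suppressed(45))        # 750, at the limit
    out["46_min"] = (route.penalty_at(46), route.is_suppressed(46))        # below 750: reused
    return out


if __name__ == "__main__":
    for when, (penalty, suppressed) in figure_8_13_timeline().items():
        print(f"{when:18} penalty={penalty:5} suppressed={suppressed}")
```

With the defaults the ceiling works out to 12000, so even a route that flaps continuously is released at most 60 minutes (four half-lives) after its last flap.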

Review

1: What is an EGP?

2: What prevents iBGP from being an effective IGP?

3: Where will routes learned from an eBGP peer be propagated?

4: Why shouldn't you redistribute BGP routes into an IGP?

5: What protocol do all BGP packets ride on top of?

6: If a neighbor relationship between two BGP peers constantly cycles through the Idle, Active, and Connect states, what action should you take?

7: Explain the significance of the next hop in BGP.

8: What possible solutions are there for load sharing outbound traffic to multiple ISPs?

9: All attributes being the same, what will break a tie in the BGP decision process?

10: What two things can be done to reduce the number of updates generated and sent by a router?

11: What is the default half-life of a dampened route?

12: How does a route reflector advertise routes learned from an iBGP peer?

13: What does a confederation of routers appear as outside the confederation area?

14: What is an example of an application of conditional advertisement?

15: Treating the network shown in Figure 4-10 in Chapter 4, "Applying the Principles of Network Design," as a service provider network (with the access layer connecting to external networks), configure the network to run BGP throughout. What changes would you make to the network? Would you use route reflectors or confederations anywhere?

Chapter 9. Other Large Scale Cores

Scalability of full mesh, Layer 3 designs is a major issue when building very large networks. Chapter 3, "Redundancy," discussed problems with Layer 2, full mesh designs. Layer 3, full mesh designs have many of the same problems. At some point, the number of possible neighbors and paths becomes overwhelming, and you need to reduce the amount of work that needs to be done by the core routers. Two possible solutions to this problem are Next Hop Resolution Protocol (NHRP) and Multiprotocol Label Switching (MPLS).

NHRP

One possible solution to the Layer 3 meshing problem is the Next Hop Resolution Protocol (NHRP). NHRP is technically a routing protocol rather than a new Layer 2/3 switching mechanism. Figure 9-1 provides an example network for discussion.

Figure 9-1 Full Mesh Neighbors

Now, as you know from Chapter 3, the full mesh design in Figure 9-1 results in 15 = 6(6-1)/2 paths through the network. Suppose that you want to reduce the paths through the network by making it a hub and spoke design. It could look like the one illustrated in Figure 9-2.

Figure 9-2 Hub and Spoke Network Design


The real difficulty with this design (other than the single point of failure) is the amount of traffic that must pass through the hub router. If all of these links are 2.4 Gbps, the hub router needs to switch traffic at 12 Gbps or faster. There must be some way to spread this work out a bit. If you are using a lower layer media that supports switched virtual circuits (SVCs), such as ATM (or Frame Relay SVCs), you should be able to take advantage of them to make direct connections between the spoke routers when needed. The problem with this is routing. How does the router know that a given destination is reachable through some other means than the hub router? How does it know which SVC to use (what number to dial, so to speak) to reach this destination? This is where NHRP comes in. In NHRP, a number of routers are configured as route servers. Each router advertises its reachable destinations to this route server along with an SVC to use to reach them. When a router wants to reach a given destination, it queries the route server to find out if there is a direct path through the cloud. If there is, it will bring up an SVC to the next hop and pass the traffic along. This effectively provides the advantages of a full mesh topology while also providing the scalability of a partial mesh topology.
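The register/query/direct-SVC sequence just described, modelled in Python as an added example (not code from the book and not an NHRP implementation): a route server holds what each spoke registered, and a spoke resolves a destination before deciding whether to dial a direct SVC or keep relaying through the hub. Addresses for Routers A and B are taken from the case study that follows; Router C's protocol address and ESI are not in the text and are assumed.

```python
"""Model the NHRP registration and resolution steps described above.

Added example, not code from the book and not a protocol implementation: it
keeps the logic only. Spokes register the prefixes they reach and their NBMA
(ATM) address with the route server; a spoke with traffic for a destination
asks the server and, when another spoke is registered for it, brings up an SVC
to that spoke instead of relaying through the hub. Addresses follow Figure 9-3
and the sample configurations (172.16.2.0/24 behind Router B, 172.16.1.0/24
behind Router C, ESI 145145145145.01 for B); Router C's addresses are not in
the text and are assumed here.
"""
import ipaddress


class NHRPServer:
    """Route server role of the hub (Router A in Figure 9-3)."""

    def __init__(self):
        self.registrations = []  # (network, protocol address, NBMA address)

    def register(self, network, protocol_addr, nbma_addr):
        self.registrations.append((ipaddress.ip_network(network), protocol_addr, nbma_addr))

    def resolve(self, destination):
        """Longest-match lookup: (next-hop IP, NBMA address) or None."""
        dst = ipaddress.ip_address(destination)
        matches = [r for r in self.registrations if dst in r[0]]
        if not matches:
            return None
        _, protocol_addr, nbma_addr = max(matches, key=lambda r: r[0].prefixlen)
        return protocol_addr, nbma_addr


class Spoke:
    """A spoke router attached to the NBMA cloud."""

    def __init__(self, name, network, protocol_addr, nbma_addr, server, hub_addr):
        self.name = name
        self.network = ipaddress.ip_network(network)
        self.protocol_addr = protocol_addr
        self.nbma_addr = nbma_addr
        self.server = server
        self.hub_addr = hub_addr
        self.svcs = {}  # next-hop IP -> NBMA address of an open SVC
        server.register(network, protocol_addr, nbma_addr)

    def forward(self, destination):
        """Decide how a packet leaves: locally, over a direct SVC, or via the hub."""
        if ipaddress.ip_address(destination) in self.network:
            return ("local", destination)
        answer = self.server.resolve(destination)
        if answer is None:
            # Nothing registered for it: keep the routed path through the hub.
            return ("via-hub", self.hub_addr)
        next_hop, nbma = answer
        if next_hop not in self.svcs:
            self.svcs[next_hop] = nbma  # dial once; later packets reuse the SVC
        return ("direct-svc", next_hop, nbma)


def demo():
    """Router C's view of a session from its side to a host behind Router B."""
    server = NHRPServer()
    hub = "172.16.58.1"
    Spoke("B", "172.16.2.0/24", "172.16.58.2", "145145145145.01", server, hub)
    c = Spoke("C", "172.16.1.0/24", "172.16.58.3",  # assumed address for Router C
              "<Router C ESI, not given in the text>", server, hub)
    first = c.forward("172.16.2.10")   # resolves B and opens the SVC
    again = c.forward("172.16.2.20")   # same next hop: SVC reused
    unknown = c.forward("10.9.9.9")    # unregistered destination: hub path
    return first, again, unknown, len(c.svcs)


if __name__ == "__main__":
    for step in demo()[:3]:
        print(step)
```

The point the model makes is the one the text makes: the hub is still the routed path for anything the server knows nothing about, but once a destination resolves to another spoke, the traffic leaves on a direct SVC and the hub's forwarding load drops accordingly.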


Case Study: NHRP in an ATM Network

In the network shown in Figure 9-3, traffic sourced from 172.16.2.0/24 and destined to 172.16.1.0/24 normally flows through Router A, which is at the hub of the switched ATM network. Instead of having all of the traffic pass through one router, it makes more sense to have Routers B and C set up SVCs to one another when they are needed.

Figure 9-3 NHRP in an ATM Network

To accomplish this goal, you can run NHRP over the ATM cloud. The configuration on Router A is as follows:

  interface ATM0
   no ip address
   atm pvc 5 0 5 qsaal
   atm pvc 16 0 16 ilmi
  !
  interface ATM0.1 multipoint
   ip address 172.16.58.1 255.255.255.0
   ip nhrp network-id 1
   ip nhrp interest 101
   ip ospf network point-to-multipoint
   atm esi-address 852852852852.01
   atm pvc 100 0 40 aal5snap inarp 5
   atm pvc 105 0 90 aal5snap inarp 5
  !
  router ospf 1
   network 0.0.0.0 0.0.0.0 area 0
  !
  access-list 101 deny ip any any

Note that the interest list on Router A denies everything: the hub never triggers NHRP resolution requests of its own, it only forwards requests and replies on behalf of the spokes.

On Router B, we have:

  interface Ethernet0
   ip address 172.16.2.1 255.255.255.0
  !
  interface ATM0
   no ip address
   atm pvc 5 0 5 qsaal
   atm pvc 16 0 16 ilmi
  !
  interface ATM0.1 multipoint
   ip address 172.16.58.2 255.255.255.0
   ip nhrp network-id 1
   ip nhrp interest 101
   ip route-cache same-interface
   ip ospf network point-to-multipoint
   atm esi-address 145145145145.01
   atm pvc 100 0 40 aal5snap inarp 5
  !
  router ospf 1
   network 0.0.0.0 0.0.0.0 area 0
  !
  access-list 101 permit ip any any

Router C is identical to Router B except for IP addresses and ATM information. To understand how this works, look at what happens during a Telnet session from a host on the 172.16.1.0/24 network (behind Router C) to a host on the 172.16.2.0/24 network (behind Router B):

1. Router C sends its traffic for the 172.16.2.0/24 network toward Router A because OSPF has given it a route for that network in that direction.
2. Router A notices that this destination is reachable through an interface on Router B, which is on the same NHRP network (network-id 1) as Router C.
3. Router A passes Router C's connection information (its ATM address) to Router B, and it also passes Router B's ATM address to Router C.
4. Router B and Router C open an SVC to each other, and traffic between the 172.16.1.0/24 and 172.16.2.0/24 networks flows along this path.

On Router B, before the Telnet session between the hosts takes place, you will see the following in the ARP cache:

  B#show arp
  Protocol  Address          Age(min)  Hardware Addr  Type  Interface
  ....
  Internet  172.16.58.1      3         VCD#0100       ATM   ATM0.1

After the Telnet session, Router B has built an ARP cache entry for this destination over the newly established SVC between Router B and Router C:

  B#show arp
  Protocol  Address          Age(min)  Hardware Addr  Type  Interface
  ....
  Internet  172.16.58.1      71        VCD#0100       ATM   ATM0.1
  Internet  172.16.2.1       1         VCD#0060       ATM   ATM0.1
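The four-step resolution sequence above can be traced with a small simulation. The following is an added example written for this page, not code from the book or from any router: it models the three routers of Figure 9-3 with their OSPF-learned routes and NBMA (ATM) addresses, forwards a Resolution Request hop by hop along the routed path until it reaches the router that serves the destination, and has the spoke cache the reply and use a direct SVC for the next packet. The hub's deny-all interest list appears as interest=False. Router C's ATM address (369369369369.01) and the host address 172.16.2.10 are assumptions; the prefixes and the addresses of Routers A and B are taken from the configurations above.

```python
"""Simplified NHRP shortcut resolution over an NBMA cloud (added example, not from the book)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Router:
    """One router on the NBMA cloud. 'routes' is what the IGP (OSPF) installed."""
    name: str
    nbma: str                       # ATM address (ESI.selector)
    routes: dict                    # prefix -> next-hop router name, or "connected"
    interest: bool                  # ip nhrp interest: True = permit (may trigger NHRP)
    cache: dict = field(default_factory=dict)   # prefix -> (egress name, NBMA address)
    svcs: set = field(default_factory=set)      # routers we hold a direct SVC to


class NbmaCloud:
    def __init__(self, routers):
        self.routers = {r.name: r for r in routers}

    @staticmethod
    def lookup(router, dst):
        """Longest-prefix match in the router's IGP routing table."""
        best = None
        for prefix, nexthop in router.routes.items():
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nexthop)
        if best is None:
            raise ValueError(f"{router.name}: no route to {dst}")
        return best

    def routed_path(self, src, dst):
        """Hop-by-hop path the IGP would use (through the hub)."""
        path, cur = [src.name], src
        while True:
            net, nexthop = self.lookup(cur, dst)
            if nexthop == "connected":
                return path, net, cur
            path.append(nexthop)
            cur = self.routers[nexthop]

    def resolve(self, requester, dst, trace):
        """NHRP Resolution Request forwarded along the routed path; the router that
        serves the destination answers with its own NBMA address."""
        cur = requester
        while True:
            net, nexthop = self.lookup(cur, dst)
            if nexthop == "connected":
                trace.append(f"{cur.name}: Resolution Reply, {net} is at NBMA {cur.nbma}")
                return net, cur
            trace.append(f"{cur.name}: forwards Resolution Request for {dst} toward {nexthop}")
            cur = self.routers[nexthop]

    def forward(self, src_name, dst, trace):
        """Forward one packet; return the list of routers it traverses."""
        src = self.routers[src_name]
        for prefix, (egress, nbma) in src.cache.items():      # shortcut already learned?
            if ip_address(dst) in ip_network(prefix):
                trace.append(f"{src.name}: {dst} over direct SVC to {egress} ({nbma})")
                return [src.name, egress]
        path, net, egress = self.routed_path(src, dst)
        trace.append(f"{src.name}: {dst} via routed path {' -> '.join(path)}")
        # A packet permitted by the interest list that needs more than one hop through
        # the cloud triggers a resolution; the reply is cached and an SVC is opened.
        if src.interest and len(path) > 2:
            net, egress = self.resolve(src, dst, trace)
            src.cache[str(net)] = (egress.name, egress.nbma)
            src.svcs.add(egress.name)
        return path


def build_cloud():
    """Topology of Figure 9-3. Router C's ATM address is an assumption (not in the book)."""
    a = Router("A", "852852852852.01", {"172.16.58.0/24": "connected",
               "172.16.1.0/24": "C", "172.16.2.0/24": "B"}, interest=False)   # deny ip any any
    b = Router("B", "145145145145.01", {"172.16.58.0/24": "connected",
               "172.16.2.0/24": "connected", "172.16.1.0/24": "A"}, interest=True)
    c = Router("C", "369369369369.01", {"172.16.58.0/24": "connected",
               "172.16.1.0/24": "connected", "172.16.2.0/24": "A"}, interest=True)
    return NbmaCloud([a, b, c])


def telnet_c_to_b(cloud, trace):
    """First packet rides the hub and triggers resolution; the second uses the shortcut."""
    first = cloud.forward("C", "172.16.2.10", trace)
    second = cloud.forward("C", "172.16.2.10", trace)
    return first, second


if __name__ == "__main__":
    log = []
    print(telnet_c_to_b(build_cloud(), log))
    print("\n".join(log))
```

The first packet follows C, A, B while the request and reply travel the same path; every later packet goes C, B directly. Because the hub's interest list denies everything, a packet originated by Router A never creates a cache entry, which is what the deny-all access list on Router A is for.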

MPLS

MPLS resolves the same problem as NHRP but in a different way. MPLS is a new concept (as of this writing), and not all of the standards and mechanisms are fully worked out. This chapter covers an overview of the theory.

Normal Packet Switching

Switching an IP packet normally involves the following procedure:

1. Looking up the destination IP address in a table that might contain several overlapping matches
2. Choosing the matching destination network with the longest prefix length
3. Finding the MAC header for the next hop and copying it onto the front of the packet

The deployment of ATM and Frame Relay brought a new idea to the forefront in switching packets: switching based on a short label that can be swapped hop by hop as a packet moves toward its destination. Figure 9-4 provides a network illustration for demonstrative purposes.

Figure 9-4 Simple Network Illustrating Switching by Tags


Because Router A is advertising a summary, and Router B is a component within that summary, Router C has two entries in its routing table:

  10.1.0.0/16 via A
  10.1.2.0/24 via B

These two entries are passed to Router D so that it will also have two entries in its table:

  10.1.0.0/16 via C
  10.1.2.0/24 via C

If Router D receives a packet destined to 10.1.2.1, it first finds that there are two matches for this destination, and it must compare the prefix lengths of the two matches to determine the best path. Instead of using the IP address to switch the packet, these routers could assign labels to represent each hop along the path and then switch based on those labels. For instance, assume that the following conditions are true:

• Router A assigns the label 100 to the destination 10.1.0.0/16, which it is advertising to Router C.
• Router B assigns the label 200 to the destination 10.1.2.0/24, which it is advertising to Router C.
• Router C assigns the label 300 to 10.1.0.0/16 and advertises this upstream to Router D.
• Router C assigns the label 400 to 10.1.2.0/24 and advertises this along to Router D.

Now, when Router D receives a packet destined to 10.1.2.1, it performs the longest-prefix match once and notes that the packet belongs to 10.1.2.0/24, which is labeled 400. So, Router D marks the packet with the label 400 and forwards it to Router C. Instead of looking at the destination address and choosing the next hop based on the longest prefix match from the IP routing table, Router C simply looks up the label 400 and sees that it belongs to 10.1.2.0/24, for which Router B advertised the label 200. Router C swaps the labels and passes the packet along. When Router B receives the packet, it sees from the label (200) that this packet is destined to a directly attached subnet, so it strips the label off the packet and forwards it as usual.

The preceding example doesn't provide much network savings: you've saved only one router the expense of looking up a longest prefix match. If that one router were really a cloud, however, and the cloud contained numerous routers, the savings could be significant. When a Label Switching Router (LSR) removes a label from a packet, this is called a pop; when it adds a new label to the packet, this is called a push.

Streams and Label Merging

MPLS doesn't restrict itself to one label for each destination. It uses a label to designate a stream, or flow, of traffic instead: a Forwarding Equivalence Class (FEC). Abstracting individual packets into an FEC allows MPLS routers (LSRs) to merge a large number of streams that require the same handling (class of service, next hop, and so on) into one FEC and use the same label to identify all of them. To understand this better, look at the example in Figure 9-5.

Figure 9-5 Merging Streams


If you were using normal IP routing, you couldn't summarize the two routes advertised by Router D, 10.1.1.0/24 and 172.16.1.0/24. Assume Router D is advertising label 100 for 10.1.1.0/24 and label 200 for 172.16.1.0/24 toward Router C. If Router C is capable of merging these FECs advertised by Router D, it can advertise a single label toward Routers A and B for both streams, which effectively summarizes them into one FEC, one label, and one advertisement. This capability to merge streams, regardless of the destination addresses, greatly improves the scalability of MPLS by cutting down on the amount of routing information the LSRs must store and work with.

Label Granularity

Until now, you've worked only with labels that are bound to a destination network (unless they are merged, in which case a single label can represent a number of destination networks). In reality, labels can be bound to a flow of traffic at different granularities. The following are a few common label assignment possibilities:

• Host pair: Each source and destination address pair is assigned a label; all packets from 10.1.1.1 to 172.16.1.1 are placed in one FEC.
• Port quadruple: Each source address:port to destination address:port pair is assigned a label; all packets from 10.1.2.1:1024 to 172.16.1.1:23 are placed in one FEC.
• Port quadruple with Type of Service (ToS): Each source address:port to destination address:port pair with a given ToS is assigned a label; all packets from 10.1.2.1:1024 to 172.16.1.1:23 with ToS 3 are placed in one FEC.
• Network pair: Each source/destination network pair is assigned a label; all packets from 10.1.2.0/24 to 172.16.1.0/24 are placed in one FEC.
• Network pair with ToS: Each source/destination network pair within a given ToS is assigned a label; all packets from 10.1.2.0/24 to 172.16.1.0/24 marked for ToS 3 are placed in one FEC.
• Destination network: All packets travelling to a given destination network are assigned a label (which is what you've seen in the examples so far).
• Egress router: All packets exiting the MPLS cloud at a given egress LSR are assigned the same label.
• Next hop BGP autonomous system (AS): Each next hop AS is assigned a label, and that label is used to reach any destination within, or through, that AS.
• Destination BGP AS: This is similar to assigning labels based on the next hop AS in the preceding item, but only destinations sourced within a given AS use the label associated with that AS.
• Multicast source/group pair: For multicast, a given source/group pair can be assigned a label through the multicast distribution tree.
• Multicast */group pair (any source for this group): Rather than assigning a label per source, this scheme assigns only a label per multicast group.

Assigning Labels

How are labels assigned to streams or flows of traffic? There are two aspects of this question that MPLS must answer:

• What device assigns them?
• What drives label assignment? (What causes a label to be assigned?)

The control component is the device that assigns a label to a new flow presented to it as the flow arrives at the edge of the MPLS cloud. This will most likely be an MPLS-capable router (an LSR) running BGP with the other edge routers connected to this cloud. The egress router assigns labels based on requests from upstream neighbors. There are two ways to determine whether a label needs to be assigned:

• When the first packet in a new flow reaches an edge router on the MPLS cloud, the edge router can cause the label assignment process to begin.
• As edge routers receive updates to their routing tables, they can drive the assignment of labels through the cloud based on the information in the routing table.

The first way of driving label assignment is data driven; the labels are assigned in response to data traffic. The second is control driven; the labels are assigned in response to control traffic.

Source Routing

Because a single label pushed onto the packet at the ingress to the MPLS cloud defines the entire path through the cloud, MPLS can be considered a type of source routing. It is more scalable than traditional source routing, though, because only the current hop information needs to be carried in the packet, not the entire path. Strict source routing provides many capabilities over the traditional hop-by-hop routing currently implemented by IP. For example, traffic engineering is easier because the entire path of a given stream of data is known. It is easier to size links and determine what capacity is needed where when the path of any given stream can be known (and, in fact, administratively chosen when the packet enters the network).

Tunneling and Label Stacks

Packets aren't limited to one label; labels can be stacked on top of one another, with the current LSR acting on the "top" label of the stack. Figure 9-6 demonstrates how this can be used for tunneling.

Figure 9-6 Tunneling and Label Stacks

If ws1 wants to communicate with ws2 without users (or hackers) attached to LSR C or LSR D seeing how the traffic is routed, the edge router E can negotiate a label with LSR A to represent this traffic and push that label onto the stack. (LSR A is the egress LSR because it is where the traffic leaves the MPLS network; LSR E, where the traffic enters, is the ingress LSR.) Router E can also look in its routing table and find the label for traffic going to LSR A; it then pushes this label onto the stack on top of the first one. Following is an example:

• Routers A and E negotiate the label 900 for the tunneled (hidden) traffic.
• The label for traffic destined to LSR A through LSR D is 100.
• The label for traffic destined to LSR A through LSR C is 200.

LSR E first pushes 900 onto the label stack, followed by 100, and passes the packet on to LSR D. When LSR D receives this packet, it acts on the label on the top of the stack, which indicates that the traffic is destined to egress at LSR A. It pops the top label, 100, and replaces it with the label for the next hop in the path, 200. Now LSR C receives the packet and sees that the label indicates this traffic is destined for LSR A. Seeing that the next hop is the egress LSR (the edge of the MPLS network where the traffic will be leaving), LSR C simply pops the label and passes the traffic to LSR A.

Note that the inner label hides only the forwarding decision, not the packet itself: LSR C and LSR D still carry the packet and can inspect or copy it. If the contents must be kept from them, the traffic needs to be encrypted (for example, with IPsec) before it enters the tunnel.


When LSR A receives the packet, there will be only one label (900), which indicates that this traffic is for ws2. LSR A will pop the final label and forward the packet. Figure 9-7 shows this series of label pushes and pops.

Figure 9-7 A Label Stack through a Short Tunnel

The preceding example shows that LSR C pops the label before the packet actually leaves the tunnel (which terminates at LSR A). The next-to-last LSR along a path (either through a tunnel or through an MPLS cloud), also known as the penultimate LSR, should pop the label before passing the packet on to the egress node.

Time to Live

The way IP guarantees that a packet will not be passed back and forth between two routers in a routing loop forever is the Time To Live (TTL) field in the packet header. Each router that the packet passes through subtracts one from the TTL; when the TTL reaches zero, the packet is discarded. Because MPLS allows LSRs to switch packets based only on the label, the IP header is never touched, so the TTL of IP packets passing through an MPLS cloud might never be decreased. For this reason, MPLS suggests that the ingress router on an MPLS cloud decrease the TTL in the IP header by the number of hops the packet will travel through the cloud. If the packet's TTL is low enough that it would reach zero before reaching the egress LSR, the packet should be discarded before entering the MPLS network.
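The label operations described in this chapter (the single longest-prefix match at Router D in the Figure 9-4 example, the swap at Router C and the pop at Router B, the two-deep label stack through the tunnel of Figure 9-6 with penultimate-hop popping at LSR C, and the TTL check) can be exercised together in one small forwarding model. This is an added example written for this page, not code from the book or from any router implementation. It uses the label values from the two examples; ws2's prefix 10.2.2.0/24 and the hop order E, D, C, A are assumptions, and the TTL is handled as a counter carried with the labeled packet that every LSR decrements (the approach later standardized for the MPLS label header) rather than the ingress pre-decrement described above.

```python
"""Label switching, label stacks, penultimate hop pop and TTL (added example, not from the book)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

POP = "pop"          # LFIB action: remove the top label instead of swapping it


class Drop(Exception):
    """Packet discarded (TTL expired or no route)."""


@dataclass
class Packet:
    dst: str
    ttl: int
    labels: list = field(default_factory=list)   # label stack; the top of stack is labels[-1]


@dataclass
class Lsr:
    name: str
    # FIB, consulted only for unlabeled packets: prefix -> (next hop, labels to push, bottom first)
    fib: dict = field(default_factory=dict)
    # LFIB, consulted for labeled packets: incoming label -> (next hop, outgoing label or POP)
    lfib: dict = field(default_factory=dict)

    def lpm(self, dst):
        """Longest-prefix match: the lookup MPLS spares the core routers."""
        best = None
        for prefix, entry in self.fib.items():
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, entry)
        return best

    def process(self, pkt):
        """Handle one packet; return the next hop name, or None when delivered locally."""
        pkt.ttl -= 1                        # every LSR decrements the TTL carried with the packet
        if pkt.ttl <= 0:
            raise Drop(f"TTL expired at {self.name}")
        while pkt.labels:                   # labeled: act on the top label only, never on the IP header
            nexthop, action = self.lfib[pkt.labels.pop()]        # pop
            if action != POP:
                pkt.labels.append(action)                        # push (pop + push = swap)
            if nexthop is not None:
                return nexthop
            # POP with no next hop: the exposed label (or the IP header) is processed here
        match = self.lpm(pkt.dst)           # unlabeled: normal IP lookup
        if match is None:
            raise Drop(f"no route to {pkt.dst} at {self.name}")
        nexthop, push = match[1]
        pkt.labels.extend(push)             # ingress push; a list so a stack can be built at once
        return nexthop


def run(lsrs, first, pkt):
    """Forward pkt starting at 'first'; return the per-hop trace and the final status."""
    trace, hop = [], first
    while hop is not None:
        trace.append((hop, list(pkt.labels)))     # label stack as seen on arrival at each LSR
        try:
            hop = lsrs[hop].process(pkt)
        except Drop as e:
            return trace, str(e)
    return trace, f"delivered to {pkt.dst} with TTL {pkt.ttl}"


def figure_9_4():
    """A summarizes 10.1.0.0/16, B is the component 10.1.2.0/24, both reached through C."""
    return {
        "D": Lsr("D", fib={"10.1.0.0/16": ("C", [300]), "10.1.2.0/24": ("C", [400])}),
        "C": Lsr("C", lfib={300: ("A", 100), 400: ("B", 200)}),      # label lookup only
        "A": Lsr("A", lfib={100: (None, POP)}, fib={"10.1.0.0/16": (None, [])}),
        "B": Lsr("B", lfib={200: (None, POP)}, fib={"10.1.2.0/24": (None, [])}),
    }


def figure_9_6():
    """Tunnel from E to A over D and C: 900 is the tunnel label, 100 then 200 carry it to A;
    C is the penultimate hop and pops. ws2's prefix 10.2.2.0/24 is an assumption."""
    return {
        "E": Lsr("E", fib={"10.2.2.0/24": ("D", [900, 100])}),
        "D": Lsr("D", lfib={100: ("C", 200)}),
        "C": Lsr("C", lfib={200: ("A", POP)}),                       # penultimate hop pop
        "A": Lsr("A", lfib={900: (None, POP)}, fib={"10.2.2.0/24": (None, [])}),
    }


if __name__ == "__main__":
    print(run(figure_9_4(), "D", Packet("10.1.2.1", ttl=64)))
    print(run(figure_9_4(), "D", Packet("10.1.2.1", ttl=2)))        # dies at C
    print(run(figure_9_6(), "E", Packet("10.2.2.7", ttl=64)))
```

Only Router D and the final egress ever call lpm(); Router C forwards on the label alone, which is the saving the text describes. In the tunnel run, D and C never see label 900 change, and A is left with exactly one label to pop because C performed the penultimate pop.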

Other MPLS References

This short overview doesn't cover many details of how MPLS works; refer to the draft and standards documents of the IETF for a complete explanation of the mechanisms used to prevent loops, distribute labels, and encapsulate traffic through MPLS networks.


Review

1: Is NHRP a routing protocol, or is it a protocol that helps routing protocols do their job?

2: How many paths exist through a full mesh network with 30 nodes? 40?

3: What task does a route server in NHRP perform?

4: When a router on an NHRP network wants to find the SVC to use for a given destination, what does it do?

5: What three steps are normally involved in routing a packet?

6: What type of switching paradigm do ATM and Frame Relay use?

7: What type of switching paradigm does MPLS use?

8: What is a push? A pop?

9: What is a FEC?

10: Why do you merge FECs?

11: Explain each type of label assignment:
• Host pair
• Port quadruple
• Port quadruple with ToS
• Network pair
• Destination network
• Egress router
• Destination AS

12: Which device assigns labels in an MPLS network?

13: Do downstream devices or upstream devices assign labels?

14: What are the two ways of driving label assignment?

15: How is tunneling performed in an MPLS network?


Part IV: Appendixes

Appendix A OSPF Fundamentals
Appendix B IS-IS Fundamentals
Appendix C EIGRP Fundamentals
Appendix D BGP Fundamentals
Appendix E Answers to the Review Questions
Glossary


Appendix A. OSPF Fundamentals

Open Shortest Path First (OSPF) is a protocol standardized in RFC 2328 by the Internet Engineering Task Force (IETF). OSPF is a link-state protocol that has many advantages, including low traffic levels during normal operation and rapid convergence. This appendix gives you a general overview of the protocol rather than a complete understanding of every aspect of OSPF's operation. You should also look at the relevant RFCs published by the IETF and at OSPF Network Design Solutions by Thomas M. Thomas II, published by Cisco Press.

How OSPF Works

In a typical distance vector protocol (such as IGRP), each router advertises its table of reachable destinations (vectors) and the distances to them (distance) on each of its interfaces on a regular basis (periodic updates). OSPF routers instead advertise the state of their directly connected links to all routers on the network (through flooding). OSPF does periodically refresh this information to the entire network, but the interval between refreshes is long (30 minutes, as described later in this appendix), which keeps network traffic to a minimum. Each router receives these link-state advertisements (LSAs) from its neighbors and floods them out each of its other interfaces, making certain that all routers on the network receive all LSAs. Once all routers have received all advertisements, they perform the shortest path first calculation to find the best path to each destination on the network. OSPF uses neighbor relationships to reliably flood LSAs and enforces hierarchy in a network through areas.

Router IDs

Each router running OSPF on a network must have a unique identifier, the router ID. The router ID is used in combination with an LSA sequence number to detect duplicate LSAs and to prevent a router from accepting an older copy of an LSA it already holds. On a Cisco router, the router ID is chosen from among the interfaces configured for IP: it is either the highest IP address of any operational interface (interface and line protocol both up) or the address of a loopback interface, which takes precedence when one exists. The recommendation is to use loopback interfaces to set the router ID because this provides more stability in the network and makes the router ID more predictable. Newer versions of IOS also provide the router-id command under the OSPF process to set the router ID independently of any interface address.

LSA Types

LSAs are classified by type. Each type serves a different purpose, and some are described in the following list:

• Router LSAs (type 1): Contain information about a router and the links it has in an area; they are flooded within an area only. Within this LSA the router indicates whether it can compute paths based on Quality of Service (QoS), whether it is an area border router, whether it is one end of a virtual link, and whether it is an autonomous system boundary router (ASBR). Type 1 LSAs are also used to advertise stub networks, which have only one router attached.
• Network LSAs (type 2): Used for transit networks within an area; they are not flooded outside of an area. A transit network has at least two routers connected.
• Summary LSAs for ABRs (type 3): Advertise internal networks to routers in other areas (interarea routes). Type 3 LSAs may represent a single network or a set of networks summarized into one advertisement. Summaries are generated only by area border routers (ABRs).
• Summary LSAs for ASBRs (type 4): Used to advertise the location of an autonomous system boundary router into other areas. Routers that are trying to reach an external network use these advertisements to determine the best path to the ASBR. Like type 3 LSAs, they are generated by area border routers (ABRs), not by the ASBR itself.
• Autonomous System External LSAs (type 5): Used to redistribute routes from other autonomous systems, generally learned through a different routing protocol, into OSPF. They are generated by the ASBR and flooded throughout the OSPF domain (except into stub areas).

Reliable Flooding of LSAs

Each LSA flooded to the network has an age parameter (LSAge), which is set by the originating router to 0. When a router receives an LSA from a neighbor, it begins aging it out by adding 1 to the LSAge for each second it holds the LSA in its database. Once the LSAge equals MaxAge, the router sets the LSA to unreachable, floods it, and then removes it from its database. This has the effect of clearing from the network any LSA that has not been refreshed within the MaxAge timeframe. Because of this aging-out mechanism, OSPF routers must reflood their own LSAs periodically to prevent them from being timed out. How often a router refloods its LSAs is called the LSRefreshTime. MaxAge is set to 1 hour, and LSRefreshTime is set to 30 minutes.

When a router receives an LSA (or the status of one of its directly connected links changes), it marks the database entry and builds a list of neighbors to which this entry needs to be flooded. As the router builds a packet to send (which can contain more than one LSA), it does the following:

• Chooses database entries that have been marked for sending and places them in the packet
• Notes in the database the neighbors to which the LSA has been advertised

As acknowledgments are received, neighbors are removed from the "waiting for acknowledgment" list associated with the LSA. Every so often the router checks this list of outstanding acknowledgments to see whether some neighbor hasn't responded, and it resends the LSA to those that haven't. This interval is configurable on a per-interface basis with the ip ospf retransmit-interval command on a Cisco router.
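The aging, refresh and retransmission bookkeeping described above can be made concrete with a small model of one router's link-state database. This is an added example written for this page, not code from the book or from any OSPF implementation: it ages every LSA once per simulated second, refreshes the router's own LSAs when they reach LSRefreshTime, flushes any LSA that reaches MaxAge without a refresh, and keeps a per-LSA list of neighbors still owing an acknowledgment, retransmitting to them every retransmit interval. The router IDs, the 5-second retransmit interval (the Cisco default for ip ospf retransmit-interval) and the use of a bare integer as the LS sequence number are assumptions made for the example.

```python
"""LSA aging, refresh, flush and acknowledgment tracking (added example, not from the book)."""
from dataclasses import dataclass

MAX_AGE = 3600           # LSA is flushed when LSAge reaches one hour
LS_REFRESH_TIME = 1800   # originator refloods its own LSAs every 30 minutes
RXMT_INTERVAL = 5        # seconds; Cisco default for 'ip ospf retransmit-interval'


@dataclass
class Lsa:
    origin: str          # advertising router ID
    seq: int             # LS sequence number; a refresh carries the next one
    age: int = 0         # LSAge in seconds, 0 when originated


class Lsdb:
    """Link-state database of one router plus the flooding state the appendix describes."""

    def __init__(self, router_id, neighbors):
        self.router_id = router_id
        self.neighbors = set(neighbors)
        self.db = {}              # origin -> Lsa
        self.awaiting_ack = {}    # origin -> {neighbor: seconds since last transmission}
        self.sent = []            # log of (origin, seq, neighbor) transmissions

    def install(self, lsa, received_from=None):
        """Accept a new or newer LSA and mark it for flooding to every other neighbor."""
        current = self.db.get(lsa.origin)
        if current and current.seq >= lsa.seq:
            return False                        # duplicate or older instance: not reflooded
        self.db[lsa.origin] = lsa
        targets = self.neighbors - {received_from}      # never back to the sender
        self.awaiting_ack[lsa.origin] = dict.fromkeys(targets, 0)
        self.sent.extend((lsa.origin, lsa.seq, n) for n in targets)
        return True

    def ack(self, origin, neighbor):
        """A neighbor acknowledged the LSA: drop it from that LSA's waiting list."""
        self.awaiting_ack.get(origin, {}).pop(neighbor, None)

    def tick(self, seconds=1):
        """Advance time: age LSAs, refresh our own, flush stale ones, retransmit unacked ones."""
        for origin in list(self.db):
            lsa = self.db[origin]
            lsa.age += seconds
            if origin == self.router_id and lsa.age >= LS_REFRESH_TIME:
                self.install(Lsa(origin, lsa.seq + 1))      # refresh with a new sequence number
            elif lsa.age >= MAX_AGE:
                del self.db[origin]                        # reached MaxAge: nobody refreshed it
                self.awaiting_ack.pop(origin, None)
        for origin, waiting in self.awaiting_ack.items():
            for neighbor in waiting:
                waiting[neighbor] += seconds
                if waiting[neighbor] >= RXMT_INTERVAL:     # still no ack: resend to that neighbor
                    self.sent.append((origin, self.db[origin].seq, neighbor))
                    waiting[neighbor] = 0


if __name__ == "__main__":
    r = Lsdb("1.1.1.1", ["2.2.2.2", "3.3.3.3"])
    r.install(Lsa("1.1.1.1", seq=1))
    r.ack("1.1.1.1", "2.2.2.2")
    for _ in range(5):
        r.tick()
    print(r.sent)                 # 3.3.3.3 has been sent the LSA twice, 2.2.2.2 once
```

The retransmission is per neighbor, not per LSA, which is why acknowledging from one neighbor does not stop retransmissions to the other; and an LSA learned from a neighbor is never refreshed locally, so it disappears after an hour unless its originator refloods it.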


Building Adjacencies

Because adjacencies are vital to the reliable flooding of link-state advertisements, you should examine how an adjacency is built and learn from some special cases. Figure A-1 begins with an illustration of two routers connected to the same network.

Figure A-1 Building Adjacencies

When Routers A and B are first attached to the serial link between them, they begin sending hello packets on this network. Next, the routers begin receiving each other's hello packets, as shown in Figure A-2. When Routers A and B receive each other's hellos, they place their new neighbors in the init state.

Figure A-2 Router Exchange of Hello Packets

After placing a new neighbor in the init state, a router begins including the router ID of that neighbor in its hellos, as shown in Figure A-3. Once a router has received a hello from a neighbor with its own router ID listed, it places the neighbor in the two-way state. This two-way step ensures that there is two-way communication between the routers before they begin exchanging database information. Routers will not reach the two-way state if the hello interval, dead interval, or other parameters carried in the hello (such as the area ID) do not match, because a hello with mismatched parameters is rejected.

Figure A-3 Two-Way State


After determining that an adjacency should be built (routers remain in the two-way state under some circumstances; see the section "Adjacencies on Multi-Access Networks" later in this appendix), the routers begin to negotiate the exchange of their OSPF databases. If a new router on the network were to wait until normal flooding occurred to obtain a complete database, it could take half an hour (the LSA refresh interval) to do so, during which time the router would not be able to reach all destinations in the network and could cause routing loops. This stage is called exstart; a master and a slave are chosen to synchronize the database exchange. The master controls the exchange of database description (DBD) packets between the routers. Figure A-4 shows how the exstart stage operates.

Figure A-4 Exstart

Once the routers have negotiated which one will control the DBD exchange, they begin exchanging their databases, as shown in Figure A-5. With this process finished, the routers are in the full state, meaning that they have synchronized their databases.

Figure A-5 Router Database Exchange


Adjacencies on Multi-Access Networks

It isn't efficient for every router on a multi-access (broadcast or NBMA) network to build full adjacencies with every other router on that network. So, OSPF uses the concepts of designated routers (DRs) and backup designated routers (BDRs) to reduce the number of adjacencies that must be built (and to reduce the number of LSAs flooded throughout the area for the common network). Each router on the network builds a full adjacency with the DR and the BDR and leaves all other neighbors on that network in the two-way state. The DR is responsible for advertising a link to the network (the network LSA) and for flooding LSAs to the other routers on the link. The DR and BDR are elected based on the router priority (configured on a per-interface basis on a Cisco router with ip ospf priority) and the router ID. Assuming Routers B, C, and D in Figure A-6 attempted to connect to the same network link at the same time (unlikely, but possible), each would see each other's hellos, progress to the two-way state, and then begin electing a BDR and a DR for this link.

Figure A-6 A Multi-Access Network

Take a look at this process from Router A's perspective. Router A receives three hellos, one each from Router B, Router C, and Router D. Because Router B's priority is set to 0, which means B cannot become the DR or the BDR, Router A keeps its neighbor state with Router B at two-way. The hello from Router C indicates that it has a router priority of 80 and a router ID of 10.1.1.5, and the hello from Router D indicates that it has a router priority of 100 and a router ID of 10.1.1.10. Router A, whose own priority is 100, first compares the priorities with its own: Router D's matches, but Router C's is lower. Because Router C has a lower priority, it is removed from consideration. Because Router D's priority matches, the router ID is used as the tie-breaker for the BDR. (The BDR is always elected first.) Router A's router ID is higher than Router D's, so Router A is chosen as the BDR.


Now, Router A determines that there is no DR on the link. So, it promotes the BDR to the position of DR and then elects a new BDR. Router A promotes itself to DR and examines each of its other neighbors in the two-way state to see which one should become the BDR. Once again, Router B is not considered because its priority is 0. Router A compares the hellos from the remaining two neighbors and discovers that Router C has a lower priority than Router D. So, the new BDR is Router D. The order in which this occurs is of some importance because the process must be repeatable when the DR is lost: the BDR is promoted, and a new BDR is elected.

Because you probably can't get all of these routers to connect to the link at the same moment, you need to examine how an OSPF router deals with a new link when there are already a DR and a BDR in place. Assume that Routers B, C, and D are all attached to this Ethernet and have been running for some time. What happens when Router A is attached? Without Router A, Router D would be the DR, and Router C would be the BDR. When Router A is first attached, it sees Router D's hellos asserting that it is the DR and does not attempt to elect a new one (even though Router A would be chosen if a new election were to occur). This prevents unnecessary DR elections and usually results in the router that has been up the longest being the DR.
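The two elections just walked through (all routers arriving at once, and Router A joining a segment with a DR already in place) follow the procedure in section 9.4 of RFC 2328. The following is an added example written for this page, not code from the book or from any OSPF implementation: it runs that procedure from one router's point of view, using the priorities and the router IDs of Routers C and D given above. Router A's router ID (10.1.1.20, higher than Router D's as the text requires) and Router B's (10.1.1.1, irrelevant because its priority is 0) are assumptions.

```python
"""OSPF DR/BDR election as one router computes it (added example, not from the book)."""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Hello:
    """What one router claims in its hello: its identity and whom it currently sees as DR/BDR."""
    router_id: str
    priority: int
    dr: str = None        # router ID the sender declares as DR, None if it knows of none
    bdr: str = None       # router ID the sender declares as BDR


def _best(candidates):
    """Highest priority wins; ties are broken by the highest router ID."""
    return max(candidates, key=lambda h: (h.priority, ip_address(h.router_id))).router_id


def elect(hellos, me):
    """Return (DR, BDR) as router 'me' computes them from the hellos it has received,
    including its own current claim. Priority 0 routers are never eligible."""
    by_id = {h.router_id: h for h in hellos}
    mine = by_id[me]
    old_role = (mine.dr == me, mine.bdr == me)
    for _ in range(2):                          # RFC 2328 step 5: rerun once if our own role changed
        eligible = [h for h in by_id.values() if h.priority > 0]
        not_dr = [h for h in eligible if h.dr != h.router_id]          # routers not claiming DR
        claim_bdr = [h for h in not_dr if h.bdr == h.router_id]
        bdr = _best(claim_bdr or not_dr) if not_dr else None           # BDR is elected first
        claim_dr = [h for h in eligible if h.dr == h.router_id]
        dr = _best(claim_dr) if claim_dr else bdr                      # no DR claimed: promote BDR
        new_role = (dr == me, bdr == me)
        if new_role == old_role:
            break
        by_id[me] = Hello(me, mine.priority, dr, bdr)                  # our claim changed: recompute
        old_role = new_role
    return dr, bdr


def figure_a6_all_at_once():
    """B, C, D and A come up together; nobody claims DR or BDR yet. Computed by Router A."""
    hellos = [Hello("10.1.1.20", 100),           # Router A (ID assumed)
              Hello("10.1.1.1", 0),              # Router B, ineligible
              Hello("10.1.1.5", 80),             # Router C
              Hello("10.1.1.10", 100)]           # Router D
    return elect(hellos, "10.1.1.20")


def figure_a6_a_joins_late():
    """B, C, D have been running with D as DR and C as BDR; A attaches afterwards."""
    running = [Hello("10.1.1.1", 0, dr="10.1.1.10", bdr="10.1.1.5"),
               Hello("10.1.1.5", 80, dr="10.1.1.10", bdr="10.1.1.5"),
               Hello("10.1.1.10", 100, dr="10.1.1.10", bdr="10.1.1.5"),
               Hello("10.1.1.20", 100)]          # Router A, no claim yet
    return elect(running, "10.1.1.20")


if __name__ == "__main__":
    print(figure_a6_all_at_once())     # Router A becomes DR, Router D becomes BDR
    print(figure_a6_a_joins_late())    # Router D stays DR, Router C stays BDR
```

In the first scenario the first pass makes Router A both BDR and (by promotion) DR; because A's role changed, the procedure reruns with A claiming DR, A drops out of the BDR candidates, and Router D wins the BDR on priority over Router C. In the second scenario Router D's claim to be DR and Router C's claim to be BDR are honored as is, so A never preempts them.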

OSPF and Nonbroadcast Multi-Access Networks

Nonbroadcast multi-access (NBMA) networks, such as the one depicted in Figure A-7, pose a special problem for OSPF and DR election. On a Cisco router, these networks can be configured to act as a single broadcast interface with multiple connections.

Figure A-7 An NBMA Network as a Point-to-Multipoint Network


Because Router A is using a single multipoint interface (a Frame Relay interface using inverse ARP or frame-relay map configurations to separate the traffic between the permanent virtual circuits [PVCs]), when Router A broadcasts a packet, all the other routers receive it. But when Router B or Router F broadcasts a packet, the only router that receives it is Router A. Because all the routers connected to this multi-access network assume it is a single broadcast domain, they will attempt, unsuccessfully, to elect a BDR and a DR. Assuming that all routers are connected to the link at the same time, the following scenario occurs:

• Routers A and B elect Router A as the DR and Router B as the BDR.
• Routers A and F elect Router F as the DR and Router A as the BDR.
• Router B does not receive Router F's hellos.
• Router F does not receive Router B's hellos.

Essentially, this is broken; there is no way to determine what the final outcome will be. It may actually work for some time, until a link flaps or one of the routers on the network goes down. There are three possible solutions to this problem:

• Set all remote sites to OSPF priority 0, and the hub or core router to anything else.
• Use point-to-point subinterfaces (on Cisco routers).
• Configure the network as OSPF network type point-to-multipoint.

251

The first solut ion—configur ing t he OSPF r out er pr ior it ies—w as t he only solut ion for som e t im e ( befor e t he availabilit y of point - t o- point subint er faces or net w or k t ype point - t o- m ult ipoint ) . Som e net w or k adm inist r at or s, how ev er , configur e t he r em ot e r out er s w it h a low pr ior it y r at her t han a pr ior it y of 0, w hich w or k s but can st ill cause pr oblem s because t he BDR st at us w ill be in quest ion. I t is best t o sim ply configur e t he r em ot e r out er s t o be ineligible t o becom e DR or BDR. The second solut ion —using point - t o- point subint er faces—has been available for som e t im e now and has m any advant ages. I t has one disadvant age t hat m any adm inist r at or s don't lik e, t hough: A separ at e net w or k addr ess m ust be used for each ser ial link . I f a net w or k has a lot of r em ot e sit es connect ed t o dist r ibut ion or access layer r out er s in t his fashion, t his can becom e a m aj or adm inist r at ive night m ar e. The final solut ion—net w or k t ype point - t o- m ult ipoint —is a r ecent dev elopm ent . I nst ead of t he hub r out er t r eat ing t he NBMA net w or k as a br oadcast dom ain, it t r eat s each PVC as a point - t o- point link, building full adj acencies w it h each r out er . This t echnique is effect iv e, but it r esult s in t he cr eat ion of host r out es for each r em ot e rout er on t he NBMA net w ork. When consider ing w hich of t hese t hr ee solut ions t o use, y ou need t o consider t he adv ant ages and disadv ant ages of each and decide w hich best suit s y our net w or k .
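The election rules above (priority 0 makes a router ineligible, an existing DR is not pre-empted, the BDR is promoted when the DR is lost) and the NBMA failure (each router only sees the hellos that reach it) can be reproduced with a small model. This is an added example, not code from the book; the router names, priorities, router IDs and the hello visibility maps are constructed inputs, and the election logic is a simplified reading of the text rather than the full RFC state machine.

```python
"""OSPF DR/BDR election modelled from each router's point of view."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Router:
    name: str
    priority: int
    router_id: str                # dotted quad; tie-breaker when priorities match
    dr: Optional[str] = None      # DR this router currently asserts in its hellos
    bdr: Optional[str] = None     # BDR this router currently asserts in its hellos


def _rank(r: Router) -> Tuple[int, Tuple[int, ...]]:
    """Higher priority wins; the highest router ID breaks ties."""
    return (r.priority, tuple(int(o) for o in r.router_id.split(".")))


def elect(me: Router, visible: List[Router]) -> Tuple[Optional[str], Optional[str]]:
    """Election as seen by `me`, using only the neighbors whose hellos it receives.
    Returns (DR, BDR) names, None where no eligible router exists."""
    eligible = [r for r in [me, *visible] if r.priority > 0]   # priority 0: ineligible
    if not eligible:
        return None, None

    def pick_bdr(pool: List[Router]) -> Optional[str]:
        # Routers claiming DR are excluded; routers already claiming BDR take precedence.
        pool = [r for r in pool if r.dr != r.name]
        claiming = [r for r in pool if r.bdr == r.name]
        pool = claiming or pool
        return max(pool, key=_rank).name if pool else None

    claiming_dr = [r for r in eligible if r.dr == r.name]
    if claiming_dr:
        # An existing DR keeps the role even if a better candidate just appeared.
        dr = max(claiming_dr, key=_rank).name
    else:
        # No DR on the link: promote the BDR (or the best router if none claims BDR).
        dr = pick_bdr(eligible)
    bdr = pick_bdr([r for r in eligible if r.name != dr])
    return dr, bdr


def run_election(routers: Dict[str, Router], visibility: Dict[str, List[str]]):
    """Every router elects from its own view; returns {name: (DR, BDR)}."""
    return {name: elect(r, [routers[n] for n in visibility[name]])
            for name, r in routers.items()}


def views_agree(views: Dict[str, Tuple[Optional[str], Optional[str]]]) -> bool:
    return len(set(views.values())) == 1


def broadcast_scenarios():
    """The two Ethernet cases from the text: DR lost while A is BDR, then A joining late."""
    def fresh():
        return {n: Router(n, p, rid) for n, p, rid in
                [("A", 10, "10.0.0.4"), ("B", 0, "10.0.0.1"),
                 ("C", 1, "10.0.0.2"), ("D", 5, "10.0.0.3")]}
    r = fresh()
    r["A"].bdr = "A"                       # A was BDR; the old DR is gone
    lost = elect(r["A"], [r["B"], r["C"], r["D"]])
    r = fresh()
    r["D"].dr, r["C"].bdr = "D", "C"       # B, C, D have been running for a while
    joined = elect(r["A"], [r["B"], r["C"], r["D"]])
    return lost, joined


def nbma_scenario(b_priority: int, f_priority: int):
    """Hub A sees both spokes, but B and F only see A (the Figure A-7 situation)."""
    routers = {"A": Router("A", 5, "10.0.0.1"),
               "B": Router("B", b_priority, "10.0.0.2"),
               "F": Router("F", f_priority, "10.0.0.6")}
    visibility = {"A": ["B", "F"], "B": ["A"], "F": ["A"]}
    return run_election(routers, visibility)
```

Running `nbma_scenario(1, 10)` gives B a different DR than A and F see, which is the inconsistent outcome the text describes; `nbma_scenario(0, 0)` (the first fix, remote sites at priority 0) makes every router agree that A is the DR with no BDR.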

Areas

OSPF provides for (and enforces) hierarchical network design through areas. There are four types of areas provided for in OSPF:

• Core area, which is area 0 (or 0.0.0.0)— All traffic transits through the core area, and all other areas must touch the core area in at least one place.
• Stubby— External routes are not advertised into stub areas, nor can they be generated from stub areas; routers in these areas rely on the default route to reach all externals.
• Not-so-stubby areas (NSSAs)— External routes are not advertised into NSSAs (unless they originate within the area), but they can be generated within the area.
• Totally stubby— Neither external nor internal routes are advertised into a totally stubby area; all routers rely on a default route to reach any destination outside the area.

All areas can be identified with a single integer (area 1) or with a four-octet number similar to an IP address (area 1.1.1.1). All traffic between areas (interarea traffic) passes through the core; links between areas that do not pass through the core area will not be used. The core area must be contiguous—there cannot be two core areas within the network. Routers that border or touch two areas—the core and some other area—are area border routers (ABRs). ABRs are where summarization is performed in an OSPF network—both into area 0 and into the other areas they connect to (see Figure A-8).

Figure A-8 ABRs and ASBRs

In a totally stubby area, the ABR generates only a default route, which reduces the amount of routing information that must be flooded to routers within the stubby area. Each router in the stubby area must be configured with the area area-id stub command. The core area may not be defined as a stubby area, and external routes may not be injected into stubby areas. The primary difference between stubby and not-so-stubby areas is the capability of not-so-stubby areas to propagate external routes that originate within the area toward the core.

External Route Injection

External routes—routes from other autonomous systems or protocols—are injected into OSPF by autonomous system boundary routers (ASBRs). External routes are flooded throughout the OSPF autonomous system (throughout all areas) without change. (This means no summarization.) External routes within OSPF also have a Forward Address field, which allows an OSPF router to act as a route server.

In Figure A-9, Router B is an ASBR for the OSPF cloud and is also learning routes from Router A and Router C through the Border Gateway Protocol (BGP). Router D is not learning these BGP routes, but it is advertising an internal OSPF link to the Ethernet. When Router B advertises these routes it has learned from BGP, it will put the Ethernet addresses for Router A and Router C in the Forward Address field so that other routers in the OSPF cloud can forward traffic to them directly, rather than through Router B specifically. This means other routers could choose the route to Router D to get to Routers A or C, even though Router D is not advertising these routes. Router B is acting as a route server in this case for the externally derived BGP routes.

If the Forward Address field is set to 0.0.0.0, the router advertising the external route is where the traffic should be forwarded. If a router wanted to forward traffic to the external network advertised, it would look for an ASBR link-state to determine how to reach the ASBR that is advertising the external route.

Figure A-9 External Route Injection
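The Forward Address rule can be expressed as a lookup: a forward address of 0.0.0.0 means "reach the advertising ASBR", anything else is resolved directly against the internal routing table. The following is an added example, not code from the book; the prefixes, router IDs and next-hop labels are constructed to mirror Figure A-9 (Router B as ASBR and route server, Router D providing the interior path to the Ethernet).

```python
"""Next-hop resolution for an OSPF external route using its Forward Address."""
import ipaddress
from typing import Dict, Optional

ZERO = ipaddress.ip_address("0.0.0.0")


def lookup_internal(table: Dict[str, str], addr: str) -> Optional[str]:
    """Longest-prefix match of `addr` against intra/inter-area routes -> next hop."""
    target = ipaddress.ip_address(addr)
    best = None
    for prefix, nexthop in table.items():
        net = ipaddress.ip_network(prefix)
        if target in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nexthop)
    return best[1] if best else None


def resolve_external(external: Dict[str, str], internal: Dict[str, str],
                     asbrs: Dict[str, str]) -> Optional[str]:
    """Return the next hop for an external route, or None if it is unusable.

    external: {"prefix", "asbr" (router ID), "forward_address"}
    asbrs:    router ID -> address of that ASBR, as learned from ASBR summary LSAs
    """
    fa = ipaddress.ip_address(external["forward_address"])
    if fa == ZERO:
        # Traffic goes to the ASBR itself; find the ASBR through its summary.
        asbr_addr = asbrs.get(external["asbr"])
        return lookup_internal(internal, asbr_addr) if asbr_addr else None
    # Non-zero forward address: route toward that address directly. The path
    # may bypass the ASBR entirely, which is the "route server" behaviour.
    return lookup_internal(internal, str(fa))


# Constructed view from some router inside the OSPF cloud: the Ethernet
# 192.0.2.0/24 is reached through Router D, Router B's loopback through B.
INTERNAL = {"192.0.2.0/24": "via Router D", "10.0.0.2/32": "via Router B"}
ASBRS = {"2.2.2.2": "10.0.0.2"}          # Router B's router ID -> reachable address


def figure_a9_example():
    served = {"prefix": "203.0.113.0/24", "asbr": "2.2.2.2",
              "forward_address": "192.0.2.1"}     # Router A's Ethernet address
    via_asbr = {"prefix": "198.51.100.0/24", "asbr": "2.2.2.2",
                "forward_address": "0.0.0.0"}     # must transit Router B
    dangling = {"prefix": "192.0.2.0/24", "asbr": "2.2.2.2",
                "forward_address": "192.0.3.1"}   # FA with no interior route
    return (resolve_external(served, INTERNAL, ASBRS),
            resolve_external(via_asbr, INTERNAL, ASBRS),
            resolve_external(dangling, INTERNAL, ASBRS))
```

The third case is the one to watch in practice: an external whose forward address is not itself reachable by an internal route is simply not installed, so a missing intra-area route to the Ethernet silently removes every BGP-derived destination behind it.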

Virtual Links

There are times when the core area becomes divided, or an area loses contact with the core—generally, when there is some network outage. For these situations, the designers of OSPF provided the virtual link. The virtual link acts as a tunnel, allowing traffic that needs to traverse to and from the core area to pass through another area.

Router A in Figure A-10 has gone down for some reason, effectively partitioning area 1 from the rest of the network (making it unreachable). The network administrator could, by configuring a virtual link between Router C and Router B across the backup link, make area 1 accessible until Router A could be repaired and restored to service.

Note
One of the most confusing aspects of configuring virtual links is the mysterious area number included in the command. This is not the area you are trying to reach or repair, but rather the area through which the virtual link passes. Virtual links are typically a sign of poor network design; rather than using them, you should evaluate your network design and attempt to eliminate them where you can.

Figure A-10 Virtual Links

On-Demand Routing

On-demand routing (ODR) is a way to provide for on-demand circuits (such as dial-on-demand ISDN circuits) within an OSPF autonomous system. Because OSPF generally uses hello packets and periodic reflooding of LSAs to maintain network state, it would normally be impossible to run this protocol over a dial-on-demand circuit because the circuit would need to remain up at all times. To resolve this, OSPF allows a special bit to be set within the advertisement, which indicates this LSA should never be aged out. This allows two routers connected over an on-demand circuit to exchange databases when the circuit is up and not lose information about destinations across the link when it is down.

ODR is relatively simple to configure—the one caveat is that all routers in the area must support ODR (even if they don't have it configured) so that they will understand the special bit settings in the LSA. Routers that aren't ODR capable will simply time the routes out as usual, and the network will periodically lose connectivity to any destinations beyond the dial-on-demand link.


Appendix B. IS-IS Fundamentals

IS-IS (Intermediate System-to-Intermediate System) is a protocol standardized by the International Organization for Standardization (ISO) for use with Connectionless Network Service (CLNS) and other ISO routed protocols. The Internet Engineering Task Force (IETF) has integrated IP routing with IS-IS through a series of RFCs. This appendix will give you a general overview of the IS-IS protocol. For more information, you should refer to the relevant ISO documents and RFCs.

How IS-IS Works

IS-IS is a link-state protocol that runs the shortest path first (SPF or Dijkstra) algorithm to calculate the best path through a network. IS-IS provides two levels of routing for hierarchy—level 1 (L1) routing areas are interconnected using level 2 (L2) routing. The L2 routing domain is sometimes called the core.

IS-IS uses hierarchical addressing to break an autonomous system up into L1 routing areas and to distinguish between L1 and L2 routes. All nodes within a given area use L1 routing to reach each other, whereas nodes in different areas must use L2 routing to reach one another.

As a link-state protocol, IS-IS relies on routers flooding the state of their links to all other routers within their area (L1 or L2) to propagate topology information. Each router runs the SPF algorithm over the information it has received in link-state packets (LSPs) from other routers to find the shortest path to each destination in the network. Because routers in link-state protocols rely on all the routers within a given routing area having the same information in their databases to preclude routing loops, IS-IS doesn't generally permit filtering of routing information.

End Systems and Intermediate Systems

In IS-IS, two different hello-type protocols are used to build adjacencies and exchange information—ES-IS and IS-IS. The End System-to-Intermediate System (ES-IS) protocol is used by routers to discover hosts (and hosts to discover routers) and for exchanging configuration information and redirecting packets to a better path. The IS-IS protocol builds and maintains adjacencies between routers (intermediate systems). This is similar in function to the Hello protocol used in OSPF to discover and maintain neighbor adjacencies.

CLNS Addressing

To understand the way IS-IS allows hierarchy, you first need to understand a little about CLNS addressing. CLNS identifies nodes on a network (hosts or routers) by using network service access points (NSAPs). The following list identifies the fields typically found in an NSAP:

• NSAP Selector (NSEL)— Identifies the user or service on a particular host (much like a TCP or UDP port number).
• System ID— Identifies an individual system or host.
• Area Address— Identifies the L1 area that this host resides in.
• Initial Domain Identifier (IDI)— A variable-length field identifying the routing domain that this system is in.
• Authority Format Identifier (AFI)— A one-byte field that identifies both the authority that assigned this address and the format the address is in.

NSAPs are divided into two major parts—the Initial Domain Part (IDP) and the Domain Specific Part (DSP)—and can be a maximum of 20 bytes in length. The NSEL, system ID, and area address are considered part of the DSP, whereas the IDI and AFI are part of the IDP. For 47.0012.00C0.A94B.51C1.00, the fields are defined as follows:

• 47.00— AFI and domain.
• 12— Area.
• 00C0.A94B.51C1— System ID; this is always 6 bytes.
• 00— NSEL; this is always 1 byte.

You will often see an NSEL of 00, which means this system rather than some upper-level entity on this system. Note that the AFI and IDI are often treated as one piece rather than as two separate pieces. This addressing example continues:

• Anything sent from this host and destined to 47.0012.xxxx.xxxx.xxxx.xx is L1 routed.
• Anything sent from this host to 47.00xx.xxxx.xxxx.xxxx.xx is L2 routed.
• Anything else needs to be routed between domains (interdomain routed).

Whereas IP addresses are assigned to a wire or link, NSAPs are assigned to a host. Therefore, a system (such as a router) with connections to multiple networks will have multiple IP addresses (one for each network it attaches to) but only one NSAP.
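The field split and the L1/L2/interdomain decision above can be written out as a parser. This is an added example, not code from the book. It assumes the layout the text uses for 47.0012.00C0.A94B.51C1.00: the area address is everything before the 6-byte system ID, and within it the first byte is the AFI, the second byte the domain (IDI) and the rest the area. Real NSAPs allow other AFI-dependent layouts, which are not modelled; all addresses below other than the book's own are constructed.

```python
"""NSAP parsing and L1/L2/interdomain classification (book's field layout)."""
from typing import NamedTuple

HEX = set("0123456789ABCDEF")


class Nsap(NamedTuple):
    afi: str         # 1 byte, authority and format identifier
    idi: str         # 1 byte in this layout, the routing domain
    area: str        # remaining area-address bytes, the L1 area
    system_id: str   # always 6 bytes
    nsel: str        # always 1 byte; 00 means the system itself

    @property
    def domain(self) -> str:
        return self.afi + self.idi

    @property
    def area_address(self) -> str:
        return self.afi + self.idi + self.area

    def dotted(self) -> str:
        """Render as AFI.xxxx.xxxx...xxxx.NSEL, grouping 4 hex digits from the right."""
        body = self.area_address + self.system_id
        groups = []
        while body:
            groups.insert(0, body[-4:])
            body = body[:-4]
        return ".".join(groups + [self.nsel])


def parse_nsap(text: str) -> Nsap:
    """Split a dotted NSAP into fields; raises ValueError on malformed input."""
    digits = text.replace(".", "").upper()
    if len(digits) % 2 or not set(digits) <= HEX:
        raise ValueError(f"malformed NSAP: {text!r}")
    nbytes = len(digits) // 2
    if not 8 <= nbytes <= 20:          # AFI + 6-byte system ID + NSEL at minimum
        raise ValueError(f"NSAP must be 8..20 bytes, got {nbytes}: {text!r}")
    area_addr = digits[:-14]           # everything before system ID + NSEL
    if len(area_addr) < 4:             # this layout needs at least AFI and IDI
        raise ValueError(f"area address too short in {text!r}")
    return Nsap(afi=area_addr[:2], idi=area_addr[2:4], area=area_addr[4:],
                system_id=digits[-14:-2], nsel=digits[-2:])


def is_malformed(text: str) -> bool:
    try:
        parse_nsap(text)
    except ValueError:
        return True
    return False


def classify(local: Nsap, dest: Nsap) -> str:
    """How `local` forwards to `dest`: L1 within the area, L2 within the domain,
    otherwise interdomain."""
    if dest.domain != local.domain:
        return "interdomain"
    if dest.area_address == local.area_address:
        return "L1"
    return "L2"
```

Note that `classify` only compares the address prefixes; it says nothing about whether an L2 router exists to carry the traffic, which is the contiguity requirement discussed later in this appendix.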

Routing in an IS-IS Network

When a group of end systems (hosts) and intermediate systems (routers) with the same area IDs in their NSAPs are connected together, they begin forming adjacencies using ES-IS and IS-IS. Hosts rely on the nearest L1 router within their area to forward all traffic for them unless they are redirected. A router may use ES-IS either to tell a host to send its packets for a given destination to another L1 router, or to tell a host to send its packets directly to the receiving ES (if they are on the same physical link). Hosts send any traffic with a destination outside the area to the nearest L2 router, which examines its database to find a path to another L2 router within that area and forwards the traffic.

L1 routers that receive traffic for a destination outside of their area automatically forward this traffic to the nearest L2 router. All L2 routers must be contiguous; L1 areas cannot break up the core of the network.

Metrics & External Routes in IS-IS Networks

The metrics for internal routes range from 0 to 63; interfaces generally have a default metric of 10.

Note
A metric is the method by which a routing algorithm determines that one route is better than another route. This information is stored in routing tables. Metrics include bandwidth, communication cost, delay, hop count, load, MTU, path cost, and reliability.

Routes from other protocols can be injected into IS-IS as external LSPs. Externals are injected as L1 and/or L2 routes and can have either internal or external metric types. The two metric types in IS-IS are similar to type 1 and type 2 externals within OSPF. IS-IS supports externals with internal metrics (which implies that they are in the local domain) and externals with external metrics. External routes with internal metrics are always preferred over external routes with external metrics.

Building Adjacencies

When an IS-IS router is connected to a broadcast (or multi-access) network, it immediately begins sending out IS-IS hellos. When connected to a point-to-point link, a router waits until it builds an ES-IS adjacency with the device on the other end before it determines to transmit IS-IS hellos. These hellos are always padded to the maximum transmission unit (MTU) size of the link. This way, two routers will not build an adjacency over a link with different MTUs configured on either end.

When two IS-IS neighbors first begin bringing up an adjacency, they exchange Complete Sequence Number Packets (CSNPs) to synchronize their databases. Once a pair of routers are adjacent, Partial Sequence Number Packets (PSNPs) are used to request and send information about a subset of the link-state database.

To reduce the problems associated with building a full mesh of adjacencies on multi-access links, such as Ethernet or Token Ring, IS-IS builds pseudonodes. One of the ISs is specified as the Designated Intermediate System (DIS); this router becomes the pseudonode on the network. All routers attached to the multi-access network build an adjacency with this DIS rather than with one another. The DIS is selected by router priority; when there is a tie, the tie is broken by the router with the highest subnetwork point of attachment (SNPA). DIS status is pre-emptive, unlike designated router (DR) status in OSPF. This means that if a new router with a higher priority is connected to a multi-access link, it will take over the role of DIS.

The DIS is responsible for generating pseudonode LSPs for all adjacent routers on the multi-access network. These packets are for reporting the link status of other routers to the multi-access network. The DIS also broadcasts a packet containing information on every (configurable) LSP in its database every 10 seconds onto the link it is the pseudonode for; this packet is a Complete Sequence Number PDU, or CSNP. Other routers on the multi-access network will examine these CSNPs to determine if their database is complete. If the database isn't complete, the other routers on the multi-access network will request particular LSPs from the DIS.

One interesting point to note is the possibility for different L1 and L2 DISs to co-exist on the same multi-access network. There is a separate election process for each level of routing, and the same router may or may not be both the L1 and L2 DIS for a given multi-access link.
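The DIS rules just described (highest priority wins, ties broken by the highest SNPA, pre-emption on arrival, and an independent election per level) contrast with the OSPF behaviour earlier in Appendix A, where an established DR is left alone. The following is an added example, not code from the book; router names, priorities and MAC addresses are constructed.

```python
"""IS-IS DIS election on a multi-access link, one election per routing level."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class IsisRouter:
    name: str
    snpa: str                    # MAC address on this link (the SNPA)
    priority: Dict[int, int]     # level -> DIS priority, only for levels the router runs


def snpa_value(mac: str) -> int:
    """Numeric value of a MAC so that 'highest SNPA' can break priority ties."""
    return int(mac.replace(":", "").replace(".", "").replace("-", ""), 16)


def elect_dis(routers: List[IsisRouter], level: int) -> Optional[str]:
    """DIS for `level` among the routers currently on the link.

    There is no 'keep the incumbent' rule: the best router present always
    wins, so re-running this after every attach models pre-emption."""
    running = [r for r in routers if level in r.priority]
    if not running:
        return None
    best = max(running, key=lambda r: (r.priority[level], snpa_value(r.snpa)))
    return best.name


def dis_timeline(initial: List[IsisRouter], arrivals: List[IsisRouter], level: int):
    """DIS after the initial routers come up, then after each arrival."""
    present = list(initial)
    timeline = [elect_dis(present, level)]
    for r in arrivals:
        present.append(r)
        timeline.append(elect_dis(present, level))
    return timeline


# Constructed link: A and B tie on L1 priority, B is L1-only, C arrives later
# with a higher priority at both levels but a lower MAC address.
A = IsisRouter("A", "00:00:0c:11:11:11", {1: 64, 2: 64})
B = IsisRouter("B", "00:00:0c:22:22:22", {1: 64})
C = IsisRouter("C", "00:00:0c:01:01:01", {1: 80, 2: 100})
```

With only A and B on the link, B is the L1 DIS (tie on priority, higher SNPA) while A is the L2 DIS (B does not run L2), so the two levels already have different DISs; when C attaches it takes over both at once. Because a newly attached router with a higher priority immediately becomes DIS, DIS priorities on shared segments deserve the same change control as OSPF priorities.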

LSP Flooding and SPF Recalculation Timers

IS-IS, like OSPF, uses a complex, recursive algorithm for calculating the best path to a particular destination and ages out LSPs every so often. The intervals where these events normally occur are configurable on Cisco routers. Chapter 6, "IS-IS Network Design," has some information on the importance of adjusting these timers in large IS-IS networks.

To adjust the interval at which IS-IS does a SPF run, use the spf-interval command. The default interval is 5 seconds. IS-IS will automatically run SPF each time a change in the network occurs, regardless of whether this interval of time has passed.

Each LSP advertised also contains a Remaining Lifetime field (also known as the max-lsp-lifetime or Maxage) that determines how long the LSP should be kept in memory before it is timed out. As a router times out LSPs in its database, it will flood to all other routers that this destination is no longer reachable. Aging out occurs when the Remaining Lifetime field reaches 0.

The router that originates an LSP will time the LSP out of its database slightly faster than normal. Therefore, it should flood a new copy of the LSP before any other router on the network times it out and marks it as unreachable. The default Remaining Lifetime is 20 minutes; the router that originates the LSP times it out in 15 minutes. The Remaining Lifetime that a router places in an LSP can be adjusted using the max-lsp-lifetime command; the rate at which the originating router will time out its own LSPs can be adjusted using lsp-refresh-interval.

Neighbor Loss and LSP Regeneration

Look at what happens when Router B in Figure B-1 reboots for some unknown reason.

Figure B-1 An IS-IS Adjacency

Router A will not immediately flush the LSPs that Router B has advertised as you might expect. Instead, Router A waits until the Remaining Lifetime field of these LSPs reaches 0 (they time out). Then, it floods to the rest of the network that the LSPs are unreachable. Finally, Router A flushes the LSPs from its database. Therefore, Router A will not flush the LSP advertised by Router B for NSAP 47.0189.00C0.AF56.25B6.00 until its Maxage timer reaches 0.

When Router B finishes rebooting and rebuilds its adjacency with Router A, it sends this LSP to Router A with a sequence number of 1. When Router A receives this LSP, it examines its database and finds that it has an existing LSP for this destination with a higher sequence number. Then, Router A replies to Router B with a copy of this later LSP. Router B, on receiving this later LSP, sets its LSP sequence number for this destination so that it is higher than the copy that Router A replied with.
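The two timer behaviours above (the originator refreshing its LSP before anyone else ages it out, and a rebooted router being pushed past the stale sequence number its neighbor still holds) fit in one small link-state database model. This is an added example, not the book's code; the defaults follow the text (Remaining Lifetime 20 minutes, originator refresh at 15 minutes), and the router names, LSP IDs and outage lengths are constructed.

```python
"""LSP aging, originator refresh and sequence-number recovery after a reboot."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_LSP_LIFETIME = 1200      # Remaining Lifetime placed in new LSPs, seconds (20 min)
LSP_REFRESH_INTERVAL = 900   # originator re-floods after this long (15 min)


@dataclass
class Lsp:
    lsp_id: str          # here simply the originating router's name
    seq: int
    remaining: int       # Remaining Lifetime, seconds
    reachable: bool = True


class LsDatabase:
    def __init__(self, owner: str):
        self.owner = owner
        self.lsps: Dict[str, Lsp] = {}
        self.flooded: List[Tuple[str, int, bool]] = []   # (lsp_id, seq, reachable)

    def originate(self, lsp_id: str, seq: int = 1) -> Lsp:
        lsp = Lsp(lsp_id, seq, MAX_LSP_LIFETIME)
        self.lsps[lsp_id] = lsp
        self.flooded.append((lsp_id, seq, True))
        return lsp

    def receive(self, lsp: Lsp) -> Lsp:
        """Install a received LSP if it is newer; otherwise hand back our newer
        copy, which is what the caller sends in reply (Router A's reply to B)."""
        have = self.lsps.get(lsp.lsp_id)
        if have is None or lsp.seq > have.seq:
            self.lsps[lsp.lsp_id] = Lsp(lsp.lsp_id, lsp.seq, lsp.remaining)
            return self.lsps[lsp.lsp_id]
        return have

    def tick(self, seconds: int) -> None:
        """Advance time. Own LSPs are refreshed at the refresh interval; others
        run down to 0, are flooded as unreachable, and stay only as a tombstone."""
        for lsp in self.lsps.values():
            if not lsp.reachable:
                continue
            lsp.remaining -= seconds
            mine = lsp.lsp_id == self.owner
            if mine and lsp.remaining <= MAX_LSP_LIFETIME - LSP_REFRESH_INTERVAL:
                lsp.seq += 1
                lsp.remaining = MAX_LSP_LIFETIME
                self.flooded.append((lsp.lsp_id, lsp.seq, True))
            elif not mine and lsp.remaining <= 0:
                lsp.remaining = 0
                lsp.reachable = False
                self.flooded.append((lsp.lsp_id, lsp.seq, False))


def reboot_scenario(outage_seconds: int):
    """Router B's LSP is held by A; B reboots and comes back announcing seq 1.
    Returns (A's view of B's LSP just before B returns, B's final sequence
    number, whether A considers the LSP reachable afterwards)."""
    a, b = LsDatabase("A"), LsDatabase("B")
    a.receive(b.originate("B", seq=7))      # B had refreshed a few times already
    a.tick(outage_seconds)                  # B is gone; A only ages the LSP
    a_view = (a.lsps["B"].seq, a.lsps["B"].reachable)
    b = LsDatabase("B")                     # rebooted: empty database
    fresh = b.originate("B", seq=1)
    reply = a.receive(fresh)                # A keeps seq 7 and sends it back
    if reply.seq >= fresh.seq:
        b.originate("B", seq=reply.seq + 1) # B jumps past the stale copy
    a.receive(b.lsps["B"])
    return a_view, b.lsps["B"].seq, a.lsps["B"].reachable
```

A short outage leaves A holding the old LSP as reachable for the whole time (nothing is flushed early); a 20-minute outage lets it age to 0 and be flooded as unreachable; in both cases B comes back at sequence 8, not 1.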

IP Integration into IS-IS

IP routing is integrated into IS-IS via carrying IP reachability information in LSPs. All IP networks are considered externals, and they always end up as leaf nodes in the shortest path tree when IS-IS does a SPF run. This means that changes in IP reachability alone result only in a partial SPF run (Partial Route Calculation, or PRC); the routers in the tree need to calculate only the parts of the tree in which the leaf node for that destination network resides. Only L2 routers can summarize IP destinations to shorter masks.

Multiple net Statements

Sometimes, you will see a Cisco router configured with multiple net statements under router IS-IS. This is a useful technique for merging two domains or transitioning from one addressing scheme to another, but it's not generally recommended. When you configure two net statements, the router simply combines, or merges, the databases into one database. This means that routing occurring between what may normally be considered domains ends up appearing as simple L2 routing.


Appendix C. EIGRP Fundamentals

Enhanced Interior Gateway Routing Protocol (EIGRP) is an advanced distance vector protocol with many advantages:

• Minimal use of network resources in normal operation— EIGRP transmits only small hello packets during normal operation to maintain neighbor relationships; there are no periodic routing updates (flooding of the routing table to neighbors).
• Restricted use of network resources when reacting to network topology changes— EIGRP transmits only information about what has changed and also restricts (paces) the rate at which it sends packets so that it will not overwhelm a link.
• Rapid convergence— EIGRP converges very quickly during topology changes.
• Scalability— Because there are no periodic updates, and there is minimal use of network resources during convergence, EIGRP can scale into very large networks.

A major revision of the protocol occurred in IOS revisions 10.3(11), 11.0(8), and 11.1(3). Running software that implements the later revision of EIGRP is recommended to promote stability and interoperability. The primary addition to EIGRP in the newer revision is the pacing of packets so that EIGRP won't use more than 50 percent of the available bandwidth; although there are others, this is the most important change.

EIGRP is based on the Diffusing Update Algorithm (DUAL) to find the best loop-free paths through a network. This appendix will give you a general overview of the protocol rather than a complete understanding of every aspect of EIGRP's operation.

DUAL Operation

Typical distance vector protocols, such as RIP, use the distance (metric—in most cases, the hop count) to a destination network to determine the best path and save the vector (next hop) for only the best path. If the best path becomes unusable, the router waits until the next set of updates from each of its neighbors to find a new path (or rediscover an old path that was previously discarded). Waiting for periodic updates to discover alternate paths to a destination slows convergence time dramatically.

For example, if the network in Figure C-1 is running RIP, Router B will choose the path to 10.1.4.0/24 by examining the hop count through each available path. Because the path through Router C is three hops, and the path through Router A is two hops, Router B will choose the path through Router A and discard the alternate path it learned through Router C.

Figure C-1 Choosing the Best Route in an RIP Network

If Router A's path to 10.1.4.0/24 fails, Router B will continue believing that the best route to this destination is through Router A until it hasn't heard about 10.1.4.0/24 from Router A for three update periods (90 seconds in RIP). Once Router B has timed out the route through Router A, it must wait for Router C to re-advertise the route (which occurs every 30 seconds in RIP). Not including any hold-down time, it could take between 90 and 120 seconds for Router B to switch from the path through Router A to the path through Router C to reach 10.1.4.0/24.

Rather than discarding information about alternate paths, EIGRP builds a topology table from each of its neighbor's advertisements and converges by either looking for an alternate route in the topology table, or querying its neighbors if it knows of no other route. Then, EIGRP must provide:

• Some means of building and maintaining neighbor relationships. Because EIGRP doesn't periodically re-advertise routes, it relies on neighbor relationships to determine if the routes through a given neighbor are still usable.
• A way of determining if a given path advertised by a neighbor contains a loop. EIGRP must be able to determine if a route is a loop so that a list of valid alternate routes is available.
• A method of querying neighbors to find previously unknown paths. Split horizon and other circumstances can cause a router not to advertise all the destinations it can reach. Because EIGRP doesn't rely on periodic updates, routers must be able to query neighbors to find alternate routes that may be hidden.

Establishing Neighbor Relationships in an EIGRP Network

EIGRP conserves network bandwidth by using nonperiodic, incremental updates, which means changes to the network topology are transmitted between routers as needed. There are no full routing updates once a neighbor relationship has been established, and there are no periodic updates. The basic problem with nonperiodic updates is knowing when a path through a neighboring router is no longer available. There are no periodic updates to age routes and time them out. Instead, EIGRP relies on neighbor relationships; as long as the neighbor through which a path was learned is reachable, the path is assumed to be valid.

Because neighbor relationships are so important to the operation of the protocol, it is important to look at them closely. Refer back to Figure C-1 and examine the neighbor relationship between Routers A and B. Assume Router B is powered up and running; when Router A is powered on, it will begin sending hello packets out to the multicast address 224.0.0.10 on each of its interfaces. When Router B receives Router A's first hello (only one simple situation will be examined here), it will send a hello packet with the initialization bit set. Router A will receive this hello packet with the initialization bit set and begin transmitting its full routing table to Router B. Once Routers A and B have finished exchanging their routing tables, they will maintain this neighbor relationship with periodic hello packets.

This raises the question of how often to transmit hello packets. Determining how often to send hello packets is a matter of balancing between fast convergence and minimal network utilization. On higher speed and point-to-point links it's generally safe to transmit hello packets rather frequently, whereas on lower bandwidth, multipoint links conservation of bandwidth becomes more important. Specifically, hellos are sent every 5 seconds on:

• Broadcast media, such as Ethernet, Token Ring, and FDDI
• Point-to-point serial links, such as PPP or HDLC leased circuits, Frame Relay point-to-point subinterfaces, and ATM point-to-point subinterfaces
• High bandwidth, multipoint circuits, such as ISDN PRI, and Frame Relay multipoint circuits greater than T1 (as configured using the interface bandwidth command)

Hellos are sent every 60 seconds on multipoint circuits of T1 bandwidth or slower, such as Frame Relay multipoint interfaces, ATM multipoint interfaces, ATM switched virtual circuits, and ISDN BRIs. The rate at which hello packets are sent is called the hello interval and can be adjusted per interface using the ip eigrp hello-interval command. The amount of time that a router will consider a neighbor up without receiving a hello (or some other EIGRP packet) is called the hold time, and is typically three times the hello interval; so, the hold times are 15 seconds for a 5 second hello interval and 180 seconds for a 60 second hello interval by default. The hold time can be adjusted with the ip eigrp hold-time interface command.

Note
Note that if you change the hello interval, the hold time is not automatically adjusted to account for this change. You must manually adjust the hold time to reflect the configured hello interval.


I t is possible for t w o rout er s t o becom e EI GRP neighbor s ev en t hough t he hello and hold t im ers do not m at ch because t he hold t im e is included in hello packet s. A rout er w ill keep a neighbor up as long as it r eceives hello packet s fr om t hat neighbor w it hin t he hold t im e adver t ised in t he neighbor 's hello pack et . Alt hough t her e is no dir ect w ay t o det er m ine t he hello and hold int er v als, ex ecut ing sh o w ip e ig r p n e ig h b o r sev er al t im es in a r ow can giv e y ou a good idea of w hat t he hello int er val and hold t im er s ar e for a neighboring rout er . ( sh ow ip e ig r p n e ig h b o r cannot be used t o det er m ine t he hello and hold t im er s on t his r out er .) For exam ple:

router#show ip eigrp neighbor
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime   SRTT   RTO  Q    Seq
                                (sec)         (ms)       Cnt  Num
1   10.1.1.2        Et1           13 12:00:53   12   300  0    620
0   10.1.2.2        S0           174 12:00:56   17   200  0    645
router#show ip eigrp neighbor
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime   SRTT   RTO  Q    Seq
                                (sec)         (ms)       Cnt  Num
1   10.1.1.2        Et1           12 12:00:55   12   300  0    620
0   10.1.2.2        S0           173 12:00:57   17   200  0    645
router#show ip eigrp neighbor
IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime   SRTT   RTO  Q    Seq
                                (sec)         (ms)       Cnt  Num
1   10.1.1.2        Et1           11 12:00:56   12   300  0    620
0   10.1.2.2        S0           172 12:00:58   17   200  0    645

The Hold column will never get above the hold time and should never get below the hold time minus the hello interval (unless, of course, you are losing hello packets). If the Hold column usually ranges between 10 and 15 seconds, the hello interval is 5 seconds and the hold time is 15 seconds. If the Hold column usually has a wider range, between 120 and 180 seconds, the hello interval is 60 seconds and the hold time is 180 seconds. If the numbers do not seem to fit one of the default timer settings, check the interfaces on this router and the neighbor, because the timers have probably been configured manually.

It's possible for a link that can pass traffic in only one direction to result in a "half relationship" between two neighbors. Both routers will report retransmission limit exceeded errors at the console, and one router will have high Q counts and an SRTT of zero in show ip eigrp neighbor.
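The timer inference described above can be automated. The following Python script is an added example, not code from the book: it parses several show ip eigrp neighbor snapshots (the sample text below is constructed to match the three outputs shown), infers each neighbor's hello and hold timers from the range of the Hold column, and flags the one-way "half relationship" signature (queued packets with an SRTT of zero). The function names and the DEFAULT_TIMERS table are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: three snapshots of 'show ip eigrp neighbor', a few
# seconds apart, matching the outputs shown in the text.
HEADER = """IP-EIGRP neighbors for process 1
H   Address         Interface   Hold Uptime   SRTT   RTO  Q    Seq
                                (sec)         (ms)       Cnt  Num
"""
SNAPSHOTS = [
    HEADER + "1   10.1.1.2        Et1           13 12:00:53   12   300  0    620\n"
             "0   10.1.2.2        S0           174 12:00:56   17   200  0    645\n",
    HEADER + "1   10.1.1.2        Et1           12 12:00:55   12   300  0    620\n"
             "0   10.1.2.2        S0           173 12:00:57   17   200  0    645\n",
    HEADER + "1   10.1.1.2        Et1           11 12:00:56   12   300  0    620\n"
             "0   10.1.2.2        S0           172 12:00:58   17   200  0    645\n",
]
# Constructed snapshot of a neighbor that never acknowledges: packets pile up
# in the queue and no round-trip time has ever been measured.
HALF_RELATIONSHIP = HEADER + "2   10.1.3.2        S1            11 00:03:10    0  5000  14   0\n"

# One neighbor row: H, address, interface, hold, uptime, SRTT, RTO, Q count, sequence.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

# Default (hello interval, hold time) pairs from the text.
DEFAULT_TIMERS = [(5, 15), (60, 180)]


def parse_neighbors(text):
    """Return {address: {interface, hold, srtt, rto, qcnt, seq}} for one snapshot."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:          # banner and column-header lines
            continue
        _h, addr, intf, hold, _uptime, srtt, rto, qcnt, seq = m.groups()
        rows[addr] = dict(interface=intf, hold=int(hold), srtt=int(srtt),
                          rto=int(rto), qcnt=int(qcnt), seq=int(seq))
    return rows


def infer_timers(snapshots):
    """Guess each neighbor's (hello, hold) from the observed Hold range.

    The Hold column never exceeds the hold time and normally never drops below
    hold time minus hello interval, so the observed range must fit inside that
    window for one of the default pairs. None means no default pair fits and
    the timers were probably configured manually on the neighbor."""
    observed = defaultdict(list)
    for snap in snapshots:
        for addr, row in parse_neighbors(snap).items():
            observed[addr].append(row["hold"])
    guesses = {}
    for addr, holds in observed.items():
        lo, hi = min(holds), max(holds)
        guesses[addr] = next(
            ((hello, hold) for hello, hold in DEFAULT_TIMERS
             if hold - hello <= lo and hi <= hold), None)
    return guesses


def half_relationship_suspects(snapshot):
    """Neighbors showing the one-way-link signature: queued packets but SRTT 0."""
    return [addr for addr, row in parse_neighbors(snapshot).items()
            if row["qcnt"] > 0 and row["srtt"] == 0]


if __name__ == "__main__":
    print(infer_timers(SNAPSHOTS))                        # {'10.1.1.2': (5, 15), '10.1.2.2': (60, 180)}
    print(half_relationship_suspects(HALF_RELATIONSHIP))  # ['10.1.3.2']
```

Paste the output of several consecutive show ip eigrp neighbor runs into SNAPSHOTS; a neighbor whose Hold values fall outside both default windows comes back as None and deserves a look at its interface configuration.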

Metrics in an EIGRP Network

Before discussing the way EIGRP implements DUAL, you need to have some understanding of the metrics used. EIGRP uses the minimum bandwidth and the total delay to compute metrics. Other metrics can be used by adjusting the "k" values, but it's not recommended. (The "k" values change the way EIGRP uses the metric to determine the best path. I'm not certain why they are called "k" values. The reason is probably buried deep in the history of the original EIGRP design.) Adjusting the "k" values is very complex; it's possible to create routing loops when trying to use these other metrics. Following is the formula that EIGRP uses for computing the metric from the minimum bandwidth and the total delay (or the sum of the delays on the path):

Σ(delays) represents the sum of the delays on the path. Use Figure C-2 to see how the metrics are calculated in a simple network.

Figure C-2 EIGRP Metrics

When Router C advertises 10.1.1.0/24, it sets the bandwidth to 10000 and the delay to 100. When Router B receives the advertisement, it compares the bandwidth in the advertisement (10000) with the bandwidth of the interface that it received the advertisement on (128) and uses the lower of the two (in this case, 128). Then, Router B adds the delay configured on that interface to the delay in the advertisement, so that the total delay will be 1100. When Router A receives the advertisement from Router B, it performs the same procedure, reducing the minimum bandwidth to 56 and adding 2000 to the delay for a total delay of 3100. In Router B, the total metric to 10.1.1.0/24 would be

In Router A, the total metric to 10.1.1.0/24 would be


In case you're wondering, infinity is 4,294,967,295, which is 2^32 - 1, the largest value that fits in the 32-bit metric field. You'll probably get a different answer on some of these if you use a calculator to check them. This is because routers don't do floating-point math, so they truncate the decimal places at each division.
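The hop-by-hop computation for Figure C-2, carried through in Python as an added example (not code from the book). It uses the standard composite metric with the default K values, metric = (10^7 / minimum bandwidth + total delay) x 256, with bandwidth in kilobits per second and delay in tens of microseconds, and integer division at each step, which is how the text says routers compute it. The hop values are the ones given for Figure C-2; the function names are assumptions.

```python
# EIGRP's unreachable ("infinite") metric: the largest 32-bit value.
INFINITY = 4294967295


def composite_metric(min_bw_kbps, total_delay):
    """Composite metric with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0).

    min_bw_kbps: minimum bandwidth on the path, in kbps.
    total_delay: sum of interface delays on the path, in tens of microseconds.
    Every division is integer division, as a router does it."""
    if min_bw_kbps <= 0:
        return INFINITY
    return (10_000_000 // min_bw_kbps + total_delay) * 256


def receive(adv_bw, adv_delay, intf_bw, intf_delay):
    """What a router does with an advertisement it hears on an interface:
    keep the lower of the advertised and interface bandwidths, and add the
    interface's delay to the advertised delay."""
    return min(adv_bw, intf_bw), adv_delay + intf_delay


def metrics_along_path(origin_bw, origin_delay, hops):
    """Walk an advertisement away from its origin through a list of
    (interface_bandwidth, interface_delay) hops; returns the
    (min_bandwidth, total_delay, metric) seen at each receiving router."""
    bw, delay = origin_bw, origin_delay
    seen = []
    for intf_bw, intf_delay in hops:
        bw, delay = receive(bw, delay, intf_bw, intf_delay)
        seen.append((bw, delay, composite_metric(bw, delay)))
    return seen


def float_metric(min_bw_kbps, total_delay):
    """The same formula with floating-point division, to show why a calculator
    disagrees with the router."""
    return (10_000_000 / min_bw_kbps + total_delay) * 256


# Figure C-2: Router C originates 10.1.1.0/24 with bandwidth 10000 and delay 100;
# Router B hears it on a 128 kbps link with delay 1000; Router A hears Router B's
# advertisement on a 56 kbps link with delay 2000.
FIGURE_C2 = metrics_along_path(10000, 100, [(128, 1000), (56, 2000)])

if __name__ == "__main__":
    for router, (bw, delay, metric) in zip("BA", FIGURE_C2):
        print(f"Router {router}: min bw {bw} kbps, delay {delay}, metric {metric}")
    # Router B: 20281600; Router A: 46507776 (a calculator gives 46507885.7 for Router A)
```

The difference between composite_metric and float_metric for Router A (about 110) comes entirely from truncating 10^7 / 56 before the multiplication by 256, which is the discrepancy the text warns about.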

Loop Free Routes in EIGRP Networks

To understand how EIGRP determines if a path is valid (loop free), take a look at Figure C-3, which is a simple geometric figure. Each line here is assigned a length of 1 for simplicity. (Figure C-4 applies the same mechanics using real metrics.)

Figure C-3 Model for Valid Route Discovery

Because the length of each of these line segments is 1, the following total distances would be true:

• B to C = 1
• A to B to C = 2
• D to B to C = 2
• A to D to B to C = 3
• D to A to B to C = 3
• B to A to D to B to C = 4
• B to D to A to B to C = 4

If A advertises to B that it has a path to C through D, the total distance it advertises is 3. This is greater than B's best path to C, which is 1. In fact, it's mathematically impossible for A to ever advertise a route to C that passes through B and is better than B's best path, because such a route always includes the distance between B and C. Given this, it's relatively simple for B to determine if the path to C that A is advertising has already passed through B (and so is looped, or invalid): simply compare the total distance A is advertising with the best path currently known. If the path A is advertising is longer (has a higher total distance) than the best path currently known, it's possible that the advertised path is a loop and shouldn't be used. With this in mind, look at the example in Figure C-4 and see how this works with real metrics.

Figure C-4 EIGRP Loop Detection

Router B will receive three advertisements for 10.1.1.0/24 as follows:

• Through Router A with a metric of 2500096
• Through Router C with a metric of 281600
• Through Router D with a metric of 2500096

Normally, Router B receives only one of these advertisements, through Router C, because of split-horizon. Split-horizon is turned off in this example to explain how EIGRP finds invalid routes based only on the metrics. Router B adds the metric through the interface that it receives the advertisements on, and now it has these paths:

• Through Router A with a metric of 2756096
• Through Router C with a metric of 1988096
• Through Router D with a metric of 2756096

Now, Router B chooses the best path (lowest metric) to 10.1.1.0/24, which is through Router C, and uses this as a "measuring stick." Because the distances advertised by Routers A and D (before Router B adds the metrics in through its interfaces) are both higher than the best path (after Router B adds in its interface metrics), neither of these paths is valid. Remember from the previous example in Figure C-3 that it's mathematically impossible for the metric through A or D to be lower than the total distance to the destination if the path contains a loop (passes through B more than once).


To put this in EIGRP terms:

• The distance to the destination advertised by the neighbor is the reported distance.
• The best metric available to the network is the feasible distance.
• The neighbor with the best metric to a destination is the successor.
• Any neighbors whose reported distances are less than the feasible distance are feasible successors. (They are advertising a loop free route.)

This model is conservative. Sometimes, a route is determined to be a possible loop when it isn't.
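The loop-freedom test above, applied to the Figure C-4 numbers as an added Python example (not code from the book). Each advertisement is a neighbor's reported distance plus the metric of the link it arrived on; the function picks the successor, then accepts as feasible successors only those neighbors whose reported distance is below the feasible distance. The per-link metrics are an assumption chosen so the totals match the ones the text lists, and the extra neighbor E in the second table is constructed to show a feasible successor being accepted.

```python
def evaluate_destination(advertisements):
    """advertisements: {neighbor: (reported_distance, inbound_link_metric)}.

    Returns (feasible_distance, successor, feasible_successors, rejected):
      - feasible_distance: best total metric to the destination
      - successor: neighbor providing that best metric
      - feasible_successors: other neighbors whose reported distance is
        strictly below the feasible distance (guaranteed loop free), best first
      - rejected: neighbors failing that test (possibly looped, never used)
    """
    totals = {n: rd + link for n, (rd, link) in advertisements.items()}
    successor = min(totals, key=totals.get)
    fd = totals[successor]
    feasible, rejected = [], []
    for neighbor, (rd, _link) in advertisements.items():
        if neighbor == successor:
            continue
        (feasible if rd < fd else rejected).append(neighbor)
    feasible.sort(key=totals.get)
    return fd, successor, feasible, rejected


# Figure C-4 as seen by Router B with split-horizon off: reported distances
# from the text, and (assumed) inbound link metrics that give the listed totals.
FIGURE_C4 = {
    "A": (2500096, 256000),     # total 2756096
    "C": (281600, 1706496),     # total 1988096, the best path
    "D": (2500096, 256000),     # total 2756096
}

# Constructed variant: neighbor E's total is worse than C's, but its reported
# distance is below the feasible distance, so it is a usable backup.
WITH_BACKUP = dict(FIGURE_C4, E=(1500000, 600000))   # total 2100000

if __name__ == "__main__":
    print(evaluate_destination(FIGURE_C4))    # (1988096, 'C', [], ['A', 'D'])
    print(evaluate_destination(WITH_BACKUP))  # (1988096, 'C', ['E'], ['A', 'D'])
```

Note that A and D are rejected on their reported distances alone, before their link metrics are even considered; that is the "measuring stick" comparison, and it is also why the test is conservative, since a neighbor with a genuinely loop-free but expensive path fails it just the same.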

Split-Horizon in EIGRP

Split-horizon in an EIGRP network can be a bit confusing. Following is a short example. Going back to basics, split-horizon is a loop prevention rule, which states that a router should not advertise a route through the interface it learned the route on. Take a look at Figure C-5 for an example.

Figure C-5 Split-Horizon in EIGRP

In this figure, Router A is advertising the 192.168.10.0/24 network to Routers B and C. The numbers indicated on the links between the routers represent the bandwidth configured on the links rather than the total metric or some other measurement. If you examine the EIGRP topology table for each of these three routers, you will find that Router A has only one path to 192.168.10.0/24 (as you would expect) because it has a directly connected route. Router B has two routes, one through Router A and the other through Router C, and it is choosing the path through Router C (the minimum bandwidth through Router C is 10,000 rather than 1,000). However, Router C is showing only one path, through Router A. Why isn't it showing the path through Router B? Because Router B is "split-horizoning" the advertisement of this destination to Router C. Why? Because Router B chose the route through Router C as its best path to 192.168.10.0/24. What about Router C? Because it could be learning about this network through Router B, shouldn't it be split-horizoning its advertisement to Router B as well? No, the split-horizon rule for EIGRP is slightly different than it is for other distance-vector protocols. EIGRP split-horizons, or doesn't advertise a route, out of a given interface only when the router is using that interface to forward packets toward the destination in question. In this example, Router C isn't using the link between itself and Router B to reach 192.168.10.0/24; it's using the link toward Router A. So, Router C advert ises this destination out toward Router B, regardless of what alternate paths it might be learning from Router B.

Clearing the Topology Table and Querying Neighbors in EIGRP Networks

Once EIGRP has built a topology table and decided which paths are not looped, it needs some way to adjust to changes in that topology table. Because EIGRP uses non-periodic updates, it does not time routes out of its table; the route must either be removed by new information from a neighbor, or through tearing down a neighbor relationship. When a router loses its connection to a destination, it will examine its topology table first to determine if it has a feasible successor for that destination. If a feasible successor exists, the router will do the following:

1. Remove the old route.
2. Replace the old successor with the new one.
3. Re-compute the topology table for that destination. (Changing the feasible distance may produce a new set of feasible successors.)
4. Update any neighbors on the change in its path.

If, however, a router loses its route to a destination, and it has no other loop free routes to that destination, the router will query each of its neighbors to see if any of them has another path. At first glance, this may seem unnecessary, but it serves three purposes:

• To re-evaluate paths that may have been rejected as looped.
• To learn of paths that may not have been originally advertised due to split-horizon rules.
• To inform all neighbors that this router no longer has a path to this network; if they are relying on this path to reach this destination, they need to find a new path because this one is no longer available.


In Figure C-6, if Router D's interface on 10.1.1.0/24 goes down (later, you discover the cable dangling out of the router, of course), Router D would immediately mark this destination as unreachable and query each of its neighbors, Routers B and C in this case, for a new path to this destination (arrow 1 in Figure C-6). Routers B and C are both using Router D as their successor to this network and, therefore, mark the destination as unreachable and query each of their neighbors (arrows 2 and 3). Because the link between Routers A and C is faster than the link between Routers A and B, Router A uses Router C as its successor to this network, and the query from Router C arrives first (in theory anyway; there are many other sequences in which these events could occur, but the end result will be the same).

Figure C-6 Query Path through a Network

When Router A receives the query from Router C, it examines its topology table, notes that it has a feasible successor for this destination through Router B, and queues a response for Router C. Assume the query from Router B arrives before that response is sent; Router A notes that it has no other feasible successors and marks the route as unreachable. Then, Router A adjusts its response to Router C to make the replied metric unreachable and also sends a packet to Router B, notifying it that this path is unreachable (arrows 4 and 5). When these replies arrive at Routers B and C, these routers remove the destination from their topology tables and send responses back to Router D that this path is unreachable (arrow 6). Once Router D receives all the answers, or replies, to its queries, it sends updates to Routers B and C to notify them that 10.1.1.0/24 is no longer reachable. Routers B and C, in turn, propagate this information to Router A.

Stuck-in-Active Routes

When a router queries its neighbors about a route, the route is placed in active mode. (The router is actively seeking a path to this destination.) A route that has remained active for three minutes is called stuck-in-active. When a route is stuck-in-active, the neighbor that has not answered is reinitialized, effectively clearing the stuck-in-active state.


There are many reasons a route could be in the stuck-in-active state; the most likely reason is a poorly performing link (or a series of borderline links) in the query path. Other possibilities include a router that cannot immediately answer the query (being out of memory or having high CPU utilization are common problems), or a network that is simply so large that the queries cannot travel through it in under three minutes.

Bounding Queries in EIGRP Networks

The stability of a large-scale EIGRP network is often dependent on the range of a query through the network. If a query must travel from one end of a large network to the other, the odds are high that stuck-in-actives will be common. Essentially, the greater the number of routers and links a query must traverse, the greater the likelihood of encountering a poor link or a router that cannot answer immediately. Therefore, the likelihood is greater that a route will become stuck-in-active. There are two primary ways to bound the range of a query:

• Summarization, which is covered in the next section.
• Distribution lists, which are covered in Chapter 7, "EIGRP Network Design."

EIGRP Summarization

EIGRP routes, external and internal, can be summarized manually or automatically. (The latter is called autosummarization.) Manual summarization can be configured at any bit boundary using an interface level command such as the following:

ip summary-address eigrp autonomous-system-number summary-address mask

With this configured, EIGRP will do the following:

1. Build a routing table entry for this summarized network to the interface null0.
2. Advertise the summary out of the interface it is configured on.
3. Stop advertising the components of this summary out of that interface; any components previously advertised are withdrawn (advertised as unreachable).

The route will be marked as a summary in both the routing table and the topology table on the router where the summarization takes place (the router generating the summary). Autosummarization occurs when a router is on the boundary of two different major networks. A router running EIGRP will automatically create a summary for each of the major networks to advertise toward its neighbors in the other major network. In Figure C-7, Router B would build a route for 10.0.0.0/8 to null0 and advertise it to Router C; it would also build a route for 172.16.0.0/16 to null0 and advertise it to Router A. This behavior can be modified by configuring no auto-summary under the router EIGRP process on B, in which case it would advertise the subnets rather than the major network summaries.

Figure C-7 Autosummarization in EIGRP

There is a caveat concerning autosummarization and external routes in EIGRP: external routes will not be autosummarized unless there is some internal component of the same major network. In the network in Figure C-7, if Routers A and B are running EIGRP and Routers B and C are running RIP (or some other protocol), Router B advertises 172.16.1.0/24 rather than 172.16.0.0/16 to Router A. If, however, Router C is running RIP toward its Ethernet link and EIGRP toward its serial link (with both Routers A and B running EIGRP), then Router B will autosummarize, because the 172.16.1.0/24 network is an internal route and it is in the same major network as the external from RIP. This has some implications for designs that use multiple EIGRP autonomous systems. If the autonomous system borders are on major network boundaries, designs of this type will do more harm than good, because autosummarization will be defeated.
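The summarization rules from this section and the previous one, worked through in Python as an added example (not code from the book). Given the routes a router knows, the neighbor on one interface and any ip summary-address eigrp summaries configured there, it returns what goes out of that interface and which null0 routes are created: manual summaries suppress their components, routes in a different major network than the neighbor are autosummarized, and an external route is autosummarized only when an internal route shares its major network. The helper names and the addresses are assumptions; the route lists are constructed from Figure C-7.

```python
import ipaddress


def major_network(prefix):
    """Classful (major) network containing a prefix or host address."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    length = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network((int(net.network_address), length), strict=False)


def advertisements(routes, neighbor_address, summaries=(), auto_summary=True):
    """Prefixes advertised out of one interface, and the null0 routes created.

    routes: list of (prefix, kind) with kind "internal" or "external".
    neighbor_address: address of the neighbor on this interface, used to find
      the major network on the far side for autosummarization.
    summaries: prefixes from ip summary-address eigrp on this interface.
    Returns (sorted advertised prefixes, sorted prefixes routed to null0)."""
    advertised, null0, remaining = set(), set(), []
    summary_nets = [ipaddress.ip_network(s) for s in summaries]

    # Manual summaries: a null0 route and the summary itself go out, and the
    # components covered by the summary are suppressed on this interface.
    for prefix, kind in routes:
        net = ipaddress.ip_network(prefix)
        covering = [s for s in summary_nets if net.subnet_of(s)]
        if covering:
            for s in covering:
                null0.add(str(s))
                advertised.add(str(s))
        else:
            remaining.append((net, kind))

    # Autosummarization: routes in a different major network than the
    # neighbor are collapsed to that major network. Externals are only
    # summarized when an internal route shares their major network.
    neighbor_major = major_network(f"{neighbor_address}/32")
    majors_with_internal = {major_network(str(n)) for n, k in remaining if k == "internal"}
    for net, kind in remaining:
        major = major_network(str(net))
        summarize = (auto_summary and major != neighbor_major
                     and (kind == "internal" or major in majors_with_internal))
        if summarize:
            advertised.add(str(major))
            null0.add(str(major))
        else:
            advertised.add(str(net))
    return sorted(advertised), sorted(null0)


# Figure C-7, Router B toward Router C (which sits in 172.16.0.0/16).
B_ROUTES = [("10.1.1.0/24", "internal"), ("10.1.2.0/24", "internal"),
            ("172.16.1.0/24", "internal")]

if __name__ == "__main__":
    print(advertisements(B_ROUTES, "172.16.1.2"))
    # (['10.0.0.0/8', '172.16.1.0/24'], ['10.0.0.0/8'])
    # The external-route caveat, toward Router A in 10.0.0.0/8:
    print(advertisements([("172.16.1.0/24", "external")], "10.1.1.1"))
    # (['172.16.1.0/24'], [])
```

Run the external-route case twice, once with and once without an internal 172.16.x route in the list, to see the caveat flip the advertisement between the /24 and the /16; that flip is exactly what breaks designs that put an EIGRP autonomous system border on a major network boundary.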

Changing Metrics in EIGRP for Reliable Transport

Whenever you are trying to change the path EIGRP chooses between two routers, it is best to change the delay metrics along the path rather than the bandwidth metrics. The primary reason for this is that the bandwidth configured on the interface affects the operation of EIGRP's reliable transport mechanism. Using bandwidth statements to influence routing decisions can have unintended consequences, because the installation of a new link can unexpectedly override your bandwidth configuration. The delay metrics are cumulative; so, their effect is more predictable and manageable in the long run.

Load Balancing in EIGRP Networks

Like all other protocols on a Cisco router, if EIGRP discovers up to six equal cost paths to a given destination, it installs all six routes in the routing table (assuming maximum-paths 6 is configured), and the router will load balance (or traffic share) over them. EIGRP, however, has the capability to install unequal cost routes in the routing table, and the router will share traffic over them in inverse proportion to their metrics. Use the variance command in router configuration mode to allow EIGRP to load balance over paths with unequal metrics.

The variance is a multiplier: if a route's metric is less than or equal to the best metric multiplied by the variance, the route will be installed in the routing table. Only feasible successors are eligible; a path whose reported distance is not lower than the feasible distance is never installed, no matter how large the variance. For example, if you had paths with metrics of 100, 200, 300, and 400 in the topology table, and the variance is set to the default value of 1, only the path with a metric of 100 will be used. If you set the variance to 2, both the best path (with a metric of 100) and the path with a metric of 200 will be installed in the routing table. Setting the variance to 3 includes the route with a metric of 300, and so on. The router will load balance over these multiple paths in inverse proportion to their metrics, so the lower-metric path carries more of the traffic.
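The variance rule, as an added Python example (not code from the book). For one destination it returns the paths EIGRP would install under a given variance and maximum-paths, applying both tests: the path must be a feasible successor (reported distance below the best metric) and its metric must be within variance times the best metric. The topology table is constructed, and the traffic-share computation (worst installed metric divided by each path's metric, truncated) is an assumption that gives the inverse-proportion sharing the text describes, not a claim about the exact IOS algorithm.

```python
def installed_paths(candidates, variance=1, max_paths=6):
    """candidates: {next_hop: (reported_distance, metric)} from the topology table.

    A path is installed when it is a feasible successor (reported distance
    below the best metric, so it is loop free) and its metric is at most
    variance times the best metric. Returns [(next_hop, metric, share)] with
    the best path first; share is the relative number of packets sent that way
    (assumed scheme: worst installed metric divided by this metric, truncated).
    """
    best = min(metric for _rd, metric in candidates.values())
    chosen = []
    for hop, (rd, metric) in candidates.items():
        if rd >= best:                 # not a feasible successor: possibly looped
            continue
        if metric > best * variance:   # outside the variance window
            continue
        chosen.append((hop, metric))
    chosen.sort(key=lambda pair: pair[1])
    chosen = chosen[:max_paths]
    worst = chosen[-1][1]
    return [(hop, metric, worst // metric) for hop, metric in chosen]


# Constructed topology table for one destination: R4 has a better metric than
# R3, but its reported distance is above the best metric, so no variance can
# ever bring it in; R3 is a feasible successor and comes in at variance 4.
CANDIDATES = {
    "R1": (50, 100),
    "R2": (90, 200),
    "R3": (80, 400),
    "R4": (150, 300),
}

if __name__ == "__main__":
    for v in (1, 2, 4):
        print(v, installed_paths(CANDIDATES, variance=v))
    # 1 [('R1', 100, 1)]
    # 2 [('R1', 100, 2), ('R2', 200, 1)]
    # 4 [('R1', 100, 4), ('R2', 200, 2), ('R3', 400, 1)]
```

R4 is the case people trip over in practice: raising the variance to cover its metric does nothing, because a path that failed the feasibility test is not in the candidate set to begin with.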


Appendix D. BGP Fundamentals

The Border Gateway Protocol version 4 (BGP4, or just BGP) is an exterior gateway routing protocol used between routing domains (or autonomous systems). BGP is the protocol used between all Internet service providers (ISPs) and in the cores of other very large networks. BGP provides extremely stable routing between autonomous systems (ASs), even with huge routing tables, and provides network administrators with a great deal of control and flexibility over routing policy. This appendix provides an overview of the BGP protocol, not a detailed explanation of every aspect of BGP's operation. For further detail, see Internet Routing Architectures by Bassam Halabi (Cisco Press), CCIE Professional Development: Routing TCP/IP, Volume I by Jeff Doyle (Cisco Press), and the relevant RFCs published by the IETF.

Mechanics of a Path Vector Protocol

BGP is unique among all the currently used routing protocols because it relies on information about the vector (direction) to a destination and the path to a destination to prevent routing loops. All other commonly used routing protocols, such as OSPF, IS-IS, and EIGRP, rely on metrics or costs combined with some level of topology information to prevent routing loops. Look at Figure D-1 for an example of the operation of a path vector protocol. Suppose that Router A originates a route to 10.1.1.0/24 toward Router B. In the information on how to reach this destination, Router A notes that it is the first router in the path. Router B receives this route, adds itself to the path, and advertises the destination to Router C. Router C adds itself to the path and advertises it to Router D. When Router D receives the route to this destination, it sees that the path is through Routers C, B, and A. It, likewise, adds itself to the path and advertises it back to Router A. When Router A receives this advertisement, it sees that it is already in the path to this destination and rejects the route. This is essentially how BGP works, except that instead of individual routers marking the route with some information, each AS in the path marks the route. Any router that receives the route can see if the path to this destination is a loop by checking whether the AS it is in is one of the ASs listed in the path. For a concrete example, see Figure D-2.

Figure D-1 A Path Vector Example


Figure D-2 An AS-Based Path Vector Example

In this case, Router A originates a route for 10.1.1.0/24 toward Router B, which in turn forwards it to Router C. Router C is in a different AS, so when Router B advertises the route to it, Router B prepends its own AS number, AS1, to the path to this destination (the AS path). Router C forwards the route to Router D, which is in yet another AS, so Router C prepends its own AS number, AS3, to the AS path. Router D then forwards the route to Router E, prepending its own AS number in turn. When Router E receives this route, it examines the AS path and sees that the AS it is in, AS1, is already in the AS path. Because of this, Router E will assume this advertisement represents a loop (it does, from an AS-level view) and discards the advertisement.

Path Decision

Because BGP doesn't rely on any type of metric to determine if a path is looped, the metrics it does use are more policy-based; that is, they can be used by network administrators to set policies for routers to use when selecting a path. BGP only advertises the best route to each of its neighbors (unless BGP multipath is configured; this is covered in Chapter 8, "BGP Cores and Network Scalability"). Listed in order of importance, these metrics are as follows:

• Administrative weight
• Local preference
• Locally originated routes
• Shortest AS path
• Lowest origin
• Multi-Exit Discriminator (MED)
• Prefer externals
• Path through nearest neighbor if synchronization is on
• Path through neighbor with the lowest router ID

The sections that follow discuss some of these metrics individually.

Local Preference

A route map generally sets local preference when a destination network (prefix) is advertised to or received from a BGP peer. The local preference is advertised with the prefix throughout the AS. The local preference is used to set a preferred exit point for this destination from this AS.

AS Path Length

The path with the shortest AS path length is preferred if all factors with more weight than path length are equal.

MED

The MED, or metric, is generally set using a route map when a prefix is advertised to a neighboring AS. A MED received from one AS is not passed along when the prefix is advertised on to a third AS; it is non-transitive. The MED is considered to be a hint about which entry point into an AS the administrator would like traffic for that destination to use. It is generally checked only if the AS paths on two routes are equal in length and begin with the same neighboring AS. In other words, the MEDs of two prefixes learned from different neighboring ASs are not considered.

On a Cisco router, bgp always-compare-med will compare MEDs from different ASs. This is not the default.

Lowest Router ID

If all metrics previously listed are equal, BGP selects the path through the neighbor with the lowest router ID. This final metric can become an issue in places where an AS has two connections to another AS. (See "Case Study: Dual-Homed Connections to the Internet" in Chapter 8, "BGP Cores and Network Scalability.")
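The selection order above, as an added Python example (not code from the book). It compares two paths attribute by attribute in the order listed, applies the MED rule from the MED section (MEDs are compared only when both paths come through the same neighboring AS, unless bgp always-compare-med is on), and falls through to the router ID. The Path record, its field names, the constructed candidates, and treating "nearest neighbor" as the lowest IGP metric to the next hop are assumptions of this example.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}   # lower is preferred


@dataclass
class Path:
    """One candidate path for a prefix, as held in the BGP table (assumed layout)."""
    neighbor: str                 # peer the path was learned from
    as_path: tuple                # e.g. (65002, 65010); empty if locally originated
    weight: int = 0               # Cisco administrative weight (higher preferred)
    local_pref: int = 100         # higher preferred
    origin: str = "igp"           # igp, egp or incomplete
    med: int = 0                  # lower preferred, compared only under the MED rule
    ebgp: bool = True             # learned from an external peer
    igp_metric: int = 0           # IGP distance to the next hop (lower preferred)
    router_id: str = "0.0.0.0"    # final tie-breaker (lower preferred)

    @property
    def locally_originated(self):
        return len(self.as_path) == 0


def _ip_key(dotted):
    return tuple(int(octet) for octet in dotted.split("."))


def better(a, b, always_compare_med=False):
    """Return whichever of two paths wins, checking attributes in order."""
    if a.weight != b.weight:
        return a if a.weight > b.weight else b
    if a.local_pref != b.local_pref:
        return a if a.local_pref > b.local_pref else b
    if a.locally_originated != b.locally_originated:
        return a if a.locally_originated else b
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if ORIGIN_RANK[a.origin] != ORIGIN_RANK[b.origin]:
        return a if ORIGIN_RANK[a.origin] < ORIGIN_RANK[b.origin] else b
    # MED is only meaningful between paths from the same neighboring AS
    # (the first AS in the path) unless always-compare-med is configured.
    same_neighbor_as = bool(a.as_path) and bool(b.as_path) and a.as_path[0] == b.as_path[0]
    if (same_neighbor_as or always_compare_med) and a.med != b.med:
        return a if a.med < b.med else b
    if a.ebgp != b.ebgp:
        return a if a.ebgp else b
    if a.igp_metric != b.igp_metric:
        return a if a.igp_metric < b.igp_metric else b
    return a if _ip_key(a.router_id) <= _ip_key(b.router_id) else b


def best_path(paths, always_compare_med=False):
    """Run the pairwise comparison over a list of candidate paths."""
    winner = paths[0]
    for candidate in paths[1:]:
        winner = better(winner, candidate, always_compare_med)
    return winner


# Constructed candidates for one prefix: same AS path length, different
# neighboring ASs, so the MED is ignored by default and the router ID decides.
VIA_AS65002 = Path("10.0.0.1", (65002, 65010), med=50, router_id="10.0.0.1")
VIA_AS65003 = Path("10.0.0.2", (65003, 65010), med=10, router_id="10.0.0.2")
# Same neighboring AS as VIA_AS65002: now the MED is compared.
VIA_AS65002_LOW_MED = Path("10.0.0.3", (65002, 65010), med=5, router_id="10.0.0.3")
# Longer AS path but higher local preference, which is checked first.
PREFERRED_EXIT = Path("10.0.0.4", (65002, 65010, 65011), local_pref=200, router_id="10.0.0.4")

if __name__ == "__main__":
    print(best_path([VIA_AS65002, VIA_AS65003]).neighbor)                  # 10.0.0.1
    print(best_path([VIA_AS65002, VIA_AS65003], True).neighbor)            # 10.0.0.2
    print(best_path([VIA_AS65002, VIA_AS65002_LOW_MED]).neighbor)          # 10.0.0.3
    print(best_path([VIA_AS65002, VIA_AS65003, PREFERRED_EXIT]).neighbor)  # 10.0.0.4
```

The first two calls are the MED trap from the MED section: the neighbor with the lower MED loses on router ID until always-compare-med is set, because the two paths enter through different neighboring ASs.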

Community Strings

A community string is a string of numbers (and you thought it was characters) that can be used to tag a prefix. This tag can then be used for things like:

• Entry point control: Because the MED, in many cases, isn't used in path determination (because the AS path of two routes must be the same for the MED to be compared), there is a system where a router receiving a prefix with a given community string set will set its local preference.
• Propagating Quality of Service (QoS) information: An arrangement could be made between two BGP peers so that tagging a prefix with a given community string results in the packets destined to that subnet being treated differently.

Community strings are set and checked using route maps. (See the section, "Filtering with Route Maps," later in this appendix for more on this topic.)

Neighbor Relationships

Most advanced routing protocols have some system of neighbor discovery, generally a hello protocol, so that a router can discover neighbors and trade routing information reliably. BGP is an exception because it requires the manual configuration of neighbor relationships; it does not discover neighbors automatically. Like other advanced routing protocols, though, BGP requires a reliable transport system to guarantee that packets don't get lost between peers. BGP uses TCP for reliable transport. When a router running BGP (a BGP speaker) is configured to build a neighbor relationship with another BGP speaker, it first builds a TCP connection to transport information. (Port 179 is the well-known port for BGP.) This means that IP connectivity between BGP speakers must exist before a BGP session can be set up between the two routers. Once a neighbor relationship is set up between two routers, they trade full routing information (as allowed by any filters that are applied; more on filters in the section "Route Filtering in BGP"). After this, BGP speakers send only incremental updates to neighbors, advertising or withdrawing prefixes as necessary.


Exterior BGP

BGP peers in two different ASs will automatically form an Exterior BGP (eBGP) neighbor relationship. Refer to Figure D-3 for an overview of how eBGP works.

Figure D-3 eBGP Peers

Router A advertises the 10.1.1.0/24 prefix through an Interior Gateway Protocol (IGP) to Router B, which has an eBGP neighbor relationship with Router C. There are several ways this route can be injected into BGP by Router B:

• Redistribution: Router B can redistribute routes from the IGP used between Router A and Router B into BGP. Routes injected this way carry the origin code incomplete (shown as ? in show ip bgp).
• network statement: Router B can have a network statement configured under router bgp which matches 10.1.1.0/24. Note that, unlike many other routing protocols, the network statement in BGP does not indicate which interfaces to run the protocol on; rather, it indicates the prefixes to advertise. If a router has an exact match (including prefix length) in its routing table for a network statement under router bgp, it advertises this prefix.
• aggregate-address statement: Router B can summarize the 10.1.1.0/24 network into a larger block of IP addresses through an aggregate-address statement configured under router bgp.

Once Router B determines that it should advertise this prefix to Router C, it sends an update. Because the destination originates within Router B's AS, the AS path Router B holds for it is empty; when Router B advertises the prefix to its eBGP peer, it prepends its own AS number, so the update Router C receives carries an AS path consisting of Router B's AS alone. The next hop for this route is Router B's IP address. When Router C receives this update, it notes that the update came from an eBGP peer, checks that its own AS is not already in the AS path, and places the prefix in the BGP table. Router C may or may not install this prefix in its routing table, depending on other routes available to this prefix, and so forth.


Interior BGP

When a BGP speaker is configured with a neighbor in the same AS, these routers become iBGP peers. To understand iBGP better, refer to Figure D-4 for the discussion that follows. As Figure D-4 demonstrates, Router A is advertising the 10.1.1.0/24 destination as an eBGP route to Router B; Router B is in turn advertising this route through iBGP to Router C. When this prefix is passed to Router C, the next hop isn't changed (it remains Router A's IP address) unless next-hop-self is configured, and the AS path isn't changed (because the prefix wasn't advertised across an AS boundary). The AS path not changing explains one of the most severe restrictions of iBGP: iBGP peers cannot advertise a route learned via iBGP to another iBGP neighbor. Figure D-5 adds a couple of routers to provide a better idea of why iBGP peers must be fully meshed.

Figu r e D - 4 iBGP Pe e r s

Figu r e D - 5 iBGP Pe e r s


Using the iBGP peering shown in Figure D-5, follow the chain of events that occur if 10.1.1.0/24 is advertised from Router A to Router B. Note that this normally does not occur; iBGP doesn't allow routes to be advertised in this manner. This discussion is only to illustrate why iBGP doesn't allow this. Router B advertises this prefix to Router C, which in turn advertises it to Router D. Router D advertises this prefix to each of its peers, including Router E, which advertises it to Router C. At this point, Router C has received two iBGP advertisements for the 10.1.1.0/24 prefix: one through Router B and one through Router E. Which path does Router C choose? Because the next hop and AS path aren't changed when a prefix is advertised from one iBGP peer to another, Router C has no way of knowing that the path it's learning from Router E is a loop! To prevent this sort of problem, iBGP peers are not allowed to advertise a route learned through iBGP to another iBGP neighbor. The practical application of this rule results in another rule: iBGP peers must be fully meshed. There are ways around the full mesh rule in iBGP, but they are covered in Chapter 8 rather than here.
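The two behaviours just described, eBGP loop detection through the AS path and the blindness of iBGP to its own loops, can be reproduced with a small model. The following is an added example, not code from the book; the router names, AS numbers, addresses and the B-C-D-E-C chain are assumed to mirror Figures D-4 and D-5.

```python
# Added example (not from the book): a toy model of the AS_PATH rules the text
# describes, to show why eBGP detects a looping route and iBGP cannot.
# Router names, AS numbers, addresses and the topology are assumed for the demo.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: tuple      # leftmost AS is the one most recently prepended
    next_hop: str


@dataclass
class Router:
    name: str
    asn: int
    addr: str
    bgp_table: dict = field(default_factory=dict)   # prefix -> [Route, ...]


def advertise(sender: Router, receiver: Router, route: Route) -> bool:
    """Model one BGP UPDATE from sender to receiver; return True if accepted."""
    if sender.asn != receiver.asn:
        # eBGP: the sender prepends its own AS and sets NEXT_HOP to itself
        # before sending; the receiver drops any path that already carries
        # its own AS, which is BGP's only loop protection.
        route = Route(route.prefix, (sender.asn,) + route.as_path, sender.addr)
        if receiver.asn in route.as_path:
            return False
    # iBGP: AS_PATH and NEXT_HOP are passed on unchanged, so nothing in the
    # update reveals how many iBGP hops it has already taken inside the AS.
    receiver.bgp_table.setdefault(route.prefix, []).append(route)
    return True


def ebgp_loop_is_detected() -> bool:
    """AS 1 -> AS 2 -> AS 3 -> back to AS 1: the last hop must be refused."""
    a = Router("A", 1, "192.0.2.1")
    b = Router("B", 2, "192.0.2.2")
    c = Router("C", 3, "192.0.2.3")
    advertise(a, b, Route("10.1.1.0/24", (), a.addr))   # locally originated: empty path
    advertise(b, c, b.bgp_table["10.1.1.0/24"][0])
    return not advertise(c, a, c.bgp_table["10.1.1.0/24"][0])


def ibgp_paths_seen_by_c() -> list:
    """The Figure D-5 chain, run as if iBGP-learned routes could be re-advertised
    to another iBGP peer: B -> C -> D -> E -> C."""
    a = Router("A", 1, "192.0.2.1")
    b, c, d, e = (Router(n, 2, f"198.51.100.{i}") for i, n in enumerate("BCDE", 1))
    advertise(a, b, Route("10.1.1.0/24", (), a.addr))
    for src, dst in ((b, c), (c, d), (d, e), (e, c)):
        advertise(src, dst, src.bgp_table["10.1.1.0/24"][-1])
    return c.bgp_table["10.1.1.0/24"]


if __name__ == "__main__":
    print("eBGP loop refused:", ebgp_loop_is_detected())
    for r in ibgp_paths_seen_by_c():
        print("Router C holds:", r)   # two entries, indistinguishable from each other
```

Router C ends up with two entries for 10.1.1.0/24 whose AS path and next hop are identical, which is exactly why the protocol forbids the re-advertisement rather than trying to detect it.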

The Next Hop Attribute

The previous section briefly mentioned that the next hop attribute in the advertised prefix is not changed between iBGP neighbors. The next hop may also be set to a router other than the advertising router when eBGP is running across a multi-access network. For an example, see Figure D-6.

Router C is advertising the 10.1.1.0/24 network to Router B via an IGP, and, in turn, Router B is advertising this prefix to Router A via eBGP. Because it doesn't make any sense in this situation for the traffic to flow from Router A to Router B and then back over the same Ethernet to Router C, Router B advertises the next hop as Router C (a third-party next hop). The neighbor {ip-address | peer-group-name} next-hop-self command can be used to alter this behavior. Configuring this on Router B causes it to advertise its own address as the next hop, so all traffic flows through Router B if that is the desired behavior.

Route Filtering in BGP

Because BGP focuses on administrative control of routing, it's only natural that it should have vast filtering capabilities, and it does! This is, in fact, one of the most confusing areas of configuring BGP. The following sections discuss the filtering capabilities of BGP via route maps, set and match statements, prefix lists, and distribution lists.

Figure D-6 Next Hop on a Multi-Access Network

Filtering with Route Maps

Filtering in BGP on Cisco routers is typically done using route maps, which are constructed as a set of matches and sets within a sequence. The matches, for filtering, specify the condition that a prefix must match in order to be considered. The set statement determines what is to be done to the prefix once it's determined that the prefix matches. The sequences represent the order in which route-map statements are checked, much like BASIC line numbers represented program execution order (if you've ever used the original BASIC). A typical route map is constructed something like the following:

    route-map filter permit 10
     match something
     set something
    route-map filter permit 20
     match something
     set something

In the route map named filter, the permit sequence 10 will be evaluated before the permit sequence 20. The first sequence whose match clauses succeed decides the fate of the prefix; a prefix that matches no sequence is dropped, so a route map that should pass everything else unchanged must end with a permit sequence that has no match clause.

Filtering with Sets and Matches

To give you a better idea of the type of filtering that can be done with a route map, here is a short list of possible matches that can be configured as options of the match command:

• ip address — Matches either the IP address listed or the IP addresses permitted by the listed access list.
• as-path — Matches the path listed in an as-path list.
• community-list — Matches a given community string from within a community list.
• metric — Matches a given MED value.

If the prefix advertised is permitted by the condition in the match statement, then a set may be applied. Some possible set statements used to alter the prefix are

• set community — Sets the community string associated with the prefix.
• set metric — Sets the MED associated with the prefix.
• set local-preference — Sets the local preference associated with this prefix.
• set weight — Sets the administrative weight associated with the prefix.
• set origin — Sets the BGP origin code.
• set as-path prepend — Prepends extra hops onto the AS path.

These various combinations allow you to filter (or classify) prefixes advertised by a neighbor and then set various aspects of that prefix. The administrator has very fine control over what path is chosen through the network.


Filtering with Prefix Lists

BGP also supports the use of prefix lists for filtering the destinations received from or advertised to a peer. A prefix list can be configured either in a way similar to a route map (with sequence numbers within the given prefix list being used to determine the order of evaluation) or in a way similar to access lists (with the order of operation being determined by the order of configuration). An entry with no ge or le qualifier matches only a route with exactly that prefix and prefix length: deny 10.0.0.0/8 by itself stops nothing but the bare /8, and 10.1.1.0/24 sails past it. To cover a block and everything inside it, add le 32. For example, to filter all of the private address space (RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) out of advertisements to a peer, you could use the following, applied per neighbor (the neighbor address and AS are placeholders):

    ip prefix-list noprivates deny 10.0.0.0/8 le 32
    ip prefix-list noprivates deny 172.16.0.0/12 le 32
    ip prefix-list noprivates deny 192.168.0.0/16 le 32
    ip prefix-list noprivates permit 0.0.0.0/0 le 32
    !
    router bgp 100
     neighbor 10.1.1.1 remote-as 200
     neighbor 10.1.1.1 prefix-list noprivates out
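The exact-length rule for prefix-list entries and the first-match, implicit-deny evaluation of a route map are the two things most often got wrong when building these filters. The following is an added example, not code from the book: a small evaluator for both, run against the private-address list above written once without and once with le 32. The list and route-map names and the sample prefixes are assumed for the demonstration.

```python
# Added example (not from the book): Cisco-style prefix-list and route-map
# evaluation, to show the exact-length semantics of a prefix-list entry
# without ge/le and the first-match, implicit-deny behaviour of a route map.
# Names (noprivates, inbound) and the sample prefixes are assumed for the demo.
import ipaddress


def prefix_list_match(entries, prefix):
    """Evaluate a prefix list top to bottom; first match wins, implicit deny.
    An entry is (action, network, ge, le), with None meaning 'not given'."""
    p = ipaddress.ip_network(prefix)
    for action, net, ge, le in entries:
        n = ipaddress.ip_network(net)
        lo = n.prefixlen if ge is None else ge
        if le is not None:
            hi = le
        elif ge is not None:
            hi = n.max_prefixlen       # "ge N" alone means N..32
        else:
            hi = n.prefixlen           # no ge/le: only the exact length matches
        if p.subnet_of(n) and lo <= p.prefixlen <= hi:
            return action == "permit"
    return False


# The list as it is often first written: each deny matches only the bare
# /8, /12 or /16, so every more specific private route slips through.
EXACT_ONLY = [
    ("deny", "10.0.0.0/8", None, None),
    ("deny", "172.16.0.0/12", None, None),
    ("deny", "192.168.0.0/16", None, None),
    ("permit", "0.0.0.0/0", None, 32),    # permit any
]

# The same list with "le 32" on the deny entries, which is what
# "filter all private space" actually needs.
WITH_LE_32 = [(a, n, g, 32 if a == "deny" else le) for a, n, g, le in EXACT_ONLY]


def match_clause(kind, value, route, prefix_lists):
    if kind == "ip address prefix-list":
        return prefix_list_match(prefix_lists[value], route["prefix"])
    if kind == "community":
        return value in route.get("community", set())
    raise ValueError(f"unsupported match: {kind}")


def apply_route_map(sequences, route, prefix_lists):
    """Sequences are (seq, action, matches, sets), evaluated in ascending
    order; the first sequence whose match clauses all succeed decides. A route
    matching no sequence is dropped (None). 'matches' is a list of
    (kind, value); 'sets' is a dict of attributes to overwrite."""
    for _, action, matches, sets in sorted(sequences, key=lambda s: s[0]):
        if all(match_clause(k, v, route, prefix_lists) for k, v in matches):
            if action == "deny":
                return None
            out = dict(route)
            out.update(sets)
            return out
    return None


def filter_inbound(prefix, noprivates_entries):
    """route-map inbound permit 10 / match ip address prefix-list noprivates /
    set local-preference 200, and nothing else: whatever the prefix list denies
    falls off the end of the route map and is discarded."""
    route_map = [(10, "permit", [("ip address prefix-list", "noprivates")],
                  {"local-preference": 200})]
    route = {"prefix": prefix, "local-preference": 100}
    return apply_route_map(route_map, route, {"noprivates": noprivates_entries})


if __name__ == "__main__":
    for entries, label in ((EXACT_ONLY, "exact-only"), (WITH_LE_32, "le 32")):
        print(label, "10.1.1.0/24 ->", filter_inbound("10.1.1.0/24", entries))
```

With the exact-only list, 10.1.1.0/24 is accepted and even gets the higher local preference; with le 32 it is dropped, while a public prefix such as 203.0.113.0/24 is still accepted by both.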

Filtering with Distribution Lists

Prefixes accepted from or advertised to a neighbor can also be controlled using distribution lists, applied with neighbor ip-address distribute-list access-list-number {in | out}. Standard access lists used as distribution lists operate as expected, blocking those prefixes denied and allowing those prefixes permitted. Extended access lists, however, can be used to filter based on the subnet mask as well as the destination network. The standard form of the extended access list is

    access-list number {permit|deny} protocol source wildcard destination wildcard

There are further options dealing with protocol types and/or port numbers not listed here, as well as some keywords. When using an extended access list as a BGP distribution list, however, the fields are interpreted as

    access-list number {permit|deny} ip network wildcard subnet-mask wildcard

This allows you to configure a distribution list that filters out all destinations in the 10.0.0.0 network with a prefix length of greater than 24 bits, for example:

    access-list 101 permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.0

The mask wildcard of 255.255.255.0 makes the first three octets of the subnet mask don't-care bits and requires the last octet to be 0, so only masks of /24 or shorter match. Remember that every access list ends with an implicit deny: as written, this list also drops every destination outside 10.0.0.0/8. If those routes should still pass, follow the permit with an explicit deny for the rest of 10.0.0.0/8 (deny ip 10.0.0.0 0.255.255.255 any) and then permit ip any any; a bare permit ip any any on its own would let the long 10.0.0.0 prefixes back in.
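The wildcard-on-the-mask trick is easier to trust once you can see which prefixes each entry matches. The following is an added example, not code from the book: it implements Cisco wildcard matching and evaluates access list 101 above, plus a second list (numbered 102 here, an assumed number) that keeps routes outside 10.0.0.0/8 while still discarding the long 10.0.0.0 prefixes. Sample prefixes are constructed for the demonstration.

```python
# Added example (not from the book): how an extended access list behaves as a
# BGP distribute list, where the 'source' field is matched against the network
# and the 'destination' field against the subnet mask. ACL numbers and the
# sample prefixes are assumed for the demo.
import ipaddress


def ip2int(dotted: str) -> int:
    return int(ipaddress.ip_address(dotted))


def wildcard_match(value: int, pattern: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~ip2int(wildcard) & 0xFFFFFFFF
    return ((value ^ ip2int(pattern)) & care) == 0


def ext_acl_permits(acl, prefix: str) -> bool:
    """Entries are (action, net, net_wildcard, mask, mask_wildcard); first match
    wins and every access list ends with an implicit deny."""
    n = ipaddress.ip_network(prefix)
    network, mask = int(n.network_address), int(n.netmask)
    for action, net_p, net_wc, mask_p, mask_wc in acl:
        if wildcard_match(network, net_p, net_wc) and wildcard_match(mask, mask_p, mask_wc):
            return action == "permit"
    return False


ANY = ("0.0.0.0", "255.255.255.255")

# access-list 101 permit ip 10.0.0.0 0.255.255.255 0.0.0.0 255.255.255.0
# The mask pattern/wildcard pair says: last octet of the mask must be 0, the
# rest is don't-care, i.e. prefix lengths of /24 or shorter.
ACL_101 = [("permit", "10.0.0.0", "0.255.255.255", "0.0.0.0", "255.255.255.0")]

# Same intent, but routes outside 10.0.0.0/8 are still accepted: the explicit
# deny for the rest of 10/8 has to come before the final permit ip any any.
ACL_102 = [
    ("permit", "10.0.0.0", "0.255.255.255", "0.0.0.0", "255.255.255.0"),
    ("deny", "10.0.0.0", "0.255.255.255", *ANY),
    ("permit", *ANY, *ANY),
]


if __name__ == "__main__":
    for p in ("10.1.0.0/16", "10.1.1.0/24", "10.1.1.0/25", "192.168.1.0/24"):
        print(p, "acl 101:", ext_acl_permits(ACL_101, p),
              "acl 102:", ext_acl_permits(ACL_102, p))
```

Access list 101 permits 10.1.0.0/16 and 10.1.1.0/24, denies 10.1.1.0/25, and (because of the implicit deny) also denies 192.168.1.0/24; access list 102 gives the same answers for the 10.0.0.0 prefixes but lets 192.168.1.0/24 through.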


iBGP Synchronization

iBGP synchronization is probably one of the least understood concepts in BGP. To understand why synchronization between the IGP and BGP routing tables is important when deciding if a route should be advertised to an eBGP peer, refer to Figure D-7 and the discussion that follows.

Figure D-7 iBGP Synchronization

AS 2, as pictured here, is a transit AS, which means it passes traffic between two other ASs; in other words, hosts connected to Router E should be able to send traffic across AS 2 to destinations in 10.1.1.0/24. Assume that Routers A and B are eBGP peers, Routers B and D are iBGP peers, and Routers D and E are eBGP peers. Router C, in the middle of AS 2, is only running some IGP to Routers B and D. Router E transmits a packet along its path to 10.1.1.0/24 toward Router D. Router D, in turn, forwards this packet to Router C. When Router C receives this packet, it must have a route to 10.1.1.0/24 to forward it correctly; otherwise it drops the packet even though Router D has told Router E the destination is reachable. Because Router C is running only an IGP, the eBGP routes learned from AS 1 need to be redistributed into this IGP for Router C to know how to reach 10.1.1.0/24. With synchronization enabled, Router D will not advertise 10.1.1.0/24 to Router E until that prefix also appears in its routing table via the IGP, which is precisely the check that keeps this black hole from being advertised. One solution in this situation is to have Router C run iBGP with both Routers B and D rather than redistributing the routes into the IGP. However, it's not uncommon to find situations like this where the AS in the middle (in this case, AS 2) is not expected to transit traffic between the two ASs on the outside but rather is just trying to gain connectivity to destinations in both of these networks. In this case, it's valid for Router C not to know about any of the routes in these other ASs. (It may lead to suboptimal routing if it doesn't, but it is valid.) If AS 2 isn't a transit AS, synchronization isn't important and can be turned off with no synchronization under router bgp.

BGP Summarization

BGP can summarize routes advertised to peers using the aggregate-address command. As an example, assume you have multiple subnets of the 172.30.0.0/16 network and you want to advertise this summary if any of these subnets exist:

    router bgp 1
     neighbor 10.1.1.1 remote-as 2
     network 172.30.1.0 mask 255.255.255.0
     network 172.30.8.0 mask 255.255.255.0
     network 172.30.14.0 mask 255.255.255.0
     network 172.30.25.0 mask 255.255.255.0
     network 172.30.42.0 mask 255.255.255.0
     aggregate-address 172.30.0.0 255.255.0.0

The preceding configuration will advertise the 172.30.0.0/16 prefix and all of the subnets for which there are network statements and matching routes in the routing table. To advertise the summary address only, you can use the summary-only keyword on the aggregate-address command:

    aggregate-address 172.30.0.0 255.255.0.0 summary-only

When a BGP speaker originates a summary, it usually places only its AS number in the AS path. This can lead to loops if the prefixes being summarized are from several eBGP peers rather than originating within the router's AS: the summarizing AS has erased the path information that would let those peers recognize their own routes coming back to them. To prevent these loops from occurring, use the as-set keyword in the aggregate-address command.

    aggregate-address 172.30.0.0 255.255.0.0 as-set

This tells the router to place all the ASs in the AS paths from each component in an as-set and advertise them with the route. The keywords can be combined (aggregate-address 172.30.0.0 255.255.0.0 as-set summary-only) to suppress the components while still carrying their AS information. Be aware that with as-set the attributes of the aggregate change whenever the set of components changes, so the aggregate is re-advertised on each such change instead of staying stable.
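The difference as-set makes to a peer's loop check can be shown directly. The following is an added example, not code from the book: it builds the AS path of an aggregate with and without as-set from two assumed component paths (one learned from AS 2, one via AS 3 from AS 4) and applies the receiving router's own-AS check.

```python
# Added example (not from the book): how the AS_PATH of an aggregate is built
# with and without as-set, and what a receiving router's loop check sees.
# AS numbers and component paths are assumed for the demo.


def aggregate_as_path(component_paths, local_asn, as_set=False):
    """Return the AS_PATH the aggregating router originates.
    Without as-set: only the local AS (the components' history is erased).
    With as-set: the local AS followed by an AS_SET, an unordered set of every
    AS that appears in any component path."""
    if not as_set:
        return (local_asn,)
    members = frozenset(asn for path in component_paths for asn in path)
    return (local_asn, members) if members else (local_asn,)


def path_contains(as_path, asn):
    """The loop check a BGP speaker applies on receipt: its own AS anywhere in
    the path, as a plain AS_SEQUENCE element or inside an AS_SET, means drop."""
    return any(asn in seg if isinstance(seg, frozenset) else asn == seg
               for seg in as_path)


# AS 1 aggregates 172.30.0.0/16 from two components learned over eBGP:
# one from AS 2 and one via AS 3 that originated in AS 4.
COMPONENTS = [(2,), (3, 4)]


def would_as2_accept(as_set):
    """When AS 1 advertises the aggregate back toward AS 2, does AS 2's loop
    check fire? Only if its own number survived in the path."""
    path = aggregate_as_path(COMPONENTS, 1, as_set=as_set)
    return not path_contains(path, 2)


if __name__ == "__main__":
    print("without as-set:", aggregate_as_path(COMPONENTS, 1),
          "AS 2 accepts:", would_as2_accept(False))
    print("with as-set:   ", aggregate_as_path(COMPONENTS, 1, as_set=True),
          "AS 2 accepts:", would_as2_accept(True))
```

Without as-set the path is just (1), so AS 2 accepts its own routes back as an aggregate; with as-set the path carries {2, 3, 4} and AS 2 (or AS 4) drops it.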


Appendix E. Answers to the Review Questions

The questions that appear in the Review sections in Chapters 1–9 are restated here for your reference along with the correct answers.

Answers to Chapter 1 Review Questions

1: Why is the topology of the network so important? Are the topology and the logical layout of a network the same thing?

A: The topology directly affects the stability of the network. No.

2: Why are hierarchical networks built in "layers"?

A: To break the problem domain into smaller, more manageable pieces. The concept of hierarchical design is similar to the OSI model, which breaks the process of communication between computers into layers, each having different design goals and criteria.

3: Note the layer of the network in which each of these functions/services should be performed and why:

A:
a. Summarize a set of destination networks so that other routers have less information to process. Distribution layer, because this reduces the area through which information about topology changes must pass.
b. Tag packets for quality of service processing. Access layer, because devices in the access layer should be concerned with feeding traffic to the network and controlling the types and amount of traffic admitted. This should not generally be done in other layers, because it can complicate configurations and maintenance, and it can also reduce switching speeds.
c. Reduce overhead so that packets are switched as rapidly as possible. Core, because the core of the network is where switching speeds are the most critical.
d. Meter traffic. Access layer, because devices in the access layer should be controlling the traffic admitted into the network. Allowing traffic into the network at the edge, and then metering it out, or dropping it for traffic engineering purposes, at some other place in the network is an inefficient use of bandwidth.
e. Use a default route to reach internal destinations. Access and distribution layers, because within the core of the network, all routers should know how to reach all internal destinations.
f. Control the traffic that is admitted into the network through packet level filtering. Access layer, because access layer devices should control traffic being admitted into the network. Allowing packets into the network only to be filtered at some other point is a waste of resources, and filtering can slow down some operations.
g. Aggregate a number of smaller links into a single larger link. Distribution layer, because the access layer is focused on feeding traffic into the network, and the core is focused on the switching of traffic. Traffic aggregation should occur before any traffic reaches the network core and cannot occur as the traffic enters the network.
h. Terminate a tunnel. Access layer, because tunnel processing can consume a good deal of processor time, which is most likely not acceptable in a device in the core of the network. Access layer devices should be the main point for traffic to enter the network, and tunnels usually represent a point where traffic enters the network.

4: What two factors is speed of convergence reliant on?

A: The number of routers participating in convergence, and the amount of information they must process.

5: What types of controls should you typically place on an access layer router to block attacks from within the network?

A: No address spoofing, no broadcast sources, and no directed broadcast.

6: What are the positive and negative aspects of a single router collapsed core?

A: Pros: It's only a single router, so it's easy to manage. Cons: It's only a single router.
• It won't scale.
• It's easy to overwhelm.
• It is a single point of failure.


7: What aspects of policy-based routing are different than the routing a router normally performs?

A: Normal routing occurs based on a destination address lookup in the routing/forwarding table, whereas policy-routed packets are routed based on the configured policy.

8: Should you normally allow directed broadcasts to be transmitted onto a segment?

A: No. This is a security hazard because an attacker can tie up a great deal of network resources and discover a great deal about what hosts exist on various segments by sending packets to the directed broadcast addresses.

9: What determines the number of routers participating in convergence?

A: Convergence depends on the area through which the topology change must propagate. The number of routers can be reduced via the use of a well-planned addressing scheme leveraging summarization.

10: Should a failing destination network in the access layer cause the routers in the core to re-compute their routing tables?

A: No. Topology changes within each layer shouldn't cause routers in other layers to recalculate their routing tables. The convergence area should be bounded by the distribution layer.

11: What is the primary goal of the network core? What are the strategies used to reach that goal?

A: The primary goal of the network core is switching packets. Anything that takes processing power from core devices or increases packet switching latencies should be seriously discouraged. The strategies employed to meet this goal are full reachability, no policy implementations, and no access control.

12: Why is optimum routing so important in the core?

A: You don't want packets taking extra hops across the core because the core's job is to get the packet switched and back out to the destination as quickly as possible.

13: What are the primary goals of the distribution layer?

A: Topology change isolation, route summarization, and traffic aggregation.

14: What strategies are used in the distribution layer to achieve its goals?

A: Route summarization and minimizing connections to the network core.

15: What are the primary goals of the access layer?

A: To feed traffic into the network and implement network policy.


Answers to Chapter 2 Review Questions

1: Why is it difficult to change IP addresses after they've been assigned?

A: Each host on the network must be renumbered.

2: Why is address allocation so closely tied to network stability?

A: Because address allocation directly impacts summarization, and summarization directly affects stability.

3: What are the goals you should keep in mind when allocating addresses?

A: Controlling the size of the routing table, and controlling the distance that information about topology changes must travel through the network.

4: What does it mean to say that summarization hides topology details?

A: Devices beyond the summarization point don't know about every subnetwork or link that has been summarized into a single destination.

5: How does hiding topology details improve stability?

A: Devices beyond the summarization point don't learn about topology changes they don't need to know about, and they can also work with less information, reducing processing effort.

6: Where should summarization take place?

A: The general rule of thumb is to "only provide full topology information where it's needed." In a hierarchical network, the distribution layer is the most natural summarization point, although summarization can occur anywhere in the network design.

7: What is the one case where access layer devices should be passed more than a default route? Why?

A: Dual-homed remotes, to reduce suboptimal routing.

8: An IP address can be divided into two parts; what are they?

A: Network and host.

9: What is the prefix length of a network?

A: The number of bits set in the subnet mask.

10: Find the longest prefix summary for these addresses.
• Set A: 172.16.1.1/30, 172.16.1.5/30, 172.16.1.9/30, 172.16.1.14/30
• Set B: 10.100.40.14/24, 10.100.34.56/24, 10.100.59.81/24
• Set C: 172.18.10.10/23, 172.31.40.8/24, 172.24.8.1/12, 172.30.200.1/24
• Set D: 192.168.8.10/27, 192.168.60.14/27, 192.168.74.90/27, 192.168.129.48/27

A: For Set A, the longest prefix summary is 172.16.1.0/28. For Set B, the longest prefix summary is 10.100.32.0/19. For Set C, the longest prefix summary is 172.16.0.0/12: the summary can be no longer than the /12 component, and 172.16.0.0/12 also covers the 172.18, 172.30 and 172.31 networks. For Set D, the longest prefix summary is 192.168.0.0/16, because the third octets 8, 60, 74 and 129 differ in their first bit.
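The procedure behind these answers (start at the shortest component prefix and shorten until one network contains every component) is short enough to automate. The following is an added example, not code from the book, run against Sets A to D exactly as given in the question:

```python
# Added example (not from the book): computing the longest prefix that covers
# a set of addresses, applied to Sets A to D from the question above.
import ipaddress

SETS = {
    "A": ["172.16.1.1/30", "172.16.1.5/30", "172.16.1.9/30", "172.16.1.14/30"],
    "B": ["10.100.40.14/24", "10.100.34.56/24", "10.100.59.81/24"],
    "C": ["172.18.10.10/23", "172.31.40.8/24", "172.24.8.1/12", "172.30.200.1/24"],
    "D": ["192.168.8.10/27", "192.168.60.14/27", "192.168.74.90/27", "192.168.129.48/27"],
}


def longest_prefix_summary(addresses):
    """Shorten the prefix length, starting from the shortest component, until
    one network contains every component. The summary can never be longer
    than the shortest component (a /12 cannot hide inside a /20)."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]  # drop host bits
    first = int(nets[0].network_address)
    for plen in range(min(n.prefixlen for n in nets), -1, -1):
        candidate = ipaddress.ip_network((first, plen), strict=False)
        if all(n.subnet_of(candidate) for n in nets):
            return str(candidate)
    raise RuntimeError("unreachable: 0.0.0.0/0 contains everything")


def all_summaries():
    return {name: longest_prefix_summary(addrs) for name, addrs in SETS.items()}


if __name__ == "__main__":
    for name, summary in all_summaries().items():
        print(f"Set {name}: {summary}")
```

The same function works for any list of addresses or networks, not only these four sets; the only input it rejects is an empty list.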

11: Explain the effects of pointing a default route to a broadcast network interface.

A: The router will ARP for each destination address that it receives a packet for, which means possibly overrunning the ARP cache. So, use a next-hop address, not the broadcast interface.

12: What does a pair of colons with no numbers in between signify in an IPv6 address? How many times can you use this symbol in an address?

A: Every bit between the colons is 0. This can be used only once in an IPv6 address.

13: Explain the difference between Network Address Translation (NAT) and Port Address Translation (PAT).

A: In NAT, each inside host is assigned a single outside (outside global) address. In PAT, each session is assigned a port number from an outside global address.

14: Address the network depicted in Figure 2-19 by organization, by geographical location, and by topology.

A:
• Organization — Addressing by organization places Leningrad Sales, NY Sales, and Paris Sales in one set of IP addresses, Tokyo Manufacturing in another set of IP addresses, Tokyo Finance in a third set of IP addresses, and the New York Headquarters in a fourth set of IP addresses. This leaves you with no possible summarization.
• Geographical location — Addressing by geographical location places each location (Leningrad, New York, Paris, and Tokyo) in its own address space. Again, because of the design of this network, there is no place to summarize any addresses.
• Topology — Addressing by topology gives each location attached to a given router an IP address within a range. This allows summarization at each of these routers toward the other routers in the network.

15: Which addressing scheme is the best? Is there any way to combine two different addressing schemes to provide administrative ease?

A:
— New York Sales: 10.1.1.0/24
— New York Headquarters: 10.1.2.0/24
— Paris Sales: 10.2.1.0/24
— Tokyo Manufacturing: 10.3.3.0/24
— Leningrad Sales: 10.4.1.0/24
— Tokyo Finance: 10.5.4.0/24

Answers to Chapter 3 Review Questions

1: Why is it important to consider link capacities when designing redundancy?

A: The backup link should be able to handle the full traffic load normally placed on the primary link.

2: Why is designing redundancy in the core easier than at other layers?

A: Suboptimal routing should be easier to deal with because the devices in the network core should have full routing information.

3: If all the core routers are in one building, what is a natural way to provide redundancy?

A: Connect them with multiple high speed LANs.

4: How many links on a ring core can fail before at least one section of the core is isolated?

A: Two.

5: Do ring designs provide consistent hop count through the core network when a link fails?

A: No. The hop count can increase dramatically when a single link fails.

6: What ring technologies provide redundancy at Layer 2?

A: FDDI and SONET.

7: Do redundant ring technologies provide redundancy against failed devices?

A: No.

8: Given a full mesh core with 25 routers, how many paths would there be through the network?

A: 300 (25 × 24 / 2 links).

9: What method does a Cisco router use to differentiate between routes from two different routing protocols?

A: Administrative distance.

10: What is the first, and most important, factor used in deciding which route to use for a particular destination?

A: Prefix length. The longest specific match is used.

11: What mechanism in OSPF needs to be considered when it is being configured on a partial mesh network?

A: Designated router election.

12: What are the possible techniques you can use in OSPF partial mesh network designs to get around this problem?

A: Using point-to-point subinterfaces, using the router priority to predetermine that only the hub router becomes DR, using OSPF network type point-to-multipoint, or configuring the network as a non-broadcast OSPF network type and manually configuring the neighbors.

13: When dual homing a distribution layer or access layer router, what major problem should you be careful of?

A: Transiting traffic across the router that should be passed through the next higher layer in the network, and increasing the size of the routing table in the next higher layer of the network.

14: When interconnecting the distribution or access layer routers to provide redundancy, what issues should you be careful of?

A: Transiting traffic across the router that should be passed through the next higher layer in the network, increasing the size of the routing table in the next higher layer of the network, and the possibility that the path between the routers could be preferred over the normal (correct) path through the next higher layer.

15: What are the two main goals you must be careful to address when building redundancy into a network?

A:
• Redundant paths should only be used when the main path is down, unless they are engineered specifically for load sharing.
• Traffic shouldn't be allowed, under any network conditions, to pass through links that aren't designed to handle the full load of the primary link.


Answers to Chapter 4 Review Questions

1: What does hierarchy provide in a well-designed network?

A: The foundation, or the skeleton on which everything else hangs.

2: What is the primary tool used to bound the area affected by network changes?

A: Summarization.

3: How can it be determined which links can be removed from a full mesh core network to decrease the number of links?

A: By looking at the normal traffic patterns and determining which points the majority of the traffic will flow between.

4: What provides ways around failure points in the network?

A: Redundancy.

5: What two things are most desirable in a routing protocol?

A: Low overhead and fast convergence.

6: What can a routing protocol do to decrease its burden to hosts that are not running routing on a network?

A: Use multicast or unicast routing updates, reduce the frequency of updates, and reduce the number of packets required to transmit the required information.

7: List the addressing problems that are caused by having multiple links to external networks.

A:
• Addressing conflicts with partners
• Injecting multiple routes from external networks into your network

8: Given the network in Figure 4-10, how many routes do you think a core router will have in its table if no summarization is done?

A: 48 dial-ins, 95 remote sites, 8 links between the access and distribution layers, 6 common services networks, 9 HQ VLANs, 2 default routes, 3 routes to partner networks, 10 links from the core to other parts of the network, and 7 core network links. The total would be at least 179, not counting redundancy.

9: Given the network in Figure 4-10, how many routes do you think a core router will have in its table if all possible summarization is done?

A: 9 summaries from routers outside the core, 10 links from the core to other parts of the network, and 7 core network links. The total would be around 26.


Answers to Chapter 5 Review Questions

1: What parameters must be matched for OSPF routers to become adjacent?

A: Hello interval, Dead interval, Wait interval, and the link type.

2: Is it ever normal for two OSPF routers to reach only a two-way state? When?

A: Yes; when neither one of them is DR or BDR on a multi-access network.

3: What is a good way to test for MTU mismatches?

A: Extended ping using various packet sizes.

4: Explain why having a router dial backup beyond the point of summarization is bad.

A: The only way to make it work is to inject more specific routes into the routing table of all the other routers in the network, which can cause problems. (It won't scale.)

5: What options do you have with a remote dual-homed into two different areas?

A: Place the remote link in one of the two areas, which results in suboptimum routing and loss of connectivity if the router loses its connection to that area. Place the remote link in a third area and build virtual links to area 0. Create statics and redistribute them into the two areas.

6: Explain how you can end up throwing packets away if you summarize on Routers A and B in Figure 5-17 to 172.27.0.0/16.

A: If Router A or Router B loses its connection to one of the Ethernet links but is still advertising the 172.27.0.0/16 summary, it will throw away packets that are destined to the network to which it is no longer connected.

Figure 5-17 Diagram for Review Question 6


7: Can you have multiple areas with the same area number?

A: Yes. When routes are advertised into area 0 (the core area), all information about the area that they originated from is removed.


8: What one issue must you design around when dealing with dial-in links?

A: Host routes injected by the terminal server whenever a client connects.

9: Where are external LSAs flooded?

A: Through all areas except for stubby areas.

10: What type of SPF run is required when the state of external links changes?

A: Partial. (Note that this doesn't mean all routers implement partial SPFs; it means only that a partial is all that is required.)

11: How do you inject default routes into OSPF?

A: With the default-information originate command.

12: What does the always keyword do on the end of the default-information originate command?

A: always originates a default route, regardless of the existence of a default in the routing table.

13: What is the Forward Address in the OSPF database used for?

A: To allow an OSPF router to forward packets directly to the next hop toward an external destination rather than through the ASBR.

14: What is the difference between a totally stubby area and a stubby area?

A: Totally stubby areas do not receive information on internal or external OSPF routes outside of the area; stubby areas receive internal, but not external, routing information. Neither can contain an ASBR.

Answers to Chapter 6 Review Questions

1: What protocol was IS-IS originally designed to provide routing information for?

A: Connectionless Network Service (CLNS).

2: Where can summarization take place in IS-IS?

A: On any L2 router.

3: How many levels of routing are there in an IS-IS network?

A: Two. L1 and L2.

298

4:

How m any pseudonodes are allow ed in an I S- I S area?

A:

255.

5:

I s it possible t o ov er flow t he LSP dat abase on a r out er ? What ar e t he indicat ions t his is occur r ing?

A:

Yes. The ov er flow bit w ill set in LSAs adv er t ised by t he r out er w it h t he dat abase t hat has ov er flow ed.

6:

What is t he range of int ernal m et rics in I S- I S? Ar e t hey ext er nal? Why is t his a problem in a large- scale net work?

A:

I nt er nals 0–63, Ex t er nals 64 –127. Wit h t his sm all of a r ange of m et r ics, you m ay not be able t o configur e t he cost s of each int er face so t hat t he m ost opt im um rout e is alw ays t aken t hrough t he net w ork.

7:

Why isn't it good t o have a dial backup dial int o a rout er behind a sum m ar izat ion point for t he net w or k s behind t he dial back up r out er ?

A:

Because w hen t he dial back up is connect ed due t o a link failure, t he rout es t hr ough t he dial back up link cannot be sum m ar ized. This pr oduces a lot of possible confusion and effor t in t he cor e and dist r ibut ion layer s of t he net w or k.

8:

Will r out er s in differ ent ar eas for m L1 neighbor adj acencies?

A:

No, t hey w ill for m L2 adj acencies only .

9:

Should you j ust let all t he rout ers in your net work run bot h L1 and L2 rout ing?

A:

No, t his incur s unnecessary over head.

10:

Will I S- I S aut om at ically r epair a par t it ioned L2 r out ing dom ain?

A:

Alt hough t he m echanism s have been defined for doing so, m ost im plem ent at ions do not suppor t t his.

11:

Will rout ers running int egrat ed I S- I S, w hich ar e in t he sam e ar ea but differ ent I P subnet s, for m an adj acency ? What could y ou look at , and w hat w ould y ou see t o det er m ine t his is happening?

A:

No. When you look at a rout er 's CLNS neighbor s, y ou w ould see t he follow ing:

A#show clns neighbor System Id Interface Type Protocol 00C0.1465.A460 Se0 ES-IS

SNPA

State

Holdtime

*HDLC*

Up

297

IS

Not e t h at t h e prot ocol is ES- I S rat her t han I S- I S; you w ould expect an I S - I S adj acency bet w een t hese t w o neighbor s. Because t hey ar e ES- I S neighbors,

299

t hey w ill not exchange r out ing t ables. 12: A:

13: A:

14: A: 15:

A:

16:

A:

Must all L2 r out er s for m one cont iguous gr oup of r out er s? Yes. By definit ion, all L2 rout ers m ust form a cont iguous core. I n ot her w ords, t w o L2 r out er s cannot be separ at ed by an L1 r out er som eplace in t he m iddle. I t is im por t ant t o leav e enough r edundancy bet w een t he L2 r out er s so t hat a single link failur e w ill not cause t he cor e t o be par t it ioned. How oft en does I S- I S flood link- st at e pack et s? I s t his adj ust able? 20 m inut es. Yes, t he r at e at w hich LSPs ar e flooded can be set using t he lspr e f r e sh- in t e r v a l com m and. How do you advert ise a default rout e in I S- I S? Use t he de fa u lt - in f or m a t ion or ig in a t e com m and under r out er I S - I S. How do you configur e a r out er so t hat a default r out e is adver t ised only under som e condit ions? You can at t ach a r out e m ap t o t he default infor m at ion or iginat e com m and t o condit ionally adv er t ise a default r out e. What is t he effect of an LSP t hat is cor r upt ed at t he dat a link lay er , but t he er r or cor r ect ion codes ar e cor r ect ? A possible LSP updat e st orm .

Answers to Chapter 7 Review Questions

1: What are the two basic tools you can use to summarize routes (or hide destination details) in EIGRP?
A: Summarization and distribution lists.

2: How can you tell that a route is a summary when you look at the routing table?
A: It's marked as a summary, and the next-hop interface is Null0.

3: What is the default administrative distance for a summary route? What is the problem with this?
A: The default administrative distance is five. Because that is lower than almost any learned route, the summary (which points to Null0) can displace valid routes to the same prefix learned from other routers, and any packet whose destination falls inside the summary but matches no more specific route is thrown away at Null0, possibly unintentionally.

4: What bounds a query?
A: Distribution lists and summarization, because they limit knowledge of specific destinations.

5: How far beyond one of the possible query bounds will a query travel?
A: One hop, generally, or until a router that doesn't have any information about that specific destination receives the query.
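The "one hop past the bound" behaviour in questions 4 and 5 is easiest to see by replaying a query over a small topology. The following Python is an added example, not code from the book: the routers, links, prefixes, and the summarization point (D1 and D2 summarizing 10.1.0.0/16 toward the core) are all constructed.

```python
"""Simulate EIGRP query propagation and how summarization bounds it.

Added example (not from the book).  Each router holds a constructed topology
table of prefixes.  A router that holds the exact prefix named in a query
forwards the query to its remaining neighbors; a router that holds only a
covering summary replies "unreachable" at once and forwards nothing.  That is
the "one hop beyond the bound" behaviour described in the answers above.
"""
from collections import deque
from ipaddress import ip_network

# Constructed topology: remote R1 dual-homed to distribution routers D1 and
# D2, which summarize 10.1.0.0/16 toward the core routers C1 and C2.
LINKS = {
    "R1": {"D1", "D2"},
    "D1": {"R1", "D2", "C1"},
    "D2": {"R1", "D1", "C2"},
    "C1": {"D1", "C2"},
    "C2": {"D2", "C1"},
}

# What each router holds in its EIGRP topology table.  C1 and C2 know only
# the summary because D1/D2 summarize outbound toward the core.
TOPOLOGY_TABLE = {
    "R1": {"10.1.1.0/24", "10.1.2.0/24"},
    "D1": {"10.1.1.0/24", "10.1.2.0/24", "10.1.0.0/16"},
    "D2": {"10.1.1.0/24", "10.1.2.0/24", "10.1.0.0/16"},
    "C1": {"10.1.0.0/16"},
    "C2": {"10.1.0.0/16"},
}


def knows_exact_prefix(router, prefix):
    """True if the router has this exact prefix, not merely a covering summary."""
    return prefix in TOPOLOGY_TABLE[router]


def covering_summary(router, prefix):
    """Return the prefix in the router's table that covers prefix (the shortest), or None."""
    target = ip_network(prefix)
    covers = [ip_network(p) for p in TOPOLOGY_TABLE[router]
              if ip_network(p) != target and target.subnet_of(ip_network(p))]
    return str(min(covers, key=lambda n: n.prefixlen)) if covers else None


def propagate_query(origin, prefix):
    """Flood a query for prefix from origin.

    Returns (queried, bounded): every router that received the query, in
    arrival order, and the subset that answered immediately because it has no
    specific entry for the prefix.  Those routers are where the query stops:
    one hop past the summarization point.
    """
    queried, bounded, seen = [origin], [], {origin}
    queue = deque([origin])
    while queue:
        router = queue.popleft()
        for nbr in sorted(LINKS[router]):
            if nbr in seen:
                continue
            seen.add(nbr)
            queried.append(nbr)
            if knows_exact_prefix(nbr, prefix):
                queue.append(nbr)       # goes active itself and re-queries
            else:
                bounded.append(nbr)     # replies "unreachable", forwards nothing
    return queried, bounded


if __name__ == "__main__":
    reached, stopped = propagate_query("R1", "10.1.1.0/24")
    print("query for 10.1.1.0/24 reached:", reached)
    print("stopped at:", stopped, "which hold only", covering_summary("C1", "10.1.1.0/24"))
```

Running it shows the query for 10.1.1.0/24 reaching C1 and C2 (one hop into the core) and dying there, because each holds only the /16 summary; had the distribution routers not summarized, C1 would have re-queried C2 and so on through the whole core.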

6: What is the primary advantage to summarizing between core routers rather than between the distribution layer and core?
A: The core routers will have enough information to make optimal routing decisions.

7: How is it possible to "black hole" packets when summarizing destinations behind dual-homed remotes into the core?
A: Even if one of the distribution routers loses connectivity with one of the remotes, it will still advertise a summary covering the destinations available at the disconnected remote, so the core may keep sending it traffic it can no longer deliver.

8: Why should summarization be configured outbound from the distribution layer routers toward access layer routers at remote sites?
A: To reduce the amount of traffic on the distribution layer to remote router link and to bound queries at the remote router.

9: What is the most common problem with dual-homed remotes? What options are available to resolve it?
A: The remote routers appear to be transit paths to EIGRP. To resolve this, you should summarize routes outbound from the distribution layer toward the access layer routers.

10: What methods can be used to break a redistribution routing loop?
A: Distribute lists, route maps, prefix lists, setting the administrative distance on routes that are likely to produce loops, and using administrative tags on external routes to mark the routes and block their redistribution.

11: Under what conditions is the administrative distance ignored between EIGRP and IGRP?
A: When an IGRP route and an EIGRP route in the same AS compete for inclusion in the routing table; the router then compares their metrics directly.

12: What options do you have for generating a default route in EIGRP?
A: Either configuring a default network or redistributing a 0.0.0.0/0 default route.

13: How can you prevent multiple parallel links within a network from all being used as transit paths?
A: By not running EIGRP on some of them; this is accomplished by using the passive-interface command.

14: What does EIGRP use to pace its packets on a link?
A: The bandwidth configured on the interface.

15: Implement EIGRP on the network you redesigned for Review Question 11 in Chapter 4, "Applying the Principles of Network Design." Discuss decisions on summarization points and be careful of non-transit paths and other design flaws.

Answers to Chapter 8 Review Questions

1: What is an EGP?
A: An EGP is an Exterior Gateway Protocol, which is a protocol designed to carry routing information between ASs. BGP is an EGP.

2: What prevents iBGP from being an effective IGP?
A: iBGP cannot determine if a path within an AS is a loop, because the AS path remains the same within the AS.

3: Where will routes learned from an eBGP peer be propagated?
A: To all peers, iBGP and eBGP.

4: Why shouldn't you redistribute iBGP routes into an IGP?
A: Because BGP isn't an effective IGP, and redistributing iBGP routes into an IGP can cause routing loops.

5: What protocol do all BGP packets ride on top of?
A: TCP.

6: If a neighbor relationship between two BGP peers constantly cycles through the Idle, Active, and Connect states, what action should you take?
A: Check to make certain IP connectivity is good between them; a session that never gets past Connect is failing to complete the TCP connection.

7: Explain the significance of the next hop in BGP.
A: In BGP, the NEXT_HOP attribute names the router through which the destination is reached. For a route learned from an eBGP peer it is normally the IP address of that peer in the neighboring AS, and iBGP carries it on unchanged unless the border router rewrites it. This attribute is key to the correct behavior of the network, because the NEXT_HOP has to be reachable (via an IGP route) for the prefix to be considered usable.

8: What possible solutions are there for load sharing outbound traffic to multiple ISPs?
A: Using only default routes out, accepting the full Internet routing table, using local preference or MEDs to prefer one path to another for certain external destinations, and accepting only a partial routing table.

9: All attributes being the same, what will break a tie in the BGP decision process?
A: The router ID of the advertising router (the path from the lowest router ID is preferred).

10: What two things can be done to reduce the number of updates generated and sent by a router?
A: Either reducing the number of neighbors, or reducing the number of updates required to send the entire routing table by using peer groups.

11: What is the default half-life of a dampened route?
A: 15 minutes. The half-life is the time over which the accumulated flap penalty is divided in half.

12: How does a route reflector advertise routes learned from an iBGP peer?
A: A route reflector (RR) reflects routes learned by iBGP to its clients (iBGP peers): a route learned from a client is reflected to all other clients and to the RR's non-client iBGP peers; a route learned from a non-client peer is reflected to clients only.

13: What does a confederation of routers appear as outside the confederation area?
A: A single AS.

14: Give an example of an application of conditional advertisement.
A: To advertise destinations that are normally sent to one provider through another provider if the connection through the normal provider fails.

15: Treating the network shown in Figure 4-10 in Chapter 4, "Applying the Principles of Network Design," as a service provider network (with the access layer connecting to external networks), configure the network to run BGP throughout. What changes would you make to the network? Would you use route reflectors or confederations anywhere?
A: No one correct answer.
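The half-life in question 11 is one of four dampening parameters, and the way they interact (penalty per flap, exponential decay, suppress and reuse thresholds, maximum suppression time) is clearer as arithmetic than as prose. The following Python is an added example, not code from the book; the parameter values are the Cisco defaults as assumed here, and the flap sequence is constructed.

```python
"""BGP route flap dampening arithmetic.

Added example, not from the book.  The parameters are Cisco's defaults as
assumed here: a flap adds a penalty of 1000; the penalty decays exponentially
with a half-life of 15 minutes; the route is suppressed when the penalty
exceeds 2000, reused when it decays below 750, and never suppressed longer
than 60 minutes.  The flap sequence is constructed.
"""
import math

FLAP_PENALTY = 1000
HALF_LIFE_MIN = 15.0
SUPPRESS_LIMIT = 2000
REUSE_LIMIT = 750
MAX_SUPPRESS_MIN = 60.0
# The penalty is capped so that a route can never stay suppressed longer than
# MAX_SUPPRESS_MIN after its last flap: 750 * 2**(60/15) = 12000.
PENALTY_CEILING = REUSE_LIMIT * 2 ** (MAX_SUPPRESS_MIN / HALF_LIFE_MIN)


def decay(penalty, minutes, half_life=HALF_LIFE_MIN):
    """Penalty left after `minutes` of exponential decay with the given half-life."""
    return penalty * 2 ** (-minutes / half_life)


def minutes_until(penalty, threshold, half_life=HALF_LIFE_MIN):
    """Minutes for `penalty` to decay down to `threshold` (0 if already below it)."""
    if penalty <= threshold:
        return 0.0
    return half_life * math.log2(penalty / threshold)


def run_flaps(flap_times_min):
    """Replay a flap sequence (minutes since start, ascending).

    Returns a list of (time, penalty_after_flap, suppressed) tuples; the
    penalty decays between flaps and is capped at PENALTY_CEILING.
    """
    penalty, last_t, history = 0.0, 0.0, []
    for t in flap_times_min:
        penalty = min(decay(penalty, t - last_t) + FLAP_PENALTY, PENALTY_CEILING)
        last_t = t
        history.append((t, round(penalty), penalty > SUPPRESS_LIMIT))
    return history


def reuse_time(history):
    """Minute at which the route is advertised again after the last flap."""
    t, penalty, suppressed = history[-1]
    return t + minutes_until(penalty, REUSE_LIMIT) if suppressed else t


if __name__ == "__main__":
    h = run_flaps([0, 1, 2])
    for t, p, s in h:
        print(f"t={t:>3} min  penalty={p:>5}  {'SUPPRESSED' if s else 'advertised'}")
    print(f"re-advertised at about t={reuse_time(h):.1f} min")
```

Three flaps a minute apart are enough to cross the 2000 suppress limit, after which the route stays hidden for roughly 29 more minutes; a route that flaps continuously hits the 12000 ceiling and is held for exactly the 60-minute maximum after its last flap.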

Answers to Chapter 9 Review Questions

1: Is NHRP a routing protocol, or is it a protocol that helps routing protocols do their job?
A: A routing protocol. (RFC 2332 describes NHRP as a next-hop resolution protocol rather than a routing protocol in the OSPF or BGP sense; this chapter treats it as one because its route server collects and hands out the reachability information routers on the NBMA cloud use.)

2: How many paths exist through a network with 30 nodes? 40?
A: 30 nodes have 870 paths; 40 nodes have 1560 paths (n(n - 1) ordered source/destination pairs: 30 x 29 and 40 x 39).

3: What task does a route server in NHRP perform?
A: Collects and stores routing information from the routers on the NHRP network.

4: When a router on an NHRP network wants to find the SVC to use for a given destination, what does it do?
A: It queries the route server.

5: What three steps are normally involved in routing a packet?
A: 1. Look up the destination in the routing table. 2. Perform a longest prefix match to find the correct destination. 3. Rewrite the MAC header on the packet.
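Steps 1 and 2 of question 5 are the mask-and-compare lookup that the glossary later describes under "Logical AND", "mask", "prefix length", "default route", and "host route". The following Python is an added example, not code from the book: the routing table is constructed, and it deliberately includes a default route, a summary pointing at Null0 (the black-hole case from the EIGRP answers), and a /32 host route of the kind a dial-in client injects.

```python
"""Longest-prefix-match forwarding lookup.

Added example, not the book's code.  It performs the first two steps listed
above (table lookup, longest prefix match) using the Logical AND of the
destination with each entry's mask, and stands in for the third step by
returning the next hop and outgoing interface.  The table is constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed routing table: (prefix, next_hop, interface).
ROUTING_TABLE = [
    ("0.0.0.0/0",   "192.0.2.1",  "Serial0"),    # default route
    ("10.0.0.0/8",  "10.255.0.1", "Ethernet0"),
    ("10.1.0.0/16", "10.255.0.2", "Ethernet1"),
    ("10.1.1.0/24", None,         "Null0"),      # summary route pointing at Null0
    ("10.1.1.7/32", "10.1.1.7",   "Async1"),     # host route from a dial-in client
]


def matches(prefix, destination):
    """True if (destination AND mask) equals the prefix's network address."""
    net = ip_network(prefix)
    return (int(ip_address(destination)) & int(net.netmask)) == int(net.network_address)


def lookup(destination, table=ROUTING_TABLE):
    """Return the (prefix, next_hop, interface) entry with the longest matching prefix, or None."""
    best = None
    for prefix, next_hop, iface in table:
        if not matches(prefix, destination):
            continue
        if best is None or ip_network(prefix).prefixlen > ip_network(best[0]).prefixlen:
            best = (prefix, next_hop, iface)
    return best


def forward(destination, table=ROUTING_TABLE):
    """Decide a packet's fate: a 'drop: ...' string, or (next_hop, interface)."""
    entry = lookup(destination, table)
    if entry is None:
        return "drop: no route"
    prefix, next_hop, iface = entry
    if iface == "Null0":
        return f"drop: {prefix} points to Null0"
    # A None next hop means the destination is directly connected.
    return (next_hop or destination, iface)


if __name__ == "__main__":
    for dst in ("10.1.1.7", "10.1.1.9", "10.1.2.9", "10.2.0.1", "198.51.100.5"):
        print(f"{dst:>14} -> {lookup(dst)[0]:<12} -> {forward(dst)}")
```

Note how 10.1.1.7 is matched by four entries but is forwarded by the /32 host route, while 10.1.1.9, covered by the same summary, is dropped at Null0 because nothing more specific exists; that is exactly the black hole the EIGRP summarization answers warn about.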

6: What type of switching paradigm do ATM and Frame Relay use?
A: Label swapping.

7: What type of switching paradigm does MPLS use?
A: Label swapping.

8: What is a push? A pop?
A: A push is when a label is pushed onto the top of the label stack; a pop is when a label is removed from the top of the label stack.

9: What is a FEC?
A: A forwarding equivalence class; a stream or flow of packets between a given set of sources and a given destination.

10: Why do you merge FECs?
A: FECs, or streams, are merged for scalability. Once several FECs have been merged, downstream LSRs need only deal with a single label and a single path for multiple source/destination pairs.

11: Explain each type of label assignment:
A:
• Host pair: A label is assigned for each source/destination address.
• Port quadruple: A label is assigned for each source address and port/destination address and port.
• Port quadruple with ToS: A label is assigned for each source address and port/destination address and port with a given ToS, or class of service.
• Network pair: A label is assigned for each source/destination network.
• Destination network: A label is assigned for each destination network.
• Egress router: A label is assigned for each egress router.
• Destination AS: A label is assigned for each destination BGP AS.

12: Which device assigns labels in an MPLS network?
A: The control component.

13: Do downstream devices or upstream devices assign labels?
A: Downstream devices.

14: What are the two ways of driving label assignment?
A:
• Data driven, where a label is assigned when the first data packet arrives in the network.
• Control driven, where a label is assigned when the routing information changes.

15: How is tunneling performed in an MPLS network?
A: By stacking labels. An extra label is pushed onto the stack by the LSR at the tunnel entrance and is popped at the egress of the tunnel. (Actually, it could be popped one hop before the tunnel exit; this is penultimate hop popping.)
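Questions 8 and 15 (push, pop, and tunnelling by stacking labels) are simplest to follow with a label stack you can watch change hop by hop. The following Python is an added example, not code from the book: the LSRs, their label tables, the label values, and the FEC are constructed, and the tunnel's outer label is popped at the penultimate hop as the answer to question 15 allows.

```python
"""Label stack handling along a label-switched path with a stacked tunnel.

Added example, not from the book.  Each LSR has a table keyed by the label on
top of the stack (or by FEC for an unlabeled packet at the ingress) giving the
operations to apply and the next hop.  The stack is a list whose last element
is the top label.  Topology, labels, and FEC are constructed.
"""

# Constructed LSP A -> B -> C -> D for FEC 10.1.0.0/16.  B is the entrance of a
# tunnel to D: it pushes a second (outer) label on top of the inner one.  C, the
# penultimate hop of the tunnel, pops the outer label so that D sees the inner
# label again.  D pops the inner label and forwards by IP lookup.
LABEL_TABLES = {
    "A": {"FEC:10.1.0.0/16": ([("push", 100)], "B")},
    "B": {100: ([("swap", 200), ("push", 500)], "C")},
    "C": {500: ([("pop", None)], "D")},
    "D": {200: ([("pop", None)], "IP")},
}


def apply_ops(stack, ops):
    """Return a new stack after applying push/swap/pop operations in order."""
    stack = list(stack)
    for op, label in ops:
        if op == "push":
            stack.append(label)
        elif op == "swap":
            if not stack:
                raise ValueError("swap on an empty label stack")
            stack[-1] = label
        elif op == "pop":
            if not stack:
                raise ValueError("pop on an empty label stack")
            stack.pop()
        else:
            raise ValueError(f"unknown operation {op!r}")
    return stack


def switch_packet(fec, ingress="A", tables=LABEL_TABLES):
    """Carry one packet for fec through the LSP starting at ingress.

    Returns the trace as (lsr, lookup_key, stack_after, next_hop) tuples.  The
    loop ends when the next hop is not an LSR (here the string "IP", meaning
    the packet leaves MPLS and is routed by destination address).  An LSR with
    no entry for the top label drops the packet, signalled by LookupError.
    """
    lsr, stack, trace = ingress, [], []
    while lsr in tables:
        key = stack[-1] if stack else f"FEC:{fec}"
        if key not in tables[lsr]:
            raise LookupError(f"{lsr} has no entry for {key}: packet dropped")
        ops, next_hop = tables[lsr][key]
        stack = apply_ops(stack, ops)
        trace.append((lsr, key, list(stack), next_hop))
        lsr = next_hop
    return trace


if __name__ == "__main__":
    for lsr, key, stack, nh in switch_packet("10.1.0.0/16"):
        print(f"{lsr}: lookup {key!r:>18} -> stack {stack} -> next hop {nh}")
```

The trace shows the stack growing to two labels at B, shrinking back to one at C (the penultimate hop), and emptying at D. C never looks at the inner label 200, which is the point of tunnelling: the tunnel's transit LSRs need entries only for the outer label.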

305

Glossary

A

ABR. area border router. A router that connects two or more areas in an OSPF network.

access layer. The area or layer of the network that is responsible for controlling the traffic admitted to the network and for providing end user attachments to the network.

active. An EIGRP route state that indicates the router is actively searching for alternative paths to the destination in question by querying its neighbors.

address resolution protocol. See ARP.

administrative distance. A system of weights or distances assigned to routing protocols by Cisco routers; it is used for determining which path to take to a destination network when several routing protocols have routes to it.

area border router. See ABR.

ARP. Address Resolution Protocol. A method for binding network (Internet Protocol) addresses to a physical layer address; it is described in IETF RFCs.

AS. autonomous system. A group of routers under the same administrative control.

AS path. The set of autonomous systems a route has passed through in BGP; it is used to determine if a given path is a routing loop.

ASBR. autonomous system border router. An OSPF router that connects two routing domains and redistributes routes from another routing protocol into OSPF.

autonomous system. See AS.

autonomous system border router. See ASBR.

autosummarization. Automatically summarizing routes to their major network mask (natural mask) when a boundary between two major networks is crossed.

B

backup designated router. See BDR.

BDR. backup designated router. An OSPF router that acts as the backup for the designated router on a broadcast network.

branch. A section of the network that is relatively independent of the rest of the network; for example, a group of distribution and access layer routers that could logically split off as a separate network.

broadcast. A packet that is addressed so that every device on a segment will listen to it.

C

CIDR. classless interdomain routing. Forwarding packets based on their prefix length and destination, ignoring the major network in which they reside.

CIDR block. Grouping or summarization of major networks. Given that 200.200.200.0/24 is a Class C address, 200.200.0.0/16 is a CIDR block. The address 10.1.0.0/16 is not a CIDR block; it is a subnet of the 10.x.x.x network. With a CIDR block, the prefix is shortened from the "natural" mask for that network; with subnetting, the prefix is lengthened.

classless interdomain routing. See CIDR.

CLNS. Connectionless Network Service. A routed (data carrying) protocol; routing information for CLNS is provided by IS-IS.

collapsed core. A single router (or switch) acting as the core of a network.

common services. Services internal to an organization that are used by all or most of the end users of the network.

conditional advertisement. The capability of a routing protocol to advertise a given destination only under certain conditions, such as the existence of another path to that destination.

confederation. A group of BGP autonomous systems that appear as one AS outside of the confederation.

control component. A device that assigns labels in an MPLS network.

control-driven label assignment. Assigning labels based on control traffic, such as routing updates.

convergence. The process of all the routers in a network determining the best path to reach the destinations available; when the network has converged, all the routers in the network have decided on the best path to each destination.

core. The area of the network that concentrates on switching traffic.

D

data-driven label assignment. Assigning labels based on data traffic.

data link layer. A layer in the OSI model that is responsible for determining the way physical media will be accessed and the way data is formatted.

default network. A network that is designated as the default; a router will send all packets to destinations for which it has no specific route to the default network; used only in EIGRP and IGRP.

default route. A route that matches all IP addresses (0.0.0.0 with a prefix length of 0, written 0.0.0.0/0); this is the route that the router will use when it has no more specific information on how to reach a given destination.

DeMilitarized Zone. See DMZ.

designated router. See DR.

directed broadcast. A packet that is destined to the broadcast address of another segment; for example, 10.1.1.255 is the directed broadcast address of the 10.1.1.0/24 segment.

discontiguous network. A network address that is used in several different areas of a network, which are not connected; generally, this refers to a major network, but it could refer to virtually any unit of addressing.

distance vector. A routing protocol in which each router advertises all reachable destinations known to directly connected neighbors; EIGRP is an advanced distance vector protocol. Other distance vector protocols are IGRP and RIP.

distribution. The area or layer of the network that is responsible for traffic aggregation and route summarization.

distribution list. Used to block the advertisement of given destinations by a routing protocol.

DMZ. DeMilitarized Zone. A buffer between a dirty, or untrusted, network and the clean, or trusted, area of the network.

DR. designated router. An OSPF router that is responsible for flooding routing information onto a broadcast link and advertising reachability to the link.

dual-homed. Attaching one device to two places in the next layer of the network.

E

eBGP. Exterior BGP. BGP running between two routers in two different ASs.

eBGP multihop. The capability to place eBGP neighbors several hops away from each other.

edge services. Services, such as filtering, policy routing, or packet marking for QoS, that occur either on the edge or at the entrance point of the network.

EGP. Exterior Gateway Protocol. A protocol designed to pass large amounts of routing information between ASs; EGP, BGP, and IDRP are examples of EGPs.

End System-to-Intermediate System. See ES-IS.

ES-IS. End System-to-Intermediate System. A protocol that CLNS uses for passing information between end systems and routers.

exchange. A state in the OSPF router adjacency process that occurs when the routers are actually exchanging information about their databases.

exstart. A state in the OSPF router adjacency process when the routers are arranging to exchange routing information.

Exterior BGP. See eBGP.

Exterior Gateway Protocol. See EGP.

F

FDDI. Fiber Distributed Data Interface. A dual ring (redundant) network media standardized by ANSI.

feasible successor. An EIGRP neighbor that is advertising a loop-free route to a given destination; its reported distance is less than the router's own feasible distance.

FEC. Forwarding Equivalence Class. A set of forwarding parameters, such as destination, egress router, class of service, and so forth, that can be used to group streams.

Fiber Distributed Data Interface. See FDDI.

floating static. A static route configured with a high administrative distance so that it is used only when all other paths to the destination are lost.

Forwarding Equivalence Class. See FEC.

full mesh. Topology in which every device has a direct connection to every other device.

full reachability. A default route is not needed to reach any destination.

G–H

hierarchy. The principle of building a network in layers or sections, giving each layer specific tasks and goals.

hold timer. In EIGRP, the amount of time a neighbor will remain up and active without receiving any traffic.

host route. A route with a 32-bit mask; a route that specifies the path to one host rather than to a link or network.

Hot Standby Router Protocol. See HSRP.

HSRP. Hot Standby Router Protocol. A Cisco protocol that provides a virtual IP address that is shared between two routers; if one router fails, the other takes over by accepting traffic for this virtual IP address.

I–J

iBGP. Interior BGP. BGP running between two routers in the same AS.

init. A state in the OSPF neighbor adjacency process where the neighbors have seen each other's Hellos but have not established that two-way communication is possible between them.

Integrated IS-IS. IS-IS that is providing routing information for IP destinations.

Interior BGP. See iBGP.

Intermediate System-to-Intermediate System. See IS-IS.

Internet Protocol version 6. See IPv6.

IPv6. Internet Protocol version 6. A revision of the Internet Protocol that provides more security, provisions for label switching, and a much larger address space.

IS-IS. Intermediate System-to-Intermediate System. IS-IS is an Interior Gateway Protocol (IGP) that uses link-state packets (link-state advertisements) flooded to all devices in the network to advertise destination reachability. Originally, IS-IS was designed for routing CLNS traffic, but it has been adapted to provide reachability information for IP.

K–L

k values. Values used to determine the effect that the bandwidth, delay, load, and reliability will have on the total metric EIGRP uses to reach a destination.
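The "feasible successor" and "k values" entries describe two small computations, the composite metric and the feasibility condition, that are easier to trust once you have run them. The following Python is an added example, not code from the book: the metric formula is the classic IOS one with the default K values, and the neighbor table is constructed so that one neighbor has a cheaper total cost than another yet fails the feasibility condition.

```python
"""EIGRP composite metric and the feasibility condition.

Added example, not from the book.  The metric formula is the classic IOS one:
with the default K values (K1 = K3 = 1, K2 = K4 = K5 = 0) it reduces to
256 * (10^7 / minimum_bandwidth_kbps + sum_of_delays_in_tens_of_microseconds).
A neighbor is a feasible successor when its reported distance is strictly less
than the feasible distance.  All neighbor data below is constructed.
"""

DEFAULT_K = (1, 0, 1, 0, 0)  # K1..K5


def composite_metric(min_bw_kbps, delay_tens_us, k=DEFAULT_K, load=1, reliability=255):
    """Classic (32-bit) EIGRP metric for a path.

    min_bw_kbps: slowest link bandwidth on the path, in kbit/s.
    delay_tens_us: sum of interface delays on the path, in units of 10 us.
    load and reliability (1..255) only matter when K2, K4 or K5 are non-zero.
    """
    k1, k2, k3, k4, k5 = k
    bw = 10**7 // min_bw_kbps                   # IOS truncates here
    metric = k1 * bw + (k2 * bw) // (256 - load) + k3 * delay_tens_us
    if k5:                                      # reliability term only when K5 != 0
        metric = metric * k5 // (reliability + k4)
    return metric * 256


def choose_paths(neighbors):
    """Pick the successor and feasible successors for one destination.

    neighbors: {name: (reported_distance, cost_to_neighbor)}.
    Returns (feasible_distance, successor, sorted feasible successor names).
    """
    total = {n: rd + cost for n, (rd, cost) in neighbors.items()}
    successor = min(total, key=total.get)
    fd = total[successor]
    feasible = sorted(n for n, (rd, _) in neighbors.items()
                      if n != successor and rd < fd)   # the feasibility condition
    return fd, successor, feasible


# Constructed neighbor table for one destination.  D offers a cheaper total
# (21) than C (22), but D's reported distance (20) is not below the feasible
# distance (15), so D cannot be proven loop-free and is not a feasible
# successor; if B fails, the router must query rather than switch to D.
NEIGHBORS = {
    "B": (10, 5),
    "C": (12, 10),
    "D": (20, 1),
}

if __name__ == "__main__":
    print("T1 link metric:", composite_metric(1544, 2000))
    print("Ethernet link metric:", composite_metric(10000, 100))
    print("FD, successor, feasible successors:", choose_paths(NEIGHBORS))
```

The two metric values (2169856 for a T1 with 20000 us delay, 281600 for 10 Mbit Ethernet with 1000 us delay) are the familiar figures from an IOS routing table, which is a quick way to check that the bandwidth and delay units are right.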

label. A short , fixed- lengt h header t hat m ay be used inst ead of an I P addr ess t o det er m ine how t o sw it ch a pack et .

la be l st a ck . A st ack of labels; an LSR ev aluat es t he t op label t o sw it ch t he pack et , and as labels ar e popped, t he st ack becom es shor t er , ex posing ot her sw it ching infor m at ion. Label st ack s ar e a w ay of t unneling pack et s t hr ough an MPLS net work.

La be l Sw it ch in g Rou t e r . See [ LSR. ] lin k- st a t e . A r out ing pr ot ocol in w hich each r out er adver t ises t he st at e of it s links t o all ot her r out er s on t he net w or k t hr ough a flooding m echanism ; each r out er t hen calculat es a shor t est pat h t r ee t o each dest inat ion. I S - I S and OSPF ar e t w o exam ples.

lin k- st a t e a d v e r t ise m e n t .

315

See [ LSA.] lin k- st a t e pa ck e t . See [ LSP. ] loca l p r e f e r e n ce . A m et r ic used by BGP t o det er m ine w hich pat h should be chosen w hen leaving t his AS.

Logica l AN D . To AND t he bit s fr om t w o binar y digit s t oget her ; for each bit , if bot h num ber s have a 1 in a given digit , t he r esult is 1; ot herwise, it is a 0.

LSA. lin k- st a t e a d v e r t ise m e n t . A pack et used by OSPF t o t r anspor t r out ing infor m at ion t hr ough t he net w or k .

LSP. lin k- st a t e p a ck e t . A packet used by I S- I S t o t r anspor t link st at e infor m at ion bet w een r out er s.

LSR. La b e l Sw it ch in g Rou t e r . An MPLS- capable r out er or sw it ch.

M m a sk . A set of four oct et s t hat separ at es t he net w or k por t ion of t he I P addr ess fr om t he host por t ion of t he I P addr ess.

M ED . M u lt iple Ex it D iscr im in a t or . Used in BGP t o pr ovide a hint about w hich pat h an ext er nal rout er should t ake t o reach a dest inat ion in t his AS.

316

M PLS. M u lt ip r ot ocol La b e l Sw it ch in g . A m et hod of sw it ching packet s based on sw apping shor t , fixed- lengt h labels.

m u lt ica st . Single pack et s copied by t he net w or k and sent t o a specific subset of net work addr esses. These addr esses ar e specified in t he Dest inat ion Addr ess field.

M u lt iple Ex it D iscr im in a t or . See [ M ED. ] M u lt ip r ot ocol La b e l Sw it ch in g . See [ MPLS. ]

N N AT. N e t w or k Addr e ss Tr a n sla t ion . Tr anslat ing sour ce and dest inat ion addr esses; com m only used t o per m it privat e addresses in a net w ork t o appear as re gist er ed addr esses on t he I nt er net .

N BM A. n on b r oa d ca st m u lt i- a cce ss. A net w or k m edia t hat allow s m ult iple dev ices t o at t ach, but dev ices cannot send packet s dir ect ly t o all ot her devices; for exam ple, Fr am e Relay configur ed as a m ult ipoint int er face.

ne t w or k . The m ost significant digit s in t he I P addr ess; defined by set t ing bit s in t he subnet m ask.

N e t w or k Addr e ss Tr a n sla t ion . See [ NAT. ] n e t w or k la y e r .

317

Th e layer of t he OSI m odel t hat is responsible for providing globally unique addressing and t he m eans t o find dest inat ions w it hin t he net w ork.

n e t w or k se r v ice a cce ss p oin t . See [ N SAP. ] N e x t H op Re solu t ion Pr ot ocol. See [ N HRP. ] N H RP. N e x t H op Re solu t ion Pr ot ocol. A r out ing pr ot ocol used ov er SVC- capable net w or k s t o gain t he adv ant ages of full m esh t opologies w it hout som e of t he pr oblem s.

n o n b r o a d ca st m u lt i- a cce ss. See [ N BM A.] not - so- st u b b y a r e a . See [ N SSA.] N SAP. n e t w or k se r v ice a cce ss p oin t . An ident ifier used t o ident ify a host and ser vice in CLNS.

N SSA. n ot - so- st u b b y a r e a . An OSPF ar ea int o w hich ex t er nal r out es ( t y pe 5 LSAs) ar e not adver t ised but in w hich ex t er nal r out es can or iginat e.

null0 . A v ir t ual int er face; pack et s sent t o t his int er face ar e t hr ow n aw ay .

O– P oct e t .

318

A gr oup of eight binar y digit s; an oct et can r epr esent t he num ber s 0 t o 255 in decim al.

OSI m ode l. The sev en- lay er m odel for designing net w or k pr ot ocols.

pa r t ia l m e sh . A net w or k w her e each r out er has only one connect ion t o a subset of all t he ot her rout ers in t he net work.

p a ssiv e . The st at e of a r out e in EI GRP w hen t he r out er has a successor t hrough w hich t o for w ar d pack et s.

p a ssiv e in t e r f a ce . An int er face on w hich t he pr ot ocol is not r unning, alt hough t he link it self is adv er t ised as r eachable by t he r out ing pr ot ocol.

PAT. Por t Ad d r e ss Tr a n sla t ion . Tr anslat ing sour ce and dest inat ion addr ess at t he por t lev el, w hich allow s m ult iplex ing m any sessions fr om differ ent host s ont o a single addr ess. Com m only used t o per m it pr iv at ely addr essed host s t o access ser v er s on t he I nt er net using r egist er ed addr esses.

pe e r gr ou p. A gr oup of BGP neighbor s t hat ar e t r eat ed t he sam e; a BGP r out er only builds one updat e per peer gr oup if t hey ar e configur ed, r at her t han one updat e per neighbor.

p e r m a n e n t v ir t u a l cir cu it

319

See [ PV C.] p h y sica l la y e r The physical plant , cables, and m odulat ion m et hods used t o t r ansm it dat a in a net work.

policy r ou t in g Rout ing pack et s based on som e cr it er ia ot her t han t he dest inat ion addr ess; choosing differ ent pat hs for QoS pur poses isn't gener ally consider ed policy rout ing.

pop. The act of r em ov ing a label fr om t he t op of t he MPLS label st ack .

Por t Addr e ss Tr a n sla t ion . See [ PAT. ] prefix le ngt h. The num ber of bit s in t he subnet m ask; for inst ance, t he subnet m ask 255.255.255.0 has 24 bit s set t o 1 and is, t her efor e, a 24- bit subnet m ask. The pr efix lengt h is oft en expr essed w it h " / x" aft er t he I P addr ess.

pr e se n t a t ion la y e r . The layer in t he OSI net w or k m odel t hat is r esponsible for pr esent ing dat a in an appr opr iat e for m at t o t he dev ices t hat ar e com m unicat ing.

p r iv a t e a d d r e ss. Addr ess or r ange of addr esses defined by t he I ETF as unusable ( unr out able) on t he I nt er net .

pse u don ode .

320

A m echanism used in I S- I S t o r educe t he full m esh adj acency nor m ally r equir ed on br oadcast net w or k s.

push. The act of put t ing a new label on t he t op of an MPLS label st ack.

PV C. p e r m a n e n t v ir t u a l cir cu it . A per m anent vir t ual ( or m ult iplexed) point - t o- point link ; com m on in Fr am e Relay , X.25, and ATM net w or k s.

Q–R

QoS. Quality of Service. Specifying different levels of service and possibly different paths through the network based on a given level of service required by a packet or a flow of packets.

Quality of Service. See [QoS.]

query. Used by EIGRP to find alternate paths that have not been advertised due to split horizon or other network conditions.

redundancy. Alternate (extra) equipment and links placed in a network to ensure that a single failure in the network doesn't isolate the entire network.

registered address. Address that is registered for a particular organization's use on the Internet.

reply. An EIGRP router uses a reply to answer a query about a given destination.

ring. A network design that uses a ring of routers connected by point-to-point links; also, a physical/data link layer network that uses a ring media.

Round Trip Timeout. See [RTO.]

route dampening. The capability of a routing protocol to refuse to advertise or use a route if it has changed state a number of times over a short period of time.

route reflector. A BGP router that either advertises routes learned from iBGP neighbors to other iBGP neighbors or reflects them to other iBGP neighbors.

RTO. Round Trip Timeout. The amount of time EIGRP will wait before deciding to take further action when a packet isn't acknowledged.

S

shortest path first. See [SPF.]

SIA. stuck-in-active. A route in EIGRP that has been active for 3 minutes.

single point of failure. Any point in a network where losing a single link or device can make some destinations (servers or end devices) unreachable.

Smooth Round Trip Time. See [SRTT.]

SONET. Synchronous Optical Network. A redundant ring network media standardized by the CCITT.

source routing. When the ingress device in a network (possibly a router, LSR, or the originating host) determines the best path through the network and uses labels or other fields to direct the packet along that path.

SPF. shortest path first. An algorithm used by IS-IS and OSPF to calculate the shortest path tree to each reachable destination in the network.

spoofing. Changing the source address of a packet so that it appears to be originating from a trusted host or so that the source of an attack cannot be traced.

SRTT. Smooth Round Trip Time. A weighted average of the amount of time it takes for a packet to be acknowledged; used by EIGRP in determining how long to wait for an acknowledgement before taking further action.

stream. A flow of packets between two devices.


stream merge. Combining two or more streams into one FEC.

stub site. A site through which no traffic should flow; only traffic to and from the stub site should flow along links to and from the site.

stubby area. An OSPF area into which no external routes (type 5 LSAs) are advertised.

stuck-in-active. See [SIA.]

subnet. In the original meaning, a part of a major network; currently, this term is used interchangeably with network.

subnet mask. See [Unknown mask]

suboptimal routing. Occurs when a router chooses a path through the network that incurs extra hops or slower links than the best path.

successor. The EIGRP neighbor this router is using to forward packets to a given destination.

summarize. To combine multiple destinations, advertisements, or prefixes into one destination by shortening the subnet mask.

summary-address. A command used to configure address summaries on interfaces in IOS.

SVC. switched virtual circuit. A switched point-to-point link, common on ATM networks but also supported on other media, such as Frame Relay and X.25.

switched virtual circuit. See [SVC.]

Synchronous Optical Network. See [SONET.]

T

Time To Live. See [TTL.]

topology. Physical layout of a network.

topology table. A database of reachable destinations used by EIGRP for inserting destinations into the routing table and determining what alternate routes are available.

totally stubby area. An OSPF area into which no summary routes (type 3 LSAs) or external routes (type 5 LSAs) are advertised.


transit path. A link in the network over which traffic passes to other areas of the network; transit traffic is not destined to a network attached directly to either end of the path.

transport layer. The layer in the OSI model that is responsible for end-to-end transport of data from its source to its destination.

TTL. Time To Live. The amount of time or number of hops a packet is allowed to exist in a network; it prevents packets that are looping from doing so forever.

tunneling. Encapsulating a packet into multiple layers of headers so that the outer header has no bearing on the final destination of the packet; the contents of the packet, including the inner (encapsulated) headers, are sometimes encrypted.

two-way. A state in the process of building neighbor adjacencies in OSPF; the neighbors have established that two-way communication is possible between the routers at this stage.

U–Z

unicast. A packet that is addressed to only one device.

Variable-Length Subnet Masking. See [VLSM.]


virtual LAN. See [VLAN.]

virtual link. A link between some other area and area 0 (the core) in an OSPF network; the link effectively extends area 0 so that it reaches isolated areas of the network.

VLAN. virtual LAN. A term used for networks attached to switched links, which are divided into separate broadcast domains or subnets using ISL.

VLSM. Variable-Length Subnet Masking. When several subnets of a major net are subnetted with differing lengths; for example, 10.1.1.0/24 and 10.1.2.0/25 are VLSM subnets. 10.1.1.0/24 and 11.1.2.0/25 are not because they are not in the same major network.
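The prefix length, summarize and VLSM entries above describe three mask operations; as an added example (not from the book), the following code computes a prefix length from a dotted-decimal mask, rejects a non-contiguous mask, summarizes a set of prefixes by shortening the mask, and applies the glossary's "same major network" test to the VLSM examples. The classful boundaries used for "major network" and the helper names are this example's assumptions.

```python
import ipaddress

# Added example, not the book's code. Uses only the standard library.

def prefix_length(mask: str) -> int:
    """Count the 1 bits of a dotted-decimal mask (255.255.255.0 -> 24)."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    # A valid mask is a run of 1s followed by a run of 0s; anything else
    # (e.g. 255.255.0.255) is not a prefix and must be rejected.
    if bits != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones

def major_network(addr: str) -> ipaddress.IPv4Network:
    """Classful (A/B/C) 'major network' of an address, as assumed here."""
    first_octet = int(addr.split("/")[0].split(".")[0])
    if first_octet < 128:
        plen = 8
    elif first_octet < 192:
        plen = 16
    elif first_octet < 224:
        plen = 24
    else:
        raise ValueError("class D/E address has no major network")
    return ipaddress.ip_network(f"{addr.split('/')[0]}/{plen}", strict=False)

def is_vlsm(*subnets: str) -> bool:
    """True when all subnets share one major network but differ in length."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    majors = {major_network(str(n.network_address)) for n in nets}
    lengths = {n.prefixlen for n in nets}
    return len(majors) == 1 and len(lengths) > 1

def summarize(*subnets: str) -> ipaddress.IPv4Network:
    """Shortest single prefix covering every given subnet: starting from the
    lowest address, shorten the mask one bit at a time until the highest
    address of the set falls inside the candidate."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    lowest = min(n.network_address for n in nets)
    highest = max(n.broadcast_address for n in nets)
    for plen in range(32, -1, -1):
        candidate = ipaddress.ip_network(f"{lowest}/{plen}", strict=False)
        if highest in candidate:
            return candidate
    return ipaddress.ip_network("0.0.0.0/0")

if __name__ == "__main__":
    print(prefix_length("255.255.255.0"))                 # 24
    print(is_vlsm("10.1.1.0/24", "10.1.2.0/25"))          # True
    print(is_vlsm("10.1.1.0/24", "11.1.2.0/25"))          # False
    print(summarize("10.1.1.0/24", "10.1.2.0/25"))        # 10.1.0.0/22
```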
