
Extreme Networks

Routing
Student Guide
Version 2.0

Terms & Conditions of Use:

Extreme Networks, Inc. reserves all rights to its materials and the content of the materials. No material provided by Extreme Networks, Inc. to a Partner (or Customer, etc.) may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage or retrieval system, or incorporated into any other published work, except for internal use by the Partner and except as may be expressly permitted in writing by Extreme Networks, Inc.

This document and the information contained herein are intended solely for informational use. Extreme Networks, Inc. makes no representations or warranties of any kind, whether expressed or implied, with respect to this information and assumes no responsibility for its accuracy or completeness. Extreme Networks, Inc. hereby disclaims all liability and warranty for any information contained herein and all the material and information herein exists to be used only on an "as is" basis. More specific information may be available on request. By your review and/or use of the information contained herein, you expressly release Extreme Networks from any and all liability related in any way to this information. A copy of the text of this section is an uncontrolled copy, and may lack important information or contain factual errors. All information herein is Copyright © Extreme Networks, Inc. All rights reserved. All information contained in this document is subject to change without notice.

For additional information refer to:

http://www.extremenetworks.com/company/legal

© 2015 Extreme Networks, Inc. All rights reserved. 2


Routing occurs at Layer 3 (the Network layer) of the 7-layer OSI model. Routers direct traffic through a network based on information learned from network layer protocols such as IP and IPX. In order to forward network layer traffic, routers use a table known as the route table to make forwarding decisions.

Each port on the router is called an interface. Each configured interface defines the boundary of a LAN segment and a Layer 3 broadcast domain. Router interfaces are assigned Layer 3 addresses (typically IP) and associated masks to define the network address. Routers use MAC addresses to address packets over Layer 2 infrastructures.

Routers are capable of switching packets between different physical networks based upon network layer addressing. They do not flood MAC-layer broadcasts from one attached network to another, and they are protocol dependent (IP to IP; IPX to IPX). They support packet fragmentation (the disassembly of larger packets into smaller packets) when required, and they support multiple Physical and MAC-layer packet encapsulation types, which gives them the ability to translate from one Layer 2 technology to another (for example, Ethernet to Packet-over-SONET).

Routers are traditionally used when: communication is needed between VLANs; MAC-layer multicast/broadcast traffic is adversely affecting network performance; packet switching based upon upper-layer protocols such as IP, IPX or AppleTalk is desired; and multiple active forwarding paths between systems are required.

Routers perform two basic operations. The first is to forward packets towards their correct destinations. The second is to maintain a routing table which allows the router to determine the correct path. Let’s examine how these processes work.

Forwarding:

Step 1:
PC-A formulates a packet for PC-B, and forwards it to Router A.

Step 2:
Router A strips off the Ethernet encapsulation, and examines the packet’s Destination IP address. It determines that the packet is not addressed to itself, and has therefore come to it to be routed.

Step 3:
Router A examines its routing table. It finds the outgoing interface and next-hop address through which the destination network (10.2.1.0) is reachable. The next-hop address belongs to the next router that the packet will be forwarded to (in this case Router B).

Step 4:
If necessary, Router A ARPs for Router B’s MAC address. Router A then encapsulates the packet in a new Layer 2 envelope, and forwards it to Router B.

The routing software and hardware routes IP traffic between router interfaces. A router interface is simply a virtual LAN (VLAN) that has an IP address assigned to it. As you create VLANs with IP addresses belonging to different IP subnets, you can also choose to route between the VLANs. Both the VLAN switching and IP routing functions occur within the switch.

The switch maintains a set of IP routing tables for both network routes and host routes. Some routes are determined dynamically from routing protocols, and some routes are manually entered. When multiple routes are available to a destination, configurable options such as route priorities, route sharing, and compressed routes are considered when creating and updating the routing tables.

The router typically learns dynamic routes because you have enabled the RIP, OSPF, IS-IS or BGP protocols. It also learns routes from Internet Control Message Protocol (ICMP) redirects exchanged with other routers. These routes are called dynamic routes because they are not a permanent part of the configuration. The router learns these routes when it starts up and dynamically updates them as the network changes.

Older dynamic routes age out of the routing tables when an update for the network is not received for a period of time, as determined by the routing protocol.

Once a routing protocol is configured, dynamic routes require no configuration and are automatically updated as the network changes.

Static routes are routes that are manually entered into the routing tables and are not advertised through the routing protocols. Static routes can be used to reach networks that are not advertised by routing protocols and do not have dynamic route entries in the routing tables. Static routes can also be used for security reasons, to create routes that are not advertised by the router.

Static routes are configured in the ExtremeXOS software, remain part of the configuration when the switch is rebooted, and are immediately available when the switch completes startup. Static routes are never aged out of the routing table; however, the Bidirectional Forwarding Detection (BFD) feature can be used to bring down static routes when the host link fails.

Without BFD, static routes always remain operationally active because there is no dynamic routing protocol to report network changes. This can lead to a black hole situation, where data is lost for an indefinite duration. Because upper layer protocols are unaware that a static link is not working, they cannot switch to alternate routes and continue to use system resources until the appropriate timers expire.

With BFD, a static route is marked operationally inactive if the BFD session goes down. Upper layer protocols can detect that the static route is down and take the appropriate action.

A default route is a type of static route that identifies the default router interface to which all packets are routed when the routing table does not contain a route to the packet destination. A default route is also called a default gateway.

The routing table has the following information:

• The route’s origin, i.e. which network process added the route to the route table; for example, “d” (direct) for local interfaces, “s” for static routes including the default route, and “oa” for OSPF intra-area routes.
• The IP network. This field is shown as a combination of the network address and the subnet mask.
• The network gateway. This is typically the next hop router. If the network is directly connected, you will see the IP address of the VLAN's IP routing interface.
• The route metric. This field defines the quality of the path to the target network. Since the routing table can contain multiple entries to a destination network, the router will pick the route with the lowest metric, as it is considered to be of higher quality.

Other information is also displayed, such as the route status, the VLAN for next hop forwarding, and the age.

When there are multiple, conflicting choices of a route to a particular destination, the router picks the route with the longest matching network mask. If these are still equal, the router picks the route using the following default criteria (in the order specified):

• Directly attached network interfaces
• Static routes
• ICMP redirects
• Dynamic routes
• Directly attached network interfaces that are not active

You can also configure black hole routes: traffic to these destinations is silently dropped.

The criteria for choosing from multiple routes with the longest matching network mask is set by choosing the relative route priorities.
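As an added example (not code from the guide), the forwarding procedure of Steps 1 to 4 and the selection order above in Python: longest mask first, then the origin precedence just listed, then the lowest metric; a black hole route drops silently, and a destination with no route at all is dropped and signalled to the source by ICMP, as the guide notes later in its forwarding discussion. The routes, VLAN names, addresses and ARP entries are constructed, and ranking a black hole route alongside static routes is an assumption.

```python
"""Forwarding decision of a Layer 3 switch, following this guide's steps: is the
packet addressed to the router itself; longest-prefix match in the route table;
tie-break by route origin in the guide's default order, then by metric; black hole
routes silently drop; no route at all means drop and signal the source by ICMP;
otherwise resolve the next hop's MAC from the ARP cache and re-encapsulate.

All routes, interfaces and ARP entries below are constructed for this example."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Default selection order from the guide when mask lengths tie (lower wins).
ORIGIN_PRECEDENCE = {
    "direct": 0,           # directly attached, interface active
    "static": 1,           # includes the default route
    "blackhole": 1,        # configured black hole, ranked with statics (assumption)
    "icmp": 2,             # learned from an ICMP redirect
    "dynamic": 3,          # RIP / OSPF / IS-IS / BGP
    "direct-inactive": 4,  # directly attached, interface not active
}

@dataclass(frozen=True)
class Route:
    network: IPv4Network
    origin: str
    vlan: str
    gateway: Optional[IPv4Address] = None  # None: direct or black hole route
    metric: int = 1

@dataclass(frozen=True)
class Decision:
    action: str                 # "local", "forward", "blackhole", "icmp-unreachable"
    vlan: Optional[str] = None
    next_hop: Optional[IPv4Address] = None
    next_hop_mac: Optional[str] = None
    route: Optional[Route] = None

def lookup(routes, dst):
    """Longest matching mask, then lowest origin precedence, then lowest metric."""
    candidates = [r for r in routes if dst in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen,
                                          ORIGIN_PRECEDENCE[r.origin], r.metric))

def forward(routes, local_ifs, arp_cache, dst):
    dst = IPv4Address(dst)
    if dst in local_ifs:                        # Step 2: it is for us, not routed
        return Decision("local")
    route = lookup(routes, dst)                 # Step 3: route table lookup
    if route is None:
        return Decision("icmp-unreachable")     # cannot forward: drop, tell the source
    if route.origin == "blackhole":
        return Decision("blackhole", route=route)   # silent drop
    # Step 4: next hop is the gateway, or the destination itself if directly attached
    next_hop = route.gateway if route.gateway is not None else dst
    mac = arp_cache.get(next_hop)               # a miss would trigger an ARP request
    return Decision("forward", route.vlan, next_hop, mac, route)

def R(net, origin, vlan, gw=None, metric=1):
    return Route(IPv4Network(net), origin, vlan, IPv4Address(gw) if gw else None, metric)

# Router A: two user VLANs plus a transit VLAN shared with Router B (.2) and Router C (.3).
LOCAL_IFS = {IPv4Address(a) for a in ("10.1.1.1", "10.1.2.1", "192.168.0.1")}
ROUTES = [
    R("10.1.1.0/24", "direct", "vlan5"),
    R("10.1.2.0/24", "direct", "vlan10"),
    R("192.168.0.0/29", "direct", "transit"),
    R("10.2.1.0/24", "static", "transit", "192.168.0.2"),         # guide's 10.2.1.0 via Router B
    R("10.2.0.0/16", "dynamic", "transit", "192.168.0.3", 10),     # shorter mask: loses to /24
    R("10.3.0.0/16", "static", "transit", "192.168.0.2"),          # same mask as next line...
    R("10.3.0.0/16", "dynamic", "transit", "192.168.0.3", 5),      # ...static wins on precedence
    R("10.4.0.0/16", "dynamic", "transit", "192.168.0.2", 20),     # same mask and origin...
    R("10.4.0.0/16", "dynamic", "transit", "192.168.0.3", 10),     # ...lower metric wins
    R("10.9.9.0/24", "blackhole", "transit"),
    R("0.0.0.0/0", "static", "transit", "192.168.0.2"),            # default route / gateway
]
ARP_CACHE = {IPv4Address("192.168.0.2"): "00:00:5e:00:53:02",
             IPv4Address("192.168.0.3"): "00:00:5e:00:53:03",
             IPv4Address("10.1.1.20"): "00:00:5e:00:53:14"}

if __name__ == "__main__":
    for dst in ("10.1.1.1", "10.1.1.20", "10.2.1.50", "10.2.7.1", "10.3.1.1",
                "10.4.1.1", "10.9.9.9", "8.8.8.8"):
        print(dst, forward(ROUTES, LOCAL_IFS, ARP_CACHE, dst))
```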

A default precedence/distance for each type of route is listed, and the table notes the precedence between protocols. The lower the precedence value, the more preferred the routes are.

A default precedence/distance for each type of route is listed, and the table notes the precedence between protocols. The lower the precedence value, the more preferred the routes are. In XOS, these values are configurable.

IP route sharing allows a switch to communicate with a destination through multiple equal-cost routes. In OSPF, BGP, and IS-IS, this capability is referred to as equal cost multipath (ECMP) routing.

Without IP route sharing, each IP route entry in the routing tables lists a destination subnet and the next-hop gateway that provides the best path to that subnet. Every time a packet is forwarded to a particular destination, it uses the same next-hop gateway.

With IP route sharing, the router can use up to 2, 4, 8, 16, or 32 next-hop gateways (depending on the platform and feature configuration) for each route in the routing tables. When multiple next-hop gateways lead to the same destination, the switch can use any of those gateways for packet forwarding. IP route sharing provides route redundancy and can provide better throughput when routes are overloaded.

XOS routers support a separate ECMP table. The gateways in the ECMP table can be defined with static routes (up to 32-way), or they can be learned through the OSPF, BGP, or IS-IS protocols (up to 8-way).
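An added example, not code from the guide or from XOS, of how a route-sharing entry picks one of its gateways per flow so that a flow keeps its packet order while different flows spread across all gateways; it also shows, beyond what the text covers, what happens to healthy flows when one gateway disappears. The 32-way and 8-way caps are the guide's figures; the SHA-256 flow hash, the 5-tuple key and the sample flows are this example's own choices.

```python
"""IP route sharing (ECMP) next-hop selection, as an added illustration of this
guide's description: one destination, several equal-cost gateways, and a per-flow
hash so that every packet of a flow takes the same gateway (no reordering) while
different flows spread across all of them.

The per-route caps (32-way static, 8-way OSPF/BGP/IS-IS) are the guide's figures;
the SHA-256 flow hash and the 5-tuple key are this example's own choices."""
import hashlib
from ipaddress import IPv4Address, IPv4Network

MAX_GATEWAYS = {"static": 32, "ospf": 8, "bgp": 8, "isis": 8}

class EcmpRoute:
    def __init__(self, network, source, gateways):
        cap = MAX_GATEWAYS[source]
        if len(gateways) > cap:
            raise ValueError(f"{source} routes support at most {cap} next-hop gateways")
        if len(set(gateways)) != len(gateways):
            raise ValueError("duplicate gateway in ECMP set")
        self.network = IPv4Network(network)
        self.source = source
        # Keep the ECMP table in a fixed order so the hash index is meaningful.
        self.gateways = sorted(IPv4Address(g) for g in gateways)

    def select(self, src_ip, dst_ip, proto, src_port, dst_port):
        """Choose the gateway for one flow: hash the 5-tuple, index the ECMP table.

        hashlib is used instead of hash() because Python randomises hash() per
        process; a forwarding plane needs the same answer for the same flow."""
        key = f"{src_ip}|{dst_ip}|{proto}|{src_port}|{dst_port}".encode()
        h = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
        return self.gateways[h % len(self.gateways)]

def distribute(route, flows):
    """How many of the given flows land on each gateway."""
    counts = {gw: 0 for gw in route.gateways}
    for flow in flows:
        counts[route.select(*flow)] += 1
    return counts

def remap_after_failure(route, failed_gw, flows):
    """Drop one gateway and count flows that were NOT on it yet still changed path.

    With plain modulo indexing the table shrinks and most indices shift, so
    healthy flows are disturbed too; this is the caveat behind consistent or
    resilient hashing in real ECMP implementations."""
    failed = IPv4Address(failed_gw)
    before = {flow: route.select(*flow) for flow in flows}
    reduced = EcmpRoute(str(route.network), route.source,
                        [str(g) for g in route.gateways if g != failed])
    moved = sum(1 for flow in flows
                if before[flow] != failed and reduced.select(*flow) != before[flow])
    return moved, len(flows)

# Constructed sample: a static 4-way route to 10.2.0.0/16 and 400 TCP flows to a server there.
ROUTE = EcmpRoute("10.2.0.0/16", "static",
                  ["192.168.0.2", "192.168.0.3", "192.168.0.4", "192.168.0.5"])
FLOWS = [(f"10.1.1.{i % 250 + 1}", "10.2.1.10", 6, 1024 + i, 443) for i in range(400)]

if __name__ == "__main__":
    print(distribute(ROUTE, FLOWS))
    print(remap_after_failure(ROUTE, "192.168.0.3", FLOWS))
```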

The Extreme Networks K-Series™ is the most cost-effective flow-based switching solution in the industry. The K-Series is built upon the Extreme Networks CoreFlow2 custom ASIC. This cornerstone switching technology provides greater visibility into critical business applications and the ability to enable better controls to meet the Service Level Agreements (SLAs) demanded by the business.

Versatile, high density edge to small core switching with flexible connectivity and power options reduces cost of ownership.

Advanced automated network provisioning maximizes the efficiency and reliability of supporting new IT services such as virtualized desktops.

Integrated visibility, granularity and control deliver significant cost savings and premium security for mission critical networks.

Easy to deploy access controls and prioritization provide more robust location, identification and overall management capabilities, including support for “bring your own device” programs.

Extreme K-Series switches are available in the following form factors:

• 6-slot chassis offering up to a maximum of 144 triple-speed edge ports and 4 10Gb uplinks
• 10-slot chassis offering up to a maximum of 216 triple-speed edge ports and 8 10Gb uplinks

The K-Series supports up to 12 10Gb uplinks, including four on the fabric card and two 10Gb IOMs.

The S-Series family contains 5 chassis-based switches and one standalone unit:

• S8
• S6
• S4
• S3
• S1
• SSA (S-Stand Alone)

The family of I/O modules includes:

• Triple speed copper
• Gigabit Fiber SFP
• 10 Gigabit SFP+
• 40 Gigabit SFP

Option modules include Gigabit SFP and 10 Gigabit SFP+ connectivity with varying port counts, providing flexibility.

All S-Series chassis are designed for high density connectivity in a small rack unit footprint.

The S-Series chassis utilize two distinct system architectures:

• Fabric based architecture: the S8, S6, S4, and S1 chassis
• Meshed fabric-less architecture: the S3 chassis

The S-Series I/O module architecture adds to the benefits of the S4 and S8 scalable fabric based architecture. All I/O modules include premium featured switching and routing functions along with advanced management. Essentially, each and every S-Series I/O module provides as much switching and processing power as some competing vendors’ entire chassis.

With a best of breed architecture optimized for multi-tier networks based on multiple distributed host CPUs and multiple ASIC switching engines, the S-Series scales to the most demanding network environments. The S-Series incorporates a unique approach to operating software scalability and resiliency where switching and routing applications are distributed across fabrics and modules to load share system operation and allow the system to scale to many thousands of users. In the unlikely event of an I/O module or fabric failure, the system will transparently re-allocate switching, routing and management functions to other modules and fabrics with no user intervention, therefore maintaining network performance and reliability as well as business continuity.

System Throughput Calculation (Disti/Core) - Gbps

80Gbps Ingress + 80Gbps Egress = 160Gbps per IOM slot
#Slots * 160Gbps per IOM slot

S8 = 1.28Tbps Switching Throughput
S6 = 960Gbps Switching Throughput
S4 = 640Gbps Switching Throughput

Designed for cloud-scale requirements of data centers, high-performance computing (HPC), and Internet exchange points (IXP), the BlackDiamond X8 provides a low-latency, high-performance switch fabric with high-density wire-speed 10GbE, 40GbE, and 100GbE connectivity for edge-to-core applications, all in a compact footprint using only one-third of a standard rack. As a “fabric-in-a-box” solution, the BlackDiamond X8 eliminates expensive multi-tier architectures and the challenges of inter-device connectivity, uplink bandwidth, and latency. The BlackDiamond X8 also leverages a low-power design ideal for green operations and high degrees of energy efficiency, resulting in lower total cost of ownership (TCO).

RIP v1/v2 - Routing Information Protocol version 1 and 2
OSPF - Open Shortest Path First
BGP - Border Gateway Protocol
IS-IS - Intermediate System to Intermediate System
DVMRP - Distance Vector Multicast Routing Protocol
PIM-SM - Protocol Independent Multicast - Sparse Mode
IPv6 - Internet Protocol version 6
IRDP - ICMP Router Discovery Protocol
VRRP - Virtual Router Redundancy Protocol
LSNAT - Load Sharing Network Address Translation
ACLs - Access Control Lists
PBR - Policy Based Routing
DoS Prevention - Denial of Service Prevention
DHCP Server - Dynamic Host Configuration Protocol server

Prior to provisioning an Extreme switch for Layer 3 operation, several pre-routing considerations must be taken into account.

Extreme switches operate predominantly as Layer 2 devices and are provisioned for Layer 3 services when needed. As a result, there are certain Layer 2 features that can adversely affect routing behavior. Prior to configuring VLAN interfaces for routing, it may be necessary to turn off specific switching features such as Layer 2 loop protection on specific ports.

GVRP is used to dynamically create VLANs across a switched network. If GVRP is not currently in use as part of your Layer 3 network design, it is recommended that the protocol be disabled. This can be done by issuing the

set gvrp disable

command to disable dynamic VLAN capabilities (GVRP) at a global level, or the

set gvrp disable [port string]

command to disable the GVRP protocol at the port level.

Before you configure routing, you must first create VLANs on your switch, and add ports to them.

On XOS switches:

Use the create vlan [vlan name] command to create the VLANs you require. Once VLANs are created, they will be available for layer 3 provisioning.

Next, make your VLAN a tagged VLAN with the configure vlan [vlan-name] tag [vlan-id] command. Note that the vlan keyword in this command is optional; you can use the command configure [vlan-name] tag [vlan-id] and get the same results.

Next, add ports to your VLAN with the configure vlan [vlan-name] add ports [ports] [tagged|untagged] command. Note that the vlan keyword in this command is optional; you can use the command configure [vlan-name] add ports [ports] [tagged|untagged] and get the same results.

Before you configure routing, you must first create VLANs on your switch, and add ports to them.

On EOS switches:

Use the set vlan create <VLAN id> command to create the VLANs you require. Once VLANs are created in switch configuration mode, they will be available for layer 3 provisioning.

Next, assign switch ports to your VLANs to provide physical connectivity for the layer 3 VLAN interfaces. You can use either of two methods for assigning untagged ports to a VLAN:

• Enter the set port vlan [port string] [vlan id] command, and enter “Y” at the prompt to add the port to a VLAN’s egress list as untagged and clear the existing PVID.
• Append the modify-egress option onto the set port vlan [port string] [vlan id] command. Setting modify-egress is the equivalent of entering “Y”.

If you choose “N” when entering the set port vlan [port string] [vlan id] command in step 3, you can add the port to a VLAN’s egress list as untagged by using the command displayed in step 4. Issuing the set vlan egress [vlan id] [port string] untagged command is the equivalent of setting modify-egress or entering “Y”.

Direct routing is the simplest form of routing. Direct routing allows devices that are on different VLANs to communicate with each other by crossing the routing function in a single switch. With direct routing the routers involved do not advertise their IP routes to each other.

So, for example, VLAN 5 and VLAN 10 on Router A in this example can communicate, because we have enabled direct routing on Router A. Router B, however, does not know about either VLAN 5 or VLAN 10, and users on VLAN 20 on Router B are unable to communicate with users on any of Router A’s VLANs.

For all Extreme switches, a device with a VLAN that does not have a corresponding IP interface defined for it will function as a Layer 2 device only, regardless of the operation mode. You must configure each VLAN separately for IP routing.

On XOS Switches:

Assign a VLAN a layer 3 IP interface address and subnet mask to enable IP routing between VLANs. Give the VLAN an IP address and subnet mask, and issue the enable ip forwarding [vlan-name] command to tie the VLAN into the routing function.

On EOS Switches:

Assign a VLAN a layer 3 IP interface address and subnet mask to enable IP routing between VLANs. The Layer 3 VLANs can be thought of as network links, rather than as a collection of associated end users.

Implement IP routing by creating IP interfaces on a configured VLAN. From interface configuration mode, assign an IP address and turn on the Layer 3 interface with the no shutdown command. These two commands will tie the VLAN into the routing function on the switch.

A loopback interface is a logical IP interface on your router that is not associated with a specific physical connection. It is best network practice to create a loopback interface on your routers for management purposes. If your management station connects to your router using the IP address of one of the router’s physical interfaces, and that interface goes down, your management station will lose contact with the router, and you will be unable to repair the problem. If your management station connects to the router using the IP address of the loopback interface, then it will be able to maintain the connection as long as the router has one or more active physical interfaces.

Routing tables can be maintained either statically or dynamically. All the Extreme switch routers support static routes and at least one form of dynamic routing. Dynamic routing uses routing protocols to maintain the routing table.

Static Routes

Static routes are manually configured by a network administrator for entry into a switch’s routing table; they are flagged as “S”, which indicates static. Static routes point to remote network destinations, and will take precedence over routes chosen by dynamic routing protocols pointing to the same destination. Although easy to configure and use, a major drawback of static route implementation on a large scale is that every time the network topology changes, the routing information will need to be manually re-entered into the route table. Therefore, static routing is not suited to large, dynamic networks.

Dynamic Routes

Dynamic routes are created using routing protocols to determine the best path between routers. When network topologies change, routers using dynamic routing will automatically recalculate the best possible route. The methods for route recalculation vary between the protocols.

The router keeps a record of all its decisions about the best path between it and other IP subnets in your network in the form of a routing table. The routing table specifies how the router knows about the IP subnet, the IP address of the subnet, the next hop router on the path to that subnet, and the IP interface out of which the router must send the packet to get to its destination.

Routing tables can be comprised of directly connected, manually configured (static), and dynamically learned routes. All the Extreme switch routers support static routes as well as dynamic routing. Whereas dynamic routing uses protocols such as OSPF to construct a routing table, static routes are manually configured and entered into a switch’s routing table by a network administrator.

When configured, static routes take precedence over routes learned by dynamic routing protocols. For example, if two paths exist to a remote Layer 3 (IP) destination, and one path was learned dynamically and the other path was statically configured, the statically configured path would be chosen as the more preferred route to the destination.

To configure a static route in XOS use the configure iproute add command, where:

• destination-route: specifies an IPv4 address as a single destination for which a static route is being defined
• subnet-mask: specifies the prefix mask for the destination network
• next-hop: specifies the next-hop router address for the static route

Optionally, you can set the virtual router upon which you are configuring this static route. If you do not specify a virtual router, XOS will set the static route in the Default VR.

To configure a static route in EOS use the ip route command from configuration mode, where:

• destination-route: specifies an IPv4 address as a single destination for which a static route is being defined.
• subnet-mask: specifies the prefix mask for the destination network.
• next-hop: specifies the next-hop router address for the static route.

Optionally, you can set the distance, which specifies an administrative distance (i.e. precedence) for this route. This value can be in the range of 1 to 255, and it defaults to 1 if not specified.

In XOS, DHCP relay is a device level function. For DHCP relay to succeed, the router must have a path in its routing table to the network on which the DHCP server resides. Configure DHCP relay in two steps:

• Configure the relay
• Enable the relay

ARP is a protocol used to map an IP address to a physical (MAC) address. Each IP device on a network (end stations, routers, etc.) maintains an address resolution (ARP) table. IP devices use their ARP tables to associate MAC addresses with IP addresses. When an IP host needs to communicate with another IP device on a common LAN segment, and an IP address to MAC address mapping does not exist in its ARP table, the device will issue an ARP request. If the destination device is on line, it will hear the ARP broadcast request, recognize its IP address, and respond back to the requesting host with its MAC address, thereby providing the requesting device the IP address to MAC address mapping it requires to deliver data across the Layer 2 LAN segment. This IP address to MAC address mapping will then be maintained in the device’s ARP table/cache for some predefined/configurable period of time.

Note: The ARP function is critical in IP networks. If a network device cannot obtain an IP-to-MAC mapping of the device it is attempting to communicate with, the two will be unable to exchange data across the LAN. Ensure proper ARP table entries are present via the show ip arp [ip-address] command if a connectivity problem has been encountered.
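The exchange described above, as an added example that is not part of the guide: a cache lookup, a broadcast request answered only by the owner of the target IP, and an entry that ages out of the cache after a configurable time. Packets use the RFC 826 Ethernet/IPv4 ARP layout; the hosts, MAC and IP addresses are constructed.

```python
"""ARP resolution as this guide describes it: a host consults its ARP cache, and
on a miss broadcasts a request that only the owner of the target IP answers; the
learned mapping is kept for a configurable time and then expires. Added example;
packets use the RFC 826 Ethernet/IPv4 ARP layout (28 bytes). Hosts, MACs and IPs
are constructed, not captured from a real segment."""
import struct
from ipaddress import IPv4Address

ARP = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
OP_REQUEST, OP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    return ARP.pack(1, 0x0800, 6, 4, op,
                    mac_bytes(sender_mac), IPv4Address(sender_ip).packed,
                    mac_bytes(target_mac), IPv4Address(target_ip).packed)

def parse_arp(packet):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack(packet)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": mac_str(sha), "spa": str(IPv4Address(spa)),
            "tha": mac_str(tha), "tpa": str(IPv4Address(tpa))}

class Host:
    def __init__(self, mac, ip, cache_ttl=60.0):
        self.mac, self.ip, self.ttl = mac, ip, cache_ttl
        self.cache = {}   # ip -> (mac, time learned)

    def lookup(self, ip, now):
        """Cached MAC for ip, or None if absent or aged out (expired entries are purged)."""
        entry = self.cache.get(ip)
        if entry is not None and now - entry[1] < self.ttl:
            return entry[0]
        self.cache.pop(ip, None)
        return None

    def receive(self, packet, now):
        """Handle one ARP packet heard on the segment; return a reply packet or None."""
        arp = parse_arp(packet)
        if arp["tpa"] != self.ip:
            return None                                  # not my address: stay silent
        self.cache[arp["spa"]] = (arp["sha"], now)       # learn the sender (RFC 826 merge)
        if arp["op"] == OP_REQUEST:
            return build_arp(OP_REPLY, self.mac, self.ip, arp["sha"], arp["spa"])
        return None

class Segment:
    """One Layer 2 LAN segment: a broadcast reaches every attached host."""
    def __init__(self, hosts):
        self.hosts = hosts

    def broadcast(self, packet, now):
        return [r for r in (h.receive(packet, now) for h in self.hosts) if r is not None]

def resolve(host, segment, target_ip, now):
    """MAC for target_ip, issuing an ARP request on a cache miss; None if nobody answers."""
    mac = host.lookup(target_ip, now)
    if mac is not None:
        return mac
    request = build_arp(OP_REQUEST, host.mac, host.ip, ZERO_MAC, target_ip)
    for reply in segment.broadcast(request, now):
        host.receive(reply, now)                         # reply is addressed to us: cache it
    return host.lookup(target_ip, now)

# Constructed segment: PC-A, PC-B and Router A's VLAN interface on one LAN.
PC_A = Host("00:00:5e:00:53:0a", "10.1.1.20")
PC_B = Host("00:00:5e:00:53:0b", "10.1.1.21")
ROUTER_A = Host("00:00:5e:00:53:01", "10.1.1.1")
LAN = Segment([PC_A, PC_B, ROUTER_A])

if __name__ == "__main__":
    print(resolve(PC_A, LAN, "10.1.1.1", now=0.0))    # ARP exchange, then cached
    print(resolve(PC_A, LAN, "10.1.1.1", now=30.0))   # served from the cache
    print(resolve(PC_A, LAN, "10.1.1.99", now=0.0))   # nobody owns it: None
```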

As a router, if an IP datagram is received that is not addressed to any interface on the system, it must be forwarded to its destination through a single port as per the instructions of the routing table. Inability to forward requires that the packet be dropped and an ICMP error message be transmitted back to the source with the reason why.

OSPF is classified as an Internal Gateway Protocol (IGP). This means that it distributes routing information between routers belonging to a single Autonomous System. The OSPF protocol is based on SPF or link-state technology. This is a departure from the Bellman-Ford base used by traditional distance vector internet routing protocols.

The OSPF protocol was developed by the OSPF working group of the Internet Engineering Task Force. It has been designed expressly for the internet environment, including explicit support for IP subnetting, TOS-based routing and the tagging of externally-derived routing information. OSPF also provides for the authentication of routing updates, and utilizes IP multicast when sending/receiving the updates. In addition, much work has been done to produce a protocol that responds quickly to topology changes, yet involves small amounts of routing protocol traffic.

© 2015 Extreme Networks, Inc. All rights reserved. 69


OSPF allows collections of contiguous networks and hosts to be grouped together.
Such a group, together with the routers that have interfaces to any one of the
included networks, is called an area. Each area runs a separate copy of the basic
shortest-path-first routing algorithm. This means that each area has its own
topological database.
The topology of an area is invisible from the outside of the area. Conversely, routers
internal to a given area know nothing of the detailed topology external to the area.
This isolation of knowledge enables the protocol to effect a marked reduction in
routing traffic as compared to treating the entire autonomous system as a single SPF
domain.
With the introduction of areas, it is no longer true that all routers in the AS have an
identical topological database. A router actually has a separate topological database
for each area to which it is connected. Routers connected to multiple areas are
called area border routers. Two routers belonging to the same area have, for that
area, identical area topological databases.
Routing in the autonomous system takes place on two levels, depending on whether
the source and destination of a packet reside in the same area (intra-area routing is
used) or different areas (inter-area routing is used). In intra-area routing, the packet
is routed solely on information obtained within the area; no routing information
obtained from outside the area can be used. This protects intra-area routing from the
injection of bad routing information.


Every OSPF routing domain (AS) that has more than one area must have a
backbone. The backbone is a special OSPF area that must have an area ID of
0.0.0.0 (or simply 0). It consists of those networks not contained in any specific area,
their attached routers, and those routers that belong to multiple areas. The backbone
must be contiguous. Each router's interface that is configured in Area 0 must be
reachable via other routers where each interface in the path is configured as being in
Area 0.
However, it is possible to define areas in such a way that the backbone is no longer
contiguous, where the continuity between routers is broken. In this case, you must
establish backbone continuity by configuring virtual links. Virtual links are useful
when the backbone area is either purposefully partitioned or when restoring
inadvertent breaks in backbone continuity.




OSPF supports a two-level routing design through the use of areas. OSPF areas are
identified by an area ID. The area consists of the network segments and routers that
reside in the area. Each area has its own link state database (LSDB) which is
separate from the LSDBs in other OSPF areas. The LSDB consists of router-LSAs and
network-LSAs which describe how the area's routers and network segments are
connected. Detailed information regarding the area's topology is hidden from all
other areas (router-LSAs and network-LSAs are not flooded to routers outside the
area and are used for intra-area routing).
As a result of OSPF using area-based routing, the positioning of routers with respect
to these areas represents a critical element in an OSPF routing environment.


Within OSPF, routers take on special responsibilities depending on their topological
orientation. All routers running OSPF on at least one of their interfaces can be
placed into one of the following categories: ABRs, ASBRs, or internal routers.
Depending on what type of router it is, the router has different responsibilities in
restricting or allowing the propagation of certain types of LSAs.
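The router categories above and the backbone-contiguity requirement from the Area 0 notes, as one added example that is not from the guide: roles are derived from the areas a router's links belong to, and the backbone check finds the connected islands formed by Area 0 links alone. The topology is a constructed sample, and a virtual link is modelled as an extra Area 0 link between the two ABRs it joins.

```python
from collections import defaultdict

# Added example (not from the guide): derive router roles from area membership
# and check that the backbone is contiguous, i.e. that every router with an
# Area 0 link can reach every other one over links that are themselves in
# Area 0. Topology is a constructed sample; a virtual link is modelled as an
# extra Area 0 link between the two ABRs it joins.

# (router_a, router_b, area_id) for each link; R7 imports external routes.
LINKS = [
    ("R1", "R2", "0.0.0.0"),
    ("R2", "R3", "0.0.0.0"),
    ("R3", "R4", "0.0.0.1"),
    ("R4", "R5", "0.0.0.1"),
    ("R5", "R6", "0.0.0.0"),   # second Area 0 island: the backbone is split
    ("R1", "R7", "0.0.0.2"),
]
ASBRS = {"R7"}


def areas_per_router(links):
    areas = defaultdict(set)
    for a, b, area in links:
        areas[a].add(area)
        areas[b].add(area)
    return areas


def classify(links, asbrs=frozenset()):
    """Return {router: set of roles}. A router attached to more than one area
    is an ABR, a router injecting routes from another routing domain is an
    ASBR, and any other router is internal to its single area."""
    roles = {}
    for router, areas in areas_per_router(links).items():
        r = set()
        if len(areas) > 1:
            r.add("ABR")
        if router in asbrs:
            r.add("ASBR")
        roles[router] = r or {"internal"}
    return roles


def backbone_islands(links, backbone="0.0.0.0"):
    """Connected components of the graph built from Area 0 links only. More
    than one island means the backbone is partitioned and a virtual link
    through a non-backbone area is needed to restore continuity."""
    adj = defaultdict(set)
    for a, b, area in links:
        if area == backbone:
            adj[a].add(b)
            adj[b].add(a)
    seen, islands = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        stack, component = [start], set()
        while stack:
            node = stack.pop()
            if node in component:
                continue
            component.add(node)
            stack.extend(adj[node] - component)
        seen |= component
        islands.append(frozenset(component))
    return islands
```

In the sample, R3 and R5 are both ABRs attached to area 0.0.0.1, so a virtual link between them through that area (an added Area 0 link in this model) merges the two islands into one.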


Inter-area routing is achieved through the use of summary-LSAs that are passed
from area to area (via ABRs). Summary-LSAs allow routers in the interior of an area
to dynamically learn about destinations in other areas, so they can select the best
path when forwarding packets to these destinations.


Stub areas are typically implemented when routers with limited resources (small
amounts of memory or limited CPU processing capacity) must be deployed in an
OSPF routing domain. To conserve router resources, the link state database (LSDB)
within a stub area is kept as small as possible. AS-external-LSAs are not passed
into the area. Routing to external destinations from a stub area is accomplished by
using a default route originated by the area's ABR.

There are several requirements to take into consideration when configuring a stub
area. All routers participating in the stub area must be configured to function as stub
area routers.

In addition:
● AS-external-LSAs are not flooded into stub areas.
● Routing to external destinations from stub areas is based on default routes
originated by a stub area's ABR.
● Summary-LSAs can also use the default route for inter-area routing.
Criteria:
● Stub areas must not have an ASBR.
● Stub areas should have one ABR or, if more than one, accept non-optimal routing
paths to the external AS.
● No virtual links are allowed in a stub area.


A Totally Stubby Area (TSA) is a variation of a stub area. For very large OSPF
networks it is sometimes necessary to limit the amount of routing information flooded
into an area to an even greater degree. In addition to filtering AS-external-LSAs, a
Totally Stubby Area filters network-summary-LSAs as well, further reducing the
volume of OSPF routing information present in the area.


A Not-So-Stubby Area (NSSA) is a second variation of a stub area in which external
routing information (in the form of AS-external-LSAs) can be imported into the stub
area via an Autonomous System Border Router (ASBR) that resides in the NSSA.
AS-external-LSAs from outside the area (e.g., AS-external-LSAs from Area 0) are
still not allowed access to the NSSA.
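The stub, totally stubby and NSSA rules from the last three slides, as one added example that is not from the guide: a filter that says which LSA types an ABR floods into an area of each type, the default-route summary it originates for stub-type areas, and the NSSA border router's type-7 to type-5 translation. The LSA records are constructed dictionaries rather than wire formats, and type 7 is assumed to exist only inside the NSSA.

```python
# Added example (not from the guide): which LSA types an ABR lets into an area
# depending on the area type, following the stub, totally stubby and NSSA
# rules in the notes, plus the NSSA border router's type-7 to type-5
# translation. LSA records are constructed dictionaries, not wire formats.

NORMAL, STUB, TOTALLY_STUBBY, NSSA = "normal", "stub", "totally-stubby", "nssa"

# LSA types used here: 1 router, 2 network, 3 network-summary, 4 ASBR-summary,
# 5 AS-external, 7 NSSA-external (assumed to exist only inside the NSSA).


def admitted_into_area(lsa_type, area_type):
    """True if an ABR floods an LSA of this type, received from the backbone
    side, into an area of the given type."""
    if lsa_type in (1, 2):
        return False            # router/network-LSAs never leave their own area
    if area_type == NORMAL:
        return lsa_type in (3, 4, 5)
    if area_type == STUB:
        # no AS-external-LSAs (and so no ASBR summaries either); a default
        # route from the ABR replaces them
        return lsa_type == 3
    if area_type == TOTALLY_STUBBY:
        return False            # summaries are filtered too; only the default route enters
    if area_type == NSSA:
        return lsa_type == 3    # externals from outside the area are still blocked
    raise ValueError(f"unknown area type {area_type!r}")


def abr_flood_plan(backbone_lsdb, area_type):
    """What an ABR floods into the area: the admitted LSAs plus, for stub-type
    areas, the default-route summary it originates itself."""
    plan = [lsa for lsa in backbone_lsdb if admitted_into_area(lsa["type"], area_type)]
    if area_type in (STUB, TOTALLY_STUBBY):
        plan.append({"type": 3, "prefix": "0.0.0.0/0", "origin": "abr-default"})
    return plan


def nssa_translate(nssa_lsdb, translate=True):
    """The NSSA ABR's outbound side: type-7 LSAs originated by the ASBR inside
    the NSSA become type-5 LSAs for the rest of the domain when translation
    is enabled."""
    if not translate:
        return []
    return [dict(lsa, type=5, translated_from=7) for lsa in nssa_lsdb if lsa["type"] == 7]
```

Feeding the same backbone LSDB through abr_flood_plan for each area type is a quick way to see the size reduction the notes describe: the normal area receives everything except types 1 and 2, the stub area only summaries plus the default, and the totally stubby area only the default.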




For the current slide, Router A and Router B have been elected Designated Router
(DR) and Backup Designated Router (BDR) based on priority (priority 100 and priority
75). A set of adjacencies forms over the Gig-Ethernet LAN segment as indicated on
the slide. To demonstrate how database updates occur over a broadcast LAN using a
DR and BDR, Router E receives a new LSA (perhaps you configure a new VLAN to
participate in OSPF). It installs the LSA in its database, and then floods the LSA (LS
Update) to the DR and BDR, using 224.0.0.6 (AllDRouters) so that only these routers
receive the update.
The Designated Router then sends the LS Update back on to the Gig-Ethernet LAN
segment using address 224.0.0.5 (AllSPFRouters). All the routers hear and process
the update. Router B and Router E update their timers; Router C and Router D add
the LSA to their Link State Database. All the routers stop passing data traffic, run
Dijkstra's Algorithm to recompute their Shortest Path Trees, reconverge, and begin
passing traffic again.


Using the loopback interface as the router ID is the preferred method. Its major
advantage is as follows: if a real interface is used, any time that interface goes down
the router must find another Router ID. This causes all the other routers to learn the
router's new ID number, and update their databases. This would result in the router
not processing OSPF packets during this time frame. As long as the router is turned
on and running, the loopback will never go away, so when a router interface goes
down it won't affect the other routers in the network.


● OSPF packet type 1 (Hello): these packets are sent out of all interfaces, transmitted
via multicast to AllSPFRouters (224.0.0.5), serve as a form of "keep alive", and are
used for Designated Router / Backup Designated Router election.
● OSPF packet type 2 (Database Description): exchanged when an adjacency is being
initiated; describes the topology database, and multiple packets may be used to
describe a database.
● OSPF packet type 3 (Link State Request): requests pieces of the topological
database from neighbor routers. These messages are exchanged after a router
discovers (by examining database-description packets) that parts of its topological
database are out of date. Type 3 packets allow the router to come to full adjacency
with the Designated Router.
● OSPF packet type 4 (Link State Update): implements the flooding of LSAs; several
LSAs may be included within a single packet. It is sent in response to Link State
Request packets, performs the database update, and is acknowledged by Link State
Acknowledgement packets.
● OSPF packet type 5 (Link State Acknowledgement): performs flooding
acknowledgement for LSAs; sent either multicast to AllSPFRouters or AllDRouters,
or unicast. The packet format is similar to Database Description packets, and the
packet body consists of a list of LSA headers.


OSPF creates adjacencies between neighboring routers to control the distribution of
routing protocol packets.
An adjacency is a relationship formed between selected neighboring routers for the
purpose of exchanging routing information. Topological databases are synchronized
between pairs of adjacent routers.
Not every pair of neighboring routers becomes adjacent. Instead, adjacencies are
established with some subset of the router's neighbors. Routers connected by
point-to-point networks and virtual links always become adjacent. On multi-access
networks, all routers become adjacent to both the designated router and the backup
designated router.
Routing protocol packets are sent and received only on adjacencies. In particular,
distribution of topological database updates proceeds along adjacencies.


Why Form Adjacencies Between Routers?
OSPF creates adjacencies between neighboring routers to exchange LSDB information.
It uses the Hello protocol to determine if two routers are to become adjacent. The Hello
protocol verifies that both routers are in the same area, have the same interface timers and
network mask, and that their router capabilities match. If all of these tests are passed, each
router lists the other as a neighbor in the Hello packet. This establishes two-way adjacency.
If one of the routers is a DR, they then exchange link state information.

Forming an Adjacency
The general process that OSPF routers use to form an adjacency is described below. For
more detailed information about this process refer to RFC 2328.
● Routers A and B exchange Hello packets. Based on the contents, A and B decide whether
to become fully adjacent.
● Routers A and B compare LSDBs by exchanging database description packets. These
packets do not provide enough detail to actually update the database, only enough detail to
find out which LSAs are not yet in the local database and which LSAs presently in the
database are out of date.
● Each router updates its database by transmitting a link state request to the other router.
The request is considered fulfilled when a link state update is received containing the
requested LSAs. Each router updates its database with information it considers better than
what it already has. A sequence number contained in each LSA determines what constitutes
better information. The receipt of each LSA is acknowledged by using the link state ACK
packet.
● When this process is complete, the adjacency is formed, the link state databases are
synchronized, and the Neighbor State is Full.
● The two routers continue to exchange Hello messages, maintaining their adjacency.


This graphic illustrates neighbor states.
The conversation between neighboring routers has defined states. On the
router, you see some of these states when you view the log or trace file. The
states that can exist between neighboring routers are:
● Down - This is the initial state of a neighbor conversation. There has been no
recent information received from the neighbor. This appears only for statically
configured neighbors.
● Attempt - This state only occurs on non-broadcast networks. It indicates that no
recent information has been received from a neighbor.
● Init - A Hello packet is seen from the neighbor but bi-directional communication is
not established with the neighbor.
● Two-Way - Communication between the two routers is bi-directional. This
occurs when router A receives router B's Hello and sees itself listed as a
neighbor.
● ExStart - This is the first step in creating an adjacency. A master or slave
relationship is negotiated, governing the subsequent message exchange.
● Exchange - The router is describing its entire LSDB by sending database
description packets to the neighbor. The router with the highest router ID
becomes the master.
● Loading - Link state request packets are sent to the neighbor asking for more
recent advertisements that were learned but not received, and link state updates
are sent in response.
● Full - The neighboring routers are fully adjacent, and the LSDBs are identical.
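The Hello checks from "Forming an Adjacency" and the state progression listed above, as one added example that is not from the guide: one router's view of a single neighbor, moving Down, Init, Two-Way, ExStart, Exchange, Loading, Full as Hellos and exchange events arrive. Field names, router IDs and event names are constructed (the real packet formats are in RFC 2328), and the DR/BDR rule that decides who proceeds past Two-Way on a broadcast network is not modelled, so start_adjacency() is called explicitly.

```python
# Added example (not from the guide): one router's view of a neighbor, with
# the Hello checks from "Forming an Adjacency" and the state progression in
# the neighbor-state list. Field names, router IDs and event names are
# constructed; the on-the-wire formats are in RFC 2328. Simplification: the
# DR/BDR rule deciding who proceeds past Two-Way on a broadcast network is
# not modelled, so start_adjacency() is called explicitly.

HELLO_CHECKS = ("area_id", "hello_interval", "dead_interval", "network_mask", "options")


def _rid_key(rid):
    return tuple(int(octet) for octet in rid.split("."))


class Neighbor:
    def __init__(self, my_id, my_hello):
        self.my_id = my_id
        self.my_hello = my_hello        # this router's own Hello parameters
        self.state = "Down"
        self.neighbor_id = None
        self.master = None              # router ID that is master after ExStart

    def hello_compatible(self, hello):
        """Same area, same timers and mask, matching capabilities."""
        return all(hello[f] == self.my_hello[f] for f in HELLO_CHECKS)

    def receive_hello(self, hello):
        """Process a neighbor's Hello; returns the resulting state, or None
        when the Hello is rejected and the router is never listed as a neighbor."""
        if not self.hello_compatible(hello):
            return None
        self.neighbor_id = hello["router_id"]
        if self.state == "Down":
            self.state = "Init"         # Hello seen, not yet bi-directional
        if self.state == "Init" and self.my_id in hello["neighbors"]:
            self.state = "Two-Way"      # we appear in their neighbor list
        return self.state

    def start_adjacency(self):
        """Two-Way -> ExStart; the higher router ID becomes the master."""
        if self.state != "Two-Way":
            raise RuntimeError(f"cannot start adjacency from state {self.state}")
        self.master = max(self.my_id, self.neighbor_id, key=_rid_key)
        self.state = "ExStart"
        return self.master

    def advance(self, event):
        """Database description exchange, optional loading, then Full."""
        transitions = {
            ("ExStart", "negotiation-done"): "Exchange",
            ("Exchange", "exchange-done-needs-requests"): "Loading",
            ("Exchange", "exchange-done"): "Full",
            ("Loading", "loading-done"): "Full",
        }
        self.state = transitions[(self.state, event)]
        return self.state

    def neighbor_lost(self):
        """Dead interval expired with no Hello: back to Down."""
        self.state, self.master = "Down", None
        return self.state
```

A Hello with a different hello interval is rejected outright, which is the behaviour behind the timer-mismatch note later in this section: the neighbor never leaves Down, so no adjacency forms.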




In order for two OSPF routers to come to adjacency, their timers must all match.
The defaults are given in the table above; all Extreme routers by default are
configured to use the default values.




Type 1 LSAs are called router-LSAs. Each router originates a single router-LSA to
describe its set of active interfaces and neighbors. If your routing domain consists
entirely of routers connected by point-to-point links – that is, if you have no
client-facing VLANs attached to your routers – the link-state database will consist
only of router-LSAs.


Type 2 LSAs are called network-LSAs. The Type 2 LSA describes a broadcast
network segment (such as Ethernet) or other Non-Broadcast Multiple Access
(NBMA) network (such as Asynchronous Transfer Mode (ATM)), along with the
Router-IDs of any routers currently attached to the network.


A Type 3 LSA is called a network-summary-LSA. It advertises a network that resides
in one area into another area. Only ABRs send Type 3 LSAs. You can configure your
ABR to summarize the networks it is advertising, if those networks are
summarizable. If they are not, your ABR will issue a Type 3 LSA for every network in
the area.


A Type 4 LSA is called an ASBR-summary-LSA. When an Area Border Router has
an ASBR in its area, it originates a Type 4 LSA to let all the other routers in the
OSPF network know the path to the ASBR. The Type 4 LSA floods throughout the
OSPF backbone area; all other routers in the backbone area receive and process it
directly. Any other ABRs in the domain will re-originate the Type 4 LSA into the
area(s) to which they are connected.


Type 5 Link State Advertisements are called Autonomous-System-external-LSAs.
ASBRs originate Type 5 LSAs to advertise routes in the non-OSPF routing domains
to which they are attached.
Type 5 LSAs flood throughout your OSPF domain, crossing ABRs. This behavior, in
contrast to the ABR re-originating the LSA, is designed to reduce the size of your
Link State Database. Consider the graphic above. If both ABRs in Area 0.0.0.1
re-originated the Type 5 LSA sent out by the ASBR – that is, they both resent the
advertisement with their own Router IDs as the originating router – every other router
in the network would be required to store two LSAs for paths to the single ASBR
router. By simply having the ABRs flood the original Type 5 LSA, OSPF
allows each router throughout the domain to calculate a path to the ASBR directly.


If an ASBR is on the back side of a Not So Stubby Area (NSSA), it advertises routes
it learns from the non-OSPF routing protocol into the NSSA as Type 7 LSAs. The
Area Border Router advertises these routes into the rest of the OSPF domain as
Type 5 LSAs.


OSPF supports Equal-Cost Multi-Path (ECMP) routing. ECMP is a mechanism for
routing packets over multiple paths of equal cost in order to achieve almost equally
distributed link load sharing.
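The SPF calculation the DR/BDR slide mentions (Dijkstra's algorithm over the link-state database) and the ECMP behaviour described here, as one added example that is not from the guide: a Dijkstra run that keeps every equal-cost next hop instead of discarding ties, plus a per-flow hash to pick one of them consistently. The link costs are a constructed sample in which two equal-cost paths exist from R1 to R6.

```python
import heapq
import zlib

# Added example (not from the guide): the SPF (Dijkstra) calculation each OSPF
# router runs over its link-state database, extended so that every equal-cost
# next hop toward a destination is kept. Keeping all of them is what makes the
# ECMP forwarding described in the notes possible. The link costs are a
# constructed sample in which two equal-cost paths exist from R1 to R6.

LINKS = {
    ("R1", "R2"): 10, ("R1", "R3"): 10,
    ("R2", "R6"): 10, ("R3", "R6"): 10,
    ("R2", "R3"): 5,
}


def adjacency(links):
    adj = {}
    for (a, b), cost in links.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def spf_ecmp(links, root):
    """Return {router: (cost, tuple of next hops from root, sorted)}.

    Plain Dijkstra except that a path of equal cost merges its next hops into
    the existing entry instead of being discarded.
    """
    adj = adjacency(links)
    best = {root: (0, set())}
    heap = [(0, root)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, link_cost in adj.get(node, {}).items():
            new_cost = cost + link_cost
            # next hop toward nbr: nbr itself when leaving the root, otherwise
            # whatever next hops already lead to node
            hops = {nbr} if node == root else best[node][1]
            current = best.get(nbr)
            if current is None or new_cost < current[0]:
                best[nbr] = (new_cost, set(hops))
                heapq.heappush(heap, (new_cost, nbr))
            elif new_cost == current[0] and nbr not in done:
                best[nbr] = (current[0], current[1] | hops)
    return {n: (c, tuple(sorted(h))) for n, (c, h) in best.items()}


def choose_next_hop(next_hops, src_ip, dst_ip):
    """Per-flow hashing: the same source/destination pair always takes the same
    path, so packets of one flow are not reordered across the equal-cost links."""
    return next_hops[zlib.crc32(f"{src_ip}|{dst_ip}".encode()) % len(next_hops)]
```

The result for R6 lists both R2 and R3 as next hops at cost 20, which is the situation the later show ip route slide illustrates with two paths to one prefix.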




If you have equal-cost multi-paths through your network, the router will include all of
those paths in the results of the show ip route command. Note that in this network,
two paths exist to the 6.6.6.0/24 network.




OSPF router priority is an interface-level command and is used to influence the
election process for the Designated Router (DR) and Backup Designated Router
(BDR) in a broadcast LAN environment. The routers with the highest priority
interfaces will win the election process for DR and BDR on a broadcast network
segment. If two routers have the same priority, the router with the highest router ID
will be elected as the DR. Setting the interface to a priority of "0" precludes that
router from becoming a DR for the LAN segment. Valid values range from 0-255. A
priority of 0 means that an interface will become the DR only if it is the only interface
in the area.
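The election rule above, as an added example that is not from the guide: highest priority wins, ties go to the highest router ID, and priority 0 makes an interface ineligible. The candidate list is constructed; this is a simplification of the RFC 2328 procedure, which also honours routers that already declare themselves DR or BDR in their Hellos.

```python
# Added example (not from the guide): DR/BDR election on one broadcast segment
# following the rules in the note: highest priority wins, ties go to the
# highest router ID, priority 0 is ineligible. Candidates are constructed;
# this simplifies the RFC 2328 procedure by ignoring routers that already
# declare themselves DR/BDR in their Hellos.

CANDIDATES = [
    # (router_id, interface priority)
    ("10.0.0.5", 100),   # like Router A on the earlier slide
    ("10.0.0.2", 75),    # like Router B
    ("10.0.0.9", 75),    # same priority as B, higher router ID
    ("10.0.0.7", 0),     # never eligible
    ("10.0.0.1", 1),
]


def _rid_key(rid):
    return tuple(int(octet) for octet in rid.split("."))


def elect_dr_bdr(candidates):
    """Return (dr_id, bdr_id); either is None when no eligible router remains."""
    eligible = []
    for rid, pri in candidates:
        if not 0 <= pri <= 255:
            raise ValueError(f"priority {pri} for {rid} is outside 0-255")
        if pri > 0:
            eligible.append((rid, pri))
    ranked = sorted(eligible, key=lambda c: (c[1], _rid_key(c[0])), reverse=True)
    dr = ranked[0][0] if ranked else None
    bdr = ranked[1][0] if len(ranked) > 1 else None
    return dr, bdr
```

Running it over the sample shows why router IDs matter on a segment where several interfaces share a priority: 10.0.0.9 beats 10.0.0.2 for BDR purely on the numeric comparison of the IDs.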




Note: in XOS, the show vlan command will also tell you which VLANs have OSPF
enabled on them.




Area 0 can be defined as 0 or 0.0.0.0.
Area 2 can be defined as 2 or 0.0.0.2.

Note that if you are already running OSPF in your network and are changing the
area an interface belongs to, you must first disable OSPF with the disable ospf
command. (You will use this process in the lab.)


Translate specifies whether type-7 LSAs are translated into type-5 LSAs.




Note that the summarization process advertises a single path to all the summarized
routes. Summarization does not allow you to selectively advertise a route within the
summarized range.
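What the summarization note means for an ABR's Type 3 advertisements, as an added example that is not from the guide: every route inside a configured range is replaced by the one range, routes outside any range are advertised individually, and a helper computes the tightest single prefix covering a set of routes. The prefixes are constructed samples.

```python
import ipaddress

# Added example (not from the guide): the effect of an area-range summary on
# the Type 3 LSAs an ABR advertises. A summary replaces every contained prefix
# with the one range, so an individual route inside the range cannot be
# advertised on its own. Prefixes are constructed samples.

AREA_ROUTES = ["10.20.0.0/24", "10.20.1.0/24", "10.20.2.0/24", "10.20.3.0/24",
               "10.30.5.0/24"]


def summarize(prefixes, ranges):
    """Return the Type 3 prefixes the ABR advertises: each configured range once
    (if any route falls inside it) plus every route outside all ranges."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    rngs = [ipaddress.ip_network(r) for r in ranges]
    advertised, covered = [], set()
    for net in nets:
        hit = next((r for r in rngs if net.subnet_of(r)), None)
        if hit is None:
            advertised.append(str(net))      # outside every range: advertised as is
        else:
            covered.add(hit)                 # absorbed into the range
    advertised.extend(str(r) for r in sorted(covered))
    return sorted(advertised)


def smallest_summary(prefixes):
    """The tightest single prefix covering all the given routes, i.e. the range
    you would configure to summarize exactly them."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return str(candidate)
```

smallest_summary deliberately stops at the first prefix that covers the input; a range wider than the area's real routes would draw traffic for addresses the area does not hold, which is the flip side of the single-path behaviour the note describes.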




OSPF supports three different ways in which the routers can authenticate
themselves to each other:
● Null authentication, the default. With Null authentication, the routers do not
authenticate each other, and accept Hello packets from any source.
● Plain Text authentication, in which you configure simple password authentication
between your routers.
● Message Digest-5 (MD5) authentication, in which you configure an MD5 password
on your routers.


On all Extreme switches you must configure simple authentication both for your
OSPF area and on each interface in the area.


The md5-key-id specifies an RSA Data Security, Inc. MD5 Message-Digest
Algorithm key; the valid key numbers range from 0-255. The md5_key_id must match
across all routers in a given area, as must the password.




The minimum steps to enable OSPF on a router would consist of the following:
● Create IP interfaces
● Add IP addresses to the IP interfaces
● Create the OSPF instance
● Add IP OSPF networks and areas




Network Address Translation (NAT) allows a router to modify the IP address
information in the Layer 3 header of a packet as it crosses the router. It is most
commonly used to allow multiple hosts in a private IP address space to access the
Internet using a single publicly valid IP address.




Every TCP/IP packet contains a source IP address, destination IP address, source
TCP port, and target or destination TCP port. NAT, of whatever type, works by
mapping these four values in the internal machine to their four corresponding values
in the external machine.


Consider this example network. The client at 172.16.11.12 wishes to access the
Google server at 74.125.224.72, and formulates an HTTP GET request directed to
that IP address. The client includes its current available TCP port number, 56123, in
the source port field of the TCP header, and includes port 80, the well-known HTTP
port number, in the destination port field of the TCP header.

When the NAT router receives the GET request from the internal client, it performs the
Network Address Translation, replacing the source IP address of the client with its
publicly valid IP address, 63.27.141.3. It then creates an entry in the NAT table that
says, in essence, "I need to remember that any reply coming from 74.125.224.72
with a destination port of 56123 is really going to my internal client at 172.16.111.12.
When I get that reply, it's going to be coming to my IP address of 63.27.141.3. I'm
going to have to replace that publicly valid IP address in the Destination IP address
field with the IP address of my internal client, 172.16.111.12, and send the packet
along."


Extreme routers support three types of cone NAT:
● Full Cone NAT
● Restricted Cone NAT
● Port Restricted Cone NAT
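The NAT table entry from the Google example and the three cone types listed above, as one added example that is not from the guide: outbound packets get the public address (keeping the client's port when it is free), and inbound packets are accepted or dropped according to the cone mode. The addresses reuse the slide's values; the table and policy model are constructed and are not the switch's implementation.

```python
# Added example (not from the guide): a NAT table doing the outbound rewrite
# from the Google example and then applying the three cone-NAT inbound rules.
# The addresses reuse the slide's values; the table and policy model are
# constructed and are not the switch's implementation.

FULL_CONE, RESTRICTED_CONE, PORT_RESTRICTED_CONE = "full", "restricted", "port-restricted"


class ConeNat:
    def __init__(self, public_ip, mode=FULL_CONE):
        self.public_ip = public_ip
        self.mode = mode
        self.table = {}        # (public_ip, public_port) -> (inside_ip, inside_port)
        self.peers = {}        # (public_ip, public_port) -> {(dst_ip, dst_port) sent to}
        self.next_port = 40000

    def _public_key(self, src_ip, src_port):
        for key, inside in self.table.items():
            if inside == (src_ip, src_port):
                return key                       # one public endpoint per inside endpoint
        key = (self.public_ip, src_port)         # keep the client's port when free
        if key in self.table:
            key = (self.public_ip, self.next_port)
            self.next_port += 1
        self.table[key] = (src_ip, src_port)
        self.peers[key] = set()
        return key

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an inside->outside packet; returns (src_ip, src_port, dst_ip, dst_port) as sent."""
        key = self._public_key(src_ip, src_port)
        self.peers[key].add((dst_ip, dst_port))
        return key + (dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite an outside->inside packet, or return None to drop it."""
        key = (dst_ip, dst_port)
        inside = self.table.get(key)
        if inside is None:
            return None                          # no mapping: unsolicited traffic is dropped
        sent_to = self.peers[key]
        if self.mode == RESTRICTED_CONE and src_ip not in {ip for ip, _ in sent_to}:
            return None                          # inside host must have sent to that IP
        if self.mode == PORT_RESTRICTED_CONE and (src_ip, src_port) not in sent_to:
            return None                          # ... to that IP and that port
        return (src_ip, src_port) + inside
```

The three modes differ only in the inbound check: full cone forwards anything to a mapped public port, restricted cone requires the outside source IP to be one the client already contacted, and port-restricted cone requires the IP and port pair to match, which is the reply pattern the slide's NAT table entry describes.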




Access Control Lists (ACLs) are used to define packet filtering and forwarding rules
for traffic traversing the switch. Each packet arriving on an ingress port and/or VLAN
is compared to the access list applied to that interface and is either permitted or
denied. Packets egressing an interface can also be filtered on certain platforms
listed in the ExtremeXOS Concepts Guide. However, only a subset of the filtering
conditions available for ingress filtering are available for egress filtering.

NOTE
Port Isolation (new in 15.3). This feature blocks accidental and intentional
inter-communication between different customers residing on different physical
ports. Previously, this kind of security was obtained through the access-list module,
but this can be complicated to manage and can be resource intensive. This feature
provides a much simpler blocking mechanism without the use of ACL hardware. A
set of physical or load-share ports can be selected that will be deemed isolated; once
isolated, the ports cannot communicate with other isolated ports, but can
communicate with any other ports. Use the following command: configure ports
<port-list> isolation [on | off].


Match Conditions
You can specify multiple, single, or zero match conditions. If no match condition is
specified, all packets match the rule entry. The table above lists a selection of the
available match conditions. For the complete list of match conditions refer to
Chapter 18 of the ExtremeXOS Concepts Guide.

Match Operators
You can also use the operators <, <=, >, and >= to specify match conditions. For
example, the match condition source-port > 190 will match packets with a source
port greater than 190. Be sure to use a space before and after an operator.




Actions
The action is either permit or deny, or no action is specified. No action specified
permits the packet. The deny action drops the packet.

Action Modifiers
The above table lists a selection of action modifiers such as count, qosprofile and
meter. The count action increments the counter named in the condition. The QoS
profile action forwards the packet to the specified QoS profile. The meter action
modifier associates a rule entry with an ACL meter for rate limiting. For a full list of
action modifiers refer to Chapter 18 of the ExtremeXOS Concepts Guide.

NOTE
Often an ACL policy will have a rule entry at the end of the ACL with no match
conditions. This entry will match any packets.
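The evaluation rules from the match-condition, operator and action slides, as one added example that is not from the guide: rule entries are checked in order, an entry with no match conditions matches everything, an entry without an action permits, deny drops, and the count, qosprofile and meter modifiers are returned beside the verdict. The operator form ("source-port > 190", with spaces) is parsed as the note describes. The policy, field names and packets are constructed and are not ExtremeXOS policy syntax.

```python
import ipaddress
import operator

# Added example (not from the guide): how an ACL policy of the shape described
# in the notes is evaluated. Rules are checked in order, a rule with no match
# conditions matches everything, an entry without an action permits, deny
# drops, and modifiers (count, qosprofile, meter) are recorded with the
# verdict. The policy, field names and packets are constructed samples, not
# ExtremeXOS policy syntax.

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

POLICY = [
    {"name": "block-telnet",
     "match": {"protocol": "tcp", "destination-port": 23},
     "action": "deny", "modifiers": {"count": "telnet_denied"}},
    {"name": "high-src-ports-from-core",
     "match": {"source-port": "> 190", "source-address": "10.1.0.0/16"},
     "action": "permit", "modifiers": {"qosprofile": "qp5"}},
    {"name": "catch-all",            # final entry with no conditions: matches everything
     "match": {}, "modifiers": {"count": "everything_else"}},
]


def _match_one(field, spec, packet):
    value = packet[field]
    if field in ("source-address", "destination-address"):
        return ipaddress.ip_address(value) in ipaddress.ip_network(spec)
    if isinstance(spec, str) and spec.split()[0] in OPS:
        op, bound = spec.split()          # "> 190": a space before and after the operator
        return OPS[op](int(value), int(bound))
    return value == spec


def evaluate(policy, packet):
    """Return (action, modifiers) for the first rule entry whose conditions all match.
    A packet matched by no entry at all is permitted, the same result as a final
    no-condition entry without an action."""
    for entry in policy:
        conditions = entry.get("match", {})
        if all(_match_one(f, s, packet) for f, s in conditions.items()):
            return (entry.get("action", "permit"), entry.get("modifiers", {}))
    return ("permit", {})
```

The ordering matters as much as the conditions: moving the catch-all entry to the top would permit everything, including the Telnet traffic the first entry is meant to drop, which is why the note places the no-condition entry at the end.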


ok
bo
-e
ks
or
w
et
N

Wide Key ACLs


This feature allows the use of a 362-bit double wide match key instead of a standard
e

181-bit single key to be used with match conditions. A wide match key allows you to
m

add more match conditions to an ACL. It also allows matching on a full destination-
tre

source IPv6 address. The platforms that support this feature can operate either in
wide mode or in the current single mode. A individual switch or module cannot be
Ex

configured to operate in a mixed wide and single mode. However, a BlackDiamond


8800 chassis or a SummitStack can have a mixture of modules and switches with
some of them operating in a single mode and some in a wide mode.

NOTE
Wide key ACLs are supported only on the BlackDiamond 8000 c-, xl-, and xm-series
modules and Summit X460, X480, and X670 switches. When using wide key ACLs,
you can only install half as many rules into the internal ACL TCAM as you can when
in a standard mode.

A number of slices and rules are used by features present on the switch. You consume these resources when the feature is enabled, so the availability of resources depends on the type and number of features and protocols that are enabled on a switch. Below is a list of the most common features and their resource consumption. For a detailed list, refer to the ExtremeXOS Concepts Guide.

● dot1p examination - enabled by default - 1 slice, 8 rules per chip
● IGMP snooping - enabled by default - 2 slices, 2 rules
● VLAN without IP configured - 2 slices, 2 rules
● IP interface - disabled by default - 2 slices, 3 rules (plus the IGMP snooping rules above)
● VLAN QoS - disabled by default - 1 slice, n rules (n VLANs)
● Port QoS - disabled by default - 1 slice, 1 rule
● VRRP - 2 slices, 2 rules
● EAPS - 1 slice, 1 rule (master), n rules (transit - n domains)
● ESRP - 2 slices, 2 rules
● ESRP Aware - 1 slice, 1 rule
● IPv6 - 2 slices, 3 rules
● Netlogin - 1 slice, 1 rule
● VLAN Mirroring - 1 slice, n rules (n VLANs)

For example, physical ports, destination IP, source IP and IP fragments are all compatible and will require one slice. If an ACL requires the use of field selectors from two different rows, it must be implemented on two different slices.

For more information, refer to the ExtremeXOS Concepts Guide.


As the layer 2 rules contained in the mac.pol policy file are not compatible with the previous rules, as defined on the previous page, a new slice will be used.
Notice that slice 14 now contains 10 rules: the eight system rules in this configuration, plus the two compatible IP rules. As there is a mixture of system rules and user rules contained in the slice, the slice status now indicates “user/other”. Slice 15 now contains the two non-compatible L2 user rules.

NOTE
Older BD8K and SummitX series switches do not use slices, but use another method called masks. Although they operate in a similar way, masks are much less flexible. To view the available mask usage, enter the show access-list usage command specifying the acl-mask command option along with the relevant port number. ACL mask operation for older BD8K and SummitX series switches is not covered in this course material.

As an example of precedence among interface types, suppose a physical port 1:2 is a member port of the VLAN yellow. ACLs could be configured on the port, either singly or as part of a port list, on the VLAN yellow, and on all ports in the switch (the wildcard ACL). For all packets crossing this port, the port-based ACL has the highest precedence, followed by the VLAN-based ACL and then the wildcard ACL.

NOTE
ACLs applied to a VLAN are actually applied to all ports on the switch, without regard to VLAN membership. The result is that resources are consumed per chip on BlackDiamond 8000 a-, c-, e-, xl-, and xm-series modules and Summit family switches.

The edit policy command spawns a vi-like editor to edit the named file. The editor operates in one of two modes: command and input. When a file first opens, you are in command mode. To write in the file, use the keyboard arrow keys to position your cursor within the file, then press one of the following keys to enter input mode:

i - To insert text ahead of the initial cursor position
a - To append text after the initial cursor position

To escape the input mode and return to the command mode, press the Escape key. There are several commands that can be used from the command mode:

dd - To delete the current line
yy - To copy the current line
p - To paste the line copied
:w - To write (save) the file
:q - To quit the file if no changes were made
:q! - To forcefully quit the file without saving changes
:wq - To write and quit the file

Notice from the output of the show policy command that the policy has been applied as an ACL and is bound once to the VLAN “data”.

The output from the show access-list command shows the actual VLAN the ACL is bound to (notice that the ACL is bound to all ports, as indicated by the asterisk “*”). It also shows whether the policy is ingress or egress and how many rules are contained in the policy.

Creating a dynamic ACL rule is similar to creating an ACL policy file rule entry. You specify the name of the dynamic ACL rule, the match conditions, and the actions and action modifiers. You can configure a dynamic ACL to be permanent or non-permanent. Permanent dynamic ACLs are stored in the running configuration and need to be saved to be persistent across system reboots. Non-permanent ACLs are just programmed into the hardware directly and are not added to the running configuration. They are therefore not listed by the show configuration command.

User-created access-list names are not case sensitive. The match conditions, actions, and action modifiers are the same as those that are available for ACL policy files. In contrast to the ACL policy file entries, dynamic ACLs are created directly in the CLI.

More than one dynamic ACL can be applied to an interface, and the precedence among the dynamic ACLs can be configured when adding the dynamic ACL via the CLI. By default, the priority among dynamic ACLs is established by the order in which they are configured.

NOTE
Dynamic ACLs have a higher precedence than ACLs applied using a policy file.

In the above example, the previous policy denyTelnet is still applied to the BD8K1 switch, preventing users from accessing the switch’s CLI via Telnet. As dynamic ACLs take precedence over static ACLs, it is useful to configure a dynamic ACL to temporarily override a static ACL rule for testing purposes.

The equivalent policy file rule to permit Telnet would be as follows:

entry permitTelnet {
    if match all {
        protocol tcp ;
        destination-port 23 ;
    } then {
        permit ;
    }
}

To configure a non-permanent dynamic ACL, enter the create access-list command specifying the rule name, conditions and actions, then add the non-permanent command option. The above example can be configured as follows:

create access-list permitTelnet "protocol tcp; destination-port 23" permit non-permanent

To remove a dynamic ACL from a VLAN or port, enter the configure access-list delete command specifying the dynamic rule to delete and the port or VLAN to which the ACL was applied.

Notice from the output of the show access-list command that VLAN data now indicates that a dynamic ACL has been applied as well as the policy. However, the dynamic ACL name is not shown in the output of this command. To see it, enter the show access-list dynamic command.

There may be a number of system dynamic ACLs present depending on the switch you are using and the software version you are running. System ACLs are designed to facilitate the operation of some features and are beyond the scope of this course.

The filter action of ACL rules is to drop or forward routed packets, on ingress only. ACLs do not apply to switched traffic, where policy profiles apply instead.

Standard ACLs filter traffic based on source IP address only.

Extended ACLs filter traffic based on source or destination IP address, Authentication Header, Encapsulating Security Payload header, or Generic Routing Encapsulation header, plus one of the following:

● IP protocol
● ICMP type
● TCP/UDP source port
  - Equal to
  - Not equal to
  - Greater than
  - Less than
  - Range
● DSCP code point
● IP precedence
● ToS value

The S/K-Series system allows a total of 5,000 access rules to be applied to Access Control Lists (ACLs). Further, individual ACLs will support up to 999 access rules.

The valid access list numbers for standard ACLs are 1 to 99. For extended ACLs, valid values are 100 to 199.

To configure extended ACLs, the advanced routing license is required.


The ip access-list standard command enters the rule configuration command mode for the specified standard ACL. Standard ACLs specify a source address.

There are two ways to identify an ACL: a number or a name. The use of a number is for IPv4 ACLs only. Standard IPv4 ACL numbers range from 1 to 99. Names must start with an alpha character. A name may be quoted, as the quotes are stripped, but spaces are not supported within the quoted string. A name cannot be one of the show access-lists keywords brief or applied, or any prefix thereof such as “br” or “app”. Names can be up to 64 characters in length.

The ip access-list extended command enters the rule configuration command mode for the specified extended access-list. Extended access-lists specify both a source and destination address. Extended ACL numbers range from 100 to 199. The rules for naming extended ACLs are identical to those for standard ACLs.

Use the permit command to create a permit access list rule entry.

Parameters
protocol-num: Specifies an IPv4 protocol for which to permit access. Valid values are protocol numbers from 0 - 255.
ip: Specifies any IPv4 protocol (0 - 255)
ah: Specifies the Authentication Header protocol
esp: Specifies the Encapsulating Security Payload protocol
gre: Specifies the Generic Routing Encapsulation protocol
source: Specifies the IPv4 address of the network or host from which the packet will be sent.
source-wildcard: Specifies the bits to ignore in the source address.
destination: Specifies the IPv4 address of the network or host to which the packet will be sent.
destination-wildcard: Specifies the bits to ignore in the destination address.
any: Specifies that any source or destination (extended access list only) address applies to this rule entry.
host ip-address: Specifies a specific host address that will be applied to this rule entry.
dscp code (Optional): Specifies a DiffServ Code Point (DSCP) value to match against this packet’s DSCP code.
precedence value (Optional): Specifies an IP Precedence value. Valid values are 0 - 7, or in order from high to low: critical, flash, flash-override, immediate, internet, network, priority, routine.
tos value (Optional): Specifies a Type of Service (ToS) value. Valid values are 0 - 15, or max-reliability, max-throughput, min-delay, min-monetary-cost, normal.
log | log-verbose (Optional): Enables syslog or verbose syslog messaging for an ACL rule hit.

You can also create permit rules that look at TCP, UDP, or ICMP information. Specifying the tcp, udp, or icmp keyword provides the extended parameter set listed in the syntax for these keywords. The additional parameters for those commands are below.

Parameters:
msg icmp-msg (Optional): Specifies a single ICMP message type by entering a keyword. If the msg option is not specified for an ICMP rule, all ICMP message types are permitted.
eq: Permits the specified source or destination port
gt: Permits source or destination ports greater than the value specified
lt: Permits source or destination ports less than the value specified
neq: Permits source or destination ports that are not equal to the value specified
range start-port end-port (Optional): Specifies a range of source or destination ports permitted.
established (Optional): Specifies that only established TCP connections are permitted. A match is made if the ACK or RST bit is set.

The deny command uses the same grammar as the permit command in all its variations.
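Putting the permit and deny grammar from the preceding pages together, the following is an added example and not part of the course material or of any Extreme Networks document. The ACL number, the addresses and the VLAN interface are assumptions, and the ip access-group command used to apply the list is also an assumption to check against the S/K-Series configuration guide.

```text
ip access-list extended 101
 permit tcp 10.10.0.0 0.0.255.255 any established
 deny tcp any host 10.10.1.1 eq 23 log
 permit tcp 10.10.50.0 0.0.0.255 host 10.10.1.1 eq 22
 permit ip any any
 exit
interface vlan.0.10
 ip access-group 101 in
```

Rules are evaluated top down and the first match wins. The first rule admits return traffic of TCP sessions opened from 10.10.0.0/16 (the wildcard 0.0.255.255 is the inverse of a /16 mask, and established matches segments with ACK or RST set). The second drops Telnet to the host 10.10.1.1 from any source and records each sampled hit to syslog; the third admits SSH to that host from the admin subnet only; the last admits everything else. Moving the final permit ip any any to the top would make the three rules above it unreachable.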
Access list logging is throttled to 1 log message per second. If there are multiple access list rules with logging enabled (log or log-verbose), and more than one frame per second is transmitted that can hit those rules, only the first frame will generate a message. Logging is sampled and does not report every time that a rule with logging enabled is hit.


Policy-Based Routing allows service providers and other organizations to direct routed traffic through different connections than would be chosen by the routing protocol.

For example, in this graphic the normal path from the branch office to corporate headquarters would pass across the high-bandwidth connections through the middle of the network. However, the customer company is not willing to pay for that connection, but opts for a lower-cost, slower connection to the network. Policy-Based Routing allows the service provider to configure that customer’s traffic to pass over the lower speed links.

IP multicast is used by a number of protocols and applications. Applications such as video and audio conferencing and streaming use protocols such as the Real Time Protocol (RTP) and Real Time Control Protocol (RTCP) to encapsulate multimedia streams and to monitor the delivery of the data. Other protocols such as OSPF and RIP2, as well as application-based protocols such as Session Announcement Protocol (SAP) and Session Description Protocol (SDP), use multicast to announce and learn of the existence of other routers or other multimedia conferences on the network.

The IANA has reserved addresses within the range of 224.0.0.1 through 224.0.0.255 for use by network protocols within a local subnetwork. Packets with addresses in this range are not forwarded by routers and are therefore used for routing protocols, topology discovery, and maintenance protocols. Any router that receives a packet with one of these addresses in the destination field must either process the information contained within or discard it. These packets are never forwarded.

The illustration shows a partial list of reserved link-local multicast addresses and the network protocol or function to which they are assigned. There are more than 48 link-local reserved multicast addresses assigned, as well as additional reserved addresses such as those for Source Specific Multicast and Internetwork Control Block addresses. For the current complete list of link-local reserved addresses, visit the following URL:
http://www.iana.org/assignments/multicast-addresses

Administratively Scoped Addresses
IANA has reserved the address range of 239.0.0.0 to 239.255.255.255 as administratively scoped addresses for use in private multicast domains. Addresses in this range have a similar function to reserved unicast addresses such as 10.0.0.0 as defined in RFC 1918. Addresses in this range are not assigned to any other group and can be used inside a domain without conflicting with other addresses on the Internet. For more information on administratively scoped addresses see RFC 2365.

When an IP multicast address is mapped to a MAC address, only the last 23 bits are used. The IP multicast address has 28 unique bits. Since only 23 of these can be mapped to a MAC address, 5 bits of address information are lost. This results in a certain amount of address ambiguity. Five bits allow for 32 different combinations, so for every multicast MAC address there are 32 possible IP group addresses.

Why only 23 bits? The story is that when Steve Deering was finishing up his multicasting research, he wanted to purchase 16 consecutive OUIs from the IEEE to use as IP multicast MAC addresses. Since each OUI provides 24 manageable bits, having 16 consecutive OUIs would have provided a full 28 bits of MAC address space, and would have permitted a one-to-one mapping of IP multicast addresses to MAC multicast addresses. However, OUIs cost $1000 each at the time, and Deering’s manager, Jon Postel, was only willing to purchase a single OUI. Additionally, Postel divided the OUI between Deering and another researcher, so Steve ended up with only 23 bits to use in his research.
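The 23-bit mapping and the 32-to-1 ambiguity described above, as an added Python example that is not from the course or from Extreme Networks. It maps a group onto the 01:00:5e MAC block, enumerates the 32 groups that collide on one MAC, and adds a check for groups that collide with the link-local 224.0.0.0/24 range; the group addresses used at the bottom are constructed.

```python
"""IPv4 multicast group to Ethernet MAC mapping (added example, not Extreme code)."""
import ipaddress

MCAST_MAC_PREFIX = 0x01005E          # 01:00:5e, with the next bit (bit 23) fixed to 0
LOW23 = 0x7FFFFF                     # the 23 low-order IP bits that survive the mapping


def _group_int(group):
    ip = int(ipaddress.IPv4Address(group))
    if (ip >> 28) != 0xE:            # class D: 224.0.0.0 - 239.255.255.255
        raise ValueError(f"{group} is not an IPv4 multicast address")
    return ip


def multicast_mac(group):
    """Map a group to its multicast MAC, e.g. 224.0.0.1 -> 01:00:5e:00:00:01."""
    mac = (MCAST_MAC_PREFIX << 24) | (_group_int(group) & LOW23)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def aliasing_groups(group):
    """All 32 groups sharing this group's MAC: the 5 dropped bits (bits 23-27) vary."""
    low = _group_int(group) & LOW23
    return [str(ipaddress.IPv4Address((0xE << 28) | (hi << 23) | low)) for hi in range(32)]


def aliases_link_local(group):
    """True if the group lands on the same MAC as a 224.0.0.0/24 link-local address.

    Switches flood link-local multicast rather than snoop it, so the groups that
    alias it (x.0.0.y and x.128.0.y) are usually avoided for application traffic.
    """
    return (_group_int(group) & LOW23) < 0x100


if __name__ == "__main__":
    for g in ("224.0.0.1", "225.0.0.1", "239.255.0.1"):      # constructed groups
        print(g, "->", multicast_mac(g))
    print(aliasing_groups("239.1.1.1"))
    print(aliases_link_local("239.128.0.5"), aliases_link_local("239.1.2.3"))
```

Because 224.0.0.1 and 225.0.0.1 produce the same MAC, a NIC or switch that filters only on the destination MAC delivers frames for 31 other groups; the IP layer has to discard the ones it did not join.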

The goal of IP multicast is to deliver traffic to a specific subset of all the devices on your network. That said, how do you tell your switches which devices on your network want to receive the traffic stream?


The Internet Group Management Protocol (IGMP) is a layer-2 protocol that runs between hosts and their immediately neighboring multicast routers.

Routers implement IGMP to allow hosts to signal to the network their desire to receive multicast traffic for a specific group. This enables the routers to learn about the presence of group members on their directly attached subnetworks.

This receiver-initiated join process has excellent scaling properties since, as the multicast group increases in size, it becomes ever more likely that a new group member is able to locate a nearby branch of the multicast distribution tree.

The Internet Group Management Protocol (IGMP) is used between IP hosts and their local network to support the creation of transient multicast membership groups, the addition and deletion of members of a group, and the periodic confirmation of group membership.

A server has no direct IGMP involvement, as it does not receive a multicast stream and only sends a multicast stream.

IGMP relies on a query and response process. A router on the subnet, called the “Querier Router”, sends out a query message asking, “Does anyone on this subnet want a multicast stream?” Hosts that want a multicast stream send a response.

IGMP query messages are addressed to the all-hosts group address (224.0.0.1) and have a Time to Live (TTL) value of 1. The router periodically multicasts an IGMP membership query to the “all hosts” multicast group on the local subnetwork. All hosts that support IGMP are automatically members of the all-hosts group and accept packets addressed to the all-hosts group.

The default query interval is 60 seconds.

Version 1 of IGMP uses two message types: Membership Queries and Membership Reports. Querying routers use Membership Query messages to ask for hosts that want to receive multicast streams. Hosts use Membership Reports to tell the Querier Router what multicast streams they want to receive.

The pertinent fields are described below:

Version: Set to 1. This field is eliminated in IGMPv2.
Type: Indicates whether this is a Membership Query or a Membership Report.
Group Address: This field is always 0 for Membership Queries. In a Membership Report message it contains the IP address of the multicast group the host wants to join.

Querier Election
In a multi-access network there may be more than one router that is IGMP enabled. Only one multicast querier (router) can exist for each LAN at a time, so there needs to be an election to determine which router becomes the IGMP querier.

IGMP v1 does not have an election mechanism and relies on the routing protocol to select a designated router.

IGMP v2 uses a General Query message on start-up. When routers receive the General Query messages they compare the source IP address with their own. The router with the lowest IP address is elected the IGMP querier. General Query messages are sent to the all-routers multicast group using address 224.0.0.2.

All hosts receive the membership query and one or more hosts, host 2 in our example, respond by multicasting an IGMP Membership Report to the multicast group of which the host is a member (225.1.1.1). This report tells the router on the subnetwork that a host is interested in receiving multicast traffic for group 225.1.1.1.

The host responds within the configured Host Response Interval. The default response interval is 10 seconds.

The multicast router promiscuously accepts all possible multicast addresses, updating its IGMP multicast group table with each new update.

After a multicast router knows what multicast groups its leaf subnetworks require, it then uses a multicast routing protocol to communicate with other routers to ensure that the correct multicast group traffic is delivered from the source.

Routers maintain an IGMP multicast group table for each interface.

In a shared network environment, the IGMP membership report that was previously multicast by one host is received by the other hosts.

Host 1 then suppresses the sending of its report for group 225.1.1.1 because host 2 has already informed the routers on that subnetwork that there is at least one host interested in receiving multicast traffic. This suppression technique is used to reduce the amount of traffic on the local network.

When a host receives a query message, it responds with a Host Membership Report for each host group to which it belongs. To avoid a flurry of reports, each host starts a randomly chosen report delay timer for each of its group memberships. If, during the delay period, another report is received for the same group, the local host resets its timer to a new random value. If another report is not received, the host transmits a report to the reported group address, causing all other members of the group to reset their report message timers. This procedure guarantees that reports are spread out over a period of time and that report traffic is minimized for each group with at least one member on the subnetwork.

The mechanism described here is that of a shared network. In a switched Ethernet environment not all hosts receive each other's responses.

When a host wishes to join a multicast group, it transmits a group membership protocol message for the group(s) that it wishes to receive, and configures its IP process and network interface card to receive frames addressed to the multicast group.

A new host does not have to wait for a router's membership query before sending its host membership report. This reduces join latency if it is the first to join a particular multicast group on a subnetwork.

Latency is the amount of time it takes for the host to receive its first packet after joining. Note that latency can be near zero if the group is already active on the LAN. The end station starts receiving the multicast stream even before it transmits a report.

The following applies to the join process:
● Individual hosts are free to join or leave a multicast group at any time
● There are no restrictions on the physical location or the number of members in a multicast group
● A host may be a member of more than one multicast group at any given time
● A host does not have to belong to a group to send messages to members of a group

In IGMPv2, the Version and Type fields are merged. The values of the Type field have been specified in such a manner as to allow for backwards compatibility with IGMPv1 deployments.

The Group Address field now supports two forms of Membership Queries:
● The General Membership Query, which functions as it does in IGMPv1
● The Group-Specific Membership Query, which a router uses to determine whether a specific multicast group has any remaining members.

IGMP version 2 supports a Leave Group message that hosts send to all routers on that subnetwork when they leave the group. The host leaving a group sends a Leave Group message to the all-routers multicast group address 224.0.0.2.

Due to the report suppression mechanism, if a router receives a Leave Group message it does not know if there are other group members on the same interface. Therefore, another message type is supported in IGMP version 2, the Group-Specific Query. This message allows a router to determine if there are any other remaining group members on the same interface.

The Querier Router sends a Group-Specific Query to the group and expects a response within the last member query interval. If no response is received within the last member query interval, the router assumes that there are no remaining local group members.

The addition of the Leave Group and Group-Specific Query messages in IGMP version 2, coupled with the maximum response time field, permits IGMPv2 to reduce the leave latency to only a few seconds.

In XOS, use the configure igmp command with the query_interval parameter to change the time period at which the router sends a general query from the default of 125 seconds. The query_response_interval specifies the maximum query response time (in seconds). The last_member_query_interval specifies the maximum group-specific query response time (in seconds). The example on the slide sets the query interval to 60, and accepts the defaults for query response interval and last member query interval.

In EOS, you configure all your IGMP parameters with the set igmp config command. Choose the parameters you wish to modify and specify their values. The example on the slide sets the query interval to 60 seconds on all VLANs.

IGMPv3 supports the standard Membership Query and adds the Version 3 Membership Report. IGMPv3 Membership Reports are sent to the destination address 224.0.0.22.

Membership Queries are sent by IP multicast routers to query the multicast reception state of neighboring interfaces. Membership Queries can be General (IGMPv2 compatible), Group-Specific, or Group-and-Source-Specific.

IGMPv3 adds support for source filtering, which is the ability for a system to report interest in receiving packets only from specific source addresses, or from all but specific source addresses, sent to a particular multicast address. This information can be used by multicast routing protocols to avoid delivering multicast packets from specific sources to networks where there are no interested receivers.

© 2015 Extreme Networks, Inc. All rights reserved. 207


ok
bo
-e
ks
or
w
et
N
e
m
tre
Ex

© 2015 Extreme Networks, Inc. All rights reserved. 208


ok
bo
-e
ks
or
w
et
N

A Querying Router sends a "General Query" to learn the complete multicast
reception state of the hosts on the network upon which it sends the Query. In a
General Query, both the Group Address field and the Number of Sources (N) field
are zero.

In a Group-Specific Query, the Group Address field contains the multicast address of
interest, and the Number of Sources (N) field contains zero.

A Querier Router sends a Group-and-Source-Specific Query to learn if any
neighboring interface desires reception of packets sent to a specified multicast
address from any of a specified list of sources. In a Group-and-Source-Specific
Query, the Number of Sources (N) field identifies how many source addresses are
present in the query.

Group-Specific and Group-and-Source-Specific Queries are sent to the IP
destination address equal to the multicast address of interest.
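The following is an added worked example, not part of the Extreme Networks course material: a small decoder that takes the bytes of an IGMPv3 Membership Query, verifies the checksum, reads the Group Address and Number of Sources (N) fields and classifies the query as General, Group-Specific or Group-and-Source-Specific exactly as the three paragraphs above define them. The sample packets are constructed by the `build_query` helper (the `declared_sources` parameter exists only to fabricate a malformed packet whose N field promises more sources than the packet carries); the field layout follows RFC 3376.

```python
"""Decode and classify IGMPv3 Membership Queries (RFC 3376, type 0x11).

The sample packets are constructed inline; nothing here is captured traffic.
"""
import ipaddress
import struct

IGMPV3_QUERY = 0x11
ALL_SYSTEMS = "224.0.0.1"             # destination of a General Query (RFC 3376)
HEADER = "!BBH4sBBH"                  # type, max resp code, checksum, group, resv/S/QRV, QQIC, N
HEADER_LEN = struct.calcsize(HEADER)  # 12 bytes


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_query(group="0.0.0.0", sources=(), max_resp_code=100, qrv=2, qqic=125,
                declared_sources=None):
    """Construct a query with a correct checksum (sample input for the demo).
    declared_sources overrides the N field so a test can build a lying packet."""
    n = len(sources) if declared_sources is None else declared_sources
    flags = qrv & 0x07                    # Resv = 0, S = 0, QRV in the low three bits
    body = struct.pack(HEADER, IGMPV3_QUERY, max_resp_code, 0,
                       ipaddress.IPv4Address(group).packed, flags, qqic, n)
    body += b"".join(ipaddress.IPv4Address(s).packed for s in sources)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_query(pkt: bytes) -> dict:
    """Verify the checksum, decode the fixed header and read the N source addresses.

    Raises ValueError for a short packet, a bad checksum, a non-query type, or an
    N field that promises more sources than the packet actually carries.
    """
    if len(pkt) < HEADER_LEN:
        raise ValueError("IGMPv3 query is at least %d bytes" % HEADER_LEN)
    if inet_checksum(pkt) != 0:
        raise ValueError("bad IGMP checksum")
    typ, max_resp, _csum, group, flags, qqic, n = struct.unpack(HEADER, pkt[:HEADER_LEN])
    if typ != IGMPV3_QUERY:
        raise ValueError("not a Membership Query (type 0x%02x)" % typ)
    if len(pkt) < HEADER_LEN + 4 * n:
        raise ValueError("Number of Sources (%d) exceeds packet length" % n)
    sources = [str(ipaddress.IPv4Address(pkt[HEADER_LEN + 4 * i:HEADER_LEN + 4 * i + 4]))
               for i in range(n)]
    return {"group": str(ipaddress.IPv4Address(group)), "max_resp_code": max_resp,
            "s_flag": bool(flags & 0x08), "qrv": flags & 0x07, "qqic": qqic,
            "sources": sources}


def classify_query(q: dict) -> str:
    """Group Address 0 and N == 0 is a General Query; a group with N == 0 is
    Group-Specific; a group with N > 0 is Group-and-Source-Specific."""
    if q["group"] == "0.0.0.0":
        if q["sources"]:
            raise ValueError("source list without a group address")
        return "general"
    return "group-and-source-specific" if q["sources"] else "group-specific"


def expected_destination(q: dict) -> str:
    """General Queries go to 224.0.0.1; the other two kinds go to the group itself."""
    return ALL_SYSTEMS if classify_query(q) == "general" else q["group"]


def is_valid_query(pkt: bytes) -> bool:
    """True when parse_query accepts the packet, False for anything malformed."""
    try:
        parse_query(pkt)
        return True
    except ValueError:
        return False
```

The length check against N matters in practice: a querier, snooping switch or monitoring tool that trusts the N field and reads past the end of a short packet is the classic parsing mistake, so the decoder rejects such packets before touching the source list.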


IGMP builds a multicast source tree for each IGMP router in a layer 2 network.
IGMP Snooping builds a multicast source tree for a local switch. It is the ability of a
switch to interpret IGMP messages sent by hosts and then to restrict the forwarding
of the multicast packets to only those ports (member ports) on which IGMP
messages have been received, without forwarding the multicast traffic to the non-
member ports. If IGMP snooping is disabled, all multicast packets will be flooded to
every active port on the switch.

NOTE
When a host is no longer interested in receiving the multicast stream and it only
supports IGMPv1, the switch stops sending the multicast stream to that host after a
host timer expires. The switch responds by sending an IGMP query to all ports in the
VLAN to detect if there are other interested hosts.


IGMP snooping filters allow you to configure a policy file on a port to allow or deny
IGMP report and leave packets coming into the port. The IGMP snooping filter
feature is supported by IGMPv2 and IGMPv3.

For the policies used as IGMP snooping filters, all the entries should be IP address
type entries, and the IP address of each entry must be in the class-D multicast
address space but should not be in the multicast control subnet range (224.0.0.0/24).


After you create a policy file, use the configure igmp snooping command to
associate the policy file and filter to a set of ports. Use the none option to remove
the filter.


When you configure an IGMP input filter, IGMP will check all incoming packets
received from the range of IP addresses specified in the filter’s rules. The protocol
action and flow action occur when an incoming packet matches an IP address range.
If an incoming packet matches a rule’s address range, the other rules in the filter are
not checked.

To activate the filter, you must assign the filter to a VLAN and enable the filter.


IGMP input filter parameters include:

filter-id: The ID of the filter. You can create up to 16 IGMP input filters. Each filter
must have a unique ID. Possible values are 1–16.

rule-id: The ID of a rule associated with the input filter. The rule ID sets the order in
which multiple rules check incoming packets. You can create up to eight rules for
each input filter. Each rule must have a unique ID. Possible values are 1–8.

start-ip ip-address: The starting IP address of the rule’s IP address range.

end-ip ip-address: The ending IP address of the rule’s IP address range.

protocol-action: The response to protocols in packets that match a rule’s IP address
range:
deny — Deny packets matching this rule
allow — Allow packets matching this rule

flow-action: The response to flows in packets that match a rule’s IP address range:
drop — Drop packets matching this rule
flood — Flood packets matching this rule
allow — Allow packets matching this rule
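The following is an added worked example, not part of the Extreme Networks course material and not the switch's implementation: it models the two filter mechanisms described on the preceding pages. `validate_snooping_policy` applies the constraint on IGMP snooping filter policies (every entry a class-D address, none inside 224.0.0.0/24), and `InputFilter` applies the IGMP input filter semantics above: at most 16 filters and 8 rules, unique IDs, rules evaluated in rule-id order, and first match wins with its protocol-action and flow-action. All addresses and rules are constructed for the demo. Two points the text leaves open are treated as assumptions: which packet address the range is matched against (the example matches whatever address the caller passes) and what happens when no rule matches (the example returns `None`).

```python
"""Model IGMP snooping filter policy checks and IGMP input filter evaluation.

Addresses and rules are constructed for the demo; the limits (16 filters,
8 rules per filter) and the actions are the ones listed in the text.
"""
import ipaddress
from dataclasses import dataclass, field

CLASS_D = ipaddress.ip_network("224.0.0.0/4")
MCAST_CONTROL = ipaddress.ip_network("224.0.0.0/24")
MAX_FILTERS, MAX_RULES = 16, 8
PROTOCOL_ACTIONS = ("deny", "allow")
FLOW_ACTIONS = ("drop", "flood", "allow")


def validate_snooping_policy(entries):
    """Return the problems found in a list of policy entries (empty list means OK)."""
    problems = []
    for entry in entries:
        try:
            addr = ipaddress.IPv4Address(entry)
        except ValueError:
            problems.append("%s: not an IPv4 address" % entry)
            continue
        if addr not in CLASS_D:
            problems.append("%s: outside the class-D space 224.0.0.0/4" % entry)
        elif addr in MCAST_CONTROL:
            problems.append("%s: inside the multicast control subnet 224.0.0.0/24" % entry)
    return problems


@dataclass
class Rule:
    rule_id: int
    start_ip: str
    end_ip: str
    protocol_action: str   # deny | allow
    flow_action: str       # drop | flood | allow

    def __post_init__(self):
        if not 1 <= self.rule_id <= MAX_RULES:
            raise ValueError("rule-id must be 1-%d" % MAX_RULES)
        if self.protocol_action not in PROTOCOL_ACTIONS or self.flow_action not in FLOW_ACTIONS:
            raise ValueError("unknown protocol-action or flow-action")
        self._lo = ipaddress.IPv4Address(self.start_ip)
        self._hi = ipaddress.IPv4Address(self.end_ip)
        if self._lo > self._hi:
            raise ValueError("start-ip is above end-ip")

    def matches(self, addr: ipaddress.IPv4Address) -> bool:
        return self._lo <= addr <= self._hi


@dataclass
class InputFilter:
    filter_id: int
    rules: list = field(default_factory=list)

    def __post_init__(self):
        if not 1 <= self.filter_id <= MAX_FILTERS:
            raise ValueError("filter-id must be 1-%d" % MAX_FILTERS)

    def add_rule(self, rule: Rule):
        if len(self.rules) >= MAX_RULES or any(r.rule_id == rule.rule_id for r in self.rules):
            raise ValueError("at most %d rules per filter, each with a unique rule-id" % MAX_RULES)
        self.rules.append(rule)
        self.rules.sort(key=lambda r: r.rule_id)   # rule-id fixes the evaluation order

    def evaluate(self, packet_ip: str):
        """First-match evaluation: (protocol_action, flow_action, rule_id) of the first
        rule whose range contains the address, or None when nothing matches.
        Assumption: the address matched and the no-match behaviour are not stated in
        the text, so the caller supplies the address and applies its own default."""
        addr = ipaddress.IPv4Address(packet_ip)
        for rule in self.rules:
            if rule.matches(addr):
                return rule.protocol_action, rule.flow_action, rule.rule_id
        return None
```

Because evaluation stops at the first match, a broad allow rule with a low rule-id silently shadows a narrower deny rule with a higher rule-id; the example sorts by rule-id so that a review of the rule list reads in the order the filter actually applies it.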


PIM Snooping
PIM snooping enables routers connected to a L2 switch to forward multicast streams
to each other. In this scenario, multicast traffic is essentially treated as broadcast
traffic in order for the multicast streams to be propagated, because IGMP snooping
does not process PIM join messages.

PIM snooping addresses this flooding behavior by efficiently replicating multicast
traffic only onto the ports on which routers advertise PIM join requests. The application
for this feature is for connecting PIM Autonomous Systems, usually within an Internet
Exchange’s ISP peering network. PIM snooping does not require PIM to be enabled.
A discussion on PIM snooping is beyond the scope of this course.


Source and Group Notation

Source and group notation is used in the explanations of how multicasting works and
is displayed in show commands.

● (S,G) indicates a specific source and specific group combination, e.g.
(10.1.10.102, 225.0.0.1)
● (*,G) indicates any source and a specific group combination, e.g. (*, 225.0.0.1)

Reverse Path Forwarding

When multicasting traffic, a router cannot base a forwarding decision on the
destination address, because there is one address for a number of destination hosts.
In multicast routing, the router has to decide which direction traffic needs to be sent
by looking at the source address and then forwarding traffic away from the source.
This is essentially unicast routing in reverse. Reverse Path Forwarding involves a
simple check to see if the interface the traffic is being received on is the shortest
path to the source. If it is, the router can then forward traffic out of all other
interfaces. If it is not, it means there is a loop in the network and the packet can then
be discarded. This process is called an “incoming interface check” or an “RPF
check”.
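The following is an added worked example, not part of the Extreme Networks course material and not any router's implementation: a small longest-prefix-match table stands in for the unicast routing table, `rpf_check` performs the incoming interface check described above, and `forward_multicast` either floods the packet out every other interface or discards it, exactly as the paragraph describes. Routes, next hops and interface names are constructed. Where several routes share a prefix length the first one installed wins, an assumption made so that the example's behaviour is deterministic.

```python
"""Reverse Path Forwarding check against a small unicast routing table.

The routes and interfaces are constructed for the demo; the check itself is the
one described in the text: the packet passes only if it arrived on the interface
the unicast table would use to reach its source.
"""
import ipaddress


class UnicastRib:
    """Longest-prefix-match table. Among routes with the same prefix length the
    first one installed wins (assumption, so the result is deterministic)."""

    def __init__(self, routes):
        # routes: iterable of (prefix, next_hop, interface) in the order they were learned
        self.routes = [(ipaddress.ip_network(p), nh, iface) for p, nh, iface in routes]

    def lookup(self, addr):
        target = ipaddress.ip_address(addr)
        best = None
        for net, next_hop, iface in self.routes:
            if target in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, iface)
        return best


def rpf_check(rib, source, in_iface):
    """Return (passed, rpf_interface, rpf_neighbor).

    With no route to the source the check fails: the router cannot tell which
    direction is 'away from the source', so the packet must not be forwarded.
    """
    route = rib.lookup(source)
    if route is None:
        return False, None, None
    _net, rpf_neighbor, rpf_iface = route
    return rpf_iface == in_iface, rpf_iface, rpf_neighbor


def forward_multicast(rib, source, in_iface, all_ifaces):
    """Forward out every interface except the incoming one when the RPF check
    passes; return an empty list (packet discarded) when it fails."""
    passed, _iface, _neighbor = rpf_check(rib, source, in_iface)
    if not passed:
        return []
    return [iface for iface in all_ifaces if iface != in_iface]
```

The failing case is the interesting one for a defender: a multicast packet arriving on the wrong interface is either a topology loop or traffic injected from a segment that is not on the unicast path to its claimed source, and in both cases the RPF check drops it rather than replicating it further.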


PIM relies on IGMP technology to determine group memberships and uses existing
unicast routes to perform reverse path forwarding (RPF) checks. RPF is, essentially,
a method that uses the unicast routing table created by IP protocols such as OSPF
to determine the source address of a packet. PIM uses RPF to set up distribution
trees for multicast traffic.


Although configuration of a unicast routing protocol such as OSPF is required with
PIM, PIM-SM is protocol independent. That is, it does not rely on any one particular
underlying routing protocol to perform reverse path forwarding (RPF) checks. It can
perform this function using protocol-specific routes from OSPF or RIP, or static
configuration.


PIM-SM relies on IGMP technology to determine group memberships and uses
existing unicast routes to perform reverse path forwarding (RPF) checks, which are,
essentially, a route lookup on the source. Its routing engine then returns the best
interface, regardless of how the routing table is constructed. In this sense, PIM is
independent of any routing protocol. It can perform RPF checks using
protocol-specific routes (for example, OSPF routes), static routes, or a combination
of route types.


PIM-SM uses a shared-tree-type technology, which requires a rendezvous point. The
rendezvous point can be administratively assigned or dynamically elected on a
specific router in the PIM domain. Source devices have to register with the
rendezvous point by forwarding a join message. Initially, the source device may not
know which router is the rendezvous point, so a join message is used. The multicast
source initiates an IGMP join message. The Designated Router (DR) on the segment
will forward the join message onto the RP router. The RP router will respond by
building a path (tree) between the DR and itself.


Note: Within PIM-SM a Designated Router (DR) is a router that performs the
function of forwarding multicast traffic from a unicast source to the appropriate
distribution (rendezvous) point. A PIM-SM DR is different from an OSPF
Designated Router (DR), and should not be interpreted as being the same.

Note: All traffic from the source device must be forwarded to the RP router.

Once the RP router receives the multicast traffic, it will then forward traffic to the
receivers. This may cause some delay with multicast packets reaching their final
destination since all packets must first go through the rendezvous point.


PIM-SM operates on an explicit join model. PIM-SM routers only send multicast
streams to hosts that explicitly request it.

When a host wants a multicast stream, it sends an IGMP Join message with the
(*,G) information to its Querier Router. The router adds the interface on which it
receives the Join to the outgoing interface list in its multicast routing table, and
forwards the Join to the Rendezvous Point.
Ex


The Rendezvous Point processes the Join, and adds the interface upon which the
Join arrived to the outgoing interfaces for this group in its multicast routing table.

If the Rendezvous Point is currently part of the Shortest Path Tree (SPT) for this
multicast group and thus is currently receiving the multicast stream, it immediately
begins to forward the stream out that interface. If the RP is not currently receiving
the multicast stream, the Join process ends here. Note that it is possible for the two
routers involved to have interfaces that are outgoing interfaces for the multicast
group, without having multicast actually flowing.


At this point, the multicast source begins sending multicast packets to the
Designated Router for its network.

The Designated Router encapsulates the multicast packet in a Register (S,G) packet
and unicasts it to the Rendezvous Point. It continues to do so until it receives a Join
(S,G) message from the RP.


The Rendezvous Point sends a Join (S,G) message to the Designated Router to
begin receiving the multicast stream as multicast, and immediately begins to forward
the stream out all of its outgoing interfaces for that group. Each of the receiving
routers also begins immediately to forward the multicast stream out all of their
outgoing interfaces for that group.


The Designated Router receives the Join (S,G) from the Rendezvous Point, and
begins forwarding the multicast stream as multicast to the RP.

The Rendezvous Point also sends a Register Stop (S,G) message to the first hop
router to tell it to stop sending Register messages with the encapsulated multicast
packets.


In the meantime, as soon as Router E, the Last Hop Router for Host A, receives the
multicast stream, it looks up the IP network for the Source in the (S,G) stream it is
receiving, to see if there is a shorter path back through the network to that source –
i.e., a path that is faster than going through the Rendezvous Point.


Router E discovers that it has a faster connection to Router B, which is functioning
as the gateway router for the multicast source device. Router E sends a Join (S,G)
message to Router B, to receive the multicast stream along the shortest path
through the network.


Router B adds its connection to Router E to the outgoing interfaces list for this
multicast stream, and begins replicating the multicast packets and forwarding them
to Router E.


As soon as Router E begins receiving the multicast stream directly, it sends a Prune
(S,G) message up the shared tree to the Rendezvous Point.

The Rendezvous point removes the interface from its outgoing interface list for that
group, and stops forwarding the multicast traffic.

In addition, the Rendezvous Point no longer has any active outgoing interfaces for
this multicast group, so it sends a Prune (S,G) message back up the Shared Path
Tree toward the multicast source – in this case, Router B.


Router B prunes the stream to the Rendezvous point, and the Join process is
complete.
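The following is an added worked example, not part of the Extreme Networks course material and not a PIM implementation: it replays, as a scripted model with explicit outgoing interface lists, the whole sequence described from "PIM-SM operates on an explicit join model" to "Router B prunes the stream to the Rendezvous point": the last-hop router's (*,G) Join toward the RP, the DR's Register, the RP's Join (S,G) and Register-Stop, and the last-hop router's switch to the shortest path tree followed by the two Prune (S,G) messages. The router names (RP, B, E), the host and the addresses follow the example in the text. Timers, RPF checks and Assert handling are left out; the point is the order of the messages and the state each router holds after each step.

```python
"""Scripted replay of the PIM-SM join, register and SPT-switchover sequence.

A teaching model, not a PIM implementation: no timers, no RPF, no asserts.
Router names, host and addresses follow the example used in the text.
"""
from collections import defaultdict


class Router:
    def __init__(self, name):
        self.name = name
        # (S,G) or ("*",G) -> outgoing interfaces, named after the neighbour or host they lead to
        self.oif = defaultdict(set)
        # (S,G) streams a DR is still encapsulating in unicast Register packets
        self.registering = set()


class PimSmWalkthrough:
    def __init__(self, rp="RP", first_hop="B", last_hop="E"):
        self.rp, self.dr, self.lh = rp, first_hop, last_hop
        self.routers = {n: Router(n) for n in (rp, first_hop, last_hop)}
        self.log = []   # (sender, message, receiver) in the order they were sent

    def send(self, sender, message, receiver):
        self.log.append((sender, message, receiver))

    def host_join(self, host, group):
        """Receiver's IGMP join: the last-hop router records the host interface and
        joins the shared tree. The RP adds the arrival interface to its (*,G) list
        even though no stream is flowing yet (the 'interfaces without traffic' case)."""
        lh, rp = self.routers[self.lh], self.routers[self.rp]
        lh.oif[("*", group)].add(host)
        self.send(self.lh, "Join(*,%s)" % group, self.rp)
        rp.oif[("*", group)].add(self.lh)

    def source_starts(self, source, group):
        """Source sends: the DR registers with the RP; the RP joins the source
        natively, stops the registering, and forwards down every shared-tree
        interface it already has, as do the routers below it."""
        dr, rp = self.routers[self.dr], self.routers[self.rp]
        dr.registering.add((source, group))
        self.send(self.dr, "Register(%s,%s)" % (source, group), self.rp)
        self.send(self.rp, "Join(%s,%s)" % (source, group), self.dr)
        dr.oif[(source, group)].add(self.rp)
        dr.registering.discard((source, group))
        self.send(self.rp, "Register-Stop(%s,%s)" % (source, group), self.dr)
        rp.oif[(source, group)] |= rp.oif[("*", group)]
        for downstream in rp.oif[("*", group)]:
            router = self.routers[downstream]
            router.oif[(source, group)] |= router.oif[("*", group)]

    def spt_switchover(self, source, group, shorter_path_via_dr=True):
        """The last-hop router finds a shorter path to the source through the DR,
        joins it there and prunes the shared tree; the RP, left without receivers
        for (S,G), prunes toward the DR in turn."""
        if not shorter_path_via_dr:
            return
        dr, rp = self.routers[self.dr], self.routers[self.rp]
        self.send(self.lh, "Join(%s,%s)" % (source, group), self.dr)
        dr.oif[(source, group)].add(self.lh)
        self.send(self.lh, "Prune(%s,%s)" % (source, group), self.rp)
        rp.oif[(source, group)].discard(self.lh)
        if not rp.oif[(source, group)]:
            self.send(self.rp, "Prune(%s,%s)" % (source, group), self.dr)
            dr.oif[(source, group)].discard(self.rp)
```

After the three steps the only (S,G) state left is the direct B to E branch, the RP holds the (*,G) interface toward E but no (S,G) interface, and B is no longer registering; that final state is what the mroute table on each router would show once the join process is complete.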

On a multi-access network such as Ethernet, PIM-SM implements a function called
the Designated Router.


Every router that has


N

PIM-SM routers are organized into domains. A domain is defined as a contiguous set
of routers that all implement PIM and are configured to operate within a common
boundary.

The Bootstrap Router (BSR) distributes Rendezvous Point information to the other
PIM-SM routers within the domain. Each PIM-SM domain has one active BSR. You
can configure multiple routers as candidate BSRs for redundancy.

PIM-SM routers learn the addresses of Rendezvous Points and the groups for which
they are responsible from messages that the BSR sends to each of the routers.


Rendezvous Point (RP): A router elected as a rendezvous point for a multicast group
receives requested multicast traffic from a DR and forwards it toward the multicast
receiver(s) requesting the traffic.

Designated Router (DR): A router performing this function forwards multicast traffic
from a unicast source to the appropriate distribution (rendezvous) point.

Bootstrap Router (BSR): A router elected to this function keeps all routers in a
PIM-SM domain informed of the currently assigned RP for each multicast group
currently known in the domain.

Static Rendezvous Point (Static-RP): Traffic is forwarded in the same way, but all
routers within the domain are manually configured with RP address information.

PIM Domain: A contiguous set of routers that implement PIM and are configured to
operate within a common boundary.

Shortest Path Tree (SPT): The shortest path from the source DR through any
intermediate PIM-SM routers leading to the leaf router for the multicast receiver
requesting the traffic for a particular multicast group.

Reverse Path Forwarding (RPF): PIM-SM uses the unicast routing table created by
IP protocols such as RIP and OSPF to determine the source address of a packet.
PIM uses RPF to set up a shared tree for multicast traffic.

Hello – These messages announce the sender’s presence to other PIM-SM devices.
The hello packet includes options such as:
Hold time — the length of time to keep the sender reachable.
Designated router (DR) priority — used to designate which PIM-SM devices
will act on behalf of sources and receivers in the PIM domain.

Register – These messages are used by a source’s DR to encapsulate (register)
multicast data and send it to the RP.

Register-Stop – These messages are used by the RP to tell the source’s DR to stop
registering traffic for a particular source.

Join/Prune (J/P) – These messages contain information on group membership
received from downstream routers.

Bootstrap – These messages are sent by the PIM-SM router that has been elected
as the bootstrap router (BSR) to inform all PIM-SM routers of the RP/group
mappings.

Candidate RP – These messages are sent by the configured candidate RP routers to
the BSR to inform the BSR of their RP/group candidacy.

Assert – These messages indicate that a device has received a data packet on its
outbound (receiving) interface for the group. They report the metric or distance to
the source or RP to help the device identify the most direct path to the root of the
tree.


Note: you must use two separate commands to configure the groups for which this
interface is a Candidate Rendezvous Point and the priority this interface has for
being the RP.


As shown in this graphic, the mroute table displays the multicast source and group
address, incoming interface, RPF neighbor, outgoing interface, whether the interface
is in a pruned/forwarding state, and the uptime for the stream.


The PIM ECMP feature allows downstream PIM routers to choose among multiple
ECMP paths to the source via a hash, without affecting the existing unicast routing
algorithm.

This feature operates on a per-(S,G) basis, splitting the load onto the available
equal-cost paths by hashing according to the selection criteria configured by the
user. It does not operate by counting the flows. Load splitting need not balance the
traffic on the available paths. PIM ECMP load splitting uses a hash algorithm based
on the selected criteria to pick the path to use and will result in load-sharing the
traffic when there are many multicast streams that utilize approximately the same
amount of bandwidth.


By default, PIM chooses the first entry in the routing table when it calculates its
Shortest Path Tree. Consider the situation in this network. Our receiver is attached
to the Last-Hop router, which has learned three equal-cost paths to Source A through
OSPF. In this case the Last-Hop Router learned about Source A from Router 2 first,
so Router 2 is the first entry in the routing table. PIM by default will always choose
to go through Router 2 to create its SPT back to Source A.


XOS:
When you enable PIM ECMP load splitting based on source address, the RPF interface for
each (*, G) or (S,G) state is selected among the equal cost paths based on the hash derived
from the source address.

When you enable PIM ECMP load splitting based on group address, the RPF interface for
each (*, G) or (S,G) state is selected among the equal cost paths based on the hash derived
from the group address.

When you enable PIM ECMP load splitting based on source-group address, the RPF
interface for each (*, G) or (S,G) state is selected among the equal cost paths based on the
hash derived from the source and group addresses.

When you enable PIM ECMP load splitting based on source-group-next hop address, the
RPF interface for each (*, G) or (S,G) state is selected among the equal cost paths based on
the hash derived from the source, group and next hop addresses.

EOS:
Multipath provides the ability to define the mechanism by which PIM chooses the next hop.
By default, PIM uses the first learned next hop. You can change multipath to use the highest
next hop or a next hop based on a hash of the source IP address.
For a deterministic next hop, the highest-nexthop algorithm chooses the numerically highest
next hop. The hash algorithm will attempt to spread multicast over all possible next hops.
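The following is an added worked example, not part of the Extreme Networks course material and not the XOS or EOS implementation: it models the next-hop selection policies listed above (first learned entry, numerically highest next hop, and hashing on source, group, source-group or source-group-next-hop) over a constructed set of equal-cost next hops, and counts how many (S,G) states land on each path. The hash is a stand-in (CRC32 over the packed addresses) because the platforms' actual hash functions are not given; how the next hop is folded into the source-group-next-hop criterion is likewise an assumption of this example.

```python
"""Next-hop selection policies for PIM ECMP over equal-cost paths.

Next hops and streams are constructed; the hash function is a stand-in
(CRC32 of the packed addresses), not the platform's algorithm.
"""
import ipaddress
import zlib


def _hash(*addresses):
    """Stand-in hash over one or more IPv4 addresses (assumption, see above)."""
    return zlib.crc32(b"".join(ipaddress.IPv4Address(a).packed for a in addresses))


def select_rpf_next_hop(next_hops, source, group, policy="first"):
    """Pick the RPF next hop for an (S,G) state from the equal-cost candidates.

    next_hops is in the order the routing table learned them. Policies:
      first                 - default: the first learned entry
      highest               - EOS highest-nexthop: the numerically highest address
      source / group /
      source-group          - XOS hash criteria: hash of S, of G, or of both
      source-group-next-hop - XOS criterion that folds the next hop in; modelled
                              here by hashing (S, G, candidate) for every candidate
                              and taking the highest score (assumption)
    """
    if not next_hops:
        raise ValueError("no equal-cost path to the source")
    if policy == "first":
        return next_hops[0]
    if policy == "highest":
        return max(next_hops, key=lambda nh: int(ipaddress.IPv4Address(nh)))
    keyed = {"source": (source,), "group": (group,), "source-group": (source, group)}
    if policy in keyed:
        return next_hops[_hash(*keyed[policy]) % len(next_hops)]
    if policy == "source-group-next-hop":
        return max(next_hops, key=lambda nh: _hash(source, group, nh))
    raise ValueError("unknown policy %r" % policy)


def distribution(next_hops, streams, policy):
    """Count how many (S,G) states each next hop receives. Splitting is per state
    and by hash, so the result is not guaranteed to be balanced."""
    counts = {nh: 0 for nh in next_hops}
    for source, group in streams:
        counts[select_rpf_next_hop(next_hops, source, group, policy)] += 1
    return counts
```

Two properties of the hash policies are worth checking explicitly: hashing on the source alone sends every group from one source down the same path, and hashing on the group alone sends every source of one group down the same path; only the combined criteria spread a single source's or a single group's streams across the candidates.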


You can configure PIM-SM to continue to forward existing multicast packet streams
during a routing process failure and restart. For example, say that your Rendezvous
Point router fails. PIM Graceful lets your multicast streams continue until your
Backup Rendezvous Point router takes over the RP functions.

PIM Graceful tells the router to delay advertising the absence of a peer for a “grace
period”. It thus helps minimize disruption to your multicast flows.


PIM-SSM is a subset of the PIM-SM protocol. PIM-SSM is not independent of
PIM-SM. PIM-SM must be enabled on all interfaces that use PIM-SSM. PIM-SSM is
disabled by default and must be explicitly enabled.

PIM-SSM only builds source-based shortest path trees. Where PIM-SM always joins
a shared tree first and then switches to the source tree, SSM eliminates the need for
starting with a shared tree by immediately joining a source through the shortest path
tree. This behavior means that PIM-SSM does not require an RP or BSR. Members
of an SSM group can only receive from a single source. This is ideal for applications
like TV channel distribution, and for certain banking and trade applications, but rules
out SSM for applications such as multicast VoIP teleconferencing.

The Internet Assigned Numbers Authority (IANA) has reserved addresses for
PIM-SSM in the 232.0.0.0/8 range for IPv4 and in the ff3x:0000/32 range, where (x =
4,5,8, or E), for IPv6. SSM recognizes packets in this range and controls the
behavior of multicast routing devices and hosts that use one of these addresses. In
PIM-SSM, an IP datagram is transmitted by a source S to an SSM destination
address G, and receivers can receive this datagram by subscribing to channel (S,G).
A channel is a source-group (S,G) pair where S is the source sending to the
multicast group and G is an SSM group address. SSM defines channels on a per-
source basis. In SSM, each channel is associated with one and only one source.


In a mixed PIM-SM and PIM-SSM configuration you configure the RP and BSR only
for the PIM-SM group address range. PIM-SSM does not use Rendezvous Points
or Bootstrap Routers.

Enable IGMPv3 on all PIM-SSM interfaces and enable IGMP querying on the
PIM-SSM receiver interface. PIM-SSM requires IGMPv3 and/or MLDv2 at the edge
of the network to process the source-specific IGMP and MLD joins.


PIM-SSM provides several key features:

● It is easier to provision and maintain, due to the single source address that a
receiver can request data from.
● It provides the ideal mechanism for multicasts that originate from a single source
and go to multiple receivers.
● It does not require unique multicast addresses; it depends upon the receiver request
for the destination address of the multicast.


PIM-SM and PIM-SSM can coexist on a single router and are both implemented
using the PIM-SM protocol.

Extreme PIM-SSM enabled devices use the following PIM-SM message types:

Hello — These messages announce the sender’s presence to other PIM-SM
devices. The hello packet includes options such as:
Hold time — the length of time to keep the sender reachable
Designated router (DR) priority — used to designate which PIM-SM device
will act on behalf of sources and receivers in the PIM-SM domain

Join/Prune (J/P) — These messages contain information on group membership
received from downstream routers.
PIM-SM adopts RPF technology in the join/prune process. When a multicast packet
arrives, the router first judges the correctness of the arriving interface:
If the packet matches a source address/multicast group (S,G) entry (on the shortest
path tree (SPT)), then the correct interface is the reverse path forwarding
(RPF) interface towards the source.

Assert — These messages indicate that the device received a data packet on its
outbound (receiving) interface for the group. They report the metric or distance to the
source to help the device identify the most direct path to the root of the tree. If
multiple routers claim to have the most direct path to the source, each device sends
its own assert message and the router with the best metric wins.


End-hosts on a LAN segment are typically configured to send packets through the
gateway defined by a default route (or static routes) for remote destinations. Loss of
the default router results in a catastrophic event, isolating all end-hosts that are
unable to detect any alternate path that may be available. The Virtual Router
Redundancy Protocol (VRRP) is designed to eliminate the single point of failure
inherent in the static default routed environment.

VRRP specifies an election protocol that dynamically assigns responsibility for a
virtual router to one of the VRRP routers on a LAN.
The VRRP router controlling the IP address(es) associated with a virtual router is
called the Master, and forwards packets sent to these IP addresses.
The election process provides dynamic fail-over in the forwarding responsibility
should the Master become unavailable.
Any of the virtual router's IP addresses on a LAN can then be used as the default
first hop router by end-hosts.


The advantage gained from using VRRP is a higher availability default path that
does not require routing or router discovery protocols on end-hosts.

Load sharing can also be implemented by configuring multiple VRRP routers across
multiple IP routers, each IP router being the master of a different virtual router.


Before we go any further, let’s get familiar with the terminology defined in RFC 3768:

VRRP Router - A router running the Virtual Router Redundancy Protocol.

Virtual Router - An abstract object managed by VRRP that acts as a default router for hosts on a
shared LAN. A VRRP router may participate in one or more virtual routers.

VRID – Uniqueness is required on a LAN segment only.

IP Address Owner - The VRRP router that has the VR’s IP address(es) also as the real interface
address(es). This is the router that, when up, will be the master of the virtual router instance and
will respond to packets addressed to these IP addresses for ICMP pings, TCP connections, etc.

Virtual Router Master - The VRRP router that assumes the responsibility of forwarding packets
sent to the IP address(es) associated with the virtual router, and answering ARP requests for
these IP addresses.

Virtual Router Backup - The set of VRRP routers available to assume forwarding responsibility
for a virtual router should the current Master fail.

If the virtual router IP address is the same as the interface (VLAN) address owned by a VRRP
router, then the router owning the address becomes the master. The master sends an
advertisement to all other VRRP routers declaring its status, and assumes responsibility for
forwarding packets associated with its virtual router ID (VRID). If the virtual router IP address is
not owned by any of the VRRP routers, then the routers compare their priorities and the higher-
priority owner becomes the master. If priority values are the same, then the VRRP router with
the higher IP address is selected as the master.


The VRRP protocol design provides rapid transition from Backup to Master to
minimize service interruption, and incorporates optimizations that reduce protocol
complexity while guaranteeing controlled Master transition for typical operational
scenarios.

All protocol messaging is performed using IP multicast datagrams, thus the protocol
can operate over a variety of multiaccess LAN technologies supporting IP multicast.

Each VRRP virtual router has a single well-known MAC address allocated to it. The
virtual router MAC address is used as the source in all periodic VRRP messages
sent by the Master router to enable bridge learning in an extended LAN.

Master_Down_Timer - The amount of time that a Backup router will wait before it
becomes the new Master. Therefore, the higher the priority, the faster a Backup
router will detect that the Master is down.

The virtual router MAC address associated with a virtual router is an IEEE 802 MAC
Address in the following format:
00-00-5E-00-01-{VRID} (in hex in internet standard bit-order)
The first 3 octets are derived from the IANA's OUI. The next 2 octets indicate
the address block assigned to the VRRP protocol. {VRID} is the VRRP Virtual
Router Identifier.


The decision tree for which router becomes the master router is as follows:
• Address Owner: if one of the routers participating in the VRRP instance is the IP
address owner, it becomes the master
• Priority: if there is no address owner, the router with the highest advertised priority
becomes the master
• IP Address: if there is no address owner, and all priorities are the same, the router
with the highest IP address becomes the master
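
As an added example (not code from the guide), the decision tree above and the virtual MAC format from the previous page in Python, together with the timer that makes a higher-priority Backup notice a dead Master first. The Skew_Time and Master_Down_Interval formulas are taken from RFC 3768, not from the guide, and the three routers are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

OWNER_PRIORITY = 255        # RFC 3768: the address owner always advertises 255
ADVER_INTERVAL = 1          # default advertisement interval in seconds

@dataclass
class VrrpRouter:
    name: str
    ip: str                 # the router's real interface address on the VRRP VLAN
    priority: int           # configured priority (1..254 for a non-owner)
    owns_vip: bool = False  # True when this router really owns the virtual IP

def virtual_mac(vrid: int) -> str:
    """IANA-reserved VRRP virtual MAC, 00-00-5E-00-01-{VRID}, as the guide gives it."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00-00-5E-00-01-{vrid:02X}"

def effective_priority(r: VrrpRouter) -> int:
    # Rule 1 of the decision tree: address ownership outranks any configured priority.
    return OWNER_PRIORITY if r.owns_vip else r.priority

def elect_master(routers: list) -> VrrpRouter:
    """Owner first, then highest priority, then highest IP address (rules 1-3)."""
    return max(routers, key=lambda r: (effective_priority(r), int(ipaddress.ip_address(r.ip))))

def skew_time(priority: int) -> float:
    # RFC 3768: Skew_Time = (256 - Priority) / 256 seconds; shrinks as priority rises
    return (256 - priority) / 256

def master_down_interval(priority: int, adver_interval: int = ADVER_INTERVAL) -> float:
    # RFC 3768: Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time, so a
    # higher-priority Backup times out first and wins the transition
    return 3 * adver_interval + skew_time(priority)

if __name__ == "__main__":
    # Constructed sample LAN: no owner, so priority decides, then IP address on a tie.
    lan = [VrrpRouter("RouterA", "10.0.10.2", 200),
           VrrpRouter("RouterB", "10.0.10.3", 100),
           VrrpRouter("RouterC", "10.0.10.4", 100)]
    print(elect_master(lan).name, virtual_mac(1))            # RouterA 00-00-5E-00-01-01
    print(master_down_interval(200), master_down_interval(100))  # 3.21875 3.609375
```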

ICMP Echo
The VRRP RFC specifies that a VR master that is not the IP address owner should
not respond to an ICMP ping associated with the virtual IP address.

This poses a problem for network management applications which determine
reachability to a given IP address using ICMP Echos. The best approach is to make
this behavior configurable, so that a non-owner master can be allowed to respond as
well.

Note the difference in CLI syntax on the various platforms.

Notice that in EOS, VRRP Accept Mode is an interface-level configuration option.


ICMP Redirects
When a default router finds that another router on the same LAN (whose IP address is
also on the same subnet) provides a better first hop in the path to a destination, it
sends an ICMP Redirect message to the host to indicate that future packets to that
destination can use the other router as the gateway.

Per RFC, ICMP Redirects may be used normally when VRRP is running between a
group of routers. This allows VRRP to be used in environments where the topology
is not symmetric.

The IP source address of an ICMP redirect should be the address the end host used
when making its next hop routing decision. If a VRRP router is acting as Master for
virtual router(s) containing addresses it does not own, then it must determine which
virtual router the packet was sent to when selecting the redirect source address.
One method to deduce the virtual router used is to examine the destination MAC
address in the packet that triggered the redirect.

It may be useful to disable Redirects for specific cases where VRRP is being used to
load share traffic between a number of routers in a symmetric topology.

Three types of ARP requests can be employed on a VRRP router:

Host ARP - Host ARP performs according to the following rules:
When a host sends an ARP request for one of the VR IP addresses, the master VR
returns the virtual MAC address (00-00-5e-00-01-VRID).
The backup VR must not respond to the ARP request for one of the VR IP
addresses.
If the master VR is the IP address owner, when a host sends an ARP request for this
address, the master VR must respond with the virtual MAC address, not the real
physical MAC address.
For other IP addresses, the VRRP router must respond with the real physical MAC
address, regardless of master or backup.

Gratuitous ARP - behaves in the following manner on a VRRP router:
Each VR sends gratuitous ARP when it becomes the master with virtual IP and MAC
addresses. One gratuitous ARP is issued per VR IP address.
To make the switch learn the correct VR MAC address, the VR master sends
gratuitous ARP for every virtual IP address in the corresponding VR every 10
seconds.

Proxy ARP - If used, the VRRP master router must bind the virtual MAC address to
remote IP destination addresses in proxy ARP replies.
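
An added example, not code from the guide: the host-ARP answer rules listed above as one decision function, and the gratuitous ARP frame a new master sends for each VR IP with the VRRP virtual MAC as the sender hardware address (encoded here as an ARP request with sender IP equal to target IP). The addresses and the physical MAC are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))

def virtual_mac(vrid: int) -> str:
    return f"00-00-5E-00-01-{vrid:02X}"

def arp_reply_mac(target_ip: str, role: str, vr_ips: set, vrid: int, phys_mac: str):
    """MAC an ARP reply must carry, or None when the router must stay silent.
    role is 'master' or 'backup'; the rules hold whether or not the master owns the IP."""
    if target_ip in vr_ips:
        # Only the master answers for a VR IP, and always with the virtual MAC,
        # even when it is the real address owner.
        return virtual_mac(vrid) if role == "master" else None
    # Any other address on the router is answered with the physical MAC, in either role.
    return phys_mac

def gratuitous_arp(vrid: int, vr_ip: str) -> bytes:
    """Broadcast Ethernet frame carrying an ARP request with sender IP == target IP."""
    vmac = mac_bytes(virtual_mac(vrid))
    ip = IPv4Address(vr_ip).packed
    eth = struct.pack("!6s6sH", b"\xff" * 6, vmac, 0x0806)          # dst, src, EtherType ARP
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, 1,        # Ethernet, IPv4, hlen, plen, opcode request
                      vmac, ip,                  # sender: virtual MAC, VR IP
                      b"\x00" * 6, ip)           # target: unknown MAC, same VR IP
    return eth + arp

def frame_sender_mac(frame: bytes) -> str:
    """Sender hardware address a switch learns from the frame (14-byte Ethernet + 8-byte ARP header)."""
    return "-".join(f"{b:02X}" for b in frame[22:28])

if __name__ == "__main__":
    vips = {"10.0.10.1"}
    print(arp_reply_mac("10.0.10.1", "master", vips, 1, "00-11-22-33-44-55"))  # virtual MAC
    print(arp_reply_mac("10.0.10.1", "backup", vips, 1, "00-11-22-33-44-55"))  # None
    print(frame_sender_mac(gratuitous_arp(1, "10.0.10.1")))                    # 00-00-5E-00-01-01
```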

Authentication can help to guarantee that routing information is imported only from trusted
routers. A variety of authentication schemes can be used, but a single scheme must be
configured for each network. The use of different schemes enables some interfaces to use
much stricter authentication than others.

The two authentication schemes available are simple and MD5. The authentication
command specifies the type of authentication and the key values used in VRRP.
Authentication is used by VRRP to generate and verify the authentication field in the VRRP
header.

vrrp authentication simple: Use this command to set a VRRP authentication password on an
interface in clear text format.
Example
This example shows how to set the VRRP authentication password to “vrrpkey” on VLAN 10
VRID 1:
RouterA(su-config)->interface vlan.0.10
RouterA(su-config-intf-vlan.0.10)->vrrp authentication simple vrrpkey

ip vrrp message-digest-key vrid md5 password [hmac-96]: Use this command to set a VRRP
MD5 authentication password on an interface.
Example
This example shows how to set the VRRP MD5 authentication password to “vrrpkey2” on
VLAN 20 VRID 2:
RouterA(su-config)->interface vlan.0.20
RouterA(su-config-intf-vlan.0.20)->vrrp authentication md5 vrrpkey2 hmac-96
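
An added example, not code from the guide or from EOS: decoding a VRRP version 2 advertisement, verifying its checksum and reporting what the authentication field carries, which is also how a capture such as the one later in this chapter is read. The field layout and authentication type codes follow RFC 2338/3768; the EOS MD5 hmac-96 option is vendor-specific and not decoded here, and the packet (reusing “vrrpkey” as its password) is constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# RFC 2338 authentication type codes carried in the VRRPv2 header
AUTH_TYPES = {0: "none", 1: "simple text password", 2: "IP Authentication Header"}

def ones_complement_sum(data: bytes) -> int:
    """Standard Internet checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_advert(vrid, priority, vips, adver_int=1, auth_type=0, auth_data=b""):
    """Assemble a VRRPv2 advertisement with a correct checksum (constructed packet)."""
    auth = auth_data.ljust(8, b"\x00")[:8]            # 8-byte authentication data field
    head = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), auth_type, adver_int, 0)
    body = b"".join(IPv4Address(v).packed for v in vips) + auth
    csum = ones_complement_sum(head + body)
    return head[:6] + struct.pack("!H", csum) + body

def parse_advert(pkt: bytes) -> dict:
    ver_type, vrid, prio, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if ver_type >> 4 != 2 or ver_type & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    vips = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    auth = pkt[8 + 4 * count:16 + 4 * count]
    return {
        "vrid": vrid, "priority": prio, "adver_int": adver_int, "vips": vips,
        "checksum_ok": ones_complement_sum(pkt) == 0,     # a valid packet sums to zero
        "auth_type": AUTH_TYPES.get(auth_type, f"unknown({auth_type})"),
        # Type 1 carries the configured password as-is: every host on the VLAN can read it.
        "auth_data": auth.rstrip(b"\x00").decode("ascii", "replace") if auth_type == 1 else None,
        "master_resigning": prio == 0,                    # priority 0: Master has stopped
    }

if __name__ == "__main__":
    pkt = build_advert(1, 200, ["10.0.10.1"], auth_type=1, auth_data=b"vrrpkey")
    print(parse_advert(pkt))   # auth_type 'simple text password', auth_data 'vrrpkey'
```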

Authentication can help to guarantee that routing information is imported only from
trusted routers. A variety of authentication schemes can be used, but a single
scheme must be configured for each network. The use of different schemes enables
some interfaces to use much stricter authentication than others.

The two authentication schemes available are simple and MD5. The authentication
command specifies the type of authentication and the key values used in VRRP.
Authentication is used by VRRP to generate and verify the authentication field in the
VRRP header.

Note: XOS does not support VRRP authentication.

RouterA is the master of VRRP instance VLAN 10, VRID 1, based on priority (200) as
shown by the show ip vrrp command.

RouterB is the master of VRRP instance VLAN 20, VRID 2, based on IP address
ownership and priority of 255.

Note: If VLAN/VRID priority is equal, the router with the highest IP address for the
VLAN will assume the master role.

The ability to track remote interfaces is designed to address a condition in which the
Master VRRP Router continues to process packets sent to the VRRP IP address,
even when it cannot forward the packet toward the packet’s ultimate destination.

When you configure tracking of an IP route, you create a tracking entry for the
specified route. When this route becomes unreachable, this entry is considered to be
failing. If the route you configure does not exist, an immediate VRRP failover will
occur.

When you configure tracking using ping, you create a tracking entry for the specified
IP address. The entry is tracked using pings to the IP address, sent at the specified
frequency. The values are:

vlan_name: Specifies the name of a VRRP VLAN.
vridval: Specifies the VRID of the target VRRP instance. To display the
configured VRRP router instances, enter the show vrrp command.
ipaddress: Specifies the IPv4 or IPv6 address to be tracked.
seconds: Specifies the number of seconds between pings to the target IP address.
The range is 1 to 600 seconds.
misses: Specifies the number of misses allowed before this entry is considered to
be failing. The range is 1 to 255 pings.
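
An added example, not code from the guide: how a ping-tracking entry with the `seconds` and `misses` parameters above, and a route-tracking entry for a route that does not exist, drive the operational priority of a VRRP router (the priority decrement comes from the ICMP probe example later in this chapter). Counting only consecutive misses, the floor of 1 on the result and the probe results fed in are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class PingTrack:
    target: str
    seconds: int            # interval between pings, 1..600
    misses: int             # misses allowed before the entry fails, 1..255
    decrement: int          # operational priority lost while the entry is failing
    _missed: int = field(default=0, init=False)

    def __post_init__(self):
        if not 1 <= self.seconds <= 600 or not 1 <= self.misses <= 255:
            raise ValueError("seconds must be 1..600 and misses 1..255")

    def record(self, reply_received: bool) -> bool:
        """Feed one probe result; return True while the entry is considered failing."""
        # Assumption: a reply clears the miss count, so only consecutive misses count.
        self._missed = 0 if reply_received else self._missed + 1
        return self.failing

    @property
    def failing(self) -> bool:
        return self._missed >= self.misses

@dataclass
class RouteTrack:
    prefix: str
    decrement: int
    routing_table: set      # prefixes currently installed (constructed sample data)

    @property
    def failing(self) -> bool:
        # A tracked route that is not in the table at all fails the entry at once.
        return self.prefix not in self.routing_table

def operational_priority(configured: int, tracks) -> int:
    """Configured priority minus the decrement of every failing tracking entry."""
    prio = configured - sum(t.decrement for t in tracks if t.failing)
    return max(prio, 1)   # assumption: never drop to 0, which would mean "resigning"

if __name__ == "__main__":
    t = PingTrack("20.20.20.2", seconds=5, misses=3, decrement=10)
    for reply in (True, False, False, False):   # constructed probe results
        print(t.record(reply), end=" ")         # False False False True
    print(operational_priority(200, [t]))       # 190
```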

Note: A UDP probe can also be configured for Application Content Verification (ACV)
if the remote server supports a protocol that responds to a UDP packet, such as the
UDP Echo protocol. Additionally, a TCP probe, if configured, is also capable of ACV for
the verification of a layer 7 (OSI model) application running on the server.

VRRP supports the assigning of an ICMP probe to monitor a remote VRRP critical IP
address. The example shown above:
• Creates the ICMP-VRRP ICMP probe
• Sets the fail detection and pass detection intervals to 5 seconds
• Sets the internet facing IP address 20.20.20.2 on VLAN 20 as the critical-IP address
for VRRP instance 1
• Sets the decrement operational priority to 10 should the interface go down
• Assigns ICMP probe ICMP-VRRP to monitor the interface and enables the interface

This capture is an example of an advertisement in which the Master Router has
reduced its priority, inducing an immediate failover.

In addition to VRRP and EAPS, the core switches are usually configured with
OSPF.

MLAG allows for the provision of multiple connections to the core switches without
the need for a loop prevention protocol. In an edge/core environment the core
switches will usually also run OSPF.
© 2015 Extreme Networks, Inc. All rights reserved. 317


ok
bo
-e
ks
or
w
et
N
e
m
tre
Ex

© 2015 Extreme Networks, Inc. All rights reserved. 318


ok
bo
-e
ks
or
w
et
N
e
m
tre
Ex

© 2015 Extreme Networks, Inc. All rights reserved. 319

You might also like