Routing
Student Guide
Version 2.0
Terms & Condition of Use:
Extreme Networks, Inc. reserves all rights to its materials and the content of the materials. No material provided by Extreme Networks, Inc. to a Partner (or Customer, etc.) may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, or by any information storage or retrieval system, or incorporated into any other published work, except for internal use by the Partner and except as may be expressly permitted in writing by Extreme Networks, Inc.
This document and the information contained herein are intended solely for informational use. Extreme Networks, Inc. makes no representations or warranties of any kind, whether expressed or implied, with respect to this information and assumes no responsibility for its accuracy or completeness. Extreme Networks, Inc. hereby disclaims all liability and warranty for any information contained herein and all the material and information herein exists to be used only on an "as is" basis. More specific information may be available on request. By your review and/or use of the information contained herein, you expressly release Extreme Networks from any and all liability related in any way to this information. A copy of the text of this section is an uncontrolled copy, and may lack important information or contain factual errors. All information herein is Copyright ©Extreme Networks, Inc. All rights reserved. All information contained
http://www.extremenetworks.com/company/legal
Routing occurs at Layer 3 (the Network layer) of the 7-Layer OSI model. Routers direct traffic through a network based on information learned from network layer protocols such as IP and IPX. In order to forward network layer traffic, routers use a
Each port on the router is called an interface. Each configured interface defines the boundary of a LAN segment, and a Layer 3 broadcast domain. Router interfaces are
Routers perform two basic operations. The first is to forward packets towards their correct destinations. The second is to maintain a routing table which allows the router to determine the correct path. Let’s examine how these processes work.
Forwarding:
Step 1:
PC-A formulates a packet for PC-B, and forwards it to Router A.
Step 2:
Router A strips off the Ethernet encapsulation, and examines the packet’s Destination IP address. It determines that the packet is not addressed to itself, and
Step 3:
Router A examines its routing table. It finds the outgoing interface and next-hop
address that the destination network (10.2.1.0) is reachable through. The next-hop
address belongs to the next router that the packet will be forwarded to, (in this case
Router B).
Step 4:
If necessary, Router A ARPs for Router B’s MAC address. Router A then
encapsulates the packet in a new Layer 2 envelope, and forwards it to Router B.
The routing software and hardware routes IP traffic between router interfaces. A router interface is simply a virtual LAN (VLAN) that has an IP address assigned to it. As you create VLANs with IP addresses belonging to different IP subnets, you can
between the VLANs. Both the VLAN switching and IP routing function occur within the switch.
Ex
The switch maintains a set of IP routing tables for both network routes and host routes. Some routes are determined dynamically from routing protocols, and some routes are manually entered. When multiple routes are available to a destination, configurable options such as route priorities, route sharing, and compressed routes
The router typically learns dynamic routes because you have enabled the RIP, OSPF, IS-IS or BGP protocols. It also learns routes from Internet Control Message Protocol (ICMP) redirects exchanged with other routers. These routes are called dynamic routes because they are not a permanent part of the configuration. The router learns these routes when it starts up and dynamically updates them as the network changes.
Older dynamic routes age out of the routing tables when an update for the network is
not received for a period of time, as determined by the routing protocol.
Once a routing protocol is configured, dynamic routes require no configuration and
are automatically updated as the network changes.
Static routes are routes that are manually entered into the routing tables and are not advertised through the routing protocols. Static routes can be used to reach networks that are not advertised by routing protocols and do not have dynamic route entries in the routing tables. Static routes can also be used for security reasons, to
configuration when the switch is rebooted, and are immediately available when the switch completes startup. Static routes are never aged out of the routing table; however, the Bidirectional Forwarding Detection (BFD) feature can be used to bring down static routes when the host link fails.
Without BFD, static routes always remain operationally active because there is no
dynamic routing protocol to report network changes. This can lead to a black hole
situation, where data is lost for an indefinite duration. Because upper layer protocols
are unaware that a static link is not working, they cannot switch to alternate routes
and continue to use system resources until the appropriate timers expire.
With BFD, a static route is marked operationally inactive if the BFD session goes
down. Upper layer protocols can detect that the static route is down and take the
appropriate action.
A default route is a type of static route that identifies the default router interface to
which all packets are routed when the routing table does not contain a route to the
packet destination. A default route is also called a default gateway.
example; “d” (direct) for local interfaces, “s” for static routes including the default
The IP network. This field will be shown as a combination of the network address and the subnet mask.
The network gateway. This is typically the next hop router. If the network is directly
connected, you should see the IP address of the VLAN's IP routing interface.
The route metric. This field defines the quality of the path to the target network.
Since the routing table can contain multiple entries to a destination network, the
router will pick the route with the lowest metric as it is considered to be of higher
quality.
Other information is also displayed such as the route status, VLAN for next hop
forwarding and age.
When there are multiple, conflicting choices of a route to a particular destination, the router picks the route with the longest matching network mask. If these are still equal, the router picks the route using the following default criteria (in the order specified):
• ICMP redirects
• Dynamic routes
• Directly attached network interfaces that are not active.
You can also configure black hole routes—traffic to these destinations is silently
dropped.
The criteria for choosing from multiple routes with the longest matching network
mask is set by choosing the relative route priorities.
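The selection rule described above (longest matching mask first, then route precedence, then metric, with black hole routes silently dropping traffic) as an added Python example; this is not code from the guide, and the precedence numbers it uses are constructed for illustration, not Extreme defaults:

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed, illustrative precedence values (lower is preferred). The order
# follows the guide's list (ICMP redirects ahead of dynamic routes, inactive
# direct interfaces last); the numbers themselves are constructed, not
# Extreme defaults.
PRECEDENCE = {
    "direct": 10,
    "static": 20,
    "icmp": 30,
    "ospf": 40,
    "direct-inactive": 50,
}


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network   # destination: network address + mask
    gateway: Optional[str]           # next-hop gateway; None for a black hole
    origin: str                      # key into PRECEDENCE
    metric: int = 1                  # path quality, lower is better
    blackhole: bool = False          # matching traffic is silently dropped


def best_route(table, dst):
    """Select the route for dst: longest matching mask first, then lowest
    precedence, then lowest metric. Returns None when nothing matches."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen,
                                       PRECEDENCE[r.origin], r.metric))


def forward(table, dst):
    """Forwarding decision: ("forward", gateway), ("drop", "blackhole") or
    ("drop", "no-route")."""
    route = best_route(table, dst)
    if route is None:
        return ("drop", "no-route")
    if route.blackhole:
        return ("drop", "blackhole")
    return ("forward", route.gateway)


def mk(prefix, gateway, origin, metric=1, blackhole=False):
    """Small constructor so the sample table stays readable."""
    return Route(ipaddress.IPv4Network(prefix), gateway, origin, metric, blackhole)


# Constructed sample table; 10.2.1.0/24 is the destination network from the
# forwarding walkthrough above. The gateway addresses are constructed.
SAMPLE_TABLE = [
    mk("0.0.0.0/0", "10.0.0.1", "static"),                 # default route
    mk("10.2.0.0/16", "10.0.0.2", "ospf", metric=20),
    mk("10.2.1.0/24", "10.0.0.3", "ospf", metric=5),      # towards Router B
    mk("10.2.1.0/24", "10.0.0.4", "static"),              # same mask: static wins
    mk("10.0.0.0/24", "10.0.0.254", "direct"),
    mk("192.0.2.0/24", None, "static", blackhole=True),   # black hole route
]


if __name__ == "__main__":
    for dst in ("10.2.1.7", "10.2.5.1", "198.51.100.9", "192.0.2.5"):
        print(dst, forward(SAMPLE_TABLE, dst))
```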
A default precedence/distance for each type of route is listed, and the table notes the precedence between protocols. The lower the precedence value, the more preferred
Without IP route sharing, each IP route entry in the routing tables lists a destination subnet and the next-hop gateway that provides the best path to that subnet. Every time a packet is forwarded to a particular destination, it uses the same next-hop gateway.
With IP route sharing, the router can use up to 2, 4, 8, 16, or 32 next-hop gateways
(depending on the platform and feature configuration) for each route in the routing
tables. When multiple next-hop gateways lead to the same destination, the switch
can use any of those gateways for packet forwarding. IP route sharing provides
route redundancy and can provide better throughput when routes are overloaded.
XOS routers support a separate ECMP table. The gateways in the ECMP table can
be defined with static routes (up to 32-way), or they can be learned through the
OSPF, BGP, or IS-IS protocols (up to 8-way).
solution in the industry. The K-Series is built upon the Extreme Networks CoreFlow2 custom ASIC. This cornerstone switching technology provides greater visibility into critical business applications and the ability to enable better controls to meet the
The S-Series family contains 5 Chassis based switches and one standalone unit:
• S8
• S6
• S4
• S3
• S1
S3 chassis
The S-Series I/O module architecture adds to the benefits of the S4 and S8 scalable
fabric based architecture. All I/O modules include premium featured switching and
routing functions along with advanced management. Essentially, each and every S-
Series I/O module provides as much switching and processing power as some
competing vendors entire chassis.
With a best of breed architecture optimized for multi-tier networks based on multiple distributed host CPUs and multiple ASIC switching engines, the S-Series scales to the most demanding network environments. The S-Series incorporates a unique approach to operating software scalability and resiliency where switching and routing applications are distributed across Fabrics and modules to load share system operation and allow the system to scale to many thousands of users. In the unlikely event of an I/O module or fabric failure, the system will transparently re-allocate switching, routing and management functions to other modules and fabrics with no user intervention, therefore maintaining network performance and reliability as well as business continuity.
Extreme switches operate predominantly as Layer 2 devices and are provisioned for Layer 3 services when needed. As a result, there are certain Layer 2 features that can adversely affect routing behavior. Prior to configuring VLAN interfaces for routing, it may be necessary to turn off specific switching features such as Layer 2
Before you configure routing, you must first create VLANs on your switch, and add ports to them.
On XOS switches:
Use the create vlan [vlan name] command to create the VLANs you require. Once VLANs are created, they will be available for layer 3 provisioning.
Next, make your vlan a tagging vlan with the configure vlan [vlan-name] tag
[vlan-id] command. Note that the vlan argument in this command is optional;
you can use the command configure [vlan-name] tag [vlan-id] and get the
same results.
Next, add ports to your vlan with the configure vlan [vlan-name] add ports
[ports] [tagged|untagged] command. Note that the vlan argument in this
command is optional; you can use the command configure [vlan-name] add
ports [ports] [tagged|untagged] and get the same results.
On EOS switches:
Use the set vlan create <VLAN id> command to create the VLANs you require. Once VLANs are created in switch configuration mode, they will be available for layer 3 provisioning.
Next, assign switch ports to your VLANs to provide physical connectivity for the layer
3 VLAN interfaces. You can use either of two methods for assigning untagged ports
to a VLAN.
Enter the set port vlan [port string] [vlan id] command, and enter “Y” at the prompt to
add the port to a VLAN’s egress list as untagged and clear the existing PVID.
Append the modify-egress option onto the set port vlan [port string] [vlan id]
command. Setting modify-egress is equivalent of entering “Y”.
If you choose “N” when entering the set port vlan [port string] [vlan id] command in
step 3, you can set the port to a VLAN’s egress list as untagged by using the
command displayed in step 4. Issuing the set vlan egress vlan id port string
untagged command represents the equivalent of setting modify-egress or entering
“Y”.
Direct Routing is the simplest form of routing. Direct routing allows devices that are on different VLANs to communicate with each other by crossing the routing function in a single switch. With direct routing the routers involved do not advertise their IP
however, does not know about either VLAN 5 or VLAN 10, and users on VLAN 20 on Router B are unable to communicate with users on any of Router A’s VLANs.
For all Extreme switches, a device with a VLAN that does not have a corresponding IP interface defined for it will function as a Layer 2 device only, regardless of the operation mode.
On XOS Switches:
Assign a VLAN a layer 3 IP interface address and subnet mask to enable IP routing
between VLANs. Give the VLAN an IP address and subnet mask, and issue the
enable ip forwarding [vlan-name] command to tie the VLAN into the routing function.
On EOS Switches:
Assign a VLAN a layer 3 IP interface address and subnet mask to enable IP routing between VLANs. The Layer 3 VLANs can be thought of as network links, rather than
with the no shutdown command. These two commands will tie the VLAN into the routing function on the switch.
A loopback interface is a logical IP interface on your router that is not associated with a specific physical connection. It is best network practice to create a loopback
connects to your router using the IP address of one of the router’s physical interfaces, and if that interface goes down, your management station will lose contact with the router, and you will be unable to repair the problem. If your management station connects to the router using the IP address of the loopback interface, then it will be able to maintain connection as long as the router has one or more active physical interfaces.
Routing tables can be maintained either statically or dynamically. All the Extreme switch routers support static routes and at least one form of dynamic routing.
Static Routes
Static routes are manually configured by a network administrator for entry into a switch’s routing table; they are flagged as “S”, which indicates static. Static routes point to remote network destinations, and will take precedence over routes chosen by dynamic routing protocols pointing to the same destination. Although easy to configure and use, a major drawback of static route implementation on a large scale is that every time the network topology changes, the routing information will need to be manually reentered into the route table. Therefore, static routing is not suited to large, dynamic networks.
Dynamic Routes
Dynamic Routes are created using routing protocols to determine the best path
between routers. When network topologies change, routers using dynamic routing
will automatically recalculate the best possible route. The methods for route
recalculation vary between the protocols.
The router keeps a record of all its decisions about the best path between it and other IP subnets in your network in the form of a routing table. The routing table specifies how the router knows about the IP subnet, the IP address of the subnet, the next hop router on the path to that subnet, and the IP interface out of which the
as well as dynamic routing. Whereas dynamic routing uses protocols such as OSPF to construct a routing table, static routes are manually configured and entered into a
When configured, static routes take precedence over routes learned by dynamic
routing protocols. For example, if two paths exist to a remote Layer 3 (IP)
destination, and one path was learned dynamically and the other path was statically
configured, the statically configured path would be chosen as the more preferred
route to the destination.
To configure a static route in XOS use the configure iproute add command, where:
Optionally, you can set the virtual router upon which you are configuring this static route. If you do not specify a virtual router, XOS will set the static route in the Default VR.
To configure a static route in EOS use the ip route command from configuration mode, where the:
next-hop: specifies the next-hop router address for the static route.
Optionally, you can set the distance, which specifies an administrative distance (i.e. precedence) for this route. This value can be in the range of 1 to 255, and it defaults to 1 if not specified.
In XOS, DHCP relay is a device level function. For DHCP relay to succeed, the router must have a path to the network on which the DHCP server resides in its
common LAN segment, and an IP address to MAC address mapping does not exist in its ARP table, the device will issue an ARP request. If the destination device is on line, it will hear the ARP broadcast request, recognize its IP address, and respond back to the requesting host with its MAC address, thereby providing the requesting device the IP address to MAC address mapping it requires to deliver data across the layer 2 LAN segment. This IP address to MAC address mapping will then be maintained in the device’s ARP table/cache for some predefined/configurable period of time.
Note: The ARP function is critical in IP networks. If a network device cannot obtain an IP-to-MAC mapping of the device it is attempting to communicate with, they will be unable to exchange data across the LAN. Ensure proper ARP table entries are present via the show ip arp [ip-address] command if a connectivity problem has been encountered.
instructions of the routing table. Inability to forward requires that the packet be dropped and an ICMP error message be transmitted back to the source with the reason why.
departure from the Bellman-Ford base used by traditional distance vector internet routing protocols.
The OSPF protocol was developed by the OSPF working group of the Internet
Engineering Task Force. It has been designed expressly for the internet
environment, including explicit support for IP subnetting, TOS-based routing and the
tagging of externally-derived routing information. OSPF also provides for the
authentication of routing updates, and utilizes IP multicast when sending/receiving
the updates. In addition, much work has been done to produce a protocol that
responds quickly to topology changes, yet involves small amounts of routing protocol
traffic.
included networks, is called an area. Each area runs a separate copy of the basic shortest-path-first routing algorithm. This means that each area has its own topological database.
The topology of an area is invisible from the outside of the area. Conversely, routers
internal to a given area know nothing of the detailed topology external to the area.
This isolation of knowledge enables the protocol to effect a marked reduction in
routing traffic as compared to treating the entire autonomous system as a single SPF
domain.
With the introduction of areas, it is no longer true that all routers in the AS have an
identical topological database. A router actually has a separate topological database
for each area to which it is connected. Routers connected to multiple areas are
called area border routers. Two routers belonging to the same area have, for that
area, identical area topological databases.
Routing in the autonomous system takes place on two levels, depending on whether
the source and destination of a packet reside in the same area (intra-area routing is
used) or different areas (inter-area routing is used). In intra-area routing, the packet
is routed solely on information obtained within the area; no routing information
obtained from outside the area can be used. This protects intra-area routing from the
injection of bad routing information.
Every OSPF routing domain (AS) that has more than one area must have a backbone. The backbone is a special OSPF area that must have an area ID of 0.0.0.0 (or simply 0). It consists of those networks not contained in any specific area, their attached routers, and those routers that belong to multiple areas. The backbone
Area 0.
However, it is possible to define areas in such a way that the backbone is no longer contiguous, that is, where the continuity between routers is broken. In this case, you must establish backbone continuity by configuring virtual links. Virtual links are useful when the backbone area is either purposefully partitioned or when restoring inadvertent breaks in backbone continuity.
OSPF supports a two level routing design through the use of Areas. OSPF areas are identified by an area ID. The area consists of the network segments and routers that reside in the area. Each area has its own link state database (LSDB) which is separate from the LSDBs in other OSPF areas. The LSDB consists of router-LSAs and network-LSAs which describe how the area’s routers and network segments are connected. Detailed information regarding the area’s topology is hidden from all other areas (router-LSAs and network-LSAs are not flooded to routers outside the area and are used for Intra-Area routing).
As a result of OSPF using area based routing, the positioning of routers with respect to these areas represents a critical element in an OSPF routing environment.
categorized into one of the following categories: ABRs, ASBRs, or internal routers. Depending on what type of router it is, the router has different responsibilities in
Inter-Area routing is achieved through the use of summary-LSAs that are passed from area to area (via ABRs). Summary-LSAs allow routers in the interior of an area to dynamically learn about destinations in other areas, so they can select the best
Stub areas are typically implemented when routers with limited resources (small amounts of memory or limited CPU processing capacity) must be deployed in an OSPF routing domain. To conserve router resources, the link state database (LSDB) within a stub area is kept as small as possible. AS-external-LSAs are not passed into the area. Routing to external destinations from a stub area is accomplished by using a default route originated by the area’s ABR.
There are several requirements to take into consideration when configuring a stub area. All routers participating in the stub area must be configured to function as stub area routers.
In addition:
• AS-external-LSAs are not flooded into Stub Areas
• Routing to external destinations from Stub Areas is based on Default Routes originated by a Stub Area’s ABR.
• Summary LSAs can also use the Default Route for Inter-area routing.
Criteria:
• Stub areas must not have an ASBR
• Stub areas should have one ABR, or, if more than one, accept non-optimal routing paths to the External AS
• No Virtual Links allowed in a stub area
A Totally Stubby Area (TSA) is a variation of a stub area. For very large OSPF networks it is sometimes necessary to limit the amount of routing information flooded
area via an Autonomous System Border Router (ASBR) that resides in the NSSA.
AS-external-LSAs from outside the area (e.g., AS-external-LSAs from Area 0) are
For the current slide, Router A and Router B have been elected Designated Router (DR) and Backup Designated Router (BDR) based on priority (Priority 100 and Priority 75). A set of adjacencies forms over the Gig-Ethernet LAN segment as indicated on the slide. To demonstrate over a broadcast LAN how database updates occur using a DR and BDR, Router E receives a new LSA (perhaps you configure a new VLAN to participate in OSPF). It installs the LSA in its database, and then floods the LSA (LS Update) to the DR and BDR (using 224.0.0.6 (AllDRouters)) so only these routers receive the update.
The Designated Router then sends the LS Update back on to the Gig-Ethernet LAN segment using address 224.0.0.5 (AllSPFRouters). All the routers hear and process the update. Router B and Router E update their timers; Router C and Router D add the LSA to their Link State Database. All the routers stop passing data traffic, run Dijkstra’s Algorithm to recompute their Shortest Path Trees, reconverge, and begin passing traffic again.
Using the loopback interface as the router ID is the preferred method. Its major advantage is as follows: If a real interface is used, any time that interface goes down the router must find another Router ID. This causes all the other routers to learn the router’s new ID number, and update their databases. This would result in the router not processing OSPF packets during this time frame. As long as the router is turned on and running, the loopback will never go away, so when a router interface goes
OSPF packet type 1: these packets are sent out of all interfaces, transmitted via multicast to AllSPFRouters (224.0.0.5), a form of “keep alive”, and used for
routers. These messages are exchanged after a router discovers (by examining database-description packets) that parts of its topological database are out of date. Type 3 packets allow the router to come to full adjacency with the Designated Router.
OSPF packet type 4 implements the flooding of LSAs; several LSAs may be included within a single packet. It is sent in response to Link State Request packets, performs the database update, and is acknowledged by Link State Acknowledgement packets.
OSPF packet type 5 performs flooding acknowledgement for LSAs. It is sent either multicast to AllSPFRouters or AllDRouters, or unicast; the packet format is similar to Database Description packets, and the packet body consists of a list of LSA headers.
established with some subset of the router's neighbors. Routers connected by point-
to-point networks and virtual links always become adjacent. On multi-access
networks, all routers become adjacent to both the designated router and the backup
designated router.
Routing protocol packets are sent and received only on adjacencies. In particular,
distribution of topological database updates proceeds along adjacencies.
It uses the Hello protocol to determine if two routers are to become adjacent. The Hello protocol verifies that both routers are in the same area, have the same interface timers and network mask, and their router capabilities match. If all of these tests are passed, each router lists the other as a neighbor in the Hello packet. This establishes two-way adjacency. If one of the routers is a DR, they then exchange link state information.
Forming an Adjacency
The general process that OSPF routers use to form an adjacency is described below. For
more detailed information about this process refer to RFC 2328.
Routers A and B exchange hello packets. Based on the contents, A and B decide whether
to become fully adjacent.
Routers A and B compare LSDBs by exchanging database description packets. These
packets do not provide enough detail to actually update the database, only enough detail to
find out which LSAs are not yet in the local database and which LSAs presently in the
database are out of date.
Each router updates its database by transmitting a link state request to the other router. The
request is considered fulfilled when a link state update is received containing the requested
LSAs. Each router updates its database with information it considers better than what it
already has. A sequence number contained in each LSA determines what constitutes better
information. The receipt of each LSA is acknowledged by using the link state ACK packet.
When this process is complete, the adjacency is formed, the link state databases are
synchronized, and the Neighbor State is Full.
The two routers continue to exchange Hello messages, maintaining their adjacency.
router, you see some of these states when you view the log or trace file. The
Down - This is the initial state of a neighbor conversation. There has been no recent information received from the neighbor. This appears only for statically configured neighbors.
Attempt - This state only occurs on non-broadcast networks. It indicates that no
recent information has been received from a neighbor.
Init - A hello packet is seen from the neighbor but bi-directional communication is
not established with the neighbor.
Two-Way - Communication between the two routers is bi-directional. This
occurs when router A receives router B’s hello and sees itself listed as a
neighbor.
ExStart - This is the first step in creating an adjacency. A master or slave
relationship is negotiated, governing the subsequent message exchange.
Exchange - The router is describing its entire LSDB by sending database
description packets to the neighbor. The router with the highest router ID
becomes the master.
Loading - Link state request packets are sent to the neighbor asking for more
recent advertisements that were learned but not received, and link state updates
are sent in response.
Full - The neighboring routers are fully adjacent, and the LSDBs are identical.
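The Hello checks and the adjacency walk described above (Init, Two-Way, ExStart with the highest router ID as master, Exchange of database descriptions, Loading of missing or older LSAs, Full once the databases match) as an added Python model; this is not the guide's code, the Hello fields are reduced to the ones the text names rather than the full RFC 2328 layout, and the two routers and their LSDB contents are constructed:

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    router_id: str
    area_id: str
    netmask: str
    hello_interval: int
    dead_interval: int
    options: int                                  # capability bits that must match
    lsdb: dict = field(default_factory=dict)      # lsa_id -> (sequence, body)
    heard: set = field(default_factory=set)       # neighbor list carried in our Hellos
    state: dict = field(default_factory=dict)     # neighbor router_id -> state name


def hello_mismatches(local, remote):
    """Fields the guide says must agree; an empty list means the Hello is accepted."""
    checks = {
        "area_id": local.area_id == remote.area_id,
        "netmask": local.netmask == remote.netmask,
        "hello_interval": local.hello_interval == remote.hello_interval,
        "dead_interval": local.dead_interval == remote.dead_interval,
        "options": local.options == remote.options,
    }
    return [name for name, ok in checks.items() if not ok]


def process_hello(receiver, sender):
    """receiver handles a Hello from sender (sender.heard is its neighbor list).
    Returns receiver's resulting state for that neighbor."""
    if hello_mismatches(receiver, sender):
        return receiver.state.get(sender.router_id, "Down")   # Hello ignored
    receiver.heard.add(sender.router_id)
    seen_myself = receiver.router_id in sender.heard
    receiver.state[sender.router_id] = "Two-Way" if seen_myself else "Init"
    return receiver.state[sender.router_id]


def db_description(r):
    """Database Description content: LSA headers only (id -> sequence number)."""
    return {lsa_id: seq for lsa_id, (seq, _) in r.lsdb.items()}


def link_state_request(r, dbd):
    """LSA ids the peer advertises that r lacks or holds with an older sequence."""
    return sorted(lsa_id for lsa_id, seq in dbd.items()
                  if lsa_id not in r.lsdb or r.lsdb[lsa_id][0] < seq)


def install(r, updates):
    """Link State Update handling: keep only newer information; ack everything."""
    acked = []
    for lsa_id, (seq, body) in updates.items():
        if lsa_id not in r.lsdb or r.lsdb[lsa_id][0] < seq:
            r.lsdb[lsa_id] = (seq, body)
        acked.append(lsa_id)
    return acked


def form_adjacency(a, b):
    """Walk a and b through the neighbor states; returns the trace of steps."""
    trace = [process_hello(b, a),    # b hears a for the first time: Init
             process_hello(a, b),    # b's Hello now lists a: Two-Way at a
             process_hello(b, a)]    # a's Hello now lists b: Two-Way at b
    if not (a.state.get(b.router_id) == b.state.get(a.router_id) == "Two-Way"):
        return trace                 # mismatched Hellos never reach adjacency
    # ExStart: master/slave negotiation, highest router ID becomes master
    master = max((a, b), key=lambda r: int(ipaddress.IPv4Address(r.router_id)))
    trace.append("ExStart:" + master.router_id)
    # Exchange: swap Database Description packets (headers only)
    dbd_a, dbd_b = db_description(a), db_description(b)
    trace.append("Exchange")
    # Loading: request missing/out-of-date LSAs, install the updates, ack them
    install(a, {k: b.lsdb[k] for k in link_state_request(a, dbd_b)})
    install(b, {k: a.lsdb[k] for k in link_state_request(b, dbd_a)})
    trace.append("Loading")
    final = "Full" if a.lsdb == b.lsdb else "Loading"
    a.state[b.router_id] = b.state[a.router_id] = final
    trace.append(final)
    return trace


def sample_pair(mismatch=False):
    """Constructed routers in area 0.0.0.0; mismatch=True gives b a different hello timer."""
    a = Router("1.1.1.1", "0.0.0.0", "255.255.255.0", 10, 40, 0x02,
               lsdb={"1.1.1.1": (5, "router-LSA A"), "10.0.0.0/24": (2, "network-LSA")})
    b = Router("2.2.2.2", "0.0.0.0", "255.255.255.0", 30 if mismatch else 10, 40, 0x02,
               lsdb={"2.2.2.2": (3, "router-LSA B"), "10.0.0.0/24": (4, "network-LSA v4")})
    return a, b


if __name__ == "__main__":
    a, b = sample_pair()
    print(form_adjacency(a, b), a.lsdb == b.lsdb)
```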
In order for two OSPF routers to come to adjacency, their timers must all match.
The defaults are given in the table above; all Extreme routers by default are
Type 1 LSAs are called router-LSAs. Each router originates a single router-LSA to describe its set of active interfaces and neighbors. If your routing domain consists entirely of routers connected by point-to-point links – that is, if you have no client-facing VLANs attached to your routers – the link-state database will consist only of router-LSAs.
Type 2 LSAs are called network-LSAs. The Type 2 LSA describes a broadcast network segment (such as Ethernet) or other Non-Broadcast Multiple Access (NBMA) network (such as Asynchronous Transfer Mode (ATM)), along with the
summarizable. If they are not, your ABR will issue a Type 3 LSA for every network in the area.
OSPF network know the path to the ASBR. The Type 4 LSA floods throughout the OSPF backbone area; all other routers in the backbone area receive and process it directly. Any other ABRs in the domain will re-originate the Type 4 LSA into the area(s) to which they are connected.
ASBRs flood throughout your OSPF domain, crossing ABRs. This behavior, in contrast to the ABR re-originating the LSA, is designed to reduce the size of your Link State Database. Consider the graphic above. If both ABRs in Area 0.0.0.1 re-originated the Type 5 LSA sent out by the ASBR – that is, they both resent the advertisement with their own Router IDs as the originating router – every other router in the network would be required to store two LSAs for paths to the single ASBR router. By simply having the ABRs flood the original Type 5 LSA, OSPF allows each router throughout the domain to calculate a path to the ASBR directly.
If an ASBR is on the back side of a Not So Stubby Area (NSSA), it advertises routes it learns from the non-OSPF routing protocol into the NSSA as Type 7 LSAs. The Area Border Router advertises these routes into the rest of the OSPF domain as Type 5 LSAs.
If you have Equal Cost Multi-Paths through your network, the router will include all of those paths in the results of the show ip route command. Note that in this network,
OSPF Router priority is an interface level command and is used to influence the election process for the Designated Router (DR) and Backup Designated Router (BDR) in a broadcast LAN environment. The routers with the highest priority interfaces will win the election process for DR and BDR on a broadcast network segment. If two routers have the same priority, the router with the highest router ID will be elected as the DR. Setting the interface to a priority of “0” precludes that
router from becoming a DR for the LAN segment. Valid values range from 0-255. A
priority of 0 means that an interface will become the DR only if it is the only interface
in the area.
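The election rule just described, worked through as an added Python example (this is not code from the guide or from ExtremeXOS): it models a fresh DR/BDR election on one broadcast segment, comparing router IDs numerically rather than as strings, and treats priority 0 as ineligible. The OspfInterface records are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class OspfInterface:
    """One router's interface on the shared segment (constructed sample data)."""
    router_id: str   # dotted-quad OSPF router ID
    priority: int    # interface priority, 0-255; 0 = ineligible for DR/BDR


def router_id_value(router_id: str) -> int:
    """Compare router IDs as 32-bit integers, not as strings ("10.0.0.10" > "10.0.0.9")."""
    octets = [int(o) for o in router_id.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad router ID: {router_id!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def elect_dr_bdr(interfaces: List[OspfInterface]) -> Tuple[Optional[str], Optional[str]]:
    """Return (DR, BDR) router IDs for a fresh election on one broadcast segment.

    Highest priority wins; a tie is broken by the highest router ID. Interfaces
    with priority 0 never become DR or BDR. None is returned for a role nobody fills.
    """
    for iface in interfaces:
        if not 0 <= iface.priority <= 255:
            raise ValueError(f"priority out of range on {iface.router_id}: {iface.priority}")
    eligible = [i for i in interfaces if i.priority > 0]
    # Best first: sort by (priority, numeric router ID) descending.
    eligible.sort(key=lambda i: (i.priority, router_id_value(i.router_id)), reverse=True)
    dr = eligible[0].router_id if eligible else None
    bdr = eligible[1].router_id if len(eligible) > 1 else None
    return dr, bdr


# Constructed sample segment: three eligible routers and one with priority 0.
SEGMENT = [
    OspfInterface("10.0.0.1", 100),
    OspfInterface("10.0.0.2", 100),
    OspfInterface("10.0.0.3", 200),
    OspfInterface("10.0.0.4", 0),
]

if __name__ == "__main__":
    print(elect_dr_bdr(SEGMENT))  # ('10.0.0.3', '10.0.0.2')
```

This models only the initial election that the priority and router ID rules decide; real OSPF does not preempt an established DR when a higher-priority router joins the segment later.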
Note: in XOS, the show vlan command will also tell you which VLANs have OSPF
enabled on them.
Note that if you are already running OSPF in your network and are changing the
area an interface belongs to, you must first disable OSPF with the disable ospf

Translate specifies whether type-7 LSAs are translated into type-5 LSAs.
Note that the summarization process advertises a single path to all the summarized
routes. Summarization does not allow you to selectively advertise a route within the
summarized range.
OSPF supports three different ways in which the routers can authenticate
themselves to each other:
Null authentication, the default. With Null authentication, the routers do not
authenticate each other, and accept Hello packets from any source.

On all Extreme switches you must configure simple authentication both for your
OSPF area and on each interface in the area.
The md5-key-id specifies an RSA Data Security, Inc. MD5 Message-Digest
Algorithm key; the valid key numbers range from 0-255. The md5_key_id must match

The minimum steps to enable OSPF on a router would consist of the following:
Create IP Interfaces

commonly used to allow multiple hosts in a private IP address space to access the

mapping these four values in the internal machine to their four corresponding values
Consider this example network. The client at 172.16.11.12 wishes to access the
Google server at 74.125.224.72, and formulates an HTTP Get request directed to
that IP address. The client includes its current available TCP port number, 56123, in
the source port field of the TCP header, and includes port 80, the well-known HTTP

Network Address Translation, replacing the Source IP address of the client with its
publicly valid IP address, 63.27.141.3. It then creates an entry in the NAT table that
says, in essence, “I need to remember that any reply coming from 74.125.224.72
with a destination port of 56123 is really going to my internal client at 172.16.111.12.
When I get that reply, it’s going to be coming to my IP address of 63.27.141.3. I’m
going to have to replace that publicly valid IP address in the Destination IP address
field with the IP address of my internal client, 172.16.111.12, and send the packet
along.”
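The NAT-table bookkeeping described above, as an added Python example (not code from the guide): a small PAT router that rewrites the source of outbound packets, records the mapping, and translates only replies that match a recorded (remote endpoint, public port) pair. The addresses are the ones in the example, using 172.16.11.12 for the client; the port-preservation policy and the second client 172.16.11.13 are assumptions.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    """Just the header fields NAT needs (constructed, not a real packet parser)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class PatRouter:
    """Port Address Translation: many inside hosts share one public IP.

    Assumption (not from the guide): the router keeps the client's own source
    port when it is still free on the public side, otherwise it takes the next
    free port at or above 1024.
    """

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        # (proto, public_port) -> (inside endpoint, remote endpoint)
        self.table: Dict[Tuple[str, int], Tuple[Endpoint, Endpoint]] = {}

    def _public_port_for(self, proto: str, inside: Endpoint, remote: Endpoint) -> int:
        for (p, port), (owner, peer) in self.table.items():
            if p == proto and owner == inside and peer == remote:
                return port  # existing flow: reuse its mapping
        for port in [inside[1], *range(1024, 65536)]:
            if (proto, port) not in self.table:
                self.table[(proto, port)] = (inside, remote)
                return port
        raise RuntimeError("no free public port")

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of an inside-to-outside packet and record the mapping."""
        public_port = self._public_port_for(
            pkt.proto, (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port))
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a reply, or return None (drop) if nothing matches."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None  # unsolicited inbound packet: no inside destination exists
        inside, remote = entry
        if remote != (pkt.src_ip, pkt.src_port):
            return None  # right port, wrong peer: not the reply this entry expects
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


# Constructed walk-through using the addresses from the example above.
ROUTER = PatRouter("63.27.141.3")
REQUEST = Packet("172.16.11.12", 56123, "74.125.224.72", 80)


def translate_round_trip() -> Tuple[Packet, Optional[Packet]]:
    """Outbound request, then the server's reply, through the same table."""
    out = ROUTER.outbound(REQUEST)
    reply = Packet(out.dst_ip, out.dst_port, out.src_ip, out.src_port)
    return out, ROUTER.inbound(reply)


if __name__ == "__main__":
    out, back = translate_round_trip()
    print(out)   # src 63.27.141.3:56123 -> 74.125.224.72:80
    print(back)  # dst rewritten back to 172.16.11.12:56123
```

The inbound path is where the filtering happens: a packet to the public address that matches no table entry, or that comes from a peer other than the one recorded, has no inside destination and is dropped. That is why a PAT device incidentally blocks unsolicited inbound connections, and also why a table keyed on the public port alone (without the peer check) is weaker.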
Access Control Lists (ACLs) are used to define packet filtering and forwarding rules
for traffic traversing the switch. Each packet arriving on an ingress port and/or VLAN
is compared to the access list applied to that interface and is either permitted or

listed in the ExtremeXOS Concepts Guide. However, only a subset of the filtering
conditions available for ingress filtering are available for egress filtering.
NOTE
Port Isolation (new in 15.3). This feature blocks accidental and intentional
intercommunication between different customers residing on different physical ports.
Previously, this kind of security was obtained through the access-list module, but this
can be complicated to manage and can be resource intensive. This feature provides
a much simpler blocking mechanism without the use of ACL hardware. A set of
physical or load-share ports can be selected that will be deemed isolated - once
isolated, the ports cannot communicate with other isolated ports, but can
communicate with any other ports. Use the following command: configure ports
<port-list> isolation [on | off].
Match Conditions
You can specify multiple, single, or zero match conditions. If no match condition is
specified, all packets match the rule entry. The table above lists a selection of the
available match conditions. For the complete list of match conditions refer to the

You can also use the operators <, <=, >, and >= to specify match conditions. For
example, the match condition, source-port > 190, will match packets with a source
port greater than 190. Be sure to use a space before and after an operator.
Actions
The action is either permit or deny or no action is specified. No action specified

Action Modifiers
The above table lists a selection of action modifiers such as count, qosprofile and
meter. The count action increments the counter named in the condition. The QoS
profile action forwards the packet to the specified QoS profile; the meter action
modifier associates a rule entry with an ACL meter for rate limiting. For a full list of
action modifiers refer to Chapter 18 of the ExtremeXOS Concepts Guide.
NOTE
Often an ACL policy will have a rule entry at the end of the ACL with no match
conditions. This entry will match any packets.
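To make the match-condition, operator and first-match rules concrete, here is an added Python example (not the switch's own ACL engine and not code from the guide) that parses entries written in the ExtremeXOS policy-file syntax, supports the <, <=, >, >= operators on port fields, and evaluates a packet against the entries in order. The policy text, entry names, counter name and packets are constructed samples; how a packet that matches no entry is treated is left to the caller.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# One "entry" block in ExtremeXOS policy-file syntax.
_ENTRY_RE = re.compile(
    r"entry\s+(?P<name>[\w-]+)\s*\{\s*if\s+match\s+(?P<mode>all|any)\s*\{(?P<conds>[^}]*)\}"
    r"\s*then\s*\{(?P<actions>[^}]*)\}\s*\}",
    re.S,
)
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b}
_NUMERIC_FIELDS = {"source-port", "destination-port"}
_ADDRESS_FIELDS = {"source-address", "destination-address"}


def parse_policy(text: str) -> List[Dict]:
    """Parse entries in order; each keeps its name, match mode, conditions and actions."""
    entries = []
    for m in _ENTRY_RE.finditer(text):
        conds = []
        for raw in m.group("conds").split(";"):
            parts = raw.split()
            if not parts:
                continue
            if len(parts) == 3 and parts[1] in _OPS:   # e.g. "source-port > 190"
                field, op, value = parts
            elif len(parts) == 2:                       # e.g. "protocol tcp"
                field, value = parts
                op = "=="
            else:
                raise ValueError(f"unparseable match condition: {raw.strip()!r}")
            if field in _NUMERIC_FIELDS:
                value = int(value)
            elif field in _ADDRESS_FIELDS:
                value = ipaddress.ip_network(value, strict=False)
            elif op != "==":
                raise ValueError(f"operator {op} not valid for {field}")
            conds.append((field, op, value))
        actions = [a.split() for a in m.group("actions").split(";") if a.strip()]
        entries.append({"name": m.group("name"), "mode": m.group("mode"),
                        "conditions": conds, "actions": actions})
    return entries


def _condition_matches(cond: Tuple, packet: Dict) -> bool:
    field, op, value = cond
    actual = packet.get(field)
    if actual is None:
        return False
    if field in _ADDRESS_FIELDS:
        return ipaddress.ip_address(actual) in value
    if op == "==":
        return actual == value
    return _OPS[op](actual, value)


def evaluate(entries: List[Dict], packet: Dict) -> Optional[Tuple[str, List[List[str]]]]:
    """First-match evaluation: (entry name, actions) of the first hit, or None."""
    for entry in entries:
        conds = entry["conditions"]
        combine = all if entry["mode"] == "all" else any
        if not conds or combine(_condition_matches(c, packet) for c in conds):
            return entry["name"], entry["actions"]
    return None


# Constructed sample policy: a Telnet block, a port-operator permit, and a catch-all deny.
SAMPLE_POLICY = """
entry denyTelnet {
    if match all {
        protocol tcp ;
        destination-port 23 ;
    } then {
        deny ;
        count telnetDrops ;
    }
}
entry highPorts {
    if match all {
        source-address 10.1.0.0/16 ;
        source-port > 190 ;
    } then {
        permit ;
    }
}
entry denyAll {
    if match all {
    } then {
        deny ;
    }
}
"""

ENTRIES = parse_policy(SAMPLE_POLICY)


def decide(packet: Dict) -> Optional[str]:
    """Name of the entry a packet hits, for quick checks."""
    hit = evaluate(ENTRIES, packet)
    return hit[0] if hit else None


if __name__ == "__main__":
    print(decide({"protocol": "tcp", "source-address": "10.1.5.9",
                  "source-port": 40000, "destination-port": 23}))  # denyTelnet
```

Evaluation stops at the first matching entry, and an entry with no conditions matches everything, so a trailing entry such as denyAll turns the policy into a default-deny list. A packet matching nothing returns None, which is the case the catch-all entry exists to remove.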
181-bit single key to be used with match conditions. A wide match key allows you to
add more match conditions to an ACL. It also allows matching on a full
destination-source IPv6 address. The platforms that support this feature can operate either in
wide mode or in the current single mode. An individual switch or module cannot be
NOTE
Wide key ACLs are supported only on the BlackDiamond 8000 c-, xl-, and xm-series
modules and Summit X460, X480, and X670 switches. When using wide key ACLs,
you can only install half as many rules into the internal ACL TCAM as you can when
in a standard mode.
A number of slices and rules are used by features present on the switch. You
consume these resources when the feature is enabled so the availability of
resources depends on the type and number of features and protocols that are
enabled on a switch. Below is a list of the most common features and their resource
For example, physical ports, dest IP, source IP and IP fragments are all compatible
and will require one slice. If an ACL requires the use of field selectors from two

As the layer 2 rules contained in the mac.pol policy file are not compatible with the
previous rules, as defined on the previous page, a new slice will be used.
Notice that slice 14 now contains 10 rules: the eight system rules in this
configuration, plus the two compatible IP rules. As there is a mixture of system
rules and user rules contained in the slice, the slice status now indicates
NOTE
Older BD8K and SummitX series switches do not use slices, but use another
method called masks. Although they operate in a similar way, masks are much less
flexible. To view the available mask usage, enter the show access-list usage
command specifying the acl-mask command option along with the relevant port
number. ACL mask operation for older BD8K and SummitX series switches is not
covered in this course material.
singly or as part of a port list, on the VLAN yellow, and on all ports in the switch (the
wildcard ACL). For all packets crossing this port, the port-based ACL has highest
precedence, followed by the VLAN-based ACL and then the wildcard ACL.
NOTE
ACLs applied to a VLAN are actually applied to all ports on the switch, without
regard to VLAN membership. The result is that resources are consumed per chip on
BlackDiamond 8000 a-, c-, e-, xl-, and xm-series modules and Summit family
switches.
The edit policy command spawns a VI-like editor to edit the named file. Edit operates
in one of two modes: command and input. When a file first opens, you are in the
command mode. To write in the file, use the keyboard arrow keys to position your
cursor within the file, then press one of the following keys to enter input mode:
To escape the input mode and return to the command mode, press the Escape key.
There are several commands that can be used from the command mode:
dd - To delete the current line
yy - To copy the current line
p - To paste the line copied
:w - To write (save) the file
:q - To quit the file if no changes were made
:q! - To forcefully quit the file without saving changes
:wq - To write and quit the file
Notice from the output of the show policy command that the policy has been applied
as an ACL and is bound once to the VLAN “data”.
The output from the show access-list command shows the actual VLAN the ACL is
bound to (notice that the ACL is bound to all ports as indicated by the asterisk “*”). It
also shows whether the policy is ingress or egress and how many rules are
Creating a dynamic ACL rule is similar to creating an ACL policy file rule entry. You
specify the name of the dynamic ACL rule, the match conditions, and the actions and

permanent. Permanent dynamic ACLs are stored in the running configuration and

configuration. They are therefore not listed by the show configuration command.
User-created access-list names are not case sensitive. The match conditions,
actions, and action modifiers are the same as those that are available for ACL policy
files. In contrast to the ACL policy file entries, dynamic ACLs are created directly in
the CLI.
More than one dynamic ACL can be applied to an interface, and the precedence
among the dynamic ACLs can be configured when adding the dynamic ACL via the
CLI. By default, the priority among dynamic ACLs is established by the order in
which they are configured.
NOTE
Dynamic ACLs have a higher precedence than ACLs applied using a policy file.
In the above example, the previous policy denyTelnet is still applied to the BD8K1
switch preventing users from accessing the switch’s CLI via Telnet. As dynamic
ACLs take precedence over static ACLs, it is useful to configure a dynamic ACL to

if match all {
    protocol tcp ;
    destination-port 23 ;
} then {
    permit ;
}
}
To configure a non-permanent dynamic ACL, enter the create access-list command
specifying the rule name, conditions and actions then add the non-permanent
command option. The above example can be configured as follows:
create access-list permitTelnet "protocol tcp; destination-port 23" permit non-permanent
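An added Python example (not the guide's code) of how the precedence rules above resolve when several ACLs apply to one packet: dynamic ACLs before policy-file ACLs, then among policy-file ACLs port-bound before VLAN-bound before wildcard, then configuration order. The match representation is a simple field-equality dict rather than the full policy syntax; the port name 1:1, the VLAN names and the priority handling for dynamic ACLs are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

SCOPE_RANK = {"port": 0, "vlan": 1, "wildcard": 2}  # port beats VLAN beats wildcard


@dataclass
class BoundAcl:
    name: str
    match: Dict[str, object]      # field -> required value; an empty dict matches everything
    action: str                   # "permit" or "deny"
    scope: str                    # "port", "vlan" or "wildcard"
    target: Optional[str] = None  # port or VLAN the ACL is bound to (None for wildcard)
    dynamic: bool = False
    priority: int = 0             # assumption: ordering among dynamic ACLs, lower first;
                                  # all-equal priorities fall back to configuration order


def applies_to(acl: BoundAcl, port: str, vlan: str) -> bool:
    return (acl.scope == "wildcard"
            or (acl.scope == "port" and acl.target == port)
            or (acl.scope == "vlan" and acl.target == vlan))


def lookup(acls: List[BoundAcl], packet: Dict[str, object], port: str, vlan: str) -> Optional[str]:
    """Return the action of the highest-precedence ACL that matches the packet, or None."""
    candidates = [(i, a) for i, a in enumerate(acls) if applies_to(a, port, vlan)]
    # Dynamic ACLs first (by priority, then configuration order), then policy-file
    # ACLs by binding scope, then configuration order.
    candidates.sort(key=lambda ia: (0, ia[1].priority, 0, ia[0]) if ia[1].dynamic
                    else (1, 0, SCOPE_RANK[ia[1].scope], ia[0]))
    for _, acl in candidates:
        if all(packet.get(k) == v for k, v in acl.match.items()):
            return acl.action
    return None


# Constructed state matching the example above: the denyTelnet policy bound to
# VLAN "data", then the dynamic permitTelnet added afterwards.
TELNET = {"protocol": "tcp", "destination-port": 23}
POLICY_ONLY = [BoundAcl("denyTelnet", TELNET, "deny", "vlan", "data")]
WITH_DYNAMIC = POLICY_ONLY + [BoundAcl("permitTelnet", TELNET, "permit", "vlan", "data", dynamic=True)]
TELNET_PKT = {"protocol": "tcp", "destination-port": 23}

if __name__ == "__main__":
    print(lookup(POLICY_ONLY, TELNET_PKT, "1:1", "data"))   # deny
    print(lookup(WITH_DYNAMIC, TELNET_PKT, "1:1", "data"))  # permit: dynamic ACL wins
```

The second call is the situation in the text: the policy still says deny, but the dynamic permitTelnet is consulted first, so Telnet to the switch is permitted again without editing or re-applying the policy file.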
To remove a dynamic ACL from a VLAN or port, enter the configure access-list
delete command specifying the dynamic rule to delete and the port or VLAN to which

Notice from the output of the show access-list command that VLAN data now
indicates that a dynamic ACL has been applied as well as the policy. However, the
dynamic ACL name is not shown in the output of this command. To do this enter the
There may be a number of system dynamic ACLs present depending on the switch
you are using and the software version you are running. System ACLs are designed
to facilitate the operation of some features and are beyond the scope of this course.
Filter action of ACL rules is to drop or forward routed packets on ingress only. They
do not apply to switched traffic where policy profiles will apply.
IP protocol
ICMP type
TCP/UDP source port
Equal to
Not equal to
Greater than
Less than
Range
DSCP code point
IP precedence
ToS value
The S/K-Series system allows a total of 5,000 access rules to be applied to Access
Control Lists (ACLs). Further, individual ACLs will support up to 999 access rules.

The valid access list numbers for standard ACLs are 1 to 99. For extended ACLs,

The ip access-list standard command enters the rule configuration command mode
for the specified standard ACL. Standard ACLs specify a source address.
There are two ways to identify an ACL: a number or a name. The use of a number is
for IPv4 ACLs only. Standard IPv4 ACL numbers range from 1 to 99. Names must
start with an alpha character. A name may be quoted, as the quotes are stripped, but
spaces are not supported in the quoted string. A name cannot be one of the show
access-lists keywords brief or applied, or any prefix thereof such as “br” or “app”.
Names can be up to 64 characters in length.
The ip access-list extended command enters the rule configuration command mode
for the specified extended access-list. Extended access-lists specify both a source
and destination address. Extended ACL numbers range from 100 to 199. The rules
for naming extended ACLs are identical to those for standard ACLs.
Use the permit command to create a permit access list rule entry.
Parameters
protocol-num Specifies an IPv4 protocol for which to permit access. Valid values are
source: Specifies the IPv4 address of the network or host from which the packet will be
sent.
source-wildcard: Specifies the bits to ignore in the source address.
destination: Specifies the IPv4 address of the network or host to which the packet will be
sent.
destination-wildcard: Specifies the bits to ignore in the destination address.
any: Specifies that any source or destination (extended access list only) address applies to
this rule entry.
host: ip-address Specifies a specific host address that will be applied to this rule entry
dscp: code (Optional) Specifies a DiffServe Code Point (DSCP) value to match against this
packet’s DSCP code.
precedence value (Optional): Specifies an IP Precedence value. Valid values are 0 - 7, or in
order from high to low: critical, flash, flash-override, immediate, internet, network, priority,
routine.
tos value (Optional): Specifies a Type of Service (ToS) value. Valid values are 0 - 15, or
max-reliability, max-throughput, min-delay, min-monetary-cost, normal.
log | log-verbose (Optional): Enables syslog or verbose syslog messaging for an ACL rule
hit.
You can also create permit rules that look at TCP, UDP, or ICMP information.
Specifying the tcp, udp, or icmp keywords will provide the extended parameter set
listed in the syntax for these keywords.
Parameters:
msg icmp-msg (Optional) Specifies a single ICMP message type by entering a
keyword. If the msg option is not specified for an ICMP rule, all ICMP message types
are permitted.
eq: Permits the specified source or destination port
gt: Permits source or destination ports greater than the value specified
lt: Permits source or destination ports less than the value specified
neq: Permits source or destination ports that are not equal to the value specified
range start-port end-port (Optional): Specifies a range of source or destination ports
permitted.
established (Optional): Specifies that only established TCP connections are
permitted. A match is made if ACK or RST bits are set.
The Deny command uses the same grammar as the permit command in all its
variations.
Access list logging is throttled to 1 log message per second. If there are multiple
access list rules with logging enabled (log or log-verbose), and more than one frame
is transmitted per second that can hit those rules, only the first frame will generate a
message. Logging is sampling and does not report every time that a rule with

protocol.

For example, in this graphic the normal path from the branch office to corporate
headquarters would pass across the high-bandwidth connections through the middle
of the network. However, the customer company is not willing to pay for that
connection, but opts for a lower-cost, slower connection to the network.
Policy-Based Routing allows the service provider to configure that customer’s traffic to pass
over lower speed links.
Protocol (RTP) and Real Time Control Protocol (RTCP) to encapsulate multimedia
streams and to monitor the delivery of the data. Other protocols such as OSPF, RIP2

and learn the existence of other routers or other multimedia conferences on the
network.
The IANA has reserved addresses within the range of 224.0.0.1 through to 224.0.0.255 for
use by network protocols within a local subnetwork. Packets with addresses in this range
are not forwarded by routers and are therefore used for routing protocols, topology
discovery, and maintenance protocols. Any router that receives a packet with one of these

The illustration shows a partial list of reserved link-local multicast addresses and the
network protocol or function to which they are assigned. There are more than 48 link-local
reserved multicast addresses assigned, as well as additional reserved addresses such
as those for Source Specific Multicast and Internetwork Control Block addresses.
For the current complete list of link-local reserved addresses, visit the following URL:
http://www.iana.org/assignments/multicast-addresses
Administratively Scoped Addresses
IANA has reserved the address range of 239.0.0.0 to 239.255.255.255 as administratively
scoped addresses for use in private multicast domains. Addresses in this range have a
similar function to reserved unicast addresses such as 10.0.0.0 as defined in RFC 1918.
Addresses in this range are not assigned to any other group and can be used inside a
domain without conflicting with other addresses on the Internet. For more information on
administratively scoped addresses see RFC 2365.
When an IP multicast address is mapped to a MAC address, only the last 23 bits are
used. The IP multicast address has 28 unique bits. Since only 23 of these can be
mapped to a MAC address, this leaves 5 bits of address information that are lost. This
results in a certain amount of address ambiguity. Five bits allows for 32 different
combinations, so for every multicast MAC address there are 32 possible IP group
addresses.
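The 23-bit mapping, as an added Python example (not from the guide): it derives the multicast MAC for a group, lists the 32 groups that share it, and checks whether two groups collide. The group 225.1.1.1 is the one used later in this guide; the other addresses are constructed.

```python
import ipaddress
from typing import List

# 01:00:5e:00:00:00 with the following bit fixed at 0; the low 23 bits carry the group.
MCAST_OUI_PREFIX = 0x01005E000000


def multicast_ip_to_mac(ip: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC: 01:00:5e + low 23 bits of the group."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not a multicast address")
    mac = MCAST_OUI_PREFIX | (int(addr) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def groups_sharing_mac(mac: str) -> List[str]:
    """All 32 IPv4 groups that map to one multicast MAC (the 5 dropped bits vary)."""
    raw = int(mac.replace(":", ""), 16)
    if raw >> 23 != MCAST_OUI_PREFIX >> 23:
        raise ValueError(f"{mac} is not an IPv4 multicast MAC")
    low23 = raw & 0x7FFFFF
    # 1110 prefix (224-239), then the 5 ambiguous bits, then the 23 preserved bits.
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23)) for hi in range(32)]


def collides(group_a: str, group_b: str) -> bool:
    """True when two different groups share a MAC, and so share any Layer 2 filter."""
    return group_a != group_b and multicast_ip_to_mac(group_a) == multicast_ip_to_mac(group_b)


if __name__ == "__main__":
    print(multicast_ip_to_mac("225.1.1.1"))       # 01:00:5e:01:01:01
    print(groups_sharing_mac("01:00:5e:01:01:01"))
    print(collides("224.0.0.1", "225.0.0.1"))     # True
```

The last call shows the practical consequence: the reserved all-hosts group 224.0.0.1 shares its MAC with 225.0.0.1, so a switch filtering only on destination MAC cannot tell them apart. That is one reason IGMP snooping filter policies keep user groups out of the 224.0.0.x/24 control range.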
Why only 23 bits? The story is that when Steve Deering was finishing up his
multicasting research, he wanted to purchase 16 consecutive OUIs from the IEEE to
use as IP multicast MAC addresses. Since each OUI provides 24 manageable bits,
having 16 consecutive OUIs would have provided a full 28 bits of MAC address
space, and would have permitted a one-to-one mapping of IP multicast addresses to
MAC multicast addresses. However, OUIs cost $1000 each at the time, and
Deering’s manager, Jon Postel, was only willing to purchase a single OUI.
Additionally, Postel divided the OUI between Deering and another researcher, so
Steve ended up with only 23 bits to use in his research.
The goal of IP multicast is to deliver traffic to a specific subset of all the devices on
your network. That said, how do you tell your switches which devices on your

The Internet Group Management Protocol (IGMP) is a layer-2 protocol that runs
between hosts and their immediately neighboring multicast routers.
Routers implement IGMP to allow hosts to signal to the network their desire to
receive multicast traffic for a specific group. This enables the routers to learn about

multicast group increases in size, it becomes ever more likely that a new group
member is able to locate a nearby branch of the multicast distribution tree.
The Internet Group Management Protocol (IGMP) is used between IP hosts and
their local network to support the creation of transient multicast membership groups,
the addition and deletion of members of a group, and the periodic confirmation of
group membership.
A Server has no direct IGMP involvement, as it does not receive a multicast stream
and only sends a multicast stream.
IGMP relies on a query and response process. A router on the subnet, called the
“Querier Router”, sends out a query message asking, “Does anyone on this subnet
want a multicast stream?” Hosts that want a multicast stream send a response.
IGMP query messages are addressed to the all-hosts group address (224.0.0.1) and
have a Time to Live (TTL) value of 1. The router periodically multicasts an IGMP
membership query to the “all hosts” multicast group, on the local subnetwork. All
hosts that support IGMP are automatically members of the all hosts group and
accept packets addressed to the all hosts group.
The default query interval is 60 seconds.
Version 1 of IGMP uses two message types: Membership Queries and Membership
Reports. Querying Routers use Membership Query messages to ask for hosts that
want to receive multicast streams. Hosts use Membership Reports to tell the Querier

Querier Election
In a multi-access network there may be more than one router that is IGMP enabled.
Only one multicast querier (router) can exist for each LAN at a time. So, there needs

IGMP v1 does not have an election mechanism and relies on the routing protocol to
select a designated router.
IGMP v2 uses a General Query message on start-up. When routers receive the
General Query messages they compare the source IP address with their own. The
router with the lowest IP address is elected the IGMP querier. General query
messages are sent to the all-routers multicast group using address 224.0.0.2.
All hosts receive the membership query and one or more hosts, host 2 in our
example, respond by multicasting an IGMP Membership Report to the multicast
group of which the host is a member (225.1.1.1). This report tells the router on the
subnetwork that a host is interested in receiving multicast traffic for group 225.1.1.1.
The host responds within the configured Host Response Interval. The default
response interval is 10 seconds.
The multicast router promiscuously accepts all possible multicast addresses, updating
its IGMP multicast group table with each new update.
After a multicast router knows what multicast groups that its leaf subnetworks
require, it then uses a multicast routing protocol to communicate with other routers to
ensure that the correct multicast group traffic is delivered from the source.
Routers maintain an IGMP multicast group table for each interface.
In a shared network environment, the IGMP membership report that was previously
multicast by one host is received by the other hosts.
Host 1 then suppresses the sending of its report for group 255.1.1.1 because host 2
has already informed the routers on that subnetwork that there is at least one host

When a host receives a query message, it responds with a Host Membership Report
for each host group to which it belongs. To avoid a flurry of reports, each host starts
a randomly chosen report delay timer for each of its group memberships. If, during
the delay period, another report is received for the same group, the local host resets
its timer to a new random value. If another report is not received, the host transmits
a report to the reported group address, causing all other members of the group to
reset their report message timers. This procedure guarantees that reports are
spread out over a period of time and that report traffic is minimized for each group
with at least one member on the subnetwork.
The mechanism described here is that of a shared network. In a switched Ethernet
environment not all hosts receive each other's responses.
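The report-suppression procedure above, simulated as an added Python example (not code from the guide): each (host, group) membership picks a random delay, the first timer to fire sends the report, and on a shared segment the other members of that group cancel theirs (RFC 1112 suppression, where a heard report cancels the timer rather than restarting it). On a switched segment the reports are not seen by the other hosts, so every membership reports. The host names, the group 239.10.0.5 and the seed are constructed; 225.1.1.1 is the guide's group.

```python
import random
from typing import Dict, List, Set, Tuple

Report = Tuple[float, str, str]  # (send time in seconds, host, group)


def simulate_query_round(memberships: Dict[str, Set[str]], max_response_time: float = 10.0,
                         shared_segment: bool = True, seed: int = 1) -> List[Report]:
    """Simulate one Membership Query round.

    Every (host, group) membership starts a random delay timer in
    [0, max_response_time). The membership whose timer fires first sends a
    report; on a shared segment every other member of that group hears it and
    cancels its own timer. On a switched segment nobody hears anybody else's
    report, so no suppression happens.
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    timers = {(host, group): rng.uniform(0, max_response_time)
              for host, groups in memberships.items() for group in sorted(groups)}
    answered_groups: Set[str] = set()
    reports: List[Report] = []
    for (host, group), t in sorted(timers.items(), key=lambda kv: kv[1]):
        if shared_segment and group in answered_groups:
            continue  # timer cancelled: another member already reported this group
        reports.append((round(t, 3), host, group))
        answered_groups.add(group)
    return reports


def reports_per_group(reports: List[Report]) -> Dict[str, int]:
    """How many reports the querier actually received for each group."""
    counts: Dict[str, int] = {}
    for _, _, group in reports:
        counts[group] = counts.get(group, 0) + 1
    return counts


# Constructed sample: three hosts, two groups, including the guide's group 225.1.1.1.
MEMBERSHIPS = {
    "host1": {"225.1.1.1", "239.10.0.5"},
    "host2": {"225.1.1.1"},
    "host3": {"225.1.1.1", "239.10.0.5"},
}

if __name__ == "__main__":
    print(reports_per_group(simulate_query_round(MEMBERSHIPS)))                        # 1 per group
    print(reports_per_group(simulate_query_round(MEMBERSHIPS, shared_segment=False)))  # 1 per membership
```

The querier learns the same thing in both cases (which groups have at least one member on the segment); what changes is the report count, which is why a switched segment without snooping sees more IGMP traffic than the shared-medium description suggests.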
process and network interface card to receive frames addressed to the multicast
group.
A new host does not have to wait for a router's membership query before sending its
host membership report. This reduces join latency if it is the first to join a particular

In IGMPv2, the Version and Type fields are merged. The values of the Type field
have been specified in such a manner as to allow for backwards compatibility with
IGMPv1 deployments.
The Group Address field now supports two forms of Membership Queries:
IGMP version 2 supports a Leave Group Message that hosts send to all routers on
that subnetwork when they leave the group. The host leaving a group sends a Leave

message it does not know if there are other group members on the same interface.
Therefore, another message type is supported in IGMP version 2, the Group-Specific
Query. This message allows a router to determine if there are any other
remaining group members on the same interface.
The Querier Router sends a Group-specific query to the group and expects a
response within the last member query interval. If no response is received within the
last member query interval, the router assumes that there are no remaining local
group members.
The addition of the leave group and group-specific IGMP version 2 messages,
coupled with the maximum response time field, permits IGMPv2 to reduce the leave
latency to only a few seconds.
In XOS, use the configure igmp command with the query_interval parameter to
change the time period that the router sends a general query from the default of 125

query response time (in seconds). The example on the slide sets the query interval
to 60, and accepts the defaults for query response interval and last member query
interval.
In EOS, you configure all your igmp parameters with the set igmp config
command. Choose the parameters you wish to modify and specify their values. The
example on the slide sets the query interval to 60 seconds on all VLANs.
IGMPv3 supports the standard Membership Query report and adds the Version 3
Membership Report. IGMPv3 Membership Reports are sent to destination address
of 224.0.0.22.
Membership Queries are sent by IP multicast routers to query the multicast reception

IGMPv3 adds support for source filtering which is the ability for a system to report
interest in receiving packets only from specific source addresses, or from all but
specific source addresses, sent to a particular multicast address. This information
can be used by multicast routing protocols to avoid delivering multicast packets from
specific sources to networks where there are no interested receivers.
General Query, both the Group Address field and the Number of Sources (N) field
are zero.
In a Group-Specific Query, the Group Address field contains the multicast address of
interest, and the Number of Sources (N) field contains zero.
IGMP builds a multicast source tree for each IGMP router in a layer 2 network.
IGMP Snooping builds a multicast source tree for a local switch. It is the ability of a
switch to interpret IGMP messages sent by hosts and then to restrict the forwarding
of the multicast packets to only those ports (member ports) on which IGMP
messages have been received without forwarding the multicast traffic to the
non-member ports. If IGMP snooping is disabled, all multicast packets will be flooded to
IGMP snooping filters allow you to configure a policy file on a port to allow or deny
IGMP report and leave packets coming into the port. The IGMP snooping filter

For the policies used as IGMP snooping filters, all the entries should be IP address
type entries, and the IP address of each entry must be in the class-D multicast
address space but should not be in the multicast control subnet range (224.0.0.x/24).
After you create a policy file, use the configure igmp snooping command to
associate the policy file and filter to a set of ports. Use the none option to remove
the filter.
When you configure an IGMP input filter, IGMP will check all incoming packets
received from the range of IP addresses specified in the filter’s rules. The protocol
action and flow action occur when an incoming packet matches an IP address range.
If an incoming packet matches a rule’s address range, the other rules in the filter are
not checked.
To activate the filter, you must assign the filter to a VLAN and enable the filter.
rule-id: The ID of a rule associated with the input filter. The rule ID sets the order in
which multiple rules check incoming packets. You can create up to eight rules for
each input filter. Each rule must have a unique ID. Possible values are 1–8.
PIM Snooping
PIM snooping enables routers connected to a L2 switch to forward multicast streams

traffic in order for the multicast streams to be propagated because IGMP snooping

traffic only onto ports which routers advertise the PIM join requests. The application
for this feature is for connecting PIM Autonomous Systems usually within an Internet
Exchange’s ISP peering network. PIM snooping does not require PIM to be enabled.
A discussion on PIM snooping is beyond the scope of this course.

(10.1.10.102, 225.0.0.1)
● (*,G) indicates any source and a specific group combination, e.g. (*, 225.0.0.1)
PIM relies on IGMP technology to determine group memberships and uses existing
unicast routes to perform reverse path forwarding (RPF) checks. RPF is, essentially,
a method that uses the unicast routing table created by IP protocols such as OSPF,
to determine the source address of a packet. PIM uses RPF to set up distribution

underlying routing protocol to perform reverse path forwarding (RPF) checks. It can
perform this function using protocol-specific routes from OSPF, RIP, static config.

essentially, a route lookup on the source. Its routing engine then returns the best
interface, regardless of how the routing table is constructed. In this sense, PIM is

of route type.
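An RPF check as an added Python example (not from the guide or from any vendor's code): a longest-prefix-match unicast RIB built from routes tagged with the protocol that installed them, and a check that accepts an (S,G) packet only when it arrived on the interface the RIB uses toward S. The RIB contents and interface names are constructed; 10.1.10.102 is the source from the (S,G) example above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str   # interface the unicast RIB would use to reach this prefix
    protocol: str    # "ospf", "rip", "static", ...; PIM does not care which


class UnicastRib:
    """Longest-prefix-match table built from whatever protocols populated it."""

    def __init__(self, routes: List[Tuple[str, str, str]]) -> None:
        self.routes = [Route(ipaddress.ip_network(p, strict=False), iface, proto)
                       for p, iface, proto in routes]

    def lookup(self, ip: str) -> Optional[Route]:
        addr = ipaddress.ip_address(ip)
        best = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


def rpf_check(rib: UnicastRib, source_ip: str, arrival_interface: str) -> Tuple[bool, Optional[Route]]:
    """Accept an (S,G) packet only if it arrived on the interface the RIB uses toward S.

    Returns (passed, route used); a source with no route at all fails the check.
    """
    route = rib.lookup(source_ip)
    if route is None:
        return False, None
    return route.interface == arrival_interface, route


# Constructed RIB mixing route sources, with the guide's source 10.1.10.102.
RIB = UnicastRib([
    ("0.0.0.0/0",    "eth0", "rip"),
    ("10.1.0.0/16",  "eth1", "ospf"),
    ("10.1.10.0/24", "eth2", "static"),
])

if __name__ == "__main__":
    print(rpf_check(RIB, "10.1.10.102", "eth2"))  # passes via the static /24
    print(rpf_check(RIB, "10.1.10.102", "eth1"))  # fails: the OSPF /16 is not the best route
```

The protocol tag is carried only to show that it plays no part in the decision: the static /24 wins over the OSPF /16 by prefix length alone, which is the protocol independence the text describes. A failed check drops the packet, and that is what keeps a stream arriving on an unexpected interface from looping or from being accepted as if it really came from S.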
specific router in the PIM domain. Source devices have to register with the
rendezvous point by forwarding a join message. Initially, the source device may not
know which router is the rendezvous point so a join message is used. The multicast
source initiates an IGMP join message. The Designated Router (DR) on the segment
will forward the join message onto the RP router. The RP router will respond building
a path (tree) between the DR and itself.
Note: Within PIM-SM a Designated Router (DR) is a router that performs the
function of forwarding multicast traffic from a unicast source to the appropriate

Designated Router (DR), and should not be interpreted as being the same.
Note: All traffic from the source device must be forwarded to the RP router.
Once the RP router receives the multicast traffic, it will then forward traffic to the
receivers. This may cause some delay with multicast packets reaching their final
destination since all packets must first go through the rendezvous point.
PIM-SM operates on an explicit join model. PIM-SM routers only send multicast
streams to hosts that explicitly request it.
When a host wants a multicast stream, it sends an IGMP Join message with the
(*,G) information to its Querier Router. The router adds the interface on which it
receives the Join to the outgoing interface list in its multicast routing table, and
forwards the Join to the Rendezvous Point.
The Rendezvous Point processes the Join, and adds the interface upon which the
Join arrived to outgoing interfaces for this group in its multicast routing table.
If the Rendezvous Point is currently part of the Shortest Path Tree (SPT) for this
multicast group and thus is currently receiving the multicast stream, it immediately
begins to forward the stream out that interface. If the RP is not currently receiving
the multicast stream, the Join process ends here. Note that it is possible for the two
routers involved to have interfaces that are outgoing interfaces for the multicast
group, without having multicast actually flowing.
At this point, the multicast source begins sending multicast packets to the
Designated Router for its network.
The Designated Router encapsulates the multicast packet in a Register (S,G) packet
and unicasts it to the Rendezvous Point. It continues to do so until it receives a Join

The Rendezvous Point sends a Join, (S,G) message to the Designated router to
begin receiving the multicast stream as multicast, and immediately begins to forward
the stream out all of its outgoing interfaces for that group. Each of the receiving
routers also begins immediately to forward the multicast stream out all of their

The Designated Router receives the Join (S,G) from the Rendezvous Point, and
begins forwarding the multicast stream as multicast to the RP.
The Rendezvous Point also sends a Register Stop (S,G) message to the first hop
router to tell it to stop sending Register messages with the encapsulated multicast
packets.
In the meantime, as soon as Router E, the Last Hop Router for Host A, receives the
multicast stream, it looks up the IP network for the Source in the (S,G) stream it is
receiving, to see if there is a shorter path back through the network to that source –
i.e., a path that is faster than going through the Rendezvous Point.
message to Router B, to receive the multicast stream along the shortest path
Router B adds its connection to Router E to the outgoing interfaces list for this
multicast stream, and begins replicating the multicast packets and forwarding them
to Router E.
As soon as Router E begins receiving the multicast stream directly, it sends a Prune
(S,G) message up the shared tree to the Rendezvous Point.
The Rendezvous point removes the interface from its outgoing interface list for that
group, and stops forwarding the multicast traffic.
In addition, the Rendezvous Point no longer has any active outgoing interfaces for
this multicast group, so it sends a Prune (S,G) message back up the Shared Path
Router B prunes the stream to the Rendezvous point, and the Join process is
complete.
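The join, forward and prune steps walked through above, as an added Python model that is not part of the student guide: a PIM-SM router's per-entry outgoing interface list (OIL), with interface names such as to_E and to_B and the addresses constructed for illustration. It shows the two points the narrative makes, that an interface can be in the OIL before any stream flows, and that an OIL going empty is what sends the Prune upstream.

```python
from dataclasses import dataclass, field

@dataclass
class MrouteEntry:
    """One (*,G) or (S,G) entry; source "*" marks a shared-tree entry."""
    source: str
    group: str
    iif: str                               # RPF interface toward the RP or source
    oil: set = field(default_factory=set)  # outgoing interface list
    receiving: bool = False                # is the stream actually arriving on iif?

class PimRouter:
    def __init__(self, name, is_rp=False):
        self.name = name
        self.is_rp = is_rp
        self.table = {}      # (source, group) -> MrouteEntry
        self.upstream = []   # Join/Prune messages sent toward the RPF neighbor

    def entry(self, source, group, iif):
        return self.table.setdefault((source, group), MrouteEntry(source, group, iif))

    def receive_join(self, source, group, on_iface, iif):
        """A Join arriving on on_iface joins the OIL and is passed toward the root
        (the RP has no upstream for (*,G)). Returns whether traffic flows at once."""
        e = self.entry(source, group, iif)
        e.oil.add(on_iface)
        if not (self.is_rp and source == "*"):
            self.upstream.append(("Join", source, group))
        # The interface can sit in the OIL with no multicast flowing yet.
        return e.receiving

    def join_source(self, source, group, iif):
        """RP action on a Register for (S,G): build the (S,G) entry, inherit the
        shared-tree receivers and send a Join (S,G) toward the source's DR."""
        e = self.entry(source, group, iif)
        shared = self.table.get(("*", group))
        if shared:
            e.oil |= shared.oil
        self.upstream.append(("Join", source, group))
        return e

    def stream_arrives(self, source, group):
        """Native (S,G) traffic now reaches iif; replication starts immediately."""
        self.table[(source, group)].receiving = True
        return self.forward(source, group)

    def forward(self, source, group):
        """Interfaces the stream is replicated to right now (empty if not receiving)."""
        e = self.table.get((source, group))
        return set(e.oil) if e and e.receiving else set()

    def receive_prune(self, source, group, on_iface):
        """Drop on_iface from the OIL; an emptied OIL sends a Prune upstream (True)."""
        e = self.table[(source, group)]
        e.oil.discard(on_iface)
        if e.oil:
            return False
        self.upstream.append(("Prune", source, group))
        return True
```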
PIM-SM routers are organized into domains. A domain is defined as a contiguous set
of routers that all implement PIM and are configured to operate within a common
boundary.
The Bootstrap Router (BSR) distributes Rendezvous Point information to the other
PIM-SM routers within the domain. Each PIM-SM domain has one active BSR. You
can configure multiple routers as candidate BSRs for redundancy.
PIM-SM routers learn the addresses of Rendezvous Points and the groups for which
they are responsible from messages that the BSR sends to each of the routers.
Rendezvous Point (RP): A router elected as a rendezvous point for a multicast group
receives requested multicast traffic from a DR and forwards it toward the multicast
Designated Router (DR): A router performing this function forwards multicast traffic
SM domain informed of the currently assigned RP for each multicast group currently
known in the domain.
Static Rendezvous Point (Static-RP): Traffic is forwarded in the same way, but all
routers within the domain are manually configured with RP address information.
PIM Domain: A contiguous set of routers that implement PIM and are configured to
operate within a common boundary.
Shortest Path Tree (SPT): The shortest path from the source DR through any
intermediate PIM-SM routers leading to the leaf router for the multicast receiver
requesting the traffic for a particular multicast group.
Reverse Path Forwarding (RPF): PIM-SM uses the unicast routing table created by
IP protocols such as RIP and OSPF to determine the source address of a packet.
PIM uses RPF to set up a shared tree for multicast traffic.
Hello – These messages announce the sender’s presence to other PIM‐SM devices.
Note: you must use two separate commands to configure the groups for which this
interface is a Candidate Rendezvous Point and the priority this interface has for
As shown in this graphic, the mroute table displays the multicast source and group
address, incoming interface, RPF neighbor, outgoing interface, whether interface is
The PIM ECMP feature allows downstream PIM routers to choose among multiple ECMP
paths to the source via a hash, without affecting the existing unicast routing algorithm.
This feature operates on a per (S,G) basis, splitting the load onto available equal-cost
paths by hashing according to the selection criteria configured by the user. It does
not operate by counting the flows. Load splitting need not balance the traffic on the
available paths. PIM ECMP load splitting uses a hash algorithm based on the
selected criteria to pick the path to use, and will result in load-sharing the traffic
when there are many multicast streams that utilize approximately the same amount
of bandwidth.
By default, PIM chooses the first entry in the routing table when it calculates its
Shortest Path Tree. Consider the situation in this network. Our receiver is attached
to the Last-Hop router, which has learned three equal-cost paths to Source A through
OSPF. In this case the Last-Hop Router learned about Source A from Router 2 first,
so Router 2 is the first entry in the routing table. PIM by default will always choose
to go through Router 2 to create its SPT back to Source A.
XOS:
When you enable PIM ECMP load splitting based on source address, the RPF interface for
each (*, G) or (S,G) state is selected among the equal cost paths based on the hash derived
When you enable PIM ECMP load splitting based on group address, the RPF interface for
each (*, G) or (S,G) state is selected based on the hash derived from the group address.
When you enable PIM ECMP load splitting based on source-group address, the RPF
interface for each (*, G) or (S,G) state is selected among the equal cost paths based on the
hash derived from the source and group addresses.
When you enable PIM ECMP load splitting based on source-group-next hop address, the
RPF interface for each (*, G) or (S,G) state is selected among the equal cost paths based on
the hash derived from the source, group and next hop addresses.
EOS:
Multipath provides the ability to define the mechanism by which PIM chooses the nexthop.
By default, PIM uses the first learned next hop. You can change multipath to use the highest
next hop or a next hop based on a hash of the source IP address.
For a deterministic next hop, the highest-nexthop algorithm chooses the numerically highest
next hop. The hash algorithm will attempt to spread multicast over all possible next hops.
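The RPF next-hop selection described for XOS and EOS, as an added Python illustration that is not Extreme's code: the default first-entry behaviour beside the source, group, source-group and source-group-next-hop hash modes. The hash function (CRC32) is an assumption, since the guide does not specify one, and the next-hop, source and group addresses are constructed.

```python
import ipaddress
import zlib

HASH_MODES = ("source", "group", "source-group", "source-group-next-hop")


def _packed(ip):
    return ipaddress.ip_address(ip).packed


def select_rpf(paths, source, group, mode=None):
    """Return the RPF next hop for (source, group) among equal-cost paths.

    paths: next-hop addresses in routing-table order (first learned first).
    mode None is the default behaviour: always the first entry, no hashing.
    The hash itself (CRC32, assumed here) is not the vendor's algorithm.
    """
    if not paths:
        raise ValueError("no route to source")
    if mode is None:
        return paths[0]
    if mode not in HASH_MODES:
        raise ValueError(f"unknown hash mode: {mode}")
    if mode == "source-group-next-hop":
        # Score every candidate with (S, G, next hop) and keep the best score.
        # Because each path is scored independently, losing one path only moves
        # the (S,G) states that were using it; the others keep their RPF choice.
        key = _packed(source) + _packed(group)
        return max(paths, key=lambda nh: zlib.crc32(key + _packed(nh)))
    parts = []
    if "source" in mode:
        parts.append(_packed(source))
    if "group" in mode:
        parts.append(_packed(group))
    return paths[zlib.crc32(b"".join(parts)) % len(parts and paths)]


def split_count(paths, flows, mode=None):
    """How many (S,G) states land on each next hop under a given mode."""
    counts = {p: 0 for p in paths}
    for source, group in flows:
        counts[select_rpf(paths, source, group, mode)] += 1
    return counts
```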
You can configure PIM-SM to continue to forward existing multicast packet streams
during a routing process failure and restart. For example, say that your Rendezvous
Point router fails. PIM Graceful lets your multicast streams continue until your
PIM Graceful tells the router to delay advertising the absence of a peer for a “grace
PIM-SSM only builds source-based shortest path trees. Where PIM-SM always joins
a shared tree first and then switches to the source tree, SSM eliminates the need for
starting with a shared tree by immediately joining a source through the shortest path
tree. This behavior means that PIM-SSM does not require an RP or BSR. Members
of an SSM group can only receive from a single source. This is ideal for applications
like TV channel distribution, and for certain banking and trade applications, but rules
out SSM for applications such as multicast VoIP teleconferencing.
The Internet Assigned Numbers Authority (IANA) has reserved addresses for PIM-SSM
in the 232.0.0.0/8 range for IPv4 and in the ff3x:0000/32 range, where (x =
4,5,8, or E), for IPv6. SSM recognizes packets in this range and controls the
behavior of multicast routing devices and hosts that use one of these addresses. In
PIM-SSM, an IP datagram is transmitted by a source S to an SSM destination
address G, and receivers can receive this datagram by subscribing to channel (S,G).
A channel is a source-group (S,G) pair where S is the source sending to the
multicast group and G is an SSM group address. SSM defines channels on a
per-source basis. In SSM, each channel is associated with one and only one source.
In a mixed PIM-SM and PIM-SSM configuration you configure the RP and BSR only
for the PIM-SM group address range. PIM-SSM does not use Rendezvous Points
Enable IGMPv3 on all PIM-SSM interfaces and enable IGMP querying on the
PIM-SSM receiver interface. PIM-SSM requires IGMPv3 and/or MLDv2 at the edge
of the network to process the source-specific IGMP and MLD joins.
Provides the ideal mechanism for multicasts that originate from a single source and
go to multiple receivers
Does not require unique multicast addresses; it depends upon the receiver request
PIM-SM and PIM-SSM can coexist on a single router and are both implemented
using the PIM-SM protocol.
Extreme PIM-SSM enabled devices use the following PIM-SM message types:
End-hosts on a LAN segment are typically configured to send packets through the
gateway defined by a default route (or static routes) for remote destinations. Loss of
the default router results in a catastrophic event, isolating all end-hosts that are
unable to detect any alternate path that may be available. The Virtual Router
The advantage gained from using VRRP is a higher availability default path that
does not require routing or router discovery protocols on end-hosts.
Load sharing can also be implemented by configuring multiple VRRP routers across
multiple IP routers, each IP router being the master of a different virtual router.
Before we go any further, let’s get familiar with the terminology defined in RFC 3768:
Virtual Router - An abstract object managed by VRRP that acts as a default router for hosts on a
shared LAN. A VRRP router may participate in one or more virtual routers.
VRID – Uniqueness is required on a LAN segment only
IP Address Owner - The VRRP router that has the VR’s IP address(es) also as the real interface
address(es). This is the router that, when up, will be the master of the virtual router instance and
will respond to packets addressed to these IP addresses for ICMP pings, TCP connections, etc.
Virtual Router Master - The VRRP router that assumes the responsibility of forwarding packets
sent to the IP address(es) associated with the virtual router, and answering ARP requests for
these IP addresses.
Virtual Router Backup - The set of VRRP routers available to assume forwarding responsibility
for a virtual router should the current Master fail.
If the virtual router IP address is the same as the interface (VLAN) address owned by a VRRP
router, then the router owning the address becomes the master. The master sends an
advertisement to all other VRRP routers declaring its status, and assumes responsibility for
forwarding packets associated with its virtual router ID (VRID). If the virtual router IP address is
not owned by any of the VRRP routers, then the routers compare their priorities and the higher-
priority owner becomes the master. If priority values are the same, then the VRRP router with
the higher IP address is selected as the master.
The VRRP protocol design provides rapid transition from Backup to Master to
minimize service interruption, and incorporates optimizations that reduce protocol
scenarios.
All protocol messaging is performed using IP multicast datagrams, thus the protocol
can operate over a variety of multiaccess LAN technologies supporting IP multicast.
Each VRRP virtual router has a single well-known MAC address allocated to it. The
virtual router MAC address is used as the source in all periodic VRRP messages
sent by the Master router to enable bridge learning in an extended LAN.
Master_Down_Timer - The amount of time that a Backup router will wait before it
becomes the new Master. Therefore, the higher the priority, the faster a Backup
router will detect that the Master is down.
The virtual router MAC address associated with a virtual router is an IEEE 802 MAC
Address in the following format:
00-00-5E-00-01-{VRID} (in hex in internet standard bit-order)
The first 3 octets are derived from the IANA's OUI. The next 2 octets indicate
the address block assigned to the VRRP protocol. {VRID} is the VRRP Virtual
Router Identifier.
The decision tree for which router becomes the master router is as follows:
• Address Owner: if one of the routers participating in the VRRP instance is the IP
• Priority: if there is no address owner, the router with the highest advertised priority
ICMP Echo
The VRRP RFC specifies that a VR master that is not the IP address owner should
ICMP Redirects
When a default router finds that another router on the same LAN (whose IP address is
also on the same subnet) provides a better first hop in the path to a destination, it
sends an ICMP Redirect message to the host to indicate that future packets to that
group of routers. This allows VRRP to be used in environments where the topology
is not symmetric.
The IP source address of an ICMP redirect should be the address the end host used
when making its next hop routing decision. If a VRRP router is acting as Master for
virtual router(s) containing addresses it does not own, then it must determine which
virtual router the packet was sent to when selecting the redirect source address.
One method to deduce the virtual router used is to examine the destination MAC
address in the packet that triggered the redirect.
It may be useful to disable Redirects for specific cases where VRRP is being used to
load share traffic between a number of routers in a symmetric topology.
When a host sends an ARP request for one of the VR IP addresses, the master VR
The backup VR must not respond to the ARP request for one of the VR IP
addresses.
If the master VR is the IP address owner, when a host sends an ARP request for this
address, the master VR must respond with the virtual MAC address, not the real
physical MAC address.
For other IP addresses, the VRRP router must respond with the real physical MAC
address, regardless of master or backup.
Gratuitous ARP - behaves in the following manner on a VRRP router:
Each VR sends gratuitous ARP when it becomes the master with virtual IP and MAC
addresses. One gratuitous ARP is issued per VR IP address.
To make the switch learn the correct VR MAC address, the VR master sends
gratuitous ARP for every virtual IP address in the corresponding VR every 10
seconds.
Proxy ARP
If used, the VRRP master router must bind the virtual MAC address to remote IP
destination addresses in proxy ARP replies.
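The master election decision tree, the 00-00-5E-00-01-{VRID} virtual MAC format, the Master_Down_Timer behaviour and the ARP reply rules above, as one added Python example that is not part of the guide. The skew formula in master_down_interval is taken from RFC 3768 rather than from this page, and the router names, addresses and MACs are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class VrrpRouter:
    name: str
    interface_ip: str   # the router's real address on the VLAN
    real_mac: str
    priority: int       # 1..254 for backups


def virtual_mac(vrid):
    """IANA block 00-00-5E-00-01-{VRID}; VRID is one octet, 1..255."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00-00-5E-00-01-{vrid:02X}"


def elect_master(routers, vr_ip):
    """Decision tree from the guide: the IP address owner wins outright; otherwise
    the highest priority, and on a tie the higher interface IP address."""
    for r in routers:
        if r.interface_ip == vr_ip:
            return r
    return max(routers, key=lambda r: (r.priority, ipaddress.ip_address(r.interface_ip)))


def master_down_interval(priority, adv_interval=1.0):
    """Seconds a Backup waits before taking over (RFC 3768 formula, not stated on
    the page): 3 advertisement intervals plus a skew of (256 - priority)/256, so a
    higher priority detects a dead Master sooner."""
    return 3 * adv_interval + (256 - priority) / 256


def arp_reply(router, master, vrid, vr_ip, target_ip):
    """MAC a VRRP router answers with for an ARP request, or None to stay silent."""
    if target_ip == vr_ip:
        # Only the Master answers for the VR address, always with the virtual
        # MAC, even when it is the IP address owner; a Backup must not reply.
        return virtual_mac(vrid) if router is master else None
    if target_ip == router.interface_ip:
        # Its own real address gets the physical MAC, whatever its VRRP role.
        return router.real_mac
    return None


def gratuitous_arps(vrid, vr_ips):
    """Announcements a new Master issues: one per VR IP, carrying the virtual MAC."""
    return [(ip, virtual_mac(vrid)) for ip in vr_ips]
```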
Authentication can help to guarantee that routing information is imported only from trusted
routers. A variety of authentication schemes can be used, but a single scheme must be
configured for each network. The use of different schemes enables some interfaces to use
The two authentication schemes available are simple, and MD5. The authentication
command specifies the type of authentication and key values used in VRRP. Authentication
is used by VRRP to generate and verify the authentication field in the VRRP header.
vrrp authentication simple: Use this command to set a VRRP authentication password on an
interface in clear text format
Example
This example shows how to set the VRRP authentication password to “vrrpkey” on VLAN 10
VRID 1:
RouterA(su-config)->interface vlan.0.10
RouterA(su-config-intf-vlan.0.10)->vrrp authentication simple vrrpkey
ip vrrp message-digest-key vrid md5 password [hmac-96]: Use this command to set a VRRP
MD5 authentication password on an interface.
Example
This example shows how to set the VRRP MD5 authentication password to “vrrpkey2” on
VLAN 20 VRID 2:
RouterA(su-config)->interface vlan.0.20
RouterA(su-config-intf-vlan.0.20)->vrrp authentication md5 vrrpkey2 hmac-96
RouterA is the master for VRRP instance VLAN 10, VRID 1, based on priority (200) as
shown by the show ip vrrp command.
Note: If VLAN/VRID priority is equal, the router with the highest IP address for the
VLAN will assume the master role.
The ability to track remote interfaces is designed to address a condition in which the
Master VRRP Router continues to process packets sent to the VRRP IP address,
even when it cannot forward the packet toward the packet’s ultimate destination.
When you configure tracking of an IP route, you create a tracking entry for the
specified route. When this route becomes unreachable, this entry is considered to be
failing. If the route you configure does not exist, an immediate VRRP failover will
occur.
When you configure tracking using ping, you create a tracking entry for the specified
IP address. The entry is tracked using pings to the IP address, sent at the specified
Note: A UDP probe can also be configured for Application Content Verification (ACV)
if the remote server supports a protocol that responds to a UDP packet, such as the
UDP Echo protocol. Additionally, a TCP probe, if configured, is also capable of ACV for
VRRP supports the assigning of an ICMP probe to monitor a remote VRRP critical IP
address. The example shown above:
Sets the internet facing IP address 20.20.20.2 on VLAN 20 as the critical-IP address
for VRRP instance 1
Assigns ICMP probe ICMP-VRRP to monitor the interface and enables the interface
In addition to the VRRP and EAPS, the core switches are usually configured with
OSPF.
MLAG allows for the provision of multiple connections to the core switches without
the need for a loop prevention protocol. In an edge/core environment the core