Professional Documents
Culture Documents
2200 1303_06_2000_c2
Agenda
Host Interaction Default Route and Filtering Distance Redistribution Policy Routing Routing to the internet
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
Host Interaction
2200 1303_06_2000_c2
Using tables:
Search table for longest match use next hop Local is a special case, next hop is DA If no match use default route for next hop Get L2 data of next hop via arp and transmit
5
Note: Simplified
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
IRDP on Routers
Announcements have a lifetime and preference Configured per interface; off by default Can advertise via all systems multicast (224.0.0.1) Preference level can be set
ip irdp [ multicast holdtime seconds (3X max) maxadvertinterval seconds (600) minadvertinterval seconds (3/4X max) preference number (0) address address [number]]
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
IRDP on Hosts
in.rdisc in Solaris (multicast only) gated in Linux, HP-UX and AIX
routerdiscovery client yes | no | on | off ;
WinSock2 in Windows
NT 4.0 KB Article Q223756
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\adaptername\Parameters\Tcpip\
DHCP option 31
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
10.1.1.33
10.1.1.3 00:10:7B:04:88:BB
default-gw = 10.1.1.1
Transparent failover of default router Phantom router created One router is active, responds to phantom L2 and L3 addresses
Others monitor and take over phantom addresses
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
Standby Standby
Primary
HSRP
Hot Standby Router Protocol
Router1:
interface ethernet 0/0 bandwidth 128 ip address 169.223.10.1 255.255.255.0 standby 10 ip 169.223.10.254
Router 1 Router 2
Router2:
interface ethernet 0/0 bandwidth 1500 ip address 169.223.10.2 255.255.255.0 standby 10 priority 150 preempt delay 10 standby 10 ip 169.223.10.254 standby 10 track serial 0 60
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
Server Systems
10
IP Broadcast Control
Subnet or directed broadcast->w.x.y.255 All net broadcast->255.255.255.255 IP directed broadcasts are dropped by default ip helper-address forwards ip forward-protocol packets ip directed-broadcast floods ip forward-protocol packets To be forwarded:
The packet must be a MAC-level broadcast. The packet must be an IP-level all or major network broadcast. The packet must be a TFTP, DNS, Time, NetBIOS, ND, or BOOTP packet, or a UDP protocol specified by the ip forward-protocol udp global configuration command. The time-to-live (TTL) value of the packet must be at least two.
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
11
IP Helper Address
Specified on the input interface Indicates direction toward broadcast destination Forwards ip forward-protocol broadcast packets, specifically:
TFTP, DNS, bootp, DHCP, TACACS, time, NetBIOS name and datagram servers
Router A: interface ethernet 0 ip helper-address 10.2.1.3
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
e0
A
IP Forward Protocol
Flooded UDP packets have destination address changed to ip broadcast-address ip forward-protocol spanning-tree
uses spanning tree database for flooding
ip forward-protocol turbo-flood
speed-up if using spanning tree flooding
Example:
ip forward-protocol spanning-tree bridge 1 protocol dec access-list 201 deny 0x0000 0xFFFF interface ethernet 0 bridge-group 1 bridge-group 1 input-type-list 201
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
13
Feed network provides data TIC servers UDP broadcast data Feed network connected to routers for management
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
Feed Network
200.200.200.0
e0
e0 B
164.53.7.0 .62
164.53.8.0
164.53.9.0
164.53.10.0
Trader Networks
14
Helper Addresses
IP helper added to router interfaces on TIC network Each router sees the other routers broadcasts Each station receives multiple copies of data
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
Feed Network
200.200.200.0
164.53.7.0 .62
164.53.8.0
164.53.9.0
164.53.10.0
Trader Networks
15
Feed Network
200.200.200.0
164.53.7.0 .62
Trader Networks
16
Router A Configuration
ip forward-protocol spanning-tree ip forward-protocol udp 111 ! interface ethernet 0 ip address 200.200.200.61 255.255.255.0 ip broadcast-address 200.200.200.255 ! interface ethernet 1 ip address 164.53.7.61 255.255.255.192 ip broadcast-address 164.53.7.63 ip irdp preference 100 bridge-group 1 bridge-group 1 input-type-list 201 ! bridge 1 protocol dec bridge 1 priority 255 access-list 201 deny 0xFFFF 0x0000
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
17
Router B Configuration
ip forward-protocol spanning-tree ip forward-protocol udp 111 ! interface ethernet 0 ip address 200.200.200.62 255.255.255.0 ip broadcast-address 200.200.200.255 ! interface ethernet 1 ip address 164.53.7.62 255.255.255.192 ip broadcast-address 164.53.7.63 ip irdp preference 90 bridge-group 1 bridge-group 1 path-cost 50 bridge-group 1 input-type-list 201 ! bridge 1 protocol dec bridge 1 priority 255 access-list 201 deny 0xFFFF 0x0000
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
18
Default Routes
2200 1303_06_2000_c2
19
Default Routes
Route used if no match is found in forwarding table Can be carried by routing protocols Two models
Special network number: 0.0.0.0 Flagged in routing protocol
CITY
WORLD
20
2200 1303_06_2000_c2
21
ISIS Example
Service Provider Running BGP
ISIS 19.0.0.0
L1
19.1.1.1 19.1.1.2
L1L2
ISIS S1 19.0.0.0
2200 1303_06_2000_c2
22
BGP Example
Service Provider Running BGP IGP 19.0.0.0
iBGP 19.1.1.1 19.1.1.2
eBGP
23
Conditional Default
ip prefix-list cond permit 10.1.1.0/24 ! route-map def-cond permit 10 match ip address prefix-list cond ! router rip default-information originate route-map def-cond
Inserts a default route if the condition in the route map is met In this case, if network (prefix) 10.1.1.0/24 is present, advertise a default
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
24
2200 1303_06_2000_c2
25
Passive Interface
Prevents routing updates from being transmitted out an interface Don waste resources generating updates on t interfaces that have no need for them (loopback) Can also use passive-interface default
s0
26
Route Filtering
Selectively announce routes, per neighbor
Hide part of the topology/connectivity
Network X
Route filter with distribute-list command Can filter anywhere in distance-vector protocols:
RIP, IGRP, EIGRP, RIPv2 and BGP
Advertise B and Y
Network A
Advertise B and X
Network B
Network Y
27
s0 Partner Network
distribute list 1 in serial 0 access-list 1 permit 129.1.0.0 access-list 1 deny 0.0.0.0 255.255.255.255
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
28
router eigrp 111 network 128.1.0.0 distribute list 1 out serial 0 access-list 1 permit 128.1.0.0 0.0.0.0 ip default network 128.1.0.0
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
29
Precedence of Filters
Filter routing updates in or out bound Interface specific or global Evaluation order: interface, global Example:
access-list 1 deny 1.0.0.0 0.255.255.255 access-list 2 permit 1.2.3.0 0.0.0.255 router rip distribute-list 1 in ethernet 0 distribute-list 2 in
30
ACL Oversights
Access control lists can filter routing updates
RIP RIPv2 IGRP EIGRP OSPF ISIS BGP
2200 1303_06_2000_c2
UDP Port 520 UDP Port 520 IP Protocol Field 9 IP Protocol Field 88 IP Protocol Field 89 SAP 0xFEFE; Protocol 83 TCP Port 179
255.255.255.255 224.0.0.9 (Default) 255.255.255.255 255.255.255.255 224.0.0.10 224.0.0.5 (AllOSPFRouters) 224.0.0.6 (DRRouters) 01:80:C2:00:00:15 Neighbor Address
31
Verifies Signature
32
Signature Generation
Routing Update
Router A
Hash Function
Hash
Signature
Routing Update
Signature
33
Signature Verification
Router B
Signature Routing Update
Routing Update Signature Decrypt Using Preconfigured Key Hash If Hashes Are Equal, Signature Is Authentic
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
Hash
34
Authentication in RIPv2
key chain kal key 1 A key-string 234 ! interface Serial2 ip rip authentication mode md5 ip rip authentication key-chain kal ! key chain ka2 router rip key 1 version 2 B key-string 234 ! interface Serial1/0 ip rip authentication mode md5 ip rip authentication key-chain ka2 ! router rip version 2
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
35
Authentication
RIP uses text and MD5
also validate-update-source
(E)IGRP uses MD5 OSPF has text and MD5 per area and intf ISIS has text per area and domain
MD5 authentication is on the way
36
Distance
2200 1303_06_2000_c2
37
Default Distance 0 1 5 20 90 100 110 115 120 140 170 200 255
38
distance weight [address mask [access-list-number] address and mask specify the source access list applies to content ip route dest next-hop distance Remember the floating static route?
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
39
Using Distance
192.31.7.0
.2
.1
.2
128.88.1.0
.1
.3
router rip network 192.31.7.0 network 128.88.0.0 distance 255 distance 90 128.88.1.3 0.0.0.0 distance 120 192.31.7.0 0.0.0.255
2200 1303_06_2000_c2
40
Redistribution
Hops = Bandwidth = Compound = AS-PATH ?
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
41
Redistributing Routes
Under a router xxx command, redistribute:
a source protocol: bgp | igrp | isis | ospf | static | connected | rip a value for the destination protocol: metric a route map for filtering: route-map scope of redistribution: subnets as well as some protocol specific parameters
RIP
OSPF
2200 1303_06_2000_c2
42
Default Metrics
The first, or seed, metric for a route is derived from being directly connected to a router interface
Re-distributed routes are not physically connected default-metric establishes the seed metric for the route Once a compatible metric is established, the metric can increment just like any other route Set default metric bigger than the biggest native metric
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
43
default-metric bandwidth delay reliability loading mtu Used for IGRP and Enhanced IGRP redistribution default-metric number Used for OSPF, RIP, ISIS, and BGP redistribution
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
44
Offset Lists
Increases incoming and outgoing metric (hops or delay) Add 10 to the delay component of routes matching access list 21 when outbound
router igrp offset-list 21 out 10 access-list 21 ..
45
46
Redistribute RIP routes with a hop count equal to 1 into OSPF These routes will be redistributed into OSPF as external LSAs with
a metric of 5, metric type of Type1 a tag equal to 1.
router ospf 109 redistribute rip route-map rip-to-ospf ! route-map rip-to-ospf permit match metric 1 set metric 5 set metric-type type1 set tag 1
2200 1303_06_2000_c2
47
Feedback Loops
When crossing a redistribution boundary, information is lost A physical or logical loop causes a route to be advertised back to the redistributing router that first advertised it How does the router know which route to accept?
Answer: it can know t Humans have to re-insert the lost information
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
48
Implementation Considerations
RIP RIP 172.16.0.0 RIP
172.16 172.16
EIGRP
172.16
AS 300 EIGRP
ASBR ASBR
EIGRP
172.16
Routing feedback
Suboptimal path selection Routing loops
49
172.16.2.0
172.16.1.0
50
Policy Routing
When Destinations Aren t Enough
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
51
Policy Routing
Forwarding decision not based on destination address Selects defined path based on attributes of user packet (source/destination IP address, application port, packet lengths, and so forth) Set next hop or interface Set default next hop or interface
Customer A ISP A
Customer B
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
ISP B
52
53
Match packets against the access lists to permit policy routing of them
match ip address access-list-expressions
If the Layer3 packet length is between min-length and max-length, inclusive, the packet matches Useful for distinguishing interactive versus bulk traffic when access lists will not work
match length min-length max-length
2200 1303_06_2000_c2
54
If there is no explicit route for this destination, then route to this hop Both use the first IP address associated with an up/up interface
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
55
If there is no explicit route for this destination, then route to this interface If interface1 is down interface2 and subsequent interfaces are tried Setting interface to Null0 creates a policy that drops the packet
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
56
value 0 1 2 4 8
Set the IP TOS or precedence header field Can use numeric or symbolic value
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
57
A valid next hop implies the output interface The first combination of next hop and interface is used Router sourced packets are policy routed via ip local route-map foo command
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
58
s1 bri0
route-map foo permit 12 192.168.93.0 set default interface Null0 route-map foo permit 11 match ip address 103 set ip next-hop 10.0.0.1 route-map foo permit 10 match ip address 101 set ip next-hop 11.0.0.1 access-list 101 permit tcp 192.168.93.0 0.0.0.255 any eq telnet access-list 101 permit icmp any any access-list 103 permit tcp 192.168.93.0 0.0.0.255 any eq ftp
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
59
Premium ISP
E.g. ERP Application NPR NPR
Standard ISP
E.g.
Enterprise Backbone
60
If the router is policy routing packets to a next hop and it is down, the router will try unsuccessfully to use ARP (which is down). This behavior will continue forever To prevent this, configure the router to first verify that the next hop(s) of the route map is a CDP neighbor(s) before routing to that next hop set ip next-hop verify-availability is not supported in dCEF since it doesn support CDP t
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
61
NPR Example
Configure CEF, NetFlow, and NetFlow with flow acceleration Configure policy routing to verify that next hop 50.0.0.8 of route map test is a CDP neighbor before the router tries to policy route to it If the first packet is policy routed via route map 10, the packets of the same flow always take the same route map (10), not route map 20, because they all match or pass access list 1 check Policy Routing can be flowaccelerated by bypassing the access-list check
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
ip cef ip flow-cache feature-accelerate interface ethernet0/0/1 ip route-cache flow ip policy route-map test route-map test permit 10 match ip address 1 set ip precedence priority set ip next-hop 50.0.0.8 set ip next-hop verify-availability route-map test permit 20 match ip address 101 set interface Ethernet0/0/3 set ip tos max-throughput
62
2200 1303_06_2000_c2
63
64
BGP should have filters applied so that these routes are not advertised to or propagated through the Internet
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
65
2200 1303_06_2000_c2
66
ISP
F
AS 201
67
What Is Multihoming?
AS 300
E
AS 400
C
2200 1303_06_2000_c2
68
ISP 2
AS 201
69
AS 200
D
AS 300
E
0.0.0.0
A B
0.0.0.0
AS 400
C
2000, Cisco Systems, Inc.
70
Provider AS 200
D E
Provider AS 300
AS 400
2200 1303_06_2000_c2
C
2000, Cisco Systems, Inc.
71
AS 200
D A B
AS 300
E
AS 400
2200 1303_06_2000_c2
C
2000, Cisco Systems, Inc.
72
Conclusion
Be Careful Out There
2200 1303_06_2000_c2
73
Summary Part 1
Under normal operation, there should be exactly one interior routing protocol on any network segment
Use passive-interface as necessary to ensure this
The number of redistribution boundaries should be kept to a minimum Run as few routing protocols as possible
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
74
Summary Part 2
Choose routing protocol based on matching requirements with features Addressing should be contiguous with respect to topology Redistribute routes only as necessary and as few as required Use advanced features for special cases and for fine tuning Test and understand before you implement
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
75
Recommended Reading
IP Routing Protocols : RIP, OSPF, BGP, and Cisco Routing Protocols by Uyless Black, ISBN: 0130142484 EIGRP for IP : Basic Operation and Configuration by Alvaro Retana, Russ White, Don Slice, ISBN: 0201657732 EIGRP Network Design Solutions, by Ivan Pepelnjak, ISBN: 1578701651 OSPF : Anatomy of An Internet Routing Protocol by John T. Moy, ISBN: 0201634724 OSPF Network Design Solutions by Thomas M. Thomas, ISBN: 1578700469 Large-Scale IP Network Solutions : CCIE Professional Development by Khalid Raza, Mark Turner, Salmad Asad, ISBN: 1578700841 Internet Routing Architectures, by Bassam Halabi, Danny McPherson, ISBN: 157870233x Routing in the Internet by Christian Huitema, ISBN: 0130226475 and of course:
http://www.cisco.com
2200 1303_06_2000_c2
2000, Cisco Systems, Inc.
76
77
2200 1303_06_2000_c2
78
2200 1303_06_2000_c2
79
2200 1303_06_2000_c2
80