Archives for posts with tag: routing

Did you know that OSPF neighbors do not move to the FULL state with mismatched MTU?

I found this out at the weekend when I was working on some Data Centre switches; within the fabric these switches use jumbo MTU. So when I tried to peer a device that was not part of the fabric, I got stuck in EXSTART.

At first I was wondering if I had the OSPF configuration wrong. I checked and double-checked, but all looked good.

Solved!

Run “debug ip ospf adj” and you will get a message similar to this:

*Nov 16 21:30:45.551: OSPF-1 ADJ Gi0/0: Nbr 10.1.1.1 has smaller interface MTU

Answer: match the MTU on both sides.
I had a read through TCP/IP Volume 1; it doesn’t mention MTU size anywhere. RFC 2328 does mention it:

If the Interface MTU field in the Database Description packet
indicates an IP datagram size that is larger than the router can
accept on the receiving interface without fragmentation, the
Database Description packet is rejected.

This is where Wireshark comes in handy; I had to see this for myself.

The MTU isn’t sent in the Hello packet; it’s sent in the type 2 DBD packet, after the neighbours acknowledge each other (2-WAY). See below.


Interesting
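The DBD check the RFC text above describes, as an added example (not the post’s own code): a parser for the fixed part of an OSPFv2 Database Description packet and the MTU acceptance rule from RFC 2328 section 10.6, run over a constructed DBD from a jumbo-MTU fabric switch. Router IDs and MTU values are assumptions.

```python
import struct

# OSPFv2 header (24 bytes) followed by the fixed part of a Database Description body.
# Field layout from RFC 2328, sections A.3.1 and A.3.3.
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")  # version, type, length, router id, area id, checksum, autype, auth
DBD_FIXED = struct.Struct("!HBBI")        # interface MTU, options, flags (I/M/MS), DD sequence number
TYPE_DBD = 2


def parse_dbd(packet: bytes) -> dict:
    """Return the fixed DBD fields; raise if this is not an OSPFv2 type 2 packet."""
    if len(packet) < OSPF_HDR.size + DBD_FIXED.size:
        raise ValueError("packet too short for an OSPF Database Description")
    version, ptype, _length, rid, _area, _csum, _autype, _auth = OSPF_HDR.unpack_from(packet, 0)
    if version != 2 or ptype != TYPE_DBD:
        raise ValueError("not an OSPFv2 Database Description packet")
    mtu, options, flags, dd_seq = DBD_FIXED.unpack_from(packet, OSPF_HDR.size)
    return {"router_id": ".".join(str(b) for b in rid), "mtu": mtu,
            "options": options, "flags": flags, "dd_seq": dd_seq}


def dbd_accept(packet: bytes, local_mtu: int) -> bool:
    """RFC 2328 section 10.6 rule quoted above: a DBD whose Interface MTU is larger than what
    we can accept without fragmentation is rejected, so the adjacency never leaves EXSTART."""
    return parse_dbd(packet)["mtu"] <= local_mtu


def build_dbd(router_id: str, mtu: int, dd_seq: int = 0x1234) -> bytes:
    """Construct a minimal DBD (no LSA headers, zero checksum) purely as test input."""
    rid = bytes(int(octet) for octet in router_id.split("."))
    body = DBD_FIXED.pack(mtu, 0x02, 0x07, dd_seq)  # options E; flags I+M+MS (first DBD)
    header = OSPF_HDR.pack(2, TYPE_DBD, OSPF_HDR.size + len(body), rid,
                           b"\x00" * 4, 0, 0, b"\x00" * 8)
    return header + body


if __name__ == "__main__":
    # Constructed scenario: a fabric switch (192.0.2.2) advertises jumbo MTU to a 1500-byte peer.
    jumbo = build_dbd("192.0.2.2", 9216)
    print(parse_dbd(jumbo))
    print("accepted with local MTU 1500:", dbd_accept(jumbo, 1500))  # False: stuck in EXSTART
    print("accepted with local MTU 9216:", dbd_accept(jumbo, 9216))  # True: MTUs match
```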

RH

I was asked a question about MPLS labels within a VRF. Well, the question was: “when I type the command ‘show mpls ldp bindings vrf xxx’ I don’t see any labels for my remote site prefixes.”

In this case these labels aren’t assigned by LDP; they are assigned by BGP.

The command he was looking for was “show ip bgp vpnv4 vrf xxx labels”. I think a light went on in his head when I explained this to him!

If you’re still confused, imagine the (unidirectional) LSP R1 -> R4 as a virtual connection, if you like, where R4 is the egress LSR for the packet. The packet will travel via R1 -> R2 -> R3 -> R4. The next hop is actually listed as R4 even though the packet has to pass through R2 and R3, each of which, by the way, has its own label to add on top of the bottom-of-stack label for R4.


R1 pushes on the label 1234 for R4 and another label on top for R2, which is 22; next R2 removes its own label (22) and adds the label for R3, which is 33; R3 removes its own label (33) and forwards the packet with the label 1234 to R4. The bottom-of-stack bit is set to 1, so R4 removes the label and forwards.
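The label walk-through above, as an added example (not the post’s own code): an encoder/decoder for MPLS label stack entries (RFC 3032 format) and a constructed per-router LFIB that replays the R1 -> R4 path, with the VPN label 1234 at the bottom of the stack and 22/33 as the transport labels. Label values and router names follow the post; the LFIB actions are assumptions.

```python
import struct

# One MPLS label stack entry (RFC 3032): 20-bit label, 3-bit TC, 1-bit S (bottom of stack), 8-bit TTL.


def encode_stack(labels, ttl=64):
    """Encode labels top-of-stack first; only the last entry gets the S bit."""
    out = b""
    for i, label in enumerate(labels):
        bottom = 1 if i == len(labels) - 1 else 0
        out += struct.pack("!I", (label << 12) | (bottom << 8) | ttl)
    return out


def decode_stack(data):
    """Decode entries until the S bit is seen; returns [(label, s_bit, ttl), ...]."""
    entries = []
    for offset in range(0, len(data), 4):
        (word,) = struct.unpack_from("!I", data, offset)
        entries.append((word >> 12, (word >> 8) & 1, word & 0xFF))
        if (word >> 8) & 1:
            break
    return entries


# Constructed LFIB per router, mirroring the walk-through above. The VPN label 1234 for R4
# is the one carried in BGP (the post links RFC 3107); 22 and 33 are the LDP transport
# labels of R2 and R3. R3 pops its label before R4 (penultimate hop popping), as described.
LFIB = {
    "R1": {"push": [22, 1234]},
    "R2": {22: ("swap", 33)},
    "R3": {33: ("pop", None)},
    "R4": {1234: ("pop", None)},
}


def forward(path):
    """Apply each hop's LFIB action; return the decoded stack leaving every router."""
    stack, trace = [], {}
    for router in path:
        action = LFIB[router]
        if "push" in action:
            stack = list(action["push"])
        else:
            op, new_label = action[stack[0]]
            stack = ([new_label] if op == "swap" else []) + stack[1:]
        trace[router] = decode_stack(encode_stack(stack)) if stack else []
    return trace
```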

https://tools.ietf.org/html/rfc3107

RH

I will follow up my notes with some labs over the coming weeks.

Enabled on the router with “ip multicast-routing”. The reserved range is 224.0.0.0/4 for IPv4 and FF00::/8 for IPv6.

If there are multiple PIM routers on the same LAN, only one can forward the join and prune messages to the RP, so there is an election for the Designated Router (DR), which uses the highest IP.

PIM Dense-Mode – uses a push method to all routers; if no hosts need the stream the router prunes off. This repeats every 3 minutes, so it is not ideal for large deployments.

Bidirectional PIM – uses shared trees (*, G); this is useful for large-scale deployments, as it saves the RP building multiple source tree entries. The location of the RP is critical in this mode. To ensure a loop-free path there is a designated forwarder (DF) role, which is worked out by the lowest-cost unicast path to the RP.

PIM Sparse-Mode – uses an on-demand mechanism: clients send a join message. It requires a Rendezvous Point (RP). Initially the multicast source sends traffic and the RP builds the source tree (S,G); once a client requests the stream the RP builds the shared tree (*,G) and the traffic is received. If there is a better unicast path to the source, the router (RP) will build the source tree (show ip mroute) and begin using that path.

PIM Sparse Mode Message Process.

Uses 7 messages: Hello, Bootstrap, Candidate-RP-Advertisement, Join/Prune, Assert, Register and Register-Stop. Neighbour discovery uses Hello messages sent to the PIMv2 address 224.0.0.13.

The source sends traffic to the destination multicast address; the first-hop router sees this and sends a PIM Register to the RP. The RP acknowledges with a Register-Stop, and now has the (S,G) entry in its mroute table.

Receivers send an IGMP join on the LAN; the Designated Router (DR) sends the PIM Join message to the RP, and each router adds the OIL (outgoing interface list) back towards the receiver for (*, G).

Once the receiver knows about the RP and the source knows about the receiver, they will then look to build the source tree (S,G) entry.

RPF – Reverse Path Forwarding.

The loop prevention method for multicast: it checks the multicast source address against the unicast routing table to see whether the packet should be arriving on that interface; if not, it drops the packets.

Rendezvous Point

Statically assign this on each router with the command “ip pim rp-address x.x.x.x”; this must be done on each router participating in multicast.

Auto-RP – we use commands to assign the mapping agent and the candidate RP; we could have redundant RPs or limit each RP to certain multicast addresses with filtering using ACLs.
We use “ip pim send-rp-announce [interface] scope [0-255]”; the scope is the number of hops we allow this to travel, or TTL. Once configured it will begin to send RP-Announce messages to 224.0.1.39 every 60 seconds.

Next the mapping agent listens for RP-Announce messages from the C-RPs and selects the RPs. It then advertises the RPs to the rest of the PIM domain in RP-Discovery messages to 224.0.1.40 every 60 seconds: “ip pim send-rp-discovery [interface] scope [0-255] interval [seconds]”.

We can change the intervals at which RP-Announce and RP-Discovery messages are sent by using the interval keyword at the end of the command, shown above.

Cisco uses the “ip pim autorp listener” command to overcome the sparse-mode problem with routers learning the RP; use this on non-RP routers. This is known as the chicken-and-egg scenario: you need multicast to run multicast.
It enables sparse-mode interfaces to dense-mode flood only the RP-Announce and RP-Discovery messages on 224.0.1.39 and 224.0.1.40, enabling the RP to be elected on a sparse-mode network.

PIM BSR – Bootstrap Router – an open standard compared to Auto-RP; uses the all-PIM-routers address 224.0.0.13 with a TTL of 1. We select the BSR using the command “ip pim bsr-candidate [interface]”; next we can set the candidate RP using “ip pim rp-candidate [interface]”.

When a router is configured as a candidate BSR it sets a timer to 130 secs and listens for other BSR candidate messages. It advertises its priority (0-255) and IP address; the highest priority wins, and the winner then begins sending out BSR messages every 60 secs. When a PIM router receives a BSR message it floods it out of all interfaces except the one it was received on, which ensures the rest of the multicast routers know who the BSR is.

Once the BSR is known, the C-RPs begin sending Candidate-RP-Advertisement messages to the BSR (unicast); they contain the priority (0-255), the RP IP address and the multicast group addresses for which the router is offering to act as RP.

The hash function is useful for large multicast deployments where lots of sources are used; with the hash feature the RPs can be load-balanced. The BSR advertises a hash mask in its messages and the receiving routers run the algorithm, which assigns a consecutive block of group addresses to one C-RP and then the next block to the next C-RP, much like a standard subnet mask would work. This is specified in the “ip pim bsr-candidate” command.
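The group-to-RP hashing described above, as an added example (not the post’s own code): the hash from RFC 4601 section 4.7.2 applied with a hash mask length, showing that consecutive groups inside one mask block land on the same C-RP. The candidate RP addresses, priorities and group range are constructed.

```python
import ipaddress

# Group-to-RP mapping hash from RFC 4601 section 4.7.2; the BSR's hash mask length
# decides how many consecutive groups share one C-RP.
MAGIC_A, MAGIC_B = 1103515245, 12345


def hash_value(group: int, mask: int, crp: int) -> int:
    return (MAGIC_A * ((MAGIC_A * (group & mask) + MAGIC_B) ^ crp) + MAGIC_B) % (1 << 31)


def choose_rp(group: str, candidates: dict, hash_mask_len: int) -> str:
    """candidates maps C-RP address -> priority. Lowest priority wins; among equals the
    highest hash value wins, and a remaining tie goes to the highest C-RP address."""
    g = int(ipaddress.IPv4Address(group))
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    best_priority = min(candidates.values())
    eligible = [c for c, p in candidates.items() if p == best_priority]
    return max(eligible, key=lambda c: (hash_value(g, mask, int(ipaddress.IPv4Address(c))),
                                        int(ipaddress.IPv4Address(c))))


def rp_map(groups, candidates, hash_mask_len):
    """Map each group to its RP; consecutive groups inside one hash-mask block share an RP."""
    return {grp: choose_rp(grp, candidates, hash_mask_len) for grp in groups}


if __name__ == "__main__":
    crps = {"10.0.0.1": 0, "10.0.0.2": 0}  # constructed candidate RPs with equal priority
    groups = [f"239.1.1.{i}" for i in range(8)]
    for grp, rp in rp_map(groups, crps, 30).items():  # /30 mask: blocks of four groups
        print(grp, "->", rp)
```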

RPF with tunnel – this is implemented when you need to load-balance traffic over two equal-cost paths, but the RPF check prevents load balancing over the physical links. So, for example, we would build a tunnel between the two routers that passes traffic through the two links, using per-destination or per-packet balancing (no ip route-cache) on the interfaces. This, used along with the ip mroute command, should see it work.
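The RPF check from the “Reverse Path Forwarding” section and the static-mroute override from the tunnel case above, as one added example (not the post’s own code): a longest-prefix lookup of the multicast source against a constructed unicast table, with a constructed ip mroute entry pointing RPF at a tunnel. Prefixes, interface names and the rule that a matching static mroute wins outright are assumptions.

```python
import ipaddress

# Constructed unicast routing table: prefix -> (next hop, outgoing interface).
UNICAST_RIB = {
    ipaddress.ip_network("10.0.0.0/8"):    ("192.0.2.1", "Gi0/0"),
    ipaddress.ip_network("10.100.0.0/16"): ("192.0.2.2", "Gi0/1"),
    ipaddress.ip_network("0.0.0.0/0"):     ("192.0.2.9", "Gi0/2"),
}

# Constructed static mroutes (ip mroute), consulted for RPF only, as in the tunnel case above.
# Simplification: a matching static mroute is preferred over the unicast table outright.
STATIC_MROUTES = {
    ipaddress.ip_network("10.100.5.0/24"): "Tunnel0",
}


def rpf_interface(source: str):
    """Longest-prefix match for the source address: the interface we expect it to arrive on."""
    src = ipaddress.ip_address(source)
    for table in (STATIC_MROUTES, UNICAST_RIB):
        matches = [(prefix, entry) for prefix, entry in table.items() if src in prefix]
        if matches:
            prefix, entry = max(matches, key=lambda m: m[0].prefixlen)
            return entry if isinstance(entry, str) else entry[1]
    return None


def rpf_check(source: str, in_iface: str) -> bool:
    return rpf_interface(source) == in_iface


def process(source: str, in_iface: str, oil: list) -> list:
    """Forward out of every OIL interface except the incoming one; drop on RPF failure."""
    if not rpf_check(source, in_iface):
        return []  # arrived on the wrong interface: looped or spoofed, so dropped
    return [iface for iface in oil if iface != in_iface]
```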

Source Specific Multicast – defined in RFC 4607, enables you to identify a set of multicast sources not only by group address but by the sources as well. The SSM group is called a channel; this is identified using (S,G). The reserved group addresses for SSM are 232.0.0.0/8 and the IPv6 range FF3x::/32.
An SSM channel is defined by a source and a group address, so multiple sources can be assigned to the same group, for example (10.100.5.24, 232.5.5.5) and (10.100.15.60, 232.5.5.5); each is a unique channel for the multicast group. Hosts will only receive traffic from the requested sources, which can help to protect against DoS attacks.

No RP is needed in this mode, as source trees are built directly towards the source because the source is already known. This uses the unicast routing table for forwarding decisions; the multicast source must be entered manually in advance.

Enabled with “ip pim ssm default”. It also relies on IGMPv3, so “ip igmp version 3” is used at interface level.

IGMP – Internet Group Management Protocol

IGMP is the protocol that functions between the hosts and the router; it allows the router to know that a host is interested in receiving the multicast stream for a specific group.

A router acts as the querier, checking to see if hosts are still interested in a stream, on a LAN segment even when more than one router exists.

IGMP is enabled when PIM is enabled; its messages have a TTL of 1 and are restricted to the LAN.

IGMP v1 – RFC 1112: sends IGMP queries to 224.0.0.1 (the all-hosts multicast address); has no election for the IGMP querier; only one host per multicast address replies to the query and all others suppress; no mechanism to leave the group, so it could take up to 3 minutes after the client has stopped listening before the traffic flow stops.

IGMP v2 – RFC 2236: a querier election mechanism based on IP address ensures one router per segment sends IGMP queries; a Leave Group message lets a host signal that it no longer requires the traffic. Leave latency is reduced compared to v1; when a host wants to leave the multicast stream it sends the Leave message to 224.0.0.2 (all-routers multicast).

IGMP v3 – added support for SSM (source specific multicast), which allows the client not only to specify the group it wants to subscribe to but also the source of that traffic (useful if there are many sources in the same group).


Well Known Multicast Address

————————————————————-

224.0.0.1 All-hosts group, which contains all devices on the same network

224.0.0.2 All-multicast-routers group, which contains all routers on the same network (PIMv1)

224.0.0.5 All OSPF routers

224.0.0.6 All OSPF DRs

224.0.0.10 EIGRP

224.0.0.13 PIM v2 all PIM routers multicast address.

224.0.0.22 IGMP Version 3

224.0.1.39 Cisco Auto-RP-Announce address

224.0.1.40 Cisco Auto-RP-Discovery address

MSDP – Multicast Source Discovery Protocol

The purpose is to discover multicast sources in other PIM domains: your own RPs exchange information with RPs in other domains. Just like BGP, each peer must be explicitly configured. When a PIM DR registers a source with the RP, the RP sends out an SA (Source Active) message to all its MSDP peers.

The SA message contains:
Address of the source
group address to which the source is sending
Originating IP

Uses TCP port 639 for peering connections.

Every MSDP peer that receives a Source Active message floods it downstream to its own peers, away from the originator. If the RP receives more than one copy of an SA, it consults the BGP next-hop database to determine the next hop towards the SA originator. If the AS is non-transit or stub, the BGP next-hop lookup still applies; to override this we use the command “ip msdp default-peer”, so RPF checks are not necessary. One path – no possible loops.

MSDP mesh groups are used effectively when multiple RPs are present in a single domain: sources always register to certain RPs, but members must be able to find any source. Every RP has a peering to all other RPs in the domain. Mesh groups are configured with the command “ip msdp mesh-group [WORD] [IP address]”.

SA-Filter

Inbound – here is an example of an inbound SA filter from MSDP peer 10.255.255.3 that only allows SA messages for group 239.8.8.8 from the source 74.74.74.5:
access-list 101 permit ip host 74.74.74.5 host 239.8.8.8
ip msdp sa-filter in 10.255.255.3 list 101

Outbound – here is an example of an outbound SA filter that only sends SA messages to peer 10.255.255.1 for the specific group 232.4.4.4 from source 74.74.74.5:
access-list 102 permit ip host 74.74.74.5 host 232.4.4.4
ip msdp sa-filter out 10.255.255.1 list 102

Locally originated sources can be filtered with the following command; same idea as above:
ip msdp redistribute list xxx

Anycast RP

A simple explanation of anycast is that packets can be sent to a single IP and any number of devices can respond. When PIM-SM is brought into the mix, this means we can map a single group to multiple RPs all with the same “virtual IP”; we cannot achieve this without MSDP.


RH

This command might save you from a whole world of trouble!

For example, you’ve got a scheduled change coming up on your WAN router that’s a little risky: you might just cut yourself off from the router halfway through the change. What do you do to mitigate this risk?

Well, if you don’t have OOB (out-of-band) access to the router you would use the following command:

#reload in 20

What this does is reload the router in 20 minutes, reverting back to the last saved config. So if you’ve been cut off, just wait the time you’ve specified and the router will reload with the old config.

To confirm how much time you have before a reload, use the command:

#show reload

Once you’ve completed your changes and they are successful, just issue the command:

#reload cancel

Also used to schedule a reload is the command:

#reload at 09:45

This reloads your router at the time you specify, but obviously relies on your NTP settings being correct, so check this first.

Plan ahead!!

RH

Advertising a default route in BGP with an alternate default route as backup.

So you have your MPLS WAN and you’re filtering internet at your main data centre; everything is going along nicely until the CE router at your data centre goes hard down, and all your users are suddenly wondering why they can’t use Facebook or YouTube anymore!
Advertising a default route is easy, but advertising multiple... now that’s a different story.

You need to find a way of making the backup route less desirable, so that it would only be used if the original was unavailable. Here’s how to do it.

You will need to be at least familiar with BGP path selection, prefix lists and route-maps.

Advertise your default route from your main data centre. Here is a sample config:

router bgp xxxxx
neighbor x.x.x.x remote-as xxxxx
network 0.0.0.0

In order for BGP to advertise any route it must exist in the routing table, so either you use a static route or you run a dynamic routing protocol such as EIGRP to advertise it into your router from your main data centre switch. (I would recommend you use a dynamic routing protocol)
Now that your default route is being advertised, it will filter out to the rest of your WAN routers.
Your secondary default route is a little different: you still need to advertise it, but with some sort of distinguishing feature. The simplest way to do this is AS-path prepending, which adds the AS (Autonomous System) number you specify to the advertised route. If you know how BGP path selection works you will know that BGP prefers the shortest AS_PATH, regardless of bandwidth or connection type; imagine RIP, which uses a hop count for route selection, it’s the same idea. Note: BGP path selection does not rely solely on AS_PATH, but for the purposes of this discussion we will assume you are not using WEIGHT, LOCAL_PREF or IGP redistribution.

Firstly you need to create a prefix list to match only the default route:

ip prefix-list 10 description Secondary-default
ip prefix-list 10 seq 5 permit 0.0.0.0/0

Next, use a route map to tie in the conditions you need to set for the default route:

route-map default-route permit 5
match ip address prefix-list 10
set as-path prepend xxxxx xxxxx xxxxx xxxxx xxxxx
route-map default-route permit 10

Then all that’s left to do is apply the route map outbound to the BGP neighbour:

router bgp xxxxx
network 0.0.0.0
neighbor x.x.x.x remote-as xxxxx
neighbor x.x.x.x route-map default-route out

Again, make sure the default route exists in your routing table; otherwise it won’t be advertised.
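The selection behaviour the procedure above relies on, as an added example (not the post’s own code): a minimal model of the first steps of Cisco BGP best-path selection (WEIGHT, LOCAL_PREF, AS_PATH length), showing that a five-times-prepended secondary default loses while the primary exists and takes over once the primary is withdrawn, and that a higher LOCAL_PREF overrides the prepend. The ASNs and next hops are constructed.

```python
from dataclasses import dataclass


@dataclass
class Path:
    prefix: str
    as_path: list   # leftmost ASN is the neighbour the route was received from
    next_hop: str
    local_pref: int = 100
    weight: int = 0


def prepend(path: Path, asn: int, count: int) -> Path:
    """Equivalent of `set as-path prepend`: repeat an ASN in front of the AS_PATH."""
    return Path(path.prefix, [asn] * count + path.as_path, path.next_hop,
                path.local_pref, path.weight)


def best_path(paths: list) -> Path:
    """First steps of the Cisco selection order: highest WEIGHT, highest LOCAL_PREF,
    then shortest AS_PATH. A remaining tie goes to the first (oldest) path, a
    simplification of the later steps (origin, MED, IGP metric, router ID)."""
    return max(paths, key=lambda p: (p.weight, p.local_pref, -len(p.as_path)))


def select_default(primary_up: bool) -> str:
    """Constructed scenario as seen from a remote WAN router: both data centres (AS 65001)
    advertise 0.0.0.0/0, the secondary prepends five times (as in the route-map above), and
    the provider (AS 65000) adds its own ASN when re-advertising, modelled with prepend()."""
    primary = prepend(Path("0.0.0.0/0", [65001], "10.1.0.1"), 65000, 1)
    secondary = prepend(Path("0.0.0.0/0", [65001], "10.2.0.1"), 65001, 5)
    backup = prepend(secondary, 65000, 1)
    candidates = ([primary] if primary_up else []) + [backup]
    return best_path(candidates).next_hop


if __name__ == "__main__":
    print("primary up  ->", select_default(True))    # 10.1.0.1
    print("primary down ->", select_default(False))  # 10.2.0.1
```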

Some commands you might use to confirm your changes:

sh ip bgp
sh ip bgp 0.0.0.0
sh ip bgp neighbor x.x.x.x advertised-routes
sh ip route 0.0.0.0
sh ip route
sh run | inc ip route

Easy as that!

BGP is by far the most versatile and configurable routing protocol I have ever worked with; it surprises me every time I work with it, and I learn something new about it.

RH