Cisco IOS IP SLA (Service Level Agreements) Tool

December 12th, 2007 neteng

In today’s workplace, it’s no longer enough to throw up a couple of routers and switches, establish connectivity and declare that the network is complete. Managed services have become a hot item and Cisco has provided some tools to help us better manage the network and alert us to problems as they arise. In a world of VoIP and video conferencing, the Cisco IOS IP SLA service is indeed a powerful tool to add to your network monitoring toolkit.

Topic

Cisco IOS IP SLAs

Definition

Cisco’s SLA tool allows you to proactively monitor network conditions by generating traffic on a device and responding to that traffic from another device. It makes it easier to do such things as verify your QoS policy is working and make sure you’re meeting uptime agreements. When set up in an end-to-end manner, you can simulate the experience of a user and get a truer picture of their network performance. The SLA feature set is huge and results can be pulled up from the command line or via SNMP.

When configuring SLA entries, we need to have both a transmitter and a responder. The responder setup is very basic. To begin communications, the transmitter sends control messages to the responder. These control messages inform the responder as to what port it should listen on for transmitter requests (UDP or TCP). Enabling the responder service itself may not be necessary for some operations if the device is already listening on ports being tested (i.e. HTTP services).

Once an SLA operation has been configured on the transmitter, it’s operation needs to be scheduled. Statistics will only be gathered when the configuration is operational. Operations can be scheduled to start immediately, at a pre-determined date/time and they can even be triggered to start by certain events.

Instead of reinventing the wheel, I’ll refer you to Cisco’s awesome table of SLA capabilities.

Example

Because of the depth of the SLA tool, I’m going to just restrict myself to a very basic configuration. This will give you just a small glimpse into the possibilities the lie ahead. I recommend reading the references at the end of this article to go a little more in-depth. Here is our three-router topology:

We have OSPF running in a single area for these three routers, providing full end-to-end connectivity. Let’s go ahead and turn on the responder service on R3:

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip sla responder

Let’s verify the service now:

R3#show ip sla responder
IP SLAs Responder is: Enabled
Number of control message received: 0 Number of errors: 0
Recent sources:
Recent error sources:

As you can see, we’re up and running on one end of our network. We have not received any control messages or data from our transmitter though. We’re going to have R1 act as our transmitter and perform the UDP Echo operation. This will measure the end-to-end response time for UDP traffic. First, we’ll configure our operation:

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip sla monitor 1
R1(config-ip-sla)#udp-echo 150.1.3.3 1234
R1(config-ip-sla-udp)#frequency 30
R1(config-ip-sla-udp)#exit
R1(config)#

What we’ve done here is configure an operation with an ID of 1, and within that operation, configured the router to send a UDP packet to R3’s Loopback0 address on port 1234. We’ve also set it to send a packet every 30 seconds (versus the default of 60 seconds). After this has been created, we need to schedule it to run:

R1(config)#ip sla schedule 1 life forever start-time now

The operation is scheduled to run immediately and never expire. Let’s take a look at the configuration we’ve just created:

R1#show ip sla configuration 1
IP SLAs, Infrastructure Engine-II.
Entry number: 1
Owner:
Tag:
Type of operation to perform: udp-echo
Target address/Source address: 150.1.3.3/0.0.0.0
Target port/Source port: 1234/0
Request size (ARR data portion): 16
Operation timeout (milliseconds): 5000
Type Of Service parameters: 0×0
Verify data: No
Data pattern:
Vrf Name:
Control Packets: enabled
Schedule:
Operation frequency (seconds): 30 (not considered if randomly scheduled)
Next Scheduled Start Time: Start Time already passed
Group Scheduled : FALSE
Randomly Scheduled : FALSE
Life (seconds): Forever
Entry Ageout (seconds): never
Recurring (Starting Everyday): FALSE
Status of entry (SNMP RowStatus): Active
Threshold (milliseconds): 5000
Distribution Statistics:
Number of statistic hours kept: 2
Number of statistic distribution buckets kept: 1
Statistic distribution interval (milliseconds): 20
Enhanced History:
History Statistics:
Number of history Lives kept: 0
Number of history Buckets kept: 15
History Filter Type: None

I’ve highlighted the pertinent parts of our configuration. Now that we’ve let this run for a bit, lets check the results on both routers:

R1#show ip sla statistics 1

Round Trip Time (RTT) for Index 1
Latest RTT: 68 milliseconds
Latest operation start time: *13:35:48.015 UTC Wed Dec 12 2007
Latest operation return code: OK
Number of successes: 9
Number of failures: 0
Operation time to live: Forever

R3#show ip sla responder
IP SLAs Responder is: Enabled
Number of control message received: 9 Number of errors: 0
Recent sources:
192.168.12.1 [13:36:17.971 UTC Wed Dec 12 2007]
192.168.12.1 [13:35:47.971 UTC Wed Dec 12 2007]
192.168.12.1 [13:35:17.959 UTC Wed Dec 12 2007]
192.168.12.1 [13:34:47.951 UTC Wed Dec 12 2007]
192.168.12.1 [13:34:17.999 UTC Wed Dec 12 2007]
Recent error sources:

Pretty cool, huh? Now you should be asking yourself, “How can I make this information useful?” Good question. One thing we can do is use this SLA entry as an object that can be tracked by other commands. Let’s create a static route that will only be available if the SLA operation we created is successful:

R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#track 1 rtr 1
R1(config-track)#exit
R1(config)#ip route 123.123.123.0 255.255.255.0 192.168.12.2 track 1

As a side note, you’ll notice that the track statement refers to rtr. This is the old name Cisco used for the SLA tool in previous IOS versions. It stands for Response Time Reporter. As you can see, it’s legacy lives on in the current IOS. We can verify that our static route is currently in R1’s routing table:

R1#sh ip route static
123.0.0.0/24 is subnetted, 1 subnets
S 123.123.123.0 [1/0] via 192.168.12.2

Now let’s shut down our Loopback0 interface on R3 (remember that it’s the target of our SLA operation):

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#int lo0
R3(config-if)#shut

This should effectively kill our UDP echo operation:

R1#sh ip sla statistics 1

Round Trip Time (RTT) for Index 1
Latest RTT: NoConnection/Busy/Timeout
Latest operation start time: *13:48:17.903 UTC Wed Dec 12 2007
Latest operation return code: No connection
Number of successes: 32
Number of failures: 1
Operation time to live: Forever

Interesting! Now let’s see if we still have our static route:

R1#sh ip route 123.123.123.0
% Network not in table

Cool! As you can see, we can really take more control of how our networks behave by utilizing the SLA tool. Once we turn R3’s Loopback0 interface back up, we will see the static route reappear in our routing table after the next UDP echo interval.

References

Cisco IOS IP SLAs Configuration Guide, Release 12.4

Service Assurance Agent (SAA) and the Management Engine

Well folks, that’s just the beginning of what this wonderful tool can do. Be sure to scour the references I’ve linked to and see how you can put it to use in your networks.

neteng

Bookmark It

Hide Sites

Posted in HOWTO, Networking, Routing, Tools | 1 Comment »

BGP - Confederations

December 3rd, 2007 neteng

Our lab topic for today is BGP confederations. It assumes a familiarity with BGP and it’s operations. Confederations are useful when you have a large AS filled with BGP-enabled routers, but are limited in spots to partial-mesh connectivity. That is to say, your number of iBGP connections is small and/or it also makes sense to create sub-ASes for business policy reasons. Each confederation is composed of one or more sub-AS (though why you’d have a confederation composed of only a single sub-AS, I don’t know). External ASes do not see the internal structure of the confederation. They will see all communication as coming from only the major AS number. Neighboring routers in each sub-AS treat the connection between each other as eBGP except in regards to the following items:

Administrative Distance - routes advertised between confed-AS peers through BGP will still show up with an iBGP AD of 200
Local Preference - Maintained throughout major AS
MEDs - Maintained throughout major AS
Next-hop - Maintained throughout major AS
AS_PATH length - Maintained throughout major AS

Here’s the diagram for this lab (click on the diagram for a larger version):

Let’s take a look at the BGP configuration for our 4 routers and we’ll go through the main points:

R1

router bgp 100
no synchronization
bgp router-id 150.1.1.1
bgp log-neighbor-changes
redistribute connected
neighbor 192.168.12.2 remote-as 200
no auto-summary

R2

router bgp 65002
no synchronization
bgp router-id 150.1.2.2
bgp log-neighbor-changes
bgp confederation identifier 200
bgp confederation peers 65001
redistribute connected
neighbor 192.168.12.1 remote-as 100
neighbor 192.168.23.3 remote-as 65001
no auto-summary

R3

router bgp 65001
no synchronization
bgp router-id 150.1.3.3
bgp log-neighbor-changes
bgp confederation identifier 200
bgp confederation peers 65002
redistribute connected
neighbor 192.168.23.2 remote-as 65002
neighbor 192.168.23.2 send-community
neighbor 192.168.34.4 remote-as 65001
no auto-summary

R4

router bgp 65001
no synchronization
bgp router-id 150.1.4.4
bgp log-neighbor-changes
bgp confederation identifier 200
bgp confederation peers 65002
redistribute connected
neighbor 192.168.34.3 remote-as 65001
neighbor 192.168.34.3 send-community
neighbor 192.168.34.3 route-map SET_COMMUNITY out
no auto-summary

The key commands when configuring BGP confederations are:

router bgp [sub-AS#]
bgp confederation identifier [main-AS#]
bgp confederation peers [confederation peer AS#s]

Remember that you will always create the bgp process in the router with the sub-AS number. The main AS number is identified with the bgp confederation identifier command and all sub-AS peers are identified through the bgp confederation peers command. Also, in this case, all of our routes are originating from a redistribute connected command, which puts the connected networks of each router in the bgp advertisements. The actual networks aren’t important for this lab; they’re just there to put some meat in our routing tables.

From the diagram and configuration, you can see that we have 2 main ASes - AS100 & AS200. Within AS200, we have two sub-ASes - AS65001 & AS65002. Let’s pull up the BGP table on R1:

R1#sh ip bgp
BGP table version is 21, local router ID is 150.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 111.1.1.0/24 0.0.0.0 0 32768 ?
*> 111.2.2.0/24 0.0.0.0 0 32768 ?
*> 113.3.0.0/16 0.0.0.0 0 32768 ?
*> 150.1.1.0/24 0.0.0.0 0 32768 ?
*> 150.1.2.0/24 192.168.12.2 0 0 200 ?
*> 150.1.3.0/24 192.168.12.2 0 200 ?
*> 172.31.1.0/24 0.0.0.0 0 32768 ?
*> 172.31.2.0/24 192.168.12.2 0 0 200 ?
*> 172.31.3.0/24 192.168.12.2 0 200 ?
*> 172.31.4.0/24 192.168.12.2 0 200 ?
* 192.168.12.0 192.168.12.2 0 0 200 ?
*> 0.0.0.0 0 32768 ?
r> 192.168.12.1/32 192.168.12.2 0 0 200 ?
*> 192.168.12.2/32 0.0.0.0 0 32768 ?
*> 192.168.23.0 192.168.12.2 0 0 200 ?
*> 192.168.23.2/32 192.168.12.2 0 200 ?
*> 192.168.23.3/32 192.168.12.2 0 0 200 ?
Network Next Hop Metric LocPrf Weight Path
*> 192.168.34.0 192.168.12.2 0 200 ?
*> 192.168.34.3/32 192.168.12.2 0 200 ?
*> 192.168.34.4/32 192.168.12.2 0 200 ?

Notice that all routes from R2 (R1’s eBGP-connected neighbor) appear to come only from AS200. This tells us that R1 knows nothing about AS200’s internal sub-ASes. You can make a comparison between the way network summarization works and the way confederations work. If one router is summarizing a group of networks to another router, that other router (in most cases) doesn’t care about the individual subnets contained in the summary. The behavior is virtually identical in this case. The AS_PATH variable will only contain the main AS.

Now let’s see what the bgp table looks like on R2:

R2#sh ip bgp
BGP table version is 23, local router ID is 150.1.2.2
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 111.1.1.0/24 192.168.12.1 0 0 100 ?
*> 111.2.2.0/24 192.168.12.1 0 0 100 ?
*> 113.3.0.0/16 192.168.12.1 0 0 100 ?
*> 150.1.1.0/24 192.168.12.1 0 0 100 ?
*> 150.1.2.0/24 0.0.0.0 0 32768 ?
*> 150.1.3.0/24 192.168.23.3 0 100 0 (65001) ?
*> 150.1.4.0/24 192.168.34.4 0 100 0 (65001) ?
*> 172.31.1.0/24 192.168.12.1 0 0 100 ?
*> 172.31.2.0/24 0.0.0.0 0 32768 ?
*> 172.31.3.0/24 192.168.23.3 0 100 0 (65001) ?
*> 172.31.4.0/24 192.168.34.4 0 100 0 (65001) ?
* 192.168.12.0 192.168.12.1 0 0 100 ?
*> 0.0.0.0 0 32768 ?
*> 192.168.12.1/32 0.0.0.0 0 32768 ?
r> 192.168.12.2/32 192.168.12.1 0 0 100 ?
* 192.168.23.0 192.168.23.3 0 100 0 (65001) ?
*> 0.0.0.0 0 32768 ?
Network Next Hop Metric LocPrf Weight Path
r> 192.168.23.2/32 192.168.23.3 0 100 0 (65001) ?
*> 192.168.23.3/32 0.0.0.0 0 32768 ?
*> 192.168.34.0 192.168.23.3 0 100 0 (65001) ?
*> 192.168.34.3/32 192.168.34.4 0 100 0 (65001) ?
*> 192.168.34.4/32 192.168.23.3 0 100 0 (65001) ?

What does the (65001) under the Path column mean? When we create a confederation, we introduce two new sub-attributes under the AS_PATH attribute: AS_CONFED_SET & AS_CONFED_SEQ. These attributes are in place to prevent loops which can be introduced in the major AS when you have sub-ASes. We can see that NLRIs from R3 & R4 both exhibit these new sub-attributes.

Now let’s take a look at R3’s BGP table:

R3#sh ip bgp
BGP table version is 23, local router ID is 150.1.3.3
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 111.1.1.0/24 192.168.12.1 0 100 0 (65002) 100 ?
*> 111.2.2.0/24 192.168.12.1 0 100 0 (65002) 100 ?
*> 113.3.0.0/16 192.168.12.1 0 100 0 (65002) 100 ?
*> 150.1.1.0/24 192.168.12.1 0 100 0 (65002) 100 ?
*> 150.1.2.0/24 192.168.23.2 0 100 0 (65002) ?
*> 150.1.3.0/24 0.0.0.0 0 32768 ?
*>i150.1.4.0/24 192.168.34.4 0 100 0 ?
*> 172.31.1.0/24 192.168.12.1 0 100 0 (65002) 100 ?
*> 172.31.2.0/24 192.168.23.2 0 100 0 (65002) ?
*> 172.31.3.0/24 0.0.0.0 0 32768 ?
*>i172.31.4.0/24 192.168.34.4 0 100 0 ?
*> 192.168.12.0 192.168.23.2 0 100 0 (65002) ?
*> 192.168.12.1/32 192.168.23.2 0 100 0 (65002) ?
*> 192.168.12.2/32 192.168.12.1 0 100 0 (65002) 100 ?
* 192.168.23.0 192.168.23.2 0 100 0 (65002) ?
*> 0.0.0.0 0 32768 ?
*> 192.168.23.2/32 0.0.0.0 0 32768 ?
Network Next Hop Metric LocPrf Weight Path
r> 192.168.23.3/32 192.168.23.2 0 100 0 (65002) ?
* i192.168.34.0 192.168.34.4 0 100 0 ?
*> 0.0.0.0 0 32768 ?
r>i192.168.34.3/32 192.168.34.4 0 100 0 ?
*> 192.168.34.4/32 0.0.0.0 0 32768 ?

We can really see the confederation paradigm at work here. NLRIs originated by R1 show an AS_PATH containing both the AS65002 sub-AS and the originating AS100. Remember that AS65001 sees AS65002 as being external in this regard.

Also, we can verify that the routes are indeed installed in the Cisco RIB with an iBGP AD of 200:

R3#sh ip route bgp
192.168.12.0/24 is variably subnetted, 3 subnets, 2 masks
B 192.168.12.0/24 [200/0] via 192.168.23.2, 02:18:51
B 192.168.12.1/32 [200/0] via 192.168.23.2, 02:18:51
B 192.168.12.2/32 [200/0] via 192.168.12.1, 02:18:46
113.0.0.0/16 is subnetted, 1 subnets
B 113.3.0.0 [200/0] via 192.168.12.1, 02:18:46
172.31.0.0/24 is subnetted, 4 subnets
B 172.31.2.0 [200/0] via 192.168.23.2, 02:18:51
B 172.31.1.0 [200/0] via 192.168.12.1, 02:18:46
B 172.31.4.0 [200/0] via 192.168.34.4, 02:18:51
111.0.0.0/24 is subnetted, 2 subnets
B 111.2.2.0 [200/0] via 192.168.12.1, 02:18:46
B 111.1.1.0 [200/0] via 192.168.12.1, 02:18:46
150.1.0.0/24 is subnetted, 4 subnets
B 150.1.4.0 [200/0] via 192.168.34.4, 02:18:51
B 150.1.2.0 [200/0] via 192.168.23.2, 02:18:51
B 150.1.1.0 [200/0] via 192.168.12.1, 02:18:46

A final interesting caveat to note is that the BGP decision process changes a little when preferring certain routes over others. When using confederations, NLRIs from external eBGP connections are preferred over NLRIs from confederation-based eBGP connections.

I hope you’ve enjoyed this tutorial. Please email me or leave a comment with any suggestions/questions.

neteng

Bookmark It

Hide Sites

Posted in HOWTO, Networking, Routing | 1 Comment »

Fallback Bridging

November 29th, 2007 neteng

Today, I want to take a closer look at one of the more overlooked topics when it comes to switch configuration: Fallback Bridging. In a world of IP-based applications, few of us rarely come into contact with legacy applications and protocols that may require the use of bridging. But being that a CCIE is considered an Internetworking Expert, it’s something candidates will need to know for the lab exam. And if you ever work in a large enterprise, you may run into this when dealing with old mainframes and ancient equipment.

So let’s go ahead and see what this fallback bridging, aka VLAN bridging, is all about when configured on the Catalyst 3550/3560 platforms. Its main use is to allow machines that speak non-routed or non-supported protocols (SNA, DECNet, AppleTalk, etc.) to communicate across VLANs and routed ports. The idea is to put Switched VLAN Interfaces (SVI) and routed ports (no switchport) for which you want to bridge traffic, into a common bridge group. On the 3550, you’re limited to 31 simultaneous bridge groups (32 on the 3560) and an interface can be a member of only a single bridge group. Another important point to remember is that each VLAN has its own spanning-tree instance. It runs on top of the bridge group to prevent loops.

As always, things are best explained through an example:

If we were asked to configure the switch in the diagram, here’s what we’d do:

CCIE-SW2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
CCIE-SW2(config)#bridge 1 protocol vlan-bridge
CCIE-SW2(config)#int vlan1
CCIE-SW2(config-if)#bridge-group 1
CCIE-SW2(config)#int vlan2
CCIE-SW2(config-if)#bridge-group 1
CCIE-SW2(config)#int fa0/1
CCIE-SW2(config-if)#no switchport
CCIE-SW2(config-if)#bridge-group 1

Now let’s verify that our config took:

CCIE-SW2#sh bridge 1 group

Bridge Group 1 is running the VLAN Bridge compatible Spanning Tree protocol

Port 28 (Vlan1) of bridge group 1 is forwarding
Port 30 (Vlan2) of bridge group 1 is forwarding
Port 31 (FastEthernet0/1) of bridge group 1 is up

That’s all there is to it. Now the switch will build a bridging table and bridge all packets between those interfaces except the following: IPv4 & IPv6, ARP, RARP, LOOPBACK, and Frame Relay ARP.

For more information:

Cisco Documentation: Configuring Fallback Bridging

neteng

Bookmark It

Hide Sites

Posted in Networking, Routing, Switching | 2 Comments »

PIM Sparse Mode - BSR

November 26th, 2007 neteng

Welcome back everyone. I hope you guys were smart enough to avoid following my lead this past weekend and not stuff yourself silly. I’m growing feathers from all the turkey I ate! But I digress…We’re back in action for awhile and I hope to have some good material coming your way.

Let’s begin where we left off and take a look at our common PIM network. We’ve seen static RP assignments and Auto-RP at work, so now we’ll take a look at BSR. It’s really not very complicated if you’re familiar with Auto-RP and you’ll see what I mean as we go through the configuration. The BSR router plays a similar role to the Auto-RP Mapping Agent, but it performs one major function differently. The Auto-RP MA elects an RP based on the announcements it receives from candidate-RPs (C-RP). The BSR router actually sends all mapping possibilities to every PIM router and allows them to elect an RP. They will elect the same RPs for each group though, as every PIM router uses the same hash algorithm.

First, we’ll configure R3 to be our C-RP:

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip pim rp-candidate lo0

Now let’s verify:

R3#sh ip pim rp map
PIM Group-to-RP Mappings
This system is a candidate RP (v2)

Next, let’s configure R2 to be our BSR:

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip pim bsr-candidate lo0

Let’s verify that everything is working as it should be now:

R2#sh ip pim rp map
PIM Group-to-RP Mappings
This system is the Bootstrap Router (v2)

Group(s) 224.0.0.0/4
RP 150.1.3.3 (?), v2
Info source: 192.168.23.3 (?), via bootstrap, priority 0, holdtime 150
Uptime: 00:00:54, expires: 00:01:33

You can see that R3 has been selected as the RP for all multicast groups. Now we’ll ping from our R1 multicast source to R6 and see what happens:

R1#ping 239.39.39.39

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.39.39.39, timeout is 2 seconds:

Reply to request 0 from 192.168.56.6, 452 ms

You can see that R5 is using R3 as it’s RP. This was learned as the BSR sent the announcement to each PIM router (224.0.0.13), and each PIM router forwarded this announcement to it’s neighbors at the same address. Let’s take a look:

R5#sh ip pim rp map
PIM Group-to-RP Mappings

Group(s) 224.0.0.0/4
RP 150.1.3.3 (?), v2
Info source: 150.1.2.2 (?),via bootstrap, priority 0, holdtime 150
Uptime: 00:06:41, expires: 00:02:01

Here’s our mroute table on R5:

R5#sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report,
Z - Multicast Tunnel, z - MDT-data group sender,
Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.39.39.39), 01:29:37/stopped, RP 150.1.3.3, flags: SJC
Incoming interface: FastEthernet0/0, RPF nbr 192.168.35.3
Outgoing interface list:
FastEthernet1/1, Forward/Sparse, 01:29:37/00:02:31

(192.168.12.1, 239.39.39.39), 00:02:56/00:00:10, flags: JT
Incoming interface: FastEthernet0/0, RPF nbr 192.168.35.3
Outgoing interface list:
FastEthernet1/1, Forward/Sparse, 00:02:56/00:02:31

(*, 224.0.1.40), 01:30:15/00:02:27, RP 0.0.0.0, flags: DCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
Loopback0, Forward/Sparse, 01:30:15/00:02:27

As far as basic BSR setup, that’s all there is to it! If you have multiple BSRs, the one with the highest priority will be elected. If they all have the default Cisco priority of 0, then the BSR candidate with the highest IP address will be chosen. If you have multiple RP candidates seeking election, then the BSR will also elect the RP based on the same priority/IP address system.

I hope you’ve found this series of PIM labs useful. I haven’t quite decided what to tackle next, but have some ideas in mind. Suggestions are always welcome! In the meantime though, expect to see a review of CCNA/CCNP training materials provided by our friends at TrainSignal.

neteng

Bookmark It

Hide Sites

Posted in HOWTO, Multicast, Networking, Routing | 1 Comment »

PIM Sparse Mode - Auto RP

November 21st, 2007 neteng

Ok, so I told a small fib in my last post…But this really is the last post for this week! I finished up this lab and decided to go ahead and post it today. We’re using our familiar topology but we’ll be moving away from static RP assignments and using Cisco’s Auto-RP:

We’ve designated R3 as our Rendezvous Point (RP) and R2 as our Mapping Agent (MA). As a quick refresher, the RP acts as the root of the shared distribution tree and the MA is in charge of mapping RPs to multicast groups and disseminating that information out to multicast-participating routers. The dynamic RP system makes for a much simpler setup when you need to make changes in the future. Instead of having to update each individual router with new RP information, you just need to touch a few pieces.

The first thing we’ll want to do is assign our RP-candidate. We’ll do that as follows:

R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#ip pim send-rp-announce lo0 scope 16

As you can see, we’re having R3 announce it’s loopback address (150.1.3.3) as a candidate for RP assignment. The scope requirement on this command sets the TTL on the announcement packets, in order to limit how far they can go. I just picked an arbitrary number of 16. This command tells the router to send an announcement to 224.0.1.39, which every mapping agent is listening on. Now let’s verify that this router is set to announce itself as an RP:

R3#sh ip pim rp map
PIM Group-to-RP Mapping
This system is an RP (Auto-RP)

Next, we’ll assign the mapping duties to R2:

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int lo0
R2(config-if)#ip pim sparse-mode
R2(config-if)#exit
R2(config)#ip pim send-rp-discovery lo0 scope 16

We had to make sure to configure PIM on R2’s loopback interface so it could participate. Now let’s verify that R2 is configured correctly:

R2#sh ip pim rp mapping
PIM Group-to-RP Mappings
This system is an RP-mapping agent (Loopback0)

Group(s) 224.0.0.0/4
RP 150.1.3.3 (?), v2v1
Info source: 150.1.3.3 (?), elected via Auto-RP
Uptime: 00:00:10, expires: 00:02:49

We now see that R2 is our mapping agent and has already picked up the RP announcement coming from R3. It will now announce the RP assignment to multicast group 224.0.1.40 on which the PIM-configured routers listen. For curiosity’s sake, let’s see what would happen if we also configured R5 to also announce itself as an RP:

R2#sh ip pim rp map
PIM Group-to-RP Mappings
This system is an RP-mapping agent (Loopback0)

Group(s) 224.0.0.0/4
RP 150.1.5.5 (?), v2v1
Info source: 150.1.5.5 (?), elected via Auto-RP
Uptime: 00:05:50, expires: 00:02:08
RP 150.1.3.3 (?), v2v1
Info source: 150.1.3.3 (?), via Auto-RP
Uptime: 00:24:37, expires: 00:02:23

R5 is now the RP of choice as it won out over R3. This is because of the higher IP address on R5. If R5 were to die, R2 would assign the RP duties to R3 to keep things going.

Ok, let’s take R5 out of the RP game and put things back to where they were. Now we’ll ping from R1 to the 239.39.39.39 group again (of which R6 is a member). Here is what our mroute table will look like on R5:

R5#sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report,
Z - Multicast Tunnel, z - MDT-data group sender,
Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.39.39.39), 00:01:29/stopped, RP 150.1.3.3, flags: SJC
Incoming interface: FastEthernet0/0, RPF nbr 192.168.35.3
Outgoing interface list:
FastEthernet1/1, Forward/Sparse, 00:01:29/00:02:23

(192.168.12.1, 239.39.39.39), 00:00:04/00:02:55, flags: JT
Incoming interface: FastEthernet0/0, RPF nbr 192.168.35.3
Outgoing interface list:
FastEthernet1/1, Forward/Sparse, 00:00:04/00:02:55

….unnecessary info omitted….

Results from our ping:

R1#ping 239.39.39.39

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.39.39.39, timeout is 2 seconds:

Reply to request 0 from 192.168.56.6, 468 ms

Hope this was informative! We’ll return with a vengeance next week and tackle BSR along with other exciting topics. Enjoy the long weekend…

neteng

Bookmark It

Hide Sites

Posted in HOWTO, Multicast, Networking, Routing | 2 Comments »

PIM Sparse Mode - Static RP

November 20th, 2007 neteng

Welcome back to the PIM show! I know you’re just chomping at the bit to continue our PIM routing escapades, so we’ve come back to another lab…this time featuring sparse mode routing. We’re going to use the same topology as our dense mode lab and tweak things a little bit. For this lab, we’re just going to implement a static RP device. After this lab, we’ll dive into Auto-RP & BSR. Here’s our sparse mode topology:

We’re going to use the loopback0 interface of R3 as the RP address. This address must be reachable via our IGP. The first thing we’ll want to do is enable PIM on the loopback interface:

R4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R4(config)#int lo0
R4(config-if)#ip pim sparse-mode
R4(config-if)#exit
*Nov 20 09:19:23.503: %PIM-5-DRCHG: DR change from neighbor 0.0.0.0 to 150.1.3.3 on interface Loopback0

Next, we need to statically assign the RP to each router participating in PIM (R2, R3 and R5):

R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#ip pim rp-address 150.1.3.3

It’s important that remember to configure this on our RP as well, because it will not accept it’s status as an RP and you’ll get a message such as this:

*Nov 20 10:38:15.419: %PIM-1-INVALID_RP_REG: Received Register from router 192.168.23.2 for group 239.39.39.39, 150.1.3.3 not willing to be RP

We can verify that the RP is now assigned with the following command:

R2#sh ip pim rp mapping
PIM Group-to-RP Mappings

Group(s): 224.0.0.0/4, Static
RP: 150.1.4.4

As you can see, the default mapping for the RP assignment is for all IP multicast groups. If you wanted to, you could have multiple RPs for different multicast groups by using ACLs. It could look something along the lines of this:

access-list 1 permit 239.0.0.0 0.255.255.255
ip pim rp-address 150.1.3.3 1
ip pim rp-address 150.1.4.4

This is saying “I want to use R3 as my RP for all multicast traffic going to 239.x.x.x.”
Here is what our mappings would look like in conjunction with the first assignment:

R3#sh ip pim rp mapping
PIM Group-to-RP Mappings

Group(s): 224.0.0.0/4, Static
RP: 150.1.4.4 (?)
Acl: 1, Static
RP: 150.1.3.3

Okay, now lets do a test ping from R1 to R6 (who is still joined to our 239.39.39.39 group from our previous dense-mode lab, via the ip igmp join-group command) and see how our mroute table looks from R5’s perspective:

R5#sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report,
Z - Multicast Tunnel, z - MDT-data group sender,
Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.39.39.39), 00:05:01/stopped, RP 150.1.3.3, flags: SJC
Incoming interface: FastEthernet0/0, RPF nbr 192.168.35.3
Outgoing interface list:
FastEthernet1/1, Forward/Sparse, 00:05:01/00:02:58

(192.168.12.1, 239.39.39.39), 00:02:28/00:02:20, flags: JT
Incoming interface: FastEthernet0/0, RPF nbr 192.168.35.3
Outgoing interface list:
FastEthernet1/1, Forward/Sparse, 00:02:28/00:02:58

(*, 224.0.1.40), 00:05:05/00:02:58, RP 150.1.3.3, flags: SJPCL
Incoming interface: FastEthernet0/0, RPF nbr 192.168.35.3
Outgoing interface list: Null

As you can see, we have our (*, 239.39.39.39) group which is part of the shared tree initially created by PIM sparse mode. Once the source-based tree is built, multicast packets are no longer forwarded along the shared tree and therefore you see the stopped message in the shared tree entry. In our case, the topology is pretty limited so the shared tree and source-based tree are essentially the same.

That’s all there is to it. I hope this was useful for you. As always, comments are welcome!

neteng

Bookmark It

Hide Sites

Posted in HOWTO, Multicast, Networking, Routing | 1 Comment »

PIM Dense Mode

November 19th, 2007 neteng

Our first PIM lab will deal with dense mode PIM. If you need a refresher, please refer back to my previous post for a brief overview on dense mode. It also wouldn’t hurt to review some other documentation before you dive in.

Let’s take a look at our topology:

We have OSPF as our IGP providing full connectivity throughout the domain. Our first step is to get multicast routing up and running on all routers (except R4) with the following command:

ip multicast-routing

We can verify this with the show ip multicast command:

R1#sh ip multicast
Multicast Routing: enabled
Multicast Multipath: disabled
Multicast Route limit: No limit
Multicast Triggered RPF check: enabled
Multicast Fallback group mode: Sparse
Multicast DVMRP Interoperability: disabled

The next step is to enable dense mode PIM on the appropriate interfaces. We use the following command at the interface configuration level in our Cisco routers:

ip pim dense-mode

We can verify that we have PIM connectivity through the show ip pim neighbors command. If we run into trouble, we can also make sure that we have PIM enabled on the correct interfaces via show ip pim interface

R2#sh ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
S - State Refresh Capable
Neighbor Interface Uptime/Expires Ver DR
Address Prio/Mode
192.168.23.3 FastEthernet1/0 00:54:07/00:01:19 v2 1 / DR S

R2#sh ip pim interface

Address Interface Ver/ Nbr Query DR DR
Mode Count Intvl Prior
192.168.12.2 FastEthernet0/0 v2/D 0 30 1 192.168.12.2
192.168.23.2 FastEthernet1/0 v2/D 1 30 1 192.168.23.3

Now that we’ve got our multicast routing in place, it’s time to have R6 use IGMP to join the 239.39.39.39 multicast group. We’ll use the following interface configuration command on the link from R6 to R5:

ip igmp join-group 239.39.39.39

Once we’ve done this, we can now ping 239.39.39.39 from R1. We see the following on R1:

R1#ping 239.39.39.39

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.39.39.39, timeout is 2 seconds:

Reply to request 0 from 192.168.56.6, 332 ms

We also see that an mroute has been built for this source,group (S,G) pair along the PIM-enabled path:

R3#sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report,
Z - Multicast Tunnel, z - MDT-data group sender,
Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.39.39.39), 00:02:19/stopped, RP 0.0.0.0, flags: D
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
FastEthernet1/0, Forward/Dense, 00:02:19/00:00:00
FastEthernet0/0, Forward/Dense, 00:02:19/00:00:00

(192.168.12.1, 239.39.39.39), 00:02:19/00:00:43, flags: T
Incoming interface: FastEthernet0/0, RPF nbr 192.168.23.2
Outgoing interface list:
FastEthernet1/0, Forward/Dense, 00:02:19/00:00:00

(*, 224.0.1.40), 00:21:50/00:02:49, RP 0.0.0.0, flags: DCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
FastEthernet1/0, Forward/Dense, 00:21:22/00:00:00
FastEthernet0/0, Forward/Dense, 00:21:50/00:00:00

Success! Now let’s make this a little more interesting. As of right now, here is how R5’s routing entry for the 192.168.12.0 network looks:

R5#sh ip route 192.168.12.0
Routing entry for 192.168.12.0/24
Known via “ospf 1″, distance 110, metric 3, type intra area
Last update from 192.168.45.4 on FastEthernet1/0, 01:25:30 ago
Routing Descriptor Blocks:
192.168.45.4, from 150.1.2.2, 01:25:30 ago, via FastEthernet1/0
Route metric is 3, traffic share count is 1
* 192.168.35.3, from 150.1.2.2, 01:25:30 ago, via FastEthernet0/0
Route metric is 3, traffic share count is 1

As you can see, R5 has a route through both R3 & R4 back to our multicast source. Let’s suspend reality for a minute and assume that the real bandwidth of the link between R5 & R3 is 10Mbps. Lets go ahead and decrease the stated bandwidth on the link between R5 & R3 so that R5 will prefer the route through R4. Here is the current bandwidth:

R5#sh int fa0/0
FastEthernet0/0 is up, line protocol is up
Hardware is DEC21140, address is ca04.0570.0000 (bia ca04.0570.0000)
Internet address is 192.168.35.5/24
MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,

Now let’s change that:

R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R5(config)#int fa0/0
R5(config-if)#bandwidth 10000

Now we look at the interface again:

FastEthernet0/0 is up, line protocol is up
Hardware is DEC21140, address is ca04.0570.0000 (bia ca04.0570.0000)
Internet address is 192.168.35.5/24
MTU 1500 bytes, BW 10000 Kbit, DLY 100 usec,

Let’s see how our route looks now:

R5#sh ip route 192.168.12.0
Routing entry for 192.168.12.0/24
Known via “ospf 1″, distance 110, metric 3, type intra area
Last update from 192.168.45.4 on FastEthernet1/0, 00:04:47 ago
Routing Descriptor Blocks:
* 192.168.45.4, from 150.1.2.2, 00:04:47 ago, via FastEthernet1/0
Route metric is 3, traffic share count is 1

Okay, now lets try to ping from our source again:

R1#ping 239.39.39.39

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.39.39.39, timeout is 2 seconds:
.

Nothing…Now if you recall, we do not have multicast configured on R4. When R5 runs a Reverse Path Forwarding (RPF) check on the multicast packet, it will drop the packet. This is because it is coming through a different interface then what the unicast routing table has as the outgoing interface for the source network (towards R4). Let’s run the following command on R5 to see how the router displays this:

R5#sh ip mroute count
IP Multicast Statistics
3 routes using 2038 bytes of memory
2 groups, 0.50 average sources per group
Forwarding Counts: Pkt Count/Pkts(neg(-) = Drops) per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)

Group: 239.39.39.39, Source count: 1, Packets forwarded: 0, Packets received: 1
Source: 192.168.12.1/32, Forwarding: 0/0/0/0, Other: 1/1/0

Group: 224.0.1.40, Source count: 0, Packets forwarded: 0, Packets received: 0

As you can see, we have an RPF failure here. We can fix this in a couple of ways. One, we can manipulate our unicast routing protocol so it will favor the PIM-enabled path. Another way would be to enter a static mroute on R5 to the source device using R3 as its next hop. This would allow multicast packets to be forwarded out a non-RPF interface. Let’s go ahead and try this second method out:

R5#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R5(config)#ip mroute 192.168.12.1 255.255.255.255 192.168.35.3

This creates our static mroute as seen here:

R5#sh ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
L - Local, P - Pruned, R - RP-bit set, F - Register flag,
T - SPT-bit set, J - Join SPT, M - MSDP created entry,
X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
U - URD, I - Received Source Specific Host Report,
Z - Multicast Tunnel, z - MDT-data group sender,
Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 239.39.39.39), 00:03:26/stopped, RP 0.0.0.0, flags: DC
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
FastEthernet1/1, Forward/Dense, 00:03:26/00:00:00
FastEthernet0/0, Forward/Dense, 00:03:26/00:00:00

(192.168.12.1, 239.39.39.39), 00:01:40/00:02:24, flags: T
Incoming interface: FastEthernet0/0, RPF nbr 192.168.35.3, Mroute
Outgoing interface list:
FastEthernet1/1, Forward/Dense, 00:01:40/00:00:00

(*, 224.0.1.40), 00:04:12/00:02:38, RP 0.0.0.0, flags: DCL
Incoming interface: Null, RPF nbr 0.0.0.0
Outgoing interface list:
FastEthernet0/0, Forward/Dense, 00:04:12/00:00:00

Now let’s try to ping 239.39.39.39 from R1 again:

R1#ping 239.39.39.39

Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 239.39.39.39, timeout is 2 seconds:

Reply to request 0 from 192.168.56.6, 208 ms

Voila!

I hope this little lab was useful for you. As always, comments are appreciated via the comments section or via email.

neteng

Bookmark It

Hide Sites

Posted in HOWTO, Multicast, Networking, Routing | 1 Comment »

Multicast Routing - PIM

November 16th, 2007 neteng

Today, we’re going to take a look at multicast routing, specifically the PIM protocol. This article assumes you already have a grasp of multicast basics such as addressing and IGMP. If not, I recommend reading Cisco’s IP Multicast doumentation before going on. I’m just going to provide a general overview of PIM and it’s various modes and parts. Later on, we’ll do some lab-type scenarios where we’ll dive into things a little bit deeper. I also want to keep this as general as possible too, because there is so much good documentation already on the web for PIM and I’ve linked to some of these at the bottom of this article.

The name, Protocol Independent Multicast (PIM), gives you a pretty good idea of how it operates. There are a few other routing protocols for multicast traffic besides PIM, such as DVMRP and MOSPF. The key difference between PIM and DVMRP is that PIM doesn’t need to generate it’s own routing table. It relies on the unicast routing table to perform it’s packet forwarding. DVMRP builds a separate routing table which can take up precious memory and processing power. When it comes to MOSPF, the major difference is that MOSPF relies on OSPF as the unicast routing protocol. MOSPF is built on top of OSPF v2 through extensions. PIM doesn’t care what you’re running underneath it. It can use static routes, IS-IS, BGP, RIP, etc.

Before we go any further, I want to take a moment to discuss a key concept in multicast routing: the Reverse Path Forwarding (RPF) check. The RPF check is how multicast routing protocols prevent loops and inferior paths from ruining your day. When a router receives a multicast packet on an interface, it needs to decide whether or not to forward it or drop it. This decision is based on whether or not the packet came into an interface from which the unicast routing table has designated as the way out for the device sourcing the multicasts. Let’s look at this concept through an example:

Host 192.168.1.3 is sending multicast packets to destination 239.1.1.1. A PC is listening for multicasts to this destination and sits on a segment off of R3. R3 has a single path in its unicast routing table back to 192.168.1.0/24, which is out Serial0/0 and towards R2. Therefore, when a multicast packet is sourced from 192.1681.3 and forwarded from both R1 & R2, R3 drops the packet from R1 as it fails the RPF check. It forwards the packet from R2 though, as it passes the RPF check.

With that said, lets take a look at the various ways in which PIM can operate:

Dense Mode - Dense mode is considered to employ a push implementation of multicast routing. It floods multicast packets on the assumption that all other routers want to receive the traffic. If a router does not, it simply sends a prune message back towards the source. Dense mode produces a source-based tree system, meaning that the source is the root of the multicast packet distribution. It is rarely used in production networks these days, because of the fact that these floods can temporarily hog resources in large networks. A lot of financial companies utilize multicast (notably trading floors) and therefore any crippling spike in resource usage could literally cost folks money. Here’s a diagram of dense mode behavior:

Sparse Mode - Sparse mode is more widely used in today’s multicast networks. It uses a pull based system, assuming that other routers will explicitly request multicast packets. Initially, a shared-tree is built from a router designated as the Rendezvous Point (RP). All paths to and from the multicast source must first come through here until a source-based tree is built. If the direct unicast path from a multicast router to the multicast source has a better metric then the shared-tree path, a source-based tree will be built directly to the source. The gotcha with sparse-dense mode is that, if for whatever reason your RP fails or is not reachable, PIM will default to dense mode and flood packets accordingly. This can be avoided by configuring a sink RP which is a static-RP statement that will essentially take over. Another option is to add the no ip pim dm-fallback command to prevent dense-mode fallback. Here’s a diagram of sparse mode behavior:

Sparse-Dense Mode - This is essentially sparse mode with two multicast groups that operate in dense mode (groups 224.0.1.39 and 224.0.1.40). This is used to accommodate the Auto-RP protocol which we’ll define shortly.  The same dense-mode fallback pitfalls we saw with pure sparse-mode apply to sparse-dense as well. Again, we’ll dive into this a bit more further down the article.

Bidirectional Mode - Bidirectional PIM was created with the idea of efficient scaling when dealing with many multicast sources. Typically, multicast is a one-to-many operation. But when you have a many-to-many setup, bidirectional PIM is useful. It operates similarly to sparse mode in that a shared-tree is created, but instead of being unidirectional, the tree is bidirectional. That is to say, traffic flows not just from the source to the destination through the shared tree, but from the destination to the source as well. It does not allow for creation of source-based trees and therefore helps to limit heavy traffic flows to only one path.

Okay, so we’ve covered the various modes employed by PIM to achieve harmony in our multicast routing domain! Now, being the wise network guru that you are, you’ve obviously chosen to implement sparse mode in your network. We know that we’ll need an RP. There are 3 ways choose an RP:

Static RP - Self-explanatory. Pick your RP and configure every multicast-enabled router to point towards it.

Auto-RP - A Cisco-proprietary protocol that elects an RP. It can be used to lessen manual configuration and provide backup RPs in case of primary RP failure. Components of AutoRP include candidate-RPs (C-RP) and mapping agents (MA). C-RPs attempt to become an RP by having the MA elect them. The MA then floods the RP-to-group mappings to all multicast-routers, providing them with an RP to use. Now there are two ways you can configure PIM to work with Auto-RP. One way is to configure sparse-dense mode throughout your network in order to send multicast requests for RP election and assignment. This is because these requests are sent via multicast packets to 224.0.1.39 and 224.0.1.40. Without an RP already configured, these packets cannot be sent via a shared-tree to the RP! A second way is to configure your network to use pure sparse mode and configure the ip pim auto-rp listener command on each router. This forces the router to use dense mode for only the 224.0.1.39 and 224.0.1.40 groups.

Bootstrap Router (BSR) - BSR is an open protocol that functions similarly to Auto-RP. The BSR acts in a way similar to the Auto-RP MA, mapping RPs to multicast groups. There are two big differences between Auto-RP and BSR. First is the fact that BSR does not need dense mode to communicate. All communication is done through a combination of unicast messages and a special hop-by-hop All-PIM-Routers multicast address (224.0.0.13). Secondly, BSR does not perform the actual RP election. If there are multiple candidate-RPs, it sends all RP mappings to all PIM routers and they make the decision. But, this decision is bound to be the same across all PIM routers as they run the same hash function to determine a winner.

Once again, thank you for taking the time to read through this. I hope it’s been helpful and I appreciate all feedback and questions. We’ll do some lab work soon to show how things look from a router’s perspective!

neteng

Interesting reading available here:

PIM Sparse Mode RFC
PIM Dense Mode RFC
Financial Services Design for High Availability
IP Multicast and PIM Rendezvous Points

Bookmark It

Hide Sites

Posted in HOWTO, Multicast, Networking, Routing | 1 Comment »

Policy Routing

November 15th, 2007 neteng

Today, I thought I’d put up a basic scenario concerning our good friend, policy routing.

Let’s say that you’ve just been called in to consult for a company. They’re looking for a way to force visitors/vendors to go through a web filter when using the Internet. The company has set up a group of six PCs for these visitors to use on the same network as their employees. All PCs are on a network of 172.16.1.0/24. The six visitor PCs are assigned addresses starting at 172.16.1.17 and ending at 172.16.1.22. This group of six PCs can be summarized as a 172.16.1.16/29 subnet.

The company has a single internal Cisco router being used as a default gateway for all users. This router has two serial ports (Serial0/0 and Serial0/1) and two fast ethernet ports (FastEthernet0/0 and Fast Ethernet0/1). Serial 0/0 is connected directly to a WAN router which is connected to the Internet. Standard employees have unfettered access to the Internet through this path. The inside port of the web filter is attached directly to the S0/1 port of the internal router and the outside port of the web is attached to the WAN router. Let’s also say that there is an internal web server that is accessible through the internal router (out of port fa0/1) and it holds data that your visitors need to access through http/https browsing. This server has an IP address of 192.168.1.253. Your task is to somehow redirect Internet traffic coming from the visitor PCs away from the default WAN route and towards the web filter in order to comply with the corporate security policy. Now there may be a much better way to meet these requirements by changing the physical topology, etc…but you’re being tasked to work with the current setup and adapt the configuration. Here is a diagram of the topology:

The processing of the packet is generally as follows:

We need to start by creating an access-list that matches the traffic we want to affect. We do this by matching all http and https traffic coming from the summary subnet of 172.16.1.16/29 and permitting that traffic to any host/network. BUT, remember that we also have to make sure that traffic to the Intranet webserver is not affected. To make sure this is the case, we need to deny http/https traffic from 172.16.1.16/29 to the web server. The router already has a route to directly connected subnet of the web server, so after being ‘unmatched’ by the route-map, traffic to the server will be routed through the normal routing table. This is how our access-list could look:

ip access-list extended VISITOR_TRAFFIC
deny tcp 172.16.1.16 0.0.0.248 host 192.168.1.253 eq 80
deny tcp 172.16.1.16 0.0.0.248 host 192.168.1.253 eq 443
permit tcp 172.16.1.16 0.0.0.248 any eq 80
permit tcp 172.16.1.16 0.0.0.248 any eq 443

It’s also good to remember that at the end of every ACL, there is an implied deny ip any any.

Next we will need to configure our route-map to match the access-list and perform the redirect action on the packet:

route-map VISITOR_REDIRECT permit 10
match ip address VISITOR_TRAFFIC
set interface Serial0/1

Now we will apply the route-map to the incoming interface (in our case, FastEthernet0/0):

interface FastEthernet0/0
ip policy route-map VISITOR_REDIRECT

Remember also that policy routing only works on incoming packets, so there are no in or out options associated with the ip policy route-map command.

I hope you’ve found this brief example useful for your studies, job, etc. As always, please email me with any comments or questions.

neteng

Bookmark It

Hide Sites

Posted in HOWTO, Networking, Routing | 1 Comment »