Post on 29-Nov-2014
ProCurve Networking by HP
Student guide Technical training
IP Routing Foundations Version 5.21
Rev. 5.21 1
Contents
Overview
Introduction ..... Overview–1
Course objectives ..... Overview–1
Prerequisites ..... Overview–1
Course module overviews ..... Overview–2
Course agenda ..... Overview–3
Additional information ..... Overview–4
Module 1: IP Routing Basics
Objectives ..... 1–1
General network connectivity goals ..... 1–2
Scenario: ProCurve University ..... 1–3
Router interfaces and port state ..... 1–4
Route tables and local address ranges ..... 1–6
The route table ..... 1–6
Multinetted interface ..... 1–8
When multinetting is appropriate ..... 1–8
Loopback interface ..... 1–10
Learning about remote networks ..... 1–11
Routing protocol categories ..... 1–12
RIP and OSPF ..... 1–13
Standard IGPs for IP networks ..... 1–14
The disadvantage of RIP ..... 1–14
Link-state protocols ..... 1–15
Router1 RIP update to Router2 ..... 1–16
Cost ..... 1–16
RIP v2 use of multicast ..... 1–17
Router2 updates its route table ..... 1–18
Router2 RIP update to Router1 ..... 1–19
Router2 RIP update to Router3 ..... 1–20
Router3 updates its route table ..... 1–21
Assessing this topology ..... 1–22
Providing a routed mesh ..... 1–23
Split horizon in a routed mesh ..... 1–24
Processing inbound RIP updates ..... 1–25
Link failure recovery in mesh (1) ..... 1–27
Link failure recovery in mesh (2) ..... 1–28
Link failure recovery in mesh (3) ..... 1–29
Poisoned Reverse ..... 1–30
Connecting to a core router ..... 1–31
Connecting to a core routing switch ..... 1–32
Connecting to redundant core ..... 1–33
Routing among locations at ProCurve University ..... 1–34
Dynamic route exchange ..... 1–35
Network summarization ..... 1–36
Summarization of address space using static routes ..... 1–37
Route table lookup ..... 1–39
Advertising static routes ..... 1–40
Equal cost multipath ..... 1–41
Module 1 summary ..... 1–42
Module 2: OSPF Routing
Objectives ..... 2–1
OSPF at ProCurve University ..... 2–2
Basic OSPF interactions ..... 2–3
OSPF routing protocol ..... 2–4
OSPF hierarchy: Routers and networks ..... 2–5
OSPF Router ID ..... 2–5
OSPF adjacencies ..... 2–5
OSPF network types ..... 2–6
OSPF area ..... 2–7
OSPF hierarchy: Autonomous System ..... 2–9
OSPF router boots up ..... 2–10
Hello messages ..... 2–10
Exchanging Hello packets ..... 2–11
Two-way neighbor recognition ..... 2–13
Designated Router election ..... 2–14
Exchanging Database descriptions ..... 2–15
Link State Request packet ..... 2–17
Link State Update packet ..... 2–18
Updating the Link State Database ..... 2–19
Originating new LSAs ..... 2–20
Flooding LSAs in Link State Update packet ..... 2–21
R1A’s LSA ..... 2–22
SPF tree and IP route table ..... 2–23
Summary of OSPF packet types ..... 2–25
Summary of OSPF LSA types confined to a single area ..... 2–27
Distribution of link state changes ..... 2–28
Impact of link state changes ..... 2–29
Connecting to existing multi-access network ..... 2–30
Recognizing a new router on a multi-access network ..... 2–31
Database synchronization ..... 2–32
Adjacencies established, database synchronized ..... 2–33
Flood new LSAs ..... 2–34
Acknowledging flooded LSAs ..... 2–35
Designated Router adjacency responsibilities ..... 2–36
Designated Router LSA flooding responsibilities ..... 2–37
Non-DR LSA flooding responsibilities ..... 2–38
OSPF network types ..... 2–39
Finding the shortest path ..... 2–41
OSPF’s performance in large intranet ..... 2–42
OSPF scalability ..... 2–44
Area Border Router (ABR) ..... 2–44
Multiple areas and adjacency ..... 2–45
ABR link state database synchronization ..... 2–46
LSA flow between areas ..... 2–47
Flooding Summary LSAs ..... 2–48
Hierarchical addressing enables summarization ..... 2–49
Summary of OSPF LSA types ..... 2–50
External route information ..... 2–51
Redistributing non-OSPF network information ..... 2–52
ASBR ..... 2–53
Stub-area type: Injecting the default route ..... 2–54
Locating the ASBR ..... 2–55
Stub and “totally stubby” area ..... 2–56
Not-so-stubby area (NSSA) ..... 2–57
Module 2 summary ..... 2–58
Module 3: Default Gateway Redundancy Protocols
Objectives ..... 3–1
Redundant router interfaces ..... 3–2
Redundant links: Physical view ..... 3–3
Redundant links: Logical view ..... 3–4
Impact of device failure ..... 3–5
Edge switch failure ..... 3–5
Router failure ..... 3–5
Providing a second router ..... 3–7
Why failover is not automatic (1) ..... 3–8
Why failover is not automatic (2) ..... 3–9
Why failover is not automatic (3) ..... 3–10
Automatic failover for default gateway ..... 3–11
Common characteristics and operations ..... 3–12
Virtual Router Redundancy Protocol ..... 3–14
Virtual routers in VRRP ..... 3–15
VRRP: Actual and virtual IP addresses ..... 3–16
VRRP: Master and Backup states ..... 3–17
VRRP: Virtual MAC address ..... 3–18
VRRP Master broadcasts “gratuitous ARP” ..... 3–19
Master accepts traffic sent to virtual MAC address ..... 3–20
Virtual MAC address enables automatic failover ..... 3–21
VRRP advertisements ..... 3–22
VRRP advertisement packet format ..... 3–23
VRRP support for load sharing ..... 3–24
Considering link failure vs. device failure ..... 3–25
Mixed virtual router states (1) ..... 3–26
Mixed virtual router states (2) ..... 3–27
Proprietary variations and enhancements ..... 3–28
VRRPE: Virtual and actual IP addresses ..... 3–29
XRRP ..... 3–30
Module 3 summary ..... 3–31
Module 4: ACL Theory
Objectives ..... 4–1
Device security and access control ..... 4–2
Identity-based security ..... 4–2
Role-based security ..... 4–2
Rule-based security ..... 4–3
Basic security principles: Physical security example ..... 4–4
Security threats ..... 4–5
Basic security principles: Additional layer of physical security ..... 4–6
Comparing physical and virtual security ..... 4–7
Planning for rule-based access control ..... 4–8
Rule-based access control example ..... 4–10
Selection criteria in IP header ..... 4–11
Determine which port(s) will filter traffic ..... 4–12
A rule that may be applied to ingress or egress ports ..... 4–13
The implied “deny any” rule ..... 4–14
Impact of applying Rule 1 at ingress port ..... 4–15
Impact of applying Rule 1 at egress port ..... 4–16
Associating users with resource requirements ..... 4–17
Inbound ACL recommendations ..... 4–17
Outbound ACL recommendations ..... 4–18
Define characteristics of resources ..... 4–19
Strategies for defining inbound ACLs ..... 4–20
Access control for faculty users ..... 4–21
Access control criteria in TCP and UDP headers ..... 4–22
Permit faculty user access to curriculum server network ..... 4–24
Permit faculty user access to SMTP services ..... 4–25
Deny faculty user access to administrative servers ..... 4–26
Permit faculty user Internet access ..... 4–27
Access control for student users ..... 4–28
Permit student access to web registration server ..... 4–29
Deny student traffic destined for administrative servers ..... 4–30
Student Internet access ..... 4–31
Access control of admin users ..... 4–32
Permit admin user access to web registration server ..... 4–33
Permit admin access to HR and admin servers ..... 4–34
Access control for guests ..... 4–35
Deny guest access to intranet destinations ..... 4–36
Permit guest access to Internet destinations ..... 4–37
Module 4 summary ..... 4–38
Learning Check Answers
Overview
Introduction
IP Routing Foundations provides the basic knowledge of routing technologies necessary to prepare for Routing Switch Essentials. Designed to be delivered as a self-paced prestudy or in the classroom, IP Routing Foundations focuses on standards, theories, and technologies and is not dependent on ProCurve products or features.
Before taking IP Routing Foundations, students should complete Adaptive EDGE Fundamentals or have attained equivalent background. The topics in Adaptive EDGE Fundamentals include:
Basic Ethernet technology
IP addressing
VLANs
Spanning Tree
Link Aggregation
Fundamentals of switch technology
Traffic prioritization
Course objectives
During this course, you will:
Learn basic routing and traffic filtering technologies, including redundant default gateway protocols, Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Access Control Lists (ACLs)
Prepare for the Routing Switch Essentials instructor-led course
Prerequisites
Adaptive EDGE Fundamentals
Course module overviews
Module 1, “IP Routing Basics,” describes RIP, static routes, and other information necessary to develop routed networks in the contemporary enterprise.
Module 2, “OSPF Routing,” introduces the basic features and processes of the OSPF routing protocol.
Module 3, “Default Gateway Redundancy and Protocols,” describes the Virtual Router Redundancy Protocol and other technologies designed to ensure the availability of default gateways.
Module 4, “ACL Theory,” describes the theory and planning for ACLs.
Course agenda
IP Routing Foundations is designed to be a self-paced prestudy for Routing Switch Essentials. Students should complete each section and its related Learning Check before moving to the next topic.
Additional information
• The HP Certified Professional (HPCP) program is a world-class certification program benchmarked around the world to ensure validation of the technical and sales competencies and expertise needed to plan, deploy, support and service HP technology and solutions
• ProCurve participates in the Sales and Integration Tracks within HPCP
• This course, along with Routing Switch Essentials, prepares you for the required exam for ASE – Routing Switch Essentials
• The exam number for this course is HPO-790
• For more information on HPCP, go to www.hp.com/certification
• For more information on HP ProCurve Training and Certification, go to http://www.hp.com/rnd/training/certifications.htm
IP Routing Foundations is part of a series of courses on ProCurve products. For more information, visit the ProCurve Web site.
Module 1: IP Routing Basics
Objectives: After completing this module, you will be able to:
Categorize sources of routing information
• Static and dynamic
• Interior and exterior
• Distance vector and link state
Describe how a router builds its route table and how it chooses the best match from the table’s entries
Describe reasons for defining multinetted interfaces
Explain the value of a loopback interface
Describe the process a router uses to choose a path when its route table includes multiple equal cost paths to the same destination
General network connectivity goals
Establish connectivity among clients and resources
• Routers must obtain enough information to find the best path to each address range and collect the information in a route table
Routing efficiency, economy, scalability
• Each route table entry specifies an address range that may represent:
  – A single network (broadcast domain)
  – A range of networks whose address space can be expressed as a starting address and mask
• Summarize address space whenever possible to minimize the number of route table entries
Enable selective forwarding based on resource needs
• Arrange clients and addressing scheme to selectively enable access to resources
• Goals of limiting resource access may be based on traffic shaping or security requirements
• Alternate paths for link failover
  – Unlike STP, all links active (no blocked links)
In general, routers exist to connect clients and resources. Routers learn the most efficient way to reach each address range, collect the information, and organize it in a route table. To enable routers to function efficiently, a medium-to-large enterprise will use a hierarchical addressing scheme. Hierarchical addressing enables an administrator to summarize the address range at remote locations using the smallest number of route table entries. This is only possible when hosts within an IP address range are at the same physical location. A sound IP addressing scheme enables an intranet to scale to a very large size without exceeding the capabilities of its routers.
Routers enable any-to-any communication. However, not all users are necessarily able to reach all resources. This is true for two reasons:
1. Users simply don’t need all intranet resources.
2. Some user/resource pairs must be disallowed to conform to security policies.
The actual mechanisms used for traffic filtering are beyond the scope of this module and will be discussed later in the course. However, to enable the development of efficient traffic filters, administrators must take great care when planning their IP addressing schemes. Basically, the IP addresses of clients with common resource requirements should be within a range that can easily be expressed by a starting address and mask. This module will provide more detail on this topic.
Scenario: ProCurve University
• The university comprises three campuses
• Each campus supports a variety of users
  – Students and guests
  – Faculty and administration
• Each campus supports a variety of applications, including web, e-mail, and multimedia conferencing
[Figure: Northeast, Southwest, and Northwest campuses, each connected to a high-speed core by a 10 GbE link]
This module and the rest of IP Routing Foundations will refer to ProCurve University whenever it is useful to illustrate a basic technology principle. The fictional university consists of three campuses connected by a high-speed core. The university supports four types of users—students, guests, faculty, and administrators—and a typical array of enterprise applications.
The university will appear more regularly in Routing Switch Essentials, which focuses heavily upon the deployment and configuration of ProCurve routing switches.
Router interfaces and port state
Every vendor’s router supports one or more of the following interface types:
• Physical
  – Created by assigning an IP address and mask to a physical port
  – Interface state may be “up” only if the physical port state is “up”
• Virtual
  – Associates IP address and mask with a VLAN
  – Interface state may be “up” if at least one of the ports in the VLAN is “up”
• Loopback
  – Assigns IP address and mask to an interface whose state is not bound to a physical port state
  – Interface state is always “up”
• Multinetted
  – Assigns two or more IP address/mask combinations to a physical, virtual, or loopback interface
Every router in an enterprise, regardless of the vendor who provides it, must enable communication among multiple networks. All routers accomplish this by enabling administrators to define one or more of the following types of router interfaces:
1. Physical: As its name suggests, the physical interface is created by assigning an IP address and mask to a physical port. The rest of this module will focus heavily on this type of interface, which is the “traditional” router interface.
2. Virtual: Common in contemporary enterprises, the virtual interface associates an IP address and mask with a VLAN. This enables packets for multiple broadcast domains to be forwarded through a single port.
3. Loopback: The loopback interface defines an IP address and mask that is not bound to any port or VLAN. It is often used as the interface for management communication.
4. Multinetted: In a multinetted configuration, two or more IP addresses and masks are assigned to a single port, VLAN, or loopback interface.
Whether they are virtual or physical, router interfaces function in the same way in terms of Layer 3 forwarding. Differences among the types of interfaces are confined solely to Layer 2 forwarding issues. The physical interface associates each router port with a different broadcast domain and thus a different address range, while the virtual interface enables you to associate an arbitrary set of ports with a broadcast domain/address range.
Route tables and local address ranges
• For each interface whose state is “up,” the router derives the local address range by applying the mask to the assigned IP address
• Route table entries for local address ranges usually have a cost of “0”
• Router forwards traffic destined for local networks using port indicated in route table
  – Drops traffic destined for address ranges not represented in the table

[Figure: Router1 forwards traffic among its local address ranges. Port 1 (If 1) is 10.1.10.1/24 and connects to Switch1 (10.1.10.3/24); hosts in range 10.1.10.0/24 use DG 10.1.10.1. Port 2 (If 2) is 10.1.30.1/24 and connects to Switch2 (10.1.30.3/24); hosts in range 10.1.30.0/24 use DG 10.1.30.1.]

IP Route Table
Network address  Mask           Gateway  Port  Cost  Type
10.1.10.0        255.255.255.0  0.0.0.0  If 1  0     Local
10.1.30.0        255.255.255.0  0.0.0.0  If 2  0     Local
In this example, a router has two interfaces defined. Because the physical port “If 1” is connected to Switch1, the interface state is up. Because the interface is defined in the router’s configuration as 10.1.10.1/24, the router applies the mask to the address and derives a range of addresses that it expects to find through that port.
In this case, the range of local addresses the router puts in the route table is 10.1.10.0 with a mask of 255.255.255.0. When this dotted decimal mask is converted to binary, the mask includes 24 “1” bits and eight “0” bits. In the application of the mask to the address, the “1” bits mark the high order—that is, “most significant”—bits in the address that are common to all of the hosts connected to this interface. The “0” bits of the mask mark the low order—that is, “least significant”—bits in each host’s address that may have any value. All of the combinations of these eight bits—from 0000 0000 to 1111 1111—are considered part of the address range. However, the lowest value (0) and the highest value (255) are not permissible as addresses for individual hosts. The lowest value is the network address, also known as the “starting address.” The highest value is the broadcast address. The same principles apply to If 2.
The route table
A router bases forwarding decisions on the content of its route table. While a Layer 2 forwarding device, such as a switch, floods traffic destined for unknown MAC addresses, a router drops traffic whose destination IP address does not match any of the entries in the route table.
The graphic on the previous page shows route table entries for two networks—10.1.10.0 and 10.1.30.0. Although routers from different vendors may display routing information differently, all route tables contain the same basic information. Common fields include:
The “Gateway” field for each address range is sometimes labeled as the “Next Hop” field, but its function is to tell the router how to reach the address range. In this case, because all three address ranges are local, this router uses all zeros in dotted decimal format. Once again, different vendors represent this in different ways.
The “Port” field indicates which of the router’s interfaces leads toward the best path to the destination.
The “Cost” field provides information about the distance to the network. Because the address ranges in the example are local, Router1 records the “Cost” for each route as “0.” Although the end stations in networks 10.1.10.0/24 and 10.1.30.0/24 are connected to a downstream switch, Router1 considers the addresses to be “local” because Router1’s interfaces are in the same broadcast domain as other hosts in the same address range. The switch is transparent from an IP routing perspective because it forwards traffic based on Layer 2 information rather than Layer 3. The switch’s own IP address, which is assigned for management purposes, does not affect this transparency.
The “Type” field indicates the source of the routing information. Because all of these address ranges are local, their type is “D” which represents “directly connected.” We will cover other sources of routing information later in this module.
Because Router1 provides the default gateway for its local hosts, it can forward traffic on their behalf and also deliver traffic that is destined for those hosts. Because all hosts are local, the router uses ARP to obtain each destination host’s MAC address and encapsulates each forwarded packet with a Layer 2 header that contains its own MAC address in the source address field and the target host’s MAC address in the destination address field.
The router does not change the source or destination IP address in the Layer 3 header. The source address field in the IP datagram header contains the address of the sending host and the destination address field contains the address of the target host. The router does not insert its own address into the IP datagram header as it does with the Layer 2 header.
In most environments, a router is also required to forward traffic toward remote networks.
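The lookup and forwarding decision just described, in code. This is an added example and not part of the ProCurve guide: Router1's three local entries come from the text, while the RIP-learned 10.2.20.0/24 entry via 10.0.64.2 is constructed here so that the remote case can be shown alongside the local one.

```python
# Added example (not part of the ProCurve guide): a minimal route table with
# the fields the text lists, a lookup that drops packets with no matching
# entry, and the decision of which address the router ARPs for before it
# rebuilds the Layer 2 header.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str            # "0.0.0.0" for directly connected ranges
    port: str
    cost: int
    rtype: str              # "D" = directly connected, "R" = learned via RIP


def route(prefix, gateway, port, cost, rtype):
    # strict=True rejects a prefix whose host bits are not zero (10.1.10.1/24)
    return Route(ipaddress.ip_network(prefix, strict=True), gateway, port, cost, rtype)


ROUTER1_TABLE: List[Route] = [
    route("10.1.10.0/24", "0.0.0.0", "If 1", 0, "D"),
    route("10.1.30.0/24", "0.0.0.0", "If 2", 0, "D"),
    route("172.16.150.0/24", "0.0.0.0", "If 2", 0, "D"),
    route("10.2.20.0/24", "10.0.64.2", "If 3", 2, "R"),   # constructed entry
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the most specific matching entry, or None when there is no route.

    The guide's tables hold non-overlapping /24s, so any match is the match;
    the longest-prefix rule used here is the general case.
    """
    d = ipaddress.ip_address(dst)
    matches = [r for r in table if d in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)


def forward(table: List[Route], src: str, dst: str) -> dict:
    """Decide how a packet src -> dst leaves the router.

    The IP header is left alone: source and destination stay as sent. Only
    the Layer 2 header is rebuilt. For a directly connected range the router
    ARPs for the destination host itself; for a learned range it ARPs for the
    gateway. Either way the frame carries the router's own MAC as source.
    """
    r = lookup(table, dst)
    if r is None:
        return {"action": "drop", "reason": "no route", "ip_src": src, "ip_dst": dst}
    local = r.rtype == "D"
    return {
        "action": "forward",
        "port": r.port,
        "arp_target": dst if local else r.gateway,
        "ip_src": src,          # unchanged by the router
        "ip_dst": dst,          # unchanged by the router
    }


if __name__ == "__main__":
    for dst in ("10.1.30.77", "10.2.20.9", "192.0.2.1"):
        print(dst, forward(ROUTER1_TABLE, "10.1.10.50", dst))
```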
Multinetted interface
• Defined to provide default gateway addresses for hosts that are in the same broadcast domain but have different address ranges
• Each address range appears as a route table entry

IP Route Table (Router1)
Network address   Mask             Gateway   Port   Cost   Type
10.1.10.0         255.255.255.0    0.0.0.0   If 1   0      Local
10.1.30.0         255.255.255.0    0.0.0.0   If 2   0      Local
172.16.150.0      255.255.255.0    0.0.0.0   If 2   0      Local

Figure: Router1 Port 1 (If 1), 10.1.10.1/24, connects through Switch1 (10.1.10.3/24) to hosts in 10.1.10.0/24 (DG 10.1.10.1). Port 2 (If 2), 10.1.30.1/24 and 172.16.150.1/24, connects through Switch2 (10.1.30.3/24) to hosts in 10.1.30.0/24 (DG 10.1.30.1) and hosts in 172.16.150.0/24 (DG 172.16.150.1).
Multinetting enables an administrator to associate multiple IP addresses with a single broadcast domain that might be physically bounded, using a physical interface associated with a single router port, or virtually bounded, using a virtual interface associated with a VLAN. Multinetting creates routing inefficiencies and should be used only when necessary.
In contemporary networks, multinetting is usually not recommended, although it was quite common when physical router interfaces were the only router interface option. Furthermore, multinetting can create problems where hosts use DHCP to receive IP configuration information. A DHCP server normally hands out addresses from a single range to all hosts in a broadcast domain; consequently, hosts in a multinetted network may not receive an address in the intended range.
When multinetting is appropriate
Multinetting can be necessary when the network includes a collection of hosts, links, and legacy connectivity devices, such as hubs, that do not support VLANs. The graphic above illustrates this point. Suppose that hosts in the 10.1.30.0/24 address range are used by clients who need access to the Internet. Their addresses would be included in a range to be translated by a router, proxy server, or firewall using NAT. However, the hosts in the range 172.16.150.0/24 are special-purpose devices with statically defined addresses. Their access should be restricted. They will never need to browse the Internet. An administrator might specifically omit their address range from the range of addresses to be translated by the proxy, firewall, or other NAT device.
Administrators might also implement multinetting as an interim step while changing the IP addressing scheme. Suppose, for example, that an intranet originally was configured to use statically defined public addresses and must now be converted to a private addressing scheme where hosts dynamically obtain their addresses. Enabling multinetting would enable the administrator to continue providing connectivity for hosts whose addresses have not been converted, as well as for those whose addresses have been converted to the new scheme.
Loopback interface
• Address range associated with the loopback interface appears as a route table entry
• May be used as source and/or destination for the router's host processes such as SNMP, Telnet, and HTTP

IP Route Table (Router1)
Network address   Mask             Gateway   Port   Cost   Type
10.1.0.0          255.255.255.0    0.0.0.0   lb 1   0      Local
10.1.10.0         255.255.255.0    0.0.0.0   If 1   0      Local
10.1.30.0         255.255.255.0    0.0.0.0   If 2   0      Local
172.16.150.0      255.255.255.0    0.0.0.0   If 2   0      Local

Figure: the same topology as the previous figure (Router1 Port 1 10.1.10.1/24 through Switch1 10.1.10.3/24 to hosts in 10.1.10.0/24, DG 10.1.10.1; Port 2 10.1.30.1/24 and 172.16.150.1/24 through Switch2 10.1.30.3/24 to hosts in 10.1.30.0/24, DG 10.1.30.1, and 172.16.150.0/24, DG 172.16.150.1), with Loopback 1 10.1.0.1/24 added on Router1.
A loopback interface is very useful for routers in an intranet that supports redundant links. Because the state of a loopback interface does not depend on the state of any physical port, its IP address remains reachable as long as at least one other router interface is up and the loopback's address range is advertised to the other routers (in the RIP examples later in this module, Router1's loopback network 10.1.0.0/24 appears in its updates). Consequently, the loopback address often is used for in-band device management.
Routers often are configured to use the loopback address for outbound communication with network management stations or other routers. With no loopback defined for this purpose, a router will send the packet through the interface that is “closest” to the destination network; that is, the one that corresponds with the route table’s next hop toward the destination network.
In the case of a network management station, administrators often set up filters that allow the station to accept messages only from a set of source address ranges. In a redundant network, one or more routers might choose different paths to the network management station’s address range based on the physical state of some of the intervening links. Consequently, it can be difficult to predict the address from which a router will send a management message.
Furthermore, by using the loopback interface for all host-based communication with the router, you can set up traffic filters that prohibit traffic produced by typical management protocols—including HTTP, FTP, TFTP, Telnet and SSH—from reaching any of the physical or virtual interfaces. The traffic can be permitted to reach the loopback interface. All valid administrators would need to configure and monitor the router using the loopback interface as a target address. (Traffic filters will be discussed later in this course.)
Learning about remote networks
A router can learn of the existence of remote networks through any combination of the following:
• Dynamic interaction with other routers that follow a common set of rules for exchanging routing information. These rules might include:
  – Procedures for establishing relationships with neighboring routers
  – The frequency and format of messages exchanged with other routers
• Static route configuration, which requires an administrator to:
  – Specify an address range, expressed as starting address and mask
  – Provide "next hop" information that will allow the router to send traffic toward the address range
  – Supply a cost to be associated with the path to the address range, enabling the router to choose the lowest-cost statically defined path
Network topology, including Internet and intranet connectivity, determines the appropriate method for each situation.
A router can only forward traffic toward address ranges that appear in its route table. If a router receives a routable packet with a destination address that does not match with any route table entries, it drops the packet.
Routers may learn the information in their route tables dynamically through interaction with other routers with which they share a common set of route exchange rules known as a “routing protocol.” Routing protocols specify the format of the information the routers exchange and the conditions that require a router to send information to a neighboring router.
Administrators often choose to augment the dynamically learned information by statically defining information that the router can use to reach specific address ranges. In most contemporary networks, routers must be aware of remote networks because most enterprise users require access to Internet and intranet resources. Usually, route tables are populated with a combination of static and dynamically learned routes.
In any case, routers cannot directly deliver traffic to remote hosts. Instead, they deliver traffic destined for remote hosts to neighboring routers that provide the best route to the remote address range.
Routing protocol categories
Interior Gateway Protocols (IGP)
• Facilitate exchange of information among routers under the same organizational control; that is, within the same "autonomous system"
• Examples of standard IGPs:
  – Routing Information Protocol (RIP)
  – Open Shortest Path First (OSPF)
Exterior Gateway Protocols (EGP)
• Facilitate exchange of route information among routers in different autonomous systems
• Border Gateway Protocol version 4 (BGP4) is the current standard EGP for Internet connectivity
There are two types of dynamic interaction between routers:
1. Interior Gateway Protocols (IGP) involve communication among routers that are under common administrative control and use the same protocol for exchanging information; that is, in the same autonomous system.
2. Exterior Gateway Protocols (EGP) involve communication among routers that are under different administrative control; that is, in different autonomous systems.
An Internet Service Provider is likely to use a combination of interior and exterior gateway protocols to facilitate exchange of routing information among the routers that make up its own internal network as well as with the routers at subscriber locations.
Not all Internet subscribers use an exterior gateway protocol; however, a very large subscriber that load balances among multiple ISPs is the most likely candidate for using a formalized exterior gateway protocol. Small-to-medium sized subscribers are likely to use a combination of interior gateway protocols and static routes to facilitate Internet connectivity.
RIP and OSPF
Several routing protocols have been formalized and are described in various standards documents. In some cases, vendors implement these standards exactly as written; other vendors enhance the protocols to optimize particular aspects or functions. Other protocols are entirely proprietary, with their own reserved port and/or protocol numbers. These protocols operate only with other routers from the same vendor.
Two common routing protocols, RIP and OSPF, are both IGPs with the same high-level goal: to enable connectivity within an autonomous system. In general, because RIP and OSPF perform this task in completely different ways, each is best suited for particular topologies. However, there is a large overlapping area of applicability. Many intranets can deploy either protocol effectively.
Routing protocols specify the format of messages to be exchanged. RIP, a fairly simple routing protocol, specifies a single message format. OSPF is a far more complex IGP: it specifies several message types and even sub-types, formal procedures for setting up relationships with neighboring routers, and which message should be sent in each circumstance.
Routing protocols also specify the conditions that require a router to send an advertisement. While a RIP router periodically sends routing information to its neighbors, an OSPF router sends a particular type of message when it experiences a change in the state of one of its links.
RIP will be described in more detail later in this module. A later module will discuss OSPF.
Standard IGPs for IP networks
Distance vector: RIP
• Each router sends periodic updates containing a subset of its route table entries to directly connected neighbor routers
• Information about remote networks is passed from router to router based on each router's perspective
• Time required for each router to find an alternate path to an address range after a link failure depends on the number of routers that separate it from the address range
Link state: OSPF
• Each router reports to its neighbors the characteristics of its active connections to local networks
• Updates are flooded to all routers within an administratively defined area, resulting in a consistent picture of the area's routers and networks
• Each router builds a logical tree that calculates its shortest path to each network address range
• Enables faster convergence (detection of alternate paths after link failure) due to possession of first-hand information
There are two types of standard IGPs available in IP networks:
1. Distance-vector protocols, such as RIP, require routers to integrate information into their own tables and send the resulting entries, as modified, from their own perspectives.
2. Link-state protocols, such as OSPF, require routers to establish neighbor relationships with adjacent routers. Routers generate updates based on local information and send the updates to neighbors, who then flood the updates to all their neighbors. Ideally, within a very short time (well under a second, as discussed below), every router in an administratively defined area has identical information. Each router builds a logical tree that traces out the shortest path to each advertised destination, using itself as the root. As a result, every router has a consistent picture of the network from its own perspective.
The disadvantage of RIP
While RIP and other distance-vector protocols are easier to configure than link-state protocols, the distance-vector protocols have one serious disadvantage. Changes in routing topology often propagate slowly because information in a router’s table is acquired from other routers that may be as many as 15 hops away.
Suppose, for instance, that Router1 is directly connected to Network 1. When Router1 loses its connection to Network 1, it immediately sends its neighbors an update that reports the cost of Network 1 to be 16. In RIP, the cost of 16 represents infinity and indicates the network is unreachable because the maximum number of router hops in RIP is 15.
After Network 1 has been marked as unavailable, each router is free to accept advertisements from other neighbors that offer a lower-cost path to Network 1. Because there is a 30-second interval between RIP updates, and because RIP updates move one hop at a time, several minutes may elapse before each router has determined the lowest-cost path between itself and Network 1.
Link-state protocols
Link-state protocols avoid this issue because they do not rely on second-hand information. A router sends an “advertisement” when it recognizes a link state change. The update does not contain just the change, but the attributes of all of the router’s currently active links. The router sends the advertisement to its immediate neighbors. The neighbors are required by the protocol to immediately flood the advertisement to all of their neighbors.
Unlike RIP routers, OSPF routers do not increment costs as they flood updates. In fact, an OSPF router is not permitted to change an advertisement it receives on one network before flooding it onto another.
As a result, all of the routers in the area have a consistent picture of the connections between all routers and networks in the area. Each router builds a tree based on first-hand information that traces the shortest path between itself and every router and network in the area. When a link state changes, the router recalculates the tree based on the new information. Ideally, less than a second passes between the time the router advertises its new state and the time when all of the routers have found an alternate path, if one exists.
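The shortest-path-tree computation described above, as an added example that is not part of the ProCurve guide. It runs over a link-state database for the daisy chain R1-R2-R3 and for the three-router mesh the module introduces later; the guide assigns no link costs, so every link is assumed to cost 1, and `without_link` models the recalculation after a link fails.

```python
# Added example (not from the ProCurve guide): the shortest-path tree a
# link-state router builds from the flooded link-state database, with
# itself as the root. Link costs of 1 are an assumption; the guide gives none.
import heapq
from typing import Dict, List, Optional, Tuple

LSDB = Dict[str, List[Tuple[str, int]]]   # router -> [(neighbor, link cost)]

# Identical on every router in the area once flooding completes.
CHAIN_LSDB: LSDB = {
    "R1": [("R2", 1)],
    "R2": [("R1", 1), ("R3", 1)],
    "R3": [("R2", 1)],
}
MESH_LSDB: LSDB = {
    "R1": [("R2", 1), ("R3", 1)],
    "R2": [("R1", 1), ("R3", 1)],
    "R3": [("R1", 1), ("R2", 1)],
}


def shortest_path_tree(lsdb: LSDB, root: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Dijkstra with `root` as the tree root.

    Returns {router: (total cost, first hop)}. The first hop is the neighbor
    of `root` on the shortest path, i.e. the next hop the router installs.
    Routers absent from the result are unreachable.
    """
    dist = {root: 0}
    first_hop: Dict[str, Optional[str]] = {root: None}
    heap = [(0, root)]
    settled = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in settled:
            continue                          # stale heap entry
        settled.add(node)
        for nbr, link_cost in lsdb.get(node, []):
            new_cost = cost + link_cost
            if nbr not in dist or new_cost < dist[nbr]:
                dist[nbr] = new_cost
                first_hop[nbr] = nbr if node == root else first_hop[node]
                heapq.heappush(heap, (new_cost, nbr))
    return {n: (dist[n], first_hop[n]) for n in dist}


def without_link(lsdb: LSDB, a: str, b: str) -> LSDB:
    """The database after link a-b fails and both ends re-advertise."""
    return {r: [(n, c) for n, c in links if {r, n} != {a, b}]
            for r, links in lsdb.items()}


if __name__ == "__main__":
    print("chain, from R3:", shortest_path_tree(CHAIN_LSDB, "R3"))
    print("mesh, from R3: ", shortest_path_tree(MESH_LSDB, "R3"))
    print("mesh without R1-R3, from R3:",
          shortest_path_tree(without_link(MESH_LSDB, "R1", "R3"), "R3"))
```

Because every router runs the same computation over the same database, their trees differ only in the root, which is what gives the area a consistent picture without any router having to trust another router's arithmetic.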
Router1 RIP update to Router2
Figure: Router1 (R1) has If 1 10.1.10.1/24 (Switch S1 10.1.10.3/24, hosts in 10.1.10.0/24), If 2 10.1.30.1/24 and 172.16.150.1/24 (Switch S2 10.1.30.3/24, hosts in 10.1.30.0/24 and 172.16.150.0/24), If 3 10.0.64.1/24 (RIP enabled) and Loop 1 10.1.0.1/24. Router2 (R2) has If 1 10.2.20.1/24 (Switch S3 10.2.20.3/24, hosts in 10.2.20.0/24), If 2 10.2.40.1/24 (Switch S4 10.2.40.3/24, hosts in 10.2.40.0/24), If 3 10.0.64.2/24 and Loop 1 10.2.0.1/24. Network 10.0.64.0/24 connects R1 If 3 and R2 If 3.

Router1's RIP update as sent through If 3:
Ethernet header:      Dest: 01005e-000009   Source: <R1 MAC>
IP datagram header:   Source: 10.0.64.1     Dest: 224.0.0.9
UDP header:           Source: 520           Dest: 520
Routing Information Protocol:
  Command: Response (2)   Version: RIPv2 (2)
  Network: 10.1.0.0       Mask: 255.255.255.0   Metric: 1
  Network: 10.1.10.0      Mask: 255.255.255.0   Metric: 1
  Network: 10.1.30.0      Mask: 255.255.255.0   Metric: 1
  Network: 172.16.150.0   Mask: 255.255.255.0   Metric: 1

Router1
• Advertises entries in its route table through interface 3
• Does not include the address range associated with interface 3 (10.0.64.0/24)
When RIP is enabled on an interface, the router prepares an update that advertises the address ranges in its route table. In many cases, including the one above, each address range in the table represents a network, a single broadcast domain. However, this is not always the case. Sometimes the entries represent an address range that includes many networks.
In the example above, Router1 advertises all of its connected networks with one notable exception. A RIP advertisement doesn’t include the address range associated with the interface through which the router sends the update. In this case, the advertisement is being prepared for transmission over interface 3 (if 3), which is associated with the address range 10.0.64.0/24. Accordingly, that network is specifically omitted from the advertisement.
It is important to note that the update actually includes two distinct steps: the preparation and the sending of the update. By default, this process occurs every 30 seconds; when this interval expires, the router must send advertisements through all of its RIP-enabled interfaces.
Cost
Note that the cost associated with each of the advertised networks is 1. While Router1 associates a cost of 0 with its locally connected address ranges, it advertises these networks with a cost of 1. In some vendor implementations, the cost used internally will be 1; however, the external cost is reported in the same way by all router vendors.
RIP v2 use of multicast
The source address in the IP datagram that encapsulates the RIP advertisement is the address of Router1’s interface on the network it shares with Router2. The destination address is a multicast address, which is the requirement in RIP v2.
Using a multicast destination lets a single transmission reach every RIP v2 router on the network. Routers and other devices on this network that do not support RIP v2 will not process the update because they are not members of the RIP Routers multicast group (224.0.0.9). Note that group membership is a delivery mechanism, not an access control: any host on the segment can join the group and listen, and, unless RIP v2 authentication is configured, a router accepts updates from any sender on the segment.
In the example, Router1 is the only RIP router on network 10.0.64.0. Note that Router2 does not have RIP enabled. This does not affect Router1’s outbound RIP updates. Because RIP is enabled on this interface, Router1 will continue sending updates indefinitely.
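The RIPv2 Response shown in the figure, built and parsed as bytes. This is an added example and not part of the ProCurve guide; it follows the RFC 2453 wire layout (4-byte header, 20-byte entries, at most 25 entries) and only produces the UDP payload, which a sender would pass to `sendto(payload, ("224.0.0.9", 520))` from a socket bound to the interface address and port 520. The authentication handling is limited to recognising the entry; it is there to make visible that without it nothing in the message proves who sent it.

```python
# Added example (not from the ProCurve guide): build the RIPv2 Response that
# Router1 sends to 224.0.0.9 on UDP port 520, and parse such a message back.
import socket
import struct

RIP_RESPONSE = 2
RIP_VERSION = 2
AFI_INET = 2
AFI_AUTH = 0xFFFF          # first entry may carry authentication instead of a route
RIP_INFINITY = 16
MAX_ENTRIES = 25
HEADER = struct.Struct("!BBH")         # command, version, must-be-zero (4 bytes)
ENTRY = struct.Struct("!HH4s4s4sI")    # AFI, tag, address, mask, next hop, metric (20 bytes)


def build_response(entries):
    """entries: [(network, mask, metric)] -> RIPv2 Response payload bytes."""
    if not 0 < len(entries) <= MAX_ENTRIES:
        raise ValueError("a RIP message carries 1..25 route entries")
    payload = HEADER.pack(RIP_RESPONSE, RIP_VERSION, 0)
    for network, mask, metric in entries:
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError(f"metric out of range for {network}: {metric}")
        payload += ENTRY.pack(
            AFI_INET,
            0,                                  # route tag (unused here)
            socket.inet_aton(network),
            socket.inet_aton(mask),
            socket.inet_aton("0.0.0.0"),        # next hop 0.0.0.0 = the sender itself
            metric,
        )
    return payload


def parse_response(payload):
    """payload bytes -> (auth_type or None, [(network, mask, metric)]).

    Length, header and metrics are validated. An authentication entry
    (AFI 0xFFFF; type 2 = simple password per RFC 2453, type 3 = MD5 per
    RFC 2082) is reported but not verified here. Without such an entry a
    router has no way to tell a neighbor's update from any other host's.
    """
    if len(payload) < HEADER.size or (len(payload) - HEADER.size) % ENTRY.size:
        raise ValueError("RIP message length must be 4 + 20*n")
    command, version, zero = HEADER.unpack_from(payload, 0)
    if (command, version, zero) != (RIP_RESPONSE, RIP_VERSION, 0):
        raise ValueError("not a RIPv2 Response")
    auth_type, routes = None, []
    for off in range(HEADER.size, len(payload), ENTRY.size):
        afi, tag, net, mask, _next_hop, metric = ENTRY.unpack_from(payload, off)
        if afi == AFI_AUTH:
            if off != HEADER.size:
                raise ValueError("authentication entry must be the first entry")
            auth_type = tag                     # the tag position holds the auth type
            continue
        if afi != AFI_INET:
            raise ValueError(f"unsupported address family {afi}")
        if not 1 <= metric <= RIP_INFINITY:
            raise ValueError(f"invalid metric {metric}")
        routes.append((socket.inet_ntoa(net), socket.inet_ntoa(mask), metric))
    if len(routes) > MAX_ENTRIES:
        raise ValueError("too many route entries")
    return auth_type, routes


# Router1's update through interface 3, as shown in the guide's figure.
ROUTER1_UPDATE = [
    ("10.1.0.0", "255.255.255.0", 1),
    ("10.1.10.0", "255.255.255.0", 1),
    ("10.1.30.0", "255.255.255.0", 1),
    ("172.16.150.0", "255.255.255.0", 1),
]

if __name__ == "__main__":
    wire = build_response(ROUTER1_UPDATE)
    print(len(wire), "bytes:", wire.hex())
    print(parse_response(wire))
```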
Router2 updates its route table
Figure: the same topology as the previous figure, with RIP now enabled on Router2's If 3 (10.0.64.2/24) as well as on Router1's If 3 (10.0.64.1/24).

Router2's route table after processing Router1's update:
Network            Gateway     Port   Cost   Type
10.0.64.0/24       0.0.0.0     3      0      D
10.1.0.0/24        10.0.64.1   3      2      R
10.1.10.0/24       10.0.64.1   3      2      R
10.1.30.0/24       10.0.64.1   3      2      R
10.2.0.0/24        0.0.0.0     Lo 1   0      D
10.2.20.0/24       0.0.0.0     1      0      D
10.2.40.0/24       0.0.0.0     2      0      D
172.16.150.0/24    10.0.64.1   3      2      R

• Router2 integrates networks from Router1's RIP update into its route table
• "Gateway" associated with RIP-learned networks is the source address from the IP datagram header of Router1's RIP update
In this example, RIP has been enabled on Router2’s interface on the 10.0.64.0/24 network. Router2 receives Router1’s RIP update and begins processing it. It doesn’t matter if Router1’s RIP update arrived before Router2 sent any advertisements over the network it shares with Router1 because each router’s sending and receiving actions are independent.
When Router2 receives the advertisement, it compares each entry with the entries already in its route table and immediately adds any advertised address range that does not already appear there. In the example above, all of the address ranges are new, so all are added. The cost of the RIP-learned address ranges is one number higher than the cost advertised by Router1. This is only true if Router2’s configured interface cost for interface 3 is at the default setting of “1.” While it is possible to manipulate interface costs for the purpose of favoring one path over another, it is usually not recommended for reasons discussed later in this module.
Every address range a router learns from a RIP update is set to type “R” (for RIP) in the route table. The “Port” value is the interface through which Router2 received the update that advertised the address range.
In this example, every RIP-learned network in Router2’s route table has the same next hop. This is because Router2 has only one neighbor.
Router2 RIP update to Router1
When Router2 sends a RIP advertisement through its only RIP-enabled interface, it does not include the address range 10.0.64.0/24 because that address range is associated with interface 3, the interface through which the update is sent.
Because Router2 has already received advertisements from Router1, it follows an additional rule: the advertisements a router sends onto a network do not include the address ranges for which the next hop is on that network.
In the example, none of the networks that Router2 learned from Router1 are included in the RIP update Router2 sends onto network 10.0.64.0/24. Because 10.0.64.1 is the "next hop" for the address ranges 10.1.0.0/24, 10.1.10.0/24, 10.1.30.0/24, and 172.16.150.0/24, and because the address range associated with interface 3 contains that next hop address, these are omitted from the update.
The set of rules that governs which networks may be advertised is known as "Split horizon." The primary reason RIP routers follow Split horizon rules is that a neighbor simply does not need to learn about networks for which it provides the next hop. Other reasons for the Split horizon rules will be discussed later.
Router2 RIP update to Router3
Figure: Router2 (R2) adds If 4 10.0.65.1/24 (RIP enabled); its other interfaces are as before (If 1 10.2.20.1/24 with hosts in 10.2.20.0/24, If 2 10.2.40.1/24 with hosts in 10.2.40.0/24, If 3 10.0.64.2/24 RIP enabled, Loop 1 10.2.0.1/24). Router3 (R3) has If 1 10.3.10.1/24 (hosts in 10.3.10.0/24), If 2 10.3.30.1/24 (hosts in 10.3.30.0/24), If 3 10.0.65.2/24 and Loop 1 10.3.0.1/24. Network 10.0.65.0/24 connects R2 If 4 and R3 If 3.

Router2's RIP update as sent through If 4:
IP datagram header:   Source: 10.0.65.1   Dest: 224.0.0.9
UDP header:           Source: 520         Dest: 520
Routing Information Protocol:
  Network: 10.0.64.0      Mask: 255.255.255.0   Metric: 1
  Network: 10.1.0.0       Mask: 255.255.255.0   Metric: 2
  Network: 10.1.10.0      Mask: 255.255.255.0   Metric: 2
  Network: 10.1.30.0      Mask: 255.255.255.0   Metric: 2
  Network: 10.2.0.0       Mask: 255.255.255.0   Metric: 1
  Network: 10.2.20.0      Mask: 255.255.255.0   Metric: 1
  Network: 10.2.40.0      Mask: 255.255.255.0   Metric: 1
  Network: 172.16.150.0   Mask: 255.255.255.0   Metric: 2

• Router2's RIP updates through interface 4 include:
  – Locally defined networks
  – Routes to address ranges learned from a neighbor on interface 3
In this example, Router2 has another neighbor that it reaches through a network (10.0.65.0/24) associated with interface 4. Because Router3 does not have RIP enabled, Router2 has not yet received any advertisements from Router3. Still, because RIP is enabled on interface 4, Router2 sends periodic RIP updates regardless of whether it has received any information from Router3.
The RIP update that Router2 sends to Router3 contains a completely different set of address ranges than the update it sends to Router1. Following Split horizon rules, the RIP advertisement Router2 sends through interface 4 does not include the address range associated with interface 4, 10.0.65.0/24. However, it does include all address ranges in its route table that are either local or learned from a neighbor connected to an interface other than interface 4. Router2 advertises the cost of these address ranges from its own perspective. In all cases except for local networks, a RIP router advertises the cost that each address range has in its own route table.
The “Gateway” or next hop value in the route table is the most important factor in determining which address ranges Router2 will advertise through network 10.0.65.0/24. A RIP advertisement includes all local address ranges except the network address associated with the interface over which the advertisement will be transmitted. A remote address range will be included in the RIP advertisement only if its associated “Gateway” or “next hop” IP address is outside the range of the network associated with the interface over which the advertisement will be transmitted.
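The Split horizon rules stated here and on the preceding page (Router2's update to Router1), applied to Router2's route table in code. This is an added example and not part of the ProCurve guide. The table entries follow the guide's figures; the directly connected 10.0.65.0/24 entry on interface 4 is inferred from the update Router2 sends to Router3, so the update generated toward Router1 also carries that range, which the earlier figure (drawn before interface 4 existed) does not show.

```python
# Added example (not part of the ProCurve guide): generating a RIP update
# for one outgoing interface under the Split horizon rules.
import ipaddress

# (network/prefix, gateway, port, cost, type)   type: D = direct, R = RIP
ROUTER2_TABLE = [
    ("10.0.64.0/24", "0.0.0.0", "3", 0, "D"),
    ("10.0.65.0/24", "0.0.0.0", "4", 0, "D"),       # inferred, see lead-in
    ("10.1.0.0/24", "10.0.64.1", "3", 2, "R"),
    ("10.1.10.0/24", "10.0.64.1", "3", 2, "R"),
    ("10.1.30.0/24", "10.0.64.1", "3", 2, "R"),
    ("10.2.0.0/24", "0.0.0.0", "Lo 1", 0, "D"),
    ("10.2.20.0/24", "0.0.0.0", "1", 0, "D"),
    ("10.2.40.0/24", "0.0.0.0", "2", 0, "D"),
    ("172.16.150.0/24", "10.0.64.1", "3", 2, "R"),
]


def interface_network(table, port):
    """The directly connected range of `port`: the range Split horizon protects."""
    for net, _gw, p, _cost, rtype in table:
        if p == port and rtype == "D":
            return ipaddress.ip_network(net)
    raise ValueError(f"port {port} has no directly connected range")


def split_horizon_update(table, out_port):
    """Entries (network, mask, metric) that may be advertised out `out_port`.

    Rule 1: never advertise the range connected to the outgoing interface.
    Rule 2: never advertise a route whose next hop lies in that range, i.e.
            one learned from a neighbor on that same network.
    Local ranges go out with metric 1; learned routes with their table cost.
    """
    out_net = interface_network(table, out_port)
    update = []
    for net, gw, _p, cost, rtype in table:
        network = ipaddress.ip_network(net)
        if network == out_net:
            continue                                              # rule 1
        if rtype != "D" and ipaddress.ip_address(gw) in out_net:
            continue                                              # rule 2
        metric = 1 if rtype == "D" else cost
        update.append((str(network.network_address), str(network.netmask), metric))
    return update


if __name__ == "__main__":
    print("to Router1 (port 3):", split_horizon_update(ROUTER2_TABLE, "3"))
    print("to Router3 (port 4):", split_horizon_update(ROUTER2_TABLE, "4"))
```

Some RIP implementations use a variant, poisoned reverse (RFC 2453 section 3.4.3), that still lists the suppressed routes but with metric 16, so the neighbor explicitly learns that this router is not a path to them; the guide's figures show plain Split horizon, which simply omits them.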
Router3 updates its route table
Figure: the same topology as the previous figure, with RIP now also enabled on Router3's If 3 (10.0.65.2/24).

Router3's route table after processing Router2's update:
Network            Gateway     Port   Cost   Type
10.0.64.0/24       10.0.65.1   3      2      RIP
10.0.65.0/24       0.0.0.0     3      0      Direct
10.1.0.0/24        10.0.65.1   3      3      RIP
10.1.10.0/24       10.0.65.1   3      3      RIP
10.1.30.0/24       10.0.65.1   3      3      RIP
10.2.0.0/24        10.0.65.1   3      2      RIP
10.2.20.0/24       10.0.65.1   3      2      RIP
10.2.40.0/24       10.0.65.1   3      2      RIP
10.3.0.0/24        0.0.0.0     Lo 1   0      Direct
10.3.10.0/24       0.0.0.0     1      0      Direct
10.3.30.0/24       0.0.0.0     2      0      Direct
172.16.150.0/24    10.0.65.1   3      3      RIP

• All routes known to Router3 are either local or learned from 10.0.65.1
• Router3's updates through interface 3 include only networks not learned from neighbors on the network associated with that interface
In the manner described earlier, Router3 increments the cost of all advertised networks by the cost assigned to the interface through which the update arrives. Everything that was advertised by Router2 with a cost of 1 appears in Router3’s route table with a cost of 2. The address ranges reported with a cost of 2 have a cost of 3 in Router3’s route table.
In this example, Router2 is Router3’s only neighbor, so the “Gateway” or next hop router interface for every remote address range in Router3’s route table is 10.0.65.1, which is the IP address of Router2’s interface on the network that connects the two routers. None of Router1’s interfaces appear in Router3’s route table as a next hop because Router3 and Router1 do not share a network. The “Type” column contains “RIP” for all address ranges that Router3 learns from Router2’s advertisements.
When Router3 sends an advertisement to Router2, it will follow the Split horizon rules described earlier. In this case, only three address ranges qualify for inclusion in the RIP advertisement sent to Router2: 10.3.10.0/24, 10.3.30.0/24, and the loopback range 10.3.0.0/24.
Assessing this topology
Some of the problems with this topology include:
• Inefficient forwarding paths and a potential bottleneck: traffic between Router1 and Router3 has to go through Router2
• Does not provide backup paths in the event of link failure
• Does not scale well

Figure: R1 (networks 10.1.10.0/24, 10.1.30.0/24 and 172.16.150.0/24; Loop 1 10.1.0.1/24; If 3 10.0.64.1/24, RIP enabled) connects to R2 (networks 10.2.20.0/24 and 10.2.40.0/24; Loop 1 10.2.0.1/24; If 3 10.0.64.2/24 and If 4 10.0.65.1/24, both RIP enabled), which connects to R3 (networks 10.3.10.0/24 and 10.3.30.0/24; Loop 1 10.3.0.1/24; If 3 10.0.65.2/24, RIP enabled). R1 and R3 have no direct link.
Although this topology is useful for describing RIP operations, it is clearly not an efficient topology. If the links between routers have equal bandwidth, Router2 may become a bottleneck because it must handle traffic between hosts connected to Routers 1 and 3, as well as traffic coming from or destined for its locally connected networks.
Furthermore, this topology also does not provide any redundancy. If either of the links between Router2 and its neighbors should fail, many hosts would be isolated.
The above deficiencies would be magnified if this intranet needed to support more than three routers. If we continued daisy-chaining routers in this manner, the potential for bottlenecks and traffic delay would increase dramatically, and each additional link would be one more single point of failure that could isolate every router beyond it.
Providing a routed mesh
A routed mesh
• Provides a dedicated link between each pair of routers
• Provides a backup path in the event of link failure
• Does not scale well beyond 3 or 4 nodes

Figure: the same three routers with their local networks and loopbacks (R1: 10.1.10.0/24, 10.1.30.0/24, 172.16.150.0/24, Loop 1 10.1.0.1/24; R2: 10.2.20.0/24, 10.2.40.0/24, Loop 1 10.2.0.1/24; R3: 10.3.10.0/24, 10.3.30.0/24, Loop 1 10.3.0.1/24), now connected by three links: 10.0.64.0/24 (R1 to R2), 10.0.65.0/24 (R2 to R3) and 10.0.66.0/24 (R1 to R3).
Creating a mesh of the routers would solve the problems relating to potential bottlenecks and lack of redundancy. In a mesh, each device is connected to all other devices. Rather than creating a bottleneck at Router2, the topology shown in the example provides Router3 with a direct connection to Router1. If any of the three links should fail, the remaining links would continue to provide connectivity among all three routers. Of course, the potential for a bottleneck would then increase until the mesh was restored.
However, the full mesh solution is not scalable. For every node added to the mesh, the number of point-to-point connections increases dramatically. While it only takes three links to create a full mesh among three nodes, six links are required to fully connect four nodes. A full mesh for five nodes requires 10 point-to-point links.
A full mesh for 10 nodes requires 45 point-to-point links. The number of links can be calculated using the formula L = N(N-1)/2, where "L" represents the number of point-to-point links and "N" represents the number of nodes to be interconnected. For 10 nodes, L = 10*9/2 = 45.
Split horizon in a routed mesh
Each router in a full mesh:
• Advertises to neighbors all networks learned from other neighbors
• Receives advertisements for each remote network from every neighbor
• Chooses the lowest-cost path to each destination network

Figure: the three-router mesh (R1 with 10.1.10.0/24, 10.1.30.0/24, 172.16.150.0/24 and Loop 1 10.1.0.1/24; R2 with 10.2.20.0/24, 10.2.40.0/24 and Loop 1 10.2.0.1/24; R3 with 10.3.10.0/24, 10.3.30.0/24 and Loop 1 10.3.0.1/24). Each link is annotated from both ends. On the R1 to R2 link: R1 is the next hop for 10.1.x.x traffic, so R2 does not advertise 10.1.x.x networks to R1, and R2 is the next hop for 10.2.x.x traffic, so R1 does not advertise 10.2.x.x networks to R2. The R2 to R3 link (10.2.x.x and 10.3.x.x) and the R1 to R3 link (10.1.x.x and 10.3.x.x) carry the same kind of annotations.
In the non-redundant topology described earlier, each router receives information about a specific address range from only one neighbor. However, in a meshed topology, such as the one shown, each router receives updates from both neighbors. Consequently, there is some overlap in the advertised networks.
In the example above, Router3 will receive advertisements from Router1 and Router2. Following Split horizon rules, Router2 advertises networks 10.2.x.x with a cost of 1 because those networks are local to Router2. It also advertises networks 10.1.x.x and 172.16.150.0/24 with a cost of 2. If the update from Router2 is the first one Router3 hears, it will add all seven of the advertised networks to its route table. However, when the first RIP update from the neighbor Router1 arrives, Router3 follows a very specific procedure for evaluating the shortest or lowest-cost path.
It is important for RIP routers to follow Split horizon rules regardless of whether routing loops exist. Even in the non-redundant topology illustrated earlier, failure to follow Split horizon rules can result in significant confusion for the router.
IP Routing Basics
Rev. 5.21 1 – 25
Processing inbound RIP updates
[Flowchart, applied to each advertisement in an inbound RIP update: Address range exists in table? No → Create entry. Yes → Source = table entry Gateway? Yes → Replace entry. No → Calc. cost < table entry Cost? Yes → Replace entry. No → Ignore. Then read next advertisement.]
When a RIP router receives an update, it follows an identical process for each advertised address range. This process is illustrated above. First, the router determines whether the address range already exists in the table. If it does not, the router adds a new entry for this network. It places the source address from the IP datagram header of the RIP update in the route table’s Gateway or Next Hop field. It derives a cost by adding 1 (or the cost of the inbound interface) to the advertised cost.
If the address range does appear in the route table, the router takes one of the following actions:
The router ignores it because it already has the address range in the table and the advertisement includes a higher cost than the entry already in the table.
The router replaces an existing entry with a new one. There are two variations on this outcome.
The first variation typically occurs under normal circumstances, with every periodic update. If the sender of the update is the same as the network’s next hop in the route table, the router creates an entry with an age of 0 and a cost equal to the advertised cost plus 1 (or the inbound interface cost). This entry replaces the network’s current entry. If the network is stable, the new entry will contain the same information as the one it replaced. However, even if the cost has changed since the last update, the router accepts whatever cost is advertised because the router considers the network’s current next hop to be the authority on information relating to it.
The second variation occurs when a neighbor other than the network’s current next hop advertises a lower cost. This variation should not occur frequently. If it does, it means that some set of networks between the router and the destination network is unstable.
Link failure recovery in mesh (1)
[Figure: the three-router mesh (links 10.0.64.0/24, 10.0.65.0/24 and 10.0.66.0/24), with the link between R2 and R3 marked as failed. Before the failure each router advertises its own networks plus those of its other neighbor: R1 advertises 10.1.x.x and 10.3.x.x to R2 and 10.1.x.x and 10.2.x.x to R3; R2 advertises 10.2.x.x and 10.1.x.x to R3 and 10.2.x.x and 10.3.x.x to R1; R3 advertises 10.3.x.x and 10.1.x.x to R2 and 10.3.x.x and 10.2.x.x to R1.]
In this example, a full mesh connects all three routers. Each router has a direct connection to every other router, eliminating the bottleneck. This topology provides some resilience.
Note that each router advertises to each neighbor its own local networks as well as the networks advertised by its other neighbor. Following Split horizon rules, none of the routers advertise to a neighbor the networks for which that neighbor provides the next hop.
The next few diagrams describe the sequence of events that occurs if one of the router-to-router links fails.
Link failure recovery in mesh (2)
[Figure: the mesh after the R2–R3 link fails. R2 changes the Cost to ‘16’ for the 10.3.x.x networks and R3 changes the Cost to ‘16’ for the 10.2.x.x networks. R1 still advertises 10.1.x.x and 10.3.x.x to R2 and 10.1.x.x and 10.2.x.x to R3; R2 now advertises only 10.2.x.x and R3 only 10.3.x.x.]
When a RIP router loses link on one of its interfaces, the router immediately changes the cost of the address range associated with the failed interface and all of the address ranges in its table whose next hop is within the address range associated with the failed interface.
In this example, Router2 sets network 10.0.65.0/24 at a cost of 16, which is equal to infinity because the maximum hop count is 15. The router also assigns a cost of 16 to the 10.3.x.x networks because the next hop for those networks is the neighbor interface on Router3, 10.0.65.2. Similarly, Router3 assigns a cost of 16 to network 10.0.65.0/24 and to the 10.2.x.x networks.
Link failure recovery in mesh (3)
[Figure: R2 accepts R1’s advertisement of the 10.3.x.x networks, changes Gateway to R1 and Cost to ‘3’; R3 accepts R1’s advertisement of the 10.2.x.x networks, changes Gateway to R1 and Cost to ‘3’.]
Although Router2 set its cost for the 10.3.x.x networks at 16 after the link failure, within 30 seconds or less it should receive a RIP update from Router1 advertising a path to these networks at a cost of 2. Router2 derives a cost of 3 by adding its own interface cost to the advertised cost, compares that with the cost of 16 currently in the route table, and creates new route table entries for the 10.3.x.x networks using an interface on Router1 as its next hop. Similarly, Router3 updates its route table to use Router1 as a next hop to reach the 10.2.x.x networks. This is an example of option 3 described on page 24—an advertisement indicates a better
RIP routers do not immediately remove entries from tables as soon as they become aware that networks are unavailable. Instead, a Holddown Timer determines the number of seconds that a router will keep a table entry with a cost of 16, waiting for the link to come back up or for some alternate lower-cost path to displace it. This mechanism enables the routers to adapt to changing conditions with minimal disruptions.
The actual functioning of the Holddown Timer varies from vendor to vendor. However, in general, the Holddown Timer starts when the route changes to a cost of 16 and it continues for three times the update interval (90 seconds). When the timer expires, the route is removed from the table if the router hasn’t received a better path to the address range.
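The inbound-update decision flow described under “Processing inbound RIP updates” and the link-failure sequence just described, replayed from Router2’s point of view as an added Python example; this is not code from the guide or from ProCurve. The interface addresses it uses (R1 10.0.64.1, R2 10.0.64.2 and 10.0.65.1, R3 10.0.65.2), the contents of the two neighbors’ updates and a single holddown of three update intervals (90 seconds) are all assumptions chosen to match the three-router mesh in the text:

```python
"""RIP route table: inbound-update decisions, link-failure poisoning (16 = infinity)
and the holddown timer. Added example, not code from the ProCurve guide; the
interface addresses (R1 10.0.64.1, R2 10.0.64.2 and 10.0.65.1, R3 10.0.65.2) and the
holddown of three 30 s update intervals are assumptions matching the text's mesh."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

INFINITY = 16      # maximum hop count is 15, so 16 means unreachable
HOLDDOWN = 3 * 30  # seconds a cost-16 entry is kept (assumed vendor value)


@dataclass
class Entry:
    gateway: Optional[IPv4Address]       # next hop; None for a connected network
    cost: int
    holddown_left: Optional[int] = None  # counts down while the entry sits at cost 16


@dataclass
class RipRouter:
    table: Dict[IPv4Network, Entry] = field(default_factory=dict)
    interfaces: Dict[IPv4Network, int] = field(default_factory=dict)  # network -> inbound cost

    def add_interface(self, network: str, cost: int = 1) -> None:
        net = IPv4Network(network)
        self.interfaces[net] = cost
        self.table[net] = Entry(gateway=None, cost=1)

    def process_update(self, source: str, adverts: Dict[str, int]) -> Dict[str, str]:
        """Apply one inbound update (the flowchart) and return the decision per network."""
        src = IPv4Address(source)
        inbound = next(c for n, c in self.interfaces.items() if src in n)  # receiving interface cost
        decisions: Dict[str, str] = {}
        for prefix, advertised in adverts.items():
            net = IPv4Network(prefix)
            calc = min(advertised + inbound, INFINITY)
            current = self.table.get(net)
            if current is None:
                decision = "create"
            elif current.gateway == src:
                decision = "replace-same-gateway"  # the next hop is authoritative, even if worse
            elif calc < current.cost:
                decision = "replace-lower-cost"   # a better path through another neighbour
            else:
                decision = "ignore"
            if decision != "ignore":
                self.table[net] = Entry(src, calc, HOLDDOWN if calc >= INFINITY else None)
            decisions[prefix] = decision
        return decisions

    def link_down(self, network: str) -> List[str]:
        """Interface lost: poison its range and every route whose next hop is inside it."""
        failed = IPv4Network(network)
        poisoned = []
        for net, entry in self.table.items():
            if net == failed or (entry.gateway is not None and entry.gateway in failed):
                entry.cost, entry.holddown_left = INFINITY, HOLDDOWN
                poisoned.append(str(net))
        return sorted(poisoned)

    def tick(self, seconds: int) -> List[str]:
        """Advance time; remove cost-16 entries whose holddown has expired."""
        expired = []
        for net, entry in list(self.table.items()):
            if entry.holddown_left is not None:
                entry.holddown_left -= seconds
                if entry.holddown_left <= 0:
                    expired.append(str(net))
                    del self.table[net]
        return sorted(expired)

    def route(self, prefix: str) -> Optional[Tuple[str, int]]:
        e = self.table.get(IPv4Network(prefix))
        return None if e is None else (str(e.gateway), e.cost)


def mesh_failure_scenario() -> dict:
    """Replay the text's example from Router2's point of view (constructed updates)."""
    r2 = RipRouter()
    for net in ("10.0.64.0/24", "10.0.65.0/24", "10.2.0.0/24", "10.2.20.0/24", "10.2.40.0/24"):
        r2.add_interface(net)
    from_r3 = {"10.3.0.0/24": 1, "10.3.10.0/24": 1, "10.3.30.0/24": 1, "10.0.66.0/24": 1}
    from_r1 = {"10.1.0.0/24": 1, "10.1.10.0/24": 1, "10.1.30.0/24": 1, "172.16.150.0/24": 1,
               "10.0.66.0/24": 1, "10.3.0.0/24": 2, "10.3.10.0/24": 2, "10.3.30.0/24": 2}
    out = {}
    out["first"] = r2.process_update("10.0.65.2", from_r3)   # R3 heard first: all created
    out["second"] = r2.process_update("10.0.64.1", from_r1)  # 10.3.x.x at cost 3 vs 2: ignored
    out["before"] = r2.route("10.3.10.0/24")                 # ('10.0.65.2', 2)
    out["poisoned"] = r2.link_down("10.0.65.0/24")           # the R2-R3 link fails
    out["during"] = r2.route("10.3.10.0/24")                 # ('10.0.65.2', 16)
    out["third"] = r2.process_update("10.0.64.1", from_r1)   # R1's next update: 3 < 16
    out["after"] = r2.route("10.3.10.0/24")                  # ('10.0.64.1', 3)
    out["expired"] = r2.tick(HOLDDOWN)                       # only the failed link ages out
    return out
```

Note the two different reasons an entry is replaced: in the third update the 10.1.x.x networks are refreshed because Router1 is already their gateway (“replace-same-gateway”), while the 10.3.x.x networks switch to Router1 because cost 3 beats the poisoned cost of 16 (“replace-lower-cost”). The poisoned entries that nobody re-advertises, here only the failed link 10.0.65.0/24 itself, survive until the holddown runs out and are then dropped by tick.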
Poisoned Reverse
A router using ‘Split Horizon with Poisoned Reverse’ advertises a cost of 16 rather than omitting the routes it learned from the neighbor.
[Figure: the R1, R2, R3 mesh after the loss of 10.0.65.0/24. The R1–R2 link 10.0.64.0/24 uses interface If 3 at both ends (10.0.64.1/24 and 10.0.64.2/24) and the R1–R3 link 10.0.66.0/24 uses If 4 at both ends (10.0.66.1/24 and 10.0.66.2/24); RIP is enabled on all four. R1’s two outbound RIP updates are listed below.]
RIP update from R1 that poisons the 10.3.x.x networks (sent over 10.0.66.0/24, toward R3):
Network: 10.0.64.0 Metric: 1
Network: 10.1.0.0/24 Metric: 1
Network: 10.1.10.0/24 Metric: 1
Network: 10.1.30.0/24 Metric: 1
Network: 10.2.0.0/24 Metric: 2
Network: 10.2.20.0/24 Metric: 2
Network: 10.2.40.0/24 Metric: 2
Network: 10.3.0.0/24 Metric: 16
Network: 10.3.10.0/24 Metric: 16
Network: 10.3.30.0/24 Metric: 16
Network: 172.16.150.0/24 Metric: 1
RIP update from R1 that poisons the 10.2.x.x networks (sent over 10.0.64.0/24, toward R2):
Network: 10.0.66.0 Metric: 1
Network: 10.1.0.0/24 Metric: 1
Network: 10.1.10.0/24 Metric: 1
Network: 10.1.30.0/24 Metric: 1
Network: 10.2.0.0/24 Metric: 16
Network: 10.2.20.0/24 Metric: 16
Network: 10.2.40.0/24 Metric: 16
Network: 10.3.0.0/24 Metric: 2
Network: 10.3.10.0/24 Metric: 2
Network: 10.3.30.0/24 Metric: 2
Network: 172.16.150.0/24 Metric: 1
This example shows the routing mesh as it appears after the loss of the network that formerly connected Router2 to Router3, 10.0.65.0/24. Now, however, the routers are communicating through a mechanism known as “Poisoned Reverse.”
Poisoned Reverse is a variation of Split horizon that can help speed convergence in meshed networks. Instead of omitting the routes that Split horizon rules exclude from the advertisement, the router poisons those routes, making it impossible for the router receiving the advertisement to consider the sender as a valid next hop toward the poisoned address ranges.
A router that employs Split horizon with Poisoned Reverse advertises, at a cost of 16, the routes that plain Split horizon excludes. As described earlier, the excluded routes include the address range associated with the interface over which the update will be transmitted. Split horizon also excludes all routes whose next hop (the Gateway field) is a host within the interface’s own address range.
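How a sender builds its update under plain Split horizon and under Split horizon with Poisoned Reverse, as an added example (not the guide’s own code). It constructs Router1’s route table as it would look after the loss of 10.0.65.0/24 and assumes the neighbor addresses 10.0.64.2 (Router2) and 10.0.66.2 (Router3); like the slide, it leaves the outgoing interface’s own network out of the update in both modes:

```python
"""Outbound RIP update under plain Split horizon and under Split horizon with
Poisoned Reverse. Added example, not the ProCurve guide's own code. Router1's
table is constructed as it looks after the loss of 10.0.65.0/24; the neighbour
addresses 10.0.64.2 (Router2) and 10.0.66.2 (Router3) are assumptions."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

INFINITY = 16

# (network, gateway or None when directly connected, cost): constructed Router1 table
R1_TABLE: List[Tuple[str, Optional[str], int]] = [
    ("10.0.64.0/24", None, 1),           # link toward Router2
    ("10.0.66.0/24", None, 1),           # link toward Router3
    ("10.1.0.0/24", None, 1),            # Loop 1
    ("10.1.10.0/24", None, 1),
    ("10.1.30.0/24", None, 1),
    ("172.16.150.0/24", None, 1),
    ("10.2.0.0/24", "10.0.64.2", 2),     # learned from Router2
    ("10.2.20.0/24", "10.0.64.2", 2),
    ("10.2.40.0/24", "10.0.64.2", 2),
    ("10.3.0.0/24", "10.0.66.2", 2),     # learned from Router3
    ("10.3.10.0/24", "10.0.66.2", 2),
    ("10.3.30.0/24", "10.0.66.2", 2),
]


def build_update(table: List[Tuple[str, Optional[str], int]], out_interface: str,
                 poisoned_reverse: bool) -> Dict[str, int]:
    """Return {network: metric} for the update sent over out_interface (e.g. 10.0.66.0/24)."""
    out_net = IPv4Network(out_interface)
    update: Dict[str, int] = {}
    for prefix, gateway, cost in table:
        if IPv4Network(prefix) == out_net:
            continue  # as on the slide, the interface's own range is not sent back over it
        learned_over_this_link = gateway is not None and IPv4Address(gateway) in out_net
        if learned_over_this_link:
            if poisoned_reverse:
                update[prefix] = INFINITY  # poison: the receiver must not pick us as next hop
            continue                       # plain split horizon: omit the route entirely
        update[prefix] = cost
    return update


def render(update: Dict[str, int]) -> List[str]:
    """Lines in the slide's 'Network: X Metric: N' form, poisoned routes listed last."""
    ordered = sorted(update.items(), key=lambda kv: (kv[1] == INFINITY, kv[0]))
    return [f"Network: {prefix} Metric: {metric}" for prefix, metric in ordered]


if __name__ == "__main__":
    for line in render(build_update(R1_TABLE, "10.0.66.0/24", poisoned_reverse=True)):
        print(line)
```

With poisoned_reverse=True the update sent over 10.0.66.0/24 reproduces the slide’s list: the 10.3.x.x networks appear at metric 16, the 10.2.x.x networks at metric 2 and Router1’s own networks at metric 1. With plain Split horizon the three 10.3.x.x entries are simply absent, so Router3 learns nothing from the update about whether Router1 still considers them reachable; the explicit 16 is what lets the receiver rule Router1 out as a next hop at once.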
Connecting to a core router
• Connect user networks and resource networks to core to provide equal access
• Each link between routers is in a different network
[Figure: core router C1 connected to edge routers R1–R4 by four separate networks: 10.0.64.0/24 (R1, 10.0.64.2/24), 10.0.65.0/24 (R2, 10.0.65.2/24), 10.0.66.0/24 (R3, 10.0.66.2/24) and 10.0.67.0/24 (R4, 10.0.67.2/24). Each edge router supports three user networks, for example R1: 10.1.10.0/24, 10.1.20.0/24 and 10.1.30.0/24; R2: 10.2.10.0/24, 10.2.20.0/24 and 10.2.30.0/24; and so on.]
This example illustrates a more scalable alternative to the routing mesh. In this hierarchical solution, four “edge” routers—that is, routers that support user networks—are connected to a “core” router whose primary responsibility is to interconnect other routers. This configuration eliminates the potential bottlenecks in the routing mesh shown earlier.
The routers place each physical port into a different broadcast domain. Because every connection between an edge router and the core router is in a different broadcast domain, each connection takes up a different network address. If you are trying to interconnect many locations, you could use up the IP address space quickly.
Connecting to a core routing switch
• Routing switches often support higher bandwidth
• Placing edge router uplinks in the same broadcast domain conserves network addresses
[Figure: core routing switch C1; edge routers R1–R4 all uplink into the single network 10.0.64.0/24 with addresses 10.0.64.2/24, 10.0.64.3/24, 10.0.64.4/24 and 10.0.64.5/24. Each edge router supports user networks 10.x.10.0/24, 10.x.20.0/24, 10.x.30.0/24, … (x = 1 to 4).]
You can relieve the strain on IP address space by putting into the same broadcast domain all of the router interfaces that connect the edge routers to the core network.
Flexible assignment of physical ports to router interfaces is one of the primary advantages that a routing switch has over a traditional router. The routing switch also supports higher speed interfaces than most traditional routers. Consequently, the network upgrade at ProCurve University will include the replacement of traditional routers with routing switches that support dynamic routing protocols as well as the definition of static routes.
Connecting to redundant core
Providing multiple paths between users and resources:
• Provides resilience
• May increase core capacity
[Figure: redundant core switches C1 (network 10.0.64.0/24) and C2 (network 10.0.65.0/24). Each edge router R1–R4 has an interface in both networks: R1 10.0.64.2/24 and 10.0.65.2/24, R2 10.0.64.3/24 and 10.0.65.3/24, R3 10.0.64.4/24 and 10.0.65.4/24, R4 10.0.64.5/24 and 10.0.65.5/24, plus its user networks 10.x.10.0/24, 10.x.20.0/24, 10.x.30.0/24, ….]
ProCurve University’s network upgrade will feature a redundant core such as the one shown. A redundant core can provide for recovery in the event of link failures. Furthermore, some routers can make use of multiple equal-cost paths to the same destination. On some routers, this feature works automatically; on others, it must be configured. Still other products will only use the first path to each destination that they find. If and when a second neighbor advertises an equal-cost path to the destination, the router stays with the one it learned first.
You can determine if your router supports equal-cost multipath (ECMP) by inspecting the route table. If you see multiple entries to the same destination that have different “Gateway” values, it usually means that your router is sharing the load toward that destination over all of the links. The maximum number of ECMP routes is usually configurable, as is the method the router uses to determine which packets will follow each route.
Routing among locations at ProCurve University
• Routers learn best path to destination networks at their own location by exchanging routing information with neighbors
• One or two routers from each location exchange routing information with core routers
[Figure: University intranet core (networks 10.0.0.0/24 through 10.0.255.0/24) interconnecting three campuses. Southwest campus: hosts in address range 10.1.0.0 – 10.1.255.255 (networks 10.1.0.0/24, 10.1.1.0/24 … 10.1.255.0/24, up to 255 networks). Northwest campus: hosts 10.2.0.0 – 10.2.255.255 (10.2.0.0/24 … 10.2.255.0/24). Northeast campus: hosts 10.3.0.0 – 10.3.255.255 (10.3.0.0/24 … 10.3.255.0/24).]
Each of ProCurve University’s three campuses has its own network with an address range of 10.x.0.0/24 to 10.x.255.0/24. The campuses interconnect through an intranet core with addresses in the range of 10.0.0.0/24 to 10.0.255.0/24.
The routing infrastructure supports more than 750 user networks distributed across three physical locations. While the technologies in place are similar to earlier examples, which showed only eight user networks, the complexity of this topology presents a few new challenges.
For instance, because there are so many networks at each location, it would be inefficient or even impossible to connect every router to the intranet core. Instead, the topology features redundant links among routers at each location. Another layer of routers aggregates the traffic from the hosts at each location and connects to the core. This multi-layered hierarchical approach can be scaled to support a network with hundreds of locations, if necessary.
Dynamic route exchange
• If routers exchange entire route database with neighbors, they obtain detailed information about the networks at every location
• Storing detailed information about other locations can result in inefficient use of route table space
[Figure: intranet core (networks 10.0.0.0/24-10.0.255.0/24) connecting Location A (hosts 10.1.0.0 – 10.1.255.255, networks 10.1.0.0/24-10.1.255.0/24), Location B (hosts 10.2.0.0 – 10.2.255.255, networks 10.2.0.0/24-10.2.255.0/24) and Location C (hosts 10.3.0.0 – 10.3.255.255, networks 10.3.0.0/24-10.3.255.0/24), each with up to 256 networks. Each location’s router also receives the core’s networks plus the other two locations’ networks (up to 768 networks), so each router may have up to 1,024 route table entries.]
This diagram illustrates a hierarchical topology that requires all inter-location traffic to transit the core. If the router that connects each location to the core advertises all 256 of its networks, every router in the entire intranet will have over 750 entries in its route table. This is highly inefficient because it is not necessary for every router to know every network.
To avoid this inefficiency, IP network designers usually assign contiguous address space to physically separated locations, regardless of whether they are buildings within the same campus separated by a short distance or campuses within a larger enterprise that are separated by a greater distance. This makes it possible to summarize the address space, enabling a range of networks to be represented by a single route table entry.
Network summarization
• Network summarization requires a hierarchical addressing scheme
• Summaries provide a starting address and mask that describe a range of addresses
• Benefits include:
  – Minimize the number of route table entries
  – Enable more efficient route table lookup
• Summarization methods within an autonomous system:
  – Networks that use RIP
    • Define a static route that specifies the range’s starting address and mask, next hop (gateway), and path cost
    • Disable RIP on the interface that connects to the summarized address range
  – Networks that use OSPF
    • May be divided into administratively defined “areas”
    • Summaries configured at area boundaries
Often, routers at a location have a limited number of paths to the networks within a given address range. In these cases, you can increase routing efficiency by replacing many individual, specific network advertisements with a single statement that specifies a larger range of addresses using a shorter mask. In all cases, a shorter mask specifies a larger address range and a longer mask specifies a smaller range. Any starting address with a 24-bit mask specifies a range with 256 addresses. A starting address with a 16-bit mask specifies a range of 65,536 addresses.
This process is known as “network summarization.” In most vendor implementations, neither RIP nor OSPF performs this summarization automatically; both require that you perform some additional configuration steps to enable network summarization.
Summarization of address space using static routes
[Figure: Location A (10.1.0.0/16) with edge routers A11–A14 connected to routers A1 and A2, which connect to the intranet core (10.0.0.0/16).]
Routers A1 and A2:
• Are configured with a static default route 0.0.0.0/0; next hop is a core router interface
• Include the static route in RIP updates they send to the edge routers (A11-A14) at Location A
The intranet core router is configured with two static summary routes toward address range 10.1.0.0/16:
• One specifies A1 as next hop
• Another specifies A2 as next hop
In networks that implement RIP, static routes usually provide the mechanism for network summarization.
In this example, network summarization will prevent routers in Location A from obtaining detailed, specific advertisements for every network in the intranet. This process requires two steps:
1. Disable the operation of RIP on both sides of the links that connect Routers A1 and A2 to the intranet core. This, of course, prevents the routers in Location A from processing RIP advertisements sent from the core.
2. Define static routes for the path to networks or address ranges that do not appear as more specific routes in the route table.
In the example, the goal is to provide a path for hosts at Location A to reach all non-local destinations, including addresses on the public Internet. To accomplish this, you would specify the default route (0.0.0.0/0) that uses an intranet core interface as the next hop.
While the core router may use a default static route to reach addresses in the public Internet, it can’t use the default route to reach hosts at different locations. Instead, the intranet core might have a summarized route to each location. Because the addressing scheme is hierarchical, and all hosts between 10.1.0.0 and 10.1.255.255 are at Location A, you can define a static summary route for the path the core router has to Location A with the starting address 10.1.0.0 and a 16-bit mask (10.1.0.0/16). The 16-bit mask defines a range of over 65,536 addresses, although some number of the addresses in this range would be inappropriate for host addressing purposes.
For purposes of Layer 3 forwarding, a route table entry with a 16-bit mask matches a large range of destination addresses. For example, if a router within the intranet core needs to forward traffic toward any of the potentially 65,536 addresses between 10.1.0.0 and 10.1.255.255, it will forward the traffic to the next hop gateway in the 10.1.0.0/16 route table entry.
Although the diagram shows detailed operation only for Location A, the same procedures would be used for other locations. The intranet core router(s) would need to have static routes specifying each of the locations’ address ranges. Each router would forward traffic destined for a given address range in the direction of the appropriate location. The routers that connect each location to the intranet core would use the default route to forward all traffic for which they do not have a more specific route in their route tables.
Route table lookup
IP route table is a list of address ranges that may specify:
• A single network
• A network summary expressed as a starting address and mask
Route table lookup procedure:
• Compare packet’s destination IP address with route table entries
• If there is a match, forward the packet to the specified gateway (next hop)
• If there is more than one match, forward the packet to the gateway specified by the most specific match
• If there is no match, discard the packet
Default route:
• Ultimate summarized route specifies the entire IP address space (over 4 billion addresses)
• Only packets without a more specific match will be forwarded toward the default route
Although a packet’s destination address may match with multiple route table entries, the router does not stop its evaluation on the first match. When a route table contains multiple matches for an address, the most specific match defines the path the packet will take. The router follows the entry that has the longest mask; that is, the entry that is the most specific match with the packet’s destination address.
Every address in the entire IP address space—between 0.0.0.0 and 255.255.255.255—is included in the range specified in the static default route. Consequently, every packet will match with the default route. However, packets whose destination addresses are within the specific ranges that appear in the route table will match with two entries and will follow the most specific route.
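The lookup rule just described, together with the network summarization the previous pages build up to, as an added Python example rather than code from the guide. The route table is constructed: Location A’s summary 10.1.0.0/16, one more specific /24 inside it, Location B’s summary and a static default route; the next hop addresses are assumed, as is the use of collapse_addresses from Python’s standard ipaddress module to compute the summary:

```python
"""Route table lookup by the most specific (longest-mask) match, plus the
summarization that lets one entry stand for a whole location. Added example,
not code from the ProCurve guide. The table is constructed (Location A summary
10.1.0.0/16, one more specific /24 inside it, Location B's summary, a static
default route); next hop addresses are assumptions."""
from ipaddress import IPv4Address, IPv4Network, collapse_addresses
from typing import List, Optional, Tuple

Route = Tuple[IPv4Network, str]  # (destination range, gateway / next hop)

CORE_TABLE: List[Route] = [
    (IPv4Network("0.0.0.0/0"), "192.0.2.1"),       # default route (assumed upstream hop)
    (IPv4Network("10.1.0.0/16"), "10.0.64.2"),     # summary: all of Location A via A1
    (IPv4Network("10.1.10.0/24"), "10.0.64.3"),    # one specific network inside it via A2
    (IPv4Network("10.2.0.0/16"), "10.0.65.2"),     # Location B summary
]


def lookup(table: List[Route], destination: str) -> Optional[str]:
    """Gateway of the most specific matching entry, or None when the packet is discarded."""
    dst = IPv4Address(destination)
    best: Optional[Route] = None
    for net, gateway in table:  # do not stop at the first match: keep the longest mask
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return None if best is None else best[1]


def matches(table: List[Route], destination: str) -> List[str]:
    """Every entry the destination matches, most specific first."""
    dst = IPv4Address(destination)
    hits = [net for net, _ in table if dst in net]
    return [str(n) for n in sorted(hits, key=lambda n: n.prefixlen, reverse=True)]


def summarize(prefixes: List[str]) -> List[str]:
    """Collapse contiguous, mask-aligned networks into the fewest covering entries."""
    return [str(n) for n in collapse_addresses([IPv4Network(p) for p in prefixes])]


def location_a_networks() -> List[str]:
    """Constructed: the 256 networks 10.1.0.0/24 ... 10.1.255.0/24 of Location A."""
    return [f"10.1.{third}.0/24" for third in range(256)]
```

A destination inside 10.1.10.0/24 matches three entries and follows the /24; one elsewhere in 10.1.0.0/16 follows the summary; anything else falls to the default route, and with no default entry lookup returns None, the “discard” outcome. summarize shows why the hierarchical assignment described on the previous pages matters: 10.1.0.0/24 and 10.1.1.0/24 collapse to 10.1.0.0/23, but 10.1.1.0/24 and 10.1.2.0/24 stay as two entries because the pair is not aligned on a common mask.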
Advertising static routes
[Figure: Location A (10.1.0.0/16), edge routers A11–A14 behind routers A1 and A2, which connect to the intranet core (10.0.0.0/16).]
• Routers A1 and A2 must be able to advertise the default route within RIP updates
• If there are other routers in the intranet core, the core RIP router may be configured to advertise the static routes to its neighbors
• Edge routers A11-A14 must be able to accept the default route advertisement (0.0.0.0/0)
Often, network summarization using static routes requires further configuration for the routers that advertise the static routes and the routers that receive them. However, because network equipment manufacturers implement the relationship between RIP and static routes in different ways, you should consult product documentation to determine what configuration is necessary.
In the example, the static route is defined on routers A1 and A2. It may be necessary to configure these routers to “redistribute” static routes, including the default route. The recipient routers (A11-A14) may also need to be configured to “listen” for the default route.
These configuration steps often are necessary because routers usually consider RIP-learned routes, directly connected routes, and static routes to be different “sources” of route information. Most routers automatically redistribute directly connected network address ranges into RIP advertisements, but the choice of whether to automatically redistribute static routes is up to vendor implementation.
Additionally, most routers enable the definition of filter lists for redistribution, which allows an administrator to selectively redistribute static routes. For example, some static routes may be useful locally but unsuitable for use by neighboring routers.
Many routers treat the default static route as a special case of static route. That is, without special configuration, some routers will not place the default route into their route tables, even if it is advertised within a RIP update. Typically, if a router does not automatically listen for or accept the default route, it is usually possible to selectively enable default route listening or to enable it for all RIP interfaces on the router.
Equal cost multipath
After the routers are configured to accept or listen for the default route, it is treated just like any other address range. If a router has a neighbor advertising the default route at a cost of 2 and another advertising the default route at a cost of 3, it will choose the lower cost path. If the next hop router stops advertising the default route and the entry ages out of the route table, the router will replace the invalid route with a valid one.
In the example, Routers A11 through A14 each have two paths to the core and, therefore, two paths to resources that may be available through the core. Whether a given router will use the first-heard route or place both routes in its table and share the traffic between them is entirely dependent on the router’s feature set. At the very least, the second connection to the core provides redundancy.
Module 1 summary
In this module, you learned:
• The basic types of router interfaces
• How the route table stores route information
• The types of routing protocols
• How RIP routers advertise routes and determine the best path to a given resource
• The operation of Split Horizon and Poisoned Reverse
• How network summarization enables efficient route tables
Module 1 of IP Routing Foundations introduced the basic concepts of IP routing, with an emphasis on RIP. Specific topics included types of router interfaces, the basic operation of RIP, and the types of routing protocols.
Learning check Module 1
1. What are the four types of router interfaces?
2. What is the difference between an Interior Gateway Protocol and an Exterior Gateway Protocol?
3. Name and describe one important disadvantage of RIP.
4. What is “Split horizon”?
5. What is network summarization and why is it necessary?
6. What is “poisoned reverse”?
Module 2: OSPF Routing
Objectives
After completing this module, you will be able to:
• Compare and contrast RIP and OSPF
• Explain why OSPF provides more efficient routing than RIP in large-scale intranets
• Describe the basic process for propagating route information throughout OSPF domains
• Describe the roles of the OSPF router types
• Explain the functions of the OSPF message types
• Describe the OSPF area types and their proper uses
• Explain the process of network summarization for OSPF domains
OSPF at ProCurve University
Intranet characteristics that make OSPF a good choice for IGP:
• Infrastructure provides multiple paths to each address range
• Complex connectivity provided by links with varying bandwidth
• Topology is hierarchical
• Addressing scheme is hierarchical, following physical hierarchy
Plan for ProCurve University intranet upgrade includes:
• High availability characteristics
  – Locations are interconnected through dual core
  – Redundant links within each location
• Hierarchical addressing scheme
  – Address range will be assigned to networks within each campus location
  – Address range will be assigned to networks within intranet core
Often, OSPF will be a better choice than RIP as an IGP. This is especially true in intranets that provide multiple paths to each address range, have complex connectivity with links of varying bandwidth, and have hierarchical addressing schemes and topologies.
The network upgrade at ProCurve University will include an OSPF implementation for the reasons shown. Specifics about the design and implementation will be described in Routing Switch Essentials.
OSPF Routing
Rev 5.21 2 – 3
Basic OSPF interactions
• Hierarchy
• Message types
• Router communications
• Distribution of link state changes
• External route information
The first section of Module 2 describes the basic interactions between OSPF routers. Specific topics include the OSPF hierarchy, OSPF Hello messages, and the link state messages and database.
OSPF routing protocol
Benefits when compared with RIP
• Faster convergence
– Advertisements flooded throughout domain
– Each router advertises only its own connected networks
• Intelligent path selection
– Supports variable link cost assignment
• Scalable with no specific limit on the number of router hops between a source and destination host
The benefits of OSPF are most evident in large intranets with redundant routed links. Unlike RIP routers, OSPF routers are immediately aware of changes in network topology and can quickly adjust their next hop information for remote networks.
When a network becomes unavailable due to link failure, the OSPF routers connected to the network immediately pass the information on to all routers in the area. By contrast, RIP updates move from hop to hop, which delays convergence and can cause routers to have contradictory or inconsistent information in their route tables.
OSPF hierarchy: Routers and networks
OSPF routers
• Uniquely identified by 32-bit dotted decimal value
• Establish formal relationship known as ‘adjacency’ with neighbors
• Advertise their own directly connected networks and associated link cost
OSPF networks
• Uniquely identified by starting address and mask
• Classified based on their function in the ‘tree’ that represents the collection of routers and networks
– ‘Transit’ networks can carry traffic destined for other networks
– ‘Stub’ networks have a single entry/exit point
Figure: R1A (Router ID 10.1.208.1) and R1B (Router ID 10.1.209.1) connected by transit network 10.1.64.0/24; stub networks 10.1.10.0/24 and 10.1.20.0/24.
Several important features of OSPF routers and networks enable them to function more efficiently than RIP routers and networks. In particular, the networks and routers in an OSPF domain follow a specific hierarchy that enables efficient communication.
OSPF Router ID
An OSPF router uses its Router ID—a unique 32-bit dotted decimal value—to advertise itself and its connected networks and neighbors to all other OSPF routers. By contrast, a RIP router gathers information about its immediate neighbors from periodic updates.
Most vendors’ implementations of OSPF establish rules that enable a router to select a Router ID from among its active IP interfaces if an administrator has not statically defined one. Many routers require the Router ID to match the IP address of an active interface. The loopback interface address is often the default Router ID because it is the interface least likely to become unavailable. The Router ID is only an identifier, but it must be unique within the OSPF domain: two routers that share a Router ID cannot become adjacent, and a duplicate can corrupt the link state database of every router in the area because their LSAs will be treated as instances of one another.
OSPF adjacencies
One primary task of an OSPF router is to establish a formal relationship, called an “adjacency,” with routers on its local networks. In the example, R1A has three OSPF interfaces, one of which is its loopback interface. It periodically sends “Hello” messages through all of those interfaces in an effort to find neighbors and establish adjacencies. After the adjacency is established, OSPF routers periodically send Hello messages indefinitely to maintain their relationship.
For each of its IP interfaces, the OSPF router applies the assigned mask to the assigned IP address to derive the local address range and sends an advertisement that includes every locally connected network. By contrast, if the routers in the example were configured for RIP, Split Horizon rules would prohibit R1A from advertising network 10.1.64.0/24.
OSPF network types
Unlike RIP, OSPF routers differentiate among network types in their advertisements. The OSPF version 2 specification (RFC 2328) lists several network types and sub-types. However, they fall into two main categories:
1. Transit networks have two or more connected routers. As such, they are potential paths for traffic that originates within or is destined for some other network.
2. Stub networks have only one router. They are considered stubs because there is only one point of entry (router) to the network. Traffic that comes from or is destined for other networks is never forwarded into a stub network. Stub networks will be discussed in more detail later in this module.
OSPF routers determine whether a network is stub or transit by listening for neighbors. If a router detects at least one neighbor on an interface, the network is a transit network. The router finds no neighbors on stub networks.
By default, OSPF routers continue sending Hello messages on all OSPF interfaces, including those that lead to stub networks. Loopback interfaces are a special case: RFC 2328 treats an interface in the Loopback state as advertising only a host route and sends no Hello packets through it, because it is isolated from physical network media and can never lead to a neighbor. Some implementations nevertheless run the Hello protocol on loopback interfaces unless told otherwise.
However, administrators can configure OSPF routers to not send advertisements through specific interfaces, including the loopback. Many router platforms allow administrators to define certain OSPF interfaces, including the loopback interface, as “passive.” An OSPF router will not send Hello messages through passive interfaces and consequently will not form adjacencies or flood updates into the connected network.
OSPF area
• A group of networks interconnected by OSPF routers
• Area ID may be expressed as a decimal or dotted decimal number
• Networks are identified as members of an area by their connected routers
Figure: all networks in Area 0. R1A (Router ID 10.1.208.1) and R1B (Router ID 10.1.209.1) share 10.1.64.0/24, with 10.1.10.0/24 and 10.1.20.0/24 attached; R2A (Router ID 10.2.208.1) and R2B (Router ID 10.2.209.1) share 10.2.64.0/24, with 10.2.10.0/24 and 10.2.20.0/24 attached; core router C1 and network 10.0.100.0/24 are also in Area 0.
The next level in the OSPF hierarchy is the area, which is a contiguous collection of networks. Every OSPF router must belong to at least one area.
An area receives its ID from the routers whose networks are contained within it. Two routers that share a network must agree on its area ID. If the routers do not assign the same area ID to the network, they will fail to form an adjacency. Without an adjacency, the routers will not share link state information, so neither will route traffic through the other over that network. They will, however, continue attempting to form an adjacency indefinitely until an administrator resolves the conflict.
All routers that are interconnected by networks that have a common area ID will obtain detailed information about the networks connected to other routers in the area. When a router originates a Router Link State Advertisement (LSA), it sends it to its immediate neighbors, who in turn flood the LSA to all of their neighbors without changing it. In this manner, every Router LSA reaches every router in the area. As a result, every router in the area has an identical collection of router LSAs.
Unlike RIP advertisements, the OSPF advertisement does not immediately yield a next hop gateway for the receiving router to place in its route table. Instead, each router uses the collected advertisements to build a tree, using itself as the root, that represents the shortest path to all of the routers and networks in the area. Each router produces a set of route table entries based on the tree.
Any router that experiences a change in the state of one of its links must immediately send a newer instance of its LSA to inform all of the routers in the area of the change. Routers flood the advertisement over the networks that constitute the area. Receipt of a new LSA may cause every router in the area to simultaneously build a new shortest path first (SPF) tree based on the most current information, and potentially (depending on each router’s proximity to the link whose state has changed) place new next hop gateway values in its route table.
OSPF hierarchy: Autonomous System
OSPF Autonomous System (AS)
• A collection of interconnected OSPF areas, one of which is Area 0 (backbone)
• Area Border Routers (ABR) connect non-backbone areas to backbone
Figure: Area 0 (backbone) in the center, with Areas 1, 2 and 3 each attached to it through an ABR.
The highest level of hierarchy in an OSPF domain is the Autonomous System (AS), which is a collection of interconnected areas. Each area is a portion of the AS where routers exchange detailed information about their link states. It is certainly possible for all of the routers and networks in an AS to be placed into the same OSPF area. However, this approach will limit the maximum number of routers and networks that can be efficiently serviced.
For best results, the logical addressing hierarchy should follow the physical hierarchy. Networks that are in the same physical location should be assigned addresses within a range that can be expressed using a starting address and mask, so that the ABR can summarize the whole location into a single advertisement at the area border.
OSPF router boots up
First actions taken by a router with active OSPF interfaces:
• Create a Router LSA that describes its connected OSPF networks, store in link state database
• Send Hello messages over all OSPF interfaces every 10 seconds
Figure: R1A (Router ID 10.1.208.1) has Loopback 1 10.1.208.1 (OSPF), interface 10.1.64.1/24 toward R1B (OSPF cost 10) and interface 10.1.10.1/24 (OSPF cost 100). R1B has an interface on 10.1.64.0/24 and network 10.1.30.0/24, with OSPF not enabled.
R1A’s Router LSA:
  Type: Router LSA, Link state ID: 10.1.208.1, Adv. Router: 10.1.208.1, Sequence: 80000000
  No. of links: 3
  Stub 10.1.10.0/24 cost 100
  Stub 10.1.64.0/24 cost 10
  Stub 10.1.208.0/24 cost 1
Hello from R1A on 10.1.64.0/24 (IP src 10.1.64.1, dst 224.0.0.5):
  OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
  Hello: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec
Hello from R1A on 10.1.10.0/24 (IP src 10.1.10.1, dst 224.0.0.5):
  OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
  Hello: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec
When an OSPF router boots up or when OSPF is activated, the router immediately performs two tasks. It places information about its own connected networks into its link state database and begins looking for neighbors on its connected networks.
The first entry in every OSPF router’s link state database is its own Router LSA. The diagram shows the highlights of the Router LSA for R1A. The low sequence number indicates that this is R1A’s first instance of a Router LSA (RFC 2328 defines the initial sequence number as 0x80000001; the diagram’s value 80000000 is illustrative). All of R1A’s networks are considered “stub” networks because it has not discovered any neighbors at this point.
If R1A later detects any change in the state of its connected networks—that is, if any of the networks go down or if additional OSPF networks are configured—the router will create a new LSA containing the most recent information and replace the one currently in the database.
Hello messages
Currently, R1A is the only OSPF router in its area, although it is directly connected to R1B. However, OSPF is not enabled on R1B. Still, immediately after it boots up, R1A will begin sending Hello messages over all of its interfaces, including network 10.1.64.0/24. Furthermore, because the formation of adjacencies is crucial to OSPF operation, R1A will continue sending Hello messages unless the interface goes down or an administrator explicitly defines this interface as passive.
Exchanging Hello packets
OSPF routers
• Send Hello packets periodically to
– Exchange their Router IDs
– Verify that they agree on their shared network’s mask and the area to which it is assigned
– Propose or confirm parameters of their relationship, including timers
• Do not use Hello packets to share information about networks other than the one they share
Figure: R1A (Router ID 10.1.208.1, interface 10.1.64.1) and R1B (Router ID 10.1.209.1, interface 10.1.64.2) on 10.1.64.0/24; R1A also attaches 10.1.10.0/24 and R1B attaches 10.1.30.0/24.
Hello from R1A (IP src 10.1.64.1, dst 224.0.0.5):
  OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
  Hello: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Neighbor: 0.0.0.0
R1B’s first Hello packet (IP src 10.1.64.2, dst 224.0.0.5):
  OSPF header: Source router 10.1.209.1, Area ID 0.0.0.0
  Hello: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Neighbor: 10.1.208.1
In this example, OSPF has been activated on R1B. This router has created a Router LSA that represents its own connected networks, stored the LSA in its link state database, and sent its first Hello packet.
All OSPF packets are carried directly in IP datagrams (IP protocol number 89) without TCP or UDP. The destination address in the IP datagram header is the multicast address 224.0.0.5 (AllSPFRouters), which is reserved for OSPF routers; a second reserved address, 224.0.0.6 (AllDRouters), reaches only the Designated Router and Backup DR. Other types of OSPF communication are sent to unicast addresses.
The information each OSPF router includes in its Hello packets includes the area ID, which must be identical if the routers are to become adjacent. In the example, the networks are identified as members of the backbone area, known as Area 0.0.0.0 or Area 0. (Other special properties of Area 0 will be discussed later in this module.)
In addition to an area ID, each OSPF interface is configured with values that define its expectations for neighbor interaction. These include the Hello interval, which is the interval between the router’s Hello messages, and the dead interval, which is the interval that a router will wait for a neighbor’s Hello messages before considering the neighbor to be down.
In the example above, one of R1A’s Hello packets arrived at R1B before it sent its first Hello packet. R1B compared R1A’s proposed parameters with its own configured parameters. R1B’s Hello messages signaled acceptance of R1A’s Hello messages because the source address in the IP datagram header is in the same address range as the address configured on the receiving interface and because the following parameters were identical:
• Area ID
• Subnet mask
• Hello interval
• Dead interval
The OSPF header also carries an authentication type and authentication data. A Hello whose authentication type or key does not match the receiving interface is discarded before any of the parameters above are compared, so on a segment where untrusted hosts may be present, enabling OSPF authentication is what keeps an arbitrary host from being accepted as a neighbor.
If any of these parameters differed in the two routers’ messages, or if the routers had the same Router ID, the routers would not move to the next state. Instead, they would continue sending Hello packets indefinitely with an empty Neighbor field, never including each other’s Router ID.
Most routers report parameter mismatches in an event log. In the event of a mismatch, log entries include error messages indicating which parameter was mismatched. The logs also include an error message if Router IDs are identical.
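As an added example (not part of the student guide or of any ProCurve product code), the following Python builds the Hello packet R1B sends in the figure above and applies the receive checks just described from R1A’s point of view, reporting every mismatched parameter rather than only the first. The packet layout follows RFC 2328 appendix A.3.2 with null authentication, and the checksum is the ones-complement sum over the packet with the 64-bit authentication field excluded, as appendix D.4.1 specifies. R1A’s local interface settings (10.1.64.0/24, Hello 10, dead 40, AuType 0) are an assumption read off the diagrams.

```python
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
HEADER_LEN = 24        # OSPFv2 packet header
HELLO_FIXED_LEN = 20   # Hello body before the neighbor list


def ip2b(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def b2ip(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


def ospf_checksum(pkt: bytes) -> int:
    """RFC 2328 D.4.1 (AuType 0 and 1): ones-complement checksum over the packet,
    excluding the 64-bit authentication field at bytes 16..23."""
    data = pkt[:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, netmask, hello_int, dead_int,
                dr="0.0.0.0", bdr="0.0.0.0", neighbors=(), priority=1,
                options=0x02, autype=0):
    """Serialize an OSPFv2 Hello (null authentication) with a valid checksum."""
    body = struct.pack("!4sHBBI4s4s", ip2b(netmask), hello_int, options,
                       priority, dead_int, ip2b(dr), ip2b(bdr))
    body += b"".join(ip2b(n) for n in neighbors)
    header = struct.pack("!BBH4s4sHH8s", OSPF_VERSION, OSPF_HELLO,
                         HEADER_LEN + len(body), ip2b(router_id), ip2b(area_id),
                         0, autype, b"\x00" * 8)
    pkt = header + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def parse_hello(pkt: bytes) -> dict:
    """Decode header and Hello body; raises ValueError on malformed input."""
    if len(pkt) < HEADER_LEN + HELLO_FIXED_LEN:
        raise ValueError("packet too short")
    ver, ptype, length, rid, aid, _csum, autype, _auth = struct.unpack(
        "!BBH4s4sHH8s", pkt[:HEADER_LEN])
    if ver != OSPF_VERSION or ptype != OSPF_HELLO:
        raise ValueError("not an OSPFv2 Hello")
    if length != len(pkt):
        raise ValueError("length field does not match packet")
    mask, hello_int, options, prio, dead_int, dr, bdr = struct.unpack(
        "!4sHBBI4s4s", pkt[HEADER_LEN:HEADER_LEN + HELLO_FIXED_LEN])
    tail = pkt[HEADER_LEN + HELLO_FIXED_LEN:]
    if len(tail) % 4:
        raise ValueError("neighbor list is not a multiple of 4 bytes")
    return {"router_id": b2ip(rid), "area_id": b2ip(aid), "autype": autype,
            "checksum_ok": ospf_checksum(pkt) == 0,   # sum including the field folds to 0
            "netmask": b2ip(mask), "hello_interval": hello_int,
            "dead_interval": dead_int, "priority": prio, "options": options,
            "dr": b2ip(dr), "bdr": b2ip(bdr),
            "neighbors": [b2ip(tail[i:i + 4]) for i in range(0, len(tail), 4)]}


def check_hello(pkt: bytes, src_ip: str, local: dict):
    """Receive checks of RFC 2328 sections 8.2 and 10.5 for a Hello arriving on
    the interface described by `local`. Returns (reasons, two_way): an empty
    reasons list means the sender is accepted as a neighbor; two_way is True
    when our own Router ID appears in the sender's neighbor list."""
    try:
        h = parse_hello(pkt)
    except ValueError as exc:
        return [str(exc)], False
    net = ipaddress.IPv4Network(local["network"])
    reasons = []
    if not h["checksum_ok"]:
        reasons.append("bad checksum")
    if h["autype"] != local["autype"]:
        reasons.append("authentication type mismatch")
    if h["area_id"] != local["area_id"]:
        reasons.append("area ID mismatch")
    if ipaddress.IPv4Address(src_ip) not in net:
        reasons.append("source address not on the receiving subnet")
    if h["netmask"] != str(net.netmask):       # skipped on point-to-point links
        reasons.append("network mask mismatch")
    if h["hello_interval"] != local["hello_interval"]:
        reasons.append("Hello interval mismatch")
    if h["dead_interval"] != local["dead_interval"]:
        reasons.append("dead interval mismatch")
    if h["router_id"] == local["router_id"]:
        reasons.append("duplicate Router ID")
    return reasons, local["router_id"] in h["neighbors"]


# Constructed from the figures: R1A's receiving interface and R1B's first Hello.
R1A_LOCAL = {"router_id": "10.1.208.1", "area_id": "0.0.0.0",
             "network": "10.1.64.0/24", "hello_interval": 10,
             "dead_interval": 40, "autype": 0}
R1B_HELLO = build_hello("10.1.209.1", "0.0.0.0", "255.255.255.0", 10, 40,
                        neighbors=["10.1.208.1"])
```

The list of reasons is what the “event log” entries mentioned above correspond to; a monitoring tap on 224.0.0.5 that runs `check_hello` against each interface’s expected settings will also surface a foreign router injecting Hellos into a segment, since its Router ID, area or timers will usually fail at least one check.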
Two-way neighbor recognition
• After initial Hello packet exchange each router includes neighbor’s Router ID in Hello packets
• When a router sees its own Router ID in a Hello packet from a neighbor, it enters the ‘Two-way’ state
• When both routers are in the Two-way state, they may proceed to the next step toward adjacency
Figure: R1A (Router ID 10.1.208.1, interface 10.1.64.1) and R1B (Router ID 10.1.209.1, interface 10.1.64.2) on 10.1.64.0/24, with 10.1.10.0/24 and 10.1.30.0/24 attached.
Hello from R1A (IP src 10.1.64.1, dst 224.0.0.5):
  OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
  Hello: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Neighbor: 10.1.209.1
Hello from R1B (IP src 10.1.64.2, dst 224.0.0.5):
  OSPF header: Source router 10.1.209.1, Area ID 0.0.0.0
  Hello: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Neighbor: 10.1.208.1
R1A and R1B now send Hello packets every 10 seconds. When R1A receives R1B’s Hello packet containing R1B’s Router ID, R1A begins sending Hello packets that list Router ID 10.1.209.1 as a neighbor. At this point, the routers move to the “two-way state,” which is the next step in their path toward adjacency.
Because R1A and R1B are the only two routers on network 10.1.64.0/24, they will become adjacent. However, not all routers that share a network will become adjacent. In a network that contains many routers, it would be resource-intensive to establish a full mesh of adjacencies among all of the routers. Consequently, the OSPF specification includes a solution for ensuring that routers won’t form so many adjacencies that routing efficiency is compromised. (This solution will be discussed in more detail later in this module.)
Designated Router election
• Specific adjacency formation procedures vary by network type
• On an Ethernet network, even one with only two routers, one router is elected Designated Router (DR) and another becomes Backup DR
• Additional routers form adjacencies with DR and Backup DR but not with each other
• DR is responsible for generating Network LSA
Figure: R1A (Router ID 10.1.208.1, interface 10.1.64.1) and R1B (Router ID 10.1.209.1, interface 10.1.64.2) on 10.1.64.0/24, with 10.1.10.0/24 and 10.1.30.0/24 attached.
Hello from R1A (IP src 10.1.64.1, dst 224.0.0.5):
  OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
  Hello: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Designated Router: 10.1.64.2, Backup DR: 10.1.64.1, Neighbor: 10.1.209.1
Hello from R1B (IP src 10.1.64.2, dst 224.0.0.5):
  OSPF header: Source router 10.1.209.1, Area ID 0.0.0.0
  Hello: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Designated Router: 10.1.64.2, Backup DR: 10.1.64.1, Neighbor: 10.1.208.1
Because an Ethernet network can support many routers within the same broadcast domain, one OSPF router on each Ethernet network becomes the Designated Router (DR) and another becomes the Backup DR (BDR). Subsequent neighbors on the network become adjacent to the DR and BDR, but not to each other.
The DR has some additional responsibilities, which include generation of another LSA type, known as a Network LSA, which is generated after the DR and BDR have established full adjacency.
Typically, the first two routers on a multi-access network become the DR and the Backup DR. Administrators can influence DR selection by configuring a higher priority on an OSPF router’s interface to a multi-access network; a priority of 0 makes the router ineligible, which is the usual setting on interfaces where a router should never take on the DR role. If the first routers to connect to the network have equal priority, the one with the higher Router ID becomes the DR. Once established in its role, the DR does not relinquish DR responsibility even if another router with a higher priority later becomes adjacent to it. As the diagram shows, Hello packets identify the DR and Backup DR by their interface addresses on the network, not by Router ID.
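The election rules in the paragraph above, written out as an added Python example (not from the student guide) that follows RFC 2328 section 9.4 from one router’s point of view. Each entry in `routers` holds what that router’s latest Hello declared: its priority and which Router IDs it names as DR and Backup DR. For brevity the model identifies the DR by Router ID rather than by the interface address a real Hello carries. The scenario with a third router R1C (Router ID 10.1.210.1, priority 100) is constructed to show that a newcomer does not preempt the sitting DR.

```python
import ipaddress


def rid_key(rid):
    """Router IDs tie-break numerically (10.1.209.1 > 10.1.208.1), not as strings."""
    return int(ipaddress.IPv4Address(rid))


def elect_dr_bdr(routers, self_id):
    """RFC 2328 section 9.4 as run by router `self_id`.

    `routers` maps every Router ID on the segment (including our own) to what
    its latest Hello declared: {"priority": n, "dr": Router ID it names as DR
    or None, "bdr": Router ID it names as Backup DR or None}.
    Returns (dr, bdr) as Router IDs; our own entry is updated with the result."""

    def best(candidates):
        return max(candidates, key=lambda r: (routers[r]["priority"], rid_key(r)))

    def one_pass():
        eligible = [r for r, v in routers.items() if v["priority"] > 0]  # priority 0: never elected
        # Backup DR: among routers not declaring themselves DR, prefer those that
        # declare themselves BDR; otherwise take the highest priority / Router ID.
        not_dr = [r for r in eligible if routers[r]["dr"] != r]
        bdr_claims = [r for r in not_dr if routers[r]["bdr"] == r]
        bdr = best(bdr_claims) if bdr_claims else (best(not_dr) if not_dr else None)
        # DR: whoever already declares itself DR keeps the role (no preemption);
        # only if nobody does is the new Backup DR promoted.
        dr_claims = [r for r in eligible if routers[r]["dr"] == r]
        dr = best(dr_claims) if dr_claims else bdr
        return dr, bdr

    dr, bdr = one_pass()
    me = routers[self_id]
    # Step 4: if our own role changed, advertise the new claim and recount once,
    # so that a router promoted from Backup DR to DR vacates the Backup DR slot.
    if (dr == self_id) != (me["dr"] == self_id) or (bdr == self_id) != (me["bdr"] == self_id):
        me["dr"], me["bdr"] = dr, bdr
        dr, bdr = one_pass()
    return dr, bdr


def fresh_segment():
    """Constructed: R1A and R1B just booted, equal priority, nothing declared yet."""
    return {"10.1.208.1": {"priority": 1, "dr": None, "bdr": None},
            "10.1.209.1": {"priority": 1, "dr": None, "bdr": None}}


def settled_segment_with_newcomer():
    """Constructed: R1B is DR and R1A is Backup DR when an assumed R1C
    (Router ID 10.1.210.1) joins the segment with priority 100."""
    return {"10.1.208.1": {"priority": 1, "dr": "10.1.209.1", "bdr": "10.1.208.1"},
            "10.1.209.1": {"priority": 1, "dr": "10.1.209.1", "bdr": "10.1.208.1"},
            "10.1.210.1": {"priority": 100, "dr": None, "bdr": None}}
```

Run from R1B’s point of view on the fresh segment, the function returns R1B as DR and R1A as Backup DR, matching the Hello fields in the figure; run from R1A’s point of view with the same inputs it returns R1B for both roles, which is the transient the specification expects until R1B’s next Hello announces its claim.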
Exchanging Database descriptions
Figure: R1A (Router ID 10.1.208.1, interface 10.1.64.1) and R1B (Router ID 10.1.209.1, interface 10.1.64.2) on 10.1.64.0/24. Each router sends all LSA headers from its LSDB.
Database Description packet from R1B (IP src 10.1.64.2, dst 10.1.64.1):
  OSPF header: Source router 10.1.209.1, Area ID 0.0.0.0
  LSA header 1: Type Router LSA, Link state ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000002
Database Description packet from R1A (IP src 10.1.64.1, dst 10.1.64.2):
  OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
  LSA header 1: Type Router LSA, Link state ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002
R1A’s LSDB:
  1. Router LSA, Link state ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002, 3 links: Stub 10.1.10.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.208.0/24 cost 1
R1B’s LSDB:
  1. Router LSA, Link state ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000002, 3 links: Stub 10.1.30.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.209.0/24 cost 1
The next stage in the process of forming an adjacency is the exchange of link state database entries. In the example, each router’s link state database (LSDB) contains one entry—the Router LSA it created to advertise its own networks.
In the first phase of database synchronization, both routers send OSPF Database Description packets. The first Database Description packet from each router carries no LSA headers: it negotiates which router is master of the exchange and the maximum packet size (the interface MTU) to use. Each router then sends Database Description packets that contain the headers of the LSAs in its own link state database, and compares the headers it receives with those in its own database.
In the example, the process is fairly quick because each router’s LSDB contains only its own Router LSA. However, in a larger intranet, each router may have hundreds of LSAs in its database and the list of LSA headers might require several packets.
If you are using monitoring or logging facilities to observe router states as they proceed through adjacency formation, the initial negotiation appears as “ExStart” and the header exchange as “Exchange”; requesting the missing LSAs (described on the next page) appears as “Loading”, and a fully synchronized pair of neighbors shows “Full”.
The four items that identify an LSA instance are
1. Type The LSA types include the Router LSA, the Network LSA, and four other types that will be described later in this module.
2. Link State ID The type of information in this field is unique to each type of LSA. In a Router LSA, the Link State ID is the Router ID.
3. Advertising Router The router that originated the LSA. In the example, the originating (or advertising) router and the sending router (as shown in IP datagram header) are actually the same router; but this is not always the case.
4. Sequence number The first instance of an LSA that a router originates carries the initial sequence number 0x80000001 (hex), the lowest value in the signed 32-bit sequence space. When a router experiences a link state change, it generates a new Router LSA that replaces the obsolete one. The next instance of the same LSA from the same router is identical in the first three items, but its sequence number is one higher (the sequence numbers in the diagrams are illustrative). The first three items identify the LSA itself; the sequence number, together with the LSA’s checksum and age, identifies the instance.
A router uses the sequence number in the LSA header to differentiate instances of the same Router’s LSA. Depending upon the routers’ past relationship, this could be important to this phase of adjacency. For example, if R1A and R1B were previously adjacent and their link went down, each would keep the other’s LSA for an entire hour. Every LSA has a lifetime of 3600 seconds and an age of 0 seconds when it is originated. By the time an LSA is included in another router’s LSDB, it might be a few seconds old, but it continues to age the entire time it is in the database. If a replacement LSA has not arrived before its lifetime expires, the LSA is aged out of the database.
An OSPF router generates a current Router LSA every 30 minutes to refresh the databases of every router in the area. However, the router does not send every LSA in its database, just the ones it is responsible for generating. By comparison, RIP routers advertise their entire route tables every 30 seconds.
Link State Request packet
Figure: R1A (Router ID 10.1.208.1, interface 10.1.64.1) and R1B (Router ID 10.1.209.1, interface 10.1.64.2) on 10.1.64.0/24. Each router requests LSAs not in its own LSDB.
Link State Request packet from R1B (IP src 10.1.64.2, dst 10.1.64.1):
  OSPF header: Source router 10.1.209.1, Area ID 0.0.0.0
  Request: Type Router LSA, Link state ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002
Link State Request packet from R1A (IP src 10.1.64.1, dst 10.1.64.2):
  OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
  Request: Type Router LSA, Link state ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000002
R1A’s LSDB:
  1. Router LSA, Link state ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002, 3 links: Stub 10.1.10.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.208.0/24 cost 1
R1B’s LSDB:
  1. Router LSA, Link state ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000002, 3 links: Stub 10.1.30.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.209.0/24 cost 1
Now that each router has received the headers of the LSAs contained in the other router’s LSDB, it can compare the contents of its own LSDB with the proposed headers from the other router. Each router uses a Link State Request packet to return the LSA headers for which the router needs the full advertisement.
In this simple example, each router requests the LSA that was advertised by the other by returning the header in a Link State Request. Basically, this is because there is only one path between the routers but, of course, this is not always the case. In a situation where there are redundant links, each router may already have some subset of the LSAs proposed in the Database Description due to its adjacencies on other interfaces.
Link State Update packet
Figure: R1A (Router ID 10.1.208.1, interface 10.1.64.1) and R1B (Router ID 10.1.209.1, interface 10.1.64.2) on 10.1.64.0/24. Each router provides the requested LSAs.
Link State Update packet from R1B (OSPF header: Source router 10.1.209.1, Area ID 0.0.0.0):
  Router LSA, Link state ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000002, 3 links: Stub 10.1.30.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.209.0/24 cost 1
Link State Update packet from R1A (OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0):
  Router LSA, Link state ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002, 3 links: Stub 10.1.10.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.208.0/24 cost 1
R1A’s LSDB:
  1. Router LSA, Link state ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002, 3 links: Stub 10.1.10.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.208.0/24 cost 1
R1B’s LSDB:
  1. Router LSA, Link state ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000002, 3 links: Stub 10.1.30.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.209.0/24 cost 1
While the OSPF Database Description and Link State Request packet types are used only in the early stages of adjacency formation, the Link State Update packet is the primary mechanism for sending Link State Advertisements, both during adjacency formation and whenever link state changes occur.
As used in this stage of adjacency formation, Link State Update packets are sent to the neighbor’s unicast address. Link State Update packets that carry LSAs resulting from link state changes are instead sent to a reserved multicast address: on a broadcast network the DR and Backup DR send to 224.0.0.5 (AllSPFRouters), while every other router sends to 224.0.0.6 (AllDRouters) and relies on the DR to reflood the LSA to the rest of the segment.
A Link State Update packet can contain as many LSAs as the router can fit into the maximum packet size for the network, which is usually 1500 bytes.
When link state changes occur, LSAs are flooded over all adjacencies throughout an entire area. Consequently, a router often will receive multiple copies of the same LSA. A router uses the sequence number (and, when sequence numbers are equal, the checksum and age) to determine whether an incoming LSA is another copy of an advertisement already installed in the database or a new instance that will cause it to recompute its shortest-path-first tree and next hop values.
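The instance comparison described above, together with the 3600-second lifetime and 30-minute refresh from the Database Description discussion, as an added Python example (not from the student guide): the ordering of LSA instances follows RFC 2328 section 13.1 and the install decision follows the flooding procedure of section 13. Checksums and clock values are constructed, and the LSA bodies are omitted because only the header fields take part in the decision.

```python
MAX_AGE = 3600          # seconds; an LSA this old is flushed from every database
MAX_AGE_DIFF = 900      # age gap above which the younger copy is considered newer
LS_REFRESH_TIME = 1800  # originators re-issue their own LSAs at this age
INITIAL_SEQ = 0x80000001


def signed32(n):
    """Sequence numbers are signed 32-bit: 0x80000001 is the smallest value and
    0x7FFFFFFF the largest, so an unsigned comparison would order them wrongly."""
    return n - (1 << 32) if n & 0x80000000 else n


class LSA:
    def __init__(self, ls_type, ls_id, adv_router, seq, checksum, age=0):
        self.ls_type, self.ls_id, self.adv_router = ls_type, ls_id, adv_router
        self.seq, self.checksum, self.age = seq, checksum, age

    @property
    def key(self):
        # Type, Link State ID and Advertising Router identify the LSA itself.
        return (self.ls_type, self.ls_id, self.adv_router)

    def aged(self, seconds):
        """Copy of this LSA with `seconds` more age, capped at MaxAge."""
        return LSA(self.ls_type, self.ls_id, self.adv_router, self.seq,
                   self.checksum, min(MAX_AGE, self.age + seconds))


def newer(a, b):
    """RFC 2328 13.1: 1 if a is the more recent instance, -1 if b is, 0 if same."""
    if a.seq != b.seq:
        return 1 if signed32(a.seq) > signed32(b.seq) else -1
    if a.checksum != b.checksum:
        return 1 if a.checksum > b.checksum else -1
    if (a.age == MAX_AGE) != (b.age == MAX_AGE):
        return 1 if a.age == MAX_AGE else -1      # a MaxAge copy is a flush
    if abs(a.age - b.age) > MAX_AGE_DIFF:
        return 1 if a.age < b.age else -1
    return 0


class LSDB:
    def __init__(self):
        self.entries = {}   # key -> (lsa, local time it was installed)

    def current(self, key, now):
        """Installed copy with its age advanced to `now`."""
        lsa, installed_at = self.entries[key]
        return lsa.aged(now - installed_at)

    def receive(self, lsa, now):
        """Flooding decision for one received LSA: 'installed' means run SPF and
        flood onward, 'duplicate' means acknowledge only, and 'older' means the
        neighbor is behind and should be sent our newer copy instead."""
        if lsa.key not in self.entries:
            self.entries[lsa.key] = (lsa, now)
            return "installed"
        verdict = newer(lsa, self.current(lsa.key, now))
        if verdict > 0:
            self.entries[lsa.key] = (lsa, now)
            return "installed"
        return "duplicate" if verdict == 0 else "older"

    def expire(self, now):
        """Remove entries that have reached MaxAge; returns their keys."""
        dead = [k for k in self.entries if self.current(k, now).age >= MAX_AGE]
        for k in dead:
            del self.entries[k]
        return dead

    def due_for_refresh(self, originator, now):
        """Self-originated LSAs that have reached LSRefreshTime and must be re-issued."""
        return [k for k, (lsa, _) in self.entries.items()
                if lsa.adv_router == originator
                and self.current(k, now).age >= LS_REFRESH_TIME]
```

The MaxAge rule is the edge case worth noticing: a router withdraws an LSA by reflooding the same sequence number with age set to MaxAge, and `newer` ranks that copy above the live one so the flush propagates even though the sequence number did not change.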
Updating the Link State Database
Figure: R1A (Router ID 10.1.208.1, interface 10.1.64.1) and R1B (Router ID 10.1.209.1, interface 10.1.64.2) on 10.1.64.0/24. Each router’s LSDB now holds its own new Router LSA and the neighbor’s earlier one.
R1A’s LSDB:
  1. Router LSA, Link State ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000004, 3 links: Stub 10.1.10.0/24 cost 100, Transit 10.1.64.0/24 cost 10, Stub 10.1.208.0/24 cost 1
  2. Router LSA, Link State ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000002, 3 links: Stub 10.1.30.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.209.0/24 cost 1
R1B’s LSDB:
  1. Router LSA, Link State ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000004, 3 links: Stub 10.1.30.0/24 cost 100, Transit 10.1.64.0/24 cost 10, Stub 10.1.209.0/24 cost 1
  2. Router LSA, Link State ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002, 3 links: Stub 10.1.10.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.208.0/24 cost 1
Adjacency causes state change for network 10.1.64.0/24
The establishment of full adjacency between these routers causes a state change on the network they share—10.1.64.0/24. Because each router now has a neighbor on the network, it is no longer a stub network, but a transit network. In response to this state change, each router generates a new instance of its Router LSA, places it in its LSDB, and floods it to adjacent neighbors.
This state change causes R1B, the Designated Router, to generate another type of LSA that is described on the next few pages.
Originating new LSAs
Figure: R1A (Router ID 10.1.208.1, interface 10.1.64.1) and R1B (Router ID 10.1.209.1, interface 10.1.64.2) on 10.1.64.0/24.
R1A’s LSDB:
  1. Router LSA, Link State ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000004, 3 links: Stub 10.1.10.0/24 cost 100, Transit 10.1.64.0/24 cost 10, Stub 10.1.208.0/24 cost 1
  2. Router LSA, Link State ID 10.1.209.1, Adv. Router 10.1.209.1, 3 links: Stub 10.1.30.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.209.0/24 cost 1
R1B’s LSDB:
  1. Router LSA, Link State ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000004, 3 links: Stub 10.1.30.0/24 cost 100, Transit 10.1.64.0/24 cost 10, Stub 10.1.209.0/24 cost 1
  2. Router LSA, Link State ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002, 3 links: …
  3. Network LSA, Link State ID 10.1.64.2, Adv. Router 10.1.209.1, Sequence 80000002, Netmask 255.255.255.0, Attached Router 10.1.208.1, Attached Router 10.1.209.1
Because R1B is the DR of the network 10.1.64.0/24, it originates a Network LSA that describes the network. The header of a Network LSA contains the following information:
• The LSA type, which is a Network LSA
• Link State ID = the DR’s IP address on the network
• Advertising Router is the DR’s Router ID
• Sequence number indicates this is the first instance of the LSA
These four pieces of information uniquely identify this instance of the Network LSA for the network 10.1.64.0/24. The body carries the network mask and the Router IDs of the routers fully adjacent to the DR (the attached routers), as the diagram shows.
Flooding LSAs in Link State Update packet
Figure: R1B (Router ID 10.1.209.1, interface 10.1.64.2) floods its new LSAs on 10.1.64.0/24.
R1B’s LSDB:
  1. Router LSA, Link State ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000004
  2. Router LSA, Link State ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002
  3. Network LSA, Link State ID 10.1.64.2, Adv. Router 10.1.209.1, Sequence 80000002
Link State Update packet from R1B (IP src 10.1.64.2, dst 224.0.0.5; OSPF header: Source router 10.1.209.1, Area ID 0.0.0.0):
  Router LSA, Link state ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000004
  Network LSA, Link State ID 10.1.64.2, Sequence 80000002, Netmask 255.255.255.0, Attached router 10.1.208.1, Attached router 10.1.209.1
LSAs generated due to link state change are
• Encapsulated in a Link State Update packet
• Sent to All OSPF Routers multicast address
• Router can send multiple LSAs in the same Link State Update packet
The neighbor returns a Link State Acknowledgment to 224.0.0.5 containing the LSA headers it received
Link State Update packets generated as the result of a link state change such as the one shown are sent to the “All OSPF Routers” multicast address 224.0.0.5. The Link State Update packet is immediately flooded to all routers in the area. This example has only two routers, but in an OSPF domain with many routers, all would receive the new instances of the LSAs.
After receiving R1B’s Link State Update, R1A acknowledges receipt by sending a Link State Acknowledgement. Proper OSPF operation depends on synchronization of the LSAs stored in each router’s link state database. Like the update packet, the acknowledgement is sent to 224.0.0.5, the OSPF router multicast address (R1A is the Backup DR; a router that is neither DR nor Backup DR acknowledges to 224.0.0.6). If a neighbor does not acknowledge within the retransmit interval (RxmtInterval, typically 5 seconds), R1B retransmits the LSA, and retransmissions are sent directly to that neighbor’s unicast address.
R1A’s LSA
R1A must also originate a new LSA because it also experienced a state change when the network type associated with 10.1.64.0/24 transitioned from a stub network to a transit network. This new LSA is shown in the previous diagram with the sequence number of 80000004. R1B is obligated to send a Link State Acknowledgement in response to the Link State Update packet that contained the new instance of R1A’s Router LSA.
The Link State Update and Link State Acknowledgment packets that result from link state changes are always sent to a multicast address. Note that this is different from the unicast addresses used in messages sent and received during the database synchronization phase of adjacency formation.
SPF tree and IP route table
Each OSPF router:
• Uses LSAs in its link state database as input to an algorithm that finds the shortest path to each destination
• Puts itself at the root of its ‘shortest path first’ tree
  – All LSAs are identical within an area, but the perspective is different for each router
• Derives next hop for IP route table from SPF tree
Equal cost multi-path:
• On finding equal cost paths to a given destination, many routers install an IP route table entry for each path
• If multiple route table entries specify different next hops to the same destination network, traffic may be shared among them
Each router’s advertisements describe its own directly connected networks. When a router originates a Router LSA, it sends it to its immediate neighbors, who in turn flood the LSA to all of their neighbors without changing it in any way. In this manner, every Router LSA reaches every router in the area. Consequently, each router in the area has an identical collection of router LSAs.
Any router that experiences a change in the state of one of its links must immediately inform all of the routers in the area by sending a newer instance of its Router LSA. The advertisement reaches all of the routers in the area very quickly. Routers flood the advertisement over the networks that make up the area.
Receipt of a new advertisement may cause every router in the area to simultaneously build a new shortest path first (SPF) tree based on the most current information. Depending on the router’s proximity to the link whose state has changed, the router might place new next hop gateway values in its route table.
Link state changes that involve a “transit” type network will cause all routers in the area to follow this procedure:
1. Receive new LSA(s). In the case of a state change in a transit network, the router is likely to receive at least two new Router LSAs—one for each router connected to the changed network.
2. Remove all OSPF routes from the route table. A link state routing protocol considers lack of routing information to be superior to invalid or obsolete routing information.
3. Run an algorithm to produce the shortest-path-first (SPF) tree based on the latest information. The OSPF RFC describes the operation of the Dijkstra algorithm; however, it also makes allowances for vendors to use any equivalent algorithms to produce the shortest-path-first tree.
4. Install new next hop values for each remote address range.
If a router loses a path to a stub network, the routers flood the new instance of the router’s LSA, but all routers in the area don’t need to remove OSPF routes from the route table, run the algorithm, or install new next hop values. From the perspective of the SPF tree, a stub network is like a leaf on the tree. Because the stub network never carries traffic from or to another address range, link state changes allow the router to add or drop a “leaf” instead of entirely recreating the tree.
Summary of OSPF packet types
ID  Name                        Purpose
1   Hello                       Initiates adjacency, continues through all states of adjacency formation, and maintains adjacency
2   Database Description        Offers headers of all known LSAs to neighbor; used in ExStart state of adjacency establishment
3   Link State Request          Returns headers of LSAs needed to accomplish synchronization; used in ExStart state
4   Link State Update           During database synchronization, encapsulates requested LSAs; also used to flood LSAs over established adjacencies
5   Link State Acknowledgment   Returns headers of flooded LSAs received in a Link State Update; not used in adjacency formation, only for LSAs flooded over full adjacency
OSPF uses five packet types, as shown above. Their ID numbers, which are significant when examining packet traces, follow the order in which they occur in the adjacency formation process. The various types of packets are sent to different destination addresses, with some addressed to multicast groups and some to individual routers.
Hello packets are always sent to 224.0.0.5, which is the All OSPF Routers multicast group.
Database Description packets and Link State Request packets are sent only during the ExStart state of adjacency establishment. Because adjacency is a one-to-one relationship, these packets are addressed to a single router.
Link State Update packets have three possible destination addresses. During adjacency formation, link state updates are sent to the neighboring interface unicast address to accomplish database synchronization with a single neighbor. After adjacency is formed, link state updates contain LSAs that must be flooded to all routers to enable them to immediately obtain the most current information. Link State Update packets containing LSAs that resulted from a link state change are sent to one of the reserved OSPF router multicast addresses—224.0.0.5 or 224.0.0.6. The choice of address depends on whether the sending router is a DR or a non-DR. (The process for flooding of LSAs, including the use of these multicast addresses, will be described later in this module.)
Link State Acknowledgment packets, like Link State Update packets, are sent to 224.0.0.5 if the sender of the acknowledgment is a DR and to 224.0.0.6 if the sender is a non-DR. The completion of the adjacency process inevitably causes link state changes that trigger flooding of new LSAs to the multicast address. When a router receives a Link State Update that was sent to a multicast address, it sends the Link State Acknowledgment to the same multicast address.
Summary of OSPF LSA types confined to a single area
Type  Name         Advertises          Advertising Router                               Link State ID
1     Router LSA   Connected networks  Router ID (one LSA for each router in the area)  Originating router ID
2     Network LSA  Connected routers   DR of multi-access transit network               DR’s IP address on the network
• Each LSA is uniquely identified by four items:
  1. LSA type, of which there are six different types
  2. Advertising Router, which is always a Router ID
  3. Link State ID, value depends on LSA type
  4. Sequence number, which increments each time the originator generates a new instance of the LSA
• Routers receiving flooded LSAs or LSA headers in Database Descriptions compare the advertised values with those in their LSDB to determine whether to copy the LSA into the LSDB or ignore it
The two types of LSAs—Router LSAs and Network LSAs—perform different functions in deriving next hop values from the SPF tree. However, they share one characteristic: they are confined to a single area. The processes and flow for LSAs will be described in more detail later in this module.
Distribution of link state changes
Basic OSPF interactions
• Distribution of link state changes
  – Impact of link state changes
  – LSA flow
  – Area Border Routers (ABR)
  – Network summarization
  – External route information
The rest of Module 2 will describe the process that OSPF routers use to respond to link state changes. The discussion will include a detailed analysis of LSA flow, as well as the different responsibilities of OSPF router types.
Impact of link state changes
After two routers have formed an adjacency, they are obligated to flood to each other:
• All self-originated LSAs
• All LSAs that arrive in Link State Update packets received from other neighbors
If either router forms new adjacencies, it:
• Includes headers of all known LSAs in Database Description packets during adjacency formation
• Immediately floods to all current neighbors the LSAs it receives during adjacency formation
In an OSPF network, link state changes prompt a complex, but predictable, series of exchanges between each pair of adjacent routers. After forming an adjacency, a router must flood to its neighbors all LSAs it creates based on local link state changes as well as those it receives from neighbors. A Link State Update packet can contain many LSAs from different sources. The maximum number of LSAs is limited only by the maximum packet size supported by a router’s connected networks.
During adjacency formation, the router includes the headers of all known LSAs in Database Description packets. Similarly, the router must immediately flood to its other neighbors the new LSAs it receives during adjacency formation.
Connecting to existing multi-access network
[Figure: two separate OSPF domains. Domain 1: R1A (Router ID 10.1.208.1; 10.1.10.0/24; 10.1.64.0/24 .1) and R1B (Router ID 10.1.209.1, DR; 10.1.30.0/24; 10.1.64.0/24 .2); LSDB: Router LSA LSID 10.1.208.1, Router LSA LSID 10.1.209.1, Network LSA LSID 10.1.64.2. Domain 2: R2A (Router ID 10.2.208.1; 10.2.10.0/24; 10.2.64.0/24 .1; 10.0.100.0/24 .12, DR), R2B (Router ID 10.2.209.1, DR; 10.2.30.0/24; 10.2.64.0/24 .2), C1 (Router ID 10.0.208.1, BDR; 10.0.100.0/24 .1); LSDB: Router LSA LSID 10.0.208.1, Router LSA LSID 10.2.209.1, Router LSA LSID 10.2.209.1, Network LSA LSID 10.0.100.12, Network LSA LSID 10.2.64.2. Adjacencies (RX RY): R1A–R1B, C1–R2A, R2A–R2B.]
This example shows two separate OSPF domains. Each router has full adjacency with its neighbor(s), and all databases are synchronized. Although all routers identify their connected networks as members of area 0, the clusters of routers are physically separated.
Recognizing a new router on a multi-access network
[Figure: the same two domains, now joined by R1A’s new interface .11 on 10.0.100.0/24. All 3 routers multicast Hello messages; R1A learns the identity of the DR and BDR.]
When R1A’s OSPF interface on network 10.0.100.0/24 comes up, it begins receiving Hello messages that the DR and Backup DR are sending onto the multi-access network.
The Hello messages contain Router 10.2.208.1 as DR and Router 10.0.208.1 as Backup DR, immediately notifying R1A that it must establish adjacencies with both routers.
R1A’s Hello messages list DR and Backup DR router IDs. When these routers recognize their own Router IDs in the Hello packets, they add R1A’s address to the Hello packets as a neighbor.
When all three routers have seen their own Router ID in a Hello packet, they move to the two-way state, where they will begin the database exchange that leads to adjacency.
Database synchronization
[Figure: same topology. R1A proceeds toward adjacency with the DR and BDR on 10.0.100.0/24; they exchange DB Description, LS Request, and LS Update packets.]
R1A must become adjacent to both the DR and the Backup DR. Accordingly, R1A exchanges Database Description packets with both routers, offering the three LSAs in its database. R2A (the DR) and C1 (the Backup DR) send Link State Requests for all of the LSAs and each receives them in Link State Updates.
R2A and C1 also send Database Description packets to R1A, each offering the same set of LSAs from their synchronized database. R1A requests all of the LSA headers offered by one of the routers on the transit network, and receives the five LSA headers in a Link State Update packet.
Adjacencies established, database synchronized
[Figure: same topology, with new adjacencies R1A–R2A and R1A–C1. Every router now lists Router LSAs with LSIDs 10.0.208.1, 10.1.208.1, 10.1.209.1, 10.2.209.1, 10.2.209.1 and Network LSAs with LSIDs 10.0.100.12, 10.1.64.2, 10.2.64.2. The three routers on network 10.0.100.0/24 have exactly the same LSAs in their link state databases.]
Each router sends Link State Update packets that contain the LSAs whose headers were included in the Link State Requests. At the end of this process, two additional adjacencies have been established. The three routers connected to network 10.0.100.0/24 have identical entries in their link state databases.
Having established adjacencies with R1A, both R2A and C1 must flood the new LSAs they received from R1A because they are DR and Backup DR for Network 10.0.100.0/24, a multi-access transit network.
Flood new LSAs
[Figure: same topology; C1 and R2A both flood the new LSAs (arrows labelled ‘Flood new LSAs’ on 10.0.100.0/24 and 10.1.64.0/24).]
As soon as R1A receives the LSAs from one of its neighbors on network 10.0.100.0/24, it floods the new LSAs over network 10.1.64.0/24. R1A encapsulates the new LSAs in a Link State Update packet and encapsulates the OSPF packet in an IP datagram whose destination address is the All OSPF Routers multicast group 224.0.0.5.
The same is true for R2A and C1, both of whom have just become adjacent to R1A. Because these routers are the DR and Backup DR of the network 10.0.100.0/24, they are responsible for flooding the LSAs to that network, even though the new information came from that network.
This is quite different from RIP Split Horizon operation, which prevents routers from sending advertisements to the network from which they originated. The reason for the different OSPF operation will be described later in this module.
Acknowledging flooded LSAs
[Figure: same topology; each router acknowledges receipt of LSAs (arrows labelled ‘Acknowledge receipt of LSAs’).]
A router must acknowledge flooded LSAs by multicasting a Link State Acknowledgment to the network from which it received the Link State Update.
The LSA that is encapsulated by the Link State Update packet may have originated with a router anywhere in the area. However, the source address in the IP datagram header that encapsulates the Link State Update will be that of a neighbor, because a router’s LSA flooding operation involves creating a new OSPF packet that contains the Link State Update which, in turn, contains the LSAs to be sent to neighbors. So, too, the acknowledgment is sent using a multicast address that reaches local routers.
During this series of exchanges, only the LSA remains unchanged. The packets that contain the LSA change at every hop.
Designated Router adjacency responsibilities
Differences between DRs and non-DRs become apparent when there are four or more routers on a multi-access network:
• DR and Backup DR become adjacent to all routers on the network
• Non-DRs become adjacent to DR and Backup DR but not to each other
• When a router joins a network that has a DR, Backup DR, and at least one non-DR, the state of its relationship with other non-DRs remains at ‘two-way’
[Figure: four routers R1–R4 on Network 0: a DR, a Backup DR, and two non-DRs; each router also connects to one of Networks 1–4.]
This example uses a different set of routers and networks than the previous examples to illustrate LSA flow when a multi-access network has four or more connected routers. The multi-access network in the previous example supports a full mesh of adjacencies because there is only one non-DR. However, in this example there are two routers on Network 0 that are not DRs. All routers become adjacent to the DR and the Backup DR, but non-DRs do not become adjacent to each other.
However, the four routers connected by Network 0 do not form a complete mesh. The DR and the Backup DR become adjacent to all routers.
Designated Router LSA flooding responsibilities
DR is chosen per network:
• A router may be a DR for some of its interfaces and a non-DR for others
DR has adjacencies with all routers on Network 0. DR floods LSAs to multicast address 224.0.0.5 when it receives LSAs that are:
• Received due to new adjacency on Network 0 or another network
• Flooded to it over existing adjacency on another network
• Generated due to a local link state change
[Figure: the four-router topology of the previous slide; a link state change originates on one of the attached networks, and the DR sends a Link State Update containing the new LSAs onto Network 0 addressed to 224.0.0.5.]
A router’s role as DR applies only to a single interface, although the term “designated routers” seems to suggest that it applies to all interfaces.
When a router receives a flooded LSA—that is, an LSA encapsulated in a Link State Update packet that is sent to a multicast address—the router’s flooding responsibilities differ according to its roles on its various interfaces. If it is the DR for any of its connected networks, it floods the LSA to that network using the multicast address 224.0.0.5.
For interfaces where it is not a DR, an OSPF router sends its Link State Updates to a different reserved multicast address. This different behavior is necessary because the DR needs to act as a mediator between non-DRs, who do not form adjacencies with each other.
Non-DR LSA flooding responsibilities
• Non-DRs on Network 0 do not have adjacency with other non-DRs
• LSAs received due to adjacencies with other networks are flooded on to Network 0 using the multicast address for All Designated Routers, 224.0.0.6
• Designated Routers receive the updates, encapsulate the LSAs in a new Link State Update packet, and flood the packet back on to Network 0 using the multicast address for All OSPF Routers, 224.0.0.5
• Some routers receive multiple copies of the LSAs, verify sequence numbers, discard duplicates
[Figure: the four-router topology; a link state change originates on a network attached to a non-DR, which sends a Link State Update containing the new LSAs onto Network 0 addressed to 224.0.0.6; the DR floods the new LSA back onto Network 0 addressed to 224.0.0.5.]
The Designated Router strategy is efficient for networks with many connected routers. This strategy avoids the generation of unnecessary traffic by maintaining a limited number of adjacencies.
Link State Updates can only be sent to adjacent neighbors. A non-DR is adjacent only to DRs, so when it floods LSAs onto a network it sends the Link State Update packet to the multicast address 224.0.0.6, which is the multicast address reserved for all Designated Routers. Non-DRs do not receive the update; however, the DRs will subsequently flood the LSAs in an update packet addressed to 224.0.0.5, the multicast group reserved for all OSPF routers.
The process is the same for a router that is a DR for one network but a non-DR for others. Because the DR responsibilities are assigned to an interface, a router can be a DR for some networks and non-DR for others.
In the example, because of this process, all routers on Network 0 have the new LSAs. They flood them to their neighbors on other networks and update their link state databases.
An OSPF router compares the characteristics of the LSAs it receives with those of the LSAs in its LSDB. It discards those that match an existing LSA on all four identifying characteristics (LSA type, Advertising Router, Link State ID, and sequence number) or that have a lower sequence number. A higher sequence number indicates a newer LSA, so the router replaces an older instance with a newer one.
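The comparison and fan-out rules just described, worked as an added Python example (not code from the ProCurve guide): the LSDB is keyed on LSA type, Advertising Router and Link State ID, the sequence number decides whether an arriving instance is installed, a duplicate or stale, and, following the slide’s rule, a Link State Update is addressed to 224.0.0.5 on interfaces where the router is DR or BDR (re-flooding even onto the network it arrived from) and to 224.0.0.6 where it is a non-DR. Age and checksum, which RFC 2328 also consults, are left out. The router roles, interface names and LSA values in the usage are constructed for the four-router slide topology.

```python
from dataclasses import dataclass

ALL_SPF_ROUTERS = "224.0.0.5"   # DR and BDR flood Link State Updates here
ALL_D_ROUTERS = "224.0.0.6"     # non-DRs send their updates to the DR/BDR here


@dataclass(frozen=True)
class LSAHeader:
    """The identifying fields of an LSA (age and checksum are omitted here)."""
    ls_type: int        # 1 = Router LSA, 2 = Network LSA
    adv_router: str     # advertising Router ID
    ls_id: str          # Link State ID; its meaning depends on ls_type
    seq: int            # 0x80000001 is the first instance (RFC 2328)

    @property
    def key(self):
        # type, advertising router and link state ID name one LSA;
        # the sequence number tells instances of that LSA apart
        return (self.ls_type, self.adv_router, self.ls_id)


def compare(new, lsdb):
    """'install' if the LSDB lacks this LSA or holds an older instance,
    'duplicate' if the same instance is already present, 'stale' if the
    LSDB copy has the higher sequence number."""
    old = lsdb.get(new.key)
    if old is None or new.seq > old.seq:
        return "install"
    if new.seq == old.seq:
        return "duplicate"
    return "stale"


def flood_targets(interfaces, received_on):
    """interfaces maps interface name -> role ("DR", "BDR" or "DROTHER").
    Returns the (interface, destination) pairs a Link State Update goes to.
    Where this router is DR or BDR it addresses 224.0.0.5 and re-floods even
    onto the network the LSA arrived from; a non-DR addresses 224.0.0.6 and
    leaves re-flooding on the arrival network to the DR.
    received_on is None for a self-originated LSA."""
    targets = []
    for name, role in interfaces.items():
        if name == received_on and role == "DROTHER":
            continue
        dest = ALL_SPF_ROUTERS if role in ("DR", "BDR") else ALL_D_ROUTERS
        targets.append((name, dest))
    return targets


def receive(lsdb, lsa, interfaces, received_on):
    """Handle one LSA from a Link State Update: update the LSDB if the
    instance is new and return (verdict, flood targets).  Duplicate and
    stale copies are never flooded."""
    verdict = compare(lsa, lsdb)
    if verdict == "install":
        lsdb[lsa.key] = lsa
        return verdict, flood_targets(interfaces, received_on)
    return verdict, []


if __name__ == "__main__":
    # Constructed: R4 (non-DR on Network 0, DR on its own Network 4) originates
    # a new instance of its Router LSA; the DR on Network 0 re-floods it.
    lsa = LSAHeader(1, "10.9.0.4", "10.9.0.4", 0x80000003)
    print(receive({}, lsa, {"Network 4": "DR", "Network 0": "DROTHER"}, None))
    print(receive({}, lsa, {"Network 0": "DR", "Network 1": "DROTHER"}, "Network 0"))
```

The BDR on Network 0 hears both R4’s copy (it listens on 224.0.0.6) and the DR’s re-flood (224.0.0.5); the second arrives with the same key and sequence number and comes back as a duplicate, which is the case the last bullet on the slide describes. A duplicate or stale copy is still acknowledged to the sender in real OSPF; this example only models the install-or-discard decision and the fan-out.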
OSPF network types
OSPF supports several types of networks, including:
• Broadcast, including Ethernet and other LAN media
• Point-to-point
  – Allows exactly two adjacent routers on the network
  – Usually a WAN link
  – Both routers become adjacent; does not elect a DR/BDR
• Point-to-multipoint, used for partially meshed frame relay/ATM
• Unnumbered point-to-point
  – Point-to-point link that does not take up any address space
  – Another interface on the router provides an address for adjacency purposes
• Non-broadcast multiple access, used for full mesh frame relay/ATM
Because OSPF is designed to serve large-scale networks, the protocol supports several types of networks, including:
• Broadcast, such as Ethernet, where a single packet can simultaneously be sent to multiple receivers
• Point-to-point, commonly used for WAN links
• Point-to-multipoint, such as frame relay/ATM, where a single physical circuit supports multiple virtual circuits
• Unnumbered point-to-point
• Non-broadcast multiple access
To support these various types of networks, OSPF offers several types of transit networks. Each type is designed to serve the specific needs of a physical media type. They are:
• A point-to-point transit network, where a router establishes a relationship with exactly one neighbor. After the routers form an adjacency, they will not permit adjacencies to form with other routers. This network type is typically used for point-to-point WAN links, but it can be useful for point-to-point Gigabit Ethernet links.
• A point-to-multipoint transit network, where a single physical circuit may support multiple virtual circuits and locations are connected in a hub-and-spoke or star configuration. This network type is appropriate for frame relay or ATM networks.
• A multi-access transit network, which usually refers to an Ethernet network that has two or more connected routers. The underlying media access method allows a router to send its Hello messages to the reserved multicast address and reach all of its neighbors with a single packet.
• A non-broadcast multi-access network (NBMA), which uses a media type such as frame relay and ATM, and interconnects two or more routers using virtual circuits. Its underlying media access method makes it impossible for a router to reach all of its neighbors with a single Hello packet. Instead, a router sends Hello packets to each of the routers on the NBMA
Finding the shortest path
• Every time a router receives a new instance of an LSA, it assesses whether the change involves any transit networks
• If it does, the router runs an algorithm against the LSAs in its link state database, resulting in a tree that includes all routers and networks in the area, and calculates the cost to each destination
• The router populates its IP route table with next hop information from the ‘shortest path first’ tree
[Figure: R1A (Router ID 10.1.208.1) and R1B (Router ID 10.1.209.1) share 10.1.64.0/24 (cost 10) and have stub networks 10.1.10.0/24 and 10.1.20.0/24 (cost 100); R2A (Router ID 10.2.208.1) and R2B (Router ID 10.2.209.1) share 10.2.64.0/24 (cost 10) and have stub networks 10.2.10.0/24 and 10.2.20.0/24 (cost 100); R1A and R2A share 10.0.100.0/24 (cost 1). The highlighted tree is the shortest path from Router2A’s perspective.]
The LSAs discussed earlier in this module form the basis for the shortest-path-first calculations that give OSPF its fast convergence.
Not every LSA requires the calculation of a new tree. For example, if Router2A received an LSA originated by R1B indicating that its stub network 10.1.20.0/24 was down, it wouldn’t affect the shortest-path-first calculation. R1A would simply accept the LSA, replacing the earlier one that indicated the network was up and available.
Suppose, however, that R2A lost its connection to the network 10.0.100.0/24. The DR of this network would originate an LSA indicating that the neighbor list had changed, and all routers would flood the LSA. Additionally, R2A would originate and flood to its only remaining neighbor a new instance of its Router LSA. All four routers would run the algorithm and recognize network 10.2.64.0/24 as the path to R2A and network 10.2.10.0/24.
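The four-step procedure under “SPF tree and IP route table” (remove OSPF routes, run the shortest-path-first algorithm, install next hops, with stub networks hung on as leaves) and the shortest-path diagram on this slide, worked as an added Python example that is not the guide’s own code. The link state database is constructed from the diagram: Router LSA links use the RFC 2328 encoding (a transit link’s Link State ID is the DR’s interface address and its Link Data the router’s own address; a stub’s Link State ID is the network address and its Link Data the mask), Network LSAs are keyed by Link State ID, and C1 is omitted as it is on the slide. The .1/.2 and .11/.12 interface addresses come from the earlier diagrams. The example goes one step beyond the slide by merging equal-cost first hops, as the “Equal cost multi-path” bullets describe.

```python
import heapq
from ipaddress import IPv4Network

# Constructed LSDB for the four routers in the diagram (C1 omitted, as on the
# slide).  Router LSA links are (type, link_id, link_data, cost): for a transit
# link, link_id is the DR's interface address (the Network LSA's Link State ID)
# and link_data this router's own address; for a stub, the network and its mask.
ROUTER_LSAS = {
    "10.1.208.1": [                                    # R1A
        ("transit", "10.1.64.2", "10.1.64.1", 10),
        ("transit", "10.0.100.12", "10.0.100.11", 1),
        ("stub", "10.1.10.0", "255.255.255.0", 100),
    ],
    "10.1.209.1": [                                    # R1B, DR of 10.1.64.0/24
        ("transit", "10.1.64.2", "10.1.64.2", 10),
        ("stub", "10.1.20.0", "255.255.255.0", 100),
    ],
    "10.2.208.1": [                                    # R2A, DR of 10.0.100.0/24
        ("transit", "10.2.64.2", "10.2.64.1", 10),
        ("transit", "10.0.100.12", "10.0.100.12", 1),
        ("stub", "10.2.10.0", "255.255.255.0", 100),
    ],
    "10.2.209.1": [                                    # R2B, DR of 10.2.64.0/24
        ("transit", "10.2.64.2", "10.2.64.2", 10),
        ("stub", "10.2.20.0", "255.255.255.0", 100),
    ],
}
# Network LSAs keyed by Link State ID: (netmask, attached Router IDs).
NETWORK_LSAS = {
    "10.1.64.2": ("255.255.255.0", ["10.1.208.1", "10.1.209.1"]),
    "10.0.100.12": ("255.255.255.0", ["10.1.208.1", "10.2.208.1"]),
    "10.2.64.2": ("255.255.255.0", ["10.2.208.1", "10.2.209.1"]),
}


def build_graph(router_lsas, network_lsas):
    """Vertices are ("router", id) and ("net", lsid).  A router->network edge
    costs the router's interface cost, a network->router edge costs 0, and an
    edge is kept only when both the Router LSA and the Network LSA describe it."""
    graph = {}
    for rid, links in router_lsas.items():
        for kind, link_id, _data, cost in links:
            if kind == "transit" and rid in network_lsas.get(link_id, ("", []))[1]:
                graph.setdefault(("router", rid), []).append((("net", link_id), cost))
                graph.setdefault(("net", link_id), []).append((("router", rid), 0))
    return graph


def spf(root, router_lsas, network_lsas):
    """Dijkstra from root: {vertex: (cost, frozenset of first hops)}.  A first
    hop is (router id, lsid of the root-attached network it sits on); an empty
    set means the vertex is the root or directly attached to it.  Equal-cost
    paths merge their first-hop sets, which is what ECMP installs."""
    graph = build_graph(router_lsas, network_lsas)
    start = ("router", root)
    best = {start: (0, frozenset())}
    heap, order, done = [(0, 1, 0, start)], 1, set()   # (cost, rank, order, vertex)
    while heap:
        cost, _, _, v = heapq.heappop(heap)
        if v in done:
            continue
        done.add(v)
        for nbr, w in graph.get(v, []):
            new_cost = cost + w
            if v[0] == "net" and not best[v][1]:      # nbr is a first-hop router
                hops = frozenset([(nbr[1], v[1])])
            else:
                hops = best[v][1]
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, hops)
                # rank 0 pops networks before routers of equal cost, so every
                # equal-cost path into a router is seen before the router pops
                heapq.heappush(heap, (new_cost, 0 if nbr[0] == "net" else 1, order, nbr))
                order += 1
            elif new_cost == best[nbr][0] and nbr not in done:
                best[nbr] = (new_cost, best[nbr][1] | hops)
    return best


def route_table(root, router_lsas, network_lsas):
    """Step 4: derive {prefix: (cost, next hops)} from the tree.  Transit
    networks are tree vertices; stubs hang as leaves off the router advertising
    them.  Next hops are the first-hop routers' addresses on the shared network,
    or ("connected",) for the root's own networks."""
    tree = spf(root, router_lsas, network_lsas)
    routes = {}

    def install(prefix, cost, hops):
        if prefix not in routes or cost < routes[prefix][0]:
            routes[prefix] = (cost, hops)
        elif cost == routes[prefix][0]:
            routes[prefix] = (cost, routes[prefix][1] | hops)

    for (kind, vid), (cost, hops) in tree.items():
        if kind == "net":
            install(str(IPv4Network(f"{vid}/{network_lsas[vid][0]}", strict=False)), cost, hops)
        else:
            for lkind, link_id, data, lcost in router_lsas[vid]:
                if lkind == "stub":
                    install(str(IPv4Network(f"{link_id}/{data}")), cost + lcost, hops)

    def addresses(hops):
        if not hops:
            return ("connected",)
        return tuple(sorted(data for rid, net in hops
                            for k, link_id, data, _ in router_lsas[rid]
                            if k == "transit" and link_id == net))

    return {p: (c, addresses(h)) for p, (c, h) in routes.items()}


if __name__ == "__main__":
    for prefix, (cost, hops) in sorted(route_table("10.2.208.1", ROUTER_LSAS, NETWORK_LSAS).items()):
        print(f"{prefix:16} cost {cost:4}  via {', '.join(hops)}")
```

From R2A’s root, 10.1.20.0/24 (R1B’s stub) costs 1 + 10 + 100 = 111 via R1A’s address 10.0.100.11, and 10.2.20.0/24 costs 10 + 100 = 110 via 10.2.64.2; adding a second, equal-cost transit network between R2A and R2B makes the latter route carry two next hops. Because the whole table is rebuilt from the LSDB each time, a change to a transit network is handled exactly as steps 2 through 4 describe, while a stub’s leaf changes only the prefix that hangs off its router.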
OSPF’s performance in large intranet
• OSPF achieves fast convergence due to requirements it places on routers:
  – Maintain synchronized link state database among all routers
  – Immediately flood over its adjacencies every LSA it receives
  – Recalculate shortest-path-first tree and install new routes in route table when link state changes occur
• These requirements can become a burden to a router if:
  – Number of LSAs in link state database requires excessive memory
  – Frequent state changes due to large number of routers and networks lead to excessive recalculation of SPF tree and become a drain on CPU resources
[Figure: a large single-area intranet; a transit network failure (marked X) causes Router and Network LSAs to flow through the entire area.]
Fast convergence is one of OSPF’s main benefits. However, if a network is not designed properly, the mechanisms that enable OSPF routers to respond quickly to state changes and maintain current information can be detrimental to its performance.
The diagram above represents a very large intranet, although it is not practical to show all the routers in such a large network. The routers in the above example are arranged hierarchically, with four router groups that are connected to a set of core routers. As a practical matter, due to the relative isolation of the router groups, the transit network failure shown in the diagram will not result in any route table changes for routers in other groups. The links that connect groups to the core are not affected. When a transit network in one of the locations goes down, the routers in another location do not need to be updated. The links that the routers use to reach the other location are still up.
However, because all of the routers are in a single area, they all receive the updates and process them accordingly, which adds to router overhead. This issue becomes more severe as more routers and networks are added because the probability increases that one or more of them could be experiencing state changes at any given time.
The creation of areas that include too many routers also can lead to large link state databases that cannot be processed quickly enough to satisfy user needs. Because the link state algorithm must examine all LSAs stored in the LSDB, the inclusion of too many entries can lengthen processing time so that user sessions time out before the router finds the shortest path and updates its route table.
The solution, of course, is to divide the networks into areas. Many router vendors recommend limiting the number of routers and networks in an area according to the available processor speed and memory. Many enable you to configure a minimum interval between iterations of the shortest-path-first algorithm.
OSPF scalability
• Divide a large intranet into areas with fewer than 50 routers and fewer than 500 networks
• If you use multiple areas, one must be defined as Area 0
• Connect the areas using an Area Border Router (ABR) that has at least one interface in Area 0 and at least one interface in a non-zero area
• Routers whose interfaces are all assigned to the same area are ‘internal’ routers
[Figure: networks assigned to Area 1, Area 0, and Area 2.]
To avoid overtaxing OSPF routers, you should divide the intranet into areas sized so that LSA processing and storage do not interfere with performance. In general, an area should have no more than 50 routers or 500 networks. It is also worth noting that OSPF’s benefits are more apparent in larger networks. Consequently, the likely OSPF deployment involves dividing up the networks by physical proximity and creating boundaries between the areas.
In an intranet using multiple areas, one area must be the unnumbered area, often referred to as “Area 0,” “Area 0.0.0.0,” or the “Backbone Area.”
Area Border Router (ABR)
To enable proper OSPF functioning, you must configure an OSPF router to be the Area Border Router (ABR) by assigning some interfaces to Area 0 and other interfaces to another area. The ABR must have at least one backbone interface.
The networks in an area must be contiguous. The design cannot place part of Area 1 in location A and another part of Area 1 in Location B, with connections provided only by networks that belong to some other area.
Multiple areas and adjacency
• Adjacency is a requirement for all OSPF routers, whether internal or ABR
• Area ID is one of the first items checked in Hello packet
  – Adjacency fails if the sender of Hello packet associates the network with a different area ID than the receiver
[Figure: networks assigned to area 1, area 0, and area 2.]
Adjacency is fundamental to all communication between OSPF routers. Without adjacency, routers cannot synchronize their link state databases and cannot flood LSAs. Furthermore, a network with no adjacencies is recognized by all routers as a stub network, instead of as a transit network capable of carrying traffic destined for other networks.
As described earlier, in order to form an adjacency, the routers must agree on many parameters, including area ID. In fact, area ID is one of the first items that the receiver of a Hello message verifies. If the area IDs are different, neither side can move to the Two-Way or ExStart states.
Every OSPF packet, including Hello, Database Description, Link State Request, Link State Update, and Link State Acknowledgment, is encapsulated by an OSPF packet header that contains the area ID and router ID.
If you change the area ID to which a network is assigned without changing the area ID of other routers on that network, the router immediately loses any adjacencies on that network. If other router interfaces subsequently change their area IDs, the routers may establish new adjacencies if all other parameters are compatible.
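As an added example (not code from the guide), the following Python builds and parses an OSPFv2 Hello using the RFC 2328 header and Hello layouts, verifies the checksum, and applies the receiver's checks in the order the text describes: the area ID carried in the OSPF header first, then the timers and mask that must also match before the neighbor can move toward Two-Way and ExStart. The Router IDs, area and network come from the diagrams in this section; the 10/40 second timers, the broadcast-network mask check and AuType 0 (null authentication) are assumptions of the example.

```python
import struct
from ipaddress import IPv4Address

# Layouts from RFC 2328: the common OSPF header and the fixed part of a Hello body.
OSPF_HEADER = struct.Struct("!BBH4s4sHH8s")  # version, type, length, Router ID, Area ID, checksum, AuType, authentication
HELLO_FIXED = struct.Struct("!4sHBBI4s4s")   # network mask, HelloInterval, options, priority, RouterDeadInterval, DR, BDR
OSPF_HELLO = 1


def ospf_checksum(packet):
    """Standard one's-complement checksum of the packet with the 64-bit authentication
    field (bytes 16..23) excluded, as used with AuType 0 (null authentication)."""
    data = packet[:16] + packet[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(router_id, area_id, netmask, hello_int, dead_int, neighbors=()):
    """Assemble an OSPFv2 Hello with null authentication and a valid checksum."""
    body = HELLO_FIXED.pack(IPv4Address(netmask).packed, hello_int, 0x02, 1,
                            dead_int, b"\0" * 4, b"\0" * 4)
    body += b"".join(IPv4Address(n).packed for n in neighbors)
    fields = [2, OSPF_HELLO, OSPF_HEADER.size + len(body), IPv4Address(router_id).packed,
              IPv4Address(area_id).packed, 0, 0, b"\0" * 8]
    fields[5] = ospf_checksum(OSPF_HEADER.pack(*fields) + body)
    return OSPF_HEADER.pack(*fields) + body


def parse_hello(packet):
    """Decode the OSPF header and Hello body; raise ValueError on malformed or corrupted input."""
    ver, ptype, length, rid, area, _, _, _ = OSPF_HEADER.unpack_from(packet)
    if ver != 2 or ptype != OSPF_HELLO or length > len(packet):
        raise ValueError("not a well-formed OSPFv2 Hello")
    if ospf_checksum(packet[:length]) != 0:  # a correct checksum verifies to zero
        raise ValueError("OSPF checksum failure")
    mask, hello_int, options, prio, dead_int, _, _ = HELLO_FIXED.unpack_from(packet, OSPF_HEADER.size)
    first = OSPF_HEADER.size + HELLO_FIXED.size
    return {"router_id": str(IPv4Address(rid)), "area_id": str(IPv4Address(area)),
            "netmask": str(IPv4Address(mask)), "hello_interval": hello_int,
            "dead_interval": dead_int, "options": options, "priority": prio,
            "neighbors": [str(IPv4Address(packet[i:i + 4])) for i in range(first, length, 4)]}


def hello_or_none(packet):
    """Convenience wrapper: the parsed Hello, or None if the packet is rejected."""
    try:
        return parse_hello(packet)
    except ValueError:
        return None


def rejection_reasons(iface, hello):
    """Why the receiving interface would ignore this Hello (empty list = accepted).
    The area ID from the OSPF header is checked first, as the text describes; the
    timers and, on a broadcast network, the mask must match as well."""
    reasons = []
    if hello["area_id"] != iface["area_id"]:
        reasons.append("area ID mismatch: %s vs %s" % (hello["area_id"], iface["area_id"]))
    if hello["hello_interval"] != iface["hello_interval"]:
        reasons.append("HelloInterval mismatch")
    if hello["dead_interval"] != iface["dead_interval"]:
        reasons.append("RouterDeadInterval mismatch")
    if hello["netmask"] != iface["netmask"]:
        reasons.append("network mask mismatch")
    return reasons


def neighbor_state(iface, hello):
    """No adjacency ('Down') if rejected; Init once seen; Two-Way only when the
    Hello's neighbor list contains our own Router ID."""
    if rejection_reasons(iface, hello):
        return "Down"
    return "Two-Way" if iface["router_id"] in hello["neighbors"] else "Init"


# Constructed from the diagrams: R1B's area 1 interface on 10.1.64.0/24, receiving from R1A.
R1B_IFACE = {"router_id": "10.1.209.1", "area_id": "0.0.0.1", "netmask": "255.255.255.0",
             "hello_interval": 10, "dead_interval": 40}
```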
ABR link state database synchronization
• Router LSAs and Network LSAs do not cross area boundaries
• Area Border Routers (ABR)
  – Have adjacencies with neighbors in at least two areas
  – Maintain database synchronization with routers in locally configured areas
[Diagram: internal routers in area 1, internal routers in area 2 and an internal router in area 0; one ABR maintains LSDB entries for area 0 and area 1, the other ABR maintains LSDB entries for area 0 and area 2]
An OSPF router assigns each of its OSPF interfaces to an area. An area border router (ABR) assigns some of its interfaces to the backbone area and other interfaces to a non-backbone area. The ABR must maintain database entries for each area in which it has at least one interface. It does not maintain LSAs for areas in which it has no interfaces.
In this example, each ABR has one interface in the backbone area and two or more interfaces in a non-backbone area. It is possible for an ABR to have interfaces in two non-backbone areas; however, this can add significant overhead because the router must maintain entries for all connected areas. The ABR is a full participant in each area, originating and flooding LSAs when it is appropriate.
LSA flow between areas
• ABR generates and floods ‘Summary LSAs’ that:
  – Describe networks in the backbone area and flood over all adjacencies in the non-backbone area
  – Describe networks in the non-backbone area(s) and flood over all adjacencies in the backbone area
• ABR may be configured to substitute individual network advertisements with range advertisements
[Diagram: internal routers in area 1, internal routers in area 2 and an internal router in area 0. The area 1 ABR floods Summary LSAs for networks in area 1 into area 0, and Summary LSAs for networks in area 0 and area 2 into area 1; the area 2 ABR floods Summary LSAs for networks in area 2 into area 0, and Summary LSAs for networks in area 0 and area 1 into area 2]
ABRs have a set of database entries for each supported area and maintain adjacencies with neighbors in those areas. The ABR is responsible for creating a third type of LSA, known as a Summary LSA, which it uses to represent networks from other areas.
In the backbone area section of the ABR’s database, backbone area networks are represented by Router and Network LSAs, and non-backbone area networks are represented by Summary LSAs.
The reverse is also true. In the non-backbone area section of the database, non-backbone area networks are represented by Router and Network LSAs. The backbone networks are represented by Summary LSAs.
Consequently, the link-state database of an ABR that supports two areas has approximately twice as many entries as it would have if all of its interfaces were in the same area, and the link-state database of an ABR that supports three areas has approximately three times as many. Memory consumption is one of the primary reasons that most vendors put limits on the number of areas an OSPF router can support.
Flooding Summary LSAs
[Diagram: two non-backbone areas connected to area 0 by ABRs. R1A (ABR): 10.0.100.11/24 in area 0, 10.1.64.1/24 in area 1, Router ID 10.1.208.1 from a loopback interface. R1B: 10.1.64.2/24, 10.1.10.1/24 and 10.1.30.1/24 in area 1, Router ID 10.1.209.1 from a loopback interface. R2A (ABR): 10.0.100.21/24 in area 0, 10.2.64.1/24 in area 2, Router ID 10.2.208.1 from a loopback interface. R2B: 10.2.64.2/24, 10.2.10.1/24 and 10.2.30.1/24 in area 2, Router ID 10.2.209.1 from a loopback interface.]
Link State Update packet sent by R1A (OSPF header, followed by LSAs):
  Type: Summary LSA, Link state ID: 10.1.10.0, Adv. Router: 10.1.208.1, Netmask: 255.255.255.0
  Type: Summary LSA, Link state ID: 10.1.30.0, …
R1A (an ABR):
• Floods into area 0 a Summary LSA for each network in area 1
• Floods into area 1 a Summary LSA for each network in area 0
A Summary LSA contains the starting address and mask of a network from one area that is sent into another area. The example above shows one Summary LSA and the beginning of a second Summary LSA. Like the Router LSA and Network LSA, the Summary LSA is encapsulated in a Link State Update packet and flooded to a router’s adjacent neighbors. Unlike the Router and Network LSA, the Summary LSA crosses area boundaries. The Summary LSA created by R1A and flooded into the backbone area is also flooded into area 2 by R2A, the ABR that connects area 2 to the backbone. Similarly, the Summary LSAs created by R2A that describe networks in area 2 are flooded through the backbone and into area 1.
As a result of the ABR’s creation and flooding of Summary LSAs, an internal (non-ABR) router has Router and Network LSAs that describe networks in its local area, and Summary LSAs that describe networks in other areas.
In the example above, each non-backbone area has a single ABR that connects to the backbone area. However, designers may provide additional resilience by configuring two ABRs per area. In that case, each ABR independently creates and floods summary LSAs from one area into the other. Internal routers in the area would receive twice as many Summary LSAs as they would receive if the area had only one ABR.
Dividing a large intranet into multiple areas will limit the scope of Router LSAs and Network LSAs, but this action alone isn’t sufficient to minimize the size of the link state database. The creation of multiple areas actually increases the size of the LSDB for ABRs and may increase the number of entries for internal routers.
Hierarchical addressing enables summarization
[Diagram: the same topology as on the previous page (R1A and R1B in area 1, R2A and R2B in area 2, with R1A and R2A connecting their areas to area 0).]
R1A floods a Summary LSA (Link State Update packet): Type: Summary LSA, Link state ID: 10.1.0.0, Adv. Router: 10.1.208.1, Netmask: 255.255.0.0
R2A floods a Summary LSA (Link State Update packet): Type: Summary LSA, Link state ID: 10.2.0.0, Adv. Router: 10.2.208.1, Netmask: 255.255.0.0
• Summarize the area’s entire address range with a starting address and mask
Dividing an intranet into separate areas makes it possible to summarize address space at area boundaries. An ABR can be configured to create Summary LSAs that express the address space of an area as a range rather than as separate networks.
While this requires you to plan and implement a hierarchical addressing scheme carefully so that the address space of an area can be summarized with a single range statement, the benefits are significant in terms of LSDB size. In particular, the LSDBs of internal routers within non-backbone areas can then list a single route to addresses in other areas instead of listing the individual networks in their LSDB and route table.
The diagram above shows a hypothetical example. In practice, of course, you would not divide a network this small into three separate areas. In fact, the benefits of OSPF are most apparent in larger networks with redundant paths.
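An added example, not code from the guide: starting from the networks in the diagram (assumed here to be the complete address space of each area, loopbacks included), it derives the single range an ABR can advertise in one Summary LSA, checks that the range does not also cover another area's networks, and counts the inter-area entries an internal router carries with and without summarization, which also illustrates the database growth discussed under LSA flow between areas.

```python
from ipaddress import ip_network

# Constructed from the diagram: the networks (and loopback addresses used as
# Router IDs) that belong to each area.
AREA_NETWORKS = {
    0: ["10.0.100.0/24"],
    1: ["10.1.10.0/24", "10.1.30.0/24", "10.1.64.0/24", "10.1.208.1/32", "10.1.209.1/32"],
    2: ["10.2.10.0/24", "10.2.30.0/24", "10.2.64.0/24", "10.2.208.1/32", "10.2.209.1/32"],
}


def covering_range(networks):
    """Smallest single prefix that contains every network of an area. This is what
    a hierarchical addressing plan makes possible: area 1 collapses to 10.1.0.0/16."""
    nets = [ip_network(n) for n in networks]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def summary_lsas(networks, area_range=None):
    """(Link State ID, Netmask) pairs an ABR advertises for an area into its other
    areas: one Summary LSA per network, or a single one when a range is configured."""
    if area_range is not None:
        return [(str(area_range.network_address), str(area_range.netmask))]
    return [(str(ip_network(n).network_address), str(ip_network(n).netmask))
            for n in networks]


def range_conflicts(area_range, other_areas):
    """Networks of other areas that the proposed range would also cover. An overly
    wide range claims their traffic for this ABR, so reject it before configuring."""
    return sorted(str(n) for nets in other_areas.values()
                  for n in map(ip_network, nets) if n.subnet_of(area_range))


def inter_area_entries(local_area, areas, summarize):
    """Number of Summary LSAs an internal router in local_area receives for the
    networks of all other areas, with or without range summarization."""
    total = 0
    for area, nets in areas.items():
        if area == local_area:
            continue
        area_range = covering_range(nets) if summarize else None
        total += len(summary_lsas(nets, area_range))
    return total
```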
Summary of OSPF LSA types

Type | Name            | Scope                                | Advertising Router                              | Link State ID
1    | Router LSA      | Within a single area                 | Router ID (one LSA for each router in the area) | Originating router ID
2    | Network LSA     | Within a single area                 | DR of multi-access transit network              | DR’s IP address on the network
3    | Summary LSA     | All areas other than stub no-summary | Area Border Router                              | Starting IP address of address range in another area
4    | AS Summary LSA  | Normal areas                         | Area Border Router                              | ASBR’s Router ID
5    | AS External LSA | Normal areas                         | Autonomous System Boundary Router               | Starting IP address of external address range
7    | NSSA LSA        | Within a not-so-stubby area          | Autonomous System Boundary Router               | Starting IP address of external address range
As shown above, OSPF supports six types of LSA.
Router LSAs and Network LSAs are exchanged by routers in a single area, as described earlier in this module.
When you define multiple areas on a router, the router automatically becomes an ABR. It creates Summary LSAs that describe networks in the backbone and floods them to adjacent neighbors in non-backbone areas. It also creates Summary LSAs that describe non-backbone networks and floods them to the backbone. Summary LSAs flow through area border routers into “normal” OSPF areas.
The rest of this module will describe three other types of OSPF areas and the uses for the remaining LSA types shown in the table above.
External route information
• Basic OSPF interactions
• Distribution of link state changes
• External route information
  – Redistributing non-OSPF network information
  – Autonomous System Boundary Router (ASBR)
  – Not-so-stubby area (NSSA)
The final section of Module 2 will describe the processes for redistributing information about non-OSPF networks to OSPF routers.
Redistributing non-OSPF network information
OSPF routers advertise:
• Locally connected OSPF networks using Router LSAs and Network LSAs
• Networks in another area using Summary LSAs
Routing information that comes from a source other than OSPF is considered ‘external’. Examples include:
• Default route to the Internet
• Static route to portions of the intranet that do not use OSPF
• Routes learned from RIP neighbors
An Autonomous System Boundary Router (ASBR) is an OSPF router that has learned routes from a non-OSPF source
OSPF routers advertise native OSPF networks using Router LSAs, Network LSAs, and Summary LSAs. When an OSPF router has information in its route table that came from a source other than OSPF, it cannot include that information in its Router LSA because the Router LSA refers strictly to OSPF native networks.
Sources of non-OSPF routes can include:
Static routes
Directly connected networks (local interfaces) where OSPF is not enabled
RIP domains within the intranet. These are collections of routers that support RIP and exchange RIP advertisements, but do not support OSPF.
User-defined default route or BGP routes that direct traffic toward an ISP or other location.
Because OSPF routers often must have access to these types of routes, OSPF domains often include an Autonomous System Boundary Router (ASBR), a type of OSPF router that has direct knowledge of non-OSPF information. While configuration procedures are vendor- or platform-specific, the process of transforming routing information from one source into another is often referred to as “redistribution.”
ASBR
• A router that has access to non-OSPF route information may be configured to redistribute that information into the OSPF Autonomous System
• ASBR generates one AS External LSA for each non-OSPF network
  – Can be configured to summarize address ranges
• ASBR floods AS External LSAs to its adjacent neighbors
• Routers in “normal” areas flood AS External LSAs to adjacent neighbors
• External address range appears in LSDB and IP route tables of all routers
[Diagram: an ASBR in area 0 connects to a non-OSPF domain and floods AS External LSAs, which reach area 0, area 1 and area 2]
The ASBR is responsible for generating an AS External LSA for each non-OSPF network. Like all other LSAs, it is encapsulated in a Link State Update packet, OSPF packet, and IP packet, and flooded to adjacent neighbors.
On most systems, administrators can configure ranges of external networks to minimize the actual number of advertisements the ASBR must send and, consequently, limit the number of LSAs that every router in the domain must keep in its LSDB. If the ASBR provides a path to the Internet or to all networks not specifically listed in the domain’s route tables, administrators can configure it to originate the default route by creating and flooding a Type 5 AS External LSA that advertises the address range 0.0.0.0/0.
An AS External LSA may be forwarded over adjacencies, through ABRs, and reach every router in the domain if the external information being advertised is worthy of that kind of distribution. In many cases, external routes are connected to a single ASBR and if there are a limited number of paths to that ASBR, it might be more efficient to stop the AS External LSAs from being flooded into every area.
Stub area type: Injecting the default route
• OSPF routers internal to non-backbone areas may not require the specific addresses of non-OSPF networks
• To replace the specific advertisements of non-OSPF networks with the default route, define non-backbone areas as ‘stub’ type areas
• The backbone may not be defined as a stub area
• Link State Database in a stub area cannot contain AS Summary LSAs or AS External LSAs; an ASBR may not reside within a stub area
[Diagram: an ASBR in area 0 connects to a non-OSPF domain and floods AS External LSAs into area 0. The ABRs of Area 1 (Stub) and Area 2 (Stub) do not flood AS External LSAs into the stub areas; instead each ABR injects a Summary LSA that specifies the default route 0.0.0.0/0, which appears in the LSDB and route tables of the internal routers]
The ABR of a stub area receives AS External LSAs from its adjacent neighbors in the backbone area and stores them in its link state database. It does not flood AS External LSAs into the stub area, but instead creates a Type 3 Summary LSA containing the default route and floods that LSA to neighbors in the stub area.
Because the routers internal to the stub area receive the default route, they can forward traffic toward the remote networks managed or discovered by other routing protocols. However, they are not required to maintain individual entries for those networks. This minimizes the number of LSAs in internal routers’ link state database, along with the size of the IP route table.
The ABR’s status as a member of the stub area does not cause it to have the default route in its route table. Instead, its route table contains whatever specific networks or summarized address ranges the ASBR has advertised. If the ASBR has been configured to originate the default route, the databases of all OSPF routers in normal areas will contain the Type 5 AS External LSA that advertises the default route. Internal routers in stub areas will also have the default route in their route tables, but that information comes from the Type 3 Summary LSA that was injected into the stub area by the ABR.
As described earlier, the ABR must always be a member of Area 0 and at least one non-backbone area. Area 0 cannot be defined as a stub area type because it is a connecting point for all of the areas in the OSPF AS. In the diagram, the ASBR is located within Area 0 by design. The ASBR cannot be placed in a stub area.
Locating the ASBR
• ASBRs may be located in any ‘normal’ area, never in a stub area
• ASBRs indicate their role by setting an option bit in their Router LSAs
• ABR detects the presence of an ASBR in an area under its control, originates an AS Summary LSA, and floods it into the backbone area
• AS External LSA includes the ASBR’s Router ID; without the AS Summary LSA, routers would not know which area the ASBR resides in, preventing them from forwarding traffic toward the non-OSPF networks

Type | Name            | Scope        | Advertising Router                | Link State ID
4    | AS Summary LSA  | Normal areas | Area Border Router                | ASBR’s Router ID
5    | AS External LSA | Normal areas | Autonomous System Boundary Router | Starting IP address of external address range
The AS Summary LSA, originated by the ABR of the area in which a given ASBR is located, advertises that ASBR’s router ID into all normal areas. Without this advertisement, an internal router in a different area than the ASBR would not know how to forward traffic toward the non-OSPF networks.
Unlike all of the other LSA types, the AS Summary LSA does not contain any information that appears in a route table. However, because it is in the link state database, it is available for use when OSPF routers calculate the shortest path to each destination network, including the external networks advertised by the ASBR.
Stub and ‘totally stubby’ area
• Defining an area as stub reduces the size of the LSDB and IP route table
• To further minimize the LSDB and IP route table, configure the ABR to withhold Summary LSAs
• Result is a more compact LSDB and IP route tables
• External networks and networks from other areas are summarized with the default route
[Diagram: an ASBR in area 0 connects to a non-OSPF domain and floods AS External LSAs into area 0. The ABRs of Area 1 (Stub) and Area 2 (Stub), configured as stub no-summary or ‘totally stubby’, prohibit AS External LSAs and Summary LSAs; the default route 0.0.0.0/0 they inject represents external networks and those in other OSPF areas]
In addition to defining an area’s type as “stub,” you can configure the ABR not to flood Type 3 Summary LSAs to adjacent neighbors in the area. This is advisable when there are a limited number of entry and exit points to a given area. For example, all routers in Area 1 usually do not require detailed information about the networks in Area 2.
Although the example shows only one ABR for each non-backbone area, it is often the case that a stub area is connected to the backbone by two ABRs. Although both ABRs will advertise the default route, the one advertising the lowest metric will provide the backbone connection for all routers. If both ABRs advertise the default route with an equal metric, all traffic leaving the area will go through the ABR with the highest router ID.
Not-so-stubby area (NSSA)
NSSA combines the efficiency of default route summarization (similar to a stub area) with the flexibility of ASBR definition
• ASBR within NSSA originates Type 7 LSA (NSSA)
• ABR transforms Type 7 LSAs into Type 5 and floods them into the backbone
[Diagram: Area 1 (NSSA) contains a router with some RIP routes that acts as an ASBR; its RIP routes appear in route tables within Area 1 as ‘External’, and non-OSPF information that originates outside Area 1 is summarized as the default route 0.0.0.0/0. Area 0 contains an ASBR with the default route to the Internet, flooding AS External LSAs. In Area 2 (Totally Stubby) the default route 0.0.0.0/0 represents all networks not in Area 2]
OSPF rules prohibit Type 4 or Type 5 LSAs in a stub area. However, if a non-backbone area must include an ASBR, it can be defined as a not-so-stubby area (NSSA) to enable internal routers to gain the efficiency typical of stub areas.
The ABR connected to a not-so-stubby area converts external information that originates outside the area into the default route in the same manner it would if the area were defined as a stub area. This is possible because the ASBR in a not-so-stubby area advertises its external networks using a Type 7 NSSA LSA. The external networks appear in the route tables of routers in the area, and the ABR translates the Type 7 LSAs into Type 5 AS External LSAs and floods them to adjacent neighbors in the backbone. From the backbone, the external network information is summarized as the default route for stub and totally stubby areas.
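The following Python, added here and not taken from the guide, encodes the flooding rules this section describes for normal, stub, totally stubby and not-so-stubby areas as a decision table, together with the ABR's default-route injection and the Type 7 to Type 5 translation. The backbone-side database it operates on is constructed from the section's diagrams (the ASBR Router ID 10.2.209.1 and the external prefix 192.0.2.0/24 are invented for the example), and the default route injected into an NSSA is modelled as the guide describes it, in the same way as for a stub area.

```python
from dataclasses import dataclass, replace

ROUTER, NETWORK, SUMMARY, AS_SUMMARY, AS_EXTERNAL, NSSA = 1, 2, 3, 4, 5, 7
DEFAULT = "0.0.0.0"


@dataclass(frozen=True)
class Lsa:
    lsa_type: int
    link_state_id: str
    netmask: str
    adv_router: str


def flood_into_area(lsa, area_type):
    """The LSA an ABR floods from its backbone-side database into an area of the
    given type, or None when the area type prohibits it."""
    if lsa.lsa_type in (ROUTER, NETWORK):
        return None                      # Router and Network LSAs never cross an area boundary
    if area_type == "normal":
        return lsa
    if area_type in ("stub", "totally-stubby", "nssa"):
        if lsa.lsa_type in (AS_SUMMARY, AS_EXTERNAL):
            return None                  # Type 4 and Type 5 are prohibited in stub-type areas
        if area_type == "totally-stubby" and lsa.lsa_type == SUMMARY:
            return None                  # stub no-summary: Type 3 is withheld as well
        return lsa
    raise ValueError("unknown area type: %s" % area_type)


def default_route_lsa(abr_id):
    """Type 3 Summary LSA for 0.0.0.0/0 that the ABR injects in place of the
    external information it withheld."""
    return Lsa(SUMMARY, DEFAULT, DEFAULT, abr_id)


def translate_nssa(lsa, abr_id):
    """ABR turns a Type 7 NSSA LSA from its NSSA side into a Type 5 AS External LSA
    for the backbone; the translating ABR becomes the advertising router."""
    if lsa.lsa_type != NSSA:
        raise ValueError("only Type 7 LSAs are translated")
    return replace(lsa, lsa_type=AS_EXTERNAL, adv_router=abr_id)


def area_lsdb(area_type, backbone_lsdb, abr_id):
    """Inter-area and external entries the internal routers of the area receive."""
    flooded = [f for f in (flood_into_area(entry, area_type) for entry in backbone_lsdb) if f]
    if area_type != "normal":
        flooded.append(default_route_lsa(abr_id))
    return flooded


def lsa_types(lsdb):
    """Sorted LSA type numbers, for comparing the outcome per area type."""
    return sorted(entry.lsa_type for entry in lsdb)


def asbr_placement_allowed(area_type):
    """An ASBR may sit in a normal area or an NSSA, never in a stub or totally stubby area."""
    return area_type in ("normal", "nssa")


# Constructed backbone-side database of R1A (Router ID 10.1.208.1): its own Router and
# Network LSA, R2A's range summary for area 2, an AS Summary LSA that R2A originated for
# a (constructed) ASBR 10.2.209.1 in area 2, and two AS External LSAs from that ASBR.
BACKBONE_LSDB = [
    Lsa(ROUTER, "10.1.208.1", "", "10.1.208.1"),
    Lsa(NETWORK, "10.0.100.11", "255.255.255.0", "10.1.208.1"),
    Lsa(SUMMARY, "10.2.0.0", "255.255.0.0", "10.2.208.1"),
    Lsa(AS_SUMMARY, "10.2.209.1", "", "10.2.208.1"),
    Lsa(AS_EXTERNAL, "192.0.2.0", "255.255.255.0", "10.2.209.1"),   # constructed external prefix
    Lsa(AS_EXTERNAL, DEFAULT, DEFAULT, "10.2.209.1"),               # ASBR-originated default route
]
```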
Module 2 summary
In this module, you learned:
• The basic operation of OSPF
• Why OSPF provides for more efficient routing than RIP, especially in large-scale intranets
• The functions of the types of OSPF routers
• The role of different types of OSPF areas
Module 2 of IP Routing Foundations described the OSPF routing protocol, including the OSPF router and area types. The module emphasized reasons why OSPF is more efficient than RIP in large-scale intranets.
Learning check Module 2
1. Name two types of OSPF networks.
a. ........................................................................................................................
b. ........................................................................................................................
2. Define the purposes of:
ABR: .................................................................................................................
ASBR: ...............................................................................................................
3. Describe the process by which OSPF routers form adjacencies.
............................................................................................................................
............................................................................................................................
............................................................................................................................
4. What types of OSPF LSAs are confined to a single area and how are they used?
............................................................................................................................
............................................................................................................................
............................................................................................................................
............................................................................................................................
5. What techniques enable administrators to limit the size of OSPF link state databases and enhance routing efficiency?
............................................................................................................................
............................................................................................................................
............................................................................................................................
............................................................................................................................
Module 3: Default Gateway Redundancy Protocols
Objectives
• Describe the benefits of providing redundant default gateway service for clients
• List common characteristics of protocols that provide automatic default gateway failover
• Describe the operation of the Virtual Router Redundancy Protocol (VRRP)
Redundant router interfaces
• Multiple router interfaces are members of a group known as a ‘virtual router’
• At any given moment, one router interface is ‘master’
  – The other will become master only if the current master fails
[Diagram: Router A and Router B, both connected to the intranet and/or Internet, comprise a virtual router configured with a common virtual IP address, 10.1.10.1. Host: 10.1.10.10/24, Default Gateway: 10.1.10.1]
All of the default gateway redundancy technologies discussed throughout this module share the basic features shown above. This highly simplified example illustrates the redundant router topology from the perspective of a single network. In most configurations, two routers will be connected to exactly the same set of networks. Although each router has a unique IP address, they will be configured to share a common virtual IP address. This address will be used as the default gateway for each network to which the routers provide redundant default gateway service.
Redundant links: Physical view
• Redundant links enable a client’s connections with off-network hosts to continue despite failure of a link along the primary path to its default gateway
• In this example, a router with five interfaces performs default gateway service for hosts in five networks
[Diagram: Router1 forwards traffic among its connected VLANs: VLAN 1 (ve 1: 10.x.1.1/24), VLAN 10 (ve 10: 10.x.10.1/24), VLAN 20 (ve 20: 10.x.20.1/24), VLAN 30 (ve 30: 10.x.30.1/24), VLAN 40 (ve 40: 10.x.40.1/24). Link A, Link B and Link C are each untagged in VLAN 1 and tagged in VLANs 10, 20, 30 and 40, connecting Router1, Switch1 and Switch2. Hosts in network 10.1.10.0/24 use DG 10.1.10.1, in 10.1.20.0/24 DG 10.1.20.1, in 10.1.30.0/24 DG 10.1.30.1, and in 10.1.40.0/24 DG 10.1.40.1]
Many contemporary networks employ Spanning Tree Protocol to ensure that the failure of a single switch-to-switch link will not disrupt connectivity. For instance, in the topology shown above, hosts in all four user VLANs—10, 20, 30, and 40—have two paths to the router that is their default gateway.
Router1 is the sole connecting point for all of the VLANs/networks. Because the router is also the root of the Spanning Tree, Link C (between Switch1 and Switch2) will only be used if either Link A or Link B should fail. The primary path for off-network communication from all hosts in networks 10.1.10.0 and 10.1.30.0 is through Switch1 and Link A. The primary path for hosts in networks 10.1.20.0 and 10.1.40.0 is through Switch2 and Link B.
If Link A should fail, off-network traffic generated by hosts in networks 10.1.10.0 and 10.1.30.0 will be carried by Link C and Link B. Both links are tagged members of the VLANs associated with these networks (VLANs 10 and 30) and this allows the off-network traffic to take an alternate path to the default gateway.
Since all three of the links (A, B, and C) are members of all five VLANs, the failure of any one of the links would not prevent hosts from reaching their default gateway.
Redundant links: Logical view
[Diagram: Router1 connects network 10.1.1.0/24 with networks 10.1.10.0/24 (all hosts’ DG: 10.1.10.1), 10.1.20.0/24 (all hosts’ DG: 10.1.20.1), 10.1.30.0/24 (all hosts’ DG: 10.1.30.1) and 10.1.40.0/24 (all hosts’ DG: 10.1.40.1). Switch1: 10.1.1.25/24, DG: 10.1.1.1; Switch2: 10.1.1.26/24, DG: 10.1.1.1]
Layer 2 edge switches:
• Provide physical connections within each network, but are not hosts on networks 10.1.10.0, 10.1.20.0, 10.1.30.0, or 10.1.40.0
• Are hosts on the 10.1.1.0 network
IP route table
Destination   gateway  port  cost
10.1.1.0/24   0.0.0.0  v1    1
10.1.10.0/24  0.0.0.0  v10   1
10.1.20.0/24  0.0.0.0  v20   1
10.1.30.0/24  0.0.0.0  v30   1
10.1.40.0/24  0.0.0.0  v40   1
This diagram provides a logical view of the network topology shown on the previous page. After Spanning Tree blocks the link between Switch1 and Switch2, there is a single active path between each host and its default gateway, Router1. If a physical link fails, the physical path to the default gateway might change. However, the logical view would remain the same.
The switches shown in the logical diagram provide the physical connections within each network. However, they are not hosts on any network other than the management network, 10.1.1.0/24.
Impact of device failure
Failure of one Layer 2 edge switch:
• Hosts connected to that switch would be cut off from the network
• Highly localized impact with relatively inexpensive solution: replace switch, restore configuration
Failure of the router:
• All hosts that use this router as a default gateway would be cut off from resources in other networks
• Impact has wider scope
• Potentially expensive solution: replace router components, possibly restore configuration
[Diagram: the same logical topology as on the previous page, with Switch1 (10.1.1.25/24, DG: 10.1.1.1), Switch2 (10.1.1.26/24, DG: 10.1.1.1), network 10.1.1.0/24, and networks 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24 and 10.1.40.0/24 whose hosts use the .1 address of their network as default gateway]
The redundant link between Switch1 and Switch2 ensures that this topology is tolerant of link failure. However, in order to design a truly fault-tolerant infrastructure, a network designer must consider the possibility that a component, such as a switch or router, can fail. The topology above does not meet this requirement.
Edge switch failure
In many cases, little can be done to prepare for the failure of an edge switch. Network hosts typically are connected to only one switch, which makes it impossible to provide redundant wired links. If, however, network administrators are using a management and monitoring application, they can react quickly to a switch failure by replacing the switch or by providing an alternate connection to affected users. For instance, if client computers have wireless adapters and the network offers a wireless infrastructure, the clients can activate their wireless adapters and connect through a wireless access point. The users can return to their wired Ethernet connections after the failed switch is replaced.
Router failure
The failure of a router has far wider consequences than the failure of an edge switch. If a router fails, hosts may continue to have connectivity with other hosts in their own network, but they will not be able to access resources on other networks. In contemporary enterprises, this is not acceptable because direct peer-to-peer communication without an intervening server or other device is not common.
Furthermore, routers and routing switches in a production network are likely to support far more networks and clients than are shown in this example. In addition to providing access to resources within an organization, the router is the first point of contact in establishing and maintaining connections with the global Internet.
Consequently, network designers must make allowances for router failures.
Providing a second router
• If you provide a second router, you might use a DHCP scope that includes both default gateway addresses
• If Router1 fails, clients can obtain a new DHCP lease that specifies Router2’s IP address as default gateway
[Diagram: Router1 interfaces: 10.1.1.1/24, 10.1.10.1/24, 10.1.20.1/24, 10.1.30.1/24, 10.1.40.1/24. Router2 interfaces: 10.1.1.2/24, 10.1.10.2/24, 10.1.20.2/24, 10.1.30.2/24, 10.1.40.2/24. Switch1: 10.1.1.25/24, DG: 10.1.1.1; Switch2: 10.1.1.26/24, DG: 10.1.1.1. Hosts in networks 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24 and 10.1.40.0/24 still use the .1 address of their network (Router1) as default gateway]
It is tempting to believe you can overcome router failure by simply installing a second router that provides access to the same resources as the first. However, this solution is not adequate because the second router must have a different IP address than the first. Consequently, if the first router fails, all connected hosts must change their default gateway settings to the address of the second router.
Although most IP stacks enable you to define a second default gateway address, most do not automatically fail over to the second gateway without special configuration.
In the example above, to enable Router2 to perform the function of Router1, administrators must change the default gateway settings for all connected hosts. Obviously, the manual reconfiguration of every host is impractical for a network of any size. Alternately, administrators could reconfigure the network’s DHCP scope and require users to obtain a new DHCP lease with the new gateway. However, this solution is also impractical, for reasons that will be discussed on subsequent pages.
IP Routing Foundations
3 – 8 Rev. 5.21
Why failover is not automatic (1)
• Interfaces on Router1 provide default gateway service for hosts on both networks
• Layer 2 header destination address of all off-network traffic is that of Router1
Figure: Host40 (10.1.40.40/24, DG 10.1.40.1) and Host20 (10.1.20.20/24, DG 10.1.20.1). Router1 interfaces … 10.1.20.1/24 … 10.1.40.1/24; Router2 interfaces … 10.1.20.2/24 … 10.1.40.2/24. Frame sent by Host40: Layer 2 header dest. Router1 MAC, source Host40 MAC; Layer 3 header source 10.1.40.40, dest 10.1.20.20. Frame forwarded by Router1: Layer 2 header dest. Host20 MAC, source Router1 MAC; Layer 3 header source 10.1.40.40, dest 10.1.20.20.
Although it is possible to use DHCP leases to change the default gateway settings for all network hosts, this solution will not provide automatic failover.
Suppose, for instance, that a host with the IP address 10.1.40.40/24 has an ongoing session with the host 10.1.20.20/24. The client directs its off-network traffic to its default gateway by inserting the MAC address of the local router interface into the Layer 2 header.
If the router providing default gateway service becomes unavailable, the session will terminate after a few retries and a given timeout period.
Why failover is not automatic (2)
• Despite the failure of Router1, the host continues to send off-network traffic to Router1’s MAC address
• Host will not send traffic to Router2’s MAC address unless its IP stack configuration is changed to specify a default gateway address on Router2
Figure: Router1 has failed (x). Host40 (10.1.40.40/24, DG 10.1.40.1) and Host20 (10.1.20.20/24, DG 10.1.20.1). Router2 interfaces … 10.1.20.2/24 … 10.1.40.2/24. Host40 still sends: Layer 2 header dest. Router1 MAC, source Host40 MAC; Layer 3 header source 10.1.40.40, dest 10.1.20.20.
In this example, the failure of Router1 has disrupted Host40’s session with resources in address ranges outside of its own. Unless the client has a special default gateway failover configuration, it will continue to send packets to the default gateway’s MAC address until the session times out and eventually terminates altogether.
If the user tries to re-establish the connection with the off-network resource, the new session also will fail because the computer’s IP stack configuration still lists its primary default gateway as 10.1.40.1. The entry in the ARP cache associated with that IP address is the MAC address of the VLAN 40 interface on Router1, which is now down.
The IP stack will never fail over to the second default gateway, even if the user doesn’t start a new session until Router1’s MAC address has aged out of the PC’s ARP cache. The only way to cause the IP host to use the second router interface (for example, 10.1.40.2) as its default gateway is to modify the IP stack configuration, removing 10.1.40.1 from the default gateway setting and leaving 10.1.40.2 as the configured default gateway.
Why failover is not automatic (3)
After you change the default gateway on all hosts to a local interface on Router2, each host:
• Uses ARP to obtain the MAC address for Router2
• Sends off-network traffic to Router2’s MAC address
Figure: Router1 has failed (x). Host40 (10.1.40.40/24, DG 10.1.40.2) and Host20 (10.1.20.20/24, DG 10.1.20.2). Router2 interfaces … 10.1.20.2/24 … 10.1.40.2/24. Frame sent by Host40: Layer 2 header dest. Router2 MAC, source Host40 MAC; Layer 3 header source 10.1.40.40, dest 10.1.20.20. Frame forwarded by Router2: Layer 2 header dest. Host20 MAC, source Router2 MAC; Layer 3 header source 10.1.20.20, dest 10.1.40.40.
After Host40 is configured to use Router2 as its primary default gateway, the IP host process sends an ARP request to learn the MAC address of the device that is using the IP address 10.1.40.2. Subsequent off-network traffic contains the MAC address associated with 10.1.40.2. The user now can establish a new connection with the resource they were using before Router1 failed and hope to pick up the session where they left off.
This solution presents two problems:
1. Very few end users will go to this much effort to remain in contact with crucial resources. If the hosts are using DHCP, you could simplify their involvement by clearing all of the active leases for the network and forcing each host to obtain a new lease. However, this will require significant administrative and traffic overhead, especially if the failed router was performing default gateway service for dozens of networks.
2. Many sessions are not tolerant of lost connections. If users were performing transaction-oriented procedures, they may not be able to return easily to the location they were accessing when the link or device failure occurred.
Automatic failover for default gateway
Automatic failover can be provided using several different standard and proprietary methods:
• Virtual Router Redundancy Protocol: IETF RFC 2338
• VRRP Extended: Proprietary method available on 9300m series routing switch
• XRRP: Proprietary method available on 5300xl and 3400cl series switches
• Other vendor-specific implementations
Common goals for default gateway redundancy methods:
• Enable continuity for off-network communication despite the failure of the primary default gateway
• Provide for automatic failover from primary to backup default gateway within typical session timeout intervals
All strategies for providing redundant default gateway service have the same goal: to provide seamless failover that ensures uninterrupted communication with remote hosts despite the failure of the primary default gateway. Automatic failover typically occurs within the timeout intervals for TCP communication, enabling a client to continue its open sessions through a backup default gateway if the primary gateway fails.
Not every pair of routers with interfaces on the same network is a candidate for default gateway redundancy. If each router leads to a different part of the network (for example, one leads toward the core and the other leads away from it), only one will be a suitable default gateway candidate. In general, a hierarchical design that interconnects networks is considered superior to one that has multiple layers of router hops.
Common characteristics and operations
• Assign a common ID to members of a redundancy group
• Apply priorities to determine which router is preferable as primary or “Master” default gateway for hosts
• Require Master to continually announce its availability, enabling backup routers to automatically detect its failure
• Assign “virtual” IP address to routers in redundancy group
– Actual IP address of each router interface on the network is unique
– Common virtual IP address is assigned to all router interfaces in the redundancy group
• Resolve virtual IP address to a virtual MAC address
– Current Master forwards traffic sent to the virtual MAC address
– Backup routers ignore traffic sent to the virtual MAC address
Vendors and standards groups have devised many protocols and implementations for default gateway redundancy. However, although their terminology, configuration, and monitoring procedures might differ, all of the default gateway redundancy techniques perform the same procedures and operations.
First, all default gateway redundancy implementations define a method for distinguishing router interfaces that are members of the same default gateway redundancy group. A common value is assigned to all router interfaces on a network that can provide default gateway service for the network’s hosts.
Some default gateway redundancy protocols enable you to define a redundancy group consisting of exactly two routers—a primary and a backup. Other protocols enable you to define more than two. All the routers in the same redundancy group must be equally capable of providing default gateway service for hosts on the network.
In most network topologies, one router is a more qualified candidate for “Master” status. Typically, you will configure that router as the primary default gateway. The Master router forwards traffic under normal circumstances, when all links and routers are available. All default gateway redundancy methods enable you to prioritize the routers so that you can determine which router will be Master and which will be the first choice for its backup in the event the Master fails.
Immediate detection in the event of the Master router’s failure is crucial to automatic failover. All default gateway redundancy protocols provide some means for the Master to periodically announce its availability. Backup routers listen for these messages and will assert themselves as Master in the event of the Master’s failure. Priority settings are used to select the current Master.
Every host on an IP network, including routers, must have a unique IP address. To enable a group of routers to provide equivalent default gateway service, a common virtual IP address is assigned to the routers in the redundancy group. The virtual IP address is defined as the default gateway in the hosts’ IP stack configuration.
Finally, all default gateway redundancy protocols use a virtual MAC address. This address appears in the ARP cache of each IP host on the network associated with the virtual default gateway IP address. The current Master router on a given network forwards traffic sent to the virtual MAC address. When a backup router transitions to Master, it immediately begins forwarding traffic that has the virtual MAC address in the destination field of the Layer 2 header.
Virtual Router Redundancy Protocol
• Described in RFC 2338 and updated in RFC 3768
• VRRP offers a method for defining a “virtual router,” a group of redundant router interfaces on a network
• A router that implements VRRP may support multiple virtual routers, each of which is identified by an integer between 1 and 255
• The Master of the group periodically advertises its availability
– The Backup router asserts itself as Master if it stops hearing the periodic advertisement
The Virtual Router Redundancy Protocol (VRRP) is a common default gateway redundancy protocol defined as a standard in RFC 2338 and updated in RFC 3768. Like all default gateway redundancy protocols, VRRP enables administrators to define a “virtual router,” which is a group of redundant routers on a network. Each VRRP router can participate in multiple VRRP groups, which are identified by integers between 1 and 255.
VRRP relies upon the definition of Master and Backup routers. The Master of each group acts as the default gateway for network hosts and periodically advertises its availability. Backup routers assume forwarding duties if they stop receiving advertisements from the Master.
Virtual routers in VRRP
A group of redundant router interfaces on the same network is known as a “virtual router.” All have the following items in common:
• Identified by a numeric integer between 1 and 255 known as “Virtual Router ID” (VRID)
• Configured with a “Virtual IP address” that matches the IP stack default gateway of hosts on the network
VRRP identifies a group of routers that can provide equivalent default gateway service to hosts on a given network as a “virtual router.” While VRRP allows you to define more than two members of a redundancy group, two routers are sufficient for most networks.
A “VRRP router” is defined as any router that implements the VRRP protocol and supports at least one virtual router. Typically, a VRRP router participates in more than one virtual router.
VRRP routers whose interfaces will serve as members of the same virtual router must agree on its identifier, often called a “Virtual Router ID” (VRID). The routers in the group must also be configured with a virtual IP address that hosts on the network will use as their default gateway.
VRRP: Actual and virtual IP addresses
• If the actual IP address assigned to one of the routers matches the virtual IP address, that router is the “Owner” of the address
• The Owner will be the VRRP Master if it is available on the network
• Another router can become the Master only if the Owner is not available
Figure: Router1: VRID 1 Master (Owner), actual IP 10.1.20.1/24, virtual IP 10.1.20.1; VRID 2 Master (Owner), actual IP 10.1.40.1/24, virtual IP 10.1.40.1. Router2: VRID 1 Backup, actual IP 10.1.20.2/24, virtual IP 10.1.20.1; VRID 2 Backup, actual IP 10.1.40.2/24, virtual IP 10.1.40.1. Host40: 10.1.40.40/24, DG 10.1.40.1. Host20: 10.1.20.20/24, DG 10.1.20.1.
Because every host on an IP network must have a unique IP address, the router interfaces that make up the virtual router can’t be configured with the same address.
However, you can configure one of the routers to have the same actual IP address as the virtual IP address associated with the VRID. In this configuration, the router whose actual IP address matches the virtual IP address is considered the IP address “Owner.” The Owner of the IP address is assigned a priority value of 255, which is the highest possible value. If the Owner is present on the network, it will be the Master router; all other routers will be Backup.
The highest priority that can be assigned to a non-owner—that is, a router whose IP address is not the same as the virtual IP address—is 254. The VRRP standard specifies that the default priority for a backup is 100. If you have only two routers in the VR redundancy group, you can assign the default priority to the router that is not the IP address owner. However, if the network has one Master and two or more Backups, you must assign different priorities to the backups.
VRRP: Master and Backup states
Master
• Forwards off-network traffic for hosts that use the virtual IP address as their default gateway
Backup
• Does not forward traffic sent to the virtual IP address
• Is not in an idle state for general IP communication
– Can send and receive traffic through its interface on the network
Figure: Router1: Master router, Virtual Router ID 1, virtual IP 10.1.20.1; Master router, Virtual Router ID 2, virtual IP 10.1.40.1. Router2: Backup router, Virtual Router ID 1, virtual IP 10.1.20.1; Backup router, Virtual Router ID 2, virtual IP 10.1.40.1. Host40: 10.1.40.40/24, DG 10.1.40.1. Host20: 10.1.20.20/24, DG 10.1.20.1.
In this example, Router1 and Router2 have been configured with two common VRIDs and virtual IP addresses and are therefore members of two virtual routers. One virtual router is VRID 1, with the virtual IP address 10.1.20.1. The other is VRID 2, with the virtual IP address 10.1.40.1.
In this configuration, Router1 is the Master router for both VRIDs. Router2 acts as Backup. As described earlier, the Master router forwards all off-network traffic sent to the virtual IP addresses for either VRID. The Backup takes over this forwarding duty only if the Master router becomes unavailable.
Although Router2 is not the Master of either virtual router, it can send and receive traffic through its interfaces on both networks. If hosts on the network 10.1.40.0/24 were configured with 10.1.40.2 as their default gateway, Router2 would forward their off-network traffic.
Each router’s role as Master or Backup is determined by a priority value associated with the VRID/Virtual IP address.
VRRP: Virtual MAC address
• Clients send off-network traffic to default gateway’s MAC address
• IP address associated with virtual router resolves to a virtual MAC address
• Virtual MAC address ensures continuity of clients’ sessions with off-network resources despite failure of Master
Figure: virtual MAC address 00-00-5e-00-01-01. The first 5 octets are defined in the VRRP standard; the last octet is the VRID.
A client forwards all off-network traffic to its default gateway defined by the IP address in its IP stack configuration. In a network protected by VRRP, the virtual IP address should be the one configured as the clients’ default gateway. Often, this address is the configured IP address of the VRRP Master router.
Because the clients use a virtual IP address for their default gateway, the MAC address associated with the IP address must also be virtual.
VRRP Master broadcasts “gratuitous ARP”
• When a VRRP router transitions to the Master role, it broadcasts a gratuitous ARP message onto each network that contains:
– The virtual IP address
– The virtual MAC address
• All local hosts receive the message, and
– Create an ARP cache entry associating the virtual MAC address with their default gateway
– Send all off-network traffic to the virtual MAC address
To enable a client’s existing sessions to continue despite the failure of the Master, hosts must be sending off-network traffic to the virtual MAC address instead of the physical MAC address. To ensure that clients correctly resolve their (virtual) default gateway’s MAC address, the VRRP Master broadcasts a gratuitous ARP message to all local hosts. Each host that receives the message creates an ARP cache entry and subsequently sends off-network traffic to the virtual MAC address.
Master accepts traffic sent to virtual MAC address
• Hosts on a VRRP-protected network learn the virtual MAC address through the gratuitous ARP request sent by the Master
• Master accepts traffic sent to the virtual MAC address; Backup does not
Figure: Router1: VRID 1 Master (Owner), actual 10.1.20.1/24, virtual 10.1.20.1; VRID 2 Master (Owner), actual 10.1.40.1/24, virtual 10.1.40.1. Router2: VRID 1 Backup, actual 10.1.20.2/24, virtual 10.1.20.1; VRID 2 Backup, actual 10.1.40.2/24, virtual 10.1.40.1. Host40: 10.1.40.40/24, DG 10.1.40.1. Host20: 10.1.20.20/24, DG 10.1.20.1. Frame sent by Host40: Layer 2 header dest. 00-00-5e-00-01-02, source Host40 MAC; Layer 3 header source 10.1.40.40, dest 10.1.20.20. Frame forwarded by Router1: Layer 2 header dest. Host20 MAC, source Router1 MAC; Layer 3 header source 10.1.40.40, dest 10.1.20.20.
In this example, the IP host 10.1.40.40 has an ongoing session with a host in another network. It sends the traffic to the virtual MAC address associated with the virtual IP address of VRID 2.
Virtual MAC address enables automatic failover
• If the Owner/Master fails, the Backup begins forwarding traffic addressed to the VRID 2 virtual MAC address
• Host40 does not require any configuration changes or restarted sessions, unaware that a different router is forwarding its off-network traffic
Figure: Router1 has failed (x). Router2: VRID 1 Master, actual 10.1.20.2/24, virtual 10.1.20.1; VRID 2 Master, actual 10.1.40.2/24, virtual 10.1.40.1. Host40: 10.1.40.40/24, DG 10.1.40.1. Host20: 10.1.20.20/24, DG 10.1.20.1. Frame sent by Host40: Layer 2 header dest. 00-00-5e-00-01-02, source Host40 MAC; Layer 3 header source 10.1.40.40, dest 10.1.20.20. Frame forwarded by Router2: Layer 2 header dest. Host20 MAC, source Router2 MAC; Layer 3 header source 10.1.40.40, dest 10.1.20.20.
When the Master for the network 10.1.40.0/24 fails, Router2 transitions to the Master state and begins forwarding traffic for the networks associated with VRID 1 and VRID 2.
VRRP uses an advertisement that contains information about a virtual router, including the VRID and the virtual IP address associated with the virtual router. Because each advertisement contains information about one virtual router interface, a router that is Master of multiple VRIDs will generate a separate advertisement for each virtual router and send it through its interface to the network associated with the VRID.
VRRP advertisements
• Master periodically advertises its availability to Backup routers
• Default advertisement interval of one second enables very fast recovery from failure of Master
• If a router is the Master for multiple virtual routers, it generates one advertisement every second for each VRID
Figure: Router1 and Router2, with virtual router labels Master VRID 2 (10.1.40.1), Backup VRID 1 (10.1.20.1), Backup VRID 2 (10.1.40.1), Master VRID 1 (10.1.20.1). Host40: 10.1.40.40/24, DG 10.1.40.1. Host20: 10.1.20.20/24, DG 10.1.20.1.
Because one router interface is configured or elected as the Master for each VRID, the Backup needs a reliable, automated mechanism for determining that the Master is still alive and forwarding traffic.
VRRP uses an advertisement that contains information about the virtual router, including the VRID and the virtual IP address associated with the virtual router. Because each advertisement contains information about one VRID, a router that is Master of multiple VRIDs will generate a separate advertisement for each VRID.
The Backup router retains its state for as long as it continues to receive the advertisements within the expected interval. A very short advertisement interval (one second at default settings) enables the Backup to quickly recognize when a Master goes down. However, the Backup doesn’t assume the primary router interface is down after missing just one message. Rather, it has a “dead interval” that is based on the advertisement interval.
VRRP advertisements are sent to IP multicast address 224.0.0.18. However, the advertisements are not processed by hosts other than VRRP routers.
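The election and timer rules described above, together with the Owner and priority rules from “VRRP: Actual and virtual IP addresses,” as an added Python example; this is not code from the guide. It models one router’s Backup/Master behaviour for a single VRID following RFC 2338: the Owner (actual IP equal to the virtual IP) runs at priority 255, a non-owner must use 1 to 254 (100 by default), the Backup’s dead interval is Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time with Skew_Time = (256 - Priority) / 256 seconds, equal priorities are broken in favour of the higher primary IP address, and an advertisement carrying priority 0 means the Master is leaving. The VrrpRouter class, its method names and the simulate_master_failure scenario are this example’s own; the addresses are the guide’s.

```python
"""VRRP Backup/Master state logic for one VRID, after RFC 2338.

Added example, not part of the ProCurve guide. Timer constants follow
RFC 2338: Skew_Time = (256 - Priority) / 256 s and
Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time.
"""
import ipaddress
from dataclasses import dataclass

OWNER_PRIORITY = 255       # reserved for the IP address Owner
DEFAULT_PRIORITY = 100     # RFC 2338 default for a non-owner
MAX_BACKUP_PRIORITY = 254  # highest value a non-owner may be given


def effective_priority(actual_ip: str, virtual_ip: str, configured: int) -> int:
    """The Owner always runs at 255; any other router must stay within 1..254."""
    if actual_ip == virtual_ip:
        return OWNER_PRIORITY
    if not 1 <= configured <= MAX_BACKUP_PRIORITY:
        raise ValueError(f"non-owner priority {configured} outside 1..254")
    return configured


@dataclass
class VrrpRouter:
    vrid: int
    actual_ip: str
    virtual_ip: str
    configured_priority: int = DEFAULT_PRIORITY
    adver_interval: float = 1.0      # seconds; the RFC default
    preempt: bool = True             # a higher-priority router takes over
    state: str = "Initialize"
    down_deadline: float = 0.0       # when the Master_Down_Timer fires

    @property
    def priority(self) -> int:
        return effective_priority(self.actual_ip, self.virtual_ip,
                                  self.configured_priority)

    @property
    def skew_time(self) -> float:
        return (256 - self.priority) / 256

    @property
    def master_down_interval(self) -> float:
        return 3 * self.adver_interval + self.skew_time

    def start(self, now: float) -> str:
        """The Owner goes straight to Master; everyone else waits for advertisements."""
        if self.priority == OWNER_PRIORITY:
            self.state = "Master"
        else:
            self.state = "Backup"
            self.down_deadline = now + self.master_down_interval
        return self.state

    def receive_advertisement(self, now: float, adv_priority: int,
                              sender_ip: str) -> str:
        """Apply one advertisement for this VRID heard at time `now`."""
        if self.state == "Backup":
            if adv_priority == 0:
                # the Master is shutting down: take over after Skew_Time only
                self.down_deadline = now + self.skew_time
            elif adv_priority >= self.priority or not self.preempt:
                self.down_deadline = now + self.master_down_interval
            # otherwise a lower-priority Master: let the timer run out and preempt
        elif self.state == "Master":
            sender_wins = adv_priority > self.priority or (
                adv_priority == self.priority
                and ipaddress.ip_address(sender_ip)
                > ipaddress.ip_address(self.actual_ip))
            if sender_wins:                  # yield to the better candidate
                self.state = "Backup"
                self.down_deadline = now + self.master_down_interval
        return self.state

    def tick(self, now: float) -> str:
        """Expire the Master_Down_Timer: silence means the Master is gone."""
        if self.state == "Backup" and now >= self.down_deadline:
            self.state = "Master"
        return self.state


def simulate_master_failure(adv_times, check_time: float) -> str:
    """Router2 (non-owner, priority 100) hears the Owner's advertisements for
    VRID 2 at `adv_times` and nothing in between; return its state at `check_time`.
    Addresses are the guide's; the timeline is constructed for this example."""
    r2 = VrrpRouter(vrid=2, actual_ip="10.1.40.2", virtual_ip="10.1.40.1")
    r2.start(now=0.0)
    for t in adv_times:
        if t <= check_time:
            r2.tick(t)   # a long gap before this advertisement already promoted us
            r2.receive_advertisement(t, adv_priority=255, sender_ip="10.1.40.1")
    return r2.tick(check_time)
```

With the default priority of 100 the dead interval works out to 3.609375 s, so Router2 is still Backup 3 s after the last advertisement it heard and becomes Master shortly after 3.6 s; if the Owner comes back and advertises at 255, Router2 drops straight back to Backup.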
VRRP advertisement packet format
This is an example of a VRRP advertisement. Note that the source MAC address is the virtual MAC address for VRID 40 (28 hex). The source address field in the IP datagram header contains the actual IP address of the router that is sending the advertisement, which need not be the same as the virtual IP address although it is the same in this example because the address Owner is the Master.
The destination address in the IP datagram header is the multicast group reserved for VRRP. Because 224.0.0.18 is a locally scoped IP multicast address, it can only be forwarded over the network that is local to the interface over which the router sent the advertisement.
A VRRP advertisement is encapsulated directly into an IP datagram using the protocol 112 (70 hex). It does not use TCP or UDP.
The advertisement is VRRP packet type 1. There are no other standardized VRRP packet types. However, some vendor-specific implementations may use other packet types that can be interpreted only by routers from the same vendor. The advertisement contains the VRID, this VRRP router’s configured priority, and the IP address associated with this VRID.
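The virtual MAC derivation, the gratuitous ARP described earlier and the advertisement format above, as an added Python example that is not code from the guide. Field layout and checksum follow RFC 2338 (version 2, type 1, VRID, priority, address count, authentication type, advertisement interval, checksum, then the virtual IP addresses and 8 bytes of authentication data); the sample packet it builds is constructed, with VRID 40 and Owner priority 255 matching the guide’s capture and the addresses taken from the guide. The function names are this example’s own. The parser rejects what a VRRP router would discard: an unknown version or type, a length that does not match the address count, and a checksum mismatch.

```python
"""VRRPv2 virtual MAC, gratuitous ARP and advertisement build/parse (RFC 2338).

Added example, not code from the ProCurve guide. The packet built below is
constructed; VRID 40 and Owner priority 255 match the guide's capture.
"""
import ipaddress
import struct

VRRP_IP_PROTOCOL = 112          # advertisements ride directly in IP (0x70), no TCP/UDP
VRRP_MULTICAST = "224.0.0.18"   # link-local scope: never forwarded past the local network
VRRP_VERSION = 2
VRRP_TYPE_ADVERTISEMENT = 1     # the only standardized packet type
# ver/type, VRID, priority, count of IP addresses, auth type, adver interval, checksum
HEADER = struct.Struct("!BBBBBBH")


def virtual_mac(vrid: int) -> str:
    """00-00-5e-00-01-<VRID>: the first five octets are fixed by the standard."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00-00-5e-00-01-{vrid:02x}"


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum over the whole VRRP message (checksum field zeroed)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advertisement(vrid: int, priority: int, virtual_ips, adver_int: int = 1) -> bytes:
    """Return the VRRP message bytes with authentication type 0 (none)."""
    ips = b"".join(ipaddress.IPv4Address(ip).packed for ip in virtual_ips)
    body = ips + bytes(8)                    # 8 bytes of (unused) authentication data
    ver_type = (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT
    fields = (ver_type, vrid, priority, len(virtual_ips), 0, adver_int)
    checksum = ones_complement_checksum(HEADER.pack(*fields, 0) + body)
    return HEADER.pack(*fields, checksum) + body


def parse_advertisement(msg: bytes) -> dict:
    """Decode an advertisement; raise ValueError for anything a VRRP router would discard."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated VRRP message")
    ver_type, vrid, priority, count, auth_type, adver_int, _ = HEADER.unpack_from(msg)
    if ver_type >> 4 != VRRP_VERSION:
        raise ValueError(f"unsupported VRRP version {ver_type >> 4}")
    if ver_type & 0x0F != VRRP_TYPE_ADVERTISEMENT:
        raise ValueError(f"unknown VRRP packet type {ver_type & 0x0F}")
    expected = HEADER.size + 4 * count + 8
    if len(msg) != expected:
        raise ValueError(f"length {len(msg)} does not match {count} address(es)")
    if ones_complement_checksum(msg) != 0:   # a valid message sums to all ones
        raise ValueError("checksum mismatch: corrupted message")
    ips = [str(ipaddress.IPv4Address(msg[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": priority, "adver_int": adver_int,
            "auth_type": auth_type, "virtual_ips": ips, "virtual_mac": virtual_mac(vrid)}


def build_gratuitous_arp(vrid: int, virtual_ip: str) -> bytes:
    """ARP request a new Master broadcasts: sender MAC/IP = virtual MAC/IP, target IP = virtual IP."""
    sender_mac = bytes.fromhex(virtual_mac(vrid).replace("-", ""))
    vip = ipaddress.IPv4Address(virtual_ip).packed
    # hardware type 1 (Ethernet), protocol 0x0800 (IPv4), lengths 6/4, opcode 1 (request)
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sender_mac + vip + bytes(6) + vip
```

A monitoring script built on parse_advertisement can also compare each decoded VRID, priority and source address against the expected configuration; an advertisement for a known VRID from an address that is not one of the group’s routers points at a misconfiguration that deserves a look.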
VRRP support for load sharing
• VRRP enables you to define multiple VRIDs on each network to share default gateway responsibility
• Each router can be the Master for one VRID and Backup for the other
Figure: Network 10.1.10.0/24: Router1 actual IP 10.1.10.1/24, VRID 11: 10.1.10.1 (Master), VRID 12: 10.1.10.2 (Backup); Router2 actual IP 10.1.10.2/24, VRID 11: 10.1.10.1 (Backup), VRID 12: 10.1.10.2 (Master); some hosts use 10.1.10.1 as DG, others use 10.1.10.2. Network 10.1.20.0/24: Router1 actual IP 10.1.20.1/24, VRID 21: 10.1.20.1 (Master), VRID 22: 10.1.20.2 (Backup); Router2 actual IP 10.1.20.2/24, VRID 21: 10.1.20.1 (Backup), VRID 22: 10.1.20.2 (Master); some hosts use 10.1.20.1 as DG, others use 10.1.20.2.
To enable efficient use of routers, VRRP supports load sharing by allowing you to define more than one VRID in a single network.
In the example above, four VRIDs (11, 12, 21, and 22) have been defined: VRIDs 11 and 12 on network 10.1.10.0/24 and VRIDs 21 and 22 on network 10.1.20.0/24. Router1 is Master for VRID 11 and VRID 21, while Router2 is Master for VRID 12 and VRID 22. Each router is Backup for the VRIDs for which it is not Master.
Because each router is the backup of the other, if either router fails, the remaining router will provide default gateway service to all four VRIDs.
Notice that default gateway duties on each network are divided between the two routers. For instance, half of the hosts on network 10.1.10.0/24 use the virtual IP address associated with VRID 11 as their default gateway, and half of the hosts on the same network use the virtual IP address associated with VRID 12. Similarly, the hosts on network 10.1.20.0/24 are divided between the virtual IP addresses associated with VRID 21 and VRID 22.
While this load-sharing method seems efficient, most hosts in production networks use DHCP to obtain an address and default gateway. Using different DHCP scopes for hosts in the same network can be challenging.
When multiple VLANs are carried over a set of physical links, you can instead divide the hosts along VLAN boundaries: configure some VLANs to use one router as Master and other VLANs to use a different router as Master.
Considering link failure vs. device failure
VRRP provides reliable protection against router failure. Link failure can lead to mixed interface states and result in sub-optimal routing.
Figure: Router1 (owner): 10.1.10.1/24, 10.1.20.1/24, 10.1.30.1/24. Router2 (backup): 10.1.10.2/24, 10.1.20.2/24, 10.1.30.2/24. Hosts on networks 10.1.10.0/24, 10.1.20.0/24 and 10.1.30.0/24. Router1’s link to network 10.1.30.0/24 has failed (x). Roles (M = Master, B = Backup): on 10.1.10.0/24 Router1 M, Router2 B; on 10.1.20.0/24 Router1 M, Router2 B; on 10.1.30.0/24 Router1 link down, Router2 M.
This example includes two routers, one of which (Router1) is the Owner of the IP addresses associated with the VRIDs on three networks. The Owner/Master loses its connection to network 10.1.30.0/24, and Router2 stops hearing advertisements from Router1 on that network. After a few seconds, Router2 starts sending VRRP advertisements, announcing itself as the Master of the VRID associated with network 10.1.30.0, and begins forwarding off-network traffic on behalf of hosts on that network.
Mixed virtual router states (1)
Router2:
• Becomes Master for VRID associated with network 10.1.30.0/24
• Can forward traffic onto networks 10.1.10.0 and 10.1.20.0 regardless of its Backup state
Figure: Router1 is Master on 10.1.10.0/24 and 10.1.20.0/24 and has lost its link to 10.1.30.0/24 (x); Router2 is Backup on 10.1.10.0/24 and 10.1.20.0/24 and Master on 10.1.30.0/24. Router2 forwards a packet with Layer 3 header source 10.1.30.30, dest 10.1.10.10 to host 10.1.10.10/24. Router2 IP route table:
Network/mask    cost   next hop
10.1.10.0/24    0      local
10.1.20.0/24    0      local
10.1.30.0/24    0      local
Although Router2’s interfaces on networks 10.1.10.0/24 and 10.1.20.0/24 are in the VRRP Backup state, the router can use those interfaces to deliver traffic that originates within network 10.1.30.0 and is destined for hosts in networks 10.1.10.0 and 10.1.20.0. Router2’s Backup state for networks 10.1.10.0 and 10.1.20.0 means only that Router2 will not forward traffic from those networks that is addressed to either virtual IP address.
Mixed virtual router states (2)
Router1:
• Remains Master for VRIDs associated with networks 10.1.10.0 and 10.1.20.0
• Has no local path to network 10.1.30.0, will drop traffic for that network unless configured to use a Router2 interface as next hop
Figure: Router1 is Master on 10.1.10.0/24 and 10.1.20.0/24 and has lost its link to 10.1.30.0/24 (x); Router2 is Backup on 10.1.10.0/24 and 10.1.20.0/24 and Master on 10.1.30.0/24. A packet with Layer 3 header source 10.1.20.20, dest 10.1.30.30 arrives at Router1; host 10.1.30.30/24 is on network 10.1.30.0/24. Router1 IP route table (with the static route discussed below):
Network/mask    cost   next hop
10.1.10.0/24    0      local
10.1.20.0/24    0      local
10.1.0.0/16     2      10.1.20.2
The result of having mixed states for its virtual routers is a bit more significant in the case of the IP address owner, Router1. Because a router’s state for each VRID is separately determined, a router can retain its Master state for some VRIDs even though it has lost its physical connection to other networks.
The loss of Router1’s connection to network 10.1.30.0 causes important changes to its route table. The table no longer has an entry for network 10.1.30.0 and cannot forward to that network locally. In a sense, Router1 is no longer qualified to perform default gateway service for hosts on networks 10.1.10.0 and 10.1.20.0 because it doesn’t have a path to network 10.1.30.0. Without additional configuration, Router1 would simply discard all traffic destined for that network.
A partial solution to this problem is to create static routes that will allow Router1 to forward traffic destined for unknown networks (i.e. not local, in this example) through other routers. However, this path would be far less efficient than the path that would result if Router1 could be configured to relinquish its Master state on all of its interfaces.
Proprietary variations and enhancements
VRRP variations on ProCurve Routing Switch 9300m
• VRRP Extended (VRRPE)
– No IP Address Owner; all routers defined as Backup
– VRRP Master for each VRID is the one with highest priority
• Track ports (for VRRP and VRRPE)
– Define ports whose physical state should be tracked
– Loss of link on any tracked port causes failover of entire router
The 9300m offers two significant enhancements on the VRRP standard:
1. VRRP Extended (VRRPE): In this proprietary protocol, no router is defined as the IP Address Owner. Instead, all routers are defined as Backup routers, and the Master for each VRID is determined by the configured priorities. This gives administrators and designers flexibility in the design and implementation of redundant routing topologies.
2. Track ports: Implemented for both VRRP and VRRPE, track ports resolve the issue of mixed virtual router states by letting administrators define ports whose physical state dictates the router’s role. The router can be configured to abdicate its Master status on any or all VRIDs if it detects loss of link on any tracked port.
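The mixed-state problem from the preceding pages and the track-port remedy, as an added Python simulation; this is not code from the guide or from the 9300m. It keeps the guide’s topology (Router1 Master on all three networks, then losing its link to 10.1.30.0/24 while Router2 takes over that VRID) and the 10.1.0.0/16 static route via 10.1.20.2 shown in the route-table figure. The Router class, fail_link, apply_track_ports, forward_from_gateway and scenario are this example’s own; VRRP election itself is reduced to stored roles, since only the forwarding outcome is being illustrated.

```python
"""Mixed virtual-router states after a link failure, and the track-port remedy.

Added example, not code from the ProCurve guide. Addresses and the
10.1.0.0/16 static route via 10.1.20.2 follow the guide's figures; the
Router model and helper names are invented for this example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    interfaces: dict                 # network -> (link up?, VRRP role on that network)
    static_routes: dict = field(default_factory=dict)   # prefix -> next-hop IP
    track_ports: set = field(default_factory=set)       # networks whose link is tracked

    def route_table(self) -> dict:
        """Local routes exist only for interfaces whose link is up."""
        table = {net: "local" for net, (up, _) in self.interfaces.items() if up}
        table.update(self.static_routes)
        return table

    def next_hop(self, dst_ip: str):
        """Longest-prefix match over the route table; None means the packet is discarded."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for prefix, nh in self.route_table().items():
            net = ipaddress.ip_network(prefix)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return None if best is None else best[1]

    def is_master_on(self, network: str) -> bool:
        return self.interfaces[network][1] == "Master"


def fail_link(router: Router, network: str) -> None:
    """The router loses link on `network`: no local route, and it cannot stay Master there."""
    router.interfaces[network] = (False, "Backup")


def apply_track_ports(router: Router, peer: Router) -> None:
    """Track-port behaviour: loss of link on any tracked port fails the whole router over."""
    if not any(not router.interfaces[n][0] for n in router.track_ports):
        return
    for net, (up, _) in router.interfaces.items():
        router.interfaces[net] = (up, "Backup")
        peer_up, _ = peer.interfaces[net]
        if peer_up:
            peer.interfaces[net] = (peer_up, "Master")


def forward_from_gateway(routers, src_net: str, dst_ip: str):
    """A host on `src_net` sends to its default gateway, the current Master there.
    Return (router name, next hop chosen by that router)."""
    master = next(r for r in routers if r.is_master_on(src_net))
    return master.name, master.next_hop(dst_ip)


def scenario(with_static: bool = False, with_track_ports: bool = False):
    """Router1 (Owner) loses its 10.1.30.0/24 link; a host on 10.1.20.0/24 sends to 10.1.30.30."""
    r1 = Router("Router1", {"10.1.10.0/24": (True, "Master"),
                            "10.1.20.0/24": (True, "Master"),
                            "10.1.30.0/24": (True, "Master")})
    r2 = Router("Router2", {"10.1.10.0/24": (True, "Backup"),
                            "10.1.20.0/24": (True, "Backup"),
                            "10.1.30.0/24": (True, "Backup")})
    if with_static:
        r1.static_routes["10.1.0.0/16"] = "10.1.20.2"   # the partial fix: hand off to Router2
    if with_track_ports:
        r1.track_ports = set(r1.interfaces)
    fail_link(r1, "10.1.30.0/24")
    r2.interfaces["10.1.30.0/24"] = (True, "Master")     # Router2 takes over that VRID
    if with_track_ports:
        apply_track_ports(r1, r2)                        # and, with tracking, all the others too
    return forward_from_gateway([r1, r2], "10.1.20.0/24", "10.1.30.30")
```

Without any remedy Router1 stays the gateway for 10.1.20.0/24 and discards the packet; the static route makes it hand the packet to Router2 over 10.1.20.0/24, one hop longer than necessary; with track ports Router1 gives up all its Master roles, so Router2 is the gateway and delivers the packet locally.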
VRRPE: Virtual and actual IP addresses
• The virtual IP address is the one configured as default gateway of hosts on the network
• The actual IP addresses assigned to router interfaces must be different from the virtual IP address
• The router with the highest priority value becomes the Master
Figure: Router1: VRID 1 (Master), priority 120, actual 10.1.20.11/24, virtual 10.1.20.1; VRID 2 (Master), priority 120, actual 10.1.40.11/24, virtual 10.1.40.1. Router2: VRID 1 (Backup), priority 100, actual 10.1.20.12/24, virtual 10.1.20.1; VRID 2 (Backup), priority 100, actual 10.1.40.12/24, virtual 10.1.40.1. Host40: 10.1.40.40/24, DG 10.1.40.1. Host20: 10.1.20.20/24, DG 10.1.20.1.
As shown above, configuration for VRRPE is different from VRRP configuration in two ways:
1. Most significantly, the actual IP addresses assigned to router interfaces must be different from the virtual IP address. In VRRP, by contrast, the virtual IP address can be the interface address of one of the routers, which then becomes the Owner of the IP address.
2. The state of a router—that is, Master or Backup—is determined entirely by a priority value associated with each VRID. The router with the highest priority is automatically the Master. In the example, Router1 is Master for VRID 1 and VRID 2 because its priority is set at 120. Router2 has the default priority of 100. Valid priority values are 3-254.
XRRP
XL Router Redundancy Protocol
• Protection domain consists of two routers
• IP Address Owner is the router that is configured with the virtual IP address
• Link failure causes failover of entire router
VRRP equivalent for:
• ProCurve 3400cl series
• ProCurve 6400cl series
• ProCurve 5300xl series
Several ProCurve switches, including the 3400cl series, the 5300xl series, and the 6400cl series, support the XL Router Redundancy Protocol (XRRP), which is a proprietary default gateway redundancy protocol.
In XRRP, each protection domain consists of exactly two routers. As in VRRP, the virtual IP address is the interface address of one of the routers, which is the Owner and Master for the virtual address.
If a link fails for an XRRP router, the entire router fails over, which prevents the formation of mixed virtual router states.
Module 3 summary
In this module, you learned:
• Why router redundancy protocols are necessary to ensure network operation in the event of router failure
• Similarities among proprietary and standards-based router redundancy protocols
• Basic information about the operation of VRRP
• Basic information about the operation of VRRPE
• Basic information about XRRP
Module 3 of IP Routing Foundations described the requirements for router redundancy. While many contemporary networks use Spanning Tree to protect against link failure, a separate configuration is necessary to ensure seamless failover in the event of router failure. The module described several proprietary and standards-based redundancy protocols, including VRRP, VRRPE, and XRRP.
Routing Switch Essentials will provide detailed instructions on the configuration of VRRPE on the ProCurve 9300m Routing Switch.
Learning check: Module 3
1. Why is Spanning Tree an incomplete solution for redundancy in a routed network?
2. Name the technologies for default gateway redundancy that are supported by ProCurve switches.
   a.
   b.
   c.
3. How is the Master router determined in a VRRP implementation?
4. How does VRRPE differ from VRRP?
Module 4: ACL Theory
Objectives
After completing this module, you will be able to:
• Differentiate between rule-based access control and role- and identity-based access control
• Describe the steps necessary to plan for rule-based access control
• List the criteria by which you can select traffic for special handling
• Configure ACLs so that rules are applied in the proper order
• Implement a strategy for applying ACLs to user traffic
Device security and traffic control
Resources in the corporate intranet may be protected by multiple levels of access control, including:
• Identity-based access control
  – Defined centrally or on each server
  – Permissions based on user’s identity, which may be authenticated by passwords or other means
• Role-based access control
  – After identity has been authenticated, user may obtain additional permissions associated with organizational function or role
• Rule-based access control
  – Router examines traffic and permits or denies it based on a set of rules
  – Does not replace identity- and role-based security, but is used in conjunction with these forms of access control
Every enterprise must implement several types of network security to control access to resources. Three of these are:
1. Identity-based security
2. Role-based security
3. Rule-based security
Identity-based security
The security methods most apparent to end users are based on user identity. In this type of security, users are required to assert their identities, often by providing a user name. They are then required to prove or authenticate their identities by providing passwords or biometric information. Identity-based security can be enforced through centralized authentication services and may involve directory services, public key cryptography, or other technologies. After the process is complete, the authenticated user is authorized to use some set of resources.
Role-based security
In role-based security, users are authenticated according to their membership in organizational functions or groups to which an administrator has assigned access rights or permissions. After a user’s identity has been authenticated, the user receives a combination of the rights associated with the individual and those associated with any relevant groups. Role-based security can be enforced by servers and by switches at the edge of the network.
Rule-based security
Finally, routers can be configured to perform access control functions that selectively permit or deny traffic based on the content of specific fields within the headers of each packet. This form of security is enforced through Access Control Lists (ACLs), which are the subject of this module.
Basic security principles: Physical security example
A building is accessible to employees with key-card access
Rooms with storage cabinets have no doors
• Key 10 opens the cabinets in Room A
• Key 4 opens the cabinets in Room B
• Keys are not required to access the cabinets in Room C
Potential problems for Rooms A and B:
• Brute force security breach
• Denial of service
[Diagram: Room A with cabinets keyed 10, Room B with cabinets keyed 4, Room C with unlocked cabinets]
Network security issues and solutions often are similar in concept to physical security issues and solutions.
The slide above uses an unnamed physical facility to illustrate these principles. A building used to store sensitive items requires identity-based and role-based access. Employees use security badges to present their identities and gain access to the building.
Once inside the building, employees can enter any of three storage rooms. However, a role-based security procedure governs access to storage cabinets inside the rooms. Employees use key cards to gain access only to the cabinets appropriate for their organizational functions. The requirements for the three rooms are:
1. Key card 10 is required to access cabinets in Room A. Because this room holds the most sensitive material, card 10 is issued to the fewest number of employees. However, the door to the room remains unlocked because prompt access is important for these employees.
2. Key card 4 is required to access cabinets in Room B.
3. No card is required to access cabinets in Room C, which means they are accessible to all employees with access to the building.
Security threats
Because the rooms themselves are unlocked, this building faces two important security threats that are analogous to threats encountered in enterprise networks.
1. Brute force attacks. Because the doors are unlocked, unauthorized persons could easily gain access to the rooms and force open the locks to the cabinets.
2. Denial of service attacks. As well as being able to force open the cabinet locks, intruders could prevent employees from gaining access to the cabinets. Because anyone can enter the rooms, a crowd of unauthorized individuals could, however unlikely it may be, gather to deny service to authorized individuals.
Basic security principles: Additional layer of physical security
Security devices are positioned at entrances to Rooms A and B
• Programmed with rules to characterize individuals that should be allowed access
• All others are denied access
Locked cabinets in Rooms A and B remain accessible only to individuals in possession of correct keys
[Diagram: a security device at the door of Room A (cabinets keyed 10) and at the door of Room B (cabinets keyed 4)]
In this example, security at the fictitious building is heightened by adding locks to the doors of Room A and Room B. By providing an additional layer of security, these devices prevent unauthorized persons from entering rooms that contain resources they are not allowed to use.
Note, however, that the locks are not replacements for the locks on the cabinets. They are additional security measures designed to serve two purposes:
1. Enhance security by making it less likely that unauthorized persons will find a way to break through the locks on the cabinets
2. Enhance availability by preventing unauthorized persons from impeding the access of authorized persons
Comparing physical and virtual security
Providing multiple access control levels enhances network security:
• Identity- or role-based access control
  – Goal is to allow appropriate user access to services
  – Analogous to locks on storage cabinets
• Rule-based access control
  – Defined on routers and routing switches
  – Goal is traffic control to relieve congestion, limit opportunity for denial of service attacks
  – Analogous to security device installed on certain doors
In some ways, the tools and procedures used for network security are similar to those used for physical security. In both cases, administratively defined policies determine which users can access specific resources and what level of access each user will have.
The locks installed on the rooms in the example are analogous to rule-based security in the enterprise intranet. Just as the locks prevent unauthorized users from entering rooms where they are not permitted, enterprise routers can limit traffic flow to ensure that unauthorized users cannot “see” sensitive resources.
In the network, the filters examine packets to compare their source and destination addresses and traffic types with a set of rules configured by administrators. This significantly decreases the likelihood that resources will be compromised or that service will be denied to authorized users.
The rest of this module will discuss rule-based security in the form of ACLs configured on routers.
Planning for rule-based access control
Identify characteristics of the resource to be protected, such as:
• Individual hosts by their IP address
• Functional groups of servers by an IP address range
• Server-based applications supported by protocol and/or TCP/UDP port without regard to IP address
For each resource, identify selection criteria:
• Common characteristics of traffic that should be permitted
• Common characteristics of traffic that should be denied
Based on location of resources and distribution of authorized and unauthorized traffic sources, identify:
• All paths through the intranet that could carry identified traffic
• Where to place controls
  – Ingress and egress ports
Before implementing rule-based access control, you must know what you are trying to protect. Resources can be identified in a number of ways, including IP address and protocol or application.
Access control requirements often play an important role in selecting an addressing scheme. Typically, resources that must be accessed by the same set of users are placed in the same network. This addressing strategy simplifies access control by enabling an administrator to refer to a group of servers as a range of IP addresses rather than as a series of individual IP addresses. Similarly, an efficient IP addressing scheme places users with identical resource needs into the same network or range of networks. When a set of users authorized to access a particular set of resources can be referred to using an IP address range, an administrator can minimize the number of rules required to meet the organization’s traffic control goals. Specific recommendations for IP addressing scheme design are covered in the Routing Switch Essentials course.
Suppose, for example, that several servers provide storage for a particular department, and that all users in the department require equal access to the servers. Because you have placed users into VLANs/networks based on the function or role associated with their identities, all of the users are within a definable range of IP addresses. If the servers are assigned IP addresses within a given address range, such as a subnet or network with a 24-bit mask, they can also be specified as a resource by their address range.
Alternatively, several servers distributed across many address ranges might support a particular protocol, application, or other function that is definable by a protocol name or number, or by a TCP or UDP port. You can refer to the application as a resource without regard to the IP addresses of specific servers. SMTP is one example of this type of resource.
As well as defining the rules, you must also determine which router interfaces should enforce the access control rules and whether the rules should be applied to inbound or outbound traffic. Additionally, because an organization’s rule-based security policies often require the configuration of multiple rules, you must determine the sequence in which the rules should be applied to inbound or outbound traffic.
The next few slides will illustrate a simple rule-based access control example.
Rule-based access control example
• The ‘curriculum’ network is accessible to all through the intranet core
• Identity-based security allows authenticated faculty members to access the servers on this network
• Edge router will be configured with traffic filters that enforce rule-based security to permit only faculty members to access the curriculum network
[Diagram: ProCurve University intranet. User networks Guests 10.1.10.0/24, Faculty 10.1.20.0/24, Admin 10.1.30.0/24, Students 10.1.40.0/24; transit networks 10.1.65.0/24, 10.1.66.0/24, 10.1.67.0/24, 10.1.68.0/24; Intranet core 10.0.100.0/24; Curriculum 10.0.130.0/24; Internet]
At ProCurve University, many resources must be protected by access control rules. One such resource is the curriculum network, an enterprise-wide resource that hosts servers for materials relating to curriculum. These materials include supplementary handouts, quizzes, and exams.
The next few slides will show how to configure ACLs to permit faculty members at one campus to access the servers. This example will illustrate two important points:
1. How to identify the values in the IP datagram header that will be specified in the rules
2. Possible locations for application of the rules
Selection criteria in IP header
Packet matching criteria:
• IP datagram header information that identifies permitted traffic:
  – Destination IP address between 10.0.130.0 and 10.0.130.255
  – Source IP address between 10.1.20.0 and 10.1.20.255
• IP datagram header information that identifies denied traffic:
  – Destination IP addresses other than 10.0.130.0 - 10.0.130.255
  – Source IP addresses other than 10.1.20.0 - 10.1.20.255
[Figure: IP header fields: Version, Hdr Lgth, Type of Service, Total Length; Identifier, Flags, Fragment Offset; Time to Live, Protocol, Header Checksum; Source Address; Destination Address; Options (if any), Padding]
The first step in planning for rule-based access control is to determine the IP header characteristics that identify permitted traffic. In this example, the permitted traffic originates within the faculty network and is destined for the curriculum network. The source address field in the headers of packets sent by faculty users is within the range 10.1.20.0-10.1.20.255. The value in the destination address field will be 10.0.130.0-10.0.130.255.
All IP traffic with a source and destination address that matches the rule will be subjected to the specified action. All packets that have a source IP address between 10.1.20.0 and 10.1.20.255 and a destination IP address between 10.0.130.0 and 10.0.130.255 will be permitted.
With this rule applied, a router will make forwarding decisions based only on IP address. However, rules can use IP protocol fields to determine which applications can access certain resources. For instance, a rule could permit only HTTP requests, effectively blocking Telnet, FTP, and other IP applications.
Determine which port(s) will filter traffic
• Determine all paths that can carry traffic from the faculty user network to the curriculum server network
• Identify ingress and egress ports for the traffic
[Diagram: the ProCurve University intranet as before, with edge routers R1A, R1B, R1C, R1D and core router C1; the faculty ingress port is the interface attached to Faculty 10.1.20.0/24, the curriculum server egress port is the interface attached to Curriculum 10.0.130.0/24]
Without any traffic controls implemented, routers forward all traffic based on route table entries. The policy defined in this example requires the router to permit traffic that comes from the faculty users and is destined for the curriculum server.
Given the goal of permitting traffic from the faculty user network to the curriculum server network, the rule could be applied at either of the two points shown on the diagram. The interface on R1D that connects to the faculty user network is called the “ingress” port because it is the only point through which traffic generated by faculty users can enter the intranet.
Similarly, the only point through which traffic destined for the curriculum server network can exit the intranet is known as the “egress” port.
A rule that may be applied to ingress or egress ports
Rule 1: permit all IP traffic whose source address is in the range 10.0.20.0/24 AND whose destination address is in the range 10.0.130.0/24.
Apply Rule 1 inbound OR apply Rule 1 outbound
[Diagram: the ProCurve University intranet as before, with Admin servers 10.0.129.0/24 and Emp servers 10.0.128.0/24 alongside Curriculum 10.0.130.0/24; the rule is shown at the faculty ingress port (inbound) and at the curriculum egress port (outbound)]
The ProCurve University intranet provides multiple paths to the core from each edge router. Traffic between the faculty user network and the curriculum server network may be forwarded onto the core network by either R1A or R1B. Regardless of which router handles this traffic, the ingress and egress ports remain the same. While the rule shown on the diagram could be applied to inbound traffic on the ingress port or to outbound traffic on the egress port, one port might be more efficient than the other due to platform-specific factors. Additionally, the impact of applying this rule at the ingress port is completely different from the impact of applying it at the egress port.
The implied “deny any” rule
A traffic filtering rule is applied to an interface as a member of an ordered list of rules known as an Access Control List (ACL). The last rule in every ACL denies all traffic that does not meet conditions of rules that appear earlier in the list.
• Permit IP traffic matching source address range 10.1.20.0/24 AND destination address range 10.0.130.0/24
• (Implicit) Deny IP traffic from any source to any destination
• Packets that match the conditions of the first rule are subject to the action specified in the rule
• Packets that do not match the conditions of the first rule are compared to remaining rules in the list
• Packets that do not match with any explicitly defined rule are denied
[Flowchart: Test Rule 1. Match? yes: follow action, end. no: deny any, end]
An access control rule is applied to a router interface as a member of an ACL. Because each router interface can have only one inbound ACL and one outbound ACL, an ACL frequently contains multiple rules, which are also known as “access control entries” or “ACL entries.” The entries are added to the ACL in the order in which they should be applied to transiting traffic.
The last rule in an ACL implicitly denies all traffic that was not explicitly permitted by a rule that appears earlier in the list. This rule, called the implied “deny any” rule, is one important reason why the outcome of a particular rule can be different if it is applied as part of an inbound ACL or an outbound ACL.
Impact of applying Rule 1 at ingress port
Rule 1: permit all IP traffic whose source address is in the range 10.0.20.0/24 AND whose destination address is in the range 10.0.130.0/24
Apply Rule 1 inbound
Result 1: Faculty member traffic destined for curriculum network is permitted; traffic destined for other resource networks is implicitly denied
Result 2: Traffic produced by hosts in guest, student, and admin networks is not impacted by rules applied at faculty ingress port.
[Diagram: the ProCurve University intranet as before]
In this example, an ACL developed for ProCurve University contains only one rule. If an administrator applies this rule at the ingress port, faculty users will be able to access curriculum servers. However, because of the implicit “deny any” rule, faculty users will not be able to access any resources located on networks other than 10.0.130.0/24.
Additionally, the placement of the ACL at the ingress port does nothing to limit access to the curriculum server network by users in the guest, admin, and student user networks.
Impact of applying Rule 1 at egress port
Rule 1: permit all IP traffic whose source address is in the range 10.0.20.0/24 AND whose destination address is in the range 10.0.130.0/24
Apply Rule 1 outbound
Result 1: Traffic sent by hosts in faculty network is explicitly permitted on to the curriculum network; no impact on faculty traffic destined for other networks
Result 2: Traffic sent by hosts in guest, admin, and student networks is explicitly denied entry to the curriculum network
[Diagram: the ProCurve University intranet as before]
The application of the rule at the curriculum server egress port meets the goal of permitting faculty users to access curriculum servers while denying access to users in the guest, admin, and student networks. However, it is not a complete solution because it does nothing to restrict access to resources on any other networks.
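To make the ordered evaluation, the implied “deny any,” and the two placements concrete, the following Python model is added here; it is not part of the course material and not a ProCurve implementation. It walks a rule list in order, falls through to the implied deny, and then binds Rule 1 inbound at the faculty ingress port and outbound at the curriculum egress port; the Packet and Rule classes, the sample packets, and the use of the faculty prefix 10.1.20.0/24 (as written on the implied-deny slide) are assumptions for the example.

```python
# Added example (not from the course): a minimal ACL evaluator that models
# ordered-rule matching with the implied "deny any", then shows how the same
# single rule behaves at the faculty ingress port versus the curriculum egress port.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    src: str          # source IP address
    dst: str          # destination IP address
    ingress_net: str  # network the packet entered from (where an inbound ACL could sit)
    egress_net: str   # network the packet is routed toward (where an outbound ACL could sit)


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str     # source prefix in CIDR notation; "0.0.0.0/0" means any
    dst: str     # destination prefix in CIDR notation

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Walk the ACL in order; the first matching rule decides.
    A packet that matches no explicit rule hits the implied "deny any"."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # implied deny any at the end of every ACL


# Rule 1 from the module: permit faculty -> curriculum (faculty prefix as on
# the implied-deny slide; an assumption for this example).
RULE_1 = Rule("permit", "10.1.20.0/24", "10.0.130.0/24")

FACULTY_NET = "10.1.20.0/24"
CURRICULUM_NET = "10.0.130.0/24"


def forward(pkt: Packet,
            inbound_acl: Dict[str, List[Rule]],
            outbound_acl: Dict[str, List[Rule]]) -> str:
    """Decide a packet's fate given ACLs bound per interface.
    inbound_acl maps ingress network -> ACL; outbound_acl maps egress network -> ACL.
    Interfaces with no ACL bound forward everything (route table only)."""
    if pkt.ingress_net in inbound_acl:
        if evaluate(inbound_acl[pkt.ingress_net], pkt) == "deny":
            return "deny"
    if pkt.egress_net in outbound_acl:
        if evaluate(outbound_acl[pkt.egress_net], pkt) == "deny":
            return "deny"
    return "permit"


# Constructed sample traffic; host addresses are made up within the module's networks.
SAMPLE = {
    "faculty->curriculum": Packet("10.1.20.15", "10.0.130.20", FACULTY_NET, CURRICULUM_NET),
    "faculty->admin_servers": Packet("10.1.20.15", "10.0.129.5", FACULTY_NET, "10.0.129.0/24"),
    "student->curriculum": Packet("10.1.40.33", "10.0.130.20", "10.1.40.0/24", CURRICULUM_NET),
}


def apply_at_ingress() -> Dict[str, str]:
    """Rule 1 bound inbound on the faculty port only."""
    return {name: forward(p, {FACULTY_NET: [RULE_1]}, {}) for name, p in SAMPLE.items()}


def apply_at_egress() -> Dict[str, str]:
    """Rule 1 bound outbound on the curriculum port only."""
    return {name: forward(p, {}, {CURRICULUM_NET: [RULE_1]}) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for placement, results in (("ingress", apply_at_ingress()), ("egress", apply_at_egress())):
        print(f"Rule 1 applied at {placement} port:")
        for name, verdict in results.items():
            print(f"  {name:24s} {verdict}")
```

At the ingress port the faculty-to-admin packet falls to the implied deny while the student packet is untouched; at the egress port the reverse holds, matching Results 1 and 2 on the two slides.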
Associating users with their resource requirements
Approaches to defining and applying ACLs:
• Determine resources per user type and apply inbound filters at the ingress port for each user network
• Determine user types per resource and apply outbound filters at the egress port for each resource network
Inbound filters are generally considered more efficient than outbound filters
[Table: user types (Admin, Faculty, Guests, Students) against resources (Curriculum, Accounting, Human resources, Web-based registration, Email/scheduling app., Internet); the X marks showing which user type requires which resource did not survive extraction]
As the previous example illustrates, a single rule is usually not sufficient to meet the traffic filtering requirements for a given interface. Because only one inbound ACL and one outbound ACL can be associated with each interface, ACLs require significant planning. You must assess the security requirements of the entire intranet and carefully define and apply ACLs to avoid inadvertently providing inappropriate user access or denying users legitimate access to resources.
Inbound ACLs are generally considered more efficient than outbound ACLs. However, because the advantages of inbound ACLs are often platform-dependent, outbound ACLs can be preferable in certain situations.
Inbound ACL recommendations
If you choose to define rule-based access control using inbound ACLs, you would assess resource requirements from the user perspective. For each interface, you would determine all of the resources required by the type of user on that network. You would then define an ordered list of rules to specify the characteristics of permitted and denied traffic.
One accepted procedure is to associate a “permit” action with characteristics of traffic that should be allowed to enter the router from the user network. You may also need to associate a “deny” action with characteristics of traffic that should not be allowed to enter the router from the user network.
Outbound ACL recommendations
If you choose to implement access control using outbound ACLs, you will work from the resource perspective. For each network that provides resources, you might choose to define an ordered list of rules that specify characteristics of user traffic that should or should not be allowed to exit the router and reach the hosts that provide resources.
Definition and application of access control rules is typically based on pre-defined organizational security policies and requires knowledge of specific resource requirements for all user types. This module uses the user types and resources at ProCurve University to describe the information that must be gathered in order to plan and implement ACLs.
The next few pages will provide specific address ranges and traffic types, as well as the physical locations for both resources and users within the enterprise intranet.
Define characteristics of resources
[Diagram: the ProCurve University intranet as before, with Admin servers 10.0.129.0/24 and Emp servers 10.0.128.0/24 alongside Curriculum 10.0.130.0/24]
Resource                        Characteristic
Human resources servers         Address range 10.0.129.0/24
Accounting servers              Address range 10.0.129.0/24
Curriculum servers              Address range 10.0.130.0/24
Web-based registration server   Host 10.0.130.115 AND TCP port 80 (HTTP)
Email/scheduling app            Address range 10.0.0.0/8 AND TCP port 25 (SMTP)
Internet                        Address range 0.0.0.0/0 AND NOT 10.0.0.0/8
The diagram and table above illustrate how administrators at ProCurve University might approach the process of planning their traffic filters. After identifying the intranet’s resources, administrators must determine how those resources can be characterized. More specifically, they must determine what portions of the IP header contain the information that distinguishes one resource from another.
In most cases, the IP address will be an important differentiator. For example, the curriculum servers are all located on the same network, within an address range that can be defined by the starting address 10.0.130.0 and the mask of 255.255.255.0 or 24 contiguous bits.
Other resources include servers such as the accounting and human resources servers, which are used only by members of the administrative department. These servers also are located on the same network, within an address range that can be expressed by a starting address and mask.
However, the email/scheduling application resides on many servers that are distributed across several networks. Consequently, administrators cannot easily base their ACLs on the addresses of all of the servers that support this application. Instead, they can use the well-known port number for SMTP, which is 25.
This slide also shows how the users are characterized. Because administrators have assigned users to VLANs based on their resource needs, they can use a starting address and mask to describe users who perform a particular job function and associate them with the resources to which they need access.
Strategies for defining inbound ACLs
• Filtering traffic at the edge makes efficient use of router resources
  – Each router interface can support only one inbound ACL
  – Identify the permitted and denied resources for hosts on the connected network
• Two main strategies for associating rules with ACL:
  1. Create rules that define characteristics of permitted traffic, deny all other traffic implicitly
  2. Create rules for each edge interface that define characteristics of denied traffic, create a rule that permits all traffic not denied by rules that appear earlier in the list
[Table: user types (Admin, Faculty, Guests, Students) against resources (HR, Accounting, Email/sched, Curriculum, Internet, Registration); the cell marks did not survive extraction]
The implementation of access control is simplified if all of the hosts in a given VLAN/network/broadcast domain have similar resource requirements. However, because each interface can support only one inbound ACL and one outbound ACL, you must have a plan for organizing all of the traffic filtering rules that must be grouped together into an access list. In order to be effective, the rules must be in a correct and precise order.
The choice of a strategy for enabling access control often depends on the number of resources and types of user groups that must be controlled. Two common approaches are:
1. Create rules that specify the characteristics of the traffic that should be permitted. You then implement the implicit-deny-any rule to deny all traffic not explicitly permitted.
2. Create rules that specify characteristics of traffic to be denied. You then specify a statement to permit all traffic not explicitly denied.
Access control for faculty users
Resource                        Characteristic
Web-based registration server   Host 10.0.130.115 AND TCP port 80
Curriculum servers              Range 10.0.130.0/24
Email/scheduling                Range 10.0.0.0/8 AND TCP port 25
Internet                        All destinations not in 10.0.0.0/8 range
[Diagram: the ProCurve University intranet as before; the web-based registration server is host .115 on Curriculum 10.0.130.0/24]
Faculty members at ProCurve University require access to four network resources:
1. Web-based registration server
2. Curriculum servers
3. Email/scheduling application
4. Internet
The next few pages will present the logic for an ACL to permit this access while denying access to other resources.
IP Routing Foundations
4 – 22 Rev. 5.21
Access control criteria in TCP and UDP headers
[Figure: field layout of the two transport-layer headers.]
TCP header: Source port, Destination port; Sequence number; Acknowledgment number; Hdr Lgth, Reserved, Code bits, Window; Checksum, Urgent pointer; Options (if any), Padding; Data.
UDP header: Source port, Destination port; Length, Checksum; Data.
ACLs enable you to base traffic controls on fields in the TCP and UDP headers. For instance, at ProCurve University, the ACL that will be applied inbound to the faculty user network interface uses TCP port number 25, which is the well-known port for SMTP, as a selection criterion.
The graphic above illustrates the placement of this information in the TCP and UDP headers. If the protocol field in the IP datagram header indicates that the protocol is TCP, the TCP header immediately follows the IP header.
Because TCP provides connection-oriented service for upper-layer applications, the TCP header contains more fields than the UDP header. UDP acts like a pass-through between IP and the upper layer applications. However, two fields appear in both types of headers: the source and destination port fields.
When combined with the three fields in the IP header that can be used for selecting packets for special handling, the TCP and UDP source and destination port fields provide flexibility in characterizing traffic that the router should permit or deny.
The field that contains code bits is used during the three-way handshake that sets up a TCP connection, enabling other applications to run over the connection-oriented, flow-controlled session. It is possible to differentiate the value of the code bit field in a packet that is part of an established conversation from the value of the code bit field that is attempting to initiate a new conversation.
By making this field part of the criteria for a traffic filter, you can deny inbound packets whose code bit field value indicates an attempt to start a session from outside a given network using a TCP-based application. You can permit responses to sessions that were generated inside a given network.
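The header fields laid out on the slide and the code-bit test described above, as an added Python example that is not part of the course material: it builds constructed IP/TCP/UDP packets with the course's addresses, extracts the protocol, addresses, ports and TCP code bits that an ACL can match on, and classifies a segment as a new connection attempt or part of an established conversation. Treating ACK or RST as "established" is the convention of many ACL implementations and is an assumption here, not something the course states; the function names are mine.

```python
import struct
from ipaddress import IPv4Address

# Added example, not part of the course material: the IP/TCP/UDP fields an ACL
# matches on, pulled out of raw packet bytes, plus the code-bit test that tells a
# connection attempt apart from a segment of an established conversation.

TCP, UDP = 6, 17
FLAG_FIN, FLAG_SYN, FLAG_RST, FLAG_PSH, FLAG_ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header (no options, checksum left zero) + payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed) + payload


def build_tcp(sport, dport, flags, seq=0, ack=0):
    """20-byte TCP header: data offset 5 words, the code bits in the low 9 bits."""
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)


def build_udp(sport, dport, data=b""):
    """8-byte UDP header: ports, length, checksum (left zero)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def parse_packet(raw):
    """Return protocol, addresses, ports and (for TCP) the code bits."""
    ihl = (raw[0] & 0x0F) * 4          # IP header length in bytes
    info = {"proto": raw[9], "src": str(IPv4Address(raw[12:16])),
            "dst": str(IPv4Address(raw[16:20])), "flags": None}
    l4 = raw[ihl:]                      # transport header follows the IP header
    if info["proto"] == TCP:
        sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", l4[:14])
        info.update(sport=sport, dport=dport, flags=off_flags & 0x1FF)
    elif info["proto"] == UDP:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def classify(info):
    """'new' for a TCP segment with SYN set and ACK clear (a session being opened),
    'established' when ACK or RST is set (the usual 'established' convention;
    an assumption here, not something the course states),
    'stateless' for UDP, which carries no code bits."""
    if info["proto"] != TCP:
        return "stateless"
    f = info["flags"]
    if f & FLAG_SYN and not f & FLAG_ACK:
        return "new"
    return "established" if f & (FLAG_ACK | FLAG_RST) else "new"


# Constructed sample packets using the course's addresses.
SYN_FROM_INTERNET = build_ipv4(TCP, "15.15.15.15", "10.0.130.115", build_tcp(40000, 80, FLAG_SYN))
REPLY_TO_FACULTY = build_ipv4(TCP, "10.0.130.115", "10.1.20.20", build_tcp(80, 1052, FLAG_SYN | FLAG_ACK))
UDP_TO_SERVER = build_ipv4(UDP, "10.1.20.20", "10.0.130.115", build_udp(5353, 53, b"\x00" * 12))

if __name__ == "__main__":
    for name, raw in [("SYN_FROM_INTERNET", SYN_FROM_INTERNET),
                      ("REPLY_TO_FACULTY", REPLY_TO_FACULTY), ("UDP_TO_SERVER", UDP_TO_SERVER)]:
        info = parse_packet(raw)
        print(name, info, classify(info))
```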
Permit faculty user access to curriculum server network
Faculty users can send traffic to any host on the curriculum network using any application
Rules in access control list applied to faculty ingress port:
1. Permit source range 10.1.20.0/24 and dest. range 10.0.130.0/24
2. Permit source range 10.1.20.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
3. Deny source range 10.1.20.0/24 and destination range 10.0.0.0/8
4. Permit source range 10.1.20.0/24 and any destination address
(implicit) Deny any source address and any destination address
Packet to be tested: IP header: Protocol: 6, Src: 10.1.20.20, Dst: 10.0.130.115; TCP header: Src: 1052, Dst: 80 …[data]
Match first entry? Yes. Action = Permit
Because the ProCurve University network is well planned, most of the resources needed by the faculty members are on the curriculum server network. This makes it simpler to define access control rules than it would be if faculty resources were distributed across the entire intranet.
In addition to the curriculum servers, the faculty users need access to the Internet and to the email/scheduling application that is distributed across the entire intranet.
Because the registration server is on the curriculum network, faculty members do not need an explicit rule to permit access to that host. Their access to the entire curriculum server network will include the registration server. You would only need to define rules in an ACL for both resources if you needed to deny access to one and permit access to the other.
The slide above shows an example of a specific packet being tested by the inbound ACL, which means the router tests the traffic as it enters the interface.
The first rule provides access to the address range 10.0.130.0/24, which is the network that contains all of the curriculum servers. The router compares relevant portions of the packet to the filtering rule and determines that the source and destination IP addresses match both the source and destination address ranges specified in the rule. The router takes the action associated with the first rule, which is to permit the packet to pass. Every packet the router interface sees that has a source and destination address within the ranges specified by the first rule will be permitted.
The impact of the other rules in this ACL will be described later in this module.
Permit faculty user access to SMTP services
Faculty users can send SMTP traffic to any host in the intranet
Rules in access control list applied to faculty ingress port:
1. Permit source range 10.1.20.0/24 and dest. range 10.0.130.0/24
2. Permit source range 10.1.20.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
3. Deny source range 10.1.20.0/24 and destination range 10.0.0.0/8
4. Permit source range 10.1.20.0/24 and any destination address
(implicit) Deny any source address and any destination address
Packet to be tested: IP header: Protocol: 6, Src: 10.1.20.20, Dst: 10.0.129.143; TCP header: Src: 1064, Dst: 25 …[data]
Match first entry? No. Match second entry? Yes. Action = Permit
In addition to the curriculum servers, the faculty users need access to the email/scheduling application that is distributed across the entire intranet. Instead of specifying each potential destination host that supports the SMTP-based application, administrators can specify a “permit” rule that specifies TCP port 25 for any destination host in the range 10.0.0.0/8.
In this example, the router is examining an inbound packet on the faculty ingress port. The router compares this packet with the first filtering rule and determines that it does not match. Following well-defined ACL testing procedures, the router compares relevant portions of the packet to the second rule. Because the packet has a destination IP address and destination TCP port that matches the second rule, the router follows the “permit” action associated with the second rule.
Because the first two access control entries both specify resources to be permitted, their relative sequence does not impact the overall effect of the ACL.
Deny faculty user access to administrative servers
Faculty users should not have access to administrative servers
Rules in access control list applied to faculty ingress port:
1. Permit source range 10.1.20.0/24 and dest. range 10.0.130.0/24
2. Permit source range 10.1.20.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
3. Deny source range 10.1.20.0/24 and destination range 10.0.0.0/8
4. Permit source range 10.1.20.0/24 and any destination address
(implicit) Deny any source address and any destination address
Packet to be tested: IP header: Protocol: 6, Src: 10.1.40.40, Dst: 10.0.129.143; TCP header: Src: 1052, Dst: 80 …[data]
Match first entry? No. Match second entry? No. Match third entry? Yes. Action = Deny
The third rule in this ACL causes the router to deny traffic that is destined for any address within the 10.0.0.0/8 network that was not explicitly permitted by the first or second rules in the list.
In this case, a faculty member is trying to access a host on the administrative server network. Identity-based or role-based security probably would limit this user’s access to the server. However, the third rule in the list prevents faculty users from accessing the administrative server network and creating additional congestion.
Because the packet does not match the conditions of the first or second rules, and the destination address does fall within the range specified in the third rule, the router follows the action associated with the third rule, and denies or drops the packet.
Permit faculty user Internet access
Faculty users should have access to the Internet
Rules in access control list applied to faculty ingress port:
1. Permit source range 10.1.20.0/24 and dest. range 10.0.130.0/24
2. Permit source range 10.1.20.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
3. Deny source range 10.1.20.0/24 and destination range 10.0.0.0/8
4. Permit source range 10.1.20.0/24 and any destination address
(implicit) Deny any source address and any destination address
Packet to be tested: IP header: Protocol: 6, Src: 10.1.40.40, Dst: 15.15.15.150; TCP header: Src: 1066, Dst: 80 …[data]
Match first entry? No. Match second entry? No. Match third entry? No. Match fourth entry? Yes. Action = Permit
This slide shows the logic necessary for permitting Internet access by faculty users. The sequence of the last two rules is crucial. While the third rule denies access to intranet destinations not explicitly permitted by rules that appear earlier in the list, the fourth rule permits access to all Internet destinations; that is, to addresses outside of 10.0.0.0/8. This rule effectively overrides the implicit “deny any” rule.
Access control for student users
[Figure: ProCurve University network map, as on the faculty slide (Guests 10.1.10.0/24, Faculty 10.1.20.0/24, Admin 10.1.30.0/24, Students 10.1.40.0/24; Emp servers 10.0.128.0/24, Admin servers 10.0.129.0/24, Curriculum 10.0.130.0/24; 10.0.100.0/24 and 10.1.65.0/24 through 10.1.68.0/24; routers R1A, R1B, R1C, R1D and C1; Internet). The registration server is host .115 on the curriculum network.]
Student resources called out on the slide:
Web-based registration server: Host 10.0.130.115 AND TCP port 80
Internet: All destinations not in 10.0.0.0/8 range
ProCurve University students require access to the Internet and, when they are on campus, to a web-based registration server on the curriculum network. Students should not be able to access any other servers on the curriculum network, nor should they be able to use protocols other than HTTP on the registration server.
The next few pages will describe ACL logic to accomplish these goals.
Permit student access to web registration server
Students have access to only one web server on the curriculum network. They should be denied access to all other servers in the intranet.
Rules in ACL applied to student ingress port:
1. Permit source range 10.1.40.0/24 and dest. host 10.0.130.115 and dest. TCP port 80
2. Deny source range 10.1.40.0/24 and destination range 10.0.0.0/8
3. Permit source range 10.1.40.0/24 and any destination address
(implicit) Deny any source address and any destination address
Packet to be tested: IP header: Protocol: 6, Src: 10.1.40.40, Dst: 10.0.130.115; TCP header: Src: 1044, Dst: 80 …[data]
Match first entry? Yes. Action = Permit
In this example, a student is sending HTTP traffic to the web registration server. Because the inbound packet on the student ingress port has characteristics that match all of the conditions of the first rule, the router follows the action associated with this rule and permits the packet.
Note that the first rule specifies port 80, the well-known TCP port for HTTP traffic. This ensures that students will only have web access to the registration server. Of course, the rule could specify another port number if the application used a custom port or if, for instance, it used Secure Sockets Layer (SSL), which uses the well-known port of 443.
Deny student traffic destined for administrative servers
The second rule in the list prevents students from sending traffic to any intranet hosts other than the one permitted by the first rule
Rules in ACL applied to student ingress port:
1. Permit source range 10.1.40.0/24 and dest. host 10.0.130.115 and dest. TCP port 80
2. Deny source range 10.1.40.0/24 and destination range 10.0.0.0/8
3. Permit source range 10.1.40.0/24 and any destination address
(implicit) Deny any source address and any destination address
Packet to be tested: IP header: Protocol: 6, Src: 10.1.40.40, Dst: 10.0.129.143; TCP header: Src: 1048, Dst: 80 …[data]
Match first entry? No. Match second entry? Yes. Action = Deny
In this case, a student is trying to access a host on the administrative server network. The characteristics of the packet shown above do not match with the first rule, so the router compares the packet with the second rule. Because the destination address falls within the range 10.0.0.0/8, the router drops the packet.
Of course, identity- or role-based security probably would prevent this user from accessing the server. However, this ACL provides an additional layer of security and prevents congestion by preventing the students from even sending packets to the administrative server network.
The Access Control Entries (ACEs) are always processed in the order they were created. In the example above, the host address permitted in the first rule is a subset of the address range denied in the second rule. Because traffic destined for the registration server matches both Rule 1 and Rule 2, reversing the sequence of the rules would cause denial of traffic destined for the registration server. This sequence demonstrates a general rule of ACL development. Entries that refer to a more specific address range (i.e. smaller range, longer mask) should precede those that refer to a less specific address range (i.e. larger range, shorter mask).
Student Internet access
Traffic with destinations outside 10.0.0.0/8 is permitted because it matches the third rule
Rules in ACL applied to student ingress port:
1. Permit source range 10.1.40.0/24 and dest. host 10.0.130.115 and dest. TCP port 80
2. Deny source range 10.1.40.0/24 and destination range 10.0.0.0/8
3. Permit source range 10.1.40.0/24 and any destination address
(implicit) Deny any source address and any destination address
Packet to be tested: IP header: Protocol: 6, Src: 10.1.40.40, Dst: 15.15.15.15; TCP header: Src: 1052, Dst: 80 …[data]
Match first entry? No. Match second entry? No. Match third entry? Yes. Action = Permit
Most traffic that originates in the student user network is destined for the Internet. Accordingly, all traffic that has a destination address outside the 10.0.0.0/8 range matches with the third rule and is permitted.
The destination address range specified in Rule 2 is a subset of the address range specified in Rule 3. If these rules were reversed, and the entry with the larger range appeared earlier in the list than the entry with the smaller range, students would be able to send traffic to all intranet destinations as well as the Internet destinations allowed by the university’s security policy.
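The first-match logic walked through in the faculty and student slides above, as an added Python example that is not part of the course material: it encodes both ACLs in slide order, evaluates the slide packets, shows what happens when the student rules are reordered the two ways these pages warn about, and flags any entry that an earlier, broader entry makes unreachable. Packets are constructed dicts; `Ace`, `evaluate`, `shadowed` and `swapped` are names I chose.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example, not part of the course material. Packets are plain dicts
# (src, dst, proto, dport) and each ACL is an ordered list of Ace objects.


@dataclass(frozen=True)
class Ace:
    """One access control entry. dport=None means any destination port."""
    action: str            # "permit" or "deny"
    src: str               # source range, CIDR
    dst: str               # destination range, CIDR (/32 for a single host)
    dport: Optional[int] = None

    def matches(self, pkt):
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dport is not None:
            # A port criterion only applies to TCP (6) or UDP (17).
            return pkt["proto"] in (6, 17) and pkt.get("dport") == self.dport
        return True


def evaluate(acl, pkt):
    """First match wins. Returns (action, 1-based index of the matching ACE);
    ("deny", None) means the packet fell through to the implicit deny-any."""
    for i, ace in enumerate(acl, start=1):
        if ace.matches(pkt):
            return ace.action, i
    return "deny", None


def shadowed(acl):
    """1-based indices of ACEs that can never match because an earlier ACE
    already covers every packet they would match (the ordering mistake the
    student slides describe). Partial overlaps are not reported."""
    hits = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.dport in (None, later.dport)):
                hits.append(i + 1)
                break
    return hits


def swapped(acl, i, j):
    """Copy of acl with 1-based entries i and j exchanged."""
    out = list(acl)
    out[i - 1], out[j - 1] = out[j - 1], out[i - 1]
    return out


def packet(src, dst, dport, proto=6):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


# ACL applied inbound on the faculty ingress port, in the order of the slides.
FACULTY_ACL = [
    Ace("permit", "10.1.20.0/24", "10.0.130.0/24"),
    Ace("permit", "10.1.20.0/24", "10.0.0.0/8", dport=25),
    Ace("deny",   "10.1.20.0/24", "10.0.0.0/8"),
    Ace("permit", "10.1.20.0/24", "0.0.0.0/0"),
]

# ACL applied inbound on the student ingress port.
STUDENT_ACL = [
    Ace("permit", "10.1.40.0/24", "10.0.130.115/32", dport=80),
    Ace("deny",   "10.1.40.0/24", "10.0.0.0/8"),
    Ace("permit", "10.1.40.0/24", "0.0.0.0/0"),
]

if __name__ == "__main__":
    # The slide packets, then the two mis-orderings the student pages warn about.
    print(evaluate(FACULTY_ACL, packet("10.1.20.20", "10.0.130.115", 80)))   # ('permit', 1)
    print(evaluate(STUDENT_ACL, packet("10.1.40.40", "10.0.129.143", 80)))   # ('deny', 2)
    print(evaluate(swapped(STUDENT_ACL, 1, 2), packet("10.1.40.40", "10.0.130.115", 80)))  # ('deny', 1)
    print(shadowed(swapped(STUDENT_ACL, 2, 3)))   # [3]: the deny-intranet rule is unreachable
```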
Access control for admin users
[Figure: ProCurve University network map, as on the faculty slide (Guests 10.1.10.0/24, Faculty 10.1.20.0/24, Admin 10.1.30.0/24, Students 10.1.40.0/24; Emp servers 10.0.128.0/24, Admin servers 10.0.129.0/24, Curriculum 10.0.130.0/24; 10.0.100.0/24 and 10.1.65.0/24 through 10.1.68.0/24; routers R1A, R1B, R1C, R1D and C1; Internet). The registration server is host .115 on the curriculum network.]
Admin resources called out on the slide:
Admin and HR servers: Range 10.0.129.0/24
Web-based registration server: Host 10.0.130.115 AND TCP port 80
Email/scheduling: Range 10.0.0.0/8 AND TCP port 25
Internet: All destinations not in 10.0.0.0/8 range
Administrative users at ProCurve University require the following access to resources:
1. The network that contains administrative and HR servers
2. Web-based registration server (but not the entire curriculum network)
3. Email/scheduling application
4. Internet
The next few pages will present the logic for an ACL to permit this access while denying access to other resources.
Permit admin user access to web registration server
Rules in ACL applied to admin ingress port:
1. Permit source range 10.1.30.0/24 and dest. range 10.0.129.0/24
2. Permit source range 10.1.30.0/24 and dest. host 10.0.130.115 and dest. TCP port 80
3. Permit source range 10.1.30.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
4. Deny source range 10.1.30.0/24 and destination range 10.0.0.0/8
5. Permit source range 10.1.30.0/24 and any destination address
(implicit) Deny any source address and any destination address
Packet to be tested: IP header: Protocol: 6, Src: 10.1.30.30, Dst: 10.0.130.115; TCP header: Src: 1036, Dst: 80 …[data]
Match first entry? No. Match second entry? Yes. Action = Permit
In this example, a user from the administrative network is attempting to access the web registration server. The characteristics of the inbound packet being tested do not match with the first rule in the ACL, but they do match with the second rule. The packet is permitted.
Permit admin access to HR and admin servers
Rules in ACL applied to admin ingress port:
1. Permit source range 10.1.30.0/24 and dest. range 10.0.129.0/24
2. Permit source range 10.1.30.0/24 and dest. host 10.0.130.115 and dest. TCP port 80
3. Permit source range 10.1.30.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
4. Deny source range 10.1.30.0/24 and destination range 10.0.0.0/8
5. Permit source range 10.1.30.0/24 and any destination address
(implicit) Deny any source address and any destination address
Packet to be tested: IP header: Protocol: 6, Src: 10.1.30.30, Dst: 10.0.129.143; TCP header: Src: 1042, Dst: 80 …[data]
Match first entry? Yes. Action = Permit
In this example, the user is permitted access to a host on the administrative server network. The first rule in the ACL permits access to any host in the range 10.0.129.0/24.
Like the ACL applied to the faculty ingress port, this ACL contains a rule that provides access to the email/scheduling application. Because the admin users need access to the web registration server, this ACL also contains a rule that provides access to that resource. In fact, the first three rules in the ACL could be entered in any order because they all specify the “permit” action. However, the rule that permits access to the administrative network is placed first because that is the resource most frequently accessed by these users.
Because admin users need Internet access, the final explicit entry in the ACL applied to their ingress port overrides the implicit “deny any” entry.
Access control for guests
[Figure: ProCurve University network map, as on the faculty slide (Guests 10.1.10.0/24, Faculty 10.1.20.0/24, Admin 10.1.30.0/24, Students 10.1.40.0/24; Emp servers 10.0.128.0/24, Admin servers 10.0.129.0/24, Curriculum 10.0.130.0/24; 10.0.100.0/24 and 10.1.65.0/24 through 10.1.68.0/24; routers R1A, R1B, R1C, R1D and C1; Internet). The registration server is host .115 on the curriculum network.]
Guest resources called out on the slide:
Internet: All destinations not in 10.0.0.0/8 range
Because guests only have access to the Internet, the ACL applied to their ingress port is quite simple.
Deny guest access to intranet destinations
Guest users are denied access to any host in the 10.0.0.0/8 address range
Rules in ACL applied to guest ingress port:
1. Deny source range 10.1.10.0/24 and destination range 10.0.0.0/8
2. Permit source range 10.1.10.0/24 and any destination address
(implicit) Deny any source address and any destination address
Packet to be tested: IP header: Protocol: 6, Src: 10.1.10.10, Dst: 10.0.130.115; TCP header: Src: 1052, Dst: 80 …[data]
Match first entry? Yes. Action = Deny
The ACL applied to the guest ingress port has only two rules. The first denies traffic with a destination within the 10.0.0.0/8 range and the second, shown on the next page, permits traffic with a destination address outside that range.
Permit guest access to Internet destinations
Guest users are permitted access to hosts outside the 10.0.0.0/8 address range
Rules in ACL applied to guest ingress port:
1. Deny source range 10.1.10.0/24 and destination range 10.0.0.0/8
2. Permit source range 10.1.10.0/24 and any destination address
(implicit) Deny any source address and any destination address
Packet to be tested: IP header: Protocol: 6, Src: 10.1.10.10, Dst: 15.15.15.15; TCP header: Src: 1052, Dst: 80 …[data]
Match first entry? No. Match second entry? Yes. Action = Permit
Guest packets destined for networks outside the range of 10.0.0.0/8 match the second rule and are permitted.
Module 4 summary
In this module, you learned:
• How ACLs enhance network security
• Criteria that can be used as the basis for ACLs
• How to plan for effective ACLs
• General rules for the development of effective ACLs
Module 4 of IP Routing Foundations described the theory underlying the development of effective ACLs. Using the physical security requirements of a hospital as an analogy, the module showed how ACLs can enhance the security of network resources, including resources such as servers that are already protected by passwords and other measures. The module also showed the criteria, including IP, TCP, and UDP header fields, that can be used as a basis for ACL development. Finally, the module presented rules and techniques for planning and developing effective ACLs.
Learning check Module 4
1. Name three criteria that can be used to specify traffic for special handling in an ACL.
2. What is the implied “deny any” rule?
3. In an ACL, why should a more specific (longer mask) rule precede the less specific (shorter mask) rule?
Learning Check Answers
Module 1 learning check
1. What are the four types of router interfaces?
a. physical, created by assigning a mask and IP address to a physical port
b. virtual, associates an IP address and mask with a VLAN
c. loopback, assigns IP address and mask to interface not associated with any physical port
d. multinetted, assigns two or more IP addresses and masks to a physical, virtual, or loopback interface
2. What is the difference between an Interior Gateway Protocol and an Exterior Gateway Protocol?
Interior Gateway Protocols (IGP) involve communication among routers that are under common administrative control and use the same protocol for exchanging information; that is, in the same autonomous system. Exterior Gateway Protocols (EGP) involve communication among routers that are under different administrative control; that is, in different autonomous systems.
3. Name and describe one important disadvantage of RIP.
Changes in routing topology often propagate slowly (in comparison to OSPF) because information in each router’s table is acquired from routers as many as 15 hops away.
4. What is “Split Horizon”?
Advertisements a router sends onto a network do not include the address ranges for which the next hop is on that network.
5. What is network summarization and why is it necessary?
Network summarization can increase routing efficiency by replacing many individual, specific network advertisements with a single statement that specifies a larger range of addresses using a shorter mask.
6. What is “poisoned reverse”?
Poisoned Reverse is a variation of Split Horizon that can help speed convergence in meshed networks. Instead of omitting the routes that Split Horizon rules exclude from the advertisement, the router poisons those routes, making it impossible for the router receiving the advertisement to consider the sender as a valid next hop toward the poisoned address ranges.
Module 2 learning check
1. Name the two types of OSPF networks.
a. Transit networks have two or more connected routers. As such, they are potential paths for traffic that originates within or is destined for some other network.
b. Stub networks have only one router. They are considered stubs because there is only one point of entry (router) to the network. Traffic that comes from or is destined for other networks is never forwarded into a stub network. Stub networks will be discussed in more detail later in this module.
2. Define the following:
ABR: A router with an interface in the backbone and in at least one other area.
ASBR: A router responsible for generating an AS External LSA for each non-OSPF network.
3. Describe the process by which OSPF routers form adjacencies.
a. Exchange Hello messages
b. Two-way neighbor recognition
c. DR election
d. Exchange database descriptions
e. Request and exchange link state packets
f. Update link state databases
4. What types of OSPF LSAs are confined to a single area and how are they used?
Router LSAs and Network LSAs are confined to a single area. DRs send Network LSAs to advertise networks. All OSPF routers send Router LSAs to advertise changes in their link states.
5. What techniques enable administrators to limit the size of OSPF link-state databases and enhance routing efficiency?
Make sure areas are not too large and do not contain too many routers. Use network summarization to limit number of entries in databases.
Module 3 learning check
1. Why is Spanning Tree an incomplete solution for redundancy in a routed network?
Spanning Tree ensures link redundancy, but does not address issues that can arise when hosts lose contact with their default gateways.
2. Name the technologies for default gateway redundancy that are supported by ProCurve switches.
a. VRRP (9300m)
b. VRRPE (9300m)
c. XRRP (3400cl/5300xl)
3. How is the Master router determined in a VRRP implementation?
The Owner of the shared IP address is the Master for each VRID.
4. How does VRRPE differ from VRRP?
VRRPE is a proprietary enhancement of VRRP available on the 9300m. In VRRPE, there is no IP address Owner. Instead, the Master for each VRID is the router configured with the highest priority. The virtual IP address is configured by the administrator.
Module 4 learning check
1. Name three criteria that can be used to specify traffic for special handling in an ACL.
a. source address
b. destination address
c. TCP or UDP port number.
2. What is the implied “deny any” rule and why is it necessary?
The implied “deny any” rule is the last rule in an ACL. It implicitly denies all traffic that was not explicitly permitted by a rule that appears earlier in the list.
3. In an ACL, why should a more specific (longer mask) rule precede the less specific (shorter mask) rule?
Because ACLs are processed in the order they are created. When the switch locates a match, it stops processing the ACL. If the rule with a shorter mask is applied first, it may prevent a more specific rule from being applied.
For further information, please visit our Web site at:
www.procurve.com
© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.