IP Routing Foundations

ProCurve Networking by HP Student guide Technical training IP Routing Foundations Version 5.21

Uploaded by amr81 on 07-Apr-2015

Page 1: IP Routing Foundations

ProCurve Networking by HP

Student guide Technical training

IP Routing Foundations Version 5.21


Rev. 5.21 1

Contents

Overview

Introduction ..... Overview–1
Course objectives ..... Overview–1
Prerequisites ..... Overview–1
Course module overviews ..... Overview–2
Course agenda ..... Overview–3
Additional information ..... Overview–4

Module 1: IP Routing Basics

Objectives ..... 1–1
General network connectivity goals ..... 1–2
Scenario: ProCurve University ..... 1–3
Router interfaces and port state ..... 1–4
Route tables and local address ranges ..... 1–6
The route table ..... 1–6
Multinetted interface ..... 1–8
When multinetting is appropriate ..... 1–8
Loopback interface ..... 1–10
Learning about remote networks ..... 1–11
Routing protocol categories ..... 1–12
RIP and OSPF ..... 1–13
Standard IGPs for IP networks ..... 1–14
The disadvantage of RIP ..... 1–14
Link-state protocols ..... 1–15
Router1 RIP update to Router2 ..... 1–16
Cost ..... 1–16
RIP v2 use of multicast ..... 1–17
Router2 updates its route table ..... 1–18
Router2 RIP update to Router1 ..... 1–19
Router2 RIP update to Router3 ..... 1–20
Router3 updates its route table ..... 1–21
Assessing this topology ..... 1–22
Providing a routed mesh ..... 1–23
Split horizon in a routed mesh ..... 1–24
Processing inbound RIP updates ..... 1–25
Link failure recovery in mesh (1) ..... 1–27

Link failure recovery in mesh (2) ..... 1–28
Link failure recovery in mesh (3) ..... 1–29
Poisoned Reverse ..... 1–30
Connecting to a core router ..... 1–31
Connecting to a core routing switch ..... 1–32
Connecting to redundant core ..... 1–33
Routing among locations at ProCurve University ..... 1–34
Dynamic route exchange ..... 1–35
Network summarization ..... 1–36
Summarization of address space using static routes ..... 1–37
Route table lookup ..... 1–39
Advertising static routes ..... 1–40
Equal cost multipath ..... 1–41
Module 1 summary ..... 1–42

Module 2: OSPF Routing

Objectives ..... 2–1
  OSPF at ProCurve University ..... 2–2
Basic OSPF interactions ..... 2–3
  OSPF routing protocol ..... 2–4
  OSPF hierarchy: Routers and networks ..... 2–5
  OSPF Router ID ..... 2–5
  OSPF adjacencies ..... 2–5
  OSPF network types ..... 2–6
  OSPF area ..... 2–7
  OSPF hierarchy: Autonomous System ..... 2–9
  OSPF router boots up ..... 2–10
  Hello messages ..... 2–10
  Exchanging Hello packets ..... 2–11
  Two-way neighbor recognition ..... 2–13
  Designated Router election ..... 2–14
  Exchanging Database descriptions ..... 2–15
  Link State Request packet ..... 2–17
  Link State Update packet ..... 2–18
  Updating the Link State Database ..... 2–19
  Originating new LSAs ..... 2–20
  Flooding LSAs in Link State Update packet ..... 2–21
  R1A’s LSA ..... 2–22
  SPF tree and IP route table ..... 2–23
  Summary of OSPF packet types ..... 2–25
  Summary of OSPF LSA types confined to a single area ..... 2–27

Distribution of link state changes ..... 2–28
  Impact of link state changes ..... 2–29
  Connecting to existing multi-access network ..... 2–30
  Recognizing a new router on a multi-access network ..... 2–31
  Database synchronization ..... 2–32
  Adjacencies established, database synchronized ..... 2–33
  Flood new LSAs ..... 2–34
  Acknowledging flooded LSAs ..... 2–35
  Designated Router adjacency responsibilities ..... 2–36
  Designated Router LSA flooding responsibilities ..... 2–37
  Non-DR LSA flooding responsibilities ..... 2–38
  OSPF network types ..... 2–39
  Finding the shortest path ..... 2–41
  OSPF’s performance in large intranet ..... 2–42
  OSPF scalability ..... 2–44
  Area Border Router (ABR) ..... 2–44
  Multiple areas and adjacency ..... 2–45
  ABR link state database synchronization ..... 2–46
  LSA flow between areas ..... 2–47
  Flooding Summary LSAs ..... 2–48
  Hierarchical addressing enables summarization ..... 2–49
  Summary of OSPF LSA types ..... 2–50
External route information ..... 2–51
  Redistributing non-OSPF network information ..... 2–52
  ASBR ..... 2–53
  Stub-area type: Injecting the default route ..... 2–54
  Locating the ASBR ..... 2–55
  Stub and “totally stubby” area ..... 2–56
  Not-so-stubby area (NSSA) ..... 2–57
  Module 2 summary ..... 2–58

Module 3: Default Gateway Redundancy Protocols

Objectives ..... 3–1
Redundant router interfaces ..... 3–2
Redundant links: Physical view ..... 3–3
Redundant links: Logical view ..... 3–4
Impact of device failure ..... 3–5
Edge switch failure ..... 3–5
Router failure ..... 3–5
Providing a second router ..... 3–7
Why failover is not automatic (1) ..... 3–8
Why failover is not automatic (2) ..... 3–9
Why failover is not automatic (3) ..... 3–10

Automatic failover for default gateway ..... 3–11
Common characteristics and operations ..... 3–12
Virtual Router Redundancy Protocol ..... 3–14
Virtual routers in VRRP ..... 3–15
VRRP: Actual and virtual IP addresses ..... 3–16
VRRP: Master and Backup states ..... 3–17
VRRP: Virtual MAC address ..... 3–18
VRRP Master broadcasts “gratuitous ARP” ..... 3–19
Master accepts traffic sent to virtual MAC address ..... 3–20
Virtual MAC address enables automatic failover ..... 3–21
VRRP advertisements ..... 3–22
VRRP advertisement packet format ..... 3–23
VRRP support for load sharing ..... 3–24
Considering link failure vs. device failure ..... 3–25
Mixed virtual router states (1) ..... 3–26
Mixed virtual router states (2) ..... 3–27
Proprietary variations and enhancements ..... 3–28
VRRPE: Virtual and actual IP addresses ..... 3–29
XRRP ..... 3–30
Module 3 summary ..... 3–31

Module 4: ACL Theory

Objectives ..... 4–1
Device security and access control ..... 4–2
Identity-based security ..... 4–2
Role-based security ..... 4–2
Rule-based security ..... 4–3
Basic security principles: Physical security example ..... 4–4
Security threats ..... 4–5
Basic security principles: Additional layer of physical security ..... 4–6
Comparing physical and virtual security ..... 4–7
Planning for rule-based access control ..... 4–8
Rule-based access control example ..... 4–10
Selection criteria in IP header ..... 4–11
Determine which port(s) will filter traffic ..... 4–12
A rule that may be applied to ingress or egress ports ..... 4–13
The implied “deny any” rule ..... 4–14
Impact of applying Rule 1 at ingress port ..... 4–15
Impact of applying Rule 1 at egress port ..... 4–16
Associating users with resource requirements ..... 4–17
Inbound ACL recommendations ..... 4–17
Outbound ACL recommendations ..... 4–18

Define characteristics of resources ..... 4–19
Strategies for defining inbound ACLs ..... 4–20
Access control for faculty users ..... 4–21
Access control criteria in TCP and UDP headers ..... 4–22
Permit faculty user access to curriculum server network ..... 4–24
Permit faculty user access to SMTP services ..... 4–25
Deny faculty user access to administrative servers ..... 4–26
Permit faculty user Internet access ..... 4–27
Access control for student users ..... 4–28
Permit student access to web registration server ..... 4–29
Deny student traffic destined for administrative servers ..... 4–30
Student Internet access ..... 4–31
Access control of admin users ..... 4–32
Permit admin user access to web registration server ..... 4–33
Permit admin access to HR and admin servers ..... 4–34
Access control for guests ..... 4–35
Deny guest access to intranet destinations ..... 4–36
Permit guest access to Internet destinations ..... 4–37
Module 4 summary ..... 4–38

Learning Check Answers


Overview

Introduction

IP Routing Foundations provides the basic knowledge of routing technologies necessary to prepare for Routing Switch Essentials. Designed to be delivered as a self-paced prestudy or in the classroom, IP Routing Foundations focuses on standards, theories, and technologies and is not dependent on ProCurve products or features.

Before taking IP Routing Foundations, students should complete Adaptive EDGE Fundamentals or have attained equivalent background. The topics in Adaptive EDGE Fundamentals include:

• Basic Ethernet technology
• IP addressing
• VLANs
• Spanning Tree
• Link Aggregation
• Fundamentals of switch technology
• Traffic prioritization

Course objectives

During this course, you will:

Learn basic routing and traffic filtering technologies, including redundant default gateway protocols, Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Access Control Lists (ACLs)

Prepare for the Routing Switch Essentials instructor-led course

Prerequisites

Adaptive EDGE Fundamentals


Course module overviews

Module 1, “IP Routing Basics,” describes RIP, static routes, and other information necessary to develop routed networks in the contemporary enterprise.

Module 2, “OSPF Routing,” introduces the basic features and processes of the OSPF routing protocol.

Module 3, “Default Gateway Redundancy Protocols,” describes the Virtual Router Redundancy Protocol and other technologies designed to ensure the availability of default gateways.

Module 4, “ACL Theory,” describes the theory and planning for ACLs.


Course agenda

IP Routing Foundations is designed to be a self-paced prestudy for Routing Switch Essentials. Students should complete each section and its related Learning Check before moving to the next topic.


Additional information

• The HP Certified Professional (HPCP) program is a world-class certification program benchmarked around the world to ensure validation of the technical and sales competencies and expertise needed to plan, deploy, support and service HP technology and solutions
• ProCurve participates in the Sales and Integration Tracks within HPCP
• This course, along with Routing Switch Essentials, prepares you for the required exam for ASE – Routing Switch Essentials
• The exam number for this course is HPO-790
• For more information on HPCP, go to www.hp.com/certification
• For more information on HP ProCurve Training and Certification, go to http://www.hp.com/rnd/training/certifications.htm

Student Guide: Overview–4

IP Routing Foundations is part of a series of courses on ProCurve products. For more information, visit the ProCurve Web site.

Module 1: IP Routing Basics

Objectives: After completing this module, you will be able to:

Categorize sources of routing information

• Static and dynamic

• Interior and exterior

• Distance vector and link state

Describe how a router builds its route table and how it chooses the best match from the table’s entries

Describe reasons for defining multinetted interfaces

Explain the value of a loopback interface

Describe the process a router uses to choose a path when its route table includes multiple equal cost paths to the same destination

General network connectivity goals

Establish connectivity among clients and resources
• Routers must obtain enough information to find the best path to each address range and collect the information in a route table
Routing efficiency, economy, scalability
• Each route table entry specifies an address range that may represent:
  – A single network (broadcast domain)
  – A range of networks whose address space can be expressed as a starting address and mask
• Summarize address space whenever possible to minimize the number of route table entries
Enable selective forwarding based on resource needs
• Arrange clients and addressing scheme to selectively enable access to resources
• Goals of limiting resource access may be based on traffic shaping or security requirements
• Alternate paths for link failover
  – Unlike STP, all links active (no blocked links)

Student Guide: 1–2

In general, routers exist to connect clients and resources. Routers learn the most efficient way to reach each address range, collect the information, and organize it in a route table. To enable routers to function efficiently, a medium-to-large enterprise will use a hierarchical addressing scheme. Hierarchical addressing enables an administrator to summarize the address range at remote locations using the smallest number of route table entries. This is only possible when hosts within an IP address range are at the same physical location. A sound IP addressing scheme enables an intranet to scale to a very large size without exceeding the capabilities of its routers.

Routers enable any-to-any communication. However, not all users are necessarily able to reach all resources. This is true for two reasons:

1. Users simply don’t need all intranet resources.

2. Some user/resource pairs must be disallowed to conform to security policies.

The actual mechanisms used for traffic filtering are beyond the scope of this module and will be discussed later in the course. However, to enable the development of efficient traffic filters, administrators must take great care when planning their IP addressing schemes. Basically, the IP addresses of clients with common resource requirements should be within a range that can easily be expressed by a starting address and mask. This module will provide more detail on this topic.
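As an added example (not part of the student guide), the following Python script shows what the summarization goal above means in practice: contiguous, hierarchically allocated /24 networks at one location collapse into a single route table entry expressed as a starting address and mask, whereas scattered allocation needs one entry per network. It also shows why scattered allocation hurts traffic filtering: the one supernet that would cover the scattered ranges also covers addresses that do not belong to the group, so a rule written as start address plus mask can no longer express the group precisely. The campus allocations are constructed for the example and are not the guide’s addressing plan.

```python
import ipaddress

def summarize(prefixes):
    """Collapse a set of networks into the fewest exact route table entries.
    Adjacent sibling prefixes merge into their supernet; no address space
    outside the input ranges is added."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def covering_supernet(prefixes):
    """The single smallest prefix (one start address and mask) that contains
    every given network, even if it also contains other address space."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    candidate = nets[0]
    while not all(candidate.supernet_of(n) for n in nets):
        candidate = candidate.supernet()   # widen the mask by one bit
    return str(candidate)

def overreach(prefixes):
    """How many addresses the covering supernet includes beyond the group
    itself. Zero means a start-address-and-mask rule matches the group
    exactly; anything else is address space such a rule would also match.
    Assumes the input prefixes do not overlap."""
    cover = ipaddress.ip_network(covering_supernet(prefixes))
    own = sum(ipaddress.ip_network(p).num_addresses for p in prefixes)
    return cover.num_addresses - own

# Constructed allocations (not the guide's addressing plan).
HIERARCHICAL = [f"10.1.{i}.0/24" for i in range(8)]        # 10.1.0.0 .. 10.1.7.0
SCATTERED = ["10.1.0.0/24", "10.1.2.0/24", "10.1.5.0/24", "10.1.9.0/24"]

if __name__ == "__main__":
    for label, alloc in (("hierarchical", HIERARCHICAL), ("scattered", SCATTERED)):
        print(label, "route entries:", summarize(alloc))
        print(label, "covering supernet:", covering_supernet(alloc),
              "overreach:", overreach(alloc), "addresses")
```

With the hierarchical allocation the eight networks become one entry, 10.1.0.0/21, and the covering supernet is that same prefix with no overreach. With the scattered allocation nothing collapses, and the smallest single prefix that covers all four networks, 10.1.0.0/20, also takes in 3072 addresses that belong to no one in the group.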

Scenario: ProCurve University

• The university comprises three campuses
• Each campus supports a variety of users
  – Students and guests
  – Faculty and administration
• Each campus supports a variety of applications, including web, e-mail, and multimedia conferencing

Figure: Northeast, Southwest and Northwest campuses, each connected by a 10 GbE link to a high-speed core.

Student Guide: 1–3

This module and the rest of IP Routing Foundations will refer to ProCurve University whenever it is useful to illustrate a basic technology principle. The fictional university consists of three campuses connected by a high-speed core. The university supports four types of users—students, guests, faculty, and administrators—and a typical array of enterprise applications.

The university will appear more regularly in Routing Switch Essentials, which focuses heavily upon the deployment and configuration of ProCurve routing switches.

Router interfaces and port state

Every vendor’s router supports one or more of the following interface types:
• Physical
  – Created by assigning an IP address and mask to a physical port
  – Interface state may be “up” only if the physical port state is “up”
• Virtual
  – Associates IP address and mask with a VLAN
  – Interface state may be “up” if at least one of the ports in the VLAN is “up”
• Loopback
  – Assigns IP address and mask to an interface whose state is not bound to a physical port state
  – Interface state is always “up”
• Multinetted
  – Assigns two or more IP address/mask combinations to a physical, virtual, or loopback interface

Student Guide: 1– 4

Every router in an enterprise, regardless of the vendor who provides it, must enable communication among multiple networks. All routers accomplish this by enabling administrators to define one or more of the following types of router interfaces:

1. Physical: As its name suggests, the physical interface is created by assigning an IP address and mask to a physical port. The rest of this module will focus heavily on this type of interface, which is the “traditional” router interface.

2. Virtual: Common in contemporary enterprises, the virtual interface associates an IP address and mask with a VLAN. This enables packets for multiple broadcast domains to be forwarded through a single port.

3. Loopback: The loopback interface defines an IP address and mask that is not bound to any port or VLAN. It is often used as the interface for management communication.

4. Multinetted: In a multinetted configuration, two or more IP addresses and masks are assigned to a single port, VLAN, or loopback interface.


Whether they are virtual or physical, router interfaces function in the same way in terms of Layer 3 forwarding. Differences among the types of interfaces are confined solely to Layer 2 forwarding issues. The physical interface associates each router port with a different broadcast domain and thus a different address range, while the virtual interface enables you to associate an arbitrary set of ports with a broadcast domain/address range.

Route tables and local address ranges

• For each interface whose state is “up,” the router derives the local address range by applying the mask to the assigned IP address
• Route table entries for local address ranges usually have a cost of “0”
• Router forwards traffic destined for local networks using port indicated in route table
  – Drops traffic destined for address ranges not represented in the table

Figure: Router1 (Port 1 / If 1: 10.1.10.1/24; Port 2 / If 2: 10.1.30.1/24) connects to Switch1 (10.1.10.3/24), which serves hosts in range 10.1.10.0/24 with DG 10.1.10.1, and to Switch2 (10.1.30.3/24), which serves hosts in range 10.1.30.0/24 with DG 10.1.30.1. Router forwards traffic among its local address ranges.

IP Route Table
Network address   Mask             Gateway   Port   Cost   Type
10.1.10.0         255.255.255.0    0.0.0.0   If 1   0      Local
10.1.30.0         255.255.255.0    0.0.0.0   If 2   0      Local

Student Guide: 1–6

In this example, a router has two interfaces defined. Because the physical port “If 1” is connected to Switch1, the interface state is up. Because the interface is defined in the router’s configuration as 10.1.10.1/24, the router applies the mask to the address and derives a range of addresses that it expects to find through that port.

In this case, the range of local addresses the router puts in the route table is 10.1.10.0 with a mask of 255.255.255.0. When this dotted decimal mask is converted to binary, the mask includes 24 “1” bits and eight “0” bits. In the application of the mask to the address, each of the “1” bits indicates the number of high order—that is, “most significant”—bits in the address that are common to all of the hosts connected to this interface. The “0” bits of the mask represent the low order—that is, “least significant”—bits in each host’s address that may have any value. All of the combinations of these eight bits—from 0000 0000 to 1111 1111—are considered part of the address range. However, the lowest value (0) and the highest value (255) are not permissible as addresses for individual hosts. The lowest value is the network address, also known as the “starting address.” The highest value is the broadcast address. The same principles apply to If 2.

The route table

A router bases forwarding decisions on the content of its route table. While a Layer 2 forwarding device, such as a switch, floods traffic destined for unknown MAC addresses, a router drops traffic whose destination IP address does not match any of the entries in the route table.


The graphic on the previous page shows route table entries for two networks—10.1.10.0 and 10.1.30.0. Although routers from different vendors may display routing information differently, all route tables contain the same basic information. Common fields include:

The “Gateway” field for each address range is sometimes labeled as the “Next Hop” field, but its function is to tell the router how to reach the address range. In this case, because all three address ranges are local, this router uses all zeros in dotted decimal format. Once again, different vendors represent this in different ways.

The “Port” field indicates which of the router’s interfaces leads toward the best path to the destination.

The “Cost” field provides information about the distance to the network. Because the address ranges in the example are local, Router1 records the “Cost” for each route as “0.” Although the end stations in networks 10.1.10.0/24 and 10.1.30.0/24 are connected to a downstream switch, Router1 considers the addresses to be “local” because Router1’s interfaces are in the same broadcast domain as other hosts in the same address range. The switch is transparent from an IP routing perspective because it forwards traffic based on Layer 2 information rather than Layer 3. The switch’s own IP address, which is assigned for management purposes, does not affect this transparency.

The “Type” field indicates the source of the routing information. Because all of these address ranges are local, their type is “D,” which represents “directly connected.” We will cover other sources of routing information later in this module.

Because Router1 provides the default gateway for its local hosts, it can forward traffic on their behalf and also deliver traffic that is destined for those hosts. Because all hosts are local, the router uses ARP to obtain each destination host’s MAC address and encapsulates each forwarded packet with a Layer 2 header that contains its own MAC address in the source address field and the target host’s MAC address in the destination address field.

The router does not change the source or destination IP address in the Layer 3 header. The source address field in the IP datagram header contains the address of the sending host and the destination address field contains the address of the target host. The router does not insert its own address into the IP datagram header as it does with the Layer 2 header.

In most environments, a router is also required to forward traffic toward remote networks.

Multinetted interface

• Defined to provide default gateway addresses for hosts that are in the same broadcast domain but have different address ranges

• Each address range appears as a route table entry

IP Route Table
Network address   Mask             Gateway   Port   Cost   Type
10.1.10.0         255.255.255.0    0.0.0.0   If 1   0      Local
10.1.30.0         255.255.255.0    0.0.0.0   If 2   0      Local
172.16.150.0      255.255.255.0    0.0.0.0   If 2   0      Local

Figure: Router1 with Port 1 (If 1, 10.1.10.1/24) to Switch1 (10.1.10.3/24) and hosts in 10.1.10.0/24 (DG 10.1.10.1), and Port 2 (If 2, 10.1.30.1/24) to Switch2 (10.1.30.3/24) and hosts in 10.1.30.0/24 (DG 10.1.30.1) and 172.16.150.0/24 (DG 172.16.150.1).

Multinetting enables an administrator to associate multiple IP addresses with a single broadcast domain that might be physically bounded, using a physical interface associated with a single router port, or virtually bounded, using a virtual interface associated with a VLAN. Multinetting creates routing inefficiencies and should be used only when necessary.

In contemporary networks, multinetting is usually not recommended, although it was quite common in earlier periods, when physical router interfaces presented the only router interface option. Furthermore, multinetting can create problems in environments where hosts use DHCP to receive IP configuration information. Hosts in a DHCP network usually will receive addresses in the same range; consequently, hosts in a multinetted network may not receive an address in the intended range.

When multinetting is appropriate

Multinetting can be necessary when the network includes a collection of hosts, links, and legacy connectivity devices, such as hubs, that do not support VLANs. The graphic above illustrates this point. Suppose that hosts in the 10.1.30.0/24 address range are used by clients who need access to the Internet. Their addresses would be included in a range to be translated by a router, proxy server, or firewall using NAT. However, the hosts in the range 172.16.150.0/24 are special-purpose devices with statically defined addresses. Their access should be restricted. They will never need to browse the Internet. An administrator might specifically omit their address range from the range of addresses to be translated by the proxy, firewall, or other NAT device.

Administrators might also implement multinetting as an interim step while changing the IP addressing scheme. Suppose, for example, that an intranet originally was configured to use statically defined public addresses and must now be converted to a private addressing scheme where hosts dynamically obtain their addresses. Enabling multinetting would enable the administrator to continue providing connectivity for hosts whose addresses have not been converted, as well as for those whose addresses have been converted to the new scheme.

Loopback interface

• The address range associated with the loopback interface appears as a route table entry

• May be used as the source and/or destination for the router’s host processes such as SNMP, Telnet, and HTTP

IP Route Table
Network address   Mask             Gateway   Port   Cost   Type
10.1.0.0          255.255.255.0    0.0.0.0   lb 1   0      Local
10.1.10.0         255.255.255.0    0.0.0.0   If 1   0      Local
10.1.30.0         255.255.255.0    0.0.0.0   If 2   0      Local
172.16.150.0      255.255.255.0    0.0.0.0   If 2   0      Local

Figure: Router1 with Loopback 1 (10.1.0.1/24), Port 1 (If 1, 10.1.10.1/24) to Switch1 (10.1.10.3/24) and hosts in 10.1.10.0/24 (DG 10.1.10.1), and Port 2 (If 2, 10.1.30.1/24) to Switch2 (10.1.30.3/24) and hosts in 10.1.30.0/24 (DG 10.1.30.1) and 172.16.150.0/24 (DG 172.16.150.1).

A loopback interface is very useful for routers in an intranet that supports redundant links. Because the state of a loopback interface is not dependent on the state of any physical port, its IP address will be reachable if at least one other router interface is up. Consequently, the loopback address often is used for in-band device management.

Routers often are configured to use the loopback address for outbound communication with network management stations or other routers. With no loopback defined for this purpose, a router will send the packet through the interface that is “closest” to the destination network; that is, the one that corresponds with the route table’s next hop toward the destination network.

In the case of a network management station, administrators often set up filters that allow the station to accept messages only from a set of source address ranges. In a redundant network, one or more routers might choose different paths to the network management station’s address range based on the physical state of some of the intervening links. Consequently, it can be difficult to predict the address from which a router will send a management message.

Furthermore, by using the loopback interface for all host-based communication with the router, you can set up traffic filters that prohibit traffic produced by typical management protocols—including HTTP, FTP, TFTP, Telnet and SSH—from reaching any of the physical or virtual interfaces. The traffic can be permitted to reach the loopback interface. All valid administrators would need to configure and monitor the router using the loopback interface as a target address. (Traffic filters will be discussed later in this course.)

Learning about remote networks

A router can learn of the existence of remote networks through any combination of the following:

• Dynamic interaction with other routers that follow a common set of rules for exchanging routing information. These rules might include:
  – Procedures for establishing relationships with neighboring routers
  – The frequency and format of messages exchanged with other routers

• Static route configuration, which requires an administrator to:
  – Specify an address range, expressed as a starting address and mask
  – Provide “next hop” information that will allow the router to send traffic toward the address range
  – Supply a cost to be associated with the path to the address range, enabling the router to choose the lowest-cost statically defined path

Network topology, including Internet and intranet connectivity, determines the appropriate methods for each situation.

A router can only forward traffic toward address ranges that appear in its route table. If a router receives a routable packet with a destination address that does not match with any route table entries, it drops the packet.

Routers may learn the information in their route tables dynamically through interaction with other routers with which they share a common set of route exchange rules known as a “routing protocol.” Routing protocols specify the format of the information the routers exchange and the conditions that require a router to send information to a neighboring router.

Administrators often choose to augment the dynamically learned information by statically defining information that the router can use to reach specific address ranges. In most contemporary networks, routers must be aware of remote networks because most enterprise users require access to Internet and intranet resources. Usually, route tables are populated with a combination of static and dynamically learned routes.

In any case, routers cannot directly deliver traffic to remote hosts. Instead, they deliver traffic destined for remote hosts to neighboring routers that provide the best route to the remote address range.

Routing protocol categories

Interior Gateway Protocols (IGP)
• Facilitate exchange of information among routers under the same organizational control; that is, within the same “autonomous system”
• Examples of standard IGPs:
  – Routing Information Protocol (RIP)
  – Open Shortest Path First (OSPF)

Exterior Gateway Protocols (EGP)
• Facilitate exchange of route information among routers in different autonomous systems
• Border Gateway Protocol version 4 (BGP4) is the current standard EGP for Internet connectivity

There are two types of dynamic interaction between routers:

1. Interior Gateway Protocols (IGP) involve communication among routers that are under common administrative control and use the same protocol for exchanging information; that is, in the same autonomous system.

2. Exterior Gateway Protocols (EGP) involve communication among routers that are under different administrative control; that is, in different autonomous systems.

An Internet Service Provider is likely to use a combination of interior and exterior gateway protocols to facilitate exchange of routing information among the routers that make up its own internal network as well as with the routers at subscriber locations.

Not all Internet subscribers use an exterior gateway protocol; however, a very large subscriber that load balances among multiple ISPs is the most likely candidate for using a formalized exterior gateway protocol. Small- to medium-sized subscribers are likely to use a combination of interior gateway protocols and static routes to facilitate Internet connectivity.

RIP and OSPF

Several routing protocols have been formalized and are described in various standards documents. In some cases, vendors implement these standards exactly as written; other vendors enhance the protocols to optimize particular aspects or functions. Other protocols are entirely proprietary, with their own reserved port and/or protocol numbers. These protocols operate only with other routers from the same vendor.

Two common routing protocols, RIP and OSPF, are both IGPs with the same high-level goal: to enable connectivity within an autonomous system. In general, because RIP and OSPF perform this task in completely different ways, each is best suited for particular topologies. However, there is a large overlapping area of applicability. Many intranets can deploy either protocol effectively.

Routing protocols specify the format of messages to be exchanged. As a fairly simple routing protocol, RIP specifies only one type of message. On the other hand, OSPF is a far more complex IGP that specifies several different types and even sub-types of messages, specifying formal procedures for setting up relationships with neighboring routers and types of messages that should be sent in particular circumstances.

Routing protocols also specify the conditions that require a router to send an advertisement. While a RIP router periodically sends routing information to its neighbors, an OSPF router sends a particular type of message when it experiences a change in the state of one of its links.

RIP will be described in more detail later in this module. A later module will discuss OSPF.

Standard IGPs for IP networks

Distance vector: RIP
• Each router sends periodic updates containing a subset of its route table entries to directly connected neighbor routers
• Information about remote networks is passed from router to router based on each router’s perspective
• The time required for each router to find an alternate path to an address range after a link failure depends on the number of routers that separate it from the address range

Link state: OSPF
• Each router reports to its neighbors the characteristics of its active connections to local networks
• Updates are flooded to all routers within an administratively defined area, resulting in a consistent picture of the area’s routers and networks
• Each router builds a logical tree that calculates its shortest path to each network address range
• Enables faster convergence – detection of alternate paths after link failure – due to possession of first-hand information

There are two types of standard IGPs available in IP networks:

1. Distance-vector protocols, such as RIP, require routers to integrate information into their own tables and send the resulting entries, as modified, from their own perspectives.

2. Link-state protocols, such as OSPF, require routers to establish neighbor relationships with adjacent routers. Routers generate updates based on local information and send the updates to neighbors, who then flood updates to all their neighbors. Ideally, within a few milliseconds, every router in an administratively defined area has identical information. Each router builds a logical tree that traces out the shortest path to each advertised destination, using itself as the root. As a result, every router has a consistent picture of the network from its own perspective.

The disadvantage of RIP

While RIP and other distance-vector protocols are easier to configure than link-state protocols, the distance-vector protocols have one serious disadvantage. Changes in routing topology often propagate slowly because information in a router’s table is acquired from other routers that may be as many as 15 hops away.

Suppose, for instance, that Router1 is directly connected to Network 1. When Router1 loses its connection to Network 1, it immediately sends its neighbors an update that reports the cost of Network 1 to be 16. In RIP, the cost of 16 represents infinity and indicates the network is unreachable because the maximum number of router hops in RIP is 15.

After Network 1 has been marked as unavailable, each router is free to accept advertisements from other neighbors that offer a lower-cost path to Network 1. Because there is a 30-second interval between RIP updates, and because RIP updates move one hop at a time, several minutes may elapse before each router has determined the lowest-cost path between itself and Network 1.

Link-state protocols

Link-state protocols avoid this issue because they do not rely on second-hand information. A router sends an “advertisement” when it recognizes a link state change. The update does not contain just the change, but the attributes of all of the router’s currently active links. The router sends the advertisement to its immediate neighbors. The neighbors are required by the protocol to immediately flood the advertisement to all of their neighbors.

Unlike RIP routers, OSPF routers do not increment the costs as they flood updates. In fact, an OSPF router is not permitted to make any changes to an advertisement it receives on one network before sending it out onto another network.

As a result, all of the routers in the area have a consistent picture of the connections between all routers and networks in the area. Each router builds a tree based on first-hand information that traces the shortest path between itself and every router and network in the area. When a link state changes, the router recalculates the tree based on the new information. Ideally, less than a second passes between the time the router advertises its new state and the time when all of the routers have found an alternate path, if one exists.

Router1 RIP update to Router2

Figure: R1 (Loop 1 10.1.0.1/24; If 1 10.1.10.1/24; If 2 10.1.30.1/24 and 172.16.150.1/24; If 3 10.0.64.1/24, RIP enabled) and R2 (Loop 1 10.2.0.1/24; If 1 10.2.20.1/24; If 2 10.2.40.1/24; If 3 10.0.64.2/24) share network 10.0.64.0/24. Switches S1 to S4 (10.1.10.3/24, 10.1.30.3/24, 10.2.20.3/24, 10.2.40.3/24) connect hosts in 10.1.10.0/24, 10.1.30.0/24 and 172.16.150.0/24 behind R1 and hosts in 10.2.20.0/24 and 10.2.40.0/24 behind R2.

Router1’s RIP update, sent through interface 3:

Ethernet header:
  Dest: 01005e-000009   Source: <R1 MAC>
IP datagram header:
  Source: 10.0.64.1   Dest: 224.0.0.9
UDP header:
  Source: 520   Dest: 520
Routing Information Protocol:
  Command: Response (2)   Version: RIPv2 (2)
  Network: 10.1.0.0       Mask: 255.255.255.0   Metric: 1
  Network: 10.1.10.0      Mask: 255.255.255.0   Metric: 1
  Network: 10.1.30.0      Mask: 255.255.255.0   Metric: 1
  Network: 172.16.150.0   Mask: 255.255.255.0   Metric: 1

Router1
• Advertises entries in its route table through interface 3
• Does not include the address range associated with interface 3 (10.0.64.0/24)

When RIP is enabled on an interface, the router prepares an update that advertises the address ranges in its route table. In many cases, including the one above, each address range in the table represents a network, a single broadcast domain. However, this is not always the case. Sometimes the entries represent an address range that includes many networks.

In the example above, Router1 advertises all of its connected networks with one notable exception. A RIP advertisement doesn’t include the address range associated with the interface through which the router sends the update. In this case, the advertisement is being prepared for transmission over interface 3 (if 3), which is associated with the address range 10.0.64.0/24. Accordingly, that network is specifically omitted from the advertisement.

It is important to note that the update actually includes two distinct steps: the preparation and the sending of the update. By default, this process occurs every 30 seconds; when this interval expires, the router must send advertisements through all of its RIP-enabled interfaces.

Cost

Note that the cost associated with each of the advertised networks is 1. While Router1 associates a cost of 0 with its locally connected address ranges, it advertises these networks with a cost of 1. In some vendor implementations, the cost used internally will be 1; however, the external cost is reported in the same way by all router vendors.

RIP v2 use of multicast

The source address in the IP datagram that encapsulates the RIP advertisement is the address of Router1’s interface on the network it shares with Router2. The destination address is a multicast address, which is the requirement in RIP v2.

The use of multicast ensures that all routers connected to a network will receive and process the update simultaneously. Routers or other devices on this network that do not support RIP v2 will not process this update because they are not members of the RIP Routers multicast group (224.0.0.9).

In the example, Router1 is the only RIP router on network 10.0.64.0. Note that Router2 does not have RIP enabled. This does not affect Router1’s outbound RIP updates. Because RIP is enabled on this interface, Router1 will continue sending updates indefinitely.

Router2 updates its route table

Figure: R1 (Loop 1 10.1.0.1/24; If 1 10.1.10.1/24; If 2 10.1.30.1/24 and 172.16.150.1/24; If 3 10.0.64.1/24, RIP enabled) and R2 (Loop 1 10.2.0.1/24; If 1 10.2.20.1/24; If 2 10.2.40.1/24; If 3 10.0.64.2/24, RIP enabled) share network 10.0.64.0/24. Switches S1 to S4 (10.1.10.3/24, 10.1.30.3/24, 10.2.20.3/24, 10.2.40.3/24) connect hosts in 10.1.10.0/24, 10.1.30.0/24 and 172.16.150.0/24 behind R1 and hosts in 10.2.20.0/24 and 10.2.40.0/24 behind R2.

Router2’s route table after processing Router1’s update:

Network           Gateway     Port   Cost   Type
10.0.64.0/24      0.0.0.0     3      0      D
10.1.0.0/24       10.0.64.1   3      2      R
10.1.10.0/24      10.0.64.1   3      2      R
10.1.30.0/24      10.0.64.1   3      2      R
10.2.0.0/24       0.0.0.0     Lo 1   0      D
10.2.20.0/24      0.0.0.0     1      0      D
10.2.40.0/24      0.0.0.0     2      0      D
172.16.150.0/24   10.0.64.1   3      2      R

• Router2 integrates networks from Router1’s RIP update into its route table

• “Gateway” associated with RIP-learned networks is the source address from the IP datagram header of Router1’s RIP update

In this example, RIP has been enabled on Router2’s interface on the 10.0.64.0/24 network. Router2 receives Router1’s RIP update and begins processing it. It doesn’t matter if Router1’s RIP update arrived before Router2 sent any advertisements over the network it shares with Router1 because each router’s sending and receiving actions are independent.

When Router2 receives the advertisement, it compares each entry with the entries already in its route table and immediately adds any advertised address range that does not already appear there. In the example above, all of the address ranges are new, so all are added. The cost of the RIP-learned address ranges is one number higher than the cost advertised by Router1. This is only true if Router2’s configured interface cost for interface 3 is at the default setting of “1.” While it is possible to manipulate interface costs for the purpose of favoring one path over another, it is usually not recommended for reasons discussed later in this module.

Every address range a router learns from a RIP update is set to type “R” (for RIP) in the route table. The “Port” value is the interface through which Router2 received the update that advertised the address range.

In this example, every RIP-learned network in Router2’s route table has the same next hop. This is because Router2 has only one neighbor.

Router2 RIP update to Router1

When Router2 sends a RIP advertisement through its only RIP-enabled interface, it does not include the address range 10.0.64.0/24 because that address range is associated with interface 3.

Because Router2 has already received advertisements from Router1, it follows an additional rule requiring that advertisements a router sends onto a network do not include the address ranges for which the next hop is on that network.

In the example, none of the networks that Router2 learned from Router1 are included in the RIP update Router2 sends onto network 10.0.64.0/24. Because 10.0.64.1 is the “next hop” for the address ranges 10.1.0.0/24, 10.1.10.0/24, and 10.1.30.0/24, and because the address range associated with interface 3 contains the next hop address, these are omitted from the update.

The set of rules that govern which networks may be advertised is known as “Split horizon.” The primary reason that RIP routers follow Split horizon rules is that a neighbor simply doesn’t need to learn about networks for which it provides the next hop. Other reasons for the Split horizon rules will be discussed later.

Router2 RIP update to Router3

Figure: R2 (Loop 1 10.2.0.1/24; If 1 10.2.20.1/24; If 2 10.2.40.1/24; If 3 10.0.64.2/24, RIP enabled; If 4 10.0.65.1/24, RIP enabled) and R3 (Loop 1 10.3.0.1/24; If 1 10.3.10.1/24; If 2 10.3.30.1/24; If 3 10.0.65.2/24, RIP not enabled) share network 10.0.65.0/24. Hosts in 10.2.20.0/24 and 10.2.40.0/24 sit behind R2; hosts in 10.3.10.0/24 and 10.3.30.0/24 sit behind R3.

Router2’s RIP update, sent through interface 4:

IP datagram header:
  Source: 10.0.65.1   Dest: 224.0.0.9
UDP header:
  Source: 520   Dest: 520
Routing Information Protocol:
  Network: 10.0.64.0      Mask: 255.255.255.0   Metric: 1
  Network: 10.1.0.0       Mask: 255.255.255.0   Metric: 2
  Network: 10.1.10.0      Mask: 255.255.255.0   Metric: 2
  Network: 10.1.30.0      Mask: 255.255.255.0   Metric: 2
  Network: 10.2.0.0       Mask: 255.255.255.0   Metric: 1
  Network: 10.2.20.0      Mask: 255.255.255.0   Metric: 1
  Network: 10.2.40.0      Mask: 255.255.255.0   Metric: 1
  Network: 172.16.150.0   Mask: 255.255.255.0   Metric: 2

• Router2’s RIP updates through interface 4 include:
  – Locally defined networks
  – Routes to address ranges learned from a neighbor on interface 3

In this example, Router2 has another neighbor that it reaches through a network (10.0.65.0/24) associated with interface 4. Because Router3 does not have RIP enabled, Router2 has not yet received any advertisements from Router3. Still, because RIP is enabled on interface 4, Router2 sends periodic RIP updates regardless of whether it has received any information from Router3.

The RIP update that Router2 sends to Router3 contains a completely different set of address ranges than the update it sends to Router1. Following Split horizon rules, the RIP advertisement Router2 sends through interface 4 does not include the address range associated with interface 4, 10.0.65.0/24. However, it does include all address ranges in its route table that are either local or learned from a neighbor connected to an interface other than interface 4. Router2 advertises the cost of these address ranges from its own perspective. In all cases except for local networks, a RIP router advertises the cost that each address range has in its own route table.

The “Gateway” or next hop value in the route table is the most important factor in determining which address ranges Router2 will advertise through network 10.0.65.0/24. A RIP advertisement includes all local address ranges except the network address associated with the interface over which the advertisement will be transmitted. A remote address range will be included in the RIP advertisement only if its associated “Gateway” or “next hop” IP address is outside the range of the network associated with the interface over which the advertisement will be transmitted.

Router3 updates its route table

Figure: R2 (Loop 1 10.2.0.1/24; If 1 10.2.20.1/24; If 2 10.2.40.1/24; If 3 10.0.64.2/24, RIP enabled; If 4 10.0.65.1/24, RIP enabled) and R3 (Loop 1 10.3.0.1/24; If 1 10.3.10.1/24; If 2 10.3.30.1/24; If 3 10.0.65.2/24, RIP enabled) share network 10.0.65.0/24. Hosts in 10.2.20.0/24 and 10.2.40.0/24 sit behind R2; hosts in 10.3.10.0/24 and 10.3.30.0/24 sit behind R3.

Router3’s route table after processing Router2’s update:

Network           Gateway     Port   Cost   Type
10.0.64.0/24      10.0.65.1   3      2      RIP
10.0.65.0/24      0.0.0.0     3      0      Direct
10.1.0.0/24       10.0.65.1   3      3      RIP
10.1.10.0/24      10.0.65.1   3      3      RIP
10.1.30.0/24      10.0.65.1   3      3      RIP
10.2.0.0/24       10.0.65.1   3      2      RIP
10.2.20.0/24      10.0.65.1   3      2      RIP
10.2.40.0/24      10.0.65.1   3      2      RIP
10.3.0.0/24       0.0.0.0     Lo 1   0      Direct
10.3.10.0/24      0.0.0.0     1      0      Direct
10.3.30.0/24      0.0.0.0     2      0      Direct
172.16.150.0/24   10.0.65.1   3      3      RIP

• All routes known to Router3 are either local or learned from 10.0.65.1

• Router3’s updates through interface 3 include networks not learned from neighbors on the network associated with that interface

In the manner described earlier, Router3 increments the cost of all advertised networks by the cost assigned to the interface through which the update arrives. Everything that was advertised by Router2 with a cost of 1 appears in Router3’s route table with a cost of 2. The address ranges reported with a cost of 2 have a cost of 3 in Router3’s route table.

In this example, Router2 is Router3’s only neighbor, so the “Gateway” or next hop router interface for every remote address range in Router3’s route table is 10.0.65.1, which is the IP address of Router2’s interface on the network that connects the two routers. None of Router1’s interfaces appear in Router3’s route table as a next hop because Router3 and Router1 do not share a network. The “Type” column contains “RIP” for all address ranges that Router3 learns from Router2’s advertisements.

When Router3 sends an advertisement to Router2, it will follow the Split horizon rules described earlier. In this case, only three address ranges qualify for inclusion in the RIP advertisement sent to Router2: 10.3.10.0/24, 10.3.30.0/24, and 10.3.0.0/24.
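The whole Router1 to Router2 to Router3 RIP exchange walked through on the preceding pages (Router2 updating its table, the split horizon rules, Router2’s update to Router3, and Router3’s table and return update), as an added example that is not part of the guide: a small RIPv2 route-table model that builds updates under split horizon, integrates received updates with the default interface cost of 1, and reproduces the updates and tables shown on the slides. The Router class, its method names and its metric handling are this example’s own design, not ProCurve’s implementation.

```python
# Added example (not from the ProCurve guide): a minimal RIPv2 model that reproduces
# the Router1 -> Router2 -> Router3 exchange from this module.
from ipaddress import ip_address, ip_network

INFINITY = 16  # RIP metric that means "unreachable": the hop limit is 15
RIP_GROUP = "224.0.0.9"  # RIPv2 "RIP Routers" multicast group


class Router:
    """Route table plus the two RIP actions the text describes."""

    def __init__(self, name, interfaces, rip_enabled):
        self.name = name
        self.rip_enabled = set(rip_enabled)
        self.interface_cost = {port: 1 for port, _ in interfaces}  # RIP default cost
        self.port_address = {}   # port -> address used as the IP source of updates
        self.port_networks = {}  # port -> ranges on that port (multinetting allowed)
        self.table = {}          # IPv4Network -> {gateway, port, cost, type}
        for port, cidr in interfaces:
            net = ip_network(cidr, strict=False)
            self.port_address.setdefault(port, cidr.split("/")[0])
            self.port_networks.setdefault(port, []).append(net)
            # Directly connected range: gateway all zeros, cost 0, type D
            self.table[net] = {"gateway": "0.0.0.0", "port": port, "cost": 0, "type": "D"}

    def build_update(self, port):
        """RIP Response sent through `port`, with split horizon applied."""
        out_nets = self.port_networks[port]
        entries = []
        for net in sorted(self.table, key=lambda n: int(n.network_address)):
            row = self.table[net]
            if net in out_nets:
                continue  # rule 1: omit the range of the interface sending the update
            if row["type"] == "D":
                entries.append((str(net), 1))  # local ranges are advertised with cost 1
            elif not any(ip_address(row["gateway"]) in n for n in out_nets):
                entries.append((str(net), row["cost"]))  # remote: advertise own table cost
            # else rule 2: next hop is on this network, so the neighbor already knows it
        return {"source": self.port_address[port], "dest": RIP_GROUP, "entries": entries}

    def receive_update(self, port, update):
        """Integrate a neighbor's update arriving on `port`; ignored if RIP is off."""
        if port not in self.rip_enabled:
            return
        for cidr, metric in update["entries"]:
            net = ip_network(cidr)
            cost = min(metric + self.interface_cost[port], INFINITY)
            row = self.table.get(net)
            if row is None and cost >= INFINITY:
                continue  # never install a route that is already unreachable
            same_hop = row is not None and row["gateway"] == update["source"]
            if row is None or cost < row["cost"] or same_hop:
                self.table[net] = {"gateway": update["source"], "port": port,
                                   "cost": cost, "type": "R"}

    def route(self, cidr):
        """(gateway, port, cost, type) for one route table entry."""
        row = self.table[ip_network(cidr)]
        return row["gateway"], row["port"], row["cost"], row["type"]


def build_topology():
    """Addresses from the module's diagrams; RIP enabled only on inter-router links."""
    r1 = Router("Router1", [("Loop 1", "10.1.0.1/24"), ("If 1", "10.1.10.1/24"),
                            ("If 2", "10.1.30.1/24"), ("If 2", "172.16.150.1/24"),
                            ("If 3", "10.0.64.1/24")], rip_enabled=["If 3"])
    r2 = Router("Router2", [("Loop 1", "10.2.0.1/24"), ("If 1", "10.2.20.1/24"),
                            ("If 2", "10.2.40.1/24"), ("If 3", "10.0.64.2/24"),
                            ("If 4", "10.0.65.1/24")], rip_enabled=["If 3", "If 4"])
    r3 = Router("Router3", [("Loop 1", "10.3.0.1/24"), ("If 1", "10.3.10.1/24"),
                            ("If 2", "10.3.30.1/24"), ("If 3", "10.0.65.2/24")],
                rip_enabled=["If 3"])
    return r1, r2, r3


def run_exchange():
    """Replay the exchange the text walks through and return the three routers."""
    r1, r2, r3 = build_topology()
    r2.receive_update("If 3", r1.build_update("If 3"))  # "Router2 updates its route table"
    r3.receive_update("If 3", r2.build_update("If 4"))  # "Router2 RIP update to Router3"
    return r1, r2, r3


if __name__ == "__main__":
    _, _, r3 = run_exchange()
    for entry in r3.build_update("If 3")["entries"]:
        print("Router3 -> Router2:", entry)  # only the three 10.3.x.x ranges survive
```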

Assessing this topology

Some of the problems with this topology include:
• Inefficient forwarding paths and potential bottleneck
  – Traffic between Router1 and Router3 has to go through Router2
• Does not provide backup paths in the event of link failure
• Does not scale well

Figure: R1 (Loop 1 10.1.0.1/24; networks 10.1.10.0/24, 10.1.30.0/24 and 172.16.150.0/24; If 3 10.0.64.1/24, RIP enabled), R2 (Loop 1 10.2.0.1/24; networks 10.2.20.0/24 and 10.2.40.0/24; If 3 10.0.64.2/24 and If 4 10.0.65.1/24, both RIP enabled) and R3 (Loop 1 10.3.0.1/24; networks 10.3.10.0/24 and 10.3.30.0/24; If 3 10.0.65.2/24, RIP enabled) connected in a chain, R1 to R2 to R3.

Although this topology is useful for describing RIP operations, it is clearly not an efficient topology. If the links between routers have equal bandwidth, Router2 may become a bottleneck because it must handle traffic between hosts connected to Routers 1 and 3, as well as traffic coming from or destined for its locally connected networks.

Furthermore, this topology also does not provide any redundancy. If either of the links between Router2 and its neighbors should fail, many hosts would be isolated.

The above deficiencies would be magnified if this intranet needed to support more than three routers. If we continued daisy-chaining routers in this manner, the potential for bottlenecks and traffic delay would increase dramatically. The vulnerability of the connections would also escalate.

Providing a routed mesh

A routed mesh:
• Provides a dedicated link between each pair of routers
• Provides a backup path in the event of link failure
• Does not scale well beyond 3 or 4 nodes

Figure: R1 (Loop 1 10.1.0.1/24; networks 10.1.10.0/24, 10.1.30.0/24 and 172.16.150.0/24), R2 (Loop 1 10.2.0.1/24; networks 10.2.20.0/24 and 10.2.40.0/24) and R3 (Loop 1 10.3.0.1/24; networks 10.3.10.0/24 and 10.3.30.0/24) in a full mesh over the inter-router networks 10.0.64.0/24, 10.0.65.0/24 and 10.0.66.0/24.

Creating a mesh of the routers would solve the problems relating to potential bottlenecks and lack of redundancy. In a mesh, each device is connected to all other devices. Rather than creating a bottleneck at Router2, the topology shown in the example provides Router3 with a direct connection to Router1. If any of the three links should fail, the remaining links would continue to provide connectivity among all three routers. Of course, the potential for a bottleneck would then increase until the mesh was restored.

However, the full mesh solution is not scalable. For every node added to the mesh, the number of point-to-point connections increases dramatically. While it only takes three links to create a full mesh among three nodes, six links are required to fully connect four nodes. A full mesh for five nodes requires 10 point-to-point links.

A full mesh for 10 nodes requires 45 point-to-point links. The number of links can be calculated using the formula L = N(N-1)/2, where “L” represents the number of point-to-point links and “N” represents the number of nodes to be interconnected. For 10 nodes, L = 10*9/2 = 45.


Split horizon in a routed mesh

Each router in a full mesh:
• Advertises to neighbors all networks learned from other neighbors
• Receives advertisements for each remote network from every neighbor
• Chooses the lowest cost path to each destination network

[Diagram: the R1/R2/R3 full mesh with the same local networks (R1 10.1.10.0/24, 10.1.30.0/24, 172.16.150.0/24, Loop 1 10.1.0.1/24; R2 10.2.20.0/24, 10.2.40.0/24, Loop 1 10.2.0.1/24; R3 10.3.10.0/24, 10.3.30.0/24, Loop 1 10.3.0.1/24). Each link end is labelled with the next-hop role and the Split horizon rule it implies: “Next hop for 10.1.x.x traffic (Do not advertise 10.1.x.x networks)” on the links toward R1, “Next hop for 10.2.x.x traffic (Do not advertise 10.2.x.x networks)” toward R2, and “Next hop for 10.3.x.x traffic (Do not advertise 10.3.x.x networks)” toward R3.]

In the non-redundant topology described earlier, each router receives information about a specific address range from only one neighbor. However, in a meshed topology, such as the one shown, each router receives updates from both neighbors. Consequently, there is some overlap in the advertised networks.

In the example above, Router3 will receive advertisements from Router1 and Router2. Following Split horizon rules, Router2 advertises networks 10.2.x.x with a cost of 1 because those networks are local to Router2. It also advertises networks 10.1.x.x and 172.16.150.0/24 with a cost of 2. If the update from Router2 is the first one Router3 hears, it will add all seven of the advertised networks to its route table. However, when the first RIP update from the neighbor Router1 arrives, Router3 follows a very specific procedure for evaluating the shortest or lowest-cost path.

It is important for RIP routers to follow Split horizon rules regardless of whether routing loops exist. Even in the non-redundant topology illustrated earlier, failure to follow Split horizon rules can result in significant confusion for the router.


Processing inbound RIP updates

[Flowchart, applied to each advertised address range:
1. Address range exists in table? No: Create entry. Yes: go to step 2.
2. Source = table entry Gateway? Yes: Replace entry. No: go to step 3.
3. Calc. cost < table entry Cost? Yes: Replace entry. No: Ignore.
In every case, continue with: Read next advertisement.]

When a RIP router receives an update, it follows an identical process for each advertised address range. This process is illustrated above. First, the router determines whether the address range already exists in the table. If it does not, the router adds a new entry for this network. It places the source address from the IP datagram header of the RIP update in the route table’s Gateway (Next Hop) field, and it derives a cost by adding 1 (or the cost of the inbound interface) to the advertised cost.

If the address range does appear in the route table, the router takes one of the following actions:

• The router ignores the advertisement because it already has the address range in the table and the advertisement includes a higher cost than the entry already in the table.

• The router replaces an existing entry with a new one. There are two variations on this outcome.

The first variation typically occurs under normal circumstances, with every periodic update. If the sender of the update is the same as the network’s next hop in the route table, the router creates an entry with an age of 0 and a cost equal to the advertised cost plus 1 (or the inbound interface cost). This entry replaces the network’s current entry. If the network is stable, the new entry will contain the same information as the one it replaced. However, even if the cost has changed since the last update, the router accepts whatever cost is advertised because the router considers the network’s current next hop to be the authority on information relating to it.


The second variation occurs when a neighbor other than the network’s current next hop advertises a lower cost. This variation should not occur frequently. If it does, it means that some set of networks between the router and the destination network is unstable.


Link failure recovery in mesh (1)

[Diagram: the R1/R2/R3 full mesh (links 10.0.64.0/24 R1 to R2, 10.0.65.0/24 R2 to R3, 10.0.66.0/24 R1 to R3) with the same local networks. Each router advertises to each neighbor its own networks plus those learned from its other neighbor: R1 advertises 10.1.x.x and 10.3.x.x to R2 and 10.1.x.x and 10.2.x.x to R3; R2 advertises 10.2.x.x and 10.1.x.x to R3 and 10.2.x.x and 10.3.x.x to R1; R3 advertises 10.3.x.x and 10.1.x.x to R2 and 10.3.x.x and 10.2.x.x to R1. The R2 to R3 link is marked with an X: “Link fails between R2 and R3”.]

In this example, a full mesh connects all three routers. Each router has a direct connection to every other router, eliminating the bottleneck. This topology also provides some resilience.

Note that each router advertises to each neighbor its own local networks as well as the networks advertised by its other neighbor. Following Split horizon rules, none of the routers advertise to a neighbor the networks for which that neighbor provides the next hop.

The next few diagrams describe the sequence of events that occurs if one of the router-to-router links fails.


Link failure recovery in mesh (2)

[Diagram: the same mesh with the R2 to R3 link (10.0.65.0/24) failed; the remaining links are 10.0.64.0/24 (R1 to R2) and 10.0.66.0/24 (R1 to R3). R1 still advertises 10.1.x.x and 10.3.x.x to R2 and 10.1.x.x and 10.2.x.x to R3; R2 now advertises only 10.2.x.x to R1, and R3 only 10.3.x.x to R1. “R2 changes Cost to ’16’ for 10.3.x.x networks”; “R3 changes Cost to ’16’ for 10.2.x.x networks”.]

When a RIP router loses link on one of its interfaces, the router immediately changes the cost of the address range associated with the failed interface and all of the address ranges in its table whose next hop is within the address range associated with the failed interface.

In this example, Router2 sets network 10.0.65.0/24 at a cost of 16, which is equal to infinity because the maximum hop count is 15. The router also assigns a cost of 16 to the 10.3.x.x networks because the next hop for those networks is the neighbor interface on Router3, 10.0.65.2. Similarly, Router3 assigns a cost of 16 to network 10.0.65.0/24 and to the 10.2.x.x networks.


Link failure recovery in mesh (3)

[Diagram: the same mesh after the R2 to R3 link failure (remaining links 10.0.64.0/24 and 10.0.66.0/24). R1 advertises 10.1.x.x and 10.3.x.x to R2 and 10.1.x.x and 10.2.x.x to R3; R2 advertises 10.2.x.x to R1; R3 advertises 10.3.x.x to R1. “R2 accepts R1’s advertisement of 10.3.x.x networks, changes Gateway to R1 and Cost to ‘3’”; “R3 accepts R1’s advertisement of 10.2.x.x networks, changes Gateway to R1 and Cost to ‘3’”.]

Although Router2 set its cost for the 10.3.x.x networks at 16 after the link failure, within 30 seconds or less it should receive a RIP update from Router1 advertising a path to these networks at a cost of 2. Router2 derives a cost of 3 by adding its own interface cost to the advertised cost, compares that with the cost of 16 currently in the route table, and creates new route table entries for the 10.3.x.x networks using an interface on Router1 as its next hop. Similarly, Router3 updates its route table to use Router1 as a next hop to reach the 10.2.x.x networks. This is an example of option 3 described on page 24—an advertisement indicates a better

RIP routers do not immediately remove entries from tables as soon as they become aware that networks are unavailable. Instead, a Holddown Timer determines the number of seconds that a router will keep a table entry with a cost of 16, waiting for the link to come back up or for some alternate lower-cost path to displace it. This mechanism enables the routers to adapt to changing conditions with minimal disruptions.

The actual functioning of the Holddown Timer varies from vendor to vendor. However, in general, the Holddown Timer starts when the route changes to a cost of 16 and it continues for three times the update interval (90 seconds). When the timer expires, the route is removed from the table if the router hasn’t received a better path to the address range.


Poisoned Reverse

A router using ‘Split Horizon with Poisoned Reverse’ advertises a cost of 16 rather than omitting the routes it learned from the neighbor.

[Diagram: the mesh after the loss of the R2 to R3 link. R1 If 3 10.0.64.1/24 (RIP enabled) connects to R2 If 3 10.0.64.2/24 (RIP enabled); R1 If 4 10.0.66.1/24 (RIP enabled) connects to R3 If 4 10.0.66.2/24 (RIP enabled). Local networks: R1 10.1.10.0/24, 10.1.30.0/24, 172.16.150.0/24, Loop 1 10.1.0.1/24; R2 10.2.20.0/24, 10.2.40.0/24, Loop 1 10.2.0.1/24; R3 10.3.10.0/24, 10.3.30.0/24, Loop 1 10.3.0.1/24.]

Routing Information Protocol (R1’s update toward R3; the 10.3.x.x routes learned from R3 are poisoned):
Network: 10.0.64.0 Metric: 1
Network: 10.1.0.0/24 Metric: 1
Network: 10.1.10.0/24 Metric: 1
Network: 10.1.30.0/24 Metric: 1
Network: 10.2.0.0/24 Metric: 2
Network: 10.2.20.0/24 Metric: 2
Network: 10.2.40.0/24 Metric: 2
Network: 10.3.0.0/24 Metric: 16
Network: 10.3.10.0/24 Metric: 16
Network: 10.3.30.0/24 Metric: 16
Network: 172.16.150.0/24 Metric: 1

Routing Information Protocol (R1’s update toward R2; the 10.2.x.x routes learned from R2 are poisoned):
Network: 10.0.66.0 Metric: 1
Network: 10.1.0.0/24 Metric: 1
Network: 10.1.10.0/24 Metric: 1
Network: 10.1.30.0/24 Metric: 1
Network: 10.2.0.0/24 Metric: 16
Network: 10.2.20.0/24 Metric: 16
Network: 10.2.40.0/24 Metric: 16
Network: 10.3.0.0/24 Metric: 2
Network: 10.3.10.0/24 Metric: 2
Network: 10.3.30.0/24 Metric: 2
Network: 172.16.150.0/24 Metric: 1

This example shows the routing mesh as it appears after the loss of the network that formerly connected Router2 to Router3, 10.0.65.0/24. Now, however, the routers are communicating through a mechanism known as “Poisoned Reverse.”

Poisoned Reverse is a variation of Split horizon that can help speed convergence in meshed networks. Instead of omitting the routes that Split horizon rules exclude from the advertisement, the router poisons those routes, making it impossible for the router receiving the advertisement to consider the sender as a valid next hop toward the poisoned address ranges.

A router that employs Split horizon with Poisoned Reverse advertises, at a cost of 16, the routes that Split horizon alone would exclude. As described earlier, the excluded routes include the address range associated with the interface over which the update will be transmitted. Split horizon also excludes all routes whose next hop (the Gateway field) is a host within the interface’s own address range.
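The inbound-update flowchart, the link-failure recovery sequence and Poisoned Reverse described above, as an added simulation written for this guide rather than ProCurve code: it assumes a RouteEntry record (network, gateway, cost, interface, holddown), an exchange() helper that delivers one update per link direction, and constructed interface names If1/If2/Loop1 for the user networks; the router names, link networks and user networks are the slides' R1/R2/R3 mesh.

```python
import ipaddress
from dataclasses import dataclass

INFINITY = 16   # the maximum RIP hop count is 15, so 16 means "unreachable"
HOLDDOWN = 90   # three 30-second update intervals, as the guide describes

@dataclass
class RouteEntry:
    network: str       # address range, e.g. "10.3.10.0/24"
    gateway: str       # next hop address, or "local" for a connected range
    cost: int
    interface: str     # interface whose address range contains the gateway
    holddown: int = 0  # seconds left before a cost-16 entry is removed

class RipRouter:
    def __init__(self, interfaces):
        """interfaces: {ifname: own address}, all /24 here; each connected range enters at cost 1."""
        self.interfaces = interfaces
        self.table = {}
        for ifname, addr in interfaces.items():
            net = str(ipaddress.ip_interface(f"{addr}/24").network)
            self.table[net] = RouteEntry(net, "local", 1, ifname)

    def advertise(self, out_if, poisoned_reverse=False):
        """(network, cost) pairs sent out of out_if. Split horizon omits the interface's
        own range and every route whose next hop lies in it; Poisoned Reverse sends those
        at cost 16 instead, so the neighbor can never pick this router as their next hop."""
        update = []
        for e in self.table.values():
            if e.interface == out_if:
                if poisoned_reverse:
                    update.append((e.network, INFINITY))
            else:
                update.append((e.network, e.cost))
        return update

    def process_update(self, sender, in_if, update):
        """The 'Processing inbound RIP updates' flowchart, applied per advertised range."""
        for net, adv_cost in update:
            cost = min(adv_cost + 1, INFINITY)  # add the inbound interface cost
            entry = self.table.get(net)
            if entry is None:
                # New range: create an entry (a range advertised as unreachable
                # is not stored; the flowchart leaves that case implicit).
                if cost < INFINITY:
                    self.table[net] = RouteEntry(net, sender, cost, in_if)
            elif entry.gateway == sender:
                # Variation 1: the current next hop is authoritative, so accept
                # whatever it advertises, even a worse cost, and restart ageing.
                entry.cost = cost
                entry.holddown = HOLDDOWN if cost == INFINITY else 0
            elif cost < entry.cost:
                # Variation 2: another neighbor offers a lower cost path.
                self.table[net] = RouteEntry(net, sender, cost, in_if)
            # Otherwise ignore: the table already holds an equal or better path.

    def link_down(self, ifname):
        """Cost 16 for the failed interface's range and every route whose next hop
        lies inside that range; the Holddown Timer starts for each."""
        for e in self.table.values():
            if e.interface == ifname:
                e.cost, e.holddown = INFINITY, HOLDDOWN

    def tick(self, seconds):
        """Run the Holddown Timer; drop cost-16 entries that nothing has displaced."""
        for net, e in list(self.table.items()):
            if e.cost == INFINITY:
                e.holddown -= seconds
                if e.holddown <= 0:
                    del self.table[net]

def exchange(links, rounds=3, poisoned_reverse=False):
    """Each link carries one periodic update in each direction per round."""
    for _ in range(rounds):
        for a, a_if, b, b_if in links:
            b.process_update(a.interfaces[a_if], b_if, a.advertise(a_if, poisoned_reverse))
            a.process_update(b.interfaces[b_if], a_if, b.advertise(b_if, poisoned_reverse))

def build_mesh():
    """The R1/R2/R3 full mesh from the slides (172.16.150.0/24 omitted): R1-R2 on 10.0.64.0/24,
    R2-R3 on 10.0.65.0/24, R1-R3 on 10.0.66.0/24; the If1/If2/Loop1 names are constructed."""
    r1 = RipRouter({"If1": "10.1.10.1", "If2": "10.1.30.1", "Loop1": "10.1.0.1",
                    "If3": "10.0.64.1", "If4": "10.0.66.1"})
    r2 = RipRouter({"If1": "10.2.20.1", "If2": "10.2.40.1", "Loop1": "10.2.0.1",
                    "If3": "10.0.64.2", "If4": "10.0.65.1"})
    r3 = RipRouter({"If1": "10.3.10.1", "If2": "10.3.30.1", "Loop1": "10.3.0.1",
                    "If3": "10.0.65.2", "If4": "10.0.66.2"})
    links = [(r1, "If3", r2, "If3"), (r1, "If4", r3, "If4"), (r2, "If4", r3, "If3")]
    return r1, r2, r3, links

def mesh_link_failure():
    """Converge the mesh, fail the R2-R3 link, let the surviving links reconverge."""
    r1, r2, r3, links = build_mesh()
    exchange(links)
    r2.link_down("If4")
    r3.link_down("If3")
    exchange(links[:2])  # only the R1-R2 and R1-R3 links remain
    return r1, r2, r3
```

mesh_link_failure() reproduces slides (1) to (3): after the R2-R3 link fails, R2 reaches the 10.3.x.x networks via 10.0.64.1 at cost 3, and its poisoned 10.0.65.0/24 entry disappears once tick(90) expires the Holddown Timer.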


Connecting to a core router

[Diagram: core router C1 with four edge routers R1 to R4, each attached over its own link network: R1 10.0.64.2/24 on 10.0.64.0/24, user networks 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24; R2 10.0.65.2/24 on 10.0.65.0/24, user networks 10.2.10.0/24, 10.2.20.0/24, 10.2.30.0/24; R3 10.0.66.2/24 on 10.0.66.0/24, user networks 10.3.10.0/24, 10.3.20.0/24, 10.3.30.0/24; R4 10.0.67.2/24 on 10.0.67.0/24, user networks 10.4.10.0/24, 10.4.20.0/24, 10.4.30.0/24.]

• Connect user networks and resource networks to core to provide equal access
• Each link between routers is in a different network

This example illustrates a more scalable alternative to the routing mesh. In this hierarchical solution, four “edge” routers—that is, routers that support user networks—are connected to a “core” router whose primary responsibility is to interconnect other routers. This configuration eliminates the potential bottlenecks in the routing mesh shown earlier.

The routers place each physical port into a different broadcast domain. Because every connection between an edge router and the core router is in a different broadcast domain, each connection takes up a different network address. If you are trying to interconnect many locations, you could use up the IP address space quickly.


Connecting to a core routing switch

[Diagram: core routing switch C1 with edge routers R1 to R4 whose uplinks all share Network 10.0.64.0/24: R1 10.0.64.2/24 (user networks 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24 …); R2 10.0.64.3/24 (10.2.10.0/24, 10.2.20.0/24, 10.2.30.0/24 …); R3 10.0.64.4/24 (10.3.10.0/24, 10.3.20.0/24, 10.3.30.0/24 …); R4 10.0.64.5/24 (10.4.10.0/24, 10.4.20.0/24, 10.4.30.0/24 …).]

• Routing switches often support higher bandwidth
• Placing edge router uplinks in the same broadcast domain conserves network addresses

You can relieve the strain on IP address space by putting into the same broadcast domain all of the router interfaces that connect the edge routers to the core network.

Flexible assignment of physical ports to router interfaces is one of the primary advantages that a routing switch has over a traditional router. The routing switch also supports higher speed interfaces than most traditional routers. Consequently, the network upgrade at ProCurve University will include the replacement of traditional routers with routing switches that support dynamic routing protocols as well as the definition of static routes.


Connecting to redundant core

Providing multiple paths between users and resources:
• Provides resilience
• May increase core capacity

[Diagram: two core routing switches, C1 on Network 10.0.64.0/24 and C2 on Network 10.0.65.0/24, each connected to every edge router: R1 10.0.64.2/24 and 10.0.65.2/24 (user networks 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24 …); R2 10.0.64.3/24 and 10.0.65.3/24 (10.2.10.0/24, 10.2.20.0/24, 10.2.30.0/24 …); R3 10.0.64.4/24 and 10.0.65.4/24 (10.3.10.0/24, 10.3.20.0/24, 10.3.30.0/24 …); R4 10.0.64.5/24 and 10.0.65.5/24 (10.4.10.0/24, 10.4.20.0/24, 10.4.30.0/24 …).]

ProCurve University’s network upgrade will feature a redundant core such as the one shown. A redundant core can provide for recovery in the event of link failures. Furthermore, some routers can make use of multiple equal-cost paths to the same destination. On some routers, this feature works automatically; on others, it must be configured. Still other products will only use the first path to each destination that they find. If and when a second neighbor advertises an equal-cost path to the destination, the router stays with the one it learned first.

You can determine if your router supports equal-cost multipath (ECMP) by inspecting the route table. If you see multiple entries to the same destination that have different “Gateway” values, it usually means that your router is sharing the load toward that destination over all of the links. The maximum number of ECMP routes is usually configurable, as is the method the router uses to determine which packets will follow each route.


Routing among locations at ProCurve University

• Routers learn best path to destination networks at their own location by exchanging routing information with neighbors
• One or two routers from each location exchange routing information with core routers

[Diagram: University intranet core, Networks 10.0.0.0/24 through 10.0.255.0/24, connecting three campuses. Southwest campus: hosts in address range 10.1.0.0 – 10.1.255.255 (networks 10.1.0.0/24, 10.1.1.0/24 … 10.1.255.0/24, up to 255 networks). Northwest campus: hosts in address range 10.2.0.0 – 10.2.255.255 (10.2.0.0/24, 10.2.1.0/24 … 10.2.255.0/24, up to 255 networks). Northeast campus: hosts in address range 10.3.0.0 – 10.3.255.255 (10.3.0.0/24, 10.3.1.0/24 … 10.3.255.0/24, up to 255 networks).]

Each of ProCurve University’s three campuses has its own network with an address range of 10.x.0.0/24 to 10.x.255.0/24. The campuses interconnect through an intranet core with addresses in the range of 10.0.0.0/24 to 10.0.255.0/24.

The routing infrastructure supports more than 750 user networks distributed across three physical locations. While the technologies in place are similar to earlier examples, which showed only eight user networks, the complexity of this topology presents a few new challenges.

For instance, because there are so many networks at each location, it would be inefficient or even impossible to connect every router to the intranet core. Instead, the topology features redundant links among routers at each location. Another layer of routers aggregates the traffic from the hosts at each location and connects that location to the core. This multi-layered hierarchical approach can be scaled to support a network with hundreds of locations, if necessary.


Dynamic route exchange

• If routers exchange entire route database with neighbors, they obtain detailed information about the networks at every location
• Storing detailed information about other locations can result in inefficient use of route table space

[Diagram: Intranet core, Networks 10.0.0.0/24-10.0.255.0/24, connecting Location A (hosts in address range 10.1.0.0 – 10.1.255.255; networks 10.1.0.0/24-10.1.255.0/24, up to 256 networks), Location B (10.2.0.0 – 10.2.255.255; 10.2.0.0/24-10.2.255.0/24, up to 256 networks) and Location C (10.3.0.0 – 10.3.255.255; 10.3.0.0/24-10.3.255.0/24, up to 256 networks). Each location’s router learns the core networks plus the other two locations’ networks: Location A learns 10.0.0.0/24-10.0.255.0/24, 10.2.0.0/24-10.2.255.0/24, 10.3.0.0/24-10.3.255.0/24 (up to 768 networks); Location B learns 10.0.0.0/24-10.0.255.0/24, 10.1.0.0/24-10.1.255.0/24, 10.3.0.0/24-10.3.255.0/24 (up to 768 networks); Location C learns 10.0.0.0/24-10.0.255.0/24, 10.1.0.0/24-10.1.255.0/24, 10.2.0.0/24-10.2.255.0/24 (up to 768 networks). Each router may have up to 1,024 route table entries.]

This diagram illustrates a hierarchical topology that requires all inter-location traffic to transit the core. If the router that connects each location to the core advertises all 256 of its networks, every router in the entire intranet will have over 750 entries in its route table. This is highly inefficient because it is not necessary for every router to know every network.

To avoid this inefficiency, IP network designers usually assign contiguous address space to physically separated locations, regardless of whether they are buildings within the same campus separated by a short distance or campuses within a larger enterprise that are separated by a greater distance. This makes it possible to summarize the address space, enabling a range of networks to be represented by a single route table entry.


Network summarization

• Network summarization requires hierarchical addressing scheme
• Summaries provide a starting address and mask that describes a range of addresses
• Benefits include:
  – Minimize the number of route table entries
  – Enable more efficient route table lookup
• Summarization methods within an autonomous system:
  – Networks that use RIP
    • Define a static route that specifies range’s starting address and mask, next hop (gateway), and path cost
    • Disable RIP on the interface that connects to the summarized address range
  – Networks that use OSPF
    • May be divided into administratively defined “areas”
    • Summaries configured at area boundaries

Often, routers at a location have a limited number of paths to the networks within a given address range. In these cases, you can increase routing efficiency by replacing many individual, specific network advertisements with a single statement that specifies a larger range of addresses using a shorter mask. In all cases, a shorter mask specifies a larger address range and a longer mask specifies a smaller range. Any starting address with a 24-bit mask specifies a range with 256 addresses. A starting address with a 16-bit mask specifies a range of 65,536 addresses.

This process is known as “network summarization.” In most vendor implementations, neither RIP nor OSPF performs this summarization automatically; both require that you perform some additional configuration steps to enable network summarization.


Summarization of address space using static routes

[Diagram: Location A (10.1.0.0/16) with edge routers A11, A12, A13 and A14 behind routers A1 and A2, which connect to the Intranet core (10.0.0.0/16).]

Routers A1 and A2:
• Are configured with static default route 0.0.0.0/0; next hop is a core router interface
• Include the static route in RIP updates they send to the edge routers (A11-A14) at Location A

Intranet core router is configured with two static summary routes toward address range 10.1.0.0/16:
• One specifies A1 as next hop
• Another specifies A2 as next hop

In networks that implement RIP, static routes usually provide the mechanism for network summarization.

In this example, network summarization will prevent routers in Location A from obtaining detailed, specific advertisements for every network in the intranet. This process requires two steps:

1. Disable the operation of RIP on both sides of the links that connect Routers A1 and A2 to the intranet core. This, of course, prevents the routers in Location A from processing RIP advertisements sent from the core.

2. Define static routes for the path to networks or address ranges that do not appear as more specific routes in the route table.

In the example, the goal is to provide a path for hosts at Location A to reach all non-local destinations, including addresses on the public Internet. To accomplish this, you would specify the default route (0.0.0.0/0) that uses an intranet core interface as the next hop.


While the core router may use a default static route to reach addresses in the public Internet, it can’t use the default route to reach hosts at different locations. Instead, the intranet core might have a summarized route to each location. Because the addressing scheme is hierarchical, and all hosts between 10.1.0.0 and 10.1.255.255 are at Location A, you can define a static summary route for the path the core router has to Location A with the starting address 10.1.0.0 and a 16-bit mask (10.1.0.0/16). The 16-bit mask defines a range of over 65,536 addresses, although some number of the addresses in this range would be inappropriate for host addressing purposes.

For purposes of Layer 3 forwarding, a route table entry with a 16-bit mask matches a large range of destination addresses. For example, if a router within the intranet core needs to forward traffic toward any of the potentially 65,536 addresses between 10.1.0.0 and 10.1.255.255, it will forward the traffic to the next hop gateway in the 10.1.0.0/16 route table entry.

Although the diagram shows detailed operation only for Location A, the same procedures would be used for other locations. The intranet core router(s) would need to have static routes specifying each of the locations’ address ranges. Each router would forward traffic destined for a given address range in the direction of the appropriate location. The routers that connect each location to the intranet core would use the default route to forward all traffic for which they do not have a more specific route in their route tables.


Route table lookup

IP route table is a list of address ranges that may specify:
• A single network
• A network summary expressed as a starting address and mask

Route table lookup procedure:
• Compare packet’s destination IP address with route table entries
• If there is a match, forward the packet to the specified gateway (next hop)
• If there is more than one match, forward the packet to the gateway specified by the most specific match
• If there is no match, discard the packet

Default route:
• Ultimate summarized route specifies the entire IP address space (over 4 billion addresses)
• Only packets without a more specific match will be forwarded toward the default route

Although a packet’s destination address may match with multiple route table entries, the router does not stop its evaluation on the first match. When a route table contains multiple matches for an address, the most specific match defines the path the packet will take. The router follows the entry that has the longest mask; that is, the entry that is the most specific match with the packet’s destination address.

Every address in the entire IP address space—between 0.0.0.0 and 255.255.255.255—is included in the range specified in the static default route. Consequently, every packet will match with the default route. However, packets whose destination addresses are within the specific ranges that appear in the route table will match with two entries and will follow the most specific route.
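The longest-match lookup described above, together with the static summaries from the Location A example, as an added example written for this guide rather than ProCurve code: the CORE_TABLE and A1_TABLE entries and their gateway addresses are constructed, and summary_for() is an assumed helper that finds the starting address and mask covering a list of networks (the hierarchical-addressing precondition for summarization).

```python
import ipaddress

# Constructed tables modelled on the Location A example. The default route is
# listed first on purpose: the lookup must not stop at the first match.
CORE_TABLE = [
    ("0.0.0.0/0", "ISP next hop (placeholder)"),  # default toward the public Internet
    ("10.0.0.0/16", "local"),                     # the intranet core itself
    ("10.1.0.0/16", "10.0.64.2"),                 # static summary toward Location A via A1
    ("10.2.0.0/16", "10.0.65.2"),                 # static summary toward Location B
]
A1_TABLE = [
    ("0.0.0.0/0", "10.0.64.1"),      # static default route; next hop is a core router interface
    ("10.0.64.0/24", "local"),       # link to the core (RIP disabled on it)
    ("10.1.10.0/24", "10.1.64.11"),  # specific routes learned by RIP from the edge routers
    ("10.1.20.0/24", "10.1.64.11"),  # (gateway addresses constructed for the example)
    ("10.1.30.0/24", "10.1.64.12"),
]

def lookup(route_table, destination):
    """Longest-match lookup: every matching entry is examined and the one with the
    longest mask wins. Returns (network, gateway), or None when nothing matches,
    in which case the router discards the packet."""
    dst = ipaddress.ip_address(destination)
    best = None
    for network, gateway in route_table:
        net = ipaddress.ip_network(network)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return None if best is None else (str(best[0]), best[1])

def summary_for(networks):
    """Smallest single starting address and mask that covers every listed network:
    shorten the mask one bit at a time until all of them fit inside the candidate."""
    nets = [ipaddress.ip_network(n) for n in networks]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return str(candidate)

def range_size(network):
    """Number of addresses a starting address and mask describe (256 for a /24)."""
    return ipaddress.ip_network(network).num_addresses
```

A destination inside 10.1.0.0/16 matches both the default route and the summary on the core router, and the summary wins because its mask is longer; on A1, a destination with no specific /24 entry falls through to the default route.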


Advertising static routes

[Diagram: Location A (10.1.0.0/16) with edge routers A11, A12, A13 and A14 behind routers A1 and A2, which connect to the Intranet core (10.0.0.0/16).]

• Routers A1 and A2 must be able to advertise default route within RIP updates
• If there are other routers in the intranet core, this RIP router may be configured to advertise the static routes to its neighbors
• Edge routers A11-A14 must be able to accept the default route advertisement (0.0.0.0/0)

Often, network summarization using static routes requires further configuration for the routers that advertise the static routes and the routers that receive them. However, because network equipment manufacturers implement the relationship between RIP and static routes in different ways, you should consult product documentation to determine what configuration is necessary.

In the example, the static route is defined on routers A1 and A2. It may be necessary to configure these routers to “redistribute” static routes, including the default route. The recipient routers (A11-A14) may also need to be configured to “listen” for the default route.

These configuration steps often are necessary because routers usually consider RIP-learned routes, directly connected routes, and static routes to be different “sources” of route information. Most routers automatically redistribute directly connected network address ranges into RIP advertisements, but the choice of whether to automatically redistribute static routes is up to vendor implementation.

Additionally, most routers enable the definition of filter lists for redistribution, which allows an administrator to selectively redistribute static routes. For example, some static routes may be useful locally but unsuitable for use by neighboring routers.


Many routers treat the default static route as a special case of static route. That is, without special configuration, some routers will not place the default route into their route tables, even if it is advertised within a RIP update. If a router does not automatically listen for or accept the default route, it is usually possible to enable default route listening selectively or for all RIP interfaces on the router.

Equal cost multipath

After the routers are configured to accept or listen for the default route, it is treated just like any other address range. If a router has a neighbor advertising the default route at a cost of 2 and another advertising the default route at a cost of 3, it will choose the lower cost path. If the next hop router stops advertising the default route and the entry ages out of the route table, the router will replace the invalid route with a valid one.

In the example, Routers A11 through A14 each have two paths to the core and, therefore, two paths to resources that may be available through the core. Whether a given router will use the first-heard route or place both routes in its table and share the traffic between them is entirely dependent on the router’s feature set. At the very least, the second connection to the core provides redundancy.


Module 1 summary

In this module, you learned:
• The basic types of router interfaces
• How the route table stores route information
• The types of routing protocols
• How RIP routers advertise routes and determine the best path to a given resource
• The operation of Split Horizon and Poisoned Reverse
• How network summarization enables efficient route tables

Module 1 of IP Routing Foundations introduced the basic concepts of IP routing, with an emphasis on RIP. Specific topics included types of router interfaces, the basic operation of RIP, and the types of routing protocols.


Learning check Module 1


1. What are the four types of router interfaces?


2. What is the difference between an Interior Gateway Protocol and an Exterior Gateway Protocol?


3. Name and describe one important disadvantage of RIP.


4. What is “Split horizon”?

............................................................................................................................

............................................................................................................................

............................................................................................................................

5. What is network summarization and why is it necessary?

............................................................................................................................

............................................................................................................................

............................................................................................................................

6. What is “poisoned reverse”?

............................................................................................................................

............................................................................................................................

............................................................................................................................

Module 2: OSPF Routing

Objectives

After completing this module, you will be able to:
• Compare and contrast RIP and OSPF
• Explain why OSPF provides more efficient routing than RIP in large-scale intranets
• Describe the basic process for propagating route information throughout OSPF domains
• Describe the roles of the OSPF router types
• Explain the functions of the OSPF message types
• Describe the OSPF area types and their proper uses
• Explain the process of network summarization for OSPF domains

OSPF at ProCurve University

Intranet characteristics that make OSPF a good choice for IGP
• Infrastructure provides multiple paths to each address range
• Complex connectivity provided by links with varying bandwidth
• Topology is hierarchical
• Addressing scheme is hierarchical, following physical hierarchy

Plan for ProCurve University intranet upgrade includes:
• High availability characteristics
– Locations are interconnected through dual core
– Redundant links within each location
• Hierarchical addressing scheme
– Address range will be assigned to networks within each campus location
– Address range will be assigned to networks within intranet core


Often, OSPF is a better choice than RIP as an IGP. This is especially true in intranets that provide multiple paths to each address range, have complex connectivity with links of varying bandwidth, and have hierarchical addressing schemes and topologies.

The network upgrade at ProCurve University will include an OSPF implementation for the reasons shown. Specifics about the design and implementation will be described in Routing Switch Essentials.

Basic OSPF interactions

This section covers:
• Hierarchy
• Message types
• Router communications
• Distribution of link state changes
• External route information

The first section of Module 2 describes the basic interactions between OSPF routers. Specific topics include the OSPF hierarchy, OSPF Hello messages, and the link state messages and database.

OSPF routing protocol

Benefits when compared with RIP
• Faster convergence
– Advertisements flooded throughout domain
– Each router advertises only its own connected networks
• Intelligent path selection
– Supports variable link cost assignment
• Scalable with no specific limit on the number of router hops between a source and destination host


The benefits of OSPF are most evident in large intranets with redundant routed links. Unlike RIP routers, OSPF routers are immediately aware of changes in network topology and can quickly adjust their next hop information for remote networks.

When a network becomes unavailable due to link failure, the OSPF routers connected to the network immediately pass the information on to all routers in the area. By contrast, RIP updates move from hop to hop, which delays convergence and can cause routers to have contradictory or inconsistent information in their route tables.

OSPF hierarchy: Routers and networks

OSPF routers
• Uniquely identified by a 32-bit value written in dotted decimal
• Establish a formal relationship known as an ‘adjacency’ with neighbors
• Advertise their own directly connected networks and associated link cost

OSPF networks
• Uniquely identified by starting address and mask
• Classified based on their function in the ‘tree’ that represents the collection of routers and networks
– ‘Transit’ networks can carry traffic destined for other networks
– ‘Stub’ networks have a single entry/exit point

Figure: R1A (Router ID 10.1.208.1) and R1B (Router ID 10.1.209.1) share the transit network 10.1.64.0/24; the stub networks 10.1.10.0/24 and 10.1.20.0/24 each hang off a single router.

Several important features of OSPF routers and networks enable them to function more efficiently than RIP routers and networks. In particular, the networks and routers in an OSPF domain follow a specific hierarchy that enables efficient communication.

OSPF Router ID

An OSPF router uses its Router ID—a unique 32-bit dotted decimal value—to advertise itself and its connected networks and neighbors to all other OSPF routers. By contrast, a RIP router gathers information about its immediate neighbors from periodic updates.

Most vendors’ OSPF implementations apply rules for selecting a Router ID from among the router’s active IP interfaces if an administrator has not statically defined one. Many routers require the Router ID to match the address of an active interface. The loopback address is often the default choice because the loopback is the interface least likely to become unavailable. The Router ID is only an identifier, but it must be unique within the OSPF domain: two routers that share a Router ID cannot become neighbors.

OSPF adjacencies

One primary task of an OSPF router is to establish a formal relationship, called an “adjacency,” with routers on its local networks. In the example, R1A has three OSPF interfaces, one of which is its loopback interface. It periodically sends “Hello” messages through all of those interfaces in an effort to find neighbors and establish adjacencies. After the adjacency is established, OSPF routers periodically send Hello messages indefinitely to maintain their relationship.


For each of its IP interfaces, the OSPF router applies the assigned mask to the assigned IP address to derive the local address range, and its advertisement describes every locally connected network, including the one the advertisement is sent on. By contrast, if the routers in the example were configured for RIP, Split Horizon rules would prohibit R1A from advertising network 10.1.64.0/24 on the interface connected to that network.

OSPF network types

Unlike RIP, OSPF routers differentiate among network types in their advertisements. The OSPF version 2 specification (RFC 2328) defines several network types (broadcast, point-to-point, non-broadcast, and others) and several link types within a Router LSA. For this discussion, however, they fall into two main categories:

1. Transit networks have two or more connected routers. As such, they are potential paths for traffic that originates within or is destined for some other network.

2. Stub networks have only one router. They are considered stubs because there is only one point of entry (router) to the network. Traffic destined for a stub network is forwarded into it by that router, but traffic bound for other networks is never forwarded through a stub network. Stub networks will be discussed in more detail later in this module.

OSPF routers determine whether a network is stub or transit by listening for neighbors. If a router detects at least one neighbor on an interface, the network is a transit network. The router finds no neighbors on stub networks.

By default, OSPF routers will continue sending Hello messages on all interfaces, including those that lead to stub networks. Most OSPF routers send Hello messages through their loopback interfaces, even though they are completely isolated from physical network media and will never lead to neighbors.

However, administrators can configure OSPF routers to not send advertisements through specific interfaces, including the loopback. Many router platforms allow administrators to define certain OSPF interfaces, including the loopback interface, as “passive.” An OSPF router will not send Hello messages through passive interfaces and consequently will not form adjacencies or flood updates into the connected network.

OSPF area

• A group of networks interconnected by OSPF routers
• Area ID may be expressed as a decimal or dotted decimal number
• Networks are identified as members of an area by their connected routers

Figure: everything shown is in Area 0. Location 1: R1A (Router ID 10.1.208.1) and R1B (Router ID 10.1.209.1) with networks 10.1.64.0/24, 10.1.20.0/24 and 10.1.10.0/24. Location 2: R2A (Router ID 10.2.208.1) and R2B (Router ID 10.2.209.1) with networks 10.2.64.0/24, 10.2.20.0/24 and 10.2.10.0/24. Core: C1 with network 10.0.100.0/24.

The next level in the OSPF hierarchy is the area, which is a contiguous collection of networks. Every OSPF router must belong to at least one area.

An area receives its ID from the routers whose networks are contained within it. Two routers that share a network must agree on its area ID. If the routers do not assign the same area ID to the network, they will fail to form an adjacency. Without an adjacency, the routers will not share information and will not forward IP traffic over the network. They will, however, continue attempting to form an adjacency indefinitely until an administrator resolves the conflict.

All routers that are interconnected by networks that have a common area ID will obtain detailed information about the networks connected to other routers in the area. When a router originates a Router Link State Advertisement (LSA), it sends it to its immediate neighbors, who in turn flood the LSA to all of their neighbors without changing it. In this manner, every Router LSA reaches every router in the area. As a result, every router in the area has an identical collection of router LSAs.

Unlike RIP advertisements, the OSPF advertisement does not immediately yield a next hop gateway for the receiving router to place in its route table. Instead, each router uses the collected advertisements to build a tree, using itself as the root, that represents the shortest path to all of the routers and networks in the area. Each router produces a set of route table entries based on the tree.


Any router that experiences a change in the state of one of its links must immediately send a new instance of its Router LSA to inform all of the routers in the area of the change. Routers flood the advertisement over the networks that constitute the area. Receipt of a new LSA causes every router in the area to rebuild its shortest path first (SPF) tree from the most current information and, depending on where each router sits relative to the link whose state has changed, possibly place new next hop gateway values in its route table.

OSPF hierarchy: Autonomous System

OSPF Autonomous System (AS)
• A collection of interconnected OSPF areas, one of which is Area 0 (backbone)
• Area Border Routers (ABR) connect non-backbone areas to backbone

Figure: Area 0 (the backbone) in the center; Area 1, Area 2 and Area 3 each attach to it through an ABR.

The highest level of hierarchy in an OSPF domain is the Autonomous System (AS), which is a collection of interconnected areas. Each area is a portion of the AS where routers exchange detailed information about their link states. It is certainly possible for all of the routers and networks in an AS to be placed into the same OSPF area. However, this approach will limit the maximum number of routers and networks that can be efficiently serviced.

For best results, the logical addressing hierarchy should follow the physical hierarchy. Networks that are in the same physical location should be assigned addresses within a range that can be expressed using a starting address and mask.

OSPF router boots up

First actions taken by a router with active OSPF interfaces:
• Create a Router LSA that describes its connected OSPF networks, store in link state database
• Send Hello messages over all OSPF interfaces every 10 seconds

Figure: R1A (Router ID 10.1.208.1) has three OSPF interfaces: Loopback 1 (10.1.208.1), 10.1.10.1/24 (OSPF cost 100) and 10.1.64.1/24 (OSPF cost 10). R1B is attached to 10.1.64.0/24 (as 10.1.64.2/24 on the following pages) and to 10.1.30.0/24, but OSPF is not enabled on R1B.

R1A’s Router LSA:
Type: Router LSA; Link State ID: 10.1.208.1; Adv. Router: 10.1.208.1; Sequence: 0x80000001
No. of links: 3
Stub 10.1.10.0/24 cost 100
Stub 10.1.64.0/24 cost 10
Stub 10.1.208.0/24 cost 1

R1A’s Hello packet on 10.1.64.0/24 (the Hello sent on 10.1.10.0/24 is identical except that its source address is 10.1.10.1):
IP header: Src 10.1.64.1, Dst 224.0.0.5
OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
Hello packet: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec

When an OSPF router boots up or when OSPF is activated, the router immediately performs two tasks. It places information about its own connected networks into its link state database and begins looking for neighbors on its connected networks.

The first entry in every OSPF router’s Link State Database is its own Router LSA. The diagram shows the highlights of the Router LSA for R1A. The sequence number is a signed 32-bit value written in hexadecimal; RFC 2328 reserves 0x80000000 and defines 0x80000001 as the initial sequence number, so that value indicates this is R1A’s first instance of its Router LSA. All of R1A’s networks are described as “stub” links because it has not discovered any neighbors at this point.

If R1A later detects any change in the state of its connected networks—that is, if any of the networks go down or if additional OSPF networks are configured—the router will create a new LSA containing the most recent information and replace the one currently in the database.

Hello messages

At this point R1A is the only OSPF router in its area: it is directly connected to R1B, but OSPF is not enabled on R1B. Even so, immediately after it boots up, R1A begins sending Hello messages over all of its interfaces, including network 10.1.64.0/24. Because the formation of adjacencies is crucial to OSPF operation, R1A will continue sending Hello messages on that interface unless the interface goes down or an administrator explicitly defines it as passive.

Exchanging Hello packets

OSPF routers
• Send Hello packets periodically to
– Exchange their Router IDs
– Verify that they agree on their shared network’s mask and the area to which it is assigned
– Propose or confirm parameters of their relationship, including timers
• Do not use Hello packets to share information about networks other than the one they share

Figure: R1A (Router ID 10.1.208.1, address .1) and R1B (Router ID 10.1.209.1, address .2) on 10.1.64.0/24; R1A also connects 10.1.10.0/24 and R1B connects 10.1.30.0/24.

R1A’s Hello:
IP header: Src 10.1.64.1, Dst 224.0.0.5
OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
Hello packet: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Neighbor: 0.0.0.0 (none seen yet)

R1B’s first Hello:
IP header: Src 10.1.64.2, Dst 224.0.0.5
OSPF header: Source router 10.1.209.1, Area ID 0.0.0.0
Hello packet: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Neighbor: 10.1.208.1

In this example, OSPF has been activated on R1B. This router has created a Router LSA that represents its own connected networks, stored the LSA in its link state database, and sent its first Hello packet.

All OSPF packets are carried directly in IP datagrams (IP protocol number 89) without using TCP or UDP. The destination address in the IP datagram header of a Hello is the multicast address 224.0.0.5 (AllSPFRouters), which is reserved for OSPF routers. (Other types of OSPF communication are sent to unicast addresses.)

The information each OSPF router includes in its Hello packets includes the area ID, which must be identical if the routers are to become adjacent. In the example, the networks are identified as members of the backbone area, known as Area 0.0.0.0 or Area 0. (Other special properties of Area 0 will be discussed later in this module.)

In addition to an area ID, each OSPF interface is configured with values that define its expectations for neighbor interaction. These include the Hello interval, which is the interval between the router’s Hello messages, and the dead interval, which is the interval that a router will wait for a neighbor’s Hello messages before considering the neighbor to be down.


In the example above, one of R1A’s Hello packets arrived at R1B before it sent its first Hello packet. R1B compared R1A’s proposed parameters with its own configured parameters. R1B’s Hello messages signaled acceptance of R1A’s Hello messages because the source address in the IP datagram header is in the same address range as the address configured on the receiving interface and because the following parameters were identical:

Area ID

Subnet mask

Hello interval

Dead interval

If any of these parameters differed in the two routers’ messages, or if the routers had the same Router ID, the routers would not move to the next state. Instead, they would continue sending Hello packets with an empty Neighbor field indefinitely, without including each other’s Router ID in the Hello packets they send.

Most routers report parameter mismatches in an event log. In the event of a mismatch, log entries include error messages indicating which parameter was mismatched. The logs also include an error message if Router IDs are identical.

Two-way neighbor recognition

• After initial Hello packet exchange each router includes neighbor’s Router ID in Hello packets
• When a router sees its own Router ID in a Hello packet from a neighbor, it enters the ‘Two-way’ state
• When both routers are in the Two-way state, they may proceed to the next step toward adjacency

Figure: R1A (Router ID 10.1.208.1, .1) and R1B (Router ID 10.1.209.1, .2) on 10.1.64.0/24, with 10.1.10.0/24 behind R1A and 10.1.30.0/24 behind R1B.

R1A’s Hello: IP Src 10.1.64.1, Dst 224.0.0.5; OSPF header Source router 10.1.208.1, Area ID 0.0.0.0; Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Neighbor: 10.1.209.1

R1B’s Hello: IP Src 10.1.64.2, Dst 224.0.0.5; OSPF header Source router 10.1.209.1, Area ID 0.0.0.0; Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Neighbor: 10.1.208.1

R1A and R1B now send Hello packets every 10 seconds. When R1A receives R1B’s Hello packet, which lists R1A’s own Router ID (10.1.208.1) in its Neighbor field, R1A enters the “two-way” state and begins sending Hello packets that list Router ID 10.1.209.1 as a neighbor; when R1B sees its own Router ID in those packets, it enters the two-way state as well. This is the next step on the path toward adjacency.

Because R1A and R1B are the only two routers on network 10.1.64.0/24, they will become adjacent. However, not all routers that share a network will become adjacent. In a network that contains many routers, it would be resource-intensive to establish a full mesh of adjacencies among all of the routers. Consequently, the OSPF specification includes a solution for ensuring that routers won’t form so many adjacencies that routing efficiency is compromised. (This solution will be discussed in more detail later in this module.)
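The Hello exchange and acceptance checks described above, as an added example that is not part of this guide: the code builds and parses OSPFv2 Hello packets in the RFC 2328 wire format, applies the checks a receiving router makes (source on the local subnet, matching area ID, mask and timers, distinct Router ID), and replays the R1A/R1B sequence to show when each side reaches the two-way state. Router IDs, addresses and timers reuse the guide’s values; every packet is constructed in code, not captured from a router.

```python
"""Added example, not part of the ProCurve guide: build and parse OSPFv2 Hello
packets (RFC 2328 formats) and apply the neighbor-acceptance rules the text
describes. Router IDs, addresses and timers reuse the guide's R1A/R1B values;
every packet here is constructed in code, not captured from a router."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

OSPF_VERSION, OSPF_HELLO = 2, 1
HDR_FMT = "!BBHIIHH8s"   # version, type, length, router ID, area ID, checksum, AuType, auth data
HELLO_FMT = "!IHBBIII"   # mask, HelloInterval, options, priority, RouterDeadInterval, DR, BDR
HDR_LEN, HELLO_LEN = struct.calcsize(HDR_FMT), struct.calcsize(HELLO_FMT)


def _ip(addr: str) -> int:
    return int(IPv4Address(addr))


def checksum(data: bytes) -> int:
    """Ones'-complement sum over the packet (RFC 1071); 0 means 'valid'. With
    AuType 0 the 8-byte auth field is zero, so it drops out as RFC 2328 requires."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Hello:
    router_id: str
    area_id: str
    mask: str
    hello_interval: int
    dead_interval: int
    priority: int = 1
    dr: str = "0.0.0.0"
    bdr: str = "0.0.0.0"
    neighbors: list = field(default_factory=list)   # Router IDs seen on this network

    def to_bytes(self) -> bytes:
        body = struct.pack(HELLO_FMT, _ip(self.mask), self.hello_interval, 0x02,
                           self.priority, self.dead_interval, _ip(self.dr), _ip(self.bdr))
        body += b"".join(struct.pack("!I", _ip(n)) for n in self.neighbors)
        fields = [OSPF_VERSION, OSPF_HELLO, HDR_LEN + len(body),
                  _ip(self.router_id), _ip(self.area_id), 0, 0, bytes(8)]
        fields[5] = checksum(struct.pack(HDR_FMT, *fields) + body)   # fill in the checksum
        return struct.pack(HDR_FMT, *fields) + body

    @classmethod
    def from_bytes(cls, pkt: bytes) -> "Hello":
        ver, ptype, length, rid, aid, _csum, autype, _auth = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
        if ver != OSPF_VERSION or ptype != OSPF_HELLO or length != len(pkt) or autype != 0:
            raise ValueError("not a well-formed OSPFv2 Hello with null authentication")
        if checksum(pkt) != 0:
            raise ValueError("bad OSPF checksum")
        mask, hello, _opts, prio, dead, dr, bdr = struct.unpack(HELLO_FMT, pkt[HDR_LEN:HDR_LEN + HELLO_LEN])
        nbrs = [str(IPv4Address(n)) for (n,) in struct.iter_unpack("!I", pkt[HDR_LEN + HELLO_LEN:])]
        ip = lambda v: str(IPv4Address(v))
        return cls(ip(rid), ip(aid), ip(mask), hello, dead, prio, ip(dr), ip(bdr), nbrs)


def accept_hello(local: Hello, local_addr: str, pkt: bytes, src_ip: str):
    """Checks a router applies to a received Hello, in the order the guide lists them.
    Returns (accepted, reason, two_way); two_way is True when our own Router ID
    appears in the sender's Neighbor list."""
    h = Hello.from_bytes(pkt)
    if IPv4Address(src_ip) not in IPv4Network(f"{local_addr}/{local.mask}", strict=False):
        return False, "source address not on the receiving interface's subnet", False
    for name, ours, theirs in (("area ID", local.area_id, h.area_id),
                               ("subnet mask", local.mask, h.mask),
                               ("hello interval", local.hello_interval, h.hello_interval),
                               ("dead interval", local.dead_interval, h.dead_interval)):
        if ours != theirs:
            return False, f"{name} mismatch", False      # what the event log would report
    if h.router_id == local.router_id:
        return False, "duplicate router ID", False
    return True, "ok", local.router_id in h.neighbors


def first_exchange() -> dict:
    """Replay the guide's sequence: R1A's Hello reaches R1B first, R1B answers
    listing R1A, and the next Hello from R1A lists R1B. Returns each side's state."""
    r1a = Hello("10.1.208.1", "0.0.0.0", "255.255.255.0", 10, 40)
    r1b = Hello("10.1.209.1", "0.0.0.0", "255.255.255.0", 10, 40)
    states = {}
    ok, _, two_way = accept_hello(r1b, "10.1.64.2", r1a.to_bytes(), "10.1.64.1")
    states["r1b_after_first_hello"] = "two-way" if two_way else ("init" if ok else "rejected")
    if ok:
        r1b.neighbors.append(r1a.router_id)
    ok, _, two_way = accept_hello(r1a, "10.1.64.1", r1b.to_bytes(), "10.1.64.2")
    states["r1a"] = "two-way" if two_way else ("init" if ok else "rejected")
    if ok:
        r1a.neighbors.append(r1b.router_id)
    ok, _, two_way = accept_hello(r1b, "10.1.64.2", r1a.to_bytes(), "10.1.64.1")
    states["r1b"] = "two-way" if two_way else ("init" if ok else "rejected")
    return states
```

The checks run in the same order a router applies them, so the first mismatch is the one reported; a timer or mask mismatch is the usual reason two routers that can see each other’s Hellos never get past the Init state. The checksum and length checks come first because a packet that fails them should not be interpreted at all.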

Designated Router election

• Specific adjacency formation procedures vary by network type
• When an Ethernet network supports only two routers, one is elected Designated Router (DR) and the other becomes Backup DR
• Additional routers form adjacencies with DR and Backup DR but not with each other
• DR is responsible for generating Network LSA

Figure: R1A (Router ID 10.1.208.1, .1) and R1B (Router ID 10.1.209.1, .2) on 10.1.64.0/24, with 10.1.10.0/24 behind R1A and 10.1.30.0/24 behind R1B. Both Hellos now carry the election result.

R1A’s Hello: IP Src 10.1.64.1, Dst 224.0.0.5; OSPF header Source router 10.1.208.1, Area ID 0.0.0.0; Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Designated Router: 10.1.64.2, Backup DR: 10.1.64.1, Neighbor: 10.1.209.1

R1B’s Hello: IP Src 10.1.64.2, Dst 224.0.0.5; OSPF header Source router 10.1.209.1, Area ID 0.0.0.0; Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Designated Router: 10.1.64.2, Backup DR: 10.1.64.1, Neighbor: 10.1.208.1

Because an Ethernet network can support many routers within the same broadcast domain, one OSPF router on each Ethernet network becomes the Designated Router (DR) and another becomes the Backup DR (BDR). Subsequent neighbors on the network become adjacent to the DR and BDR, but not to each other.

The DR has some additional responsibilities, which include generation of another LSA type, known as a Network LSA, which is generated after the DR and BDR have established full adjacency.

Typically, the first two routers on a multi-access network become the DR and the Backup DR. Administrators can influence DR selection by configuring a higher priority on an OSPF router’s interface to a multi-access network. However, if the first routers to connect to the network have equal priority, the one with the higher Router ID will become the DR. Once established in its role, the DR does not relinquish DR responsibility even if another router with a higher priority later becomes adjacent to it.
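The election rules just described, as an added example that is not from this guide: a simplified DR/BDR election that ranks candidates by priority and then by Router ID, never pre-empts an existing DR or BDR, and treats priority 0 as ineligible. RFC 2328 section 9.4 gives the full procedure. R1A and R1B use the guide’s Router IDs; R1C (10.1.210.1, priority 10) and R1D (10.1.250.1, priority 0) are constructed to exercise the late-arriving high-priority router and the never-eligible router. Routers are identified by Router ID here, whereas the Hello packets in the figure carry the DR’s interface address.

```python
"""Added example, not from the guide: a simplified DR/BDR election following
the rules stated in the text (priority first, then the higher Router ID; an
existing DR or BDR is never pre-empted; priority 0 is never eligible).
RFC 2328 section 9.4 has the full procedure. R1A and R1B use the guide's
Router IDs; R1C and R1D are constructed for this example."""
from ipaddress import IPv4Address


def _rank(rtr: dict) -> tuple:
    """Higher priority wins; ties go to the numerically higher Router ID."""
    return (rtr["priority"], int(IPv4Address(rtr["router_id"])))


def elect(routers: list, current_dr: str = None, current_bdr: str = None) -> tuple:
    """routers: [{'router_id': str, 'priority': int}] in Two-way state or better
    on the segment. current_dr/current_bdr: Router IDs from the previous election.
    Returns (dr, bdr); either may be None when nobody is eligible."""
    eligible = {r["router_id"]: r for r in routers if r["priority"] > 0}
    dr = current_dr if current_dr in eligible else None
    bdr = current_bdr if current_bdr in eligible else None
    if dr is None and bdr is not None:
        dr, bdr = bdr, None          # DR disappeared: the BDR is promoted without a contest
    if dr is None and eligible:
        dr = max(eligible.values(), key=_rank)["router_id"]
    if bdr is None:
        others = [r for rid, r in eligible.items() if rid != dr]
        if others:
            bdr = max(others, key=_rank)["router_id"]
    return dr, bdr


def segment_history() -> list:
    """Walk the segment through four events and record (DR, BDR) after each."""
    r1a = {"router_id": "10.1.208.1", "priority": 1}
    r1b = {"router_id": "10.1.209.1", "priority": 1}
    r1c = {"router_id": "10.1.210.1", "priority": 10}   # constructed: joins later with higher priority
    r1d = {"router_id": "10.1.250.1", "priority": 0}    # constructed: configured never to be DR/BDR
    history = []
    dr, bdr = elect([r1a, r1b])                      # first two routers: higher Router ID wins
    history.append((dr, bdr))
    dr, bdr = elect([r1a, r1b, r1c], dr, bdr)        # higher priority arrives: no pre-emption
    history.append((dr, bdr))
    dr, bdr = elect([r1a, r1c, r1d], dr, bdr)        # DR fails: BDR promoted, new BDR elected
    history.append((dr, bdr))
    dr, bdr = elect([r1d], dr, bdr)                  # only a priority-0 router remains
    history.append((dr, bdr))
    return history
```

With the guide’s two routers the result matches the figure: R1B (10.1.209.1) has the higher Router ID and becomes DR, R1A becomes BDR, and R1B keeps the role even after a router with priority 10 appears. Operationally this means the DR on a segment is whoever was there first, not whoever you intended; if a specific router must be DR, set its priority before it joins the segment rather than after.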

Exchanging Database descriptions

Figure: R1A (Router ID 10.1.208.1, .1) and R1B (Router ID 10.1.209.1, .2) on 10.1.64.0/24. Each router sends all LSA headers from its LSDB.

R1B to R1A: IP Src 10.1.64.2, Dst 10.1.64.1; OSPF header Source router 10.1.209.1, Area ID 0.0.0.0; DB Description packet, LSA Header 1: Type Router LSA, Link State ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000002

R1A to R1B: IP Src 10.1.64.1, Dst 10.1.64.2; OSPF header Source router 10.1.208.1, Area ID 0.0.0.0; DB Description packet, LSA Header 1: Type Router LSA, Link State ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002

R1A’s LSDB: 1 Router LSA, Link State ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002, 3 links: Stub 10.1.10.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.208.0/24 cost 1

R1B’s LSDB: 1 Router LSA, Link State ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000002, 3 links: Stub 10.1.30.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.209.0/24 cost 1

The next stage in the process of forming an adjacency is the exchange of link state database entries. In the example, each router’s link state database (LSDB) contains one entry—the Router LSA it created to advertise its own networks.

In the first phase of database synchronization, both routers send OSPF Database Description packets. The initial Database Description packets carry no LSA headers; they negotiate which router will be master of the exchange (the one with the higher Router ID), and each carries the sending interface’s MTU so that the neighbor knows the largest packet it can accept. Subsequent Database Description packets list the headers of the LSAs in the sender’s link state database. Each router compares the offered LSA headers with those in its own database.

In the example, the process is fairly quick because each router’s LDSB contains only its own Router LSA. However, in a larger intranet, each router may have hundreds of LSAs in its database and it is possible that the list of LSA headers might require several packets.

If you are using monitoring or logging facilities to observe router states as they proceed through adjacency formation, the master/slave negotiation appears as “ExStart” and the exchange of LSA headers as “Exchange.”


The four items that uniquely identify an LSA are

1. Type The LSA types include the Router LSA, the Network LSA, and four other types that will be described later in this module.

2. Link State ID The type of information in this field is unique to each type of LSA. In a Router LSA, the Link State ID is the Router ID.

3. Advertising Router The router that originated the LSA. In the example, the originating (or advertising) router and the sending router (as shown in IP datagram header) are actually the same router; but this is not always the case.

4. Sequence number The sequence number is a signed 32-bit value, usually written in hexadecimal. The first instance of an LSA that a router generates has sequence number 0x80000001. When a router experiences a link state change, it generates a new Router LSA that replaces the obsolete one. The second instance of the same LSA from the same router is identical on the first three items, but the fourth item, the sequence number, is higher; receivers treat the instance with the higher sequence number as the newer one.

A router uses the sequence number in the LSA header to differentiate instances of the same Router’s LSA. Depending upon the routers’ past relationship, this could be important to this phase of adjacency. For example, if R1A and R1B were previously adjacent and their link went down, each would keep the other’s LSA for an entire hour. Every LSA has a lifetime of 3600 seconds and an age of 0 seconds when it is originated. By the time an LSA is included in another router’s LSDB, it might be a few seconds old, but it continues to age the entire time it is in the database. If a replacement LSA has not arrived before its lifetime expires, the LSA is aged out of the database.

An OSPF router generates a current Router LSA every 30 minutes to refresh the databases of every router in the area. However, the router does not send every LSA in its database, just the ones it is responsible for generating. By comparison, RIP routers advertise their entire route tables every 30 seconds.

Link State Request packet

Figure: R1A (Router ID 10.1.208.1, .1) and R1B (Router ID 10.1.209.1, .2) on 10.1.64.0/24. Each router requests the LSAs that are not in its own LSDB.

R1B to R1A: IP Src 10.1.64.2, Dst 10.1.64.1; OSPF header Source router 10.1.209.1, Area ID 0.0.0.0; Link State Request packet: Type Router LSA, Link State ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002

R1A to R1B: IP Src 10.1.64.1, Dst 10.1.64.2; OSPF header Source router 10.1.208.1, Area ID 0.0.0.0; Link State Request packet: Type Router LSA, Link State ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000002

R1A’s LSDB: 1 Router LSA, Link State ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002, 3 links: Stub 10.1.10.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.208.0/24 cost 1

R1B’s LSDB: 1 Router LSA, Link State ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000002, 3 links: Stub 10.1.30.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.209.0/24 cost 1

Now that each router has received the headers of the LSAs contained in the other router’s LSDB, it can compare the contents of its own LSDB with the proposed headers from the other router. Each router uses a Link State Request packet to return the LSA headers for which the router needs the full advertisement.

In this simple example, each router requests the LSA that was advertised by the other by returning the header in a Link State Request. Basically, this is because there is only one path between the routers but, of course, this is not always the case. In a situation where there are redundant links, each router may already have some subset of the LSAs proposed in the Database Description due to its adjacencies on other interfaces.

Link State Update packet

Figure: R1A (Router ID 10.1.208.1, .1) and R1B (Router ID 10.1.209.1, .2) on 10.1.64.0/24. Each router provides the requested LSAs.

R1B to R1A: OSPF header Source router 10.1.209.1, Area ID 0.0.0.0; Link State Update packet: Type Router LSA, Link State ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000002, 3 links: Stub 10.1.30.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.209.0/24 cost 1

R1A to R1B: OSPF header Source router 10.1.208.1, Area ID 0.0.0.0; Link State Update packet: Type Router LSA, Link State ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002, 3 links: Stub 10.1.10.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.208.0/24 cost 1

R1A’s LSDB: 1 Router LSA, Link State ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002, 3 links: Stub 10.1.10.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.208.0/24 cost 1

R1B’s LSDB: 1 Router LSA, Link State ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000002, 3 links: Stub 10.1.30.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.209.0/24 cost 1

While the OSPF Database Description and Link State Request packet types are used only in the early stages of adjacency formation, the Link State Update packet is the primary mechanism for sending Link State Advertisements, both during adjacency formation and whenever link state changes occur.

As used in this stage of adjacency formation, Link State Update packets are sent to the neighbor’s unicast address. However, when a Link State Update carries LSAs that result from link state changes, a router sends it to a reserved multicast address (224.0.0.5 for all OSPF routers, or 224.0.0.6 for the DR and BDR on a broadcast network).

A Link State Update packet can contain as many LSAs as the router can fit into the maximum packet size for the network, which is usually 1500 bytes.

When link state changes occur, LSAs are flooded over all adjacencies throughout an entire area. Consequently, a router often will receive multiple copies of the same LSA. A router uses the sequence number to determine whether an incoming LSA is another copy of an advertisement already installed in the database or whether it is a new instance of an LSA that will cause it to change its shortest-path-first tree and next hop values.

Updating the Link State Database

Figure: R1A (Router ID 10.1.208.1, .1) and R1B (Router ID 10.1.209.1, .2) on 10.1.64.0/24. Adjacency causes a state change for network 10.1.64.0/24.

R1A’s LSDB:
1 Router LSA, Link State ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000004, 3 links: Stub 10.1.10.0/24 cost 100, Transit 10.1.64.0/24 cost 10, Stub 10.1.208.0/24 cost 1
2 Router LSA, Link State ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000002, 3 links: Stub 10.1.30.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.209.0/24 cost 1

R1B’s LSDB:
1 Router LSA, Link State ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000004, 3 links: Stub 10.1.30.0/24 cost 100, Transit 10.1.64.0/24 cost 10, Stub 10.1.209.0/24 cost 1
2 Router LSA, Link State ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002, 3 links: Stub 10.1.10.0/24 cost 100, Stub 10.1.64.0/24 cost 10, Stub 10.1.208.0/24 cost 1

The establishment of full adjacency between these routers causes a state change on the network they share—10.1.64.0/24. Because each router now has a neighbor on the network, it is no longer a stub network, but a transit network. In response to this state change, each router generates a new instance of its Router LSA, places it in its LSDB, and floods it to adjacent neighbors.

This state change causes R1B, the Designated Router, to generate another type of LSA that is described on the next few pages.

Originating new LSAs

Diagram: the same topology and LSDB contents as the previous diagram (R1A and R1B on 10.1.64.0/24), with a third entry now in R1B's LSDB:
3. Network LSA, Link State ID 10.1.64.2, Adv. Router 10.1.209.1, Sequence 80000002, Netmask 255.255.255.0, Attached Router 10.1.208.1, Attached Router 10.1.209.1

Because R1B is the DR of the network 10.1.64.0/24, it originates a Network LSA that describes the network. Network LSAs contain the following information:

• The LSA type, which is a Network LSA
• Link State ID = the DR’s IP address on the network
• Advertising Router is the DR’s Router ID
• Sequence number indicates this is the first instance of the LSA

These four pieces of information uniquely identify this instance of the Network LSA for the network 10.1.64.0/24.

Flooding LSAs in Link State Update packet

Diagram: R1B (Router ID 10.1.209.1, .2 on 10.1.64.0/24, also connected to 10.1.30.0/24). R1B's LSDB:
1. Router LSA, Link State ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000004
2. Router LSA, Link State ID 10.1.208.1, Adv. Router 10.1.208.1, Sequence 80000002
3. Network LSA, Link State ID 10.1.64.2, Adv. Router 10.1.209.1, Sequence 80000002

Link State Update packet sent by R1B:
IP header: Src 10.1.64.2, Dst 224.0.0.5
OSPF header: Source router 10.1.209.1, Area ID 0.0.0.0
LSA 1: Router LSA, Link State ID 10.1.209.1, Adv. Router 10.1.209.1, Sequence 80000004
LSA 2: Network LSA, Link State ID 10.1.64.2, Sequence 80000002, Netmask 255.255.255.0, Attached router 10.1.208.0, Attached router 10.1.209.0

LSAs generated due to link state change are:
• Encapsulated in a Link State Update packet
• Sent to All OSPF Routers multicast address

Router can send multiple LSAs in the same Link State Update packet.

The neighbor returns a Link State Acknowledgment to 224.0.0.5 containing the LSA headers it received.

Link State Update packets generated as the result of a link state change such as the one shown are sent to the “All OSPF Routers” multicast address 224.0.0.5. The Link State Update packet is immediately flooded to all routers in the area. This example has only two routers, but in an OSPF domain with many routers, all would receive the new instances of the LSAs.

After receiving R1B’s Link State Update, R1A acknowledges receipt by sending a Link State Acknowledgement. Proper OSPF operation depends on synchronization of the LSAs stored in each router’s link state database. Like the update packet, an acknowledgement is sent to 224.0.0.5, the OSPF router multicast address. If neighbors do not send an acknowledgment within a configurable period, R1B will send the Link State Update again.


R1A’s LSA

R1A must also originate a new LSA because it also experienced a state change when the network type associated with 10.1.64.0/24 transitioned from a stub network to a transit network. This new LSA is shown in the previous diagram with the sequence number of 80000004. R1B is obligated to send a Link State Acknowledgement in response to the Link State Update packet that contained the new instance of R1A’s Router LSA.

The Link State Update and Link State Acknowledgements that result from link state changes are always sent to a multicast address. Note that this is different from the unicast addresses used in messages sent and received during the database synchronization phase of adjacency formation.

SPF tree and IP route table

Each OSPF router:
• Uses LSAs in its link state database as input to an algorithm that finds the shortest path to each destination
• Puts itself at the root of its ‘shortest path first’ tree
  – All LSAs are identical within an area; the perspective is different for each router
• Derives next hop for IP route table from SPF tree

Equal cost multi-path:
• On finding equal cost paths to a given destination, many routers install an IP route table entry for each path
• If multiple route table entries specify different next hops to the same destination network, traffic may be shared among them

Each router’s advertisements describe its own directly connected networks. When a router originates a Router LSA, it sends it to its immediate neighbors, who in turn flood the LSA to all of their neighbors without changing it in any way. In this manner, every Router LSA reaches every router in the area. Consequently, each router in the area has an identical collection of router LSAs.

Any router that experiences a change in the state of one of its links must immediately inform all of the routers in the area by sending a newer instance of its Router LSA. The advertisement reaches all of the routers in the area very quickly. Routers flood the advertisement over the networks that make up the area.

Receipt of a new advertisement may cause every router in the area to simultaneously build a new shortest path first (SPF) tree based on the most current information. Depending on the router’s proximity to the link whose state has changed, the router might place new next hop gateway values in its route table.

Link state changes that involve a “transit” type network will cause all routers in the area to follow this procedure:

1. Receive new LSA(s). In the case of a state change in a transit network, the router is likely to receive at least two new Router LSAs—one for each router connected to the changed network.

2. Remove all OSPF routes from the route table. A link state routing protocol considers lack of routing information to be superior to invalid or obsolete routing information.


3. Run an algorithm to produce the shortest-path-first (SPF) tree based on the latest information. The OSPF RFC describes the operation of the Dijkstra algorithm; however, it also makes allowances for vendors to use any equivalent algorithms to produce the shortest-path-first tree.

4. Install new next hop values for each remote address range.

If a router loses a path to a stub network, the other routers still flood the new instance of that router’s LSA, but they do not need to remove OSPF routes from the route table, run the algorithm, or install new next hop values. From the perspective of the SPF tree, a stub network is like a leaf on the tree. Because the stub network never carries traffic from or to another address range, such a link state change lets a router add or drop a “leaf” instead of entirely recreating the tree.

Summary of OSPF packet types

ID | Name | Purpose
1 | Hello | Initiates adjacency, continues through all states of adjacency formation, and maintains adjacency
2 | Database Description | Offers headers of all known LSAs to neighbor, used in ExStart state of adjacency establishment
3 | Link State Request | Returns headers of LSAs needed to accomplish synchronization, used in ExStart state
4 | Link State Update | During database synchronization, encapsulates requested LSAs; also used to flood LSAs over established adjacencies
5 | Link State Acknowledgment | Returns headers of flooded LSAs received in a Link State Update; not used in adjacency formation, only for LSAs flooded over full adjacency

OSPF uses five packet types, as shown above. Their ID numbers, which are significant when examining packet traces, follow the order in which they occur in the adjacency formation process. The various types of packets are sent to different destination addresses, with some addressed to multicast groups and some to individual routers.

Hello packets are always sent to 224.0.0.5, which is the All OSPF Routers multicast group.

Database Description packets and Link State Request packets are sent only during the ExStart state of adjacency establishment. Because adjacency is a one-to-one relationship, these packets are addressed to a single router.

Link State Update packets have three possible destination addresses. During adjacency formation, link state updates are sent to the neighboring interface unicast address to accomplish database synchronization with a single neighbor. After adjacency is formed, link state updates contain LSAs that must be flooded to all routers to enable them to immediately obtain the most current information. Link State Update packets containing LSAs that resulted from a link state change are sent to one of the reserved OSPF router multicast addresses—224.0.0.5 or 224.0.0.6. The choice of address depends on whether the sending router is a DR or a non-DR. (The process for flooding of LSAs, including the use of these multicast addresses, will be described later in this module.)


Link State Acknowledgment packets, like Link State Update packets, are sent to 224.0.0.5 if the sender of the acknowledgment is a DR and to 224.0.0.6 if the sender is a non-DR. The completion of the adjacency process inevitably causes link state changes that trigger flooding of new LSAs to the multicast address. When a router receives a Link State Update that was sent to a multicast address, it sends the Link State Acknowledgment to the same multicast address.

Summary of OSPF LSA types confined to a single area

Type | Name | Advertises | Advertising Router | Link State ID
1 | Router LSA | Connected networks | Router ID (one LSA for each router in the area) | Originating router ID
2 | Network LSA | Connected routers | DR of multi-access transit network | DR’s IP address on the network

• Each LSA is uniquely identified by four items:
  1. LSA type, of which there are six different types
  2. Advertising Router, which is always a Router ID
  3. Link State ID, value depends on LSA type
  4. Sequence number, which increments each time the originator generates a new instance of the LSA
• Routers receiving flooded LSAs or LSA headers in Database Descriptions compare advertised values with those in their LSDB to determine whether to copy the LSA into the LSDB or ignore it

The two types of LSAs—Router LSAs and Network LSAs—perform different functions in deriving next hop values from the SPF tree. However, they share one characteristic: both are confined to a single area. The processes and flow for LSAs will be described in more detail later in this module.

Distribution of link state changes

Module 2 agenda:
• Basic OSPF interactions
• Distribution of link state changes
  – Impact of link state changes
  – LSA flow
  – Area Border Routers (ABR)
  – Network summarization
  – External route information

The rest of Module 2 will describe the process that OSPF routers use to respond to link state changes. The discussion will include a detailed analysis of LSA flow, as well as the different responsibilities of OSPF router types.

Impact of link state changes

After two routers have formed an adjacency, they are obligated to flood to each other:
• All self-originated LSAs
• All LSAs that arrive in Link State Update packets received from other neighbors

If either router forms new adjacencies, it:
• Includes headers of all known LSAs in Database Description packets during adjacency formation
• Immediately floods to all current neighbors the LSAs it receives during adjacency formation

In an OSPF network, link state changes prompt a complex, but predictable, series of exchanges between each pair of adjacent routers. After forming an adjacency, a router must flood to its neighbors all LSAs it creates based on local link state changes as well as those it receives from neighbors. A Link State Update packet can contain many LSAs from different sources. The maximum number of LSAs is limited only by the maximum packet size supported by a router’s connected networks.

During adjacency formation, the router includes the headers of all known LSAs in Database Description packets. Similarly, the router must immediately flood to its other neighbors the new LSAs it receives during adjacency formation.

Connecting to existing multi-access network

Diagram: two separate OSPF domains, each with full adjacencies between its routers (RX RY = adjacency).

Domain 1: R1A (Router ID 10.1.208.1, .1 on 10.1.64.0/24, also connected to 10.1.10.0/24) and R1B (Router ID 10.1.209.1, DR, .2 on 10.1.64.0/24, also connected to 10.1.30.0/24). Adjacency: R1A R1B. LSDB: Router LSA LSID 10.1.208.1; Router LSA LSID 10.1.209.1; Network LSA LSID 10.1.64.2.

Domain 2: C1 (Router ID 10.0.208.1, BDR, .1 on 10.0.100.0/24), R2A (Router ID 10.2.208.1, DR, .12 on 10.0.100.0/24, .1 on 10.2.64.0/24, also connected to 10.2.10.0/24) and R2B (Router ID 10.2.209.1, DR, .2 on 10.2.64.0/24, also connected to 10.2.30.0/24). Adjacencies: C1 R2A, R2A R2B. LSDB: Router LSA LSID 10.0.208.1; Router LSA LSID 10.2.209.1 (listed twice on the slide); Network LSA LSID 10.0.100.12; Network LSA LSID 10.2.64.2.

This example shows two separate OSPF domains. Each router has full adjacency with its neighbor(s), and all databases are synchronized. Although all routers identify their connected networks as members of area 0, the clusters of routers are physically separated.

Recognizing a new router on a multi-access network

Diagram: the same two domains as the previous diagram, with R1A now also attached to 10.0.100.0/24 as .11 (C1 is BDR at .1, R2A is DR at .12). The two LSDBs are unchanged. Caption: All 3 routers multicast Hello messages; R1A learns identity of DR and BDR.

When R1A’s OSPF interface on network 10.0.100.0/24 comes up, it begins receiving Hello messages that the DR and Backup DR are sending onto the multi-access network.

The Hello messages contain Router 10.2.208.1 as DR and Router 10.0.208.1 as Backup DR, immediately notifying R1A that it must establish adjacencies with both routers.

R1A’s Hello messages list DR and Backup DR router IDs. When these routers recognize their own Router IDs in the Hello packets, they add R1A’s address to the Hello packets as a neighbor.

When all three routers have seen their own Router ID in a Hello packet, they move to the two-way state, where they will begin the database exchange that leads to adjacency.

Database synchronization

Diagram: the same topology as the previous diagram. Caption: R1A proceeds toward adjacency with DR and BDR; they exchange DB Description, LS Request, and LS Update packets.

R1A must become adjacent to both the DR and the Backup DR. Accordingly, R1A exchanges Database Description packets with both routers, offering the three LSAs in its database. R2A (the DR) and C1 (the Backup DR) send Link State Requests for all of the LSAs and each receives them in Link State Updates.

R2A and C1 also send Database Description packets to R1A, each offering the same set of LSAs from their synchronized database. R1A requests all of the LSAs whose headers were offered by one of the routers on the transit network, and receives the five LSAs in a Link State Update packet.

Adjacencies established, database synchronized

Diagram: the same topology, with adjacencies now R1A R1B, C1 R2A, R2A R2B, R1A R2A and R1A C1. The LSDB shown contains: Router LSA LSID 10.0.208.1; Router LSA LSID 10.1.208.1; Router LSA LSID 10.1.209.1; Router LSA LSID 10.2.209.1 (listed twice on the slide); Network LSA LSID 10.0.100.12; Network LSA LSID 10.1.64.2; Network LSA LSID 10.2.64.2. Caption: The three routers on network 10.0.100.0/24 have exactly the same LSAs in their link state databases.

Each router sends Link State Update packets that contain the LSAs whose headers were included in the Link State Requests. At the end of this process, two additional adjacencies have been established. The three routers connected to network 10.0.100.0/24 have identical entries in their link state databases.

Having established adjacencies with R1A, both R2A and C1 must flood the new LSAs they received from R1A because they are DR and Backup DR for Network 10.0.100.0/24, a multi-access transit network.

Flood new LSAs

Diagram: the same topology and LSDB contents as the previous diagram. Caption: C1 and R2A both flood new LSAs; R1A floods the new LSAs onto 10.1.64.0/24.

As soon as R1A receives the LSAs from one of its neighbors on network 10.0.100.0/24, it floods the new LSAs over network 10.1.64.0/24. R1A encapsulates the new LSAs in a Link State Update packet and encapsulates the OSPF packet in an IP datagram whose destination address is the All OSPF Routers multicast group 224.0.0.5.

The same is true for R2A and C1, both of which have just become adjacent to R1A. Because these routers are the DR and Backup DR of the network 10.0.100.0/24, they are responsible for flooding the LSAs to that network, even though the new information came from that network.

This is quite different from RIP Split Horizon operation, which prevents routers from sending advertisements to the network from which they originated. The reason for the different OSPF operation will be described later in this module.

Acknowledging flooded LSAs

Diagram: the same topology and LSDB contents as the previous diagram. Caption: Each router acknowledges receipt of LSAs.

A router must acknowledge flooded LSAs by multicasting a Link State Acknowledgment to the network from which it received the Link State Update.

The LSA that is encapsulated by the Link State Update packet may have originated with a router anywhere in the area. However, the source address in the IP datagram header that encapsulates the Link State Update will be that of a neighbor, because a router’s LSA flooding operation involves creating a new OSPF packet that contains the Link State Update, which in turn contains the LSAs to be sent to neighbors. So, too, the acknowledgment is sent using a multicast address that reaches the local routers.

During this series of exchanges, only the LSA remains unchanged. The packets that contain the LSA change at every hop.

Designated Router adjacency responsibilities

Differences between DRs and non-DRs become apparent when there are four or more routers on a multi-access network:
• DR and Backup DR become adjacent to all routers on the network
• Non-DRs become adjacent to DR and Backup DR but not to each other
• When a router joins a network that has a DR, Backup DR, and at least one non-DR, the state of its relationship with other non-DRs remains at ‘two-way’

Diagram: four routers (R1, R2, R3, R4) share Network 0; one is the DR, one the Backup DR, and two are non-DRs. Networks 1 through 4 are also attached to the routers.

This example uses a different set of routers and networks than the previous examples to illustrate LSA flow when a multi-access network has four or more connected routers. The multi-access network in the previous example supports a full mesh of adjacencies because there is only one non-DR. In this example, however, there are two routers on Network 0 that are not DRs, so the four routers connected by Network 0 do not form a complete mesh: the DR and the Backup DR become adjacent to all routers, but the non-DRs do not become adjacent to each other.

Designated Router LSA flooding responsibilities

DR is chosen per network:
• A router may be a DR for some of its interfaces and a non-DR for others

DR has adjacencies with all routers on Network 0. DR floods LSAs to multicast address 224.0.0.5 when it receives LSAs that are:
• Received due to new adjacency on Network 0 or another network
• Flooded to it over existing adjacency on another network
• Generated due to a local link state change

Diagram: the same four routers on Network 0 (DR, BDR, and two non-DRs). A link state change originates on one of the other networks; the DR receives a Link State Update containing the new LSAs and floods them onto Network 0 to 224.0.0.5.

A router’s role as DR applies only to a single interface, although the term “designated routers” seems to suggest that it applies to all interfaces.

When a router receives a flooded LSA—that is, an LSA encapsulated in a Link State Update packet that is sent to a multicast address—the router’s flooding responsibilities differ according to its roles on its various interfaces. If it is the DR for any of its connected networks, it floods the LSA to that network using the multicast address 224.0.0.5.

For interfaces where it is not a DR, an OSPF router sends its Link State Updates to a different reserved multicast address. This different behavior is necessary because the DR needs to act as a mediator between non-DRs, who do not form adjacencies with each other.

Non-DR LSA flooding responsibilities
• Non-DRs on Network 0 do not have adjacency with other non-DRs
• LSAs received due to adjacencies with other networks are flooded on to Network 0 using the multicast address for All Designated Routers, 224.0.0.6
• Designated Routers receive the updates, encapsulate the LSAs in a new Link State Update packet, and flood the packet back on to Network 0 using the multicast address for All OSPF Routers, 224.0.0.5
• Some routers receive multiple copies of the LSAs, verify sequence numbers, discard duplicates

Diagram: the same four routers on Network 0. A link state change originates on a network attached to a non-DR; the non-DR sends a Link State Update containing the new LSAs onto Network 0 to 224.0.0.6, and the DR floods the new LSA back onto Network 0 to 224.0.0.5.

The Designated Router strategy is efficient for networks with many connected routers. This strategy avoids the generation of unnecessary traffic by maintaining a limited number of adjacencies.

Link State Updates can only be sent to adjacent neighbors. A non-DR is adjacent only to DRs, so when it floods LSAs onto a network it sends the Link State Update packet to the multicast address 224.0.0.6, which is the multicast address reserved for all Designated Routers. Non-DRs do not receive the update; however, the DRs will subsequently flood the LSAs in an update packet addressed to 224.0.0.5, the multicast group reserved for all OSPF routers.

The process is the same for a router that is a DR for one network but a non-DR for others. Because the DR responsibilities are assigned to an interface, a router can be a DR for some networks and non-DR for others.

In the example, because of this process, all routers on Network 0 have the new LSAs. They flood them to their neighbors on other networks and update their link state databases.

An OSPF router compares the characteristics of each LSA it receives with those of the LSAs already in its LSDB. It discards an incoming LSA that matches an existing entry on all four identifying characteristics (LSA type, Advertising Router, Link State ID, and sequence number), and also one whose sequence number is lower than that of the installed instance. A higher sequence number indicates a newer LSA; the router replaces the older instance with the newer one.
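The four-identifier comparison and the DR/non-DR flooding addresses described above, worked as an added Python example (not code from the ProCurve guide). The sample LSAs are constructed from the R1A/R1B diagram earlier in this module; the interface names and the `DROther` state label are assumptions.

```python
"""Added example, not from the ProCurve guide: the accept/discard decision for
flooded LSAs and the per-interface flooding address.  Sample LSAs are constructed
from the page's R1A/R1B diagram (Router IDs 10.1.208.1 and 10.1.209.1, network
10.1.64.0/24).  Interface names ("eth0", "eth1") are hypothetical."""
from dataclasses import dataclass


def signed32(seq: int) -> int:
    """OSPF sequence numbers are signed 32-bit (RFC 2328): 0x80000001 is the
    first instance and 0x7FFFFFFF the largest.  Comparing the raw hex values as
    unsigned integers would rank 0x80000004 above 0x7FFFFFFF, which is wrong."""
    return seq - (1 << 32) if seq & 0x80000000 else seq


@dataclass(frozen=True)
class LSA:
    lsa_type: int        # 1 = Router LSA, 2 = Network LSA
    adv_router: str      # Router ID of the originator
    link_state_id: str   # originator's Router ID (type 1) or DR's address (type 2)
    sequence: int
    body: tuple = ()     # links (type 1) or attached routers (type 2)

    @property
    def key(self):
        """Type, Advertising Router and Link State ID name the LSA; the
        sequence number then distinguishes instances of it."""
        return (self.lsa_type, self.adv_router, self.link_state_id)


class LSDB:
    def __init__(self):
        self.entries = {}

    def receive(self, lsa: LSA) -> str:
        """The page's rule: a copy matching an installed entry on all four
        identifiers is a duplicate, a lower sequence number is an older instance,
        a higher one replaces the installed entry.  Returns the decision."""
        current = self.entries.get(lsa.key)
        if current is None or signed32(lsa.sequence) > signed32(current.sequence):
            self.entries[lsa.key] = lsa
            return "install"
        if lsa.sequence == current.sequence:
            return "duplicate"
        return "older"


def flood_target(interface_state: str) -> str:
    """Multicast address a router floods to on one interface.  DR and Backup DR
    send to AllSPFRouters (224.0.0.5); other routers send to AllDRouters
    (224.0.0.6) so the DR can relay to the non-DRs only it is adjacent to.
    The page spells out the DR and non-DR cases; treating the Backup DR like
    the DR follows RFC 2328 section 13.3."""
    return "224.0.0.5" if interface_state in ("DR", "BDR") else "224.0.0.6"


def process_update(db: LSDB, lsas, received_on: str, interface_states: dict) -> list:
    """Handle one Link State Update received on interface `received_on`.
    Installs what is new and returns [(lsa, interface, destination)] for every
    interface the LSA must be re-flooded on.  `interface_states` maps interface
    name -> 'DR', 'BDR' or 'DROther'.  Simplification of RFC 2328 section 13.3:
    the LSA goes back out the receiving interface only when this router is the
    DR there (the page's "flood back onto Network 0" case)."""
    to_flood = []
    for lsa in lsas:
        if db.receive(lsa) != "install":
            continue                       # duplicate or older: nothing to flood
        for ifname, state in interface_states.items():
            if ifname == received_on and state != "DR":
                continue
            to_flood.append((lsa, ifname, flood_target(state)))
    return to_flood


if __name__ == "__main__":
    # Constructed: R1A's Router LSA, first the stub instance, then the transit one.
    r1a_old = LSA(1, "10.1.208.1", "10.1.208.1", 0x80000002, (("stub", "10.1.64.0/24", 10),))
    r1a_new = LSA(1, "10.1.208.1", "10.1.208.1", 0x80000004, (("transit", "10.1.64.0/24", 10),))
    db = LSDB()
    for copy in (r1a_old, r1a_new, r1a_new, r1a_old):
        print(hex(copy.sequence), db.receive(copy))   # install, install, duplicate, older
```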

OSPF network types

OSPF supports several types of networks, including:
• Broadcast, including Ethernet and other LAN media
• Point-to-point
  – Allows exactly two adjacent routers on the network
  – Usually a WAN link
  – Both routers become adjacent; does not elect a DR/BDR
• Point-to-multipoint, used for partially meshed frame relay/ATM
• Unnumbered point-to-point
  – Point-to-point link that does not take up any address space
  – Another interface on the router provides an address for adjacency purposes
• Non-broadcast multiple access, used for full mesh frame relay/ATM

Because OSPF is designed to serve large-scale networks, the protocol supports several types of networks, including:
• Broadcast, such as Ethernet, where a single packet can simultaneously be sent to multiple receivers
• Point-to-point, commonly used for WAN links
• Point-to-multipoint, such as frame relay/ATM, where a single physical circuit supports multiple virtual circuits
• Unnumbered point-to-point
• Non-broadcast multiple access

To support these various types of networks, OSPF offers several types of transit networks. Each type is designed to serve the specific needs of a physical media type. They are:

• A point-to-point transit network, where a router establishes a relationship with exactly one neighbor. After the routers form an adjacency, they will not permit adjacencies to form with other routers. This network type is typically used for point-to-point WAN links, but it can be useful for point-to-point Gigabit Ethernet links.


• A point-to-multipoint transit network, where a single physical circuit may support multiple virtual circuits and locations are connected in a hub-and-spoke or star configuration. This network type is appropriate for frame relay or ATM networks.

• A multi-access transit network, which usually refers to an Ethernet network that has two or more connected routers. The underlying media access method allows a router to send its Hello messages to the reserved multicast address and reach all of its neighbors with a single packet.

• A non-broadcast multi-access network (NBMA), which uses a media type such as frame relay and ATM, and interconnects two or more routers using virtual circuits. Its underlying media access method makes it impossible for a router to reach all of its neighbors with a single Hello packet. Instead, a router sends Hello packets to each of the routers on the NBMA

Finding the shortest path

• Every time a router receives a new instance of an LSA, it assesses whether the change involves any transit networks

• If it does, the router runs an algorithm against the LSAs in its link state database resulting in a tree that includes all routers and networks in the area and calculates the cost to each destination

• The router populates its IP route table with next hop information from the ‘shortest path first’ tree

Diagram: four routers. R1A (Router ID 10.1.208.1) has stub network 10.1.10.0/24 (cost 100) and shares 10.1.64.0/24 (cost 10) with R1B (Router ID 10.1.209.1), which has stub network 10.1.20.0/24 (cost 100). R2A (Router ID 10.2.208.1) has stub network 10.2.10.0/24 (cost 100) and shares 10.2.64.0/24 (cost 10) with R2B (Router ID 10.2.209.1), which has stub network 10.2.20.0/24 (cost 100). Network 10.0.100.0/24 (cost 1) connects the two pairs. The highlighted links show the shortest path from Router2A’s perspective.

The LSAs discussed earlier in this module form the basis for the shortest-path-first calculations that give OSPF its fast convergence.

Not every LSA requires the calculation of a new tree. For example, if Router2A received an LSA originated by R1B indicating that its stub network 10.1.20.0/24 was down, it wouldn’t affect shortest-path-first calculation. R1A would simply accept the LSA, replacing the earlier one that indicated the network was up and available.

Suppose, however, that R2A lost its connection to the network 10.0.100.0/24. The DR of this network would originate an LSA indicating that the neighbor list had changed, and all routers would flood the LSA. Additionally, R2A would originate and flood to its only remaining neighbor a new instance of its Router LSA. All four routers would run the algorithm and recognize network 10.2.64.0/24 as the path to R2A and network 10.2.10.0/24.
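The SPF calculation and the failure case just described, as an added Python example that is not part of the ProCurve guide. The LSDB is constructed from the diagram above; one assumption, marked in the code, is that R2B is also attached to 10.0.100.0/24, which the scenario (every router reaching R2A and 10.2.10.0/24 via 10.2.64.0/24) requires. It also runs the calculation from R1A's perspective, not only from R2A's.

```python
"""Added example, not from the ProCurve guide: SPF tree and route table from Router
and Network LSAs, then the page's failure case replayed.  The LSDB is constructed
from the four-router diagram on this page (R1A 10.1.208.1, R1B 10.1.209.1,
R2A 10.2.208.1, R2B 10.2.209.1); the one assumption is that R2B is also attached
to 10.0.100.0/24, which the text's failure scenario requires."""
import heapq
from itertools import count

# Router LSA bodies as (link type, network, cost).  transit = multi-access network
# shared with a neighbor; stub = leaf network carrying no transit traffic.
ROUTER_LSAS = {
    "10.1.208.1": [("stub", "10.1.10.0/24", 100), ("transit", "10.1.64.0/24", 10),
                   ("transit", "10.0.100.0/24", 1)],                                 # R1A
    "10.1.209.1": [("stub", "10.1.20.0/24", 100), ("transit", "10.1.64.0/24", 10)],  # R1B
    "10.2.208.1": [("stub", "10.2.10.0/24", 100), ("transit", "10.2.64.0/24", 10),
                   ("transit", "10.0.100.0/24", 1)],                                 # R2A
    "10.2.209.1": [("stub", "10.2.20.0/24", 100), ("transit", "10.2.64.0/24", 10),
                   ("transit", "10.0.100.0/24", 1)],                                 # R2B (assumed)
}
# Network LSA bodies, originated by each transit network's DR: the attached routers.
NETWORK_LSAS = {
    "10.1.64.0/24": ["10.1.208.1", "10.1.209.1"],
    "10.2.64.0/24": ["10.2.208.1", "10.2.209.1"],
    "10.0.100.0/24": ["10.1.208.1", "10.2.208.1", "10.2.209.1"],
}


def build_graph(router_lsas, network_lsas):
    """Vertices are routers and transit networks.  Router -> network costs the
    interface cost, network -> router costs 0, and a transit link counts only
    if the Network LSA lists the router too (both ends must agree)."""
    adj = {}
    for rid, links in router_lsas.items():
        adj.setdefault(rid, {})
        for kind, net, cost in links:
            if kind == "transit" and rid in network_lsas.get(net, []):
                adj[rid][net] = cost
                adj.setdefault(net, {})[rid] = 0
    return adj


def spf(root, router_lsas, network_lsas):
    """Dijkstra with the root router at the top of the tree.  Returns
    {vertex: (cost, next_hop)}; next_hop is None for the root and for networks
    directly attached to it.  Equal-cost ties keep the first path found."""
    adj = build_graph(router_lsas, network_lsas)
    tree = {root: (0, None)}
    tiebreak = count()                     # keeps heap entries comparable
    heap = [(0, next(tiebreak), root, None)]
    done = set()
    while heap:
        cost, _, v, hop = heapq.heappop(heap)
        if v in done:
            continue
        done.add(v)
        for nbr, c in adj.get(v, {}).items():
            if v == root:
                nbr_hop = None             # directly attached transit network
            elif hop is None and nbr in router_lsas:
                nbr_hop = nbr              # router one hop away on that network
            else:
                nbr_hop = hop              # inherit the first-hop router
            if nbr not in tree or cost + c < tree[nbr][0]:
                tree[nbr] = (cost + c, nbr_hop)
                heapq.heappush(heap, (cost + c, next(tiebreak), nbr, nbr_hop))
    return tree


def route_table(root, router_lsas, network_lsas):
    """IP routes {network: (cost, next_hop)}: transit networks come straight
    from the tree; stub networks hang as leaves off their router's entry."""
    tree = spf(root, router_lsas, network_lsas)
    routes = {v: cn for v, cn in tree.items() if v in network_lsas}
    for rid, links in router_lsas.items():
        if rid not in tree:
            continue
        rcost, rhop = tree[rid]
        for kind, net, cost in links:
            if kind == "stub" and (net not in routes or rcost + cost < routes[net][0]):
                routes[net] = (rcost + cost, rhop)
    return routes


def lose_link(router_lsas, network_lsas, rid, net):
    """The page's failure case: `rid` drops off transit network `net`.  It
    originates a Router LSA without that link, the DR originates a Network LSA
    without `rid`, and every router reruns SPF on the resulting LSDB."""
    r = {k: [l for l in v if not (k == rid and l[1] == net)] for k, v in router_lsas.items()}
    n = {k: [x for x in v if not (k == net and x == rid)] for k, v in network_lsas.items()}
    return r, n


if __name__ == "__main__":
    before = route_table("10.2.208.1", ROUTER_LSAS, NETWORK_LSAS)
    r, n = lose_link(ROUTER_LSAS, NETWORK_LSAS, "10.2.208.1", "10.0.100.0/24")
    after = route_table("10.2.208.1", r, n)
    for net in sorted(before):
        print(net, before[net], "->", after.get(net))
```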

OSPF’s performance in large intranet
• OSPF achieves fast convergence due to requirements it places on routers
  – Maintain synchronized link state database among all routers
  – Immediately flood over its adjacencies every LSA it receives
  – Recalculate shortest-path-first tree and install new routes in route table when link state changes occur
• These requirements can become a burden to a router if:
  – Number of LSAs in link state database requires excessive memory
  – Frequent state changes due to large number of routers and networks lead to excessive recalculation of SPF tree and become a drain on CPU resources

Diagram: a large intranet in which a transit network failure (marked X) causes Router and Network LSAs to flow through the entire area.

Fast convergence is one of OSPF’s main benefits. However, if a network is not designed properly, the mechanisms that enable OSPF routers to respond quickly to state changes and maintain current information can be detrimental to its performance.

The diagram above represents a very large intranet, although it is not practical to show all the routers in such a large network. The routers in the above example are arranged hierarchically, with four router groups that are connected to a set of core routers. As a practical matter, due to the relative isolation of the router groups, the transit network failure shown in the diagram will not result in any route table changes for routers in other groups. The links that connect groups to the core are not affected. When a transit network in one of the locations goes down, the routers in another location do not need to be updated. The links that the routers use to reach the other location are still up.

However, because all of the routers are in a single area, they all receive the updates and process them accordingly, which adds to router overhead. This issue becomes more severe as more routers and networks are added because the probability increases that one or more of them could be experiencing state changes at any given time.


The creation of areas that include too many routers also can lead to large link state databases that cannot be processed quickly enough to satisfy user needs. Because the link state algorithm must examine all LSAs stored in the LSDB, the inclusion of too many entries can lengthen processing time so that user sessions time out before the router finds the shortest path and updates its route table.

The solution, of course, is to divide the networks into areas. Many router vendors recommend limiting the number of routers and networks in an area according to the available processor speed and memory. Many also enable you to configure a minimum interval between iterations of the shortest-path-first algorithm.


OSPF scalability

• Divide a large intranet into areas with fewer than 50 routers and fewer than 500 networks
• If you use multiple areas, one must be defined as Area 0
• Connect the areas using an Area Border Router (ABR) that has at least one interface in Area 0 and at least one interface in a non-zero area
• Routers whose interfaces are all assigned to the same area are ‘internal’ routers

[Diagram: networks assigned to Area 1, Area 0, and Area 2.]

To avoid overtaxing OSPF routers, you should divide the intranet into areas sized so that LSA processing and storage do not interfere with performance. In general, an area should have no more than 50 routers or 500 networks. It is also worth noting that OSPF’s benefits are more apparent in larger networks. Consequently, the likely OSPF deployment involves dividing up the networks by physical proximity and creating boundaries between the areas.

In an intranet using multiple areas, one area must be the backbone area, often referred to as “Area 0,” “Area 0.0.0.0,” or the “Backbone Area.”

Area Border Router (ABR)

To enable proper OSPF functioning, you must configure an OSPF router to be the Area Border Router (ABR) by assigning some interfaces to Area 0 and other interfaces to another area. The ABR must have at least one backbone interface.

The networks in an area must be contiguous. The design cannot place part of Area 1 in location A and another part of Area 1 in Location B, with connections provided only by networks that belong to some other area.


Multiple areas and adjacency

• Adjacency is a requirement for all OSPF routers, whether internal or ABR
• Area ID is one of the first items checked in the Hello packet
– Adjacency fails if the sender of the Hello packet associates the network with a different area ID than the receiver

[Diagram: networks assigned to area 1, area 0, and area 2.]

Adjacency is fundamental to all communication between OSPF routers. Without adjacency, routers cannot synchronize their link state databases and cannot flood LSAs. Furthermore, a network with no adjacencies is recognized by all routers as a stub network, instead of as a transit network capable of carrying traffic destined for other networks.

As described earlier, in order to form an adjacency, the routers must agree on many parameters, including area ID. In fact, area ID is one of the first items that the receiver of a Hello message verifies. If the area IDs are different, neither side can move to the Two-Way or ExStart states.

Every OSPF packet, including Hello, Database Description, Link State Request, Link State Update, and Link State Acknowledgment, is encapsulated by an OSPF packet header that contains the area ID and router ID.

If you change the area ID to which a network is assigned without changing the area ID of other routers on that network, the router immediately loses any adjacencies on that network. If other router interfaces subsequently change their area IDs, the routers may establish new adjacencies if all other parameters are compatible.


ABR link state database synchronization

• Router LSAs and Network LSAs do not cross area boundaries
• An Area Border Router (ABR):
– Has adjacencies with neighbors in at least two areas
– Maintains database synchronization with routers in its locally configured areas

[Diagram: internal routers in area 1, area 2, and area 0; one ABR maintains LSDB entries for area 0 and area 2, the other for area 0 and area 1.]

An OSPF router assigns each of its OSPF interfaces to an area. An area border router (ABR) assigns some of its interfaces to the backbone area and other interfaces to a non-backbone area. The ABR must maintain database entries for each area in which it has at least one interface. It does not maintain LSAs for areas in which it has no interfaces.

In this example, each ABR has one interface in the backbone area and two or more interfaces in a non-backbone area. It is possible for an ABR to have interfaces in two non-backbone areas; however, this can add significant overhead because the router must maintain entries for all connected areas. The ABR is a full participant in each area, originating and flooding LSAs when it is appropriate.


LSA flow between areas

• The ABR generates and floods ‘Summary LSAs’ that:
– Describe networks in the backbone area and flood over all adjacencies in the non-backbone area
– Describe networks in the non-backbone area(s) and flood over all adjacencies in the backbone area
• The ABR may be configured to substitute range advertisements for individual network advertisements

[Diagram: internal routers in area 1, area 2, and area 0. The ABR for area 1 floods Summary LSAs for area 1 networks into area 0 and Summary LSAs for area 0 and area 2 networks into area 1; the ABR for area 2 floods Summary LSAs for area 2 networks into area 0 and Summary LSAs for area 0 and area 1 networks into area 2.]

ABRs have a set of database entries for each supported area and maintain adjacencies with neighbors in those areas. The ABR is responsible for creating a third type of LSA, known as a Summary LSA, which it uses to represent networks from other areas.

In the backbone area section of the ABR’s database, backbone area networks are represented by Router and Network LSAs, and non-backbone area networks are represented by Summary LSAs.

The reverse is also true. In the non-backbone area section of the database, non-backbone area networks are represented by Router and Network LSAs. The backbone networks are represented by Summary LSAs.

Consequently, the link-state database of an ABR that supports two areas has approximately twice as many entries as it would have if all of its interfaces were in the same area, and the link-state database of an ABR that supports three areas has approximately three times as many. Memory consumption is one of the primary reasons that most vendors put limits on the number of areas an OSPF router can support.


Flooding Summary LSAs

[Diagram: R1B and R1A (ABR) are in Area 1 with interfaces 10.1.10.1/24, 10.1.30.1/24, 10.1.64.1/24 and 10.1.64.2/24 and Router IDs 10.1.208.1 and 10.1.209.1 on loopback interfaces; R2B and R2A (ABR) are in Area 2 with interfaces 10.2.10.1/24, 10.2.30.1/24, 10.2.64.1/24 and 10.2.64.2/24 and Router IDs 10.2.208.1 and 10.2.209.1 on loopback interfaces. The ABRs connect to Area 0 through 10.0.100.11/24 and 10.0.100.21/24. A Link State Update packet (OSPF header, Link State Update packet) carries a Type 3 Summary LSA with Link state ID 10.1.10.0, Adv. Router 10.1.208.1, Netmask 255.255.255.0, followed by a second Summary LSA with Link state ID 10.1.30.0 …]

R1A (an ABR):
• Floods into area 0 a Summary LSA for each network in Area 1
• Floods into area 1 a Summary LSA for each network in Area 0

A Summary LSA contains the starting address and mask of a network from one area that is sent into another area. The example above shows one Summary LSA and the beginning of a second Summary LSA. Like the Router LSA and Network LSA, the Summary LSA is encapsulated in a Link State Update packet and flooded to a router’s adjacent neighbors. Unlike the Router and Network LSA, the Summary LSA crosses area boundaries. The Summary LSA created by R1A and flooded into the backbone area is also flooded into area 2 by R2A, the ABR that connects area 2 to the backbone. Similarly, the Summary LSAs created by R2A that describe networks in area 2 are flooded through the backbone and into area 1.

As a result of the ABR’s creation and flooding of Summary LSAs, an internal (non-ABR) router has Router and Network LSAs that describe networks in its local area, and Summary LSAs that describe networks in other areas.

In the example above, each non-backbone area has a single ABR that connects to the backbone area. However, designers may provide additional resilience by configuring two ABRs per area. In that case, each ABR independently creates and floods summary LSAs from one area into the other. Internal routers in the area would receive twice as many Summary LSAs as they would receive if the area had only one ABR.

Dividing a large intranet into multiple areas will limit the scope of Router LSAs and Network LSAs, but this action alone isn’t sufficient to minimize the size of the link state database. The creation of multiple areas actually increases the size of the LSDB for ABRs and may increase the number of entries for internal routers.


Hierarchical addressing enables summarization

[Diagram: the same topology as the previous slide. R1B and R1A (ABR) are in Area 1 with interfaces 10.1.10.1/24, 10.1.30.1/24, 10.1.64.1/24 and 10.1.64.2/24 and Router IDs 10.1.208.1 and 10.1.209.1 on loopback interfaces; R2B and R2A (ABR) are in Area 2 with interfaces 10.2.10.1/24, 10.2.30.1/24, 10.2.64.1/24 and 10.2.64.2/24 and Router IDs 10.2.208.1 and 10.2.209.1 on loopback interfaces; the ABRs connect to Area 0 through 10.0.100.11/24 and 10.0.100.21/24. Each ABR summarizes its area’s entire address range with a starting address and mask and floods one Summary LSA: R1A floods a Link State Update packet with a Summary LSA of Link state ID 10.1.0.0, Adv. Router 10.1.208.1, Netmask 255.255.0.0; R2A floods a Summary LSA of Link state ID 10.2.0.0, Adv. Router 10.2.208.1, Netmask 255.255.0.0.]

Dividing an intranet into separate areas makes it possible to summarize address space at area boundaries. An ABR can be configured to create Summary LSAs that express the address space of an area as a range rather than as separate networks.

This requires you to carefully plan and implement a hierarchical addressing scheme so that the address space of an area can be summarized with a single range statement, but the benefits in terms of LSDB size are significant. In particular, it enables the LSDBs of internal routers within non-backbone areas to list a single route to addresses in other areas, instead of listing individual networks in their LSDB and route table.

The diagram above shows a hypothetical example. In practice, of course, you would not divide a network this small into three separate areas. In fact, the benefits of OSPF are most apparent in larger networks with redundant paths.
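Range summarization at the area boundary, as an added example that is not code from the ProCurve guide. The Area 1 and Area 2 prefixes follow the diagram (carrying the loopback Router IDs as /32 stubs is an assumption); the Area 0 prefix list and the mis-addressed network in the negative case are constructed. The check that a range must not swallow another area’s prefixes goes beyond the text: an over-wide range would draw that area’s traffic toward the wrong ABR.

```python
"""Range summarization at an OSPF area boundary.

Added example; not code from the ProCurve guide. Area prefixes follow the
diagram (loopback Router IDs carried as /32 stubs is an assumption); the Area 0
list and the stray network used in the negative case are constructed.
"""
import ipaddress

AREA1 = ["10.1.10.0/24", "10.1.30.0/24", "10.1.64.0/24", "10.1.208.1/32", "10.1.209.1/32"]
AREA2 = ["10.2.10.0/24", "10.2.30.0/24", "10.2.64.0/24", "10.2.208.1/32", "10.2.209.1/32"]
AREA0 = ["10.0.100.0/24"]


def covering_range(prefixes):
    """Smallest single prefix that contains every network in `prefixes`.
    The result is only as tight as the addressing plan allows."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    rng = nets[0]
    while not all(n.subnet_of(rng) for n in nets):
        rng = rng.supernet()          # widen one bit at a time; 0.0.0.0/0 covers everything
    return rng


def summary_lsas(area_prefixes, other_area_prefixes, summarize=True):
    """(link_state_id, netmask) pairs the ABR floods out of an area.

    With summarization it emits a single range. The range is refused, and the
    ABR falls back to one Summary LSA per network, if it would overlap any
    prefix that belongs to another area: such a range would attract that
    area's traffic toward this ABR and black-hole or misroute it."""
    if summarize:
        rng = covering_range(area_prefixes)
        foreign = [ipaddress.ip_network(p) for p in other_area_prefixes]
        if not any(rng.overlaps(f) for f in foreign):
            return [(str(rng.network_address), str(rng.netmask))]
    return [(str(n.network_address), str(n.netmask))
            for n in map(ipaddress.ip_network, area_prefixes)]


if __name__ == "__main__":
    print("Area 1 into the backbone:", summary_lsas(AREA1, AREA0 + AREA2))
    print("Area 1 without summarization:", summary_lsas(AREA1, AREA0 + AREA2, False))
    # constructed mistake: a 10.1.x.x network configured inside Area 2
    print("Area 2 with a stray 10.1.200.0/24:",
          summary_lsas(AREA2 + ["10.1.200.0/24"], AREA0 + AREA1))
```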


Summary of OSPF LSA types

For each LSA type the table gives its name, scope, advertising router and Link State ID.

Type 1, Router LSA. Scope: within a single area. Advertising router: each router in the area (one LSA per router ID). Link State ID: originating router ID.
Type 2, Network LSA. Scope: within a single area. Advertising router: DR of a multi-access transit network. Link State ID: DR’s IP address on the network.
Type 3, Summary LSA. Scope: all areas other than stub no-summary. Advertising router: Area Border Router. Link State ID: starting IP address of an address range in another area.
Type 4, AS Summary LSA. Scope: normal areas. Advertising router: Area Border Router. Link State ID: ASBR’s Router ID.
Type 5, AS External LSA. Scope: normal areas. Advertising router: Autonomous System Boundary Router. Link State ID: starting IP address of an external address range.
Type 7, NSSA LSA. Scope: within a not-so-stubby area. Advertising router: Autonomous System Boundary Router. Link State ID: starting IP address of an external address range.

As shown above, OSPF supports six types of LSA.

Router LSAs and Network LSAs are exchanged by routers in a single area, as described earlier in this module.

When you define multiple areas on a router, the router automatically becomes an ABR. It creates Summary LSAs that describe networks in the backbone and floods them to adjacent neighbors in non-backbone areas. It also creates Summary LSAs that describe non-backbone networks and floods them to the backbone. Summary LSAs flow through area border routers into “normal” OSPF areas.

The rest of this module will describe three other types of OSPF areas and the uses for the remaining LSA types shown in the table above.


External route information

• Basic OSPF interactions
• Distribution of link state changes
• External route information
– Redistributing non-OSPF network information
– Autonomous System Boundary Router (ASBR)
– Not-so-stubby area (NSSA)

The final section of Module 2 will describe the processes for redistributing information about non-OSPF networks to OSPF routers.


Redistributing non-OSPF network information

OSPF routers advertise:
• Locally connected OSPF networks using Router LSAs and Network LSAs
• Networks in another area using Summary LSAs

Routing information that comes from a source other than OSPF is considered ‘external’. Examples include:
• Default route to the Internet
• Static route to portions of the intranet that do not use OSPF
• Routes learned from RIP neighbors

An Autonomous System Boundary Router (ASBR) is an OSPF router that has learned routes from a non-OSPF source

OSPF routers advertise native OSPF networks using Router LSAs, Network LSAs, and Summary LSAs. When an OSPF router has information in its route table that came from a source other than OSPF, it cannot include that information in its Router LSA because the Router LSA refers strictly to OSPF native networks.

Sources of non-OSPF routes can include:

• Static routes
• Directly connected networks (local interfaces) where OSPF is not enabled
• RIP domains within the intranet. These are collections of routers that support RIP and exchange RIP advertisements, but do not support OSPF.
• User-defined default route or BGP routes that direct traffic toward an ISP or other location.

Because OSPF routers often must have access to these types of routes, OSPF domains often include an Autonomous System Boundary Router (ASBR), a type of OSPF router that has direct knowledge of non-OSPF information. While configuration procedures are vendor- or platform-specific, the process of transforming routing information from one source into another is often referred to as “redistribution.”


ASBR

• A router that has access to non-OSPF route information may be configured to redistribute that information into the OSPF Autonomous System
• The ASBR generates one AS External LSA for each non-OSPF network
– Can be configured to summarize address ranges
• The ASBR floods AS External LSAs to its adjacent neighbors
• Routers in “normal” areas flood AS External LSAs to adjacent neighbors
• The external address range appears in the LSDB and IP route tables of all routers

[Diagram: Area 1, Area 0 and Area 2; an ASBR connected to a non-OSPF domain floods AS External LSAs through the areas.]

The ASBR is responsible for generating an AS External LSA for each non-OSPF network. Like all other LSAs, it is encapsulated in a Link State Update packet, OSPF packet, and IP packet, and flooded to adjacent neighbors.

On most systems, administrators can configure ranges of external networks to minimize the actual number of advertisements the ASBR must send and, consequently, limit the number of LSAs that every router in the domain must keep in its LSDB. If the ASBR provides a path to the Internet or to all networks not specifically listed in the domain’s route tables, administrators can configure it to originate the default route by creating and flooding a Type 5 AS External LSA that advertises the address range 0.0.0.0/0.

An AS External LSA may be forwarded over adjacencies, through ABRs, and reach every router in the domain if the external information being advertised is worthy of that kind of distribution. In many cases, external routes are connected to a single ASBR and if there are a limited number of paths to that ASBR, it might be more efficient to stop the AS External LSAs from being flooded into every area.


Stub area type: Injecting the default route

• OSPF routers internal to non-backbone areas may not require the specific addresses of non-OSPF networks
• To replace the specific advertisements of non-OSPF networks with the default route, define non-backbone areas as ‘stub’ type areas
• The backbone may not be defined as a stub area
• The Link State Database in a stub area cannot contain AS Summary LSAs or AS External LSAs; an ASBR may not reside within a stub area

[Diagram: Area 1 (Stub) and Area 2 (Stub) are attached through ABRs to Area 0, where an ASBR connected to a non-OSPF domain floods AS External LSAs. The ABRs do not flood AS External LSAs into the stub areas; instead each injects a Summary LSA that specifies the default route 0.0.0.0/0, which appears in the LSDB and route tables of the internal routers.]

The ABR of a stub area receives AS External LSAs from its adjacent neighbors in the backbone area and stores them in its link state database. It does not flood AS External LSAs into the stub area, but instead creates a Type 3 Summary LSA containing the default route and floods that LSA to neighbors in the stub area.

Because the routers internal to the stub area receive the default route, they can forward traffic toward the remote networks managed or discovered by other routing protocols. However, they are not required to maintain individual entries for those networks. This minimizes the number of LSAs in internal routers’ link state database, along with the size of the IP route table.

The ABR’s status as a member of the stub area does not cause it to have the default route in its route table. Instead, its route table contains whatever specific networks or summarized address ranges the ASBR has advertised. If the ASBR has been configured to originate the default route, the databases of all OSPF routers in normal areas will contain the Type 5 AS External LSA that advertises the default route. Internal routers in stub areas will also have the default route in their route tables, but that information comes from the Type 3 Summary LSA that was injected into the stub area by the ABR.

As described earlier, the ABR must always be a member of Area 0 and at least one non-backbone area. Area 0 cannot be defined as a stub area type because it is a connecting point for all of the areas in the OSPF AS. In the diagram, the ASBR is located within Area 0 by design. The ASBR cannot be placed in a stub area.


Locating the ASBR

• ASBRs may be located in any ‘normal’ area, never in a stub area
• ASBRs indicate their role by setting an option bit in their Router LSAs
• An ABR detects the presence of an ASBR in an area under its control, originates an AS Summary LSA, and floods it into the backbone area
• The AS External LSA includes the ASBR’s Router ID; without the AS Summary LSA, routers would not know which area the ASBR resides in, preventing them from forwarding traffic toward the non-OSPF networks

Type 4, AS Summary LSA. Scope: normal areas. Advertising router: Area Border Router. Link State ID: ASBR’s Router ID.
Type 5, AS External LSA. Scope: normal areas. Advertising router: Autonomous System Boundary Router. Link State ID: starting IP address of an external address range.

The AS Summary LSA advertises into all normal areas the router ID that connects to the area in which a given ASBR is located. Without this advertisement, an internal router in a different area than the ASBR would not know how to forward traffic toward the non-OSPF networks.

Unlike all of the other LSA types, the AS Summary LSA does not contain any information that appears in a route table. However, because it is in the link state database, it is available for use when OSPF routers calculate the shortest path to each destination network, including the external networks advertised by the ASBR.


Stub and ‘totally stubby’ area

• Defining an area as stub reduces the size of the LSDB and IP route table
• To further minimize the LSDB and IP route table, configure the ABR to withhold Summary LSAs
• The result is a more compact LSDB and IP route tables
• External networks and networks from other areas are summarized with the default route

[Diagram: Area 1 (Stub) and Area 2 (Stub) are attached through ABRs to Area 0, where an ASBR connected to a non-OSPF domain floods AS External LSAs. Stub no-summary or ‘totally stubby’ area border routers prohibit AS External LSAs and Summary LSAs; the default route 0.0.0.0/0 injected by each ABR represents external networks and those in other OSPF areas.]

In addition to defining an area’s type as “stub,” you can configure the ABR not to flood Type 3 Summary LSAs to adjacent neighbors in the area. This is advisable when there are a limited number of entry and exit points to a given area. For example, all routers in Area 1 usually do not require detailed information about the networks in Area 2.

Although the example shows only one ABR for each non-backbone area, it is often the case that a stub area is connected to the backbone by two ABRs. Although both ABRs will advertise the default route, the one advertising the lowest metric will provide the backbone connection for all routers. If both ABRs advertise the default route with an equal metric, all traffic leaving the area will go through the ABR with the highest router ID.


Not-so-stubby area (NSSA)

An NSSA combines the efficiency of default route summarization (similar to a stub area) with the flexibility of ASBR definition
• An ASBR within the NSSA originates Type 7 (NSSA) LSAs
• The ABR transforms Type 7 LSAs into Type 5 and floods them into the backbone

[Diagram: Area 1 (NSSA) and Area 2 (Totally Stubby) are attached through ABRs to Area 0. An ASBR in Area 0 holds the default route to the Internet and floods AS External LSAs. A second ASBR inside Area 1 has some RIP routes; those RIP routes appear in route tables within Area 1 as ‘External’, while non-OSPF information that originates outside Area 1 is summarized as the default route 0.0.0.0/0. In Area 2 the default route 0.0.0.0/0 represents all networks not in Area 2.]

OSPF rules prohibit Type 4 or Type 5 LSAs in a stub area. However, if a non-backbone area must include an ASBR, it can be defined as a not-so-stubby area (NSSA) to enable internal routers to gain the efficiency typical of stub areas.

The ABR connected to a not-so-stubby area converts external information that originates outside the area into the default route in the same manner it would if the area were defined as a stub area. This is possible because the ASBR in a not-so-stubby area advertises its external networks using a Type 7 NSSA LSA. The external networks appear in the route tables of routers in the area, and the ABR translates the Type 7 LSAs into Type 5 AS External LSAs and floods them to adjacent neighbors in the backbone. From the backbone, the external network information is summarized as the default route for stub and totally stubby areas.
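The ABR behaviour described in this and the preceding stub, totally stubby and ASBR sections, as an added example that is not code from the ProCurve guide. The Area 0 database is constructed: ABR R1A (10.1.208.1) is the DR of 10.0.100.0/24, R2A (10.2.208.1) advertises the 10.2.0.0/16 range, and an ASBR 10.3.200.1 in a constructed Area 3 behind ABR 10.3.208.1 originates the default route and the external network 192.0.2.0/24; the NSSA ASBR’s prefix 172.16.5.0/24 is likewise constructed.

```python
"""What an ABR floods into an area, by area type, and Type 7 translation.

Added example; not code from the ProCurve guide. Router IDs, the ASBR in a
constructed Area 3 behind ABR 10.3.208.1, and the external prefixes
192.0.2.0/24 and 172.16.5.0/24 are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LSA:
    type: int          # 1 Router, 2 Network, 3 Summary, 4 AS Summary, 5 AS External, 7 NSSA
    link_state_id: str
    adv_router: str
    netmask: str = "255.255.255.255"


def validate_area(area_id, area_type, contains_asbr):
    """Design rules from the text; returns the violations (empty list if legal)."""
    problems = []
    if area_id == "0.0.0.0" and area_type != "normal":
        problems.append("the backbone (Area 0) cannot be a stub-type area")
    if contains_asbr and area_type in ("stub", "totally-stubby"):
        problems.append("an ASBR cannot reside in a stub area; use a normal area or an NSSA")
    return problems


def flood_into_area(area_type, backbone_lsdb, abr_id):
    """LSAs the ABR floods from its Area 0 database into one attached area.

    Router and Network LSAs never cross the boundary; each backbone transit
    network is re-described by the ABR's own Type 3 Summary LSA (stub links
    inside Router LSAs are left out here for brevity)."""
    out = []
    for lsa in backbone_lsdb:
        if lsa.type == 2 and area_type != "totally-stubby":
            # a Network LSA's link state ID is the DR address; derive the prefix
            net = ipaddress.ip_interface(f"{lsa.link_state_id}/{lsa.netmask}").network
            out.append(LSA(3, str(net.network_address), abr_id, lsa.netmask))
        elif lsa.type == 3 and area_type != "totally-stubby":
            out.append(lsa)                                  # networks of other areas
        elif lsa.type in (4, 5) and area_type == "normal":
            out.append(lsa)                                  # ASBR location, externals
    if area_type != "normal":
        # stub, totally stubby and NSSA: withheld information is replaced by a default
        out.append(LSA(3, "0.0.0.0", abr_id, "0.0.0.0"))
    return out


def translate_nssa(nssa_lsdb, abr_id):
    """Type 7 LSAs from the NSSA's ASBR become Type 5 LSAs toward the backbone;
    the translating ABR lists itself as the advertising router (RFC 3101)."""
    return [LSA(5, l.link_state_id, abr_id, l.netmask) for l in nssa_lsdb if l.type == 7]


# Constructed Area 0 database as held by ABR R1A (10.1.208.1)
BACKBONE_LSDB = [
    LSA(1, "10.1.208.1", "10.1.208.1"),                    # R1A's own Router LSA
    LSA(2, "10.0.100.11", "10.1.208.1", "255.255.255.0"),  # Network LSA, DR = R1A
    LSA(3, "10.2.0.0", "10.2.208.1", "255.255.0.0"),       # R2A's range for Area 2
    LSA(4, "10.3.200.1", "10.3.208.1"),                    # ASBR 10.3.200.1 sits in Area 3
    LSA(5, "0.0.0.0", "10.3.200.1", "0.0.0.0"),            # the ASBR originates the default
    LSA(5, "192.0.2.0", "10.3.200.1", "255.255.255.0"),    # one redistributed network
]

if __name__ == "__main__":
    for kind in ("normal", "stub", "totally-stubby", "nssa"):
        flooded = flood_into_area(kind, BACKBONE_LSDB, "10.1.208.1")
        print(kind, [(l.type, l.link_state_id) for l in flooded])
    print(translate_nssa([LSA(7, "172.16.5.0", "10.1.209.1", "255.255.255.0")], "10.1.208.1"))
```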


Module 2 summary

In this module, you learned:
• The basic operation of OSPF
• Why OSPF provides for more efficient routing than RIP, especially in large-scale intranets
• The functions of the types of OSPF routers
• The role of different types of OSPF areas

Module 2 of IP Routing Foundations described the OSPF routing protocol, including the OSPF router and area types. The module emphasized reasons why OSPF is more efficient than RIP in large-scale intranets.


Learning check Module 2


1. Name two types of OSPF networks.

a.

b.

2. Define the purposes of:

ABR:

ASBR:

3. Describe the process by which OSPF routers form adjacencies.

4. What types of OSPF LSAs are confined to a single area and how are they used?

5. What techniques enable administrators to limit the size of OSPF link state databases and enhance routing efficiency?


Module 3: Default Gateway Redundancy Protocols

Objectives

• Describe the benefits of providing redundant default gateway service for clients
• List common characteristics of protocols that provide automatic default gateway failover
• Describe the operation of the Virtual Router Redundancy Protocol (VRRP)


Redundant router interfaces

• Multiple router interfaces are members of a group known as a ‘virtual router’
• At any given moment, one router interface is ‘master’
– The other will become master only if the current master fails

[Diagram: Router A and Router B, both connected to the intranet and/or Internet, comprise a virtual router configured with a common virtual IP address, 10.1.10.1. Host 10.1.10.10/24 uses default gateway 10.1.10.1.]

All of the default gateway redundancy technologies discussed throughout this module share the basic features shown above. This highly simplified example illustrates the redundant router topology from the perspective of a single network. In most configurations, two routers will be connected to exactly the same set of networks. Although each router has a unique IP address, they will be configured to share a common virtual IP address. This address will be used as the default gateway for each network to which the routers provide redundant default gateway service.


Redundant links: Physical view

• Redundant links enable a client’s connections with off-network hosts to continue despite failure of a link along the primary path to its default gateway
• In this example, a router with five interfaces performs default gateway service for hosts in five networks

[Diagram: Router1 has VLAN 1: ve 1: 10.x.1.1/24, VLAN 10: ve 10: 10.x.10.1/24, VLAN 20: ve 20: 10.x.20.1/24, VLAN 30: ve 30: 10.x.30.1/24 and VLAN 40: ve 40: 10.x.40.1/24, and forwards traffic among its connected VLANs. Link A (Router1 to Switch1), Link B (Router1 to Switch2) and Link C (Switch1 to Switch2) are each untagged in VLAN 1 and tagged in VLANs 10, 20, 30 and 40. Hosts in network 10.1.10.0/24 use DG 10.1.10.1, hosts in 10.1.20.0/24 use DG 10.1.20.1, hosts in 10.1.30.0/24 use DG 10.1.30.1, and hosts in 10.1.40.0/24 use DG 10.1.40.1.]

Many contemporary networks employ Spanning Tree Protocol to ensure that the failure of a single switch-to-switch link will not disrupt connectivity. For instance, in the topology shown above, hosts in all four user VLANs—10, 20, 30, and 40—have two paths to the router that is their default gateway.

Router1 is the sole connecting point for all of the VLANs/networks. Because the router is also the root of the Spanning Tree, Link C (between Switch1 and Switch2) will only be used if either Link A or Link B should fail. The primary path for off-network communication from all hosts in networks 10.1.10.0 and 10.1.30.0 is through Switch1 and Link A. The primary path for hosts in networks 10.1.20.0 and 10.1.40.0 is through Switch2 and Link B.

If Link A should fail, off-network traffic generated by hosts in networks 10.1.10.0 and 10.1.30.0 will be carried by Link C and Link B. Both links are tagged members of the VLANs associated with these networks (VLANs 10 and 30) and this allows the off-network traffic to take an alternate path to the default gateway.

Since all three of the links (A, B, and C) are members of all five VLANs, the failure of any one of the links would not prevent hosts from reaching their default gateway.

Redundant links: Logical view

Slide diagram: Router1 connects networks 10.1.1.0/24, 10.1.10.0/24 (all hosts’ DG: 10.1.10.1), 10.1.20.0/24 (all hosts’ DG: 10.1.20.1), 10.1.30.0/24 (all hosts’ DG: 10.1.30.1) and 10.1.40.0/24 (all hosts’ DG: 10.1.40.1). Switch1: 10.1.1.25/24, DG: 10.1.1.1. Switch2: 10.1.1.26/24, DG: 10.1.1.1.

Layer 2 edge switches:
• Provide physical connections within each network, but are not hosts on networks 10.1.10.0, 10.1.20.0, 10.1.30.0, or 10.1.40.0
• Are hosts on the 10.1.1.0 network

Router1 IP route table:

Destination    Gateway   Port  Cost
10.1.1.0/24    0.0.0.0   v1    1
10.1.10.0/24   0.0.0.0   v10   1
10.1.20.0/24   0.0.0.0   v20   1
10.1.30.0/24   0.0.0.0   v30   1
10.1.40.0/24   0.0.0.0   v40   1

Student Guide: 3–4

This diagram provides a logical view of the network topology shown on the previous page. After Spanning Tree blocks the link between Switch1 and Switch2, there is a single active path between each host and its default gateway, Router1. If a physical link fails, the physical path to the default gateway might change. However, the logical view would remain the same.

The switches shown in the logical diagram provide the physical connections within each network. However, they are not hosts on any network other than the management network, 10.1.1.0/24.

Impact of device failure

Failure of one Layer 2 edge switch:
• Hosts connected to that switch would be cut off from the network
• Highly localized impact with relatively inexpensive solution: replace switch, restore configuration

Failure of the router:
• All hosts that use this router as a default gateway would be cut off from resources in other networks
• Impact has wider scope
• Potentially expensive solution: replace router components, possibly restore configuration

Slide diagram: the same logical topology as the previous slide (Switch1: 10.1.1.25/24 and Switch2: 10.1.1.26/24, both with DG 10.1.1.1; networks 10.1.1.0/24, 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24 and 10.1.40.0/24, with all hosts’ DG at the router’s .1 address in each network).

Student Guide: 3–5

The redundant link between Switch1 and Switch2 ensures that this topology is tolerant of link failure. However, in order to design a truly fault-tolerant infrastructure, a network designer must consider the possibility that a component, such as a switch or router, can fail. The topology above does not meet this requirement.

Edge switch failure

In many cases, little can be done to prepare for the failure of an edge switch. Network hosts typically are connected to only one switch, which makes it impossible to provide redundant wired links. If, however, network administrators are using a management and monitoring application, they can react quickly to a switch failure by replacing the switch or by providing an alternate connection to affected users. For instance, if client computers have wireless adapters and the network offers a wireless infrastructure, the clients can activate their wireless adapters and connect through a wireless access point. The users can return to their wired Ethernet connections after the failed switch is replaced.

Router failure

The failure of a router has far wider consequences than the failure of an edge switch. If a router fails, hosts may continue to have connectivity with other hosts in their own network, but they will not be able to access resources on other networks. In contemporary enterprises, this is not acceptable because direct peer-to-peer communication without an intervening server or other device is not common.

Furthermore, routers and routing switches in a production network are likely to support far more networks and clients than are shown in this example. In addition to providing access to resources within an organization, the router is the first point of contact in establishing and maintaining connections with the global Internet.

Consequently, network designers must make allowances for router failures.

Providing a second router

• If you provide a second router, you might use a DHCP scope that includes both default gateway addresses
• If Router1 fails, clients can obtain a new DHCP lease that specifies Router2’s IP address as default gateway

Slide diagram: Router1 interfaces 10.1.1.1/24, 10.1.10.1/24, 10.1.20.1/24, 10.1.30.1/24, 10.1.40.1/24; Router2 interfaces 10.1.1.2/24, 10.1.10.2/24, 10.1.20.2/24, 10.1.30.2/24, 10.1.40.2/24. Switch1: 10.1.1.25/24 and Switch2: 10.1.1.26/24, both with DG 10.1.1.1. All hosts in 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24 and 10.1.40.0/24 still use Router1’s .1 address in their network as DG.

Student Guide: 3–7

It is tempting to believe you can overcome router failure by simply installing a second router that provides access to the same resources as the first. However, this solution is not adequate because the second router must have a different IP address than the first. Consequently, if the first router fails, all connected hosts must change their default gateway settings to the address of the second router.

Although most IP stacks enable you to define a second default gateway address, most do not automatically fail over to it without special configuration.

In the example above, to enable Router2 to perform the function of Router1, administrators must change the default gateway settings for all connected hosts. Obviously, the manual reconfiguration of every host is impractical for a network of any size. Alternately, administrators could reconfigure the network’s DHCP scope and require users to obtain a new DHCP lease with the new gateway. However, this solution is also impractical, for reasons that will be discussed on subsequent pages.

Why failover is not automatic (1)

• Interfaces on Router1 provide default gateway service for hosts on both networks
• Layer 2 header destination address of all off-network traffic is that of Router1

Slide diagram: Host40 (10.1.40.40/24, DG: 10.1.40.1) sends a frame to Router1 with Layer 2 header Dest: Router1 MAC, Source: Host40 MAC; Layer 3 header Source: 10.1.40.40, Dest: 10.1.20.20. Router1 (interfaces 10.1.20.1/24 and 10.1.40.1/24) forwards it to Host20 (10.1.20.20/24, DG: 10.1.20.1) with Layer 2 header Dest: Host20 MAC, Source: Router1 MAC; Layer 3 header unchanged, Source: 10.1.40.40, Dest: 10.1.20.20. Router2 (interfaces 10.1.20.2/24 and 10.1.40.2/24) is also present on both networks.

Student Guide: 3–8

Although it is possible to use DHCP leases to change the default gateway settings for all network hosts, this solution will not provide automatic failover.

Suppose, for instance, that a host with the IP address 10.1.40.40/24 has an ongoing session with the host 10.1.20.20/24. The client directs its off-network traffic to its default gateway by inserting the MAC address of the local router interface into the Layer 2 header.

If the router providing default gateway service becomes unavailable, the session will terminate after a few retries and a given timeout period.

Why failover is not automatic (2)

• Despite the failure of Router1, the host continues to send off-network traffic to Router1’s MAC address
• Host will not send traffic to Router2’s MAC address unless its IP stack configuration is changed to specify a default gateway address on Router2

Slide diagram: Router1 is marked failed (x). Host40 (10.1.40.40/24, DG: 10.1.40.1) still sends frames with Layer 2 header Dest: Router1 MAC, Source: Host40 MAC; Layer 3 header Source: 10.1.40.40, Dest: 10.1.20.20. Host20 (10.1.20.20/24, DG: 10.1.20.1) and Router2 (interfaces 10.1.20.2/24 and 10.1.40.2/24) are unchanged.

Student Guide: 3–9

In this example, the failure of Router1 has disrupted Host40’s session with resources in address ranges outside its own. Unless the client has a special default gateway failover configuration, it will continue to send packets to the default gateway’s MAC address until the session times out and eventually terminates altogether.

If the user tries to re-establish the connection with the off-network resource, the new session also will fail because the computer’s IP stack configuration still lists 10.1.40.1 as its primary default gateway. The ARP cache entry for that IP address is the MAC address of the VLAN 40 interface on Router1, which is now down.

The IP stack will not fail over to the second default gateway, even if the user waits to start a new session until Router1’s MAC address has aged out of the PC’s ARP cache: the ARP request for 10.1.40.1 simply goes unanswered. The only way to make the IP host use the second router interface (for example, 10.1.40.2) as its default gateway is to change the IP stack configuration, removing 10.1.40.1 from the default gateway setting and leaving 10.1.40.2 as the configured default gateway.

Why failover is not automatic (3)

After you change the default gateway on all hosts to a local interface on Router2, each host:
• Uses ARP to obtain the MAC address for Router2
• Sends off-network traffic to Router2’s MAC address

Slide diagram: Router1 remains failed (x). Host40 (10.1.40.40/24, now DG: 10.1.40.2) sends frames with Layer 2 header Dest: Router2 MAC, Source: Host40 MAC; Layer 3 header Source: 10.1.40.40, Dest: 10.1.20.20. Router2 (interfaces 10.1.20.2/24 and 10.1.40.2/24) forwards them to Host20 (10.1.20.20/24, now DG: 10.1.20.2) with Layer 2 header Dest: Host20 MAC, Source: Router2 MAC; Layer 3 header Source: 10.1.40.40, Dest: 10.1.20.20.

Student Guide: 3–10

After Host40 is configured to use Router2 as its primary default gateway, the IP host process sends an ARP request to learn the MAC address of the device that is using the IP address 10.1.40.2. Subsequent off-network traffic contains the MAC address associated with 10.1.40.2. The user now can establish a new connection with the resource they were using before Router1 failed and hope to pick up the session where they left off.

This solution presents two problems:

1. Very few end users will go to this much effort to remain in contact with crucial resources. If the hosts are using DHCP, you could simplify their involvement by clearing all of the active leases for the network and forcing each host to obtain a new lease. However, this will require significant administrative and traffic overhead, especially if the failed router was performing default gateway service for dozens of networks.

2. Many sessions are not tolerant of lost connections. If users were performing transaction-oriented procedures, they may not be able to return easily to the location they were accessing when the link or device failure occurred.

Automatic failover for default gateway

Automatic failover can be provided using several different standard and proprietary methods:
• Virtual Router Redundancy Protocol: IETF RFC 2338
• VRRP Extended: Proprietary method available on 9300m series routing switch
• XRRP: Proprietary method available on 5300xl and 3400cl series switches
• Other vendor-specific implementations

Common goals for default gateway redundancy methods:
• Enable continuity for off-network communication despite the failure of the primary default gateway
• Provide for automatic failover from primary to backup default gateway within typical session timeout intervals

Student Guide: 3–11

All strategies for providing redundant default gateway service have the same goal: To provide seamless failover that ensures uninterrupted communication with remote hosts despite the failure of the primary default gateway. Automatic failover typically occurs within timeout intervals for TCP communication, enabling a client to continue its open sessions through a backup default gateway if the primary gateway fails.

Not every pair of routers with interfaces on the same network is a candidate for default gateway redundancy. If each router leads to a different part of the network (for example, one leads toward the core and the other leads away from it), only one of them is a suitable default gateway candidate. In general, a hierarchical design that interconnects networks is considered superior to one that has multiple layers of router hops.

Common characteristics and operations

• Assign a common ID to members of a redundancy group
• Apply priorities to determine which router is preferable as primary or “Master” default gateway for hosts
• Require Master to continually announce its availability, enabling backup routers to automatically detect its failure
• Assign “virtual” IP address to routers in redundancy group
  – Actual IP address of each router interface on the network is unique
  – Common virtual IP address is assigned to all router interfaces in the redundancy group
• Resolve virtual IP address to a virtual MAC address
  – Current Master forwards traffic sent to the virtual MAC address
  – Backup routers ignore traffic sent to the virtual MAC address

Student Guide: 3–12

Vendors and standards groups have devised many protocols and implementations for default gateway redundancy. However, although their terminology, configuration, and monitoring procedures might differ, all of the default gateway redundancy techniques perform the same procedures and operations.

First, all default gateway redundancy implementations define a method for distinguishing router interfaces that are members of the same default gateway redundancy group. A common value is assigned to all router interfaces on a network that can provide default gateway service for the network’s hosts.

Some default gateway redundancy protocols enable you to define a redundancy group consisting of exactly two routers—a primary and a backup. Other protocols enable you to define more than two. All the routers in the same redundancy group must be equally capable of providing default gateway service for hosts on the network.

In most network topologies, one router is a more qualified candidate for “Master” status. Typically, you will configure that router as the primary default gateway. The Master router forwards traffic under normal circumstances, when all links and routers are available. All default gateway redundancy methods enable you to prioritize the routers so that you can determine which router will be Master and which will be the first choice for its backup in the event the Master fails.

Prompt detection of the Master router’s failure is crucial to automatic failover. All default gateway redundancy protocols provide some means for the Master to periodically announce its availability. Backup routers listen for these messages and assert themselves as Master when the announcements stop. Priority settings are used to select the current Master.

Every host on an IP network, including routers, must have a unique IP address. To enable a group of routers to provide equivalent default gateway service, a common virtual IP address is assigned to the routers in the redundancy group. The virtual IP address is defined as the default gateway in the hosts’ IP stack configuration.

Finally, all default gateway redundancy protocols use a virtual MAC address. This address appears in the ARP cache of each IP host on the network associated with the virtual default gateway IP address. The current Master router on a given network forwards traffic sent to the virtual MAC address. When a backup router transitions to Master, it immediately begins forwarding traffic that has the virtual MAC address in the destination field of the Layer 2 header.

Virtual Router Redundancy Protocol

• Described in RFC 2338 and updated in RFC 3768
• VRRP offers a method for defining a “virtual router,” a group of redundant router interfaces on a network
• A router that implements VRRP may support multiple virtual routers, each of which is identified by an integer between 1 and 255
• The Master of the group periodically advertises its availability
  – The Backup router asserts itself as Master if it stops hearing the periodic advertisement

Student Guide: 3–14

The Virtual Router Redundancy Protocol (VRRP) is a common default gateway redundancy protocol defined as a standard in RFC 2338 and updated in RFC 3768 (VRRP version 2); RFC 5798 has since replaced RFC 3768 with VRRP version 3, which adds IPv6 support, but the mechanisms described in this module are unchanged. Like all default gateway redundancy protocols, VRRP enables administrators to define a “virtual router,” which is a group of redundant routers on a network. Each VRRP router can participate in multiple VRRP groups, which are identified by integers between 1 and 255.

VRRP relies upon the definition of Master and Backup routers. The Master of each group acts as the default gateway for network hosts and periodically advertises its availability. Backup routers assume forwarding duties if they stop receiving advertisements from the Master.

Virtual routers in VRRP

A group of redundant router interfaces on the same network is known as a “virtual router.” All have the following items in common:
• Identified by an integer between 1 and 255 known as the “Virtual Router ID” (VRID)
• Configured with a “virtual IP address” that matches the IP stack default gateway of hosts on the network

Student Guide: 3–15

VRRP identifies a group of routers that can provide equivalent default gateway service to hosts on a given network as a “virtual router.” While VRRP allows you to define more than two members of a redundancy group, two routers are sufficient for most networks.

A “VRRP router” is defined as any router that implements the VRRP protocol and supports at least one virtual router. Typically, a VRRP router participates in more than one virtual router.

VRRP routers whose interfaces will serve as members of the same virtual router must agree on its identifier, often called a “Virtual Router ID” (VRID). The routers in the group must also be configured with a virtual IP address that hosts on the network will use as their default gateway.

VRRP: Actual and virtual IP addresses

• If the actual IP address assigned to one of the routers matches the virtual IP address, that router is the “Owner” of the address
• The Owner will be the VRRP Master if it is available on the network
• Another router can become the Master only if the Owner is not available

Slide diagram:
Router1: VRID 1 Master (Owner), actual IP 10.1.20.1/24, virtual IP 10.1.20.1; VRID 2 Master (Owner), actual IP 10.1.40.1/24, virtual IP 10.1.40.1
Router2: VRID 1 Backup, actual IP 10.1.20.2/24, virtual IP 10.1.20.1; VRID 2 Backup, actual IP 10.1.40.2/24, virtual IP 10.1.40.1
Host40: 10.1.40.40/24, DG: 10.1.40.1. Host20: 10.1.20.20/24, DG: 10.1.20.1

Student Guide: 3–16

Because every host on an IP network must have a unique IP address, the router interfaces that make up the virtual router can’t be configured with the same address.

However, you can configure one of the routers to have the same actual IP address as the virtual IP address associated with the VRID. In this configuration, the router whose actual IP address matches the virtual IP address is considered the IP address “Owner.” The Owner of the IP address is assigned a priority value of 255, which is the highest possible value. If the Owner is present on the network, it will be the Master router; all other routers will be Backup.

The highest priority that can be assigned to a non-owner (a router whose IP address is not the same as the virtual IP address) is 254. The VRRP standard specifies that the default priority for a Backup is 100. If you have only two routers in the virtual router redundancy group, you can leave the router that is not the IP address Owner at the default priority. If the network has one Master and two or more Backups, assign a different priority to each Backup so that the order of succession is deterministic; RFC 3768 breaks a priority tie in favour of the router with the higher primary IP address, which may not be the router you intended.

VRRP: Master and Backup states

Master
• Forwards off-network traffic for hosts that use the virtual IP address as their default gateway

Backup
• Does not forward traffic sent to the virtual IP address
• Is not in an idle state for general IP communication
  – Can send and receive traffic through its interface on the network

Slide diagram:
Router1: Master router, Virtual Router ID 1, virtual IP 10.1.20.1; Master router, Virtual Router ID 2, virtual IP 10.1.40.1
Router2: Backup router, Virtual Router ID 1, virtual IP 10.1.20.1; Backup router, Virtual Router ID 2, virtual IP 10.1.40.1
Host40: 10.1.40.40/24, DG: 10.1.40.1. Host20: 10.1.20.20/24, DG: 10.1.20.1

Student Guide: 3–17

In this example, Router1 and Router2 have been configured with two common VRIDs and virtual IP addresses, and are therefore members of two virtual routers. One virtual router is VRID 1, with the virtual IP address 10.1.20.1. The other virtual router is VRID 2, with the virtual IP address 10.1.40.1.

In this configuration, Router1 is the Master router for both VRIDs. Router2 acts as Backup. As described earlier, the Master router forwards all off-network traffic sent to the virtual IP addresses for either VRID. The Backup takes over this forwarding duty only if the Master router becomes unavailable.

Although Router2 is not the Master of either virtual router, it can send and receive traffic through its interfaces on both networks. If hosts on the network 10.1.40.0/24 were configured with 10.1.40.2 as their default gateway, Router2 would forward their off-network traffic.

Each router’s role as Master or Backup is determined by a priority value associated with the VRID/Virtual IP address.

VRRP: Virtual MAC address

• Clients send off-network traffic to default gateway’s MAC address
• IP address associated with virtual router resolves to a virtual MAC address
• Virtual MAC address ensures continuity of clients’ sessions with off-network resources despite failure of Master

Virtual MAC address format: 00-00-5e-00-01-01
• First five octets (00-00-5e-00-01) are defined in the VRRP standard
• Last octet is the VRID (01 in this example)

Student Guide: 3–18

A client forwards all off-network traffic to its default gateway defined by the IP address in its IP stack configuration. In a network protected by VRRP, the virtual IP address should be the one configured as the clients’ default gateway. Often, this address is the configured IP address of the VRRP Master router.

Because the clients use a virtual IP address for their default gateway, the MAC address associated with the IP address must also be virtual.

VRRP Master broadcasts “gratuitous ARP”

• When a VRRP router transitions to the Master role, it broadcasts a gratuitous ARP message on to each network that contains:
  – The virtual IP address
  – The virtual MAC address
• All local hosts receive the message, and
  – Create an ARP cache entry associating the virtual MAC address with their default gateway
  – Send all off-network traffic to the virtual MAC address

Student Guide: 3–19

To enable a client’s existing sessions to continue despite the failure of the Master, hosts must be sending off-network traffic to the virtual MAC address instead of the physical MAC address of the current Master. To ensure that clients correctly resolve their (virtual) default gateway’s MAC address, the VRRP Master broadcasts a gratuitous ARP message to all local hosts. Each host that receives the message creates or refreshes its ARP cache entry for the virtual IP address and subsequently sends off-network traffic to the virtual MAC address.
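The gratuitous ARP exchange described above, worked through as an added example that is not part of the guide: the frame is built as RFC 3768 specifies it (a broadcast ARP request whose sender and target IP addresses are both the virtual IP and whose sender MAC is the virtual MAC), a host applies it to its ARP cache under the RFC 826 merge rule, and a final check flags an ARP for the gateway address whose sender MAC is not the virtual MAC, which is what a host on the segment spoofing the gateway looks like on the wire. Host40’s initial cache contents and the spoofing MAC are constructed for the example; VRID 2 and 10.1.40.1 follow the guide’s scenario.

```python
"""Gratuitous ARP for a VRRP virtual IP: frame encoding, host cache update,
and a gateway-spoofing check. Added example for this guide, not ProCurve code.
Sample frames and cache contents are constructed inline."""
import ipaddress
import struct
from typing import Dict, Optional

ETH_P_ARP = 0x0806
BROADCAST = "ff-ff-ff-ff-ff-ff"
ARP_REQUEST = 1


def virtual_mac(vrid: int) -> str:
    """RFC 3768 IPv4 virtual MAC: 00-00-5e-00-01-<VRID>."""
    return f"00-00-5e-00-01-{vrid:02x}"


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split("-"))


def mac_str(raw: bytes) -> str:
    return "-".join(f"{b:02x}" for b in raw)


def build_gratuitous_arp(vrid: int, virtual_ip: str, sender_mac: Optional[str] = None) -> bytes:
    """Ethernet II + ARP request as a new Master broadcasts it (RFC 3768): sender and
    target protocol address are both the virtual IP and the sender hardware address
    is the virtual MAC. sender_mac is overridable only so the example can construct
    a spoofed frame."""
    sha = mac_bytes(sender_mac or virtual_mac(vrid))
    vip = ipaddress.IPv4Address(virtual_ip).packed
    ethernet = mac_bytes(BROADCAST) + sha + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, op=1 (request);
    # target hardware address is zero in a request.
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REQUEST) + sha + vip + bytes(6) + vip
    return ethernet + arp


def parse_arp(frame: bytes) -> Dict[str, object]:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op = struct.unpack("!HHBBH", frame[14:22])
    return {
        "eth_src": mac_str(frame[6:12]),
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def host_update_cache(cache: Dict[str, str], frame: bytes) -> Dict[str, str]:
    """RFC 826 merge rule: a host that already has an entry for the sender IP
    overwrites it with the sender MAC, whatever the opcode. That is what lets a
    gratuitous ARP move the gateway entry to the virtual MAC, and also what makes
    unauthenticated ARP spoofable."""
    arp = parse_arp(frame)
    if arp["sender_ip"] in cache:
        cache[arp["sender_ip"]] = arp["sender_mac"]
    return cache


def gateway_spoof_check(frame: bytes, vrid: int, virtual_ip: str) -> Optional[str]:
    """Monitoring rule: any ARP claiming the virtual IP must carry the virtual MAC."""
    arp = parse_arp(frame)
    if arp["sender_ip"] == virtual_ip and arp["sender_mac"] != virtual_mac(vrid):
        return f"ARP for gateway {virtual_ip} from {arp['sender_mac']}, expected {virtual_mac(vrid)}"
    return None


def scenario() -> Dict[str, object]:
    vrid, vip = 2, "10.1.40.1"
    # Constructed: Host40 still caches Router1's physical MAC (assumed value) for its gateway.
    host40_cache = {"10.1.40.1": "00-11-11-11-11-01", "10.1.40.20": "00-22-22-22-22-20"}
    legit = build_gratuitous_arp(vrid, vip)
    host_update_cache(host40_cache, legit)
    spoof = build_gratuitous_arp(vrid, vip, sender_mac="de-ad-be-ef-00-01")  # assumed attacker MAC
    return {
        "frame_len": len(legit),
        "gateway_mac_after": host40_cache["10.1.40.1"],
        "legit_finding": gateway_spoof_check(legit, vrid, vip),
        "spoof_finding": gateway_spoof_check(spoof, vrid, vip),
    }


if __name__ == "__main__":
    print(scenario())
```

The same rule that lets the Master move every host’s gateway entry with one broadcast lets any host on the segment do the same, so the spoof check belongs in whatever watches the segment (a sensor on a mirror port, or the switch’s own ARP protection where it exists), not only in the routers.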

Master accepts traffic sent to virtual MAC address

• Hosts on a VRRP-protected network learn the virtual MAC address through the gratuitous ARP request sent by the Master
• Master accepts traffic sent to the virtual MAC address; Backup does not

Slide diagram: Host40 (10.1.40.40/24, DG: 10.1.40.1) sends a frame with Layer 2 header Dest: 00-00-5e-00-01-02, Source: Host40 MAC; Layer 3 header Source: 10.1.40.40, Dest: 10.1.20.20. Router1 (VRID 1 Master/Owner, actual 10.1.20.1/24, virtual 10.1.20.1; VRID 2 Master/Owner, actual 10.1.40.1/24, virtual 10.1.40.1) forwards it to Host20 (10.1.20.20/24, DG: 10.1.20.1) with Layer 2 header Dest: Host20 MAC, Source: Router1 MAC; Layer 3 header Source: 10.1.40.40, Dest: 10.1.20.20. Router2 (VRID 1 Backup, actual 10.1.20.2/24, virtual 10.1.20.1; VRID 2 Backup, actual 10.1.40.2/24, virtual 10.1.40.1) ignores the frame.

Student Guide: 3–20

In this example, the IP host 10.1.40.40 has an ongoing session with a host in another network. It sends the traffic to the virtual MAC address associated with the virtual IP address of VRID 2.

Virtual MAC address enables automatic failover

• If the Owner/Master fails, the Backup begins forwarding traffic addressed to the VRID 2 virtual MAC address
• Host40 does not require any configuration changes or restarted sessions, unaware that a different router is forwarding its off-network traffic

Slide diagram: Router1 is marked failed (x). Host40 (10.1.40.40/24, DG: 10.1.40.1) still sends frames with Layer 2 header Dest: 00-00-5e-00-01-02, Source: Host40 MAC; Layer 3 header Source: 10.1.40.40, Dest: 10.1.20.20. Router2, now VRID 1 Master (actual 10.1.20.2/24, virtual 10.1.20.1) and VRID 2 Master (actual 10.1.40.2/24, virtual 10.1.40.1), forwards them to Host20 (10.1.20.20/24, DG: 10.1.20.1) with Layer 2 header Dest: Host20 MAC, Source: Router2 MAC; Layer 3 header Source: 10.1.40.40, Dest: 10.1.20.20.

Student Guide: 3–21

When Router1, the Master for both VRID 1 and VRID 2, fails, Router2 transitions to the Master state for both virtual routers and begins forwarding traffic sent to their virtual MAC addresses. Host40’s frames still carry 00-00-5e-00-01-02 as their destination, so its session with 10.1.20.20 continues without any change on the host.

VRRP uses an advertisement that contains information about a virtual router, including the VRID and the virtual IP address associated with the virtual router. Because each advertisement describes one virtual router, a router that is Master of multiple VRIDs generates a separate advertisement for each virtual router and sends it through its interface to the network associated with that VRID.

VRRP advertisements

• Master periodically advertises its availability to Backup routers
• Default advertisement interval of one second enables very fast recovery from failure of Master
• If a router is the Master for multiple virtual routers, it generates one advertisement every second for each VRID

Slide diagram: Router1 is Master for VRID 1 (10.1.20.1) and Master for VRID 2 (10.1.40.1); Router2 is Backup for VRID 1 (10.1.20.1) and Backup for VRID 2 (10.1.40.1). Host40: 10.1.40.40/24, DG: 10.1.40.1. Host20: 10.1.20.20/24, DG: 10.1.20.1.

Student Guide: 3–22

Because one router interface is configured or elected as the Master for each VRID, the Backup needs a reliable, automated mechanism for determining that the Master is still alive and forwarding traffic.

VRRP uses an advertisement that contains information about the virtual router, including the VRID and the virtual IP address associated with the virtual router. Because each advertisement describes one VRID, a router that is Master of multiple VRIDs generates a separate advertisement for each VRID.

The Backup router retains its state for as long as it continues to receive the advertisements within the expected interval. A very short advertisement interval (one second at default settings) enables the Backup to quickly recognize when a Master goes down. However, the Backup does not assume the Master is down after missing just one message. Rather, it waits for a “dead interval” derived from the advertisement interval: RFC 3768 defines this Master_Down_Interval as three times the advertisement interval plus a skew time of (256 − priority)/256 seconds. With the one-second default, a Backup at priority 100 therefore declares itself Master about 3.6 seconds after the last advertisement it heard, and a higher-priority Backup always times out slightly earlier than a lower-priority one.

VRRP advertisements are sent to IP multicast address 224.0.0.18 with an IP TTL of 255, and a VRRP router must discard any advertisement that arrives with a different TTL, which proves the packet originated on the local segment. The advertisements are not processed by hosts other than VRRP routers.
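The election rules from page 3–16 (Owner at 255, non-owners at most 254, default 100), the takeover from page 3–21 and the advertisement and dead intervals above, worked through in an added example that is not part of the guide. It models RFC 3768’s Master_Down_Interval of 3 × Advertisement_Interval + (256 − priority)/256 seconds and its tie-break by higher primary IP address, then runs the static-gateway case of pages 3–8 to 3–10 alongside the VRRP case. Router1, Router2, VRID 2 and the 10.1.40.0/24 addresses follow the guide; the third router with priority 120, the physical MAC addresses and the failure time are assumptions.

```python
"""VRRP (RFC 3768) election, Master_Down_Timer failover and virtual-MAC takeover,
compared with a static default gateway. Added example for this guide, not
ProCurve code. Physical MACs, Router3 and the failure time are assumed."""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ADVER_INT = 1.0  # RFC 3768 default Advertisement_Interval in seconds


def virtual_mac(vrid: int) -> str:
    """RFC 3768 IPv4 virtual MAC: 00-00-5e-00-01-<VRID>."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00-00-5e-00-01-{vrid:02x}"


def skew_time(priority: int) -> float:
    """Skew_Time = (256 - Priority) / 256: the higher the priority, the sooner a Backup acts."""
    return (256 - priority) / 256.0


def master_down_interval(priority: int, adver_int: float = ADVER_INT) -> float:
    """Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time."""
    return 3 * adver_int + skew_time(priority)


@dataclass
class VrrpRouter:
    name: str
    real_ip: str
    mac: str           # physical interface MAC (assumed value)
    priority: int      # configured priority; 255 is reserved for the Owner
    up: bool = True
    state: str = "Backup"


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(o) for o in ip.split("."))


def effective_priority(r: VrrpRouter, virtual_ip: str) -> int:
    """The Owner (real IP == virtual IP) always runs at 255; others are capped at 254."""
    return 255 if r.real_ip == virtual_ip else min(r.priority, 254)


def elect(routers: List[VrrpRouter], virtual_ip: str) -> Optional[VrrpRouter]:
    """Highest effective priority wins; RFC 3768 breaks a tie for the higher primary IP."""
    alive = [r for r in routers if r.up]
    if not alive:
        return None
    master = max(alive, key=lambda r: (effective_priority(r, virtual_ip), _ip_key(r.real_ip)))
    for r in alive:
        r.state = "Master" if r is master else "Backup"
    return master


def failover(routers: List[VrrpRouter], virtual_ip: str, t_fail: float,
             adver_int: float = ADVER_INT) -> Tuple[Optional[VrrpRouter], Optional[float]]:
    """The current Master dies at t_fail. Backups last heard it at the preceding
    advertisement tick; each Backup's Master_Down_Timer expires at
    t_last + Master_Down_Interval(its priority), and the first to expire takes over."""
    master = elect(routers, virtual_ip)
    if master is None:
        return None, None
    t_last = math.floor(t_fail / adver_int) * adver_int
    master.up, master.state = False, "Down"
    backups = [r for r in routers if r.up]
    if not backups:
        return None, None

    def expiry(r: VrrpRouter) -> float:
        return t_last + master_down_interval(effective_priority(r, virtual_ip), adver_int)

    # Equal expiry means equal priority; the higher IP wins the resulting contest.
    new_master = min(backups, key=lambda r: (expiry(r), tuple(-o for o in _ip_key(r.real_ip))))
    for r in backups:
        r.state = "Master" if r is new_master else "Backup"
    return new_master, expiry(new_master)


def deliver(dst_mac: str, routers: List[VrrpRouter], vrid: int) -> Optional[VrrpRouter]:
    """Which live router accepts a frame with this destination MAC? Only the current
    Master accepts the virtual MAC; every router accepts its own physical MAC."""
    for r in routers:
        if r.up and (dst_mac == r.mac or (r.state == "Master" and dst_mac == virtual_mac(vrid))):
            return r
    return None


def scenario() -> Dict[str, object]:
    vrid, vip = 2, "10.1.40.1"
    routers = [
        VrrpRouter("Router1", "10.1.40.1", "00-11-11-11-11-01", 255),  # Owner, as in the guide
        VrrpRouter("Router2", "10.1.40.2", "00-11-11-11-11-02", 100),  # default priority
        VrrpRouter("Router3", "10.1.40.3", "00-11-11-11-11-03", 120),  # assumed extra Backup
    ]
    first = elect(routers, vip)
    # Host40's ARP entry for 10.1.40.1: Router1's physical MAC with a static gateway,
    # the virtual MAC once VRRP's gratuitous ARP has been seen.
    static_gw_mac, vrrp_gw_mac = routers[0].mac, virtual_mac(vrid)
    before = deliver(vrrp_gw_mac, routers, vrid)
    new_master, t_takeover = failover(routers, vip, t_fail=10.4)
    after_static = deliver(static_gw_mac, routers, vrid)
    after_vrrp = deliver(vrrp_gw_mac, routers, vrid)
    return {
        "initial_master": first.name,
        "forwarder_before_failure": before.name,
        "new_master": new_master.name,
        "takeover_time": t_takeover,
        "static_gateway_forwarder_after": after_static.name if after_static else None,
        "vrrp_forwarder_after": after_vrrp.name if after_vrrp else None,
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Router3 wins the takeover at 13.53 s rather than Router2 at 13.61 s purely because of the skew time, which is the mechanism by which VRRP keeps two Backups from contending; with the host sending to the virtual MAC, the frame that is dropped in the static-gateway case is forwarded by whichever router currently holds Master.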

VRRP advertisement packet format

Slide diagram: a decoded capture of one VRRP advertisement showing its Ethernet, IP and VRRP headers; the fields are described below.

Student Guide: 3–23

This is an example of a VRRP advertisement. Note that the source MAC address is the virtual MAC address for VRID 40 (28 hex). The source address field in the IP datagram header contains the actual IP address of the router that is sending the advertisement. It need not be the same as the virtual IP address, although it is in this example because the address Owner is the Master.

The destination address in the IP datagram header is the multicast group reserved for VRRP. Because 224.0.0.18 lies in the link-local multicast range (224.0.0.0/24), it is never forwarded beyond the network that is local to the interface over which the router sent the advertisement; the sender sets the TTL to 255 and receivers discard advertisements with any other TTL.

A VRRP advertisement is encapsulated directly in an IP datagram using protocol number 112 (70 hex). It does not use TCP or UDP.

The advertisement is VRRP packet type 1, the only type the standard defines; some vendor-specific implementations use other type values that only routers from the same vendor interpret. The message carries the version (2), the VRID, the sending router’s configured priority, a count of the IP addresses that follow, an authentication type, the advertisement interval in seconds, a checksum over the VRRP message, the IP address(es) associated with the VRID, and eight bytes of authentication data. RFC 3768 removed the authentication methods that RFC 2338 had defined, so a VRRPv2 advertisement is not authenticated: any device on the segment able to send a protocol 112 packet with TTL 255 can advertise a higher priority for the VRID and take over as Master, drawing the hosts’ off-network traffic through itself. Where the switches support it, limit the ports from which VRRP packets and ARP replies for the virtual IP address are accepted to the ports facing the routers.
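The packet format described above, as an added example that is not from the guide: it encodes and decodes the RFC 3768 advertisement (version/type, VRID, priority, IP address count, authentication type, advertisement interval, checksum, addresses, unused authentication data), then applies the checks a receiving router or a passive sensor should run. The two-frame capture it works on is constructed here: the Owner’s VRID 2 advertisement from the guide’s scenario, followed by an advertisement from an assumed rogue host, 10.1.40.200, claiming priority 255 with TTL 64.

```python
"""Build, parse and validate VRRPv2 advertisements (RFC 3768 packet format).
Added example for this guide, not ProCurve code. The 'captured' frames below
are constructed inline; the rogue host's address and MAC are assumptions."""
import ipaddress
import struct
from typing import Dict, List

VRRP_PROTO = 112          # IP protocol number (0x70); no TCP or UDP
VRRP_MCAST = "224.0.0.18"
VERSION, TYPE_ADVERT = 2, 1


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum over the whole VRRP message (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def virtual_mac(vrid: int) -> str:
    return f"00-00-5e-00-01-{vrid:02x}"


def build_advert(vrid: int, priority: int, vips: List[str], adver_int: int = 1) -> bytes:
    """Version/Type | VRID | Priority | Count IP Addrs | Auth Type (0) | Adver Int |
    Checksum | IP address(es) | 8 bytes of authentication data (unused in RFC 3768)."""
    head = struct.pack("!BBBBBBH", (VERSION << 4) | TYPE_ADVERT, vrid, priority,
                       len(vips), 0, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(ip).packed for ip in vips) + bytes(8)
    msg = head + body
    return msg[:6] + struct.pack("!H", inet_checksum(msg)) + msg[8:]


def parse_advert(msg: bytes) -> Dict[str, object]:
    if len(msg) < 8:
        raise ValueError("truncated advertisement")
    ver_type, vrid, prio, count, auth, adver_int, _ = struct.unpack("!BBBBBBH", msg[:8])
    if ver_type >> 4 != VERSION or ver_type & 0x0F != TYPE_ADVERT:
        raise ValueError(f"not a VRRPv2 advertisement: 0x{ver_type:02x}")
    if inet_checksum(msg) != 0:          # a correct checksum makes the sum verify to zero
        raise ValueError("VRRP checksum failure")
    if len(msg) < 8 + 4 * count + 8:
        raise ValueError("truncated advertisement")
    vips = [str(ipaddress.IPv4Address(msg[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "auth_type": auth,
            "adver_int": adver_int, "vips": vips}


def validate(pkt: Dict[str, object], src_ip: str, ttl: int, src_mac: str,
             expected: Dict[int, Dict[str, object]]) -> List[str]:
    """Checks a receiving VRRP router or a monitoring sensor should apply: TTL 255
    (RFC 3768 discards anything else), known VRID, matching virtual IPs and interval,
    source MAC equal to the virtual MAC as the guide's capture shows, and priority
    255 only from the Owner, whose real IP is the virtual IP."""
    findings: List[str] = []
    if ttl != 255:
        findings.append(f"TTL {ttl} != 255 (packet crossed a router or was forged)")
    if pkt["vrid"] not in expected:
        findings.append(f"unknown VRID {pkt['vrid']}")
        return findings
    exp = expected[pkt["vrid"]]
    if pkt["vips"] != exp["vips"]:
        findings.append(f"virtual IP mismatch {pkt['vips']} != {exp['vips']}")
    if pkt["adver_int"] != exp["adver_int"]:
        findings.append(f"advertisement interval {pkt['adver_int']} != {exp['adver_int']}")
    if src_mac.lower() != virtual_mac(pkt["vrid"]):
        findings.append(f"source MAC {src_mac} is not {virtual_mac(pkt['vrid'])}")
    if pkt["priority"] == 255 and src_ip not in pkt["vips"]:
        findings.append(f"priority 255 from non-Owner {src_ip}: gateway takeover attempt")
    if pkt["auth_type"] != 0:
        findings.append(f"auth type {pkt['auth_type']}: RFC 3768 defines only 0")
    return findings


# Constructed capture: the Owner's advertisement for VRID 2, then an assumed rogue
# host on 10.1.40.0/24 claiming priority 255 for the same VRID.
EXPECTED = {2: {"vips": ["10.1.40.1"], "adver_int": 1}}
CAPTURE = [
    {"src_ip": "10.1.40.1", "ttl": 255, "src_mac": "00-00-5e-00-01-02",
     "payload": build_advert(2, 255, ["10.1.40.1"])},
    {"src_ip": "10.1.40.200", "ttl": 64, "src_mac": "de-ad-be-ef-00-01",
     "payload": build_advert(2, 255, ["10.1.40.1"])},
]


def audit(capture=CAPTURE, expected=EXPECTED) -> List[List[str]]:
    return [validate(parse_advert(f["payload"]), f["src_ip"], f["ttl"], f["src_mac"], expected)
            for f in capture]


if __name__ == "__main__":
    for frame, findings in zip(CAPTURE, audit()):
        print(frame["src_ip"], "OK" if not findings else findings)
```

The rogue frame trips three of the checks at once; a more careful attacker would send with TTL 255 and the virtual MAC as source, and then only the priority-255-from-non-Owner rule remains, which is why that rule, and the Layer 2 port restriction mentioned above, matter more than the checksum.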

VRRP support for load sharing

• VRRP enables you to define multiple VRIDs on each network to share default gateway responsibility
• Each router can be the Master for one VRID and Backup for the other

Slide diagram:
Network 10.1.10.0/24
  Router1, actual IP 10.1.10.1/24: VRID 11: 10.1.10.1 (Master); VRID 12: 10.1.10.2 (Backup)
  Router2, actual IP 10.1.10.2/24: VRID 11: 10.1.10.1 (Backup); VRID 12: 10.1.10.2 (Master)
  Some hosts use 10.1.10.1 as DG, the others use 10.1.10.2 as DG
Network 10.1.20.0/24
  Router1, actual IP 10.1.20.1/24: VRID 21: 10.1.20.1 (Master); VRID 22: 10.1.20.2 (Backup)
  Router2, actual IP 10.1.20.2/24: VRID 21: 10.1.20.1 (Backup); VRID 22: 10.1.20.2 (Master)
  Some hosts use 10.1.20.1 as DG, the others use 10.1.20.2 as DG

Student Guide: 3–24

To enable efficient use of routers, VRRP supports load sharing by allowing you to define more than one VRID in a single network.

In the example above, four VRIDs—11, 12, 21, and 22—have been defined for network 10.1.10.0/24. Router1 is Master for VRID 11 and VRID 21, while Router2 is Master for VRID 12 and VRID 22. Each router is Backup for the VRIDs for which it is not Master.

Because each router is the backup of the other, if either router fails, the remaining router will provide default gateway service to all four VRIDs.

Notice that default gateway duties on each network are divided between the two routers. For instance, half of the hosts on network 10.1.10.0/24 use the virtual IP address associated with VRID 11 as their default gateway, and half of the hosts on the same network use the virtual IP address associated with VRID 12. Similarly, the hosts on network 10.1.20.0/24 are divided between the virtual IP addresses associated with VRID 21 and VRID 22.

While this load-sharing method seems efficient, most hosts in production networks use DHCP to obtain an address and default gateway. Using different DHCP scopes for hosts in the same network can be challenging.

When multiple VLANs are carried over a set of physical links, you can instead divide the hosts along VLAN boundaries: configure some VLANs to use one router as Master and other VLANs to use a different router as Master.


Considering link failure vs. device failure
• VRRP provides reliable protection against router failure
• Link failure can lead to mixed interface states and result in sub-optimal routing

Diagram: Router1 (owner), with interfaces 10.1.10.1/24, 10.1.20.1/24 and 10.1.30.1/24, and Router2 (backup), with interfaces 10.1.10.2/24, 10.1.20.2/24 and 10.1.30.2/24, serve hosts on networks 10.1.10.0/24, 10.1.20.0/24 and 10.1.30.0/24. Each interface is marked M (Master) or B (Backup); the x marks the failed link between Router1 and network 10.1.30.0/24.

Student Guide: 3–25

This example includes two routers, one of which is the owner of the IP addresses associated with the VRIDs on three networks. The owner/master (Router1) loses its connection to network 10.1.30.0/24. Router2 stops hearing advertisements from Router1 on that network. After a few seconds, Router2 starts sending VRRP advertisements, announcing itself as the Master of the VRID associated with network 10.1.30.0. Router2 begins forwarding off-network traffic on behalf of hosts on that network.


Mixed virtual router states (1)

Router2:
• Becomes Master for VRID associated with network 10.1.30.0/24
• Can forward traffic onto networks 10.1.10.0 and 10.1.20.0 regardless of its Backup state

Diagram: Router1 and Router2 attached to networks 10.1.10.0/24, 10.1.20.0/24 and 10.1.30.0/24, each interface marked M (Master) or B (Backup); the x marks Router1's failed link to 10.1.30.0/24. A packet with Layer 3 header Source: 10.1.30.30, Dest: 10.1.10.10 is forwarded by Router2 to host 10.1.10.10/24.

Router2 IP route table:
Network/mask    cost  next hop
10.1.10.0/24    0     local
10.1.20.0/24    0     local
10.1.30.0/24    0     local

Student Guide: 3–26

Although Router2’s interfaces on networks 10.1.10.0/24 and 10.1.20.0/24 are in the VRRP Backup state, the router can use those interfaces to deliver traffic that originates within network 10.1.30.0 and is destined for hosts in networks 10.1.10.0 and 10.1.20.0. Router2’s Backup state for networks 10.1.10.0 and 10.1.20.0 means only that Router2 will not forward traffic from those networks that is addressed to either virtual IP address.


Mixed virtual router states (2)

Router1:
• Remains Master for VRIDs associated with networks 10.1.10.0 and 10.1.20.0
• Has no local path to network 10.1.30.0, will drop traffic for that network unless configured to use a Router2 interface as next hop

Diagram: Router1 and Router2 attached to networks 10.1.10.0/24, 10.1.20.0/24 and 10.1.30.0/24, each interface marked M (Master) or B (Backup); the x marks Router1's failed link to 10.1.30.0/24. A packet with Layer 3 header Source: 10.1.20.20, Dest: 10.1.30.30 arrives at Router1 for host 10.1.30.30/24.

Router1 IP route table:
Network/mask    cost  next hop
10.1.10.0/24    0     local
10.1.20.0/24    0     local
10.1.0.0/16     2     10.1.20.2 (static route)

Student Guide: 3–27

The result of having mixed states for its virtual routers is a bit more significant in the case of the IP address owner, Router1. Because a router’s state for each VRID is separately determined, a router can retain its Master state for some VRIDs even though it has lost its physical connection to other networks.

The loss of Router1’s connection to network 10.1.30.0 causes important changes to its route table. The table no longer has an entry for network 10.1.30.0 and cannot forward to that network locally. In a sense, Router1 is no longer qualified to perform default gateway service for hosts on networks 10.1.10.0 and 10.1.20.0 because it doesn’t have a path to network 10.1.30.0. Without additional configuration, Router1 would simply discard all traffic destined for that network.

A partial solution to this problem is to create static routes that will allow Router1 to forward traffic destined for unknown networks (i.e. not local, in this example) through other routers. However, this path would be far less efficient than the path that would result if Router1 could be configured to relinquish its Master state on all of its interfaces.


Proprietary variations and enhancements

VRRP variations on ProCurve Routing Switch 9300m
• VRRP Extended (VRRPE)
– No IP Address Owner; all routers defined as Backup
– VRRP Master for each VRID is the one with highest priority
• Track ports (for VRRP and VRRPE)
– Define ports whose physical state should be tracked
– Loss of link on any tracked port causes failover of entire router

Student Guide: 3–28

The 9300m offers two significant enhancements on the VRRP standard:

1. VRRP Extended (VRRPE) In this proprietary protocol, no router is defined as the IP Address Owner. Instead, all routers are defined as Backup Routers. The Master for each VRID is determined by configured priorities. This provides administrators and designers with flexibility in design and implementation of redundant routing topologies.

2. Track ports Implemented for VRRP and VRRPE, track ports may be used to resolve the issue with mixed virtual router states by enabling administrators to define ports whose physical state should dictate the router’s role. The router can be configured to abdicate its Master status on any or all VRIDs if it detects loss of link on any tracked port.
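As an added example (not the student guide's or ProCurve's code), this Python models the per-VRID election described in the preceding slides, with the IP address owner at priority 255, reproduces the link-failure scenario in which Router1 keeps Master state on two networks while losing its interface on the third, and shows how the track-port enhancement removes that mixed state. The VRID numbers 1 to 3 and the interface addresses ending in .1 and .2 are assumptions; the slide gives only the networks.

```python
import ipaddress
from dataclasses import dataclass, field

OWNER_PRIORITY = 255  # the IP address owner always advertises priority 255


@dataclass
class Vrid:
    vrid: int
    network: str        # network the VRID serves, e.g. "10.1.30.0/24"
    virtual_ip: str
    priority: int


@dataclass
class Router:
    name: str
    interfaces: dict                               # network -> {"ip": str, "up": bool}
    vrids: list
    track_ports: set = field(default_factory=set)  # networks whose link state is tracked

    def tracked_port_down(self):
        return any(not self.interfaces[n]["up"] for n in self.track_ports)

    def candidate_priority(self, v):
        """None: no link on that network (router stays in Init and sends nothing).
        0: link is up but a tracked port is down, so the router abdicates on all VRIDs."""
        iface = self.interfaces.get(v.network)
        if iface is None or not iface["up"]:
            return None
        return 0 if self.tracked_port_down() else v.priority


def elect(routers):
    """Per-VRID election: highest priority wins, ties broken by higher interface IP.
    Returns {vrid: {router name: 'Master' | 'Backup' | 'Init'}}."""
    states = {}
    for r in routers:
        for v in r.vrids:
            states.setdefault(v.vrid, {})[r.name] = "Init"
    for vrid, table in states.items():
        candidates = []
        for r in routers:
            v = next((x for x in r.vrids if x.vrid == vrid), None)
            if v is None:
                continue
            p = r.candidate_priority(v)
            if p is None:
                continue
            table[r.name] = "Backup"
            if p > 0:
                ip = int(ipaddress.IPv4Address(r.interfaces[v.network]["ip"]))
                candidates.append((p, ip, r.name))
        if candidates:
            table[max(candidates)[2]] = "Master"
    return states


def has_mixed_states(states, router_name):
    """True when one router is Master for some VRIDs but not for others."""
    mine = {table[router_name] for table in states.values() if router_name in table}
    return "Master" in mine and len(mine) > 1


def blackholed_networks(router, states):
    """Networks that hosts still hand this router traffic for (it is Master
    somewhere) although it has lost its local interface to them."""
    if not any(t.get(router.name) == "Master" for t in states.values()):
        return set()
    return {n for n, i in router.interfaces.items() if not i["up"]}


def slide_scenario(track_ports=False):
    """Router1 owns the virtual addresses on three networks, Router2 backs it up at
    priority 100, and Router1 loses its link to 10.1.30.0/24 as on the slide.
    With track_ports=True every Router1 interface is a tracked port (assumed)."""
    nets = ["10.1.10.0/24", "10.1.20.0/24", "10.1.30.0/24"]
    r1 = Router("Router1",
                {n: {"ip": n.replace(".0/24", ".1"), "up": True} for n in nets},
                [Vrid(i + 1, n, n.replace(".0/24", ".1"), OWNER_PRIORITY)
                 for i, n in enumerate(nets)],
                set(nets) if track_ports else set())
    r2 = Router("Router2",
                {n: {"ip": n.replace(".0/24", ".2"), "up": True} for n in nets},
                [Vrid(i + 1, n, n.replace(".0/24", ".1"), 100)
                 for i, n in enumerate(nets)])
    r1.interfaces["10.1.30.0/24"]["up"] = False   # the link failure on the slide
    return r1, r2, elect([r1, r2])
```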


VRRPE: Virtual and actual IP addresses
• The virtual IP address is the one configured as default gateway of hosts on the network
• The actual IP addresses assigned to router interfaces must be different from the virtual IP address
• The router with the highest priority value becomes the Master

Diagram:
Host20: 10.1.20.20/24, DG: 10.1.20.1
Host40: 10.1.40.40/24, DG: 10.1.40.1
Router1: VRID 1 (Master), Priority 120, Actual: 10.1.20.11/24, Virtual: 10.1.20.1; VRID 2 (Master), Priority 120, Actual: 10.1.40.11/24, Virtual: 10.1.40.1
Router2: VRID 1 (Backup), Priority 100, Actual: 10.1.20.12/24, Virtual: 10.1.20.1; VRID 2 (Backup), Priority 100, Actual: 10.1.40.12/24, Virtual: 10.1.40.1

Student Guide: 3–29

As shown above, configuration for VRRPE is different from VRRP configuration in two ways:

1. Most significantly, the actual IP addresses assigned to router interfaces must be different from the virtual IP address. In VRRP, by contrast, the virtual IP address can be the interface address of one of the routers, which then becomes the Owner of the IP address.

2. The state of a router—that is, Master or Backup—is determined entirely by a priority value associated with each VRID. The router with the highest priority is automatically the Master. In the example, Router1 is Master for VRID 1 and VRID 2 because its priority is set at 120. Router2 has the default priority of 100. Valid priority values are 3-254.


XRRP

XL Router Redundancy Protocol
• Protection domain consists of two routers
• IP Address Owner is the router that is configured with the virtual IP address
• Link failure causes failover of entire router

VRRP equivalent for:
• ProCurve 3400cl series
• ProCurve 6400cl series
• ProCurve 5300xl series

Student Guide: 3–30

Several ProCurve switches, including the 3400cl series, the 5300xl series, and the 6400cl series, support the XL Router Redundancy Protocol (XRRP), which is a proprietary default gateway redundancy protocol.

In XRRP, each protection domain consists of exactly two routers. As in VRRP, the virtual IP address is the interface address of one of the routers, which is the Owner and Master for the virtual address.

If a link fails for an XRRP router, the entire router fails over, which prevents the formation of mixed virtual router states.


Module 3 summary

In this module, you learned:
• Why router redundancy protocols are necessary to ensure network operation in the event of router failure
• Similarities among proprietary and standards-based router redundancy protocols
• Basic information about the operation of VRRP
• Basic information about the operation of VRRPE
• Basic information about XRRP

Student Guide: 3–31

Module 3 of IP Routing Foundations described the requirements for router redundancy. While many contemporary networks use Spanning Tree to protect against link failure, a separate configuration is necessary to ensure seamless failover in the event of router failure. The module described several proprietary and standards-based redundancy protocols, including VRRP, VRRPE, and XRRP.

Routing Switch Essentials will provide detailed instructions on the configuration of VRRPE on the ProCurve 9300m Routing Switch.


Learning check Module 3


1. Why is Spanning Tree an incomplete solution for redundancy in a routed network?

2. Name the technologies for default gateway redundancy that are supported by ProCurve switches.

a.

b.

c.

3. How is the Master router determined in a VRRP implementation?

4. How does VRRPE differ from VRRP?


ACL Theory Module 4

Objectives

After completing this module, you will be able to:

• Differentiate between rule-based access control and role- and identity-based access control

• Describe the steps necessary to plan for rule-based access control

• List the criteria by which you can select traffic for special handling

• Configure ACLs so that rules are applied in the proper order

• Implement a strategy for applying ACLs to user traffic


Device security and traffic control

Resources in the corporate intranet may be protected by multiple levels of access control, including:
• Identity-based access control
– Defined centrally or on each server
– Permissions based on user’s identity, which may be authenticated by passwords or other means
• Role-based access control
– After identity has been authenticated, user may obtain additional permissions associated with organizational function or role
• Rule-based access control
– Router examines traffic and permits or denies it based on a set of rules
– Does not replace identity- and role-based security, but is used in conjunction with these forms of access control

Student Guide: 4–2

Every enterprise must implement several types of network security to control access to resources. Three of these are:

1. Identity-based security

2. Role-based security

3. Rule-based security

Identity-based security

The security methods most apparent to end users are based on user identity. In this type of security, users are required to assert their identities, often by providing a user name. They are then required to prove or authenticate their identities by providing passwords or biometric information. Identity-based security can be enforced through centralized authentication services and may involve directory services, public key cryptography, or other technologies. After the process is complete, the authenticated user is authorized to use some set of resources.

Role-based security

In role-based security, users are authenticated according to their membership in organizational functions or groups to which an administrator has assigned access rights or permissions. After a user’s identity has been authenticated, the user receives a combination of the rights associated with the individual and those associated with any relevant groups. Role-based security can be enforced by servers and by switches at the edge of the network.


Rule-based security

Finally, routers can be configured to perform access control functions that selectively permit or deny traffic based on the content of specific fields within the headers of each packet. This form of security is enforced through Access Control Lists (ACLs), which are the subject of this module.


Basic security principles: Physical security example

A building is accessible to employees with key-card access
Rooms with storage cabinets have no doors
• Key 10 opens the cabinets in Room A
• Key 4 opens the cabinets in Room B
• Keys are not required to access the cabinets in Room C

Potential problems for Rooms A and B:
• Brute force security breach
• Denial of service

Diagram: Room A (cabinets opened by key 10), Room B (cabinets opened by key 4), Room C (no key required).

Student Guide: 4–4

Network security issues and solutions often are similar in concept to physical security issues and solutions.

The slide above uses an unnamed physical facility to illustrate these principles. A building used to store sensitive items requires identity-based and role-based access. Employees use security badges to present their identities and gain access to the building.

Once inside the building, employees can enter any of three storage rooms. However, a role-based security procedure governs access to storage cabinets inside the rooms. Employees use key cards to gain access only to the cabinets appropriate for their organizational functions. The requirements for the three rooms are:

1. Key card 10 is required to access cabinets in Room A. Because this room holds the most sensitive material, card 10 is issued to the fewest number of employees. However, the door to the room remains unlocked because prompt access is important for these employees.

2. Key card 4 is required to access cabinets in Room B.

3. No card is required to access cabinets in Room C, which means they are accessible to all employees with access to the building.


Security threats

Because the rooms themselves are unlocked, this building faces two important security threats that are analogous to threats encountered in enterprise networks.

1. Brute force attacks Because the doors are unlocked, unauthorized persons could easily gain access to the rooms and force open the locks to the cabinets.

2. Denial of service attacks As well as being able to force open the cabinet locks, intruders could prevent employees from gaining access to the cabinets. Because anyone can enter the rooms, a crowd of unauthorized individuals could, however unlikely this is, gather to deny service to authorized individuals.


Basic security principles: Additional layer of physical security

Security devices are positioned at entrances to Rooms A and B
• Programmed with rules to characterize individuals that should be allowed access
• All others are denied access

Locked cabinets in Rooms A and B remain accessible only to individuals in possession of correct keys

Diagram: a security device at the entrance to Room A (cabinets opened by key 10) and at the entrance to Room B (cabinets opened by key 4).

Student Guide: 4–6

In this example, security at the fictitious building is heightened by adding locks to the doors of Room A and Room B. By providing an additional layer of security, these devices prevent unauthorized persons from entering rooms that contain resources they are not allowed to use.

Note, however, that the locks are not replacements for the locks on the cabinets. They are additional security measures designed to serve two purposes:

1. Enhance security by making it less likely that an unauthorized person will find a way to break through the locks on the cabinets

2. Enhance availability by preventing unauthorized persons from impeding the access of authorized persons


Comparing physical and virtual security

Providing multiple access control levels enhances network security:
• Identity- or role-based access control
– Goal is to allow appropriate user access to services
– Analogous to locks on storage cabinets
• Rule-based access control
– Defined on routers and routing switches
– Goal is traffic control to relieve congestion, limit opportunity for denial of service attacks
– Analogous to security device installed on certain doors

Student Guide: 4–7

In some ways, the tools and procedures used for network security are similar to those used for physical security. In both cases, administratively defined policies determine which users can access specific resources and what level of access each user will have.

The locks installed on the rooms in the example are analogous to rule-based security in the enterprise intranet. Just as the locks prevent unauthorized users from entering rooms where they are not permitted, enterprise routers can limit traffic flow to ensure that unauthorized users cannot “see” sensitive resources.

In the network, the filters examine packets to compare their source and destination addresses and traffic types with a set of rules configured by administrators. This significantly decreases the likelihood that resources will be compromised or that service will be denied to authorized users.

The rest of this module will discuss rule-based security in the form of ACLs configured on routers.


Planning for rule-based access control

Identify characteristics of the resource to be protected, such as:
• Individual hosts by their IP address
• Functional groups of servers by an IP address range
• Server-based applications supported by protocol and/or TCP/UDP port without regard to IP address

For each resource, identify selection criteria:
• Common characteristics of traffic that should be permitted
• Common characteristics of traffic that should be denied

Based on location of resources and distribution of authorized and unauthorized traffic sources, identify:
• All paths through the intranet that could carry identified traffic
• Where to place controls
– Ingress and egress ports

Student Guide: 4–8

Before implementing rule-based access control, you must know what you are trying to protect. Resources can be identified in a number of ways, including IP address and protocol or application.

Access control requirements often play an important role in selecting an addressing scheme. Typically, resources that must be accessed by the same set of users are placed in the same network. This addressing strategy simplifies access control by enabling an administrator to refer to a group of servers as a range of IP addresses rather than as a series of individual IP addresses. Similarly, an efficient IP addressing scheme places users with identical resource needs into the same network or range of networks. When a set of users authorized to access a particular set of resources can be referred to using an IP address range, an administrator can minimize the number of rules required to meet the organization’s traffic control goals. Specific recommendations for IP addressing scheme design are covered in the Routing Switch Essentials course.

Suppose, for example, that several servers provide storage for a particular department, and that all users in the department require equal access to the servers. Because you have placed users into VLANs/networks based on the function or role associated with their identities, all of the users are within a definable range of IP addresses. If the servers are assigned IP addresses within a given address range, such as a subnet or network with a 24-bit mask, they can also be specified as a resource by their address range.


Alternatively, several servers distributed across many address ranges might support a particular protocol, application, or other function that is definable by a protocol name or number, or by a TCP or UDP port. You can refer to the application as a resource without regard to the IP addresses of specific servers. SMTP is one example of this type of resource.

As well as defining the rules, you must also determine which router interfaces should enforce the access control rules and whether the rules should be applied to inbound or outbound traffic. Additionally, because an organization’s rule-based security policies often require the configuration of multiple rules, you must determine the sequence in which the rules should be applied to inbound or outbound traffic.

The next few slides will illustrate a simple rule-based access control example.


Rule-based access control example

• The ‘curriculum’ network is accessible to all through the intranet core
• Identity-based security allows authenticated faculty members to access the servers on this network
• Edge router will be configured with traffic filters that enforce rule-based security to permit only faculty members to access the curriculum network

Diagram: user networks Guests 10.1.10.0/24, Faculty 10.1.20.0/24, Admin 10.1.30.0/24 and Students 10.1.40.0/24; networks 10.1.65.0/24, 10.1.66.0/24, 10.1.67.0/24 and 10.1.68.0/24; Intranet core 10.0.100.0/24; Curriculum 10.0.130.0/24; Internet.

Student Guide: 4–10

At ProCurve University, many resources must be protected by access control rules. One such resource is the curriculum network, an enterprise-wide resource that hosts servers for materials relating to curriculum. These materials include supplementary handouts, quizzes, and exams.

The next few slides will show how to configure ACLs to permit faculty members at one campus to access the servers. This example will illustrate two important points:

1. How to identify the values in IP datagram header that will be specified in the rules

2. Possible locations for application of the rules


Selection criteria in IP header

Packet matching criteria:
• IP datagram header information that identifies permitted traffic:
– Destination IP address between 10.0.130.0 and 10.0.130.255
– Source IP address between 10.1.20.0 and 10.1.20.255
• IP datagram header information that identifies denied traffic:
– Destination IP addresses other than 10.0.130.0 - 10.0.130.255
– Source IP addresses other than 10.1.20.0 - 10.1.20.255

IP header (diagram), row by row:
Version | Hdr Lgth | Type of Service | Total Length
Identifier | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Options (if any) | Padding

Student Guide: 4–11

The first step in planning for rule-based access control is to determine the IP header characteristics that identify permitted traffic. In this example, the permitted traffic originates within the faculty network and is destined for the curriculum network. The source address field in the headers of packets sent by faculty users is within the range 10.1.20.0-10.1.20.255. The value in the destination address field will be 10.0.130.0-10.0.130.255.

All IP traffic with a source and destination address that matches the rule will be subjected to the specified action. All packets that have a source IP address between 10.1.20.0 and 10.1.20.255 and a destination IP address between 10.0.130.0 and 10.0.130.255 will be permitted.

With this rule applied, a router will make forwarding decisions based only on IP address. However, rules can use IP protocol fields to determine which applications can access certain resources. For instance, a rule could permit only HTTP requests, effectively blocking Telnet, FTP, and other IP applications.


Decide which port(s) will filter traffic

• Determine all paths that can carry traffic from the faculty user network to the curriculum server network
• Identify ingress and egress ports for the traffic

Diagram: routers R1A, R1B, R1C, R1D and C1 connect the user networks Guests 10.1.10.0/24, Faculty 10.1.20.0/24, Admin 10.1.30.0/24 and Students 10.1.40.0/24, across networks 10.1.65.0/24, 10.1.66.0/24, 10.1.67.0/24 and 10.1.68.0/24, to the Intranet core 10.0.100.0/24, the Curriculum network 10.0.130.0/24 and the Internet. The faculty ingress port and the curriculum server egress port are marked.

Student Guide: 4–12

Without any traffic controls implemented, routers forward all traffic based on route table entries. The policy defined in this example requires the router to permit traffic that comes from the faculty users and is destined for the curriculum server.

Given the goal of permitting traffic from the faculty user network to the curriculum server network, the rule could be applied at either of the two points shown on the diagram. The interface on R1D that connects to the faculty user network is called the “ingress” port because it is the only point through which traffic generated by faculty users can enter the intranet.

Similarly, the only point through which traffic destined for the curriculum server network can exit the intranet is known as the “egress” port.


A rule that may be applied to ingress or egress ports

Rule 1: permit all IP traffic whose source address is in the range 10.1.20.0/24 AND whose destination address is in the range 10.0.130.0/24.

Apply Rule 1 inbound (at the faculty ingress port) OR apply Rule 1 outbound (at the curriculum egress port)

Diagram: routers R1A, R1B, R1C, R1D and C1; user networks Guests 10.1.10.0/24, Faculty 10.1.20.0/24, Admin 10.1.30.0/24 and Students 10.1.40.0/24; networks 10.1.65.0/24 through 10.1.68.0/24; core 10.0.100.0/24; server networks Emp servers 10.0.128.0/24, Admin servers 10.0.129.0/24 and Curriculum 10.0.130.0/24; Internet.

Student Guide: 4–13

The ProCurve University intranet provides multiple paths to the core from each edge router. Traffic between the faculty user network and the curriculum server network may be forwarded onto the core network by either R1A or R1B. Regardless of which router handles this traffic, the ingress and egress ports remain the same. While the rule shown on the diagram could be applied to inbound traffic on the ingress port or to outbound traffic on the egress port, one port might be more efficient than the other due to platform-specific factors. Additionally, the impact of applying this rule at the ingress port is completely different from the impact of applying it at the egress port.


The implied ‘deny any’ rule

A traffic filtering rule is applied to an interface as a member of an ordered list of rules known as an Access Control List (ACL). The last rule in every ACL denies all traffic that does not meet conditions of rules that appear earlier in the list.

Flowchart: Test Rule 1. Match? yes: follow action, end. no: deny any, end.

• Permit IP traffic matching source address range 10.1.20.0/24 AND destination address range 10.0.130.0/24
• (Implicit) Deny IP traffic from any source to any destination

• Packets that match the conditions of the first rule are subject to the action specified in the rule
• Packets that do not match the conditions of the first rule are compared to remaining rules in the list
• Packets that do not match any explicitly defined rule are denied

Student Guide: 4–14

An access control rule is applied to a router interface as a member of an ACL. An ACL frequently contains multiple rules, which are also known as “access control entries” or “ACL entries,” because each router interface can have only one inbound ACL and one outbound ACL. The entries are added to the ACL in the order they should be applied to transiting traffic.

The last rule in an ACL implicitly denies all traffic that was not explicitly permitted by a rule that appears earlier in the list. This rule, called the implied “deny any” rule, is one important reason why the outcome of a particular rule can be different if it is applied as part of an inbound ACL or an outbound ACL.


Impact of applying Rule 1 at ingress port

Rule 1: permit all IP traffic whose source address is in the range 10.1.20.0/24 AND whose destination address is in the range 10.0.130.0/24
Apply Rule 1 inbound

Diagram: the ProCurve University topology (routers R1A, R1B, R1C, R1D and C1; Guests 10.1.10.0/24, Faculty 10.1.20.0/24, Admin 10.1.30.0/24, Students 10.1.40.0/24; networks 10.1.65.0/24 through 10.1.68.0/24; core 10.0.100.0/24; Emp servers 10.0.128.0/24, Admin servers 10.0.129.0/24, Curriculum 10.0.130.0/24; Internet) with Rule 1 applied inbound at the faculty ingress port.

Result 1: Faculty member traffic destined for curriculum network is permitted; traffic destined for other resource networks is implicitly denied

Result 2: Traffic produced by hosts in guest, student, and admin networks is not impacted by rules applied at faculty ingress port.

Student Guide: 4–15

In this example, an ACL developed for ProCurve University contains only one rule. If an administrator applies this rule at the ingress port, faculty users will be able to access curriculum servers. However, because of the implicit “deny any” rule, faculty users will not be able to access any resources located on networks other than 10.0.130.0/24.

Additionally, the placement of the ACL at the ingress port does nothing to limit access to the curriculum server network by users in the guest, admin, and student user networks.


Impact of applying Rule 1 at egress port

Rule 1: permit all IP traffic whose source address is in the range 10.1.20.0/24 AND whose destination address is in the range 10.0.130.0/24
Apply Rule 1 outbound

Diagram: the ProCurve University topology (routers R1A, R1B, R1C, R1D and C1; Guests 10.1.10.0/24, Faculty 10.1.20.0/24, Admin 10.1.30.0/24, Students 10.1.40.0/24; networks 10.1.65.0/24 through 10.1.68.0/24; core 10.0.100.0/24; Emp servers 10.0.128.0/24, Admin servers 10.0.129.0/24, Curriculum 10.0.130.0/24; Internet) with Rule 1 applied outbound at the curriculum server egress port.

Result 1: Traffic sent by hosts in faculty network is explicitly permitted on to the curriculum network; no impact on faculty traffic destined for other networks

Result 2: Traffic sent by hosts in guest, admin, and student networks is explicitly denied entry to the curriculum network

Student Guide: 4–16

The application of the rule at the curriculum server egress port meets the goal of permitting faculty users to access curriculum servers while denying access to users in the guest, admin, and student networks. However, it is not a complete solution because it does nothing to restrict access to resources on any other networks.

Associating users with resource requirements

Approaches to defining and applying ACLs:
• Determine resources per user type and apply inbound filters at the ingress port for each user network
• Determine user types per resource and apply outbound filters at the egress port for each resource network

Inbound filters are generally considered more efficient than outbound filters

Resource requirements by user type (X = access required):

Resource                  Admin   Faculty   Guests   Students
Curriculum                        X
Accounting                X
Human resources           X
Web-based registration    X       X                  X
Email/scheduling app.     X       X
Internet                  X       X         X        X

As the previous example illustrates, a single rule is usually not sufficient to meet the traffic filtering requirements for a given interface. Because only one inbound ACL and one outbound ACL can be associated with each interface, ACLs require significant planning. You must assess the security requirements of the entire intranet and carefully define and apply ACLs to avoid inadvertently providing inappropriate user access or denying users legitimate access to resources.

Inbound ACLs are generally considered more efficient than outbound ACLs. However, because the advantages of inbound ACLs are often platform-dependent, outbound ACLs can be preferable in certain situations.

Inbound ACL recommendations

If you choose to define rule-based access control using inbound ACLs, you would assess resource requirements from the user perspective. For each interface, you would determine all of the resources required by the type of user on that network. You would then define an ordered list of rules to specify the characteristics of permitted and denied traffic.

One accepted procedure is to associate a “permit” action with characteristics of traffic that should be allowed to enter the router from the user network. You may also need to associate a “deny” action with characteristics of traffic that should not be allowed to enter the router from the user network.


Outbound ACL recommendations

If you choose to implement access control using outbound ACLs, you will work from the resource perspective. For each network that provides resources, you might choose to define an ordered list of rules that specify characteristics of user traffic that should or should not be allowed to exit the router and reach the hosts that provide resources.

Definition and application of access control rules is typically based on pre-defined organizational security policies and requires knowledge of specific resource requirements for all user types. This module uses the user types and resources at ProCurve University to describe the information that must be gathered in order to plan and implement ACLs.

The next few pages will provide specific address ranges and traffic types, as well as the physical locations for both resources and users within the enterprise intranet.

Define characteristics of resources

Diagram: ProCurve University network. User networks: Guests 10.1.10.0/24, Faculty 10.1.20.0/24, Admin 10.1.30.0/24, Students 10.1.40.0/24. Resource networks: Emp servers 10.0.128.0/24, Admin servers 10.0.129.0/24, Curriculum 10.0.130.0/24. Links: 10.0.100.0/24 and 10.1.65.0/24 through 10.1.68.0/24. Routers R1A, R1B, R1C, R1D; core C1; Internet.

Resource                         Characteristic
Human resources servers          Address range 10.0.129.0/24
Accounting servers               Address range 10.0.129.0/24
Curriculum servers               Address range 10.0.130.0/24
Email/scheduling app             Address range 10.0.0.0/8 AND TCP port 25 (SMTP)
Web-based registration server    Host 10.0.130.115 AND TCP port 80 (HTTP)
Internet                         Address range 0.0.0.0/0 AND NOT 10.0.0.0/8

The diagram and table above illustrate how administrators at ProCurve University might approach the process of planning their traffic filters. After identifying the intranet’s resources, administrators must determine how those resources can be characterized. More specifically, they must determine what portions of the IP header contain the information that distinguishes one resource from another.

In most cases, the IP address will be an important differentiator. For example, the curriculum servers are all located on the same network, within an address range that can be defined by the starting address 10.0.130.0 and the mask 255.255.255.0 (24 contiguous one bits).

Other resources include servers such as the accounting and human resources servers, which are used only by members of the administrative department. These servers also are located on the same network, within an address range that can be expressed by a starting address and mask.

However, the email/scheduling application resides on many servers that are distributed across several networks. Consequently, administrators cannot easily base their ACLs on the addresses of all of the servers that support this application. Instead, they can use the well-known port number for SMTP, which is 25.

This slide also shows how the users are characterized. Because administrators have assigned users to VLANs based on their resource needs, they can use a starting address and mask to describe users who perform a particular job function and associate them with the resources to which they need access.

Strategies for defining inbound ACLs

• Filtering traffic at the edge makes efficient use of router resources
  – Each router interface can support only one inbound ACL
  – Identify the permitted and denied resources for hosts on the connected network
• Two main strategies for associating rules with an ACL:
  1. Create rules that define characteristics of permitted traffic; deny all other traffic implicitly
  2. Create rules for each edge interface that define characteristics of denied traffic, then create a rule that permits all traffic not denied by rules that appear earlier in the list

Resource requirements by user type (X = access required):

Resource        Faculty   Admin   Students   Guests
HR                        X
Accounting                X
Email/sched     X         X
Curriculum      X
Internet        X         X       X          X
Registration    X         X       X

The implementation of access control is simplified if all of the hosts in a given VLAN/network/broadcast domain have similar resource requirements. However, because each interface can support only one inbound ACL and one outbound ACL, you must have a plan for organizing all of the traffic filtering rules that must be grouped together into an access list. In order to be effective, the rules must be in a correct and precise order.

The choice of a strategy for enabling access control often depends on the number of resources and types of user groups that must be controlled. Two common approaches are:

1. Create rules that specify the characteristics of the traffic that should be permitted. You then rely on the implicit “deny any” rule to deny all traffic not explicitly permitted.

2. Create rules that specify characteristics of traffic to be denied. You then specify a statement to permit all traffic not explicitly denied.

Access control for faculty users

Diagram: ProCurve University network (user networks Guests 10.1.10.0/24, Faculty 10.1.20.0/24, Admin 10.1.30.0/24, Students 10.1.40.0/24; resource networks Emp servers 10.0.128.0/24, Admin servers 10.0.129.0/24, Curriculum 10.0.130.0/24 with the registration server at .115; links 10.0.100.0/24 and 10.1.65.0/24 through 10.1.68.0/24; routers R1A, R1B, R1C, R1D; core C1; Internet), highlighting the faculty network.

Faculty resource                 Characteristic
Web-based registration server    Host 10.0.130.115 AND TCP port 80
Curriculum servers               Range 10.0.130.0/24
Email/scheduling                 Range 10.0.0.0/8 AND TCP port 25
Internet                         All destinations not in 10.0.0.0/8 range

Faculty members at ProCurve University require access to four network resources:

1. Web-based registration server

2. Curriculum servers

3. Email/scheduling application

4. Internet

The next few pages will present the logic for an ACL to permit this access while denying access to other resources.

Access control criteria in TCP and UDP headers

Figure: TCP header fields, in order: Source port, Destination port, Sequence number, Acknowledgment number, Hdr Lgth, Reserved, Code bits, Window, Checksum, Urgent pointer, Options (if any), Padding, followed by Data. UDP header fields: Source port, Destination port, Length, Checksum, followed by Data.

ACLs enable you to base traffic controls on fields in the TCP and UDP headers. For instance, at ProCurve University, the ACL that will be applied inbound to the faculty user network interface uses TCP port number 25, the well-known port for SMTP, as a selection criterion.

The graphic above illustrates the placement of this information in the TCP and UDP headers. If the protocol field in the IP datagram header indicates that the protocol is TCP, the TCP header immediately follows the IP header.

Because TCP provides connection-oriented service for upper-layer applications, the TCP header contains more fields than the UDP header. UDP acts like a pass-through between IP and the upper-layer applications. However, two fields appear in both types of headers: the source and destination port fields.

When combined with the three fields in the IP header that can be used for selecting packets for special handling, the TCP and UDP source and destination port fields provide flexibility in characterizing traffic that the router should permit or deny.

The code bits field is used during the three-way handshake that sets up a TCP connection, enabling applications to run over the connection-oriented, flow-controlled session. The code bits of a packet that belongs to an established conversation differ from the code bits of a packet that is attempting to initiate a new conversation, so the two can be told apart.


By making this field part of the criteria for a traffic filter, you can deny inbound packets whose code bit field value indicates an attempt to start a session from outside a given network using a TCP-based application. You can permit responses to sessions that were generated inside a given network.
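The distinction just described, as an added example that is not from the student guide: reading the code bits out of a raw TCP header and applying a filter that permits only segments carrying ACK or RST, so inbound session initiations are denied while replies to inside-originated sessions pass. The header builder, the function names and the sample segments are constructed for this example.

```python
"""Classify TCP segments by their code bits, as an inbound "established" filter does (added example)."""
import struct

# Code-bit (flag) values found in byte 13 of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_header(sport: int, dport: int, flags: int, seq: int = 0, ack: int = 0) -> bytes:
    """Build a minimal 20-byte TCP header with no options (constructed test data, checksum 0)."""
    data_offset = 5 << 4  # header length in 32-bit words, in the high nibble of byte 12
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)


def code_bits(segment: bytes) -> int:
    """Return the code-bit field of a raw TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def is_connection_attempt(segment: bytes) -> bool:
    """SYN set and ACK clear: the first packet of the three-way handshake."""
    bits = code_bits(segment)
    return bool(bits & SYN) and not bits & ACK


def is_established(segment: bytes) -> bool:
    """ACK or RST set: the segment belongs to (or tears down) a conversation already in progress."""
    return bool(code_bits(segment) & (ACK | RST))


def established_filter(segment: bytes) -> str:
    """Inbound filter that admits only replies to sessions initiated from the protected side."""
    return "permit" if is_established(segment) else "deny"


if __name__ == "__main__":
    print(established_filter(tcp_header(1052, 80, SYN)))               # deny
    print(established_filter(tcp_header(80, 1052, SYN | ACK, ack=1)))  # permit
```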

Permit faculty user access to curriculum server network

Faculty users can send traffic to any host on the curriculum network using any application

Rules in access control list applied to faculty ingress port:
1. Permit source range 10.1.20.0/24 and dest. range 10.0.130.0/24
2. Permit source range 10.1.20.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
3. Deny source range 10.1.20.0/24 and destination range 10.0.0.0/8
4. Permit source range 10.1.20.0/24 and any destination address
(implicit) Deny any source address and any destination address

Packet to be tested:
IP header: Protocol: 6, Src: 10.1.20.20, Dst: 10.0.130.115
TCP header: Src: 1052, Dst: 80 … [data]

Match first entry? Yes. Action = Permit

Because the ProCurve University network is well planned, most of the resources needed by the faculty members are on the curriculum server network. This makes it simpler to define access control rules than it would be if faculty resources were distributed across the entire intranet.

In addition to the curriculum servers, the faculty users need access to the Internet and to the email/scheduling application that is distributed across the entire intranet.

Because the registration server is on the curriculum network, faculty members do not need an explicit rule to permit access to that host. Their access to the entire curriculum server network will include the registration server. You would only need to define rules in an ACL for both resources if you needed to deny access to one and permit access to the other.

The slide above shows an example of a specific packet being tested by the inbound ACL, which means the router tests the traffic as it enters the interface.

The first rule provides access to the address range 10.0.130.0/24, which is the network that contains all of the curriculum servers. The router compares relevant portions of the packet to the filtering rule and determines that the source and destination IP addresses match both the source and destination address ranges specified in the rule. The router takes the action associated with the first rule, which is to permit the packet to pass. Every packet the router interface sees that has a source and destination address within the ranges specified by the first rule will be permitted.

The impact of the other rules in this ACL will be described later in this module.

Permit faculty user access to SMTP services

Faculty users can send SMTP traffic to any host in the intranet

Rules in access control list applied to faculty ingress port:
1. Permit source range 10.1.20.0/24 and dest. range 10.0.130.0/24
2. Permit source range 10.1.20.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
3. Deny source range 10.1.20.0/24 and destination range 10.0.0.0/8
4. Permit source range 10.1.20.0/24 and any destination address
(implicit) Deny any source address and any destination address

Packet to be tested:
IP header: Protocol: 6, Src: 10.1.20.20, Dst: 10.0.129.143
TCP header: Src: 1064, Dst: 25 … [data]

Match first entry? No. Match second entry? Yes. Action = Permit

In addition to the curriculum servers, the faculty users need access to the email/scheduling application that is distributed across the entire intranet. Instead of specifying each potential destination host that supports the SMTP-based application, administrators can specify a “permit” rule that specifies TCP port 25 for any destination host in the range 10.0.0.0/8.

In this example, the router is examining an inbound packet on the faculty ingress port. The router compares this packet with the first filtering rule and determines that it does not match. Following well-defined ACL testing procedures, the router compares relevant portions of the packet to the second rule. Because the packet has a destination IP address and destination TCP port that matches the second rule, the router follows the “permit” action associated with the second rule.

Because the first two access control entries both specify resources to be permitted, their relative sequence does not change the overall effect of the ACL.

Deny faculty user access to administrative servers

Faculty users should not have access to administrative servers

Rules in access control list applied to faculty ingress port:
1. Permit source range 10.1.20.0/24 and dest. range 10.0.130.0/24
2. Permit source range 10.1.20.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
3. Deny source range 10.1.20.0/24 and destination range 10.0.0.0/8
4. Permit source range 10.1.20.0/24 and any destination address
(implicit) Deny any source address and any destination address

Packet to be tested:
IP header: Protocol: 6, Src: 10.1.40.40, Dst: 10.0.129.143
TCP header: Src: 1052, Dst: 80 … [data]

Match first entry? No. Match second entry? No. Match third entry? Yes. Action = Deny

The third rule in this ACL causes the router to deny traffic that is destined for any address within the 10.0.0.0/8 network that was not explicitly permitted by the first or second rules in the list.

In this case, a faculty member is trying to access a host on the administrative server network. Identity-based or role-based security probably would limit this user’s access to the server. However, the third rule in the list prevents faculty users from accessing the administrative server network and creating additional congestion.

Because the packet does not match the conditions of the first or second rules, and the destination address does fall within the range specified in the third rule, the router follows the action associated with the third rule, and denies or drops the packet.

Permit faculty user Internet access

Faculty users should have access to the Internet

Rules in access control list applied to faculty ingress port:
1. Permit source range 10.1.20.0/24 and dest. range 10.0.130.0/24
2. Permit source range 10.1.20.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
3. Deny source range 10.1.20.0/24 and destination range 10.0.0.0/8
4. Permit source range 10.1.20.0/24 and any destination address
(implicit) Deny any source address and any destination address

Packet to be tested:
IP header: Protocol: 6, Src: 10.1.40.40, Dst: 15.15.15.150
TCP header: Src: 1066, Dst: 80 … [data]

Match first entry? No. Match second entry? No. Match third entry? No. Match fourth entry? Yes. Action = Permit

This slide shows the logic necessary for permitting Internet access by faculty users. The sequence of the last two rules is crucial. While the third rule denies access to intranet destinations not explicitly permitted by rules that appear earlier in the list, the fourth rule permits access to all Internet destinations; that is, to addresses outside of 10.0.0.0/8. This rule effectively overrides the implicit “deny any” rule.

Access control for student users

Diagram: ProCurve University network (user networks Guests 10.1.10.0/24, Faculty 10.1.20.0/24, Admin 10.1.30.0/24, Students 10.1.40.0/24; resource networks Emp servers 10.0.128.0/24, Admin servers 10.0.129.0/24, Curriculum 10.0.130.0/24 with the registration server at .115; links 10.0.100.0/24 and 10.1.65.0/24 through 10.1.68.0/24; routers R1A, R1B, R1C, R1D; core C1; Internet), highlighting the student network.

Student resource                 Characteristic
Web-based registration server    Host 10.0.130.115 AND TCP port 80
Internet                         All destinations not in 10.0.0.0/8 range

ProCurve University students require access to the Internet and, when they are on campus, to a web-based registration server on the curriculum network. Students should not be able to access any other servers on the curriculum network, nor should they be able to use protocols other than HTTP on the registration server.

The next few pages will describe ACL logic to accomplish these goals.

Permit student access to web registration server

Students have access to only one web server on the curriculum network. They should be denied access to all other servers in the intranet.

Rules in ACL applied to student ingress port:
1. Permit source range 10.1.40.0/24 and dest. host 10.0.130.115 and dest. TCP port 80
2. Deny source range 10.1.40.0/24 and destination range 10.0.0.0/8
3. Permit source range 10.1.40.0/24 and any destination address
(implicit) Deny any source address and any destination address

Packet to be tested:
IP header: Protocol: 6, Src: 10.1.40.40, Dst: 10.0.130.115
TCP header: Src: 1044, Dst: 80 … [data]

Match first entry? Yes. Action = Permit

In this example, a student is sending HTTP traffic to the web registration server. Because the inbound packet on the student ingress port has characteristics that match all of the conditions of the first rule, the router follows the action associated with this rule and permits the packet.

Note that the first rule specifies port 80, the well-known TCP port for HTTP traffic. This ensures that students have only web access to the registration server. The rule could specify a different port number if the application used a custom port or if, for instance, it used Secure Sockets Layer (SSL), which uses well-known port 443.

Deny student traffic destined for administrative servers

The second rule in the list prevents students from sending traffic to any intranet hosts other than the one permitted by the first rule

Rules in ACL applied to student ingress port:
1. Permit source range 10.1.40.0/24 and dest. host 10.0.130.115 and dest. TCP port 80
2. Deny source range 10.1.40.0/24 and destination range 10.0.0.0/8
3. Permit source range 10.1.40.0/24 and any destination address
(implicit) Deny any source address and any destination address

Packet to be tested:
IP header: Protocol: 6, Src: 10.1.40.40, Dst: 10.0.129.143
TCP header: Src: 1048, Dst: 80 … [data]

Match first entry? No. Match second entry? Yes. Action = Deny

In this case, a student is trying to access a host on the administrative server network. The characteristics of the packet shown above do not match with the first rule, so the router compares the packet with the second rule. Because the destination address falls within the range 10.0.0.0/8, the router drops the packet.

Of course, identity- or role-based security probably would prevent this user from accessing the server. However, this ACL provides an additional layer of security and prevents congestion by preventing the students from even sending packets to the administrative server network.

The Access Control Entries (ACEs) are always processed in the order they were created. In the example above, the host address permitted in the first rule is a subset of the address range denied in the second rule. Because traffic destined for the registration server matches both Rule 1 and Rule 2, reversing the sequence of the rules would cause denial of traffic destined for the registration server. This sequence demonstrates a general rule of ACL development. Entries that refer to a more specific address range (i.e. smaller range, longer mask) should precede those that refer to a less specific address range (i.e. larger range, shorter mask).

Student Internet access

Traffic with destinations outside 10.0.0.0/8 is permitted because it matches the third rule

Rules in ACL applied to student ingress port:
1. Permit source range 10.1.40.0/24 and dest. host 10.0.130.115 and dest. TCP port 80
2. Deny source range 10.1.40.0/24 and destination range 10.0.0.0/8
3. Permit source range 10.1.40.0/24 and any destination address
(implicit) Deny any source address and any destination address

Packet to be tested:
IP header: Protocol: 6, Src: 10.1.40.40, Dst: 15.15.15.15
TCP header: Src: 1052, Dst: 80 … [data]

Match first entry? No. Match second entry? No. Match third entry? Yes. Action = Permit

Most traffic that originates in the student user network is destined for the Internet. Accordingly, all traffic that has a destination address outside the 10.0.0.0/8 range matches with the third rule and is permitted.

The destination address range specified in Rule 2 is a subset of the address range specified in Rule 3. If these rules were reversed, and the entry with the larger range appeared earlier in the list than the entry with the smaller range, students would be able to send traffic to all intranet destinations as well as the Internet destinations allowed by the university’s security policy.
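The first-match evaluation walked through on the faculty slides and the ordering rule illustrated by the student ACL, as an added example that is not code from the student guide: a small evaluator holding both ACLs, with a swap helper that shows what happens when the student ACL's entries 1 and 2, or 2 and 3, trade places. The Packet and Rule types, the function names and the sample packets are my own constructions; the address ranges and ports are the ones on the slides.

```python
"""First-match ACL evaluator for the ProCurve University rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    """The header fields an ACL looks at, as on the 'Packet to be tested' slides."""
    src: str
    dst: str
    proto: int = 6       # IP protocol number; 6 = TCP
    dport: int = 0       # destination TCP/UDP port, 0 when not relevant


@dataclass(frozen=True)
class Rule:
    """One access control entry: an action plus match criteria (None = any)."""
    action: str                  # "permit" or "deny"
    src: str                     # source address range, CIDR
    dst: str                     # destination address range, CIDR
    proto: Optional[int] = None  # IP protocol number, or None for any
    dport: Optional[int] = None  # destination port, or None for any

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(acl, pkt):
    """Test a packet against the entries in order and stop at the first match.

    Returns (action, entry_number); entry_number is None when no explicit entry
    matched and the implicit "deny any" at the end of the list took effect.
    """
    for number, rule in enumerate(acl, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return "deny", None


# Faculty ingress ACL, in the order given on the slides.
FACULTY_ACL = [
    Rule("permit", "10.1.20.0/24", "10.0.130.0/24"),                  # curriculum servers
    Rule("permit", "10.1.20.0/24", "10.0.0.0/8", proto=6, dport=25),  # SMTP anywhere in the intranet
    Rule("deny",   "10.1.20.0/24", "10.0.0.0/8"),                     # everything else in the intranet
    Rule("permit", "10.1.20.0/24", "0.0.0.0/0"),                      # Internet
]

# Student ingress ACL: the /32 host entry must precede the /8 deny.
STUDENT_ACL = [
    Rule("permit", "10.1.40.0/24", "10.0.130.115/32", proto=6, dport=80),  # registration server, HTTP only
    Rule("deny",   "10.1.40.0/24", "10.0.0.0/8"),                          # rest of the intranet
    Rule("permit", "10.1.40.0/24", "0.0.0.0/0"),                           # Internet
]


def swap(acl, a, b):
    """Return a copy of the ACL with entries a and b (1-based) exchanged."""
    copy = list(acl)
    copy[a - 1], copy[b - 1] = copy[b - 1], copy[a - 1]
    return copy


if __name__ == "__main__":
    # Constructed packets matching the slides' examples.
    to_registration = Packet("10.1.40.40", "10.0.130.115", 6, 80)
    to_admin_server = Packet("10.1.40.40", "10.0.129.143", 6, 80)
    print(evaluate(STUDENT_ACL, to_registration))              # ('permit', 1)
    print(evaluate(swap(STUDENT_ACL, 1, 2), to_registration))  # ('deny', 1)
    print(evaluate(swap(STUDENT_ACL, 2, 3), to_admin_server))  # ('permit', 2)
```

A packet whose source is outside the ACL's own user range (a guest address arriving on the faculty port, say) matches no explicit entry and falls through to the implicit deny, which the evaluator reports with entry number None.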

Access control for admin users

Diagram: ProCurve University network (user networks Guests 10.1.10.0/24, Faculty 10.1.20.0/24, Admin 10.1.30.0/24, Students 10.1.40.0/24; resource networks Emp servers 10.0.128.0/24, Admin servers 10.0.129.0/24, Curriculum 10.0.130.0/24 with the registration server at .115; links 10.0.100.0/24 and 10.1.65.0/24 through 10.1.68.0/24; routers R1A, R1B, R1C, R1D; core C1; Internet), highlighting the admin network.

Admin resource                   Characteristic
Admin and HR servers             Range 10.0.129.0/24
Web-based registration server    Host 10.0.130.115 AND TCP port 80
Email/scheduling                 Range 10.0.0.0/8 AND TCP port 25
Internet                         All destinations not in 10.0.0.0/8 range

Administrative users at ProCurve University require the following access to resources:

1. The network that contains administrative and HR servers

2. Web-based registration server (but not the entire curriculum network)

3. Email/scheduling application

4. Internet

The next few pages will present the logic for an ACL to permit this access while denying access to other resources.

Permit admin user access to web registration server

Rules in ACL applied to admin ingress port:
1. Permit source range 10.1.30.0/24 and dest. range 10.0.129.0/24
2. Permit source range 10.1.30.0/24 and dest. host 10.0.130.115 and dest. TCP port 80
3. Permit source range 10.1.30.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
4. Deny source range 10.1.30.0/24 and destination range 10.0.0.0/8
5. Permit source range 10.1.30.0/24 and any destination address
(implicit) Deny any source address and any destination address

Packet to be tested:
IP header: Protocol: 6, Src: 10.1.30.30, Dst: 10.0.130.115
TCP header: Src: 1036, Dst: 80 … [data]

Match first entry? No. Match second entry? Yes. Action = Permit

In this example, a user from the administrative network is attempting to access the web registration server. The characteristics of the inbound packet being tested do not match with the first rule in the ACL, but they do match with the second rule. The packet is permitted.

Permit admin access to HR and admin servers

Rules in ACL applied to admin ingress port:
1. Permit source range 10.1.30.0/24 and dest. range 10.0.129.0/24
2. Permit source range 10.1.30.0/24 and dest. host 10.0.130.115 and dest. TCP port 80
3. Permit source range 10.1.30.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
4. Deny source range 10.1.30.0/24 and destination range 10.0.0.0/8
5. Permit source range 10.1.30.0/24 and any destination address
(implicit) Deny any source address and any destination address

Packet to be tested:
IP header: Protocol: 6, Src: 10.1.30.30, Dst: 10.0.129.143
TCP header: Src: 1042, Dst: 80 … [data]

Match first entry? Yes. Action = Permit

In this example, the user is permitted access to a host on the administrative server network. The first rule in the ACL permits access to any host in the range 10.0.129.0/24.

Like the ACL applied to the faculty ingress port, this ACL contains a rule that provides access to the email/scheduling application. Because the admin users need access to the web registration server, this ACL also contains a rule that provides access to that resource. In fact, the first three rules in the ACL could be entered in any order because they all specify the “permit” action. However, the rule that permits access to the administrative network is placed first because that is the resource most frequently accessed by these users.

Because admin users need Internet access, the final explicit entry in the ACL applied to their ingress port overrides the implicit “deny any” entry.

Access control for guests

Diagram: ProCurve University network (user networks Guests 10.1.10.0/24, Faculty 10.1.20.0/24, Admin 10.1.30.0/24, Students 10.1.40.0/24; resource networks Emp servers 10.0.128.0/24, Admin servers 10.0.129.0/24, Curriculum 10.0.130.0/24 with the registration server at .115; links 10.0.100.0/24 and 10.1.65.0/24 through 10.1.68.0/24; routers R1A, R1B, R1C, R1D; core C1; Internet), highlighting the guest network.

Guest resource    Characteristic
Internet          All destinations not in 10.0.0.0/8 range

Because guests only have access to the Internet, the ACL applied to their ingress port is quite simple.

Deny guest access to intranet destinations

Guest users are denied access to any host in the 10.0.0.0/8 address range

Rules in ACL applied to guest ingress port:
1. Deny source range 10.1.10.0/24 and destination range 10.0.0.0/8
2. Permit source range 10.1.10.0/24 and any destination address
(implicit) Deny any source address and any destination address

Packet to be tested:
IP header: Protocol: 6, Src: 10.1.10.10, Dst: 10.0.130.115
TCP header: Src: 1052, Dst: 80 … [data]

Match first entry? Yes. Action = Deny

The ACL applied to the guest ingress port has only two rules. The first denies traffic with a destination within the 10.0.0.0/8 range, and the second, shown on the next page, permits traffic with a destination address outside that range.

Permit guest access to Internet destinations

Guest users are permitted access to hosts outside the 10.0.0.0/8 address range

Rules in ACL applied to guest ingress port:
1. Deny source range 10.1.10.0/24 and destination range 10.0.0.0/8
2. Permit source range 10.1.10.0/24 and any destination address
(implicit) Deny any source address and any destination address

Packet to be tested:
IP header: Protocol: 6, Src: 10.1.10.10, Dst: 15.15.15.15
TCP header: Src: 1052, Dst: 80 … [data]

Match first entry? No. Match second entry? Yes. Action = Permit

Guest packets destined for networks outside the range of 10.0.0.0/8 match the second rule and are permitted.

Module 4 summary

In this module, you learned:
• How ACLs enhance network security
• Criteria that can be used as the basis for ACLs
• How to plan for effective ACLs
• General rules for the development of effective ACLs

Module 4 of IP Routing Foundations described the theory underlying the development of effective ACLs. Using the physical security requirements of a hospital as an analogy, the module showed how ACLs can enhance the security of network resources, including resources such as servers that are already protected by passwords and other measures. The module also showed the criteria, including IP, TCP, and UDP header fields, that can be used as a basis for ACL development. Finally, the module presented rules and techniques for planning and developing effective ACLs.

Learning check Module 4

1. Name three criteria that can be used to specify traffic for special handling in an ACL.

2. What is the implied “deny any” rule?

3. In an ACL, why should a more specific (longer mask) rule precede the less specific (shorter mask) rule?


Learning Check Answers


Module 1 learning check

1. What are the four types of router interfaces?

a. physical, created by assigning a mask and IP address to a physical port

b. virtual, associates an IP address and mask with a VLAN

c. loopback, assigns IP address and mask to interface not associated with any physical port

d. multinetted, assigns two or more IP addresses and masks to a physical, virtual, or loopback interface

2. What is the difference between an Interior Gateway Protocol and an Exterior Gateway Protocol?

Interior Gateway Protocols (IGP) involve communication among routers that are under common administrative control and use the same protocol for exchanging information; that is, in the same autonomous system. Exterior Gateway Protocols (EGP) involve communication among routers that are under different administrative control; that is, in different autonomous systems.

3. Name and describe one important disadvantage of RIP.

Changes in routing topology often propagate slowly (in comparison to OSPF) because information in each router’s table is acquired from routers as many as 15 hops away.

4. What is “Split Horizon”?

Advertisements a router sends onto a network do not include the address ranges for which the next hop is on that network.

5. What is network summarization and why is it necessary?

Network summarization replaces many individual, specific network advertisements with a single statement that specifies a larger range of addresses using a shorter mask. It is necessary because, without it, every router must store and advertise every individual network, so route tables and routing updates grow with the number of networks in the internetwork.

6. What is “poisoned reverse”?

Poisoned Reverse is a variation of Split Horizon that can help speed convergence in meshed networks. Instead of omitting the routes that Split Horizon rules exclude from the advertisement, the router poisons those routes by advertising them with a metric of 16, which RIP treats as unreachable. This makes it impossible for the router receiving the advertisement to consider the sender as a valid next hop toward the poisoned address ranges.
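The Split Horizon, Poisoned Reverse and summarization answers above describe what a RIP router leaves out of, or deliberately poisons in, the update it sends on each interface. The following is an added example written for this guide, not code from the course or from HP; the routing table, the interface names (vlan10, vlan20) and the address ranges are constructed for illustration and are not the course scenario.

```python
"""Added example, not from the ProCurve guide: how a RIP router composes the
update it sends out of each interface under plain split horizon and under
poisoned reverse, and how several specific networks are summarized into one
shorter-mask advertisement.

The routing table, interface names and address ranges below are constructed
for illustration and are not the course scenario.
"""
import ipaddress
from typing import List, Tuple

RIP_INFINITY = 16  # RIP metric that means "unreachable"

# Constructed routing table: (network, metric, interface the next hop is on).
# Directly connected networks carry metric 1.
ROUTE_TABLE: List[Tuple[str, int, str]] = [
    ("10.1.10.0/24", 1, "vlan10"),   # connected
    ("10.1.20.0/24", 1, "vlan20"),   # connected
    ("10.2.0.0/24",  2, "vlan20"),   # learned from a neighbor on vlan20
    ("10.2.1.0/24",  2, "vlan20"),   # learned from the same neighbor
    ("10.3.0.0/16",  3, "vlan10"),   # learned from a neighbor on vlan10
]


def rip_update(route_table: List[Tuple[str, int, str]], out_iface: str,
               poisoned_reverse: bool = False) -> List[Tuple[str, int]]:
    """Build the (network, metric) pairs advertised out of ``out_iface``.

    Split horizon: a route whose next hop is reached through ``out_iface``
    is left out of the update sent on that interface.
    Poisoned reverse: the same route is included, but with metric
    RIP_INFINITY, so the neighbor can never choose this router as its next
    hop toward that network. Every other route is advertised with its
    metric incremented by one hop, capped at RIP_INFINITY.
    """
    update = []
    for network, metric, iface in route_table:
        if iface == out_iface:
            if poisoned_reverse:
                update.append((network, RIP_INFINITY))
            continue  # plain split horizon: say nothing about this route
        update.append((network, min(metric + 1, RIP_INFINITY)))
    return update


def summarize(networks: List[str]) -> str:
    """Return the smallest single prefix that covers every network given.

    This is the calculation behind network summarization: the bits shared by
    the lowest and highest covered addresses become the summary's (shorter)
    mask. Note the summary may also cover addresses that none of the input
    networks actually use.
    """
    nets = [ipaddress.ip_network(n) for n in networks]
    low = min(int(n.network_address) for n in nets)
    high = max(int(n.broadcast_address) for n in nets)
    prefixlen = 32 - (low ^ high).bit_length()
    return str(ipaddress.ip_network((low, prefixlen), strict=False))


if __name__ == "__main__":
    print(rip_update(ROUTE_TABLE, "vlan10"))
    print(rip_update(ROUTE_TABLE, "vlan10", poisoned_reverse=True))
    print(summarize(["10.2.0.0/24", "10.2.1.0/24"]))   # 10.2.0.0/23
```

Run with the update sent on vlan10: under plain split horizon the two routes whose next hop is on vlan10 are simply absent, so a neighbor that loses its own path to 10.3.0.0/16 has nothing to say about it until a timeout; under poisoned reverse the same two routes arrive with metric 16, which the neighbor can act on immediately. The summarization caveat matters for security as much as for efficiency: summarize(["10.1.10.0/24", "10.1.20.0/24"]) yields 10.1.0.0/19, which also attracts traffic for the unused /24s in that range toward the advertising router.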


Module 2 learning check

1. Name the two types of OSPF networks.

a. Transit networks have two or more connected routers. As such, they are potential paths for traffic that originates within or is destined for some other network.

b. Stub networks have only one router. They are considered stubs because there is only one point of entry (router) to the network. Traffic that neither originates in nor is destined for the stub network is never forwarded through it.

2. Define the following:

ABR: A router with an interface in the backbone and in at least one other area.

ASBR: A router that redistributes routes learned outside OSPF (static routes or routes from another routing protocol) into OSPF. It generates an AS External LSA for each such non-OSPF network.

3. Describe the process by which OSPF routers form adjacencies.

a. Exchange Hello messages

b. Two-way neighbor recognition

c. DR election (on multi-access networks)

d. Exchange database descriptions

e. Request and exchange link state packets

f. Update link state databases

4. What types of OSPF LSAs are confined to a single area and how are they used?

Router LSAs and Network LSAs are confined to a single area. Every OSPF router originates a Router LSA describing its own links in the area and re-originates it when the state of a link changes. The DR on each multi-access network originates a Network LSA listing the routers attached to that network.

5. What techniques enable administrators to limit the size of OSPF link-state databases and enhance routing efficiency?

Make sure areas are not too large and do not contain too many routers, so that each router's link-state database covers only its own area. Use network summarization at the ABRs so that only summary advertisements, rather than every individual network, cross area boundaries.


Module 3 learning check

1. Why is Spanning Tree an incomplete solution for redundancy in a routed network?

Spanning Tree ensures link redundancy, but does not address issues that can arise when hosts lose contact with their default gateways.

2. Name the technologies for default gateway redundancy that are supported by ProCurve switches.

a. VRRP (9300m)

b. VRRPE (9300m)

c. XRRP (3400cl/5300xl)

3. How is the Master router determined in a VRRP implementation?

The Owner of the shared IP address is the Master for each VRID. If the Owner is unavailable, the Backup router configured with the highest priority becomes Master until the Owner returns.

4. How does VRRPE differ from VRRP?

VRRPE is a proprietary enhancement of VRRP available on the 9300m. In VRRPE, there is no IP address Owner. Instead, the Master for each VRID is the router configured with the highest priority. The virtual IP address is configured by the administrator.


Module 4 learning check

1. Name three criteria that can be used to specify traffic for special handling in an ACL.

a. source address

b. destination address

c. TCP or UDP port number

2. What is the implied “deny any” rule and why is it necessary?

The implied “deny any” rule is the last rule in every ACL. It implicitly denies all traffic that was not explicitly permitted by a rule that appears earlier in the list. It is necessary because an ACL only protects resources if everything it does not explicitly allow is blocked; without it, a packet that matched no rule would simply be forwarded.

3. In an ACL, why should a more specific (longer mask) rule precede the less specific (shorter mask) rule?

Because the rules in an ACL are processed in the order in which they were entered, and the switch stops processing the ACL at the first rule that matches. If the less specific (shorter mask) rule comes first, it also matches every packet the more specific (longer mask) rule was written for, so the more specific rule is never reached.
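The first-match evaluation shown on the “Permit guest access to Internet destinations” slide in Module 4, together with the implicit deny in answer 2 and the ordering rule in answer 3 above, can be reproduced in a few lines. The following is an added example written for this guide, not code from the course or from HP, and its rule and packet representations are this example's own, not switch CLI syntax. The guest range 10.1.10.0/24, the internal range 10.0.0.0/8 and the test packet are the slide's; the internal web server address 10.1.30.80 is an assumption used only to show the ordering problem.

```python
"""Added example, not from the ProCurve guide: a first-match ACL evaluator.

It reproduces the evaluation on the "Permit guest access to Internet
destinations" slide (ordered rules, stop at the first match, implicit deny
any) and shows why a more specific rule must precede a less specific one.
Rule and packet representations are this example's own; they are not
switch CLI syntax. The web server address 10.1.30.80 is assumed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network       # source address range
    dst: ipaddress.IPv4Network       # destination address range
    protocol: Optional[int] = None   # IP protocol number; None matches any
    dst_port: Optional[int] = None   # TCP/UDP destination port; None matches any

    def matches(self, pkt: dict) -> bool:
        """True when every field this rule constrains is satisfied by pkt."""
        return (pkt["src"] in self.src
                and pkt["dst"] in self.dst
                and self.protocol in (None, pkt["protocol"])
                and self.dst_port in (None, pkt.get("dst_port")))


def packet(src: str, dst: str, protocol: int = 6,
           src_port: Optional[int] = None, dst_port: Optional[int] = None) -> dict:
    """The header fields an ACL can test: IP protocol, addresses, TCP/UDP ports."""
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "protocol": protocol, "src_port": src_port, "dst_port": dst_port}


def evaluate(acl: List[Rule], pkt: dict) -> Tuple[str, Optional[int]]:
    """Walk the ACL top to bottom and stop at the first rule that matches.

    Returns (action, index of the matching rule). Index None means no rule
    matched and the implicit "deny any source, any destination" applied.
    """
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indices of rules that can never be reached.

    A rule is shadowed when some earlier rule matches every packet it would
    match, whatever the two actions are. A shorter-mask rule placed ahead of
    a longer-mask rule for the same traffic is the classic case.
    """
    shadowed = []
    for index, rule in enumerate(acl):
        for earlier in acl[:index]:
            if (rule.src.subnet_of(earlier.src)
                    and rule.dst.subnet_of(earlier.dst)
                    and earlier.protocol in (None, rule.protocol)
                    and earlier.dst_port in (None, rule.dst_port)):
                shadowed.append(index)
                break
    return shadowed


# The slide's ACL on the guest ingress port: keep guests off 10.0.0.0/8 and
# let them reach anything else. The implicit deny is not written down.
GUEST_ACL = [
    Rule("deny", net("10.1.10.0/24"), net("10.0.0.0/8")),
    Rule("permit", net("10.1.10.0/24"), ANY),
]

# Assumed extension: guests may also reach one internal web server
# (10.1.30.80, an assumed address) on TCP port 80. The /32 rule must come
# before the /8 deny or it is never consulted.
WEB_SERVER_RULE = Rule("permit", net("10.1.10.0/24"), net("10.1.30.80/32"),
                       protocol=6, dst_port=80)
WRONG_ORDER = [GUEST_ACL[0], WEB_SERVER_RULE, GUEST_ACL[1]]
RIGHT_ORDER = [WEB_SERVER_RULE, GUEST_ACL[0], GUEST_ACL[1]]


if __name__ == "__main__":
    slide_packet = packet("10.1.10.10", "15.15.15.15", protocol=6,
                          src_port=1052, dst_port=80)
    print(evaluate(GUEST_ACL, slide_packet))                        # ('permit', 1)
    print(evaluate(GUEST_ACL, packet("10.1.10.10", "10.1.20.5")))    # ('deny', 0)
    print(evaluate(GUEST_ACL, packet("10.1.20.5", "15.15.15.15")))   # ('deny', None)
    web = packet("10.1.10.10", "10.1.30.80", dst_port=80)
    print(shadowed_rules(WRONG_ORDER), evaluate(WRONG_ORDER, web))   # [1] ('deny', 0)
    print(shadowed_rules(RIGHT_ORDER), evaluate(RIGHT_ORDER, web))   # [] ('permit', 0)
```

The third GUEST_ACL case is the implicit deny at work: a packet from a non-guest source matches neither written rule, so it is dropped even though nothing in the list names it. The shadowed_rules check is the test to run before applying an ACL: with the /8 deny ahead of the /32 permit, the permit is reported as unreachable and the web request is denied by rule 0; with the order corrected, no rule is shadowed and the same request is permitted by rule 0 while everything else internal still hits the /8 deny.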


For further information, please visit our Web site at:

www.procurve.com

© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.