Blog Posts in October 2008
Every now and then I feel the need to write a very basic article, explaining the foundations and getting the terminology straight. Today I’m trying to explain the control and data planes in a router (or a layer-3 switch, depending on your marketing bias). Your opinions, fixes, corrections and all other comments are most welcome.
Update: This challenge is closed, see the final results (November 4th 2008).
Assuming you have the following configurations on R1 and R2:
What IP address can you use on the loopback interface of R1 to establish adjacency between R1 and R2? Can you use more than one IP address?
This challenge was triggered by a comment uri wrote on the “OSPF ignores subnet mask mismatch on point-to-point links” post, claiming that you cannot mix numbered and unnumbered interfaces in OSPF.
I’ve received several e-mails responding to the mismatched OSPF subnet challenge. Some of the readers claimed that the configuration would work as-is; if you were one of them, I would advise you do some lab test the next time. A few of the respondents also noted that it was more a review question than a challenge (since I’ve been writing about this topic a few days back) and everyone who decided the configuration has to be fixed has provided the correct solution: you have to configure the Fast Ethernet as a point-to-point OSPF interface and the routers stop complaining about the OSPF subnet mask mismatch.
Unfortunately, someone decided to prevent everyone else from having real fun figuring out the solution and posted the solution as a comment to my post almost immediately after I wrote it (but I’m positive that those readers that sent me e-mails did not read that comment first). Lesson learned: the next time I’ll disable comments in the challenges.
One of my readers made an interesting observation in response to my “Knowledge or recipes” post: maybe network associates need recipes more than knowledge. My first reaction was to disagree; in my understanding, technicians work with recipes, engineers need to know what they’re doing and why. But then I tried to figure out what the term “networking associate” really means.
Jeremy Stretch has been extremely active in the CT3 wiki in last few days, writing about OSPF inter-area routing and various aspects of PIM. His articles cover the basics of PIM, principles of PIM dense mode, more detailed overview of PIM sparse mode and a hint what Bidirectional PIM is.
We've been discussing basic OSPF operations in the NIL forum. If you're aware of any good online resource explaining OSPF basics, SPF algorithm, the resulting SPF tree and the OSPF cost calculation, I would appreciate if you could post the link(s); preferably in the forum or as a comment to this post. If it turns out there's nothing really useful (which I doubt) I could write something, but I would rather spend time on more advanced (but probably less popular :) topics.
A while ago I've got an interesting question from one of the readers:
I'd like to be able to configure a set of routers to only be manageable from each other. Something like an access-class matching minimum packet TTL would probably be good enough, better if some connected routes could be tagged and access granted based on that. The idea is to keep router-by-router logins in case of routing problems, without opening up access too widely.
I did a few tests with IOS release 12.4(15)T and neither access-class nor control-plane policing recognizes the TTL field in ACL (various bits and pieces of IOS use the same data structures in different procedures, thus resulting in inconsistent behavior). Alternatively, you could deploy inbound access lists on all interfaces, but this is probably way too cumbersome to manage.
The best you can do without going into weird solutions is to allocate router loopback interfaces and inter-router links from a tightly controlled address space and only allow telnet from that address space (while at the same time filtering IP packets pretending to come from that same address space on the perimeter of your network). As the IOS supports extended access lists in the access-class line configuration command, you could allow SSH from a wider set of IP addresses and limit Telnet to the address range allocated to inter-router links.
This feature might come handy if you're trying to figure out who's attacking your application servers (when the TCP session has already been established). Denial-of-service attacks commonly use fake source IP addresses.
The assignment of router’s interfaces into OSPF areas should be a non-issue these days, but for whatever reason some of the students I’m mentoring still use the ridiculous practice that was promoted in older learning materials: a separate network statement using IP subnet and inverse subnet mask for every single interface. I’ve documented what I consider to be best practices in the “OSPF area configuration best practices” article in the CT3 wiki. If you disagree with my opinion, please feel free to edit my article or share your thoughts in a comment to this post.
A few days after my “Knowledge or Recipes” post, Greg Ferro started his “Experience or Certifications” series with a radical “I would always choose certification over experience” approach that quickly moderated into “Knowledge is more fundamental than experience … but you need both”. It’s nice to see someone else thinking along the same lines as yourself.
Update: This challenge is closed, see the final results (October 29th 2008).
You could get something like this only in a CCIE lab (I would hope): R1 and R2 should establish OSPF adjacency, but you cannot change or remove any of the existing configuration commands (you can add new commands).
A while ago cciepursuit described his problems with PPP-over-Frame Relay. Very probably his problems were caused by a static IP address assigned to the virtual template interface (this address gets cloned to all virtual access interfaces and IOS allows you to have the same IP address on multiple WAN point-to-point links). I recreated very similar (obviously seriously broken) scenario in my lab using point-to-point subinterfaces over Frame Relay to simplify the setup.
This is not something you’d want to do in your production network.
The common wisdom says that the subnet mask mismatch will stop the OSPF adjacency from forming (I’ve included a sample debugging printout in yesterday’s post). In reality, the subnet mask is checked only on the multi-access interfaces and is ignored on point-to-point links. The source of this seemingly weird behavior is Section 10.5 of RFC 2328 which says:
The generic input processing of OSPF packets will have checked the validity of the IP header and the OSPF packet header. Next, the values of the Network Mask, HelloInterval, and RouterDeadInterval fields in the received Hello packet must be checked against the values configured for the receiving interface. Any mismatch causes processing to stop and the packet to be dropped. In other words, the above fields are really describing the attached network's configuration. However, there is one exception to the above rule: on point-to-point networks and on virtual links, the Network Mask in the received Hello Packet should be ignored.
Troubleshooting OSPF adjacencies can be a nightmare: if you’ve misconfigured the OSPF interface parameters (the timers or the subnet mask), the adjacency will not form, but the router will not tell you why. The only mechanism you can use to detect the mismatch is the debug ip ospf hello command … just don’t try to use it on a console session of a router running OSPF across hundreds of interfaces.
The OSPF hello event debugging does not display OSPF packets received from a different subnet. If you configure mismatched IP subnets (not the subnet mask) on adjacent routers, you will not see any received hello packets.
To limit the debugging outputs to a single interface, use the debug interface command.
Several comments I’ve received in response to my “Knowledge or recipes” post were slightly resigned, leading me to the unfortunate conclusion that you all gave up and decided to live with the current state of the IT training business. But you can do something about it – go out and vote!
I’m constantly receiving interesting OSPF-related queries. Obviously the many hidden details of the OSPF specs result in slightly unexpected behavior and constant amazement of engineers studying OSPF. During this week, I’ll focus on a few interesting OSPF intricacies.
Let’s start with an easy one: I’ve already described how you can use the show ip ospf interface brief command if you want to display the OSPF interface status (including the interface area, OSPF cost, link type and router status on broadcast links). Unfortunately, this command does not allow you to specify the OSPF process ID and displays interfaces belonging to all OSPF processes (if you run multiple OSPF processes on the router).
- Greg Ferro published some great thoughts on certifications versus experience. While a lot of people tend to disagree with him (at least a bit ... myself included), he has some very good points.
- Joe Harris posted the "IOS order of operation" list. Unfortunately it looks incorrect; I'm positive that in some cases NAT looks at the packet (and creates the translation) even if the inbound ACL drops it.
- Anyone who has ever been involved in security must read Security Maxims from Roger Johnston (hat tip to Bruce Schneier).
- I got promoted to holy cows. At least I have good company. BTW, if you're concerned about the security of your switch configuration, check what NSA has to say about it.
- Thinking problem management has a great post explaining why you need service documentation.
- Ethan Banks is back and writes about RGEs (Resume Generating Events).
- Anthony Sequeira writes about transparent firewall on ASA/PIX.
I've got a simple question recently: “Can I run MPLS on a VLAN interface on 7600?” My initial response was “Sure, why not.”, as I knew we've deployed MPLS in 7600-based networks and there should be no significant difference between a routed port and a VLAN interface on a 7600 (this box treats everything as a VLAN internally).
It turned out the problem was "a small detail" that's not advertised in any 7600-related MPLS marketing material on Cisco web site: you need Advanced IP Services software to run MPLS. To make matters worse, the only mention of 7600-series devices in the Cisco IOS Packaging Product Bulletin I've finally found within the 7600 routers product literature is in the first marketing slide.
My "IP QoS: Two generations of class-of-service tools" article published by SearchTelecom gives you a very high-level overview of IntServ and DiffServ approaches to IP QoS as well as brief description of various DiffServ tools.
Once upon a time, AAA command authorization in Cisco IOS queried the TACACS+ server for every single command a user entered. Rules have changed drastically in the meantime (at least for IOS release 12.4):
- Non-privileged show commands are executed without TACACS+ authorization. Privileged show commands (show running or show archive log config) are still authorized.
- Some commands that can be executed in non-privileged (aka disable) mode (enable, disable, help, logout) are authorized only if you configure aaa authorization commands 0 methods regardless of the current privilege level.
- Other commands (for example, ping) are authorized based on the current privilege level.
For example, if you’ve configured AAA command authorization only for privilege level 15, the ping command will be authorized if you’re working in enable mode, but not otherwise.
- Command authorization is not performed on console unless you’ve configured aaa authorization console.
When configuring MPLS Traffic Engineering in your network, you have to specify the amount of bandwidth that the MPLS TE tunnels can request on each MPLS TE-enabled interface with the ip rsvp bandwidth command.
Until recently, this command accepted only fixed bandwidth (in kilobits), which could be pretty inconvenient if you wanted to use common interface templates or deployed MPLS TE on links with varying bandwidth (for example, Multilink PPP bundles). IOS release 12.2SRC introduced a variant of the same command (ip rsvp bandwidth percentage) that allows you to specify reservable bandwidth as percentage of the current interface bandwidth. Unfortunately this feature didn’t make it into 12.4(20)T.
Today I read your article about scaling EIGRP using stub routers. I was wondering whether you can use the leak map only for routes learned from other EIGRP neighbors? Is it also usable to filter connected routes?Leak-map controls what its name implies: the leakage of routes received from EIGRP neighbors to other EIGRP neighbors. To filter connected prefixes redistributed into EIGRP, use the route-map on redistribute connected command. The only way I've figured out to filter announcements of directly connected networks that are part of the EIGRP process is the distribute-list out command.
When the local Telco installed my blindingly fast 20 Mbps Internet-over-fiber-cable service, I was expecting to use DHCP on the router’s outside interface to connect to the Internet. After all, they’re running switched Ethernet VLANs over the fiber cable, and using DHCP seemed a logical choice. Imagine my surprise when I had to configure PPP-over-Ethernet (PPPoE) – it was as if I would be using a DSL connection, not a fiber-optic cable.
The IINS course is the recommended training for the CCNA Security certification.
Let’s conclude the RIP week with an interesting observation made by Yuri Selivanov: when using MD5 authentication with RIP, Cisco routers send 532-byte UDP datagrams while Juniper routers send 512-byte UDP datagrams. The maximum number of route entries (RTE) in a RIP datagram and its size thus varies based on authentication mechanism and router software:
|Authentication type||Cisco IOS||JunOS|
Somehow people expect RIP datagrams to be at most 512 bytes long, which (as you can see from the table) is not always the case.
I've joined LinkedIn a while ago and it was a great tool to get back in touch with my friends and business partners, but it has limited features (for example, I would like to get something similar to my About page). I'm also wondering whether to start experimenting with MySpace or Facebook and I want to take in account what you're using, so it will be easier to get in touch (I always hate registering at yet-another-site). So, any experience you are willing to share will be really appreciated.
The moment I wrote “RIP summary routes are not present in the IP routing table” in the RIP Route Database article in the CT3 wiki, I knew it was a recipe for disaster. It’s OK not to advertise what you use (we call this route filters); advertising something you don’t use yourself is slightly stupid.
It didn’t take me long (after I found a few minutes of spare time) to come up with a scenario where RIP interface summary creates a nice routing loop.
Yesterday I’ve introduced a scenario where RIP would (in my opinion) work much better than OSPF. If you were not persuaded by the “management-level” arguments, let’s focus on the technical details (but make sure you read the scenario first).
All you ever want to advertise to the remote sites in this design is the default route (or a network-wide summary). Alternatively, you might want to advertise only a route to a central LAN or server. Both requirements are easily met with RIP per-interface output filters. Doing something similar with OSPF is close to impossible. Either you place every remote site into a separate OSPF area (don’t even think about doing it; there could be hundreds of sites) or the routes within an area will leak between the remote sites.
RIP is also more stable than OSPF in this setup. Whenever a remote site disappears, the change in the OSPF area is unnecessarily propagated to all other remote sites in the same area. RIP doesn’t react at all; the output route filter at the central site stops all unnecessary updates.
As you know, OSPF requires hello packets and adjacencies to work properly. The central hub router must therefore track the adjacency states of hundreds of neighbors. When using RIP, the central router couldn’t care less … it sends out its routes every so often, collects whatever comes back and reports when a new remote route is received or an old one disappears.