13881_06_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 1
Deploying Interior Gateway Protocols
TECRST-2021
Deploying Interior Gateway Protocols
Design Theory
Working with Addressing and Summarization
Working with Hierarchy
Working with Topologies
Working with Redistribution
Transitioning Routing Protocols
BGP
Design Theory
Design Theory
Design Goals
Resiliency
Simplicity
Functional Separation
Hiding Reachability
Hiding Topology
Virtualization
“… a reliable network delivers virtually every packet accepted by the network, to the right destination, within a reasonable amount of time …”
Design Goals
Networks deliver packets!
A network is judged on its ability to support applications
All the other elements of network design support this single goal
[Diagram: Deliver Packets -> Adjust to Real World Changes (Device Failure, Business Changes) -> Resiliency (Reliability) -> Reduced Downtime, through Fast Recovery (Simplicity) and Fast Troubleshooting (Functional Separation)]
Design Goals
Another view of network design is to determine why networks fail
[Diagram: Network Failure]
Notes on OPEX
Notes on OPEX
Resiliency
  Manages the costs of downtime
Simplicity
  Manages the costs of monitoring and changing the network
  Manages the costs of downtime
Functional Separation
  Manages the costs of monitoring and changing the network
  Manages the costs of downtime
Design Goals
Provides alternate paths to route around failures
Resiliency
Resiliency
What Are You Planning For?
Resiliency
Statistical Analysis
It's Important to Understand:
  Mean Time Between Failures (MTBF)
    How long the device or system runs before failing
  Uptime, or Reliability
    How many “9's”
    Total Time/(MTBF+MTTR)
Resiliency
Functional Separation
Break failure domains apart
  A single failure impacts less of the network
Improves Troubleshooting
  Troubleshooting is split and test
  Splitting the failure domain presplits the troubleshooting domains
  Decreases MTTR
Resiliency
Redundancy
The simplest path to increased resiliency is adding redundancy...
Not so fast!
Resiliency must be balanced against simplicity and functional separation
Redundancy doesn't always add resiliency
[Diagram: routers A and B with parallel links towards 10.1.1.0/24]
“Could I explain this at 2AM to a TAC Engineer who lives halfway across the world?”
Simplicity
Simplicity Encompasses:
  Network Design
    Covered throughout the remainder of this presentation
  Management Simplicity
  Configuration Simplicity
Simplicity
Configuration Simplicity
Choose the simplest configuration that will do the job
Choose the easier configuration to change in the future
Choose the configuration that contains the intent
Examples
  Use prefix lists for route filtering, rather than access lists
  Use tags for filtering redistributed routes, rather than building a long list of networks
Simplicity
Configuration Simplicity
OSPF Network
  Install new router...
  Examine configuration of hub router
  Examine configuration of existing spoke router
  Configure new router
  Connect to network
  Network breaks!
  Why?

hub_router#show run
....
interface s0/0
 ip address 10.1.1.100 255.255.255.0
....

spoke_router#show run
....
interface s0/0
 ip address 10.1.1.200 255.255.255.0
....

new_router#show run
....
interface s0/0
 ip address 10.1.1.80 255.255.255.0
....
Simplicity
Configuration Simplicity
Why were the interface IP addresses set up this way?
The interface isn't a point-to-point, so it must be a multipoint

hub_router#show run
....
interface s0/0
 ip address 10.1.1.100 255.255.255.0
....
Simplicity
Configuration Simplicity
What if we use the OSPF interface priority, instead?
The reason for the configuration directly relates to what the configuration does
This makes network maintenance simpler
Rules of thumb:
  Apply the most obvious configuration possible
  Apply the configuration as close to the point of control as possible

hub_router#show run
....
interface s0/0
 ip address 10.1.1.100 255.255.255.0
 ip ospf priority 240
....

spoke_router#show run
....
interface s0/0
 ip address 10.1.1.200 255.255.255.0
 ip ospf priority 0
....

new_router#show run
....
interface s0/0
 ip address 10.1.1.80 255.255.255.0
 ip ospf priority 0
....
Functional Separation
Allows us to hide information
Allows us to break the network into multiple failure domains
  The amount of separation between the failure domains depends on the strength of the separation
  Watch out for fate sharing (should cover this later in the presentation)
Two Types:
  Hierarchy
  Virtualization
  Can be mixed/blended
  Many grey areas between these
Functional Separation
Simplicity
Breaking the network up into smaller pieces allows us to break a single large problem into a number of smaller, simpler problems
Functional Separation
Apparent Simplicity
A tradeoff
Sometimes, the cost of overall complexity is higher than the offsets in increased simplicity in one specific area or topology
Functional Separation
Two Directions
Topological
  Divide the network along topological “choke points”
  Aggregate reachability information
  Aggregate topology information
  Aggregate traffic flows
[Diagram: Core, Distribution, Aggregation and Access layers]
Functional Separation
Two Directions
Logical
  Divide the network into multiple topologies
  Divide topology information between topologies
  Leak minimal information between topologies
The most common implementation
  Split “outside routes” from “next hop routes”
  Advertise in two different routing protocols, an EGP and an IGP
Hiding Reachability
IP addressing is built around the concept of summarizing reachability information
A doesn't advertise each of the hosts (192.168.1.1, 192.168.1.2, ...); it advertises 192.168.1.0/29
[Diagram: hosts .1, .2, .3 and .4 on 192.168.1.0/29 behind router A]
Hiding Reachability
In the same way, summarizing multiple networks into one advertisement just increases the scope of reachable hosts
192.168.1.0/29 and 192.168.1.8/29 can be aggregated (summarized) to one advertisement, 192.168.1.0/28
To routers and devices beyond the summarization point, all the hosts from 192.168.1.0 through 192.168.1.15 are reachable through A
[Diagram: hosts .1 through .6 on 192.168.1.0/29 and hosts .1 through .6 on 192.168.1.8/29, both behind router A, which advertises 192.168.1.0/28]
Hiding Reachability
Seen from the binary perspective, as you make the prefix length shorter, you move the network/host separation line to the left
As you move the red line to the left, you encompass more destinations
[Diagram: the third and fourth octets of 192.168.1.0, 192.168.2.0, 192.168.3.0 and 192.168.0.0 written in binary, (192.168).00000001.00000000 and so on; with the line after 24 bits each prefix covers 2^8 destinations, with the line after 22 bits one prefix covers all four]
Hiding Reachability
192.168.1.0/24, 192.168.2.0/24, and 192.168.3.0/24 can be advertised as 192.168.0.0/22
Rather than three networks, each with 255 addresses (253 hosts), A advertises a single network, with 1024 addresses
[Diagram: 3 networks (192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24) of 255 addresses and 253 hosts each behind A, advertised as 1 network, 192.168.0.0/22, with 1024 addresses]
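The aggregation shown on the last three slides, worked in code. This is an added example and not part of the Cisco deck: it uses Python's standard ipaddress module to find the shortest prefix covering a set of networks (the "move the line to the left" view), to draw the binary network/host line, and to list the address space a covering summary includes that no component actually holds. The function names are mine; the prefixes are the slides' own 192.168.x examples.

```python
from ipaddress import collapse_addresses, ip_network


def covering_prefix(prefixes):
    """Shortest single prefix that covers every prefix in `prefixes`.

    This is the slides' 'move the network/host line to the left' view: the
    prefix length is shortened one bit at a time until the lowest and the
    highest address of the components fall inside one block.
    """
    nets = [ip_network(p) for p in prefixes]
    lowest = min(n.network_address for n in nets)
    highest = max(n.broadcast_address for n in nets)
    plen = min(n.prefixlen for n in nets)
    while plen >= 0:
        candidate = ip_network((int(lowest), plen), strict=False)
        if highest in candidate:
            return candidate
        plen -= 1
    raise ValueError("unreachable: a /0 covers everything")


def exact_aggregates(prefixes):
    """Fewest prefixes covering exactly the input and nothing more."""
    return [str(n) for n in collapse_addresses(ip_network(p) for p in prefixes)]


def extra_space(prefixes):
    """Address space inside covering_prefix() that belongs to no component.

    A summary shorter than the exact aggregate attracts traffic for these
    addresses as well; at the summarizing router that traffic hits the
    discard route that backs the summary.
    """
    remaining = [covering_prefix(prefixes)]
    for p in prefixes:
        net = ip_network(p)
        nxt = []
        for block in remaining:
            if net.subnet_of(block):
                nxt.extend(block.address_exclude(net))  # carve the component out
            else:
                nxt.append(block)
        remaining = nxt
    return [str(n) for n in collapse_addresses(remaining)]


def binary_view(prefix, line_at=None):
    """Dotted binary network address with '|' at the network/host line."""
    net = ip_network(prefix)
    line_at = net.prefixlen if line_at is None else line_at
    bits = format(int(net.network_address), "032b")
    dotted = ".".join(bits[i:i + 8] for i in range(0, 32, 8))
    pos = line_at + line_at // 8  # skip the dots already emitted before the line
    return dotted[:pos] + "|" + dotted[pos:]


if __name__ == "__main__":
    # The slides' example: three /24s behind router A.
    slide = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
    cover = covering_prefix(slide)
    print(cover, cover.num_addresses, "addresses")       # 192.168.0.0/22 1024 addresses
    print("exact aggregate:", exact_aggregates(slide))    # ['192.168.1.0/24', '192.168.2.0/23']
    print("covered but absent:", extra_space(slide))      # ['192.168.0.0/24']
    for p in slide + [str(cover)]:
        print(binary_view(p, line_at=22))
```

The caveat the last function makes visible: the /22 the slide advertises also covers 192.168.0.0/24, which is not behind A. Beyond the summarization point that block looks reachable, so traffic for it is carried to A and discarded there; that is the same null0 behaviour the later aggregation slides rely on.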
Hiding Reachability
Address summarization also hides changes in the network
[Diagram: a component network behind the summarizing router changes; “Summary doesn't change!”]
Hiding Reachability
Assessing the Impact
One way of looking at hierarchical design is to determine the difference summarization makes statistically
If we know the rate at which prefixes change state within a network, we can predict how many state changes any given router will need to adjust to in a given time period
For instance, suppose we know the average prefix will change once every month. What impact will this have on a large network?
Hiding Reachability
Assessing the Impact
1000 routes each failing once/month means 4100/30 = 136.7 state changes per day in the core of this network
Summarizing each 1000 route area into 100 routes reduces the core to 500, rather than 4100, routes
Summarization hides individual route changes, so we are down to 100/30 = 3.3 state changes per day
[Diagram: four areas of 1000 routes each around a core; without summarization the core carries 4000+100 routes, with summarization 400+100 routes]
Hiding Topology
Topology information describes how devices are interconnected in the network
While topology information is useful, we'd like to hide this information at some point in the network
[Diagram: A is connected to B and C, B and C are connected to D, D is connected to 10.1.1.0/24; with full topology information A knows “A is connected to B, A is connected to C, B is connected to D, C is connected to D, D is connected to 10.1.1.0/24”; hiding topology information reduces this to “C is connected to 10.1.2.0/24, B is connected to 10.1.2.0/24”]
Hiding Topology
Hiding topology information also hides information about changes in the topology
C advertises reachability to 10.1.1.0/24
If the F to G link fails, C can still reach 10.1.1.0/24 (although the metric might change)
If B can still use C to reach 10.1.1.0/24, does B need to know about the F to G link failure?
No!
[Diagram: A and B connect to C; behind C, routers D, E, F and G lead to 10.1.1.0/24; the topology is hidden at C, so B only learns “C can reach 10.1.1.0/24, and here I'm connected to C!”]
Virtualization
Virtualization is placing two apparently separate resources on top of a single resource
[Diagram: resources xxx and yyy placed on top of Silver and Gold]
Virtualization
Virtualization always introduces fate sharing
If an underlying topology, or network, fails, all overlaying topologies fail as well
This is fate sharing
Fate sharing makes virtualization complex to design and troubleshoot
[Diagram: TCP/IP sessions xxx and yyy over Silver and Gold virtual topologies (Red and Blue), over 802.1q VLANs 100 and 101]
Virtualization
Control Plane Only
EGP (BGP) over IGP (EIGRP, OSPF, or IS-IS)
  Separates control plane information into internal and external
  Fairly simple to implement and deploy
Working with Addressing and Summarization
Addressing and Summarization
Address Allocation
Summary Metrics
Aggregation Issues
Aggregation Techniques
Address Allocation
A hierarchical topology isn't enough to hide reachability information—the way the addressing is laid out in the network is also critical
There are several possible methods you can use to assign addresses within a network
Allocating addresses as they are requested is a common method
This only creates summarization points if you happen to get address allocation requests that coincide with the topology of the network
[Diagram: 10.1.1.0/24 (“I asked first!”), 10.1.2.0/24 (“I asked second!”) and 10.1.3.0/24 (“I asked third!”) land in unrelated parts of the topology; “Can't summarize here”]
Address Allocation
Assigning addresses based on the political structure of the organization is another method
  10.1.x.x is marketing
  10.2.x.x is sales
[Diagram: marketing and sales subnets spread across the topology; “Can't summarize here”]
Address Allocation
Assigning address by the geographic location of the device or network is also common
  10.1.0.0/16 is Nevada
  10.2.0.0/16 is California
[Diagram: Nevada and California subnets spread across the topology; “Can't summarize here”]
Address Allocation
Addressing needs to follow the network topology to create summarization points
Any scheme will create summarization points as
But, it's best just to use topological addressing from the start
[Diagram: Nevada site with 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24 behind one router and 10.2.1.0/24, 10.2.2.0/24 and 10.2.3.0/24 behind another]
Address Allocation
Several techniques can be used to conserve address space, where needed
  Use /31's on point-to-point links to conserve address space
  Avoid IP unnumbered, for management reasons—you can't reach the remote device if the remote link fails
  Don't be frightened of odd length masks where it makes sense
[Diagram: /31 on the point-to-point links between 10.1.0.0/16, 10.2.0.0/16 and 10.3.0.0/16, with 10.1.1.0/24, 10.1.2.0/24, 10.2.1.0/24, 10.2.2.0/24, 10.3.1.0/24 and 10.3.2.0/24 behind them]
Summary Metrics
In all interior gateway protocols, the summary metric is dependent on the metrics of the components
The metric of the highest or lowest cost component route is chosen as the summary metric
[Diagram: B summarizes 10.1.0.0/24 (cost 10) and 10.1.1.0/24 (cost 20) into 10.1.0.0/23, advertised to A with cost 20; C summarizes 10.2.0.0/24 (cost 10) and 10.2.1.0/24 (cost 20) into 10.2.0.0/23, advertised to A with cost 20]
Summary Metrics
If the component the metric was taken from flaps, the summary flaps as well!
[Diagram: as the component routes behind B and C change, the metric of 10.1.0.0/23 at A moves between cost 10 and cost 20 with the changes]
Summary Metrics
Use a loopback interface to force the metric to remain constant
Create a loopback interface within the summary address range with a higher or lower metric than any other component
The summary will use the metric of the loopback, which doesn't ever go down
A static route to null0 on the summarizing router can also be used
You can sometimes use a route map to force the summary's metric to always be the same
[Diagram: B summarizes 10.1.0.0/24 (cost 10) and 10.1.1.0/24 (cost 20) into 10.1.0.0/23, advertised to A with cost 10, taken from the loopback]

interface loopback 0
 ip address 10.1.1.1 255.255.255.255
 ip ospf cost 10
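The summary-metric behaviour of the last three slides, modelled in code. This is an added example, not Cisco's, and not a router implementation: it derives a summary's metric from its components under a "lowest" or "highest" rule (EIGRP takes the lowest component metric, an OSPF area range under RFC 2328 the highest), replays a component flap to show the summary metric following it, and then adds a loopback-style anchor that never goes down. The function names, the rule names and the sample metrics are mine; the prefixes and costs are the slides' own.

```python
from ipaddress import ip_network

# Which component metric becomes the summary metric depends on the protocol:
# EIGRP uses the lowest component metric, an OSPF area range (RFC 2328) the highest.
RULES = {"lowest": min, "highest": max}

# Constructed from the slides' diagram: the two components behind router B.
SLIDE_ROUTES = {"10.1.0.0/24": 10, "10.1.1.0/24": 20}
SLIDE_SUMMARY = "10.1.0.0/23"


def components_of(summary, routes):
    """Metrics of the routes inside `summary`; only these feed the summary metric."""
    s = ip_network(summary)
    return [m for prefix, m in routes.items() if ip_network(prefix).subnet_of(s)]


def summary_metric(summary, routes, rule="lowest"):
    """Summary metric under `rule`, or None when no component is up (summary withdrawn)."""
    inside = components_of(summary, routes)
    return RULES[rule](inside) if inside else None


def summary_metric_timeline(summary, routes, flapping, rule="lowest"):
    """Summary metric before, during and after the `flapping` component goes down."""
    without = {p: m for p, m in routes.items() if p != flapping}
    return [summary_metric(summary, routes, rule),
            summary_metric(summary, without, rule),
            summary_metric(summary, routes, rule)]


def is_stable(timeline):
    """True when the summary metric never moved, i.e. the summary did not flap."""
    return len(set(timeline)) == 1


def anchor(summary, routes, rule="lowest", host="10.1.1.1/32"):
    """Add a loopback-style component inside the summary that never goes down.

    Its metric ties with the current winner under `rule`, so no real component
    going away can move the summary metric (the slides' loopback technique;
    a null0 static would be modelled the same way).
    """
    if not ip_network(host).subnet_of(ip_network(summary)):
        raise ValueError("anchor must sit inside the summary range")
    if not routes:
        raise ValueError("need at least one component to pick an anchor metric")
    return {**routes, host: RULES[rule](routes.values())}


if __name__ == "__main__":
    plain = summary_metric_timeline(SLIDE_SUMMARY, SLIDE_ROUTES, "10.1.0.0/24")
    anchored = summary_metric_timeline(
        SLIDE_SUMMARY, anchor(SLIDE_SUMMARY, SLIDE_ROUTES), "10.1.0.0/24")
    print("without anchor:", plain, "stable" if is_stable(plain) else "flaps")     # [10, 20, 10] flaps
    print("with loopback:", anchored, "stable" if is_stable(anchored) else "flaps")  # [10, 10, 10] stable
```

The check worth keeping from this: before relying on a summary's metric to stay put, list the components the rule actually picks from; if the winner is a real link, its flap is the summary's flap, exactly as the slide warns.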
Aggregation Issues
Summary Suboptimal Routing
B and C are advertising 10.1.0.0/23 to A with a metric of 30
A has two routes to 10.1.0.0/23
  B with a cost of 30
  C with a cost of 40
[Diagram: A reaches B over a link of cost 10 and C over a link of cost 20; both advertise 10.1.0.0/23 (30)]
Aggregation Issues
Summary Suboptimal Routing
When summarizing down the hierarchy in OSPF, we can use manual summaries instead of stub areas
Always prefer to summarize more information rather than less
[Diagram: area border routers A and B for 10.1.0.0/24 and 10.1.1.0/24, above routers C and D; A advertises 10.1.0.0/23 into the area, B advertises 10.1.1.0/24 and 10.1.0.0/23; link costs 10, 10, 20, 20 and 10]

area 1 range 10.1.0.0 255.255.254.0
Aggregation Issues
Summary Suboptimal Routing
It's also possible to use LSA type 3 filtering to solve this problem
Permit only a default plus some number of longer prefix routes to allow optimal routing to those destinations
[Diagram: area border routers A and B above routers C and D; A advertises 0.0.0.0/0 into the area, B advertises 0.0.0.0/0 and 10.1.1.0/24]

ip prefix-list AREA_1_OUT seq 10 permit 0.0.0.0/0
ip prefix-list AREA_1_OUT seq 20 permit 10.1.1.0/24
!
router ospf 1000
 area 1 filter-list prefix AREA_1_OUT out
Aggregation Issues
Summary Suboptimal Routing
IS-IS automatically summarizes down the hierarchy
Leak more specific routes when optimal routing towards the core is important
[Diagram: L1/L2 border routers above routers C, D and E; 0.0.0.0/0 and 10.1.1.0/24 are advertised down into level 1; link costs 10, 10, 20, 20 and 10]

access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
router isis
 redistribute isis ip level-2 into level-1 distribute-list 100
 metric-style wide
Aggregation Issues
Summary Suboptimal Routing
EIGRP always requires either summarization or filtering to reduce routing information from the core towards the edge
[Diagram: A and B above 10.1.0.0/24 and 10.1.1.0/24]
Aggregation Issues
Summary Suboptimal Routing
Rather than summarizing, redistributed static routes paired with distribute lists can be used
[Diagram: A and B above routers C, D and E, link costs 10, 10, 20, 20 and 10; A advertises 10.1.0.0/23 down, B advertises 10.1.0.0/23 and 10.1.1.0/24]

Router A
ip route 10.1.0.0 255.255.254.0 null0
!
access-list 10 permit 10.1.0.0 0.0.1.255
!
router eigrp 100
 redistribute static
 default-metric 1000 1 255 1 1500
 distribute-list 10 out serial 0/0

Router B
ip route 10.1.0.0 255.255.254.0 null0
!
access-list 10 permit 10.1.0.0 0.0.1.255
access-list 10 permit 10.1.1.0 0.0.0.255
!
router eigrp 100
 redistribute static
 default-metric 1000 1 255 1 1500
 distribute-list 10 out serial 0/0
Aggregation Issues
Summary Suboptimal Routing
Another option is to create a pair of summaries containing the more and less specific routes
[Diagram: A and B above 10.1.0.0/24 and 10.1.1.0/24; A advertises 0.0.0.0/0 down, B advertises 0.0.0.0/0 and 10.1.1.0/24; link costs 20 and 10]

interface serial 0/0
 ! AS 100, as on the preceding slides
 ip summary-address eigrp 100 10.1.1.0 255.255.255.0 250
 ip summary-address eigrp 100 0.0.0.0 0.0.0.0
Aggregation Issues
Distance Vector Summary Black Holes
Routers B and C are summarizing 10.1.0.0/24 and 10.1.1.0/24 into a single advertisement, 10.1.0.0/23, towards A
Routers B and C are also
[Diagram: A above B and C; both advertise 10.1.0.0/23 to A; both connect to 10.1.0.0/24 and 10.1.1.0/24]
Aggregation Issues
Distance Vector Summary Black Holes
If Router B loses its link to 10.1.0.0/24, what happens?
Router B isn't learning about 10.1.0.0/24 through C, since C is only advertising a default route—so B no longer knows about it
[Diagram: B and C still advertise 10.1.0.0/23 to A; 10.1.1.0/24 isn't learned from A]
Aggregation Issues
Distance Vector Summary Black Holes
A could still forward traffic destined to 10.1.0.1 to B
We have a summarization black hole
If A is load sharing per packet, every other packet will be dropped
If A is load sharing per session, then some hosts will be able to reach destinations on 10.1.0.0/24, and others won't
[Diagram: A load shares traffic for 10.1.0.1 across B and C, which both advertise 10.1.0.0/23; only C still connects to 10.1.0.0/24]
Aggregation Issues
Distance Vector Summary Black Holes
One way to solve this problem is to always have at least one unsummarized link between the summarizing routers
  The summarizing routers always have someplace to send the traffic if they lose connectivity to the link
Another option is not to summarize both up the hierarchy and down the hierarchy
  This reduces network scaling!
[Diagram: B and C advertise 10.1.0.0/23 up to A; “No Summarization” on the link between B and C; “Don't summarize up and down”: the 0.0.0.0/0 advertised down towards 10.1.0.0/24 and 10.1.1.0/24 is what creates the hole]
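The black hole of the last four slides, reproduced with a tiny forwarding model. This is an added example and not Cisco's code: each router holds a longest-prefix-match table in which a summary is backed by a null0 discard entry (as EIGRP does), B and C advertise 10.1.0.0/23 up to A and only a default down to each other, and a trace follows a packet hop by hop. The router names, prefixes and the failing link are the slides' own; the class and function names, the "connected"/"null0" markers and the `unsummarized_link` switch (the slide's first fix) are mine.

```python
from ipaddress import ip_address, ip_network

CONNECTED, DISCARD = "connected", "null0"


class Router:
    """Minimal FIB: longest-prefix match; 'null0' discards, 'connected' delivers."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, next_hop): next_hop is a router name, CONNECTED or DISCARD

    def add(self, prefix, next_hop):
        self.routes.append((ip_network(prefix), next_hop))

    def withdraw(self, prefix, next_hop):
        self.routes.remove((ip_network(prefix), next_hop))

    def next_hops(self, dst):
        """Next hops sharing the longest matching prefix (equal-cost paths); connected wins outright."""
        dst = ip_address(dst)
        matches = [(n, h) for n, h in self.routes if dst in n]
        if not matches:
            return []
        longest = max(n.prefixlen for n, _ in matches)
        hops = [h for n, h in matches if n.prefixlen == longest]
        return [CONNECTED] if CONNECTED in hops else hops


def trace(routers, start, dst, max_hops=8):
    """Forward from `start`, taking the first equal-cost next hop at each router."""
    path, here = [start], start
    for _ in range(max_hops):
        hops = routers[here].next_hops(dst)
        if not hops or hops[0] == DISCARD:
            return path, "dropped"          # no route, or the summary's null0 entry won
        if hops[0] == CONNECTED:
            return path, "delivered"
        here = hops[0]
        if here in path:
            return path + [here], "loop"
        path.append(here)
    return path, "loop"


def build(unsummarized_link=False):
    """The slides' topology (constructed): A above B and C; B and C summarize
    10.1.0.0/24 and 10.1.1.0/24 into 10.1.0.0/23 towards A and send only a
    default towards each other. With `unsummarized_link` they exchange the
    full routes, which is the slide's first fix."""
    a, b, c = Router("A"), Router("B"), Router("C")
    for r, other in ((b, "C"), (c, "B")):
        r.add("10.1.0.0/24", CONNECTED)
        r.add("10.1.1.0/24", CONNECTED)
        r.add("10.1.0.0/23", DISCARD)      # discard route created with the summary
        r.add("0.0.0.0/0", other)          # the other router only sends a default down
        if unsummarized_link:
            r.add("10.1.0.0/24", other)
            r.add("10.1.1.0/24", other)
    a.add("10.1.0.0/23", "B")              # A load shares across both summaries
    a.add("10.1.0.0/23", "C")
    return {"A": a, "B": b, "C": c}


def outcomes_from_a(routers, dst):
    """Result of each of A's equal-cost choices, i.e. what per-packet load sharing sees."""
    return {hop: trace(routers, hop, dst)[1] for hop in routers["A"].next_hops(dst)}


if __name__ == "__main__":
    net = build()
    net["B"].withdraw("10.1.0.0/24", CONNECTED)        # B loses its link to 10.1.0.0/24
    print("summarized both ways:", outcomes_from_a(net, "10.1.0.1"))   # {'B': 'dropped', 'C': 'delivered'}
    net = build(unsummarized_link=True)
    net["B"].withdraw("10.1.0.0/24", CONNECTED)
    print("unsummarized B-C link:", outcomes_from_a(net, "10.1.0.1"))  # {'B': 'delivered', 'C': 'delivered'}
```

The model makes the mechanism explicit: at B the /23 discard entry is a longer match than the default learned from C, so once the connected /24 is gone, longest-prefix match selects null0 and not C. The slide's second fix (not summarizing downward) has the same eff­ect in this model as the unsummarized link, since either way B learns the /24 from C.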
Aggregation Issues
Link State Summary Suboptimal Routing
Routers E and F are not intended to transit traffic between C and D
Routers C and D issue summaries containing 10.1.1.0/24
Router A chooses D as its best path to the summary
The link from Router D to Router E fails
How can we prevent Router D from using the link through F to reach 10.1.1.0/24?
[Diagram: A above B; B above C and D, which advertise 10.1.0.0/16; C and D connect to E and F, which connect to 10.1.1.0/24 and 10.1.2.0/24]
Aggregation Issues
Link State Summary Suboptimal Routing
Place a link between C and D within the same area as E and F
The link cost between C and D should be lower than the link cost through F, causing D to route through this new link
[Diagram: the same topology with a new link between C and D]
Aggregation Techniques
Leaking More Specifics
In this network, it appears almost impossible to summarize at any point because of the addressing
Summarize anyway!
Router B can advertise 10.1.0.0/22
Routes which don't fall within this summary range will be leaked through to Router A
[Diagram: behind B: 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.2.1.0/24 and 10.2.4.0/24; behind C: 10.1.4.0/24, 10.1.5.0/24, 10.2.2.0/24, 10.2.3.0/24 and 10.2.5.0/24; A receives all ten /24s]
Aggregation Techniques
Leaking More Specifics
Summarizing to 10.1.0.0/22
[Diagram: B advertises 10.1.0.0/22 (covering 10.1.1.0/24, 10.1.2.0/24 and 10.1.3.0/24) and leaks 10.2.1.0/24 and 10.2.4.0/24; C still advertises 10.1.4.0/24, 10.1.5.0/24, 10.2.2.0/24, 10.2.3.0/24 and 10.2.5.0/24]
Aggregation Techniques
Leaking More Specifics
We can do the same thing with the 10.2.0.0 networks on Router C, with 10.2.0.0/21, dropping the number of routes on Router A by two more
The more specific information is still leaked through the summary, so routing still works
[Diagram: A now holds 10.1.0.0/22, 10.2.1.0/24 and 10.2.4.0/24 from B, and 10.2.0.0/21, 10.1.4.0/24 and 10.1.5.0/24 from C]
Aggregation Techniques
Leaking More Specifics
If one of the networks behind Router B fails, traffic for that network will be forwarded to Router C
At C, it will be discarded because of the NULL0 route automatically created with the summary
The only danger here is that the link from A to C may be overwhelmed with the extra traffic
[Diagram: A holds 10.1.0.0/22, 10.2.1.0/24, 10.2.4.0/24, 10.2.0.0/21, 10.1.4.0/24 and 10.1.5.0/24; packets for the failed network behind B are dropped to null 0 at C]
Aggregation Techniques
Leaking More Specifics
It's also useful to leak more specifics along with (or through) an aggregate
C should receive as few routes as possible
But still optimally route to 10.1.1.0/24 and 10.1.2.0/24 dynamically
There are several ways to accomplish this
  Redistributed static routes and route filters
  Overlapping Aggregates
  Route Leaking (EIGRP)
[Diagram: A and B above C; A and B connect to 10.1.1.0/24 and 10.1.2.0/24 and both advertise 10.1.0.0/16 to C]
Aggregation Techniques
Leaking More Specifics
[Diagram: A and B both advertise 10.1.0.0/16 to C; A also leaks 10.1.1.0/24 and B leaks 10.1.2.0/24]

Router A
router eigrp 100
 redistribute static route-map agg-routes
 default-metric 1000 1 255 1 1500
 distribute-list 20 out serial0/0
!
ip route 10.1.0.0 255.255.0.0 null0
!
route-map agg-routes permit 10
 match ip address 10
 match interface serial 0/0
!
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 20 permit 10.1.1.0 0.0.255.255

Router B
router eigrp 100
 redistribute static route-map agg-routes
 default-metric 1000 1 255 1 1500
 distribute-list 20 out serial0/0
!
ip route 10.1.0.0 255.255.0.0 null0
!
route-map agg-routes permit 10
 match ip address 10
 match interface serial 0/0
!
access-list 10 permit 10.1.0.0 0.0.255.255
access-list 20 permit 10.1.2.0 0.0.255.255
Aggregation Techniques
Leaking More Specifics
EIGRP allows overlapping summaries
Set the administrative distance on the longer prefix so it's not installed...
[Diagram: A and B both advertise 10.1.0.0/16 to C, along with 10.1.1.0/24 and 10.1.2.0/24]

interface serial 0/0
....
 ip summary-address eigrp 1 10.1.0.0 255.255.0.0
 ip summary-address eigrp 1 10.1.1.0 255.255.255.0 255
13881_06_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 73
Aggregation Techniques
Leaking More Specifics
EIGRP can leak more specific 10.1.0.0/16
routes through a summary,
as well
CSCed01736, 12.3(11.01)T
10.1.1.0/24 10.1.2.0/24
10.1.0.0/16
10.1.0.0/16
interface Serial0/0
ip summary-address eigrp 1
10.1.1.0/24
10.1.2.0/24
10.1.0.0 255.255.0.0 leak-map LeakList
10.1.3.0/24
10.2.4.0/24
10.2.1.0/24
10.1.2.0/24
10.1.1.0/24
10.2.5.0/24
10.1.4.0/24
10.1.5.0/24
10.2.3.0/24
10.2.2.0/24
TECRST-2021
13881_06_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 75
Aggregation Techniques
Smaller Aggregates
We can combine the larger summaries with the smaller summaries to have the most impact
These are two very effective tools if used together, with a little planning
[Diagram: A holds 10.1.0.0/22, 10.2.1.0/24 and 10.2.4.0/24 from B, and 10.2.0.0/21 and 10.1.4.0/23 from C; the same ten /24s sit behind B and C]
Aggregation Techniques
Smaller Aggregates
Balance this sort of optimization with the maintenance work it produces in the network
Leaking routes through summaries means checking what adding a new route will do to the summaries and the routing
Summarizing on small blocks means considering the summaries when moving a set of addresses
[Diagram: the same topology; A holds 10.1.0.0/22, 10.2.1.0/24, 10.2.4.0/24, 10.2.0.0/21 and 10.1.4.0/23]
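The "summarize anyway" planning from the Leaking More Specifics slides and the Smaller Aggregates slides, as one added example (not Cisco's code). Given the /24s behind B and C from the diagrams, it computes what each router advertises upstream (each summary that has a component behind it, plus every route no summary covers, leaked through), builds A's resulting table, and then replays the slides' failure case: a leaked network behind B disappears, A's longest match becomes C's summary, and C discards the traffic because it has no component for it. The route lists are transcribed from the slide diagrams; the function names are mine.

```python
from ipaddress import ip_address, ip_network

# Constructed from the slides' diagram: the /24s sitting behind routers B and C.
B_ROUTES = ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24", "10.2.1.0/24", "10.2.4.0/24"]
C_ROUTES = ["10.1.4.0/24", "10.1.5.0/24", "10.2.2.0/24", "10.2.3.0/24", "10.2.5.0/24"]


def advertised(routes, summaries):
    """What a router advertises upstream: each summary that has at least one
    component behind it, plus every route no summary covers (leaked through)."""
    nets = [ip_network(r) for r in routes]
    sums = [ip_network(s) for s in summaries]
    out = [s for s in sums if any(n.subnet_of(s) for n in nets)]
    out += [n for n in nets if not any(n.subnet_of(s) for s in sums)]
    return [str(n) for n in sorted(set(out))]


def upstream_table(downstream):
    """Table at the upstream router A: prefix -> advertising routers.
    `downstream` maps router name -> (routes behind it, summaries it applies)."""
    table = {}
    for name, (routes, summaries) in downstream.items():
        for prefix in advertised(routes, summaries):
            table.setdefault(prefix, []).append(name)
    return dict(sorted(table.items(), key=lambda kv: ip_network(kv[0])))


def longest_match(table, dst):
    """Longest-prefix match over the upstream table, or None."""
    dst = ip_address(dst)
    hits = [p for p in table if dst in ip_network(p)]
    return max(hits, key=lambda p: ip_network(p).prefixlen) if hits else None


def forward_from_upstream(downstream, dst):
    """Longest match at A, then whether the chosen downstream router still has a
    component for `dst`; a summary with no matching component discards (null0)."""
    table = upstream_table(downstream)
    prefix = longest_match(table, dst)
    if prefix is None:
        return None, "no route"
    owner = table[prefix][0]
    routes, _ = downstream[owner]
    delivers = any(ip_address(dst) in ip_network(r) for r in routes)
    return owner, "delivered" if delivers else "discarded at null0"


def plan(c_summaries=("10.2.0.0/21",), b_routes=B_ROUTES):
    """The slides' deployment: B summarizes to 10.1.0.0/22, C to `c_summaries`."""
    return {"B": (list(b_routes), ["10.1.0.0/22"]), "C": (C_ROUTES, list(c_summaries))}


if __name__ == "__main__":
    print(len(upstream_table(plan())), "routes at A after summarizing")               # 6
    print(len(upstream_table(plan(("10.2.0.0/21", "10.1.4.0/23")))), "with the /23")   # 5
    lost = [r for r in B_ROUTES if r != "10.2.1.0/24"]   # a network behind B fails
    print(forward_from_upstream(plan(b_routes=lost), "10.2.1.5"))  # ('C', 'discarded at null0')
```

Running `plan()` with a proposed summary set before touching the routers is the maintenance check the Smaller Aggregates slide asks for: adding or moving a /24 changes which prefixes leak and which summaries are originated, and the table diff shows it.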
Hiding Topology
Hiding Topology
Distance Vector
Topology information is naturally hidden in distance vector protocols, beyond the next hop
C and D only advertise that they can reach 10.1.1.0/24, not that they are connected to D, which is then connected to 10.1.1.0/24
[Diagram: A connects to B and C, which connect to D, which connects to 10.1.1.0/24; each router only tells its neighbor “I can reach 10.1.1.0/24”]
Hiding Topology
Distance Vector
Distance vector protocols can still have too much topology information
Multiple parallel links can slow down convergence because of overwhelming topology information
General EIGRP rule of thumb: There should be no more paths in the topology table than are allowed to be installed in the routing table (show ip eigrp topology all-links vs. maximum-paths)
[Diagram: A and B joined by many parallel links, with 10.1.1.0/24 behind B]
Hiding Topology
Link State Flooding Domains
In link state protocols, routers flood information about the state of their links to all other routers, carrying topology information to all the routers in the network
All the routers receiving the flooded link state information are said to be in the same flooding domain
We summarize topology information into reachability information at a flooding domain border
[Diagram: A and B above border router C; D is connected to C, E and F; E and F are connected to D and G; G is connected to E, F and 10.1.1.0/24]
Hiding Topology
Link State Flooding Domains
OSPF
  Flooding Domain == Area
  Flooding Domain Border == Area Border Router
  Link State Summary == Type 3
    Contains only reachability and cost information, no topology
  External == Type 5
    Contains only reachability and cost information, no topology
[Diagram: Area 0 (A, B, C) with the area border at C; Area A (A, B, C, D, links AB, BA, BC, CB) containing 10.1.1.0/24 and 10.1.3.0/24, with 10.1.2.0/24 redistributed as an external]
Hiding Topology
Link State Flooding Domains
Decoding OSPF Stub Areas
  “Stub” == no link state summaries (type 3)
  “Totally” == no external information (type 4 or 5)
  “Not so” == Externals injected as type 7's and translated at the border
Stub Area
  Stub area receives external routing information from outside the area only (no redistribution within the area)
[Diagram: the same areas; the stub area receives a default and 10.1.3.0/24 from C, plus 10.1.2.0/24 as an external; no information about 10.1.1.0/24]
Hiding Topology
Link State Flooding Domains
Totally stubby areas receive no information about reachability to external or internal destinations
D could originate information about destinations external to OSPF
You should use stub areas by default
  Supply minimal information where possible
  Consider suboptimal routing when necessary
[Diagram: the totally stub area receives only a default from C; no information about 10.1.1.0/24 or 10.1.2.0/24]
Hiding Topology
Assessing the Impact

Considering SPF run time for a link state protocol, convergence times vary around the number of routers and the number of routes:
  1000 routers: 90 to 100 ms
  2000 routers: 130 to 140 ms

[Chart: SPF run time in milliseconds (50 to 350) against number of routes (5000 to 25000)]
Hiding Topology
Assessing the Impact

Changing the number of routes can make up to a 10 millisecond difference in SPF run time

Changing the number of routers can make up to a 200 millisecond difference

[Chart: SPF run time in milliseconds (50 to 350) against number of routes (5000 to 25000), with the 10 ms and 200 ms differences marked]
Hiding Topology
Assessing the Impact

This isn't always the case, and Cisco IOS® to Cisco IOS

[Chart: SPF run time in milliseconds (50 to 350) against number of routes (5000 to 25000)]
Working with Hierarchy
Working with Hierarchy
Hierarchical Design
Two Layer Hierarchy
Three Layer Hierarchy
Hierarchical Design
Basic Concepts

Zones (or Nodes)
  A topologically defined part of the network
  Attached to other parts of the network through choke points

Choke Points
  Places where zones or nodes are connected together

[Figure: zones joined to each other at choke points]
Hierarchical Design
Basic Concepts
Each zone represents a failure domain
Choke points provide:
A place to aggregate reachability information
A place to aggregate topology information
A place to aggregate traffic flows
A place to apply traffic policy
Hierarchical Design
How Many Layers?
There are two basic designs:
Two layer
Three layer
Hierarchical Design
How Many Layers?
Geography
Networks contained in smaller spaces lend themselves to
two layers
Networks with more "reach" lend themselves to three layers
Topology Depth
The maximum number of hops from one edge to another
The greater the depth, the more layering will help the design
Hierarchical Design
How Many Layers?
Topology Design
The more complex the design, the more splitting the network
up into zones will help the design
Policy Implementation
Traffic engineering tends to prefer two layer designs
Resource restriction policies tend to prefer three layer designs
Hierarchical Design
Creating Choke Points

Moving the boundary between two pieces of the network may create a choke point which didn't exist before

With the logical boundary point behind the lower routers, based on the divisional structure, there's no place to summarize

[Figure: 10.1.0.0/24 through 10.1.3.0/24 and 10.2.0.0/24 through 10.2.3.0/24 spread across the four departments Sales, Marketing, Logistics and Engineering; logical boundary points behind the lower routers; no summarization]
Hierarchical Design
Creating Choke Points

What happens if we move the logical boundary point up one layer?

The logical network structure no longer follows the corporate departments

We now have a point at which we can summarize routes!

[Figure: with the logical boundary point one layer up, 10.1.0.0/24 through 10.1.3.0/24 summarize to 10.1.0.0/22 and 10.2.0.0/24 through 10.2.3.0/24 to 10.2.0.0/22]
Hierarchical Design
Creating Choke Points

In this case, moving the logical boundary point down one layer can be used to improve summarization

With EIGRP, it's just a matter of configuring summaries in the best possible place

With OSPF and IS-IS, some restructuring of the area or routing domain borders may be needed to change where summarization takes place

[Figure: logical boundary point moved down one layer, with 10.1.0.0/24 through 10.1.3.0/24 on one side and 10.2.0.0/24 through 10.2.3.0/24 on the other]
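As an added example (not from the Cisco deck): the choke point test from the preceding slides carried out with Python's ipaddress module. For each zone it computes the single supernet that would have to be advertised as the summary, then lists every prefix belonging to another zone that this summary would also cover; a non-empty list means the boundary is in the wrong place for summarization. The eight /24s are the slides'; which department owns which prefix is an assumption made for the example.

```python
# Added example: can a summary be advertised at a given boundary?
# Not from the original deck; the department-to-prefix mapping is assumed.
import ipaddress


def covering_supernet(prefixes):
    """Smallest single prefix that contains every prefix in the zone."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    candidate = nets[0]
    # supernet() of 0.0.0.0/0 returns itself, so this always terminates
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def summary_plan(zones):
    """zones: {zone name: [prefixes]}, one summarization boundary per zone.
    Returns {zone: (summary, leaks)} where leaks lists prefixes of other zones
    the summary would wrongly claim; an empty list means the summary is safe
    to advertise at that choke point."""
    plan = {}
    for name, prefixes in zones.items():
        summary = covering_supernet(prefixes)
        leaks = sorted(
            p
            for other, others_prefixes in zones.items()
            if other != name
            for p in others_prefixes
            if ipaddress.ip_network(p).subnet_of(summary)
        )
        plan[name] = (str(summary), leaks)
    return plan


# Boundaries following the departments (assumed mapping of prefixes)
BY_DEPARTMENT = {
    "Sales": ["10.1.0.0/24", "10.2.0.0/24"],
    "Marketing": ["10.1.1.0/24", "10.2.1.0/24"],
    "Logistics": ["10.1.2.0/24", "10.2.2.0/24"],
    "Engineering": ["10.1.3.0/24", "10.2.3.0/24"],
}

# Boundary moved up one layer: zones follow the addressing plan instead
BY_UPPER_ROUTER = {
    "left": ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"],
    "right": ["10.2.0.0/24", "10.2.1.0/24", "10.2.2.0/24", "10.2.3.0/24"],
}


if __name__ == "__main__":
    for label, zones in (("departments", BY_DEPARTMENT), ("upper routers", BY_UPPER_ROUTER)):
        print(f"boundary at {label}:")
        for zone, (summary, leaks) in summary_plan(zones).items():
            verdict = "ok" if not leaks else f"also covers {leaks}"
            print(f"  {zone}: {summary} {verdict}")
```

With the departmental boundaries every zone collapses to 10.0.0.0/14 and claims the other departments' space, which is the "no place to summarize" case; with the boundary one layer up each side summarizes cleanly to a /22. The same check is worth running before configuring any summary, because a summary that covers addresses the router cannot actually reach is exactly what the discard route discussion later in this deck is about.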
Hierarchical Design
Creating Choke Points
Sometimes, you need
to change the topology
to build a choke point
A full mesh is just a
hierarchical network
in disguise!
Hierarchical Design
Creating Choke Points
Separating complexity from
complexity through choke
points amplifies the benefits
of hierarchy
Sometimes, logical or
physical topology changes
are needed to separate
complexity from complexity
Two Layer Hierarchy
Basic Concepts

The core gets traffic from one topological area of the network to another
  High speed switching is the focus

Within the core, avoid
  Policy (the more complex, the more to avoid it) within the core
  Reachability and topology aggregation

[Figure: core and aggregation layers]
Two Layer Hierarchy
Basic Concepts

Core routers should summarize routing information towards the aggregation layer
  Typically, the fewer number of routes advertised towards the edge, the better

Routing policy may also be implemented at the core edge
  How many and what routes will be accepted from each aggregation area, etc.

[Figure: summaries and routing policy applied at the core/aggregation boundary]
Two Layer Hierarchy
Basic Concepts

The aggregation layer provides user attachment points

Information about the edge should be hidden from the core using summarization and topology hiding techniques

[Figure: aggregation layer summarizing towards the core]
Two Layer Hierarchy
Basic Concepts

Policy should be placed at the edge of the network
  Traffic acceptance (based on load and traffic type)
  Filtering unwanted traffic
  Security policy

Layer 2 and Layer 3 filters apply at the edge

[Figure: policy applied at the edge of the aggregation layer]
Two Layer Hierarchy
Basic Concepts

Small and medium scale campus networks are often modeled as two layer networks
  A moderate number of routers are attached to the network
  The network doesn't have a large wide area component
  Distances are small, and all links are similar in speed

[Figure: campus core]
Two Layer Hierarchy
Basic Concepts

ISP networks are often modeled on a two layer hierarchy as well
  Topology information is summarized between the POPs and the network core
  Address summarization is generally from the core towards the POPs

[Figure: POPs attached to the network core, customers attached to the POPs]
Two Layer Hierarchy
EIGRP
In an EIGRP network, the
hierarchy is created through
summarization, rather than
through some protocol
defined boundary
There are no "areas" or other ways of dividing a network built into EIGRP itself, since topology information is hidden at each hop in the network anyway
Two Layer Hierarchy
EIGRP

Summarization from the edge towards the core hides details about the user access points from the core

Summarization towards the core can cause routing

[Figure: summarization from the edge towards the core]
Two Layer Hierarchy
EIGRP

Summarization from the core towards the edge can hide details about the core from the edge routers, as well

This type of summarization can cause suboptimal routing, however

[Figure: summarization from the core towards the edge]
Two Layer Hierarchy
OSPF

OSPF creates edges through areas, using Area Border Routers (ABRs)

Typically, with a two level hierarchy, the ABRs are at the edge of the core

The core is area 0

[Figure: area border routers at the edge of area 0]
Two Layer Hierarchy
OSPF

Summarization is configured at the ABR, on the edge of the edge/aggregation areas and the core (area 0)

Summarization can also be configured to reduce the amount of reachability information carried into the areas

[Figure: summarization at the ABRs between area 0 and the aggregation areas]
Two Layer Hierarchy
OSPF

To remove virtually all reachability information into the areas, declare them totally stubby (or totally stubby not-so-stubby) areas

  router ospf 100
   network .... area 1
   area 1 stub
   network .... area 2
   area 2 stub no-summary

Use totally stub areas when there is a single area border, or when suboptimal routing of traffic exiting the area isn't an issue

Use stub areas when there is more than one area border, and optimal routing of traffic leaving the area is important

[Figure: stub area 1 and totally stubby area 2 attached to area 0]
Three Layer Hierarchy
Basic Concepts

The core gets traffic from one topological area of the network to another: High Speed Switching

[Figure: core layer]
Three Layer Hierarchy
Basic Concepts

Address summarization and traffic aggregation occur at the distribution layer

Address Summarization
  Within the distribution layer
  At the edge of the distribution layer and the core
  At the edge of the distribution layer and the access layer
  At both edges of the distribution layer

Traffic Aggregation
  High to low speed link transitions

[Figure: core, distribution and access layers with summaries generated at the distribution layer]
Three Layer Hierarchy
Basic Concepts

The distribution layer is where most of the policy in a three layer network should reside

Routing Policy
  Routes accepted from the access layer
  Routes will be passed from the core into the access layer

Traffic Engineering
  Directing traffic into the best core entry point
  Access layer failover
  Traffic filters

No summarization! Summarization is avoided between distribution layer routers!

[Figure: core, distribution and access layers with policy applied at the distribution layer]
Three Layer Hierarchy
Basic Concepts

The access layer provides ports for the users to plug in to

Traffic filtering and packet policies are implemented here
  Traffic acceptance (based on load and traffic type)
  Filtering unwanted traffic at Layer 2 and Layer 3
  Security policy

[Figure: core, distribution and access layers with policy applied at the access layer]
Three Layer Hierarchy
EIGRP

Deeper hierarchy doesn't change EIGRP's fundamental design concepts

The distribution layer should be the blocking point for EIGRP queries
  Provide minimal information toward the core
  Provide minimal information toward the access
  (A summary bounds the query scope because a router that holds only the summary has no matching route and replies immediately; configuring the access routers as EIGRP stubs bounds it in the other direction)

[Figure: distribution layer summarizing towards both the core and the access layer]
Three Layer Hierarchy
OSPF

For OSPF, the question is whether to place the area borders in the distribution layer, or in the core

The answer to this question is, as always, "it depends"

There are two rules of thumb we can work with, though:
  Separate complexity from complexity
  Place area borders to reduce suboptimal routing and to increase summarization

[Figure: core, distribution and access layers]
Three Layer Hierarchy
OSPF

Complex areas include
  Full mesh topologies (a full mesh core)
  Highly parallel topologies (a highly parallel data center)
  Large scale hub and spoke
  Highly redundant topologies (a highly redundant campus)

[Figure: a highly parallel data center, a full mesh core, a large scale hub and spoke and a highly redundant campus, each separated from the others by an area border]
Working with Topologies
Link State Point-to-Point Broadcast

Normally, if a set of routers are connected over a broadcast link, each router would form a neighbor relationship with every other router on the link

This can cause a large amount of flooding over the single broadcast network

[Figure: routers A, B and C sharing one broadcast segment]
Link State Point-to-Point Broadcast

To reduce flooding:
  In OSPF, a router that receives new information floods it to the DR, which then refloods it to the other connected routers
  In IS-IS, the first router to receive new information floods it, and the DIS coordinates database synchronization between the routers

[Figure: routers A, B and C on one broadcast segment with A as DR/DIS]
Link State Point-to-Point Broadcast

If there are only two routers on the broadcast link the DR/DIS adds complexity, rather than removing it
  Point-to-point high speed Ethernet segments used in campus environments, data centers, etc.
  What could be advertised as a point-to-point is actually advertised as two point-to-points to the DR/DIS

[Figure: routers A and B alone on an Ethernet segment]
Link State Point-to-Point Broadcast

draft-ietf-isis-igp-p2p-over-lan (later published as RFC 5309) describes a method for OSPF and IS-IS to treat a broadcast link as a point-to-point link

  interface FastEthernet 0
   isis network point-to-point
   ip ospf network point-to-point
   ....

[Figure: routers A and B on an Ethernet segment treated as a point-to-point link]
Controlling Physical Parallelism

More redundancy is better, right?

Not always...

There are 64 paths between these two hosts, 2^6

[Figure: two hosts and the parallel links between them]
Controlling Physical Parallelism
Server Farm Example

It's common to build networks with back-to-back routers (HSRP peers) for redundancy

The routing protocol sees each of these links as a possible transit path, so each link adds another set of paths the routing protocol must consider when calculating the best path

You want to route to these links, not through them

[Figure: HSRP peers whose server farm segments appear to the routing protocol as transit paths]
Controlling Physical Parallelism
Server Farm Example

The solution to this is passive-interface

Configuring an interface as passive in EIGRP, OSPF, or IS-IS will cause it not to form neighbor relationships across the link

These networks will still be advertised as reachable destinations, but they will never be advertised as transit links

  router ospf 100
   passive-interface fastethernet 0/0
   passive-interface fastethernet 0/1
   passive-interface fastethernet 0/2
   passive-interface fastethernet 0/3
   ....

-or-

  router ospf 100
   passive-interface default
   no passive-interface fastethernet 1/0
   ....

The second form is the safer default: an interface added later forms no adjacency unless it is explicitly enabled with no passive-interface
Controlling Physical Parallelism

It's common to build out alternate links in a network
  Adds network resiliency
  Can provide optimal routing to resources
  Adds additional bandwidth in congested areas of the network

[Figure: an alternate link providing optimal routing]
Controlling Physical Parallelism
Adding a third link almost
always approaches the point
of diminishing returns, and adds
much more network complexity
When considering adding more
redundancy, always balance the
increased resiliency against the
added complexity
Increased network
convergence times
Increased management effort
Increased troubleshooting times
Controlling Physical Parallelism

The impact of greater levels of redundancy on convergence times can be seen in routing protocol scalability testing

Using EIGRP, with a single backup path (a feasible successor), it takes about 1.3 seconds for a router with 10000 routes to converge when the best path fails

[Chart: convergence time in seconds (0 to 2.5) against number of routes (0 to 10000) when the best path fails]
Controlling Physical Parallelism

Adding the third path increases convergence time to 2 seconds

Adding the fourth path increases convergence time to 2.25 seconds

[Chart: convergence time in seconds (0 to 2.5) against number of routes (0 to 10000) when the best path fails]
Controlling Physical Parallelism

High availability studies also show the impact of adding the third link is not all that great

Adding a second link will increase reliability significantly

Adding a third link approaches the point of diminishing returns

[Chart: reliability (99.60% to 100.00%) against the number of links]
Controlling Physical Parallelism

If you're adding more links to increase the available bandwidth in a specific place in the network
  Try to hide this complexity from other parts of the network, if possible
  Summarize just the parallel links into a single advertisement at both sides if you're using a distance vector protocol

[Figure: a summary advertised at both ends of the parallel links]
Controlling Physical Parallelism

Layer 2 bundling (such as MLPPP or EtherChannel®) may be useful to reduce the Layer 3 complexity when using multiple links to build required bandwidth

But be careful of issues with processor utilization due to bundling overhead, troubleshooting complexity, etc.

[Figure: parallel links combined into a single link bundle]
Controlling Physical Parallelism

Consider using High Availability (HA) techniques to reduce overlapping redundancy

Stateful Switchover/NonStop Forwarding with redundant hardware in the same box may be able to replace redundant connections to network connected devices

[Figure: a single high availability device replacing redundant connections]
Hub and Spoke
Basic Design

Hub and spoke networks are often built over point-to-multipoint networks

If the hub is configured to treat the entire point-to-multipoint network as a single interface, it can transmit multicast and broadcast packets which are received by all spoke routers

  interface s0/0
   ip address 10.1.1.1 255.255.255.0

Layer 3 on the hub router will not notice a single circuit failure

[Figure: packets transmitted on the hub's multipoint interface are received by all spokes; packets transmitted by a spoke are received only by the hub router]
Hub and Spoke
Basic Design

The hub router can also be configured to treat each spoke's circuit as an individual point-to-point circuit on a subinterface

  interface s0/0.1 point-to-point
   ip address 10.1.1.0 255.255.255.254
   ....
  interface s0/0.2 point-to-point
   ip address 10.1.1.2 255.255.255.254
   ....
  interface s0/0.3 point-to-point
   ip address 10.1.1.4 255.255.255.254

If end-to-end signaling is in use, a failed circuit will cause the subinterface to fail

On each spoke:

  interface s0.1 point-to-point
   ip address 10.1.1.x 255.255.255.254
   ....

[Figure: packets transmitted on one hub subinterface are received by one spoke; packets transmitted by a spoke are received only by the hub router]
Hub and Spoke
Basic Design

In single homed hub and spoke networks, the hub router, spoke routers, and the links themselves are all single points of failure

You can mitigate the single point of failure in the routers using high availability techniques

[Figure: a highly available hub router]
Hub and Spoke
Basic Design

Summarize towards the core

Number the remote links out of the same address space as the remote networks, if possible

Use /31's to conserve address space for point-to-points only

  access-list 10 deny 192.168.0.0 0.0.0.255
  access-list 10 permit any
  ....
  router eigrp 100
   distribute-list 10 out

[Figure: remotes 192.168.1.0/24, 192.168.2.0/24, ... behind the hub; the hub advertises a summary towards the core and distribute-list 10 keeps the 192.168.0.0/24 link addresses out of it]
Hub and Spoke
Basic Design

All the same principles apply to dual homed hub and spoke networks

Summarize or filter the links to the remotes

Use /31's on point-to-points to conserve address space

[Figure: dual homed remotes receiving only a summary (0.0.0.0/0) from the two hubs]
Hub and Spoke
Basic Design: Administrative Distance

How do we limit the amount of information passed down to the remote sites?

[Figure: router D supplies the external (Internet) default route to the hubs]
Hub and Spoke
Basic Design: Administrative Distance

If two routing protocols provide a route to the same destination, how do we choose between them?
  Their metrics are not comparable

An administrative distance is added to each route learned based on the protocol installing the route; the lowest distance wins
  (Cisco IOS defaults: connected 0, static 1, EIGRP summary 5, EIGRP internal 90, OSPF 110, EIGRP external 170)

  router#show ip eigrp topology
  P 10.0.1.0/24, 1 successors, FD is 2681856
          via 10.1.1.1 (2681856/2169856)
  The EIGRP route (distance 90) wins

Static routes can be configured with a distance

  router(config)#ip route 10.0.1.0 255.255.255.0 null0
  The static route (distance 1) now wins over the EIGRP route

This can create a floating static
  The route will not be used unless the dynamic protocols have no route to that destination

  router(config)#ip route 10.0.1.0 255.255.255.0 null0 200
  With distance 200 the EIGRP route (distance 90) wins again; the static is only installed if EIGRP loses the route
Basic Hub and Spoke Design
Basic Design: The Discard Route

The route generated by the summary is called a discard route

What would happen if this route isn't created?
  Configure two routers back to back with overlapping summaries
  Generate a packet towards 10.1.2.1 from either router
  At A, the best path is through 10.1.0.0/16 to B
  At B, the best path is through 10.0.0.0/8 to A
  Routing Loop

With the discard routes in place, B's own 10.1.0.0/16 to Null0 is the longest match for 10.1.2.1, so the packet is dropped at B instead of looping

  A (10.2.1.0/24 behind it):
  ip summary-address eigrp 1 10.0.0.0 255.0.0.0

  B (10.1.1.0/24 behind it):
  ip summary-address eigrp 1 10.1.0.0 255.255.0.0

[Figure: A advertises 10.0.0.0/8 to B, B advertises 10.1.0.0/16 to A; 10.1.2.1 falls inside both summaries but is behind neither router]
Hub and Spoke
Basic Design: The Discard Route

In this case, the locally generated discard route wins
  The route learned from D will not be installed in the local table
  Hosts behind C will not be able to reach destinations on the Internet

What happens if A loses its path to D?
  C will now prefer the internal learned through A over the external learned through B
  We have a black hole

  D* 0.0.0.0/0 [90/409600] via <A>
               [90/409600] via <A>

Raising the distance of the summary's discard route (here to 200) lets the external default learned from D (distance 170) win and be installed instead

  ip summary-address eigrp 1 0.0.0.0 0.0.0.0 200

  D* 0.0.0.0/0 [170/409600] via <A>
               [170/409600] via <A>

[Figure: hubs A and B, remote C, and router D supplying the external (Internet) default route into EIGRP]
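As an added example (not from the Cisco deck): a small Python model of the route selection behind the administrative distance and discard route slides. Candidates for a prefix compete for the RIB by administrative distance, forwarding is longest-prefix match over what was installed, and a Null0 next hop drops the packet. Router names, prefixes and the distances (EIGRP summary discard route 5, EIGRP internal 90, EIGRP external 170) follow the slides; the "host" next hop marking a directly connected destination and the Internet test address are assumptions made for the example.

```python
# Added example: administrative distance selection plus longest-prefix-match
# forwarding, modelled to reproduce the overlapping-summary loop and the
# default-route black hole from the slides. Not from the original deck;
# distances are Cisco IOS defaults, "host" and the test destinations are
# constructed for the example.
import ipaddress

NULL0 = "Null0"   # discard interface: a match here drops the packet
HOST = "host"     # directly connected destination: packet delivered


def install(candidates):
    """RIB selection: of the candidates for one prefix, keep only the one with
    the lowest administrative distance. candidates: [(prefix, ad, next_hop)]."""
    rib = {}
    for prefix, ad, next_hop in candidates:
        net = ipaddress.ip_network(prefix)
        if net not in rib or ad < rib[net][0]:
            rib[net] = (ad, next_hop)
    return rib


def lookup(rib, dst):
    """Longest-prefix match over the installed routes; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    matches = [net for net in rib if addr in net]
    if not matches:
        return None
    return rib[max(matches, key=lambda net: net.prefixlen)][1]


def trace(ribs, start, dst):
    """Forward a packet router by router. Returns (outcome, path) with outcome
    'delivered', 'dropped' (discard route or no route) or 'loop'."""
    path, here = [start], start
    while True:
        next_hop = lookup(ribs[here], dst)
        if next_hop is None or next_hop == NULL0:
            return "dropped", path
        if next_hop == HOST:
            return "delivered", path
        if next_hop in path:
            return "loop", path + [next_hop]
        path.append(next_hop)
        here = next_hop


def overlapping_summaries(with_discard, dst="10.1.2.1"):
    """A advertises the summary 10.0.0.0/8 to B, B advertises 10.1.0.0/16 to A.
    A summary normally installs a local discard route (AD 5) on the router
    generating it; with_discard=False leaves it out."""
    a = [("10.2.1.0/24", 0, HOST), ("10.1.0.0/16", 90, "B")]
    b = [("10.1.1.0/24", 0, HOST), ("10.0.0.0/8", 90, "A")]
    if with_discard:
        a.append(("10.0.0.0/8", 5, NULL0))
        b.append(("10.1.0.0/16", 5, NULL0))
    return trace({"A": install(a), "B": install(b)}, "A", dst)


def hub_default_next_hop(discard_ad):
    """At hub A the 0.0.0.0/0 discard route generated by
    "ip summary-address eigrp 1 0.0.0.0 0.0.0.0 <distance>" competes with the
    external default learned from D (AD 170). Returns the installed next hop."""
    rib = install([("0.0.0.0/0", discard_ad, NULL0), ("0.0.0.0/0", 170, "D")])
    return lookup(rib, "198.51.100.1")   # any Internet address (TEST-NET-2)


if __name__ == "__main__":
    print("overlapping summaries, no discard routes:", overlapping_summaries(False))
    print("overlapping summaries, discard routes:   ", overlapping_summaries(True))
    print("real component behind B:                 ", overlapping_summaries(True, "10.1.1.9"))
    print("default discard at AD 5:  ", hub_default_next_hop(5))
    print("default discard at AD 200:", hub_default_next_hop(200))
```

Without the discard routes the packet for 10.1.2.1 bounces A, B, A; with them it is dropped at B by the longest match to Null0, while a destination that really exists behind B (10.1.1.9) is still delivered. For the default route the model shows why the trailing distance on the summary matters: at 5 the discard route beats the external default and the hub black-holes Internet traffic, at 200 the external default learned from D is installed.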
Hub and Spoke
Basic Design: Summary Black Hole

You can also use floating static routes at the two hub routers and redistribute them into the routing protocol

Distribute list 10 only allows the default route to be advertised to the remotes

Distribute list 20 prevents a default route from being leaked back into the core

  access-list 10 permit host 0.0.0.0
  access-list 20 deny host 0.0.0.0
  access-list 20 permit any
  ....
  ip route 0.0.0.0 0.0.0.0 null0 250
  ....
  router eigrp 100
   redistribute static
   distribute-list 10 out <remote 1>
   distribute-list 10 out <remote 2>
   distribute-list 10 out <remote 3>
   distribute-list 20 out <core>
Basic Hub and Spoke Design
Basic Design: Summary Black Hole

One solution is to have a link between the summarizing routers across which they share full routing information

Conditional advertisement of routing information is another possible solution
  OSPF can conditionally generate a default route
  EIGRP has conditional advertisement as a planned feature

[Figure: hubs A and B joined by a direct link, with router D supplying the external (Internet) default route into EIGRP]
Hub and Spoke
EIGRP

EIGRP can run over either a multipoint interface at the hub router or point-to-point subinterfaces

A single multipoint interface is easier to configure but it can be harder to troubleshoot

Same Interface
  Queue congestion/drops bottleneck is the primary limiting factor

Theoretical Limitations
  EIGRP has a limitation of 2000 peers per interface, currently

[Figure: hub with a single multipoint interface or several point-to-points, advertising a summary only (0.0.0.0/0) to the spokes]
Hub and Spoke
EIGRP Scaling

The blue line shows the rate at which the convergence time increases as EIGRP neighbors are added to hub routers and does not pass 500

The red line shows the convergence time if the neighbors added are all configured as EIGRP stub routers and scales to over 1000 peers

Measure initial bring up convergence until all neighbors are established and queues empty

Dual homed remotes, NPE-G1 with 1G RAM, 3000 prefixes advertised to each spoke

[Chart: time in minutes (up to 9) against number of neighbors (0 to 1500), non-stub versus EIGRP stub]
Hub and Spoke
EIGRP Scaling

The blue line with the steep slope shows the rate at which the failover convergence time increases as EIGRP neighbors are added to a single hub router

The red line shows the failover convergence time if the neighbors added are all configured as EIGRP stub routers and is extremely linear in behavior

Primary hub failed, time measured for EIGRP to complete failover convergence

Dual homed remotes, NPE-G1 with 1G RAM, 3000 prefixes advertised to each spoke

[Chart: time in minutes (up to 60) against number of neighbors (0 to 1600), non-stub versus EIGRP stub]
Hub and Spoke
EIGRP Scaling
Most EIGRP Neighbors Seen
800 deployed in live, working networks
1400 is the largest number ever tested in a lab environment
Hub and Spoke
OSPF

OSPF can treat a multipoint link as a broadcast network, but we need to be careful about designated router (DR) issues

B and D don't receive C's packets, so they think A has the highest router ID (IP address), and elect A as DR

C elects itself as DR

Flooding will fail miserably in this situation

[Figure: hub A with spokes B, C and D on one multipoint link; B and D say "A is DR", C says "C is DR"]
Hub and Spoke
OSPF

Set the OSPF DR priorities so the hub router is always elected DR

Set the spokes to 0 so they don't participate in DR election

  hub:
  interface s0/0
   ip address 10.1.1.1 255.255.255.0
   ip ospf priority 200
   ....

  spoke:
  interface s0
   ip ospf priority 0
   ....

The remote sites won't be able to reach each other without some special considerations, either
  Maps pointing each remote's address to A's circuit can solve this

[Figure: hub A with spokes B, C and D; with the priorities set, every router says "A is DR"]
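As an added example (not from the Cisco deck): which router each node on the multipoint link believes is the DR, given that a spoke hears Hellos only from the hub. The election uses the RFC 2328 ordering, highest priority first and then highest router ID, with priority 0 ineligible; running a single election pass instead of the full DR/BDR state machine is a simplification made for the example. The router IDs are constructed so that C's is the highest, which is what makes C claim the DR role in the slide.

```python
# Added example: OSPF DR election as seen from each router on a hub-and-spoke
# multipoint link. Not from the original deck; router IDs are constructed and
# the single-pass election is a simplification of RFC 2328 section 9.4.
HUB = "A"
SPOKES = ["B", "C", "D"]
ROUTER_ID = {"A": "10.1.1.5", "B": "10.1.1.2", "C": "10.1.1.9", "D": "10.1.1.3"}


def heard_by(router):
    """Routers whose Hellos this router receives on the link, itself included:
    the hub hears everyone, a spoke hears only the hub."""
    return [HUB] + SPOKES if router == HUB else [HUB, router]


def rid_key(rid):
    """Compare router IDs numerically, octet by octet, not as strings."""
    return tuple(int(octet) for octet in rid.split("."))


def elect_dr(router, priority):
    """DR as computed from this router's own view of the link; None if no
    router it can hear is eligible (priority 0 never becomes DR)."""
    eligible = [r for r in heard_by(router) if priority[r] > 0]
    if not eligible:
        return None
    return max(eligible, key=lambda r: (priority[r], rid_key(ROUTER_ID[r])))


def election_views(priority):
    """The DR chosen by every router; flooding only works if they all agree."""
    return {r: elect_dr(r, priority) for r in [HUB] + SPOKES}


def consistent(views):
    chosen = set(views.values())
    return len(chosen) == 1 and None not in chosen


DEFAULT_PRIORITY = {r: 1 for r in [HUB] + SPOKES}          # IOS default priority is 1
HUB_ONLY_PRIORITY = {HUB: 200, **{s: 0 for s in SPOKES}}   # the slide's fix


if __name__ == "__main__":
    for label, prio in (("default priorities", DEFAULT_PRIORITY),
                        ("hub 200, spokes 0", HUB_ONLY_PRIORITY)):
        views = election_views(prio)
        state = "consistent" if consistent(views) else "SPLIT"
        print(f"{label}: {views} -> {state}")
```

With every router at the default priority, A and C both conclude that C is the DR while B and D conclude that A is, and the partition in the figure appears; with the hub at 200 and the spokes at 0 every view agrees on A, whatever the router IDs happen to be.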
Hub and Spoke
OSPF

OSPF can treat a multipoint link as a non-broadcast network

Each spoke router must be manually configured as a neighbor

  hub:
  interface s0/0
   ip ospf network non-broadcast
   ....
  router ospf 100
   neighbor 10.1.1.2
   neighbor 10.1.1.3
   neighbor 10.1.1.4

  spoke:
  interface s0
   ip ospf network non-broadcast
   ....
  router ospf 100
   neighbor 10.1.1.1
Hub and Spoke
OSPF

You can also configure the serial interface at the hub router as a point-to-multipoint type

  hub:
  interface s0/0
   ip address 10.1.1.1 255.255.255.0
   ip ospf network point-to-multipoint

  spoke:
  interface s0
   ip address 10.1.1.x 255.255.255.0
   ip ospf network point-to-point

Hello and dead timers must match on both ends: Cisco IOS defaults are 30/120 seconds for point-to-multipoint and 10/40 seconds for point-to-point, so set ip ospf hello-interval and ip ospf dead-interval explicitly if the spokes stay point-to-point
Hub and Spoke
OSPF

OSPF can also use point-to-point subinterfaces, treating each one as a separate point-to-point link

  interface s0/0.1 point-to-point
   ip address 10.1.1.0 255.255.255.254
   ....
  interface s0/0.2 point-to-point
   ip address 10.1.1.2 255.255.255.254
   ....
  interface s0/0.3 point-to-point
   ip address 10.1.1.4 255.255.255.254

This uses more address space, and requires more administration on the router

Use /31 addresses for these point-to-point links
Hub and Spoke
OSPF

Network Type: Single interface at the hub treated as an OSPF broadcast network (ip ospf network broadcast)
  Advantages: Single IP subnet; fewer nodes in the SPF tree
  Disadvantages: Manual configuration of each spoke with the correct OSPF priority; remote-to-remote connectivity difficult

Network Type: Single interface at the hub treated as an OSPF nonbroadcast network (ip ospf network non-broadcast)
  Advantages: Single IP subnet; fewer nodes in the SPF tree
  Disadvantages: Manual configuration of the hub and spokes with correct unicast neighbors; remote-to-remote connectivity difficult

Network Type: Single interface at the hub treated as an OSPF point-to-multipoint network (ip ospf network point-to-multipoint)
  Advantages: Single IP subnet; no configuration per spoke
  Disadvantages: Additional host routes inserted in the OSPF database and routing table

Network Type: Individual point-to-point interface at the hub for each spoke (ip ospf network point-to-point)
  Advantages: Can take advantage of end-to-end signaling for down state
  Disadvantages: Lost IP address space; more routes in the OSPF database and routing table
Hub and Spoke
OSPF

The areas the spokes are placed in should always be totally stubby

  router ospf 100
   area 1 stub no-summary
   ....
Hub and Spoke
OSPF

If you need to leak some routing information from area 0 into the spoke areas, use type 3 LSA filtering at the area border to remove as much information as possible:

ip prefix-list 10 permit 10.1.1.0/24 ge 25
ip prefix-list 10 deny 0.0.0.0/0 le 32
....
router ospf 100
 area 1 filter-list prefix 10 in

Check the prefix-list semantics before applying it: "permit 10.1.1.0/24 ge 25" matches only prefixes of length 25 through 32 inside 10.1.1.0/24, not the /24 itself; use "le 32" instead of "ge 25" if the summary for the whole block must pass as well.

OSPF Hub and Spoke Areas, currently in development, would allow an area where the spoke routers only receive the default route.
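The filter above is worth testing offline before it goes on an ABR, because the ge/le window decides what actually leaks into the spoke area. The following is an added example, not code from the Cisco deck: it implements the matching rules of an IOS-style "ip prefix-list" entry (first match wins, implicit deny at the end) and evaluates both the deck's list and a variant with "le 32". The two configuration snippets are constructed for the example.

```python
"""Evaluate an IOS-style prefix list offline (added example, not from the deck)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed inputs: the deck's filter, and a variant that also passes the /24 itself.
DECK_FILTER = """\
ip prefix-list 10 permit 10.1.1.0/24 ge 25
ip prefix-list 10 deny 0.0.0.0/0 le 32
"""
FIXED_FILTER = """\
ip prefix-list 10 permit 10.1.1.0/24 le 32
ip prefix-list 10 deny 0.0.0.0/0 le 32
"""


@dataclass(frozen=True)
class Entry:
    action: str                       # "permit" or "deny"
    network: ipaddress.IPv4Network
    ge: int | None = None
    le: int | None = None

    def matches(self, prefix: ipaddress.IPv4Network) -> bool:
        """IOS rules: the candidate must lie inside the entry's network and its
        length must fall in the ge/le window; with neither keyword only an
        exact-length match counts, with ge alone the window extends to /32."""
        if not prefix.subnet_of(self.network):
            return False
        lo = self.ge if self.ge is not None else self.network.prefixlen
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else self.network.prefixlen
        return lo <= prefix.prefixlen <= hi


def parse_prefix_list(config: str, name: str) -> list[Entry]:
    """Collect the entries of one named list, in configuration order."""
    entries: list[Entry] = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"] or len(tok) < 5 or tok[2] != name:
            continue
        tok = tok[3:]
        if tok[0] == "seq":           # optional "seq N" before the action
            tok = tok[2:]
        action, network = tok[0], ipaddress.ip_network(tok[1])
        ge = le = None
        rest = tok[2:]
        while rest:
            if rest[0] == "ge":
                ge = int(rest[1])
            elif rest[0] == "le":
                le = int(rest[1])
            rest = rest[2:]
        entries.append(Entry(action, network, ge, le))
    return entries


def permitted(entries: list[Entry], prefix: str) -> bool:
    """First matching entry decides; anything unmatched hits the implicit deny."""
    candidate = ipaddress.ip_network(prefix, strict=False)
    for entry in entries:
        if entry.matches(candidate):
            return entry.action == "permit"
    return False


if __name__ == "__main__":
    for label, cfg in (("deck", DECK_FILTER), ("le 32", FIXED_FILTER)):
        entries = parse_prefix_list(cfg, "10")
        for p in ("10.1.1.0/24", "10.1.1.128/25", "10.1.2.0/24"):
            print(f"{label:6} {p:16} -> {'permit' if permitted(entries, p) else 'deny'}")
```

Running it shows that the deck's list lets 10.1.1.128/25 through but drops 10.1.1.0/24, which is exactly the kind of surprise you want to catch before an outage rather than after.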
Hub and Spoke
OSPF

Once you've determined how to configure the hub's interface, you need to decide how to divide the remote sites among flooding domains.

If the hub and spoke section of the network is small, and fits well within some other area structure, then the entire hub and spoke can be placed in this single flooding domain.
Hub and Spoke
OSPF

If the hub and spoke is large enough, you'll want to split it off as its own flooding domain.

Remember that each spoke router receives all the topology information from all the other spoke routers.
Hub and Spoke
OSPF

Low speed links and large numbers of spokes may require multiple flooding domains.

Balance the number of flooding domains on the hub against the number of spokes in each flooding domain. The link speeds and the amount of information being passed through the network determine the right balance.
Hub and Spoke
OSPF

Dual homed remotes make the division of flooding domains significantly more difficult.

If all the spoke routers will fit, put both the hubs and all the spokes in a single flooding domain.
Hub and Spoke
OSPF

If all the spokes will not fit into a single flooding domain, split the hub and spoke up into multiple areas or flooding domains.

You should build links between the hub routers within each flooding domain in some way to prevent routing black holes: put two links between the area borders, one in each area or flooding domain.
Hub and Spoke
OSPF Scaling

Measured: initial bring-up convergence until all neighbors are established, queues are empty, and SPF completes. Dual homed remotes, NPE-G1 with 1 GB RAM, 800 prefixes advertised to each spoke. Test performed with 12.3(14)T1.

The blue line shows the rate at which the startup convergence time increases as OSPF neighbors are added to the hub routers, and peaks at the 700 router mark.

The red line starts and ends below the green line, showing the startup convergence time if the neighbors added are all placed in a totally stubby area.

[Charts: convergence time in seconds (one panel scaled 0 to 400, one 0 to 45) against number of spokes (0 to 800), with one series for a single area and one for a totally stubby area]
Hub and Spoke
OSPF Scaling

Most OSPF neighbors seen:
  200 deployed in live, working networks
  600 is the largest number ever tested in a lab environment
Full Mesh
Full mesh topologies are complex:
2 routers == 1 link
3 routers == 3 links
4 routers == 6 links
5 routers == 10 links
6 routers == 15 links
...
Adjacencies == nodes(nodes-1)/2
Full Mesh
Scaling Tests

60 node test network, 1770 links
NPE-G1, NPE-400s
All devices on the same physical Ethernet (via a switch), full mesh created with GRE tunnels
Full Mesh
OSPF

Flooding routing information through a full mesh topology is also complicated: each router will, with optimal timing, receive at least one copy of every new piece of information from each neighbor on the full mesh.
Full Mesh
OSPF

Pick one or two routers to flood into the mesh, and block flooding on the remainder. This will reduce the number of times information is flooded over a full mesh topology:

interface serial x
 ip ospf database-filter all out
....
Full Mesh
EIGRP

Routes must be advertised between every pair of peers in the mesh so each router has the correct next hop and routing information.

Number the links so they can be summarized to a single advertisement at the edge, and so the link information can be filtered out at the edge.
Full Mesh

Consider high availability ring topologies, such as SRP, SONET rings, and others, as an alternative to full mesh high speed networks in POPs and other enclosed networks. This can provide resiliency against a single failure in the network, and dramatically simplify the topology from the perspective of routing.
Link State Border Connections

Be careful with links between border routers in OSPF and IS-IS. Traffic prefers to stay within the flooding domain no matter what the actual link costs are:

To reach A, we will take the higher cost link if the border link is in the backbone.
To reach B, we will take the higher cost link if the border link is in the area or L1 domain.

[Diagram: routers A and B, a link of cost 100 and links of cost 10, with 10.1.1.0/24 reachable at cost 10]
Link State Border Connections

In OSPF, we have to decide which traffic we want to route optimally. The ability to place a single link in two areas is under consideration within the OSPF working group (later published as RFC 5185, OSPF Multi-Area Adjacency).
Working with
Redistribution
Working with Redistribution
Alternatives to Redistribution
Single Point of Redistribution
Multiple Points of Redistribution
Alternatives to Redistribution

When connecting to an outside network, create static routes at the edge, and redistribute those, instead of redistributing live routing information. This prevents misconfigurations and rapid topology changes in the other network from impacting you:

ip route 10.2.0.0 255.255.255.0 s0/0
!
router eigrp 100
 redistribute static metric 1000 1 255 1 1500

[Diagram: BigShoes, Inc (10.1.0.0/16) connected to MediumSocks, LTD (AS65001), redistributing OSPF to EIGRP and EIGRP to OSPF at the connection]
Alternatives to Redistribution

Use redistribution when permanently merging two networks into a single administrative domain.
Use redistribution as a transition strategy when switching routing protocols.
Use redistribution to split off a section of the network for security, experimental, or administrative reasons.

[Diagram: BigShoes, Inc and MediumSocks, LTD merged into Socks&Shoes, Corp, redistributing OSPF to EIGRP and EIGRP to OSPF]
Single Point of Redistribution

Single points of redistribution are simple to manage and control. There is little or no chance of routing loops or other problems with single points of redistribution.

They are also single points of failure; consider using high availability methods to reduce the risk.

router ospf 100
 redistribute eigrp 100 metric 10
....
!
router eigrp 100
 redistribute ospf 100 metric 1000 1 255 1 1500
....

Note that on IOS, redistribution into OSPF needs the subnets keyword, or only classful networks are carried across.
Multiple Points of Redistribution

Multiple points of redistribution resolve the single point of failure. The cost is dramatically increased network complexity and the possibility of permanent routing loops.

At each redistribution point:
router ospf 100
 redistribute eigrp 100 metric 10
....
!
router eigrp 100
 redistribute ospf 100 metric 1000 1 255 1 1500
....
Multiple Points of Redistribution

A route (10.1.1.0/24) is injected into EIGRP as an external with metric 2560256; this route is redistributed through B into OSPF with metric 10.

The route is transmitted to A through OSPF, and redistributed into EIGRP. The metric is set manually in redistribution at A (25) to something lower than the original external injected into EIGRP.

B prefers this route, building a routing loop.

[Diagram: EIGRP metrics 2560256, 2688000 and 2816000 along the EIGRP side; OSPF metric 10 at B; metric 25 set at A]
Multiple Points of Redistribution
Single Redistribution Direction

If live routing data is only needed in one direction (normally, this is true), redistribute a static in one direction, and between protocols in the other direction.

[Diagram: A and B both sit between EIGRP (10.1.2.0/24) and OSPF (10.1.1.0/24)]
Multiple Points of Redistribution
Filtering Based on Prefixes

To filter based on prefixes, configure access lists which match the address ranges used by each section of the network. Use these access lists to filter routes redistributed between protocols.
Multiple Points of Redistribution

EIGRP and OSPF can set tags on their external routes. Set the tag when redistributing between the protocols; deny tagged routes at the redistribution point, so that a route which arrived from the other protocol is never redistributed back into it.
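The loop from the earlier metric example and the tag fix described above can be replayed without a lab. The following is an added example, not code from the Cisco deck: it models each protocol as a domain of advertisements and each router's RIB as "lowest administrative distance, then lowest metric" (IOS defaults 110 for OSPF and 170 for EIGRP external), which is enough to reproduce the slides. The injecting router X, the tag values 100 and 200, and the membership of each domain are assumptions.

```python
"""Two-point redistribution loop and the route-tag fix (added example, not from the deck)."""
from __future__ import annotations
from dataclasses import dataclass

AD = {"ospf": 110, "eigrp-external": 170}   # IOS default administrative distances


@dataclass(frozen=True)
class Adv:
    """One advertisement of a prefix inside a protocol domain."""
    prefix: str
    metric: int
    advertiser: str        # router that put this advertisement into the domain
    tag: int = 0


class Domain:
    """A protocol domain: every advertisement of each prefix, visible to all members."""

    def __init__(self, name: str, members: frozenset[str]) -> None:
        self.name, self.members = name, members
        self.advs: dict[str, dict[str, Adv]] = {}   # prefix -> advertiser -> Adv

    def advertise(self, adv: Adv) -> None:
        self.advs.setdefault(adv.prefix, {})[adv.advertiser] = adv

    def best_for(self, router: str, prefix: str) -> Adv | None:
        """Lowest-metric advertisement a member can use, excluding its own."""
        if router not in self.members:
            return None
        cands = [a for a in self.advs.get(prefix, {}).values() if a.advertiser != router]
        return min(cands, key=lambda a: a.metric, default=None)


@dataclass
class Redist:
    """One direction of redistribution on one router (route-map semantics)."""
    router: str
    src: Domain
    dst: Domain
    seed_metric: int
    set_tag: int = 0
    deny_tags: frozenset[int] = frozenset()


def rib_entry(router: str, prefix: str, domains: list[Domain]) -> tuple[Domain, Adv] | None:
    """The route a router installs: lowest AD first, then lowest metric."""
    best = None
    for d in domains:
        adv = d.best_for(router, prefix)
        if adv is None:
            continue
        if best is None or (AD[d.name], adv.metric) < (AD[best[0].name], best[1].metric):
            best = (d, adv)
    return best


def converge(prefix: str, domains: list[Domain], redists: list[Redist], rounds: int = 10) -> None:
    """Apply every redistribution point repeatedly until nothing changes."""
    for _ in range(rounds):
        changed = False
        for r in redists:
            entry = rib_entry(r.router, prefix, domains)
            if entry is None or entry[0] is not r.src:
                continue        # IOS redistributes only routes installed from src
            if entry[1].tag in r.deny_tags:
                continue        # came from the other domain: do not send it back
            new = Adv(prefix, r.seed_metric, r.router, r.set_tag)
            if r.dst.advs.get(prefix, {}).get(r.router) != new:
                r.dst.advertise(new)
                changed = True
        if not changed:
            return


def forwarding_path(prefix: str, start: str, domains: list[Domain], max_hops: int = 8) -> list[str]:
    """Follow RIB next hops from start; a repeated router means a loop."""
    path, cur = [start], start
    for _ in range(max_hops):
        entry = rib_entry(cur, prefix, domains)
        if entry is None:
            break               # reached the router that owns the prefix
        cur = entry[1].advertiser
        path.append(cur)
        if path.count(cur) > 1:
            break
    return path


def has_loop(path: list[str]) -> bool:
    return len(set(path)) < len(path)


def scenario(use_tags: bool) -> list[str]:
    """A and B both redistribute between EIGRP and OSPF; the external
    10.1.1.0/24 enters EIGRP at X with metric 2560256, as on the slide."""
    eigrp = Domain("eigrp-external", frozenset({"X", "A", "B"}))
    ospf = Domain("ospf", frozenset({"A", "B"}))
    prefix = "10.1.1.0/24"
    eigrp.advertise(Adv(prefix, 2560256, "X"))
    tag_b, tag_a = (100, 200) if use_tags else (0, 0)
    redists = [
        # B: EIGRP -> OSPF, seed metric 10; tags its output, refuses A's tag
        Redist("B", eigrp, ospf, 10, tag_b, frozenset({tag_a}) if use_tags else frozenset()),
        # A: OSPF -> EIGRP, manual metric 25 (lower than the original); tags, refuses B's tag
        Redist("A", ospf, eigrp, 25, tag_a, frozenset({tag_b}) if use_tags else frozenset()),
    ]
    converge(prefix, [ospf, eigrp], redists)
    return forwarding_path(prefix, "B", [ospf, eigrp])


if __name__ == "__main__":
    for tags in (False, True):
        p = scenario(tags)
        print(f"tags={tags}: path from B = {' -> '.join(p)}; loop={has_loop(p)}")
```

Without tags the path from B is B, A, B: B prefers A's metric-25 copy, A prefers the OSPF route through B. With tags, A refuses the route B tagged on its way into OSPF, and B forwards straight to X.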
Transitioning Routing Protocols
Basics
Cutover At Once
Splitting the Problem
Using Redistribution
Using Administrative Distance
Transitioning Routing Protocols
Basics

"There is a quick and easy way to transition from one protocol to another without any network downtime."
Perhaps. If you discover it, let me know.
Transitioning Routing Protocols
Basics

"It's never worth the trouble of switching routing protocols."
That depends... Would the cost benefits outweigh the transition costs?
  Differentials in overall equipment costs in the future
  Convergence speeds on specific network topologies
  Other factors
You sometimes don't have a choice, such as when merging two networks.
Transitioning Routing Protocols
Basics

What reasons have we heard in the field for switching routing protocols?
"We want faster convergence..."
  Generally convergence is a matter of design, rather than protocol.
"Our network design is hub and spoke, so it fits better for EIGRP..."
  Can't argue with this one...
Cutover at Once
Cutover at Once

If the network destabilizes, take a break.

At each router, wait until the network has converged before moving to the next router. When you configure routing on a given router, wait until the routing protocol is quiescent. For instance, for EIGRP, look at show ip eigrp neighbors, and wait until the Q Count is 0 for every neighbor.

This technique should be used whether converting manually or when using a script.

[Diagram: at each router in turn: configure routing, remove routing, wait for convergence, telnet to the next router]
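The "wait until the Q Count is 0" check is the one step a conversion script must get right, so here it is as an added example (not code from the Cisco deck): a parser for the text of show ip eigrp neighbors that reports which neighbors still have packets queued. The sample output is constructed for the example and follows the IOS 12.x column layout; an empty neighbor table is deliberately treated as "not ready" so that a bad capture cannot be mistaken for convergence.

```python
"""Is EIGRP quiescent on this router? (added example, not from the deck)"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: two neighbors, the first still has two packets queued.
SAMPLE_OUTPUT = """\
IP-EIGRP neighbors for process 100
H   Address                 Interface       Hold Uptime   SRTT   RTO  Q  Seq
                                            (sec)         (ms)       Cnt Num
1   10.1.2.2                Se0/1             11 00:04:50    8   200  2  22
0   10.1.1.2                Se0/0             13 00:05:12   20   200  0  15
"""

# One neighbor row: H, address, interface, hold, uptime, SRTT, RTO, Q count, seq
ROW_RE = re.compile(
    r"^\s*(?P<h>\d+)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+(?P<intf>\S+)\s+"
    r"(?P<hold>\d+)\s+(?P<uptime>\S+)\s+(?P<srtt>\d+)\s+(?P<rto>\d+)\s+"
    r"(?P<qcnt>\d+)\s+(?P<seq>\d+)\s*$"
)


@dataclass(frozen=True)
class Neighbor:
    address: str
    interface: str
    hold: int
    q_count: int


def parse_neighbors(text: str) -> list[Neighbor]:
    """Parse the neighbor rows; header and blank lines do not match ROW_RE."""
    neighbors: list[Neighbor] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            neighbors.append(Neighbor(m["addr"], m["intf"], int(m["hold"]), int(m["qcnt"])))
    return neighbors


def pending_neighbors(text: str) -> list[str]:
    """Addresses of neighbors that still have packets queued (Q Cnt > 0)."""
    return [n.address for n in parse_neighbors(text) if n.q_count > 0]


def is_quiescent(text: str) -> bool:
    """True only if at least one neighbor was parsed and every Q Cnt is 0."""
    neighbors = parse_neighbors(text)
    return bool(neighbors) and all(n.q_count == 0 for n in neighbors)


if __name__ == "__main__":
    print("neighbors:", [(n.address, n.q_count) for n in parse_neighbors(SAMPLE_OUTPUT)])
    print("pending:  ", pending_neighbors(SAMPLE_OUTPUT))
    print("quiescent:", is_quiescent(SAMPLE_OUTPUT))
```

In a conversion script, feed it the captured command output in a loop and only move to the next hop once is_quiescent returns True; log pending_neighbors while you wait so a stuck neighbor is visible immediately.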
Cutover at Once
Make the Process Atomic

Create each new routing
host#telnet <a>

After the new routing protocol is configured, the router can be reached through the new routing protocol or direct connections.
Splitting the Problem
Splitting the Problem
Hierarchical Division Points

In a two layer hierarchy (core and aggregation), the only real choice is to split the network along the core/aggregation divide. Each "lobe" within the aggregation layer can be converted separately, and the network core can be converted separately.
Splitting the Problem
Hierarchical Division Points

In a three layer hierarchy, the split points are going to depend on the size of each "lobe" and "layer" in the network.
Splitting the Problem
Hierarchical Division Points

Which part should you convert first? Core out, or edge in?
  Start at the edge and work in?
  Start at the core and work out?
This question applies both to converting individual pieces of the network and to the order in which to convert network pieces.
Splitting the Problem
Hierarchical Division Points

Typically, it's easier to work from the edge in. This tends to work with aggregation and network design, rather than against it, and provides a set of "lower risk" areas to work in and perfect techniques.

But in some cases, core out might be easier. I've just never seen a network where it is.
Splitting the Problem
Aggregation Points

Another good place to divide the network is at aggregation points. This will often be along hierarchical boundaries, anyway.

If you choose different aggregates in the new protocol, both protocols can run at the same time along the edges. This allows you to convert one section of the network at a time.
Using Redistribution

Once you've split the network up into pieces to convert, how do you actually convert each piece, and still have a working network? One "easy" answer is redistribution.

A:
router ospf 100
 network 0.0.0.0 0.0.0.0 area 0

B (redistribute here?):
router ospf 100
 network 0.0.0.0 0.0.0.0 area 0
 area 0 range 10.1.0.0 255.255.0.0
....
router eigrp 100
 network 0.0.0.0

C:
router eigrp 100
 network 0.0.0.0
Using Redistribution

In a simple network design, it's easy to move redistribution.

[Diagram: the redistribution point moves step by step as the new protocol replaces the old protocol]
Using Redistribution

The more complex a network's topology is, the more places redistribution is required to convert from one protocol to another. More points of redistribution means:
  More complexity in moving the protocol conversion over at each step
  More chances for human error in configurations
  More complex problems if the network fails during conversion
  etc.
Using Administrative Distance
Distance Vector to Link State

When converting from a distance vector to a link state protocol:
  Create the new protocol on all the routers
  Set the administrative distance so

router ospf 100
 network 0.0.0.0 0.0.0.0 area 0
 distance 200

[Diagram: A and B, with 10.1.1.0/24 beyond B]
Using Administrative Distance
Distance Vector to Link State

Add OSPF to all routers:

router ospf 100
 network 0.0.0.0 0.0.0.0 area 0
 distance 200

At B, remove RIP:

no router rip

Does this work? A has a route to 10.1.1.0/24 through OSPF. Note that the switch is not instantaneous: A keeps its RIP route until the RIP timers invalidate and flush it, and only then installs the OSPF route with distance 200.
Using Administrative Distance
Distance Vector to Link State

Things can get harder around aggregation points and area borders.

[Diagram: RIP network; best path to 10.1.2.1 is through B]
Using Administrative Distance
Distance Vector to Distance Vector

Add EIGRP to all routers. At B, remove RIP:

no router rip

Note B is the first router that doesn't have a route to 10.1.1.0/24.

[Diagram: A and B, with 10.1.1.0/24 beyond B]
Using Administrative Distance
Combined with a Cutover

You can use the administrative distance to your advantage when using a "cutover at once" technique. Rather than removing the old routing protocol at each step, then installing the new one:

Configure the new routing protocol at each router, making certain the new protocol doesn't take routing over.

To convert the network, walk through each router, changing one of the two protocols' administrative distance to make the new protocol win, and the old protocol lose.

[Diagram: at each router in turn: configure routing, remove routing, wait for convergence, telnet to the next router]
Using Administrative Distance
Combined with a Cutover

If you use this technique:
  Watch for unpredictable routing as you're converting, especially if you're converting from a distance vector protocol to a link state protocol.
  Be careful not to rely on routing to modify routing: never count on a routed path to reach a router that you're working on. Always telnet (or SSH) hop by hop when converting.
Using Administrative Distance
Warning

For protocols that rely on the administrative distance to sort routes...
  EIGRP
  BGP

These protocols use distance to order their own routes (EIGRP: 90 internal, 170 external; BGP: 20 eBGP, 200 iBGP), so a blanket distance change can invert that ordering as well as the preference between protocols.
BGP

BGP Basics
Route Reflectors
BGP Cores
Outside Connections
BGP/IGP Interaction

BGP Basics
BGP Basics
Peering

External (eBGP) connections are to BGP peers in other autonomous systems. Internal (iBGP) peers are to BGP peers in the same autonomous system.

A (iBGP session to B):
router bgp 65000
 neighbor 10.1.1.1 remote-as 65000

B (iBGP session to A, eBGP session to C):
router bgp 65000
 neighbor 10.1.1.2 remote-as 65000
 neighbor 10.2.2.1 remote-as 65001
BGP Basics
Peering

When B learns a route from C through eBGP, it sets the next hop towards the destination to C. When it advertises this route to A through iBGP, it does not reset the next hop: the next hop remains C.

A needs to learn how to reach C through some other method than BGP (typically by carrying the B to C link in the IGP, or by having B set next-hop-self towards A).
BGP Basics
Peering

Routes learned from eBGP peers are readvertised to iBGP peers. Routes learned from iBGP peers are not readvertised to other iBGP peers.

iBGP peers therefore have to be fully meshed, or some other technique needs to be used to distribute iBGP routes through an autonomous system.

[Diagram: C learns eBGP routes and readvertises them to iBGP peer B; B does not readvertise those iBGP routes to iBGP peer A]
Route Reflectors
Basics
We know that iBGP doesn‘t
guarantee loop free routing A AS65000
through an AS
eBGP
10.1.1.0/24
B receives 10.1.1.0/24 with an AS
Path of {65000,65001}
C receives 10.1.1.0/24 with an AS B
Path of {65001,65000}
10.1.1.0/24
D receives 10.1.1.0/24 with an AS
Path of {65001,65000} 10.1.1.0/24
B receives the same route with the C
same attributes, setting up a loop! D
10.1.1.0/24
AS65001
TECRST-2021
13881_06_2007_c1 © 2007 Cisco Systems, Inc. All rights reserved. Cisco Confidential 232
Route Reflectors
Basics

What we need is an AS Path to prevent loops within the AS!

RFC2796, BGP Route Reflection (since superseded by RFC 4456), defines two BGP attributes to provide loop detection within an AS:
  Originator ID: set to the router ID of the router injecting the route into the AS
  Cluster List: each route reflector the route passes through adds its cluster ID to this list
Route Reflectors
Basics

B receives 10.1.1.0/24 with an AS Path of {65000,65001}.

C receives 10.1.1.0/24 with an AS Path of {65001,65000}, but adds the Router ID of B (the iBGP speaker that injected the route into AS65001) as the Originator ID. C also starts a Cluster List, and adds its own local ID into the list.

C:
neighbor <B> route-reflector-client
neighbor <D> route-reflector-client
Route Reflectors
Basics

D receives 10.1.1.0/24 with an AS Path of {65001,65000} and an Originator ID of B.
Route Reflectors
Basics

[Diagram: A (AS65000) advertises 10.1.1.0/24 over eBGP to B in AS65001; C, with clients B and D, reflects it, and D reflects it again]

Route as reflected by C: 10.1.1.0/24, AS Path {65001, 65000}, Originator ID B, Cluster List {C}
Route as reflected again by D: 10.1.1.0/24, AS Path {65001, 65000}, Originator ID B, Cluster List {C,D}

When this second copy arrives back at B, B drops it, because the Originator ID is B's own router ID.

C:
neighbor <B> route-reflector-client
neighbor <D> route-reflector-client
Route Reflectors
Basics

A route reflector is an iBGP speaker that reflects routes learned from iBGP peers to other iBGP peers. Route reflectors add the Originator ID and the Cluster List to routes they reflect.

Route reflectors are designated by configuring some of their iBGP peers as route reflector clients.
Route Reflectors
Basics

If a route reflector receives a route from an eBGP peer:
  Send the route to all clients
  Send the route to all non-clients

If a route reflector receives a route from a client:
  Reflect the route to all clients
  Reflect the route to all non-clients
  Send the route to all eBGP peers

If a route reflector receives a route from a non-client:
  Reflect the route to all clients
  Send the route to all eBGP peers
Route Reflectors
Basics

1. A advertises 10.1.1.0/24 to B (eBGP)
2. B sends 10.1.1.0/24 to D (B is a client of D)
3. D sends 10.1.1.0/24 to E (C is a client of E)
4. E reflects 10.1.1.0/24 to C
D chooses the path through B (via C): we have a permanent routing loop!
Route Reflectors
Basics

Always configure the reflector topology to follow the physical topology. No route reflector client should ever peer through a route reflector the client isn't peered to.

C (a client) should not be peered to E (a reflector) through D (a reflector) without being peered to D as well as E. In this case, making C a client of D would resolve the loop.
Route Reflectors
Hierarchical Route Reflectors

All of the route reflectors will need to be fully meshed: reflectors still follow the normal rules of iBGP route propagation between themselves.

[Diagram: full iBGP mesh between reflectors, one cluster under each]

To resolve this, route reflectors can be deployed in a hierarchy. A single router can be a reflector client and a reflector.

[Diagram: a router that is both client and reflector, with clusters nested under clusters]
Route Reflectors
Hierarchical Route Reflectors

An unlimited number of tiers can be used. The edges of route reflector tiers are a natural place to reduce the amount of routing information being carried in the lower tiers.

The same topology rule applies: the reflector topology must follow the physical topology to prevent loops and black holes. Suboptimal routing can actually be worse, and harder to figure out.
Route Reflectors
Deployment

Use the divide and conquer approach to convert from a full iBGP mesh to route reflectors:
  Divide the network into multiple clusters, using the physical topology as a guide to the logical divisions
  Pick out one router to act as the reflector in each cluster, making certain reflection follows the physical topology
  Remove redundant iBGP sessions as you configure reflectors in each cluster
Route Reflectors
Deployment

If you're going to use hierarchical route reflectors, do the outer edge first, leaving the core full mesh iBGP until the outer edge is done.

Continue using a single IGP: the next hop is unmodified by reflectors unless set via an explicit route-map.
Route Reflectors
Deployment

A client may peer with more than one reflector, in different clusters. A client that peers to only one reflector has a single point of failure; clients should peer to at least two reflectors to provide redundancy.
Route Reflectors
Deployment

How many route reflectors should a single client be peered to? Two considerations are important:
  Network configuration and management
  Router memory and processing requirements

If A is the client of only one reflector (B), it only receives one copy of the route to 10.1.1.0/24.
Route Reflectors
Deployment

Each new route reflector A becomes a client of adds more configuration and management.

Each new route reflector A becomes a client of (B, C, and D) also adds another path to 10.1.1.0/24. This increases the amount of memory A requires to operate, and also increases A's processing requirements.
Route Reflectors
Deployment

Each new client B, C, and D are peered to also increases their processing requirements.

At some point, the additional reflectors will stop adding to the resilience of the network, and make management and memory requirements similar to a full iBGP mesh.
Route Reflectors
Deployment

Some redundancy is needed. Too much burns memory on RRCs, because the client learns the same information from each RR. It also burns memory on the RRs, because they learn multiple paths for each route introduced by a RRC.

Two or three reflectors per cluster should be plenty.
Route Reflectors
Deployment

Assume A and B have the same route reflector clients configured (C and D); these two reflectors are redundant. Should they be configured with the same cluster ID or different cluster IDs?

On both A and B:
neighbor <c> route-reflector-client
neighbor <d> route-reflector-client

[Diagram: reflectors A and B above clients C and D; E, below D, sources 10.1.1.0/24]
Route Reflectors
Deployment

Assume A and B are using the same cluster ID, 10.10.10.10.

E advertises 192.168.1.0/24 to D. D sends this route to its reflector, B. B adds a Cluster List and the Originator ID, and reflects the route to A and C.

When A receives this route, it notes its local cluster ID is already in the Cluster List (since A and B have the same cluster ID), and rejects the route.
Route Reflectors
Deployment

If the A to D link fails, A won't have any path to 192.168.1.0/24, since it is rejecting the route from B.

If the B to C link fails, C won't have any path to 192.168.1.0/24, since A is rejecting the route from B, and won't reflect it to C.

This configuration only protects against some link failures, not all of them.
Route Reflectors
Deployment
(Diagram: same topology; the iBGP sessions now run between loopbacks)
One way to resolve this problem is to configure the iBGP sessions between the routers' loopbacks, rather than their physical interfaces
If the A to B link fails, the A to B iBGP session stays up (through C), so A maintains connectivity to 192.168.1.0/24
If the B to C link fails, the B to C iBGP session stays up (through A), so C maintains connectivity to 192.168.1.0/24
Route Reflectors
Deployment
(Diagram: same topology, with A and B configured with different cluster IDs; E advertising 192.168.1.0/24)
Another option is to configure A and B with different cluster IDs
Now, when A receives B's reflected route, it will keep the route, since the cluster ID in the Cluster List doesn't match its own cluster ID
Route Reflectors
Deployment
(Diagram: same topology with different cluster IDs; E advertising 192.168.1.0/24)
If the A to D link fails, A will still have the path through B to reach 192.168.1.0/24
If the B to C link fails, C will still have the path through A to reach 192.168.1.0/24
This provides full redundancy
Route Reflectors
Deployment
(Diagram: same topology with different cluster IDs; E advertising 192.168.1.0/24)
A now also has two routes to 192.168.1.0/24, one through D, and one through B
Each additional path A must hold and process adds additional memory and processor overhead
This solution is less scalable than A and B being configured with the same cluster ID
Route Reflectors
Deployment
(Diagram: the deployment trade-off among reflector redundancy, administrative factors, attribute combinations and memory consumption)
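The cluster ID trade-off described on the slides above, traced in code. This is an added Python model, not Cisco's code or anything from the deck: router names stand in for router IDs, the prefix and cluster IDs are the slides' sample values, and iBGP sessions are assumed to follow the physical links, so the A to D link failure is modelled as the A to D session going down.

```python
"""Added model (not from the slides) of the route-reflector cluster ID
trade-off: reflectors A and B serve clients C and D; E behind D originates
192.168.1.0/24. Names double as router IDs for brevity."""
from __future__ import annotations

from dataclasses import dataclass, field, replace

PREFIX = "192.168.1.0/24"  # constructed sample prefix, taken from the slides


@dataclass(frozen=True)
class Route:
    prefix: str
    learned_from: str                    # iBGP peer that sent us this copy
    originator_id: str | None = None     # ORIGINATOR_ID, set by the first reflector
    cluster_list: tuple[str, ...] = ()   # CLUSTER_LIST, one entry per reflection


@dataclass
class Reflector:
    name: str
    cluster_id: str
    adj_rib_in: list[Route] = field(default_factory=list)

    def accept(self, route: Route) -> bool:
        """Loop checks a reflector applies on receipt (RFC 4456 section 8)."""
        if route.originator_id == self.name:
            return False  # our own client's route came back around
        if self.cluster_id in route.cluster_list:
            return False  # this cluster already reflected it: reject
        return True

    def receive(self, route: Route) -> bool:
        ok = self.accept(route)
        if ok:
            self.adj_rib_in.append(route)
        return ok

    def reflect(self, route: Route, from_client: str) -> Route:
        """Copy a client-learned route towards another peer, stamping RR attributes."""
        return replace(
            route,
            learned_from=self.name,
            originator_id=route.originator_id or from_client,
            cluster_list=(self.cluster_id,) + route.cluster_list,
        )


def simulate(same_cluster_id: bool, a_d_session_up: bool) -> dict[str, list[str]]:
    """Return, per reflector, the peers it holds a usable copy of PREFIX from.

    Sessions are assumed to follow physical links (as on the slides), so an
    A-D link failure is modelled as the A-D iBGP session being down."""
    a = Reflector("A", "10.10.10.10")
    b = Reflector("B", "10.10.10.10" if same_cluster_id else "10.10.10.11")
    # Client D originates the route inside the cluster (learned from E) and
    # sends it to every reflector it has a session with.
    from_d = Route(PREFIX, learned_from="D")
    b.receive(from_d)
    if a_d_session_up:
        a.receive(from_d)
    # Each reflector reflects the client route to the other reflector.
    a.receive(b.reflect(from_d, from_client="D"))
    if a_d_session_up:
        b.receive(a.reflect(from_d, from_client="D"))
    return {r.name: [p.learned_from for p in r.adj_rib_in] for r in (a, b)}


def black_holed(same_cluster_id: bool, a_d_session_up: bool) -> bool:
    """True when A ends up with no path at all to PREFIX."""
    return not simulate(same_cluster_id, a_d_session_up)["A"]


if __name__ == "__main__":
    for same in (True, False):
        for up in (True, False):
            print(f"same cluster ID={same!s:5} A-D session up={up!s:5} ->",
                  simulate(same, up))
```

The length of each reflector's list is the memory cost the last slide refers to: with different cluster IDs every reflector holds one extra copy of every client route.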
BGP Cores
Why Use a BGP Core?
When the network becomes "too large" for an interior gateway protocol to manage
When the core of the network becomes an "internal service provider," connecting several large, independent networks with separate support staffs, policies, and (possibly) interior gateway protocols
BGP Cores
Why Use a BGP Core?
How do you know your network is too big for a single
interior gateway protocol domain or instance to handle?
When the network fails on a regular basis
When the network never converges (constant churn)
BGP Cores
Why Use a BGP Core?
But…
If you have deployed the scaling techniques we've talked about, you shouldn't hit these limits until the network is truly gigantic!
BGP cores deployed for scaling are generally a sign the network design needs to be rethought
In some cases, however, the network design is just what it is, and we have to do what we can to make it work
BGP Cores
Why Use a BGP Core?
(Diagram: an OSPF core connecting Finance (EIGRP) and HQ (RIP); redistribution happens at the core edge)
Some networks are not networks, but rather internetworks
An internetwork is made up of multiple smaller networks, each one under separate administrative control
An interior gateway protocol may work as a "core protocol," as long as the network isn't too large, and the administrators all work together well
BGP Cores
Why Use a BGP Core?
(Diagram: the OSPF core replaced by a BGP core connecting Finance (EIGRP) and HQ (RIP); redistribution happens at the core edge)
It's better to use a policy based protocol in the core, however:
Each administration team can better control routing information flow
A major failure in one part of the network is less likely to impact the core or other sections of the network
Less finger pointing means a smoother running, more stable network
BGP Cores
Deployment
(Diagram: a BGP core with complex topological areas attached to it)
Determine where the boundaries of the core should be
Consider administrative division points
Divide up complex areas of the network as much as possible
Consider physical and topological choke points
Consider places where you could summarize, if at all possible
BGP Cores
Deployment
(Diagram: BGP core injecting 0.0.0.0/0 and the summaries 10.1.0.0/16 and 10.2.0.0/16 into an IGP area)
Don't ever redistribute all the routing data from BGP into the IGP at the edge; routes should be injected in a very controlled manner
If possible, inject just the default into the IGP
To provide optimal routing, you can inject summaries into the IGP as well, but this should be limited to one or two routes
BGP Cores
Deployment
There are several possible ways to manage getting routes into the IGP from the BGP core:
Generate or permit a default and other routes towards the IGP area edge
Pass the entire BGP table to the IGP area edge
BGP Cores
Deployment
(Diagram: BGP core, core edge router A, IGP area edge router B)
If the core doesn't have a default, you can generate a default on the edge router:
router bgp <AS number>
 ! per-neighbor form of default origination
 neighbor 10.1.1.1 default-originate
If the core has a default you can pass on through the edge, but you want to make certain there is always a default route supplied to the IGP areas:
ip route 0.0.0.0 0.0.0.0 null0 200
!
access-list 10 permit host 0.0.0.0
!
route-map 0-only permit 10
 match ip address 10
!
router bgp <AS number>
 ! allow the redistributed default to be advertised
 default-information originate
 redistribute static route-map 0-only
 neighbor 10.1.1.1 distribute-list 10 out
If the core has a default and you want it to be dynamically provided to the IGP areas:
access-list 10 permit host 0.0.0.0
!
router bgp <AS number>
 default-information originate
 redistribute eigrp 100 metric 10
 neighbor 10.1.1.1 distribute-list 10 out
BGP Cores
Deployment
(Diagram: BGP core sending full BGP routing information to IGP area edge router A)
If the IGP area edge router is receiving full routing information, filtering redistribution into the IGP is required
BGP Cores
Deployment
(Diagram: core edge router A sends no routing information to IGP area edge router B, which runs OSPF)
If the core edge router isn't providing any routing information to the IGP area edge, a locally generated default can be created on B:
router ospf 100
 default-information originate always
BGP Cores
Deployment
(Diagram: IGP areas summarize and filter towards the BGP core)
Filter or summarize from the IGP areas into the core; be careful of routing black holes
Be very careful with complex filtering techniques at the edge; consider maintenance requirements carefully
BGP Cores
Deployment
(Diagram: IGP area edge router A redistributing into the BGP core)
Filter the default route and any routes learned from BGP when redistributing into BGP at the IGP area edge
Filtering routing information using a list of specific prefixes:
access-list 10 deny host 0.0.0.0
access-list 10 deny host 10.1.0.0
access-list 10 permit any
!
route-map nolocalout permit 10
 match ip address 10
!
router bgp <AS number>
 redistribute ospf 100 route-map nolocalout
BGP Cores
Deployment
What autonomous system numbers should you use when deploying a BGP core?
It depends on whether or not the BGP core is going to be tied into the network's connectivity to the outside networks, including the Internet
BGP Cores
Deployment
(Diagram: BGP core behind a DMZ that connects to the Internet and a partner; routes are generated at the edge, rather than passed through from the core)
If the BGP running in the core is not going to touch, in any way, connections to outside networks, use private AS numbers throughout, even for the network core
BGP Cores
Deployment
(Diagram: routing information passes through the BGP core to the Internet and a partner)
If routes are passed through the BGP core, a public AS number can be used for the core
The IGP areas can be assigned private AS numbers
Advertisements from the IGP areas can be filtered at the edge towards the outside networks
The routing information can be aggregated at the edge
BGP Cores
Deployment
(Diagram: BGP core providing an MPLS VPN between IGP areas and an MPLS VPN to a partner, alongside Internet connectivity)
If each IGP area is considered a network under separate administrative control, the BGP core can become a "mini service provider," offering various services to the "client networks," even though they are all within the same large organization
BGP Cores
Deployment
(Diagram: routes from the partner are marked for a QoS service level at the core edge; packets are marked based on the BGP-transported QoS information)
The BGP core could also provide quality of service forwarding, using QPPB to transport quality of service information to the edges of the core
Communities carried in BGP, along with access lists and AS path lists, can be used to classify packets on the edges of the BGP core
This classification is then used to modify the way packets are forwarded through the network
BGP Cores
(Diagram: BGP core with two Internet connections; OER steers traffic along the best exit point)
The BGP core could be used as a basis for providing high quality connectivity to the Internet (and partners)
Optimized Exit Routing (OER) can determine the best exit point
BGP Cores
Deployment
MPLS VPNs through a BGP Core
http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00800a6c11.shtml
RST-1601, Introduction to MPLS VPNs
RST-2602, Deploying MPLS VPNs
RST-3605, Troubleshooting MPLS VPNs
Quality of Service BGP Propagation
http://www.cisco.com/en/US/partner/products/hw/routers/ps133/products_configuration_guide_chapter09186a008007df4f.html#1015477
Optimized Exit Routing
RST-4311, Advances in Routing Protocols
BGP Cores
Deployment
(Diagram: A in AS65000 has two paths to 10.0.0.0/8 in AS65001; all traffic is sent through C)
A has two paths to 10.0.0.0/8 with the same metric down to the router ID
router-a#sh ip bgp 10.0.0.0
  65001
    192.168.1.1 from 192.168.1.1 (192.168.1.1)
      Origin IGP, metric 0, localpref 100, valid, internal
  65001
    192.168.2.2 from 192.168.2.2 (192.168.2.2)
      Origin IGP, metric 0, localpref 100, valid, internal, best
BGP Cores
Deployment
Flag multiple iBGP paths as 'multipath'
Each path must have a unique NEXT_HOP
BGP Cores
Deployment
(Diagram: A and B in AS65000 reach 10.0.0.0/8 in AS65002 through AS65001 and through AS65003; cannot load share)
If two paths are learned from different autonomous systems, it's impossible to load share between them
router-a#sh ip bgp 10.0.0.0
  65001 65002
    192.168.1.1 from 192.168.1.1 (192.168.1.1)
      Origin IGP, metric 0, localpref 100, valid, internal
  65003 65002
    192.168.2.2 from 192.168.2.2 (192.168.2.2)
      Origin IGP, metric 0, localpref 100, valid, internal, best
BGP Cores
Deployment
(Diagram: AS65000 (A, B) connected to C in AS65001 over two links, 10.1.1.1 and 10.1.2.1; the eBGP next hop is 192.168.2.1)
Even when two paths are learned from the same AS through eBGP, BGP won't load share between them by default
But we could get load sharing by building a single multihop session between B and C
router-s#sh ip route 10.0.0.0
Routing entry for 10.0.0.0/8
  192.168.2.1, from 192.168.2.1, 00:00:09 ago
    Route metric is 0, traffic share count is 1
    AS Hops 1
router-a#show ip route 192.168.2.1
Routing entry for 192.168.2.1/32
  * 10.1.1.1 from 0.0.0.0, 00:00:00 ago
    Route metric is 0, traffic share count is 1
  10.1.2.1 from 0.0.0.0, 00:00:00 ago
    Route metric is 0, traffic share count is 1
There's only one path to 10.0.0.0/8, but there are multiple paths to the next hop; A load shares between the two possible paths to the next hop
Outside Connections
Advertising Routes Outside
(Diagram: BGP core behind a DMZ that connects to the Internet and a partner; routes are generated at the edge, rather than passed through from the core)
If the BGP running in the core is not going to touch, in any way, connections to outside networks, use private AS numbers throughout, even for the network core
Outside Connections
Advertising Routes Outside
(Diagram: routing information passes through the BGP core to the Internet and a partner)
If routes are passed through the BGP core, a public AS number can be used for the core
The IGP areas can be assigned private AS numbers
Advertisements from the IGP areas can be filtered at the edge towards the outside networks
The routing information can be aggregated at the edge
Outside Connections
Advertising Routes Outside
(Diagram: BGP core edge peering with the Internet and with partner 1)
! permit anything in 10.1.4.0/20 to partner 1
ip prefix-list pl-ptner1 permit 10.1.40.0/20 ge 21
!
! permit anything from private as 65005 to partner 1
ip as-path access-list 100 permit ^.*_65005$
!
! route map putting partner 1's filters together
route-map rm-ptner1 permit 10
 match ip address prefix-list pl-ptner1
route-map rm-ptner1 permit 20
 match as-path 100
route-map rm-ptner1 deny 30
!
! other filters as needed for other partners
!
router bgp <public as number>
 ! aggregate public address space to the internet
 aggregate-address 192.168.40.0 255.255.248.0 summary-only
 neighbor <internet> remote-as <isp as>
 ! build peering with partner 1 and put filters on
 neighbor <partner1> remote-as <partner as>
 neighbor <partner1> route-map rm-ptner1 out
Outside Connections
Advertising Routes Outside
(Diagram: IGP areas apply communities marking routes to be filtered; the core edge filters towards the Internet and the partner)
You can also use communities to express filtering from the IGP areas into outside networks
Outside Connections
Advertising Routes Outside
(Diagram: BGP core (AS 65000) peering with partner 1, partner 2 and the Internet; IGP areas AS65004 and AS65005 feed the core)
BGP core:
! community lists 10 and 20 are not shown on the original slide; they are
! assumed here to match the communities the IGP areas set below
ip community-list 10 permit 1000
ip community-list 20 permit 2000
!
route-map to-ptner1 permit 10
 match community 10
 set community no-export
route-map to-ptner1 deny 20
!
route-map to-ptner2 permit 10
 match community 20
 set community no-export
route-map to-ptner2 deny 20
!
router bgp 65000
 neighbor <partner 1> route-map to-ptner1 out
 neighbor <partner 2> route-map to-ptner2 out
IGP area AS65004:
! routes to advertise to partner 1
access-list 10 permit 10.2.8.0 0.0.0.255
! routes to advertise to partner 2
access-list 20 permit 10.2.9.0 0.0.0.255
!
route-map tocore permit 10
 match ip address 10
 set community 1000
route-map tocore permit 20
 match ip address 20
 set community 2000
!
router bgp 65004
 neighbor <bgp core> route-map tocore out
IGP area AS65005:
! routes to advertise to partner 1
access-list 10 permit 10.1.1.0 0.0.0.255
!
route-map tocore permit 10
 match ip address 10
 set community 1000
!
router bgp 65005
 neighbor <bgp core> route-map tocore out
Outside Connections
Advertising Routes Outside
Make use of the NO_EXPORT community to prevent routes from leaking out of the BGP core
Make use of the NO_EXPORT community to prevent routes from leaking out from partner networks to their peers
In the future, more interesting filtering capabilities will be built on BGP communities
NOPEER community for BGP route scope control
http://www.ietf.org/rfc/rfc3765.txt
Controlling the redistribution of BGP routes
http://www.ietf.org/proceedings/03mar/I-D/draft-ietf-ptomaine-bgp-redistribution-02.txt
Outside Connections
Internet Connection Considerations
(Diagram: enterprise (192.168.1.0/24) attached to an ISP through routers A, B and C; a default route 0.0.0.0/0 points to the ISP, and the ISP originates 192.168.1.0/24)
Should you run BGP at all to connect to the Internet?
If you are connecting in a single place, no
Distribute a default into your network, and allow the ISP to originate the routes to your networks at their edge
If you are dual homed to the same ISP in the same physical location, there's no reason to run BGP
Outside Connections
Internet Connection Considerations
(Diagram: enterprise dual homed to ISP A (AS65000) in London and Raleigh; the optimal path to London versus the closest exit path to London)
If you are dual homed to the same SP in two different locations, you may want to accept at least partial routes at both locations, and use the MED to route optimally
If you always want to take the closest exit point out of your
Outside Connections
Internet Connection Considerations
(Diagram: enterprise router A advertising 192.168.1.0/24 to ISP A (AS65000) and ISP B (AS65001))
If you are dual homed to two ISPs, you should run BGP to advertise routing information to both of them
This doesn't mean you should accept the full routing table from both service providers, however
Outside Connections
Internet Connection Considerations
Why would you accept partial routes?
So you can optimally route to destinations connected to one of the ISPs you're peering to, while allowing traffic to more distant destinations to flow along default routes
Typically, you will accept all of the routes originated by each ISP, and possibly the routes of each of their directly connected customers
Outside Connections
Internet Connection Considerations
(Diagram: enterprise AS65002 accepting all advertised routes from ISP A (AS65000) and ISP B (AS65001))
You can also ask the ISP to filter the routes they are sending at the edge of their network, which reduces the load on your edge router
Outside Connections
Internet Connection Considerations
You could ask the ISP to configure Outbound Route Filtering, which allows you to configure the filters, but the ISP router actually filters the routes
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087c26.html
http://www.ietf.org/internet-drafts/draft-ietf-idr-route-filter-10.txt
This only works for prefix based filters, not for AS Path filters right now
http://www.ietf.org/internet-drafts/draft-ietf-idr-aspath-orf-06.txt
AS Path ORF support is planned in Cisco IOS
Outside Connections
Internet Connection Considerations
(Diagram: ISP A (AS65000) advertises 172.18.1.0/24 to enterprise AS65002, which readvertises it to ISP B (AS65001); ISP B's best path for 172.18.1.0/24 runs through the enterprise)
ISP advertises some route to AS65002, which then readvertises the route to ISP B
ISP B chooses the path through AS65002 as the best path, directing all traffic for that destination through the customer's network
The customer network has become a transit
Outside Connections
Internet Connection Considerations
How can you prevent this from happening?
One common way is to count on lack of synchronization to prevent routes from being readvertised
Don't count on synchronization; at some point it will be off by default!
Outside Connections
Internet Connection Considerations
(Diagram: enterprise AS65002 dual homed to ISP A (AS65000) and ISP B (AS65001))
ip as-path access-list 100 permit ^$
!
router bgp 65002
 neighbor <ISP A> remote-as 65000
 neighbor <ISP A> filter-list 100 out
 neighbor <ISP B> remote-as 65001
 neighbor <ISP B> filter-list 100 out
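The two outbound AS-path filters in this section, ^.*_65005$ towards partner 1 (the "Advertising Routes Outside" configuration) and ^$ towards the ISPs (the slide just above), evaluated by an added Python helper that is not part of the deck or of IOS. The routing tables it runs against are constructed samples; the "_" boundary semantics are the ones IOS documents for AS-path regular expressions.

```python
"""Added example (not from the slides): evaluating Cisco-style AS-path
access lists in Python, for the two outbound filters shown in this section:
'^.*_65005$' (send partner 1 only routes originated in private AS 65005)
and '^$' (send the ISPs only locally originated routes, so the enterprise
never becomes transit). Routing tables below are constructed samples."""
from __future__ import annotations

import re

# IOS extends the regex syntax with '_', which matches any AS-path boundary:
# start or end of the path, a space, or the comma/brace/parenthesis that
# delimit confederation and AS-set segments.
_BOUNDARY = r"(?:^|$|[ ,{}()])"


def ios_aspath_regex(pattern: str) -> re.Pattern[str]:
    """Translate an 'ip as-path access-list' pattern into a Python regex."""
    return re.compile(pattern.replace("_", _BOUNDARY))


def as_path_matches(pattern: str, as_path: list[int]) -> bool:
    """Match the way IOS does: the AS_PATH is rendered as space-separated
    ASNs (empty for a locally originated route) and searched, not anchored."""
    text = " ".join(str(asn) for asn in as_path)
    return ios_aspath_regex(pattern).search(text) is not None


def filter_list(entries: list[tuple[str, str]], as_path: list[int]) -> bool:
    """Evaluate access-list entries top-down; first match wins, implicit deny."""
    for action, pattern in entries:
        if as_path_matches(pattern, as_path):
            return action == "permit"
    return False


def permitted(table: dict[str, list[int]], entries: list[tuple[str, str]]) -> list[str]:
    """Prefixes of a BGP table that an outbound filter-list lets through."""
    return sorted(p for p, path in table.items() if filter_list(entries, path))


# Constructed BGP table of the enterprise edge router in AS65002 (the slide
# above): one locally originated prefix plus routes learned from each ISP.
AS65002_TABLE = {
    "192.168.1.0/24": [],            # originated here: empty AS_PATH
    "172.18.1.0/24": [65000],        # learned from ISP A
    "10.0.0.0/8": [65001, 65003],    # learned from ISP B
}
NO_TRANSIT = [("permit", "^$")]      # ip as-path access-list 100 permit ^$

# Constructed table of the BGP core edge facing partner 1.
CORE_TABLE = {
    "10.1.1.0/24": [65005],          # originated by IGP area AS65005
    "10.2.8.0/24": [65004],          # originated by IGP area AS65004
    "10.3.0.0/16": [65004, 65005],   # originated in AS65005, seen via AS65004
    "10.4.0.0/16": [165005],         # would match '.*65005$' without the '_'
}
FROM_65005 = [("permit", "^.*_65005$")]


def advertised_to_isps() -> list[str]:
    """What AS65002 sends to ISP A and ISP B: only its own routes."""
    return permitted(AS65002_TABLE, NO_TRANSIT)


def advertised_to_partner1() -> list[str]:
    """What the core sends partner 1 under the as-path clause of rm-ptner1."""
    return permitted(CORE_TABLE, FROM_65005)


if __name__ == "__main__":
    print("to ISPs:     ", advertised_to_isps())
    print("to partner 1:", advertised_to_partner1())
```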
Outside Connections
Internet Connection Considerations
(Diagram: enterprise AS65002 dual homed to ISP A (AS65000) and ISP B (AS65001), both of which reach ISP C upstream)
You dual home to gain diversity in your routing path:
If a link fails due to backhoe fade, you still have a connection to the outside
If an ISP fails, you still have a connection to the outside
What if the two physical links run through the same conduit?
What if both ISPs use the same upstream?
Outside Connections
Internet Connection Considerations
The Problem:
Logical diversity isn't the same as physical diversity
Diversity of any type at one point doesn't guarantee diversity throughout; things may recombine at some point
The Solution:
When dual homing, try to dual home from and to physically diverse points
If dual homing from the same physical location, consider using a single provider, and putting physical diversity in the contract
Try to ensure that your providers aren't dependent on each other, or on a common point behind them
BGP/IGP Interaction
BGP Synchronization
(Diagram: A peers with B over eBGP; B, D, E and F are inside the BGP AS with iBGP between B and F; F peers with G over eBGP; G originates 10.1.1.0/24. A sees 10.1.1.0/24 via B; B sees 10.1.1.0/24 via G, with G reachable via D)
G advertises 10.1.1.0/24 to F through eBGP; F readvertises it to B through iBGP
B checks its local routing table, and finds that G is reachable, so it installs the route, and advertises 10.1.1.0/24 to A through eBGP
BGP/IGP Interaction
BGP Synchronization
(Diagram: same topology; D has no route to 10.1.1.0/24)
A receives a packet for 10.1.1.1, and forwards it to B
B examines its routing table, and finds the next hop is G, a recursive route, and finds the next hop of the recursive route is D, so it forwards the packet to D
D, since it's not running BGP at all, has no route to 10.1.1.0/24, so it drops the packet!
BGP/IGP Interaction
BGP Synchronization
(Diagram: same topology; B has no IGP route to 10.1.1.0/24, so it doesn't advertise it to eBGP peers)
Synchronization solves this by forcing the IGP and BGP routing tables to match before a route can be advertised to a peer
B would not advertise 10.1.1.0/24 to A if the route isn't reachable via some path other than BGP
Unless you want 150,000 routes in your IGP, this isn't very useful
BGP/IGP Interaction
BGP Synchronization
(Diagram: same topology with full mesh iBGP among B, D, E and F)
The more general solution is to run BGP on D and E, and disable synchronization
This requires running full mesh iBGP on B, D, E, and F, or running route reflectors in the core
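The three cases on the synchronization slides above (the black hole at D, synchronization blocking B's advertisement, and BGP running on D and E), traced in an added Python model that is not from the deck. Loopback addresses and the A to B link are constructed; F is assumed not to set next-hop-self, matching the "G reachable via D" recursion the slides show at B.

```python
"""Added model (not from the slides) of the synchronization scenario drawn
above: A-B is eBGP, B-D-E-F run the IGP inside the BGP AS, F-G is eBGP and
G originates 10.1.1.0/24. All addresses are constructed samples."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

PREFIX = "10.1.1.0/24"
LOOPBACK = {"A": "10.255.0.1", "B": "10.255.0.2", "D": "10.255.0.4",
            "E": "10.255.0.5", "F": "10.255.0.6", "G": "10.255.0.7"}
CHAIN = ["B", "D", "E", "F"]  # IGP speakers, in link order


@dataclass
class Router:
    name: str
    igp: dict[str, str] = field(default_factory=dict)  # prefix -> adjacent router
    bgp: dict[str, str] = field(default_factory=dict)  # prefix -> NEXT_HOP address
    synchronization: bool = False

    def igp_next_hop(self, addr: str) -> str | None:
        """Longest-match lookup in the IGP table; hops are directly connected."""
        ip = ipaddress.ip_address(addr)
        hits = [(ipaddress.ip_network(p), nh) for p, nh in self.igp.items()
                if ip in ipaddress.ip_network(p)]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def next_hop(self, dst: str) -> str | None:
        """Forwarding lookup: IGP first, then BGP with the NEXT_HOP resolved
        recursively through the IGP, the recursion B performs on the slide."""
        direct = self.igp_next_hop(dst)
        if direct is not None:
            return direct
        ip = ipaddress.ip_address(dst)
        for prefix, bgp_nh in self.bgp.items():
            if ip in ipaddress.ip_network(prefix):
                return self.igp_next_hop(bgp_nh)
        return None

    def may_advertise(self, prefix: str) -> bool:
        """Synchronization rule: advertise an iBGP-learned route to eBGP
        peers only if the IGP also carries it."""
        if not self.synchronization:
            return True
        net = ipaddress.ip_network(prefix)
        return any(net.subnet_of(ipaddress.ip_network(p)) for p in self.igp)


def build(bgp_on_d_and_e: bool, synchronization: bool) -> dict[str, Router]:
    """Wire up the topology for one of the three cases on the slides."""
    routers = {n: Router(n) for n in ["A", "G", *CHAIN]}
    for i, name in enumerate(CHAIN):
        # Every IGP speaker knows every other loopback, one hop along the chain.
        for j, other in enumerate(CHAIN):
            if i != j:
                routers[name].igp[LOOPBACK[other] + "/32"] = CHAIN[i + (1 if j > i else -1)]
        # G's address is in the IGP too (F redistributes its connected link).
        routers[name].igp[LOOPBACK["G"] + "/32"] = CHAIN[i + 1] if i + 1 < len(CHAIN) else "G"
    routers["A"].igp[LOOPBACK["B"] + "/32"] = "B"  # the A-B link
    # F learns PREFIX from G over eBGP and passes it to its iBGP peers with
    # NEXT_HOP still G (no next-hop-self), as the slides show.
    for name in ["F", "B"] + (["D", "E"] if bgp_on_d_and_e else []):
        routers[name].bgp[PREFIX] = LOOPBACK["G"]
    routers["B"].synchronization = synchronization
    if routers["B"].may_advertise(PREFIX):  # B's eBGP advertisement to A
        routers["A"].bgp[PREFIX] = LOOPBACK["B"]
    return routers


def trace(routers: dict[str, Router], dst: str = "10.1.1.1") -> tuple[list[str], str]:
    """Follow a packet from A and report the hops walked and the outcome."""
    hops, cur = [], "A"
    while cur != "G":
        hops.append(cur)
        nxt = routers[cur].next_hop(dst)
        if nxt is None:
            return hops, f"dropped at {cur}"
        cur = nxt
    return hops + ["G"], "delivered"


if __name__ == "__main__":
    print(trace(build(bgp_on_d_and_e=False, synchronization=False)))  # black hole at D
    print(trace(build(bgp_on_d_and_e=False, synchronization=True)))   # A never learns it
    print(trace(build(bgp_on_d_and_e=True, synchronization=False)))   # delivered
```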
BGP/IGP Interaction
BGP/IGP Interaction
(Diagram: City A and City B connected through AS 1 to AS 6; the MED conveys which entry point is preferred)
Conveys relative preference of entry points
Lowest MED is best; by default a missing MED is treated as 0
Comparable only if paths are from same AS
Non-transitive; do not pass MED from one AS to another
route-map: set metric
set metric-type internal
BGP/IGP Interaction
Set MED to IGP Metric
(Diagram: AS 1 peers with AS 2 and AS 6; B sits in AS 1)
Configuration:
router bgp 1
 neighbor x.x.x.x remote-as 2
 neighbor x.x.x.x route-map set_MED out
!
route-map set_MED permit 10
 match as-path 2
 set metric-type internal
BGP/IGP Interaction
Wait for BGP
(Diagram: A learns 10.1.1.0/24 through eBGP; E's original best path to A runs through B; C starts and provides a better path to A)
E is learning 10.1.1.0/24 through iBGP from D with a next hop of A
C starts and provides a better path to A
E examines the path to A, and finds an IGP route through D to A; it installs this route in the routing table
BGP/IGP Interaction
Wait for BGP
(Diagram: same topology)
However, BGP takes much longer to converge if C is accepting full routes (about 150,000 routes) from A; at least five minutes
BGP/IGP Interaction
Wait for BGP
(Diagram: same topology)
Instead, once the IGP has converged, C signals its IGP neighbors that they should not route this direction
BGP/IGP Interaction
Wait for BGP
OSPF uses max-metric router-lsa on-startup wait-for-bgp to configure this feature
Available in 12.2T
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087c09.html
Summary
Other References
Recommended Reading
Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press
Check the Recommended Reading flyer for suggested books
Complete Your Online Session Evaluation