One of the advantages of VRRP over HSRP as a first hop redundancy protocol is that one of the routers can have the same IP address as the virtual IP address. This is handy when you’re using public IPv4 space as it’s limited. If you had a firewall connected to two routers via HSRP, you need to have 1 public IP address for each router, plus one address for the virtual IP.
With VRRP one of the routers can have the same address, and hence you only need two addresses, not three.
However there is an issue, at least with IOS, when you do it this way. On Cisco’s IOS, if a router has the same address as the VIP, then the priority of that router cannot be reduced. It cannot be manually or automatically reduced via a track object. Let’s take the following diagram as a basis for the post:
R3 represents a host. R1 and R2 are my VRRP routers. Both of these routers connect to R4 via OSPF which sends the route 4.4.4.4/32 via OSPF.
This is the config of R1 and R2:
R1: interface FastEthernet1/0 ip address 10.0.123.200 255.255.255.0 ip ospf 1 area 0 vrrp 1 ip 10.0.123.200 R2: interface FastEthernet1/0 ip address 10.0.123.2 255.255.255.0 ip ospf 1 area 0 vrrp 1 ip 10.0.123.200
On R1, I would like to track the existence of 4.4.4.4/32 and decrement the priority of R1 if I lose that route. However I can’t do this if R1 is configured with the same IP address of the VIP:
R1#conf t Enter configuration commands, one per line. End with CNTL/Z. R1(config)#track 1 ip route 4.4.4.4 255.255.255.255 reachability R1(config-track)#int fa1/0 R1(config-if)#vrrp 1 track 1 decrement 200 % tracking not supported on IP address owner
On Cisco’s page over here is specifically states this limitation:
Restrictions for VRRP Object Tracking
If a VRRP group is the IP address owner, its priority is fixed at 255 and can not be reduced through object tracking.
This removes the benefit of the router and VIP sharing the same IP address, but we can use event manager to get around this. Why not use event manager to check the status of the track object. When the track object goes down, then have event manager shut the LAN port. This will cause R2 to take over the VIP. Let’s configure it like so:
event manager applet SHUT_PORT event syslog pattern "%TRACKING-5-STATE: 1 ip route 4.4.4.4/32 reachability Up->Down" action 1.0 cli command "enable" action 1.1 cli command "conf t" action 1.2 cli command "interface FastEthernet1/0" action 1.3 cli command "shut" action 1.4 cli command "end" action 1.5 cli command "wr me" action 1.6 cli command "exit"
Of course, let’ not forget to configure the router to no shut the interface again when the route comes back:
event manager applet UN_SHUT_PORT event syslog pattern "%TRACKING-5-STATE: 1 ip route 4.4.4.4/32 reachability Down->Up" action 1.0 cli command "enable" action 1.1 cli command "conf t" action 1.2 cli command "interface FastEthernet1/0" action 1.3 cli command "no shut" action 1.4 cli command "end" action 1.5 cli command "wr me" action 1.6 cli command "exit"
Let’s have a quick look to see if this works. First let’s check the status of the VRRP group on R2:
R2#show vrrp FastEthernet1/0 - Group 1 State is Backup Virtual IP address is 10.0.123.200 Virtual MAC address is 0000.5e00.0101 Advertisement interval is 1.000 sec Preemption enabled Priority is 100 Master Router is 10.0.123.200, priority is 255 Master Advertisement interval is 1.000 sec Master Down interval is 3.609 sec (expires in 3.025 sec)
Let’s shut R4′s link to R1. This will cause R1 to lose it’s route to 4.4.4.4/32 which in trurn causes the track object to go down. Event manager will pick up on this via the syslog and shut interface fa1/0. Finally this will cause R2 to take ownership of the group as it’s priority of 100 beats nothing.
R4#conf t Enter configuration commands, one per line. End with CNTL/Z. R4(config)#int fa1/0 R4(config-if)#shut
R1′s window:
R1# *Jan 7 15:39:39.591: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet1/1 from FULL to DOWN, Neighbor Do wn: Dead timer expired R1# *Jan 7 15:39:48.119: %TRACKING-5-STATE: 1 ip route 4.4.4.4/32 reachability Up->Down *Jan 7 15:39:48.331: %VRRP-6-STATECHANGE: Fa1/0 Grp 1 state Master -> Init R1# *Jan 7 15:39:48.391: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:SHUT_PORT) R1# *Jan 7 15:39:50.335: %LINK-5-CHANGED: Interface FastEthernet1/0, changed state to administratively down *Jan 7 15:39:51.335: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to down
Which finally causes R2 to take the VIP:
R2#show vrrp FastEthernet1/0 - Group 1 State is Master Virtual IP address is 10.0.123.200 Virtual MAC address is 0000.5e00.0101 Advertisement interval is 1.000 sec Preemption enabled Priority is 100 Master Router is 10.0.123.2 (local), priority is 100 Master Advertisement interval is 1.000 sec Master Down interval is 3.609 sec
Once we do a no shut on R4 again, event manager ensures R1′s port is brought up and it then takes over the VIP:
R4#conf t Enter configuration commands, one per line. End with CNTL/Z. R4(config)#int fa1/0 R4(config-if)#no shut
R1′s window:
R1# *Jan 7 15:41:33.671: %OSPF-5-ADJCHG: Process 1, Nbr 4.4.4.4 on FastEthernet1/1 from LOADING to FULL, Loading Done R1# R1# *Jan 7 15:41:48.119: %TRACKING-5-STATE: 1 ip route 4.4.4.4/32 reachability Down->Up *Jan 7 15:41:48.247: %VRRP-6-STATECHANGE: Fa1/0 Grp 1 state Init -> Master R1# *Jan 7 15:41:48.315: %SYS-5-CONFIG_I: Configured from console by on vty0 (EEM:UN_SHUT_PORT) R1# *Jan 7 15:41:50.231: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up *Jan 7 15:41:51.231: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
R2 now sees R1 as the master again, and itself as the backup:
R2#show vrrp FastEthernet1/0 - Group 1 State is Backup Virtual IP address is 10.0.123.200 Virtual MAC address is 0000.5e00.0101 Advertisement interval is 1.000 sec Preemption enabled Priority is 100 Master Router is 10.0.123.200, priority is 255 Master Advertisement interval is 1.000 sec Master Down interval is 3.609 sec (expires in 2.997 sec)
EDIT (08/01/2013) – Jochen in the comments below mentioned that instead of tracking a syslog message showing the track state, I could just check the track state via EEM directly. I’ve tested this and it works just as expected. This is my final config on R1:
event manager applet SHUT_PORT event track 1 state down action 1.0 cli command "enable" action 1.1 cli command "conf t" action 1.2 cli command "interface FastEthernet1/0" action 1.3 cli command "shut" action 1.4 cli command "end" action 1.5 cli command "wr me" action 1.6 cli command "exit" event manager applet UN_SHUT_PORT event track 1 state up action 1.0 cli command "enable" action 1.1 cli command "conf t" action 1.2 cli command "interface FastEthernet1/0" action 1.3 cli command "no shut" action 1.4 cli command "end" action 1.5 cli command "wr me" action 1.6 cli command "exit"
Ok, it took a bit longer than I wanted it to but here we go.
You can now reach www.mellowd.co.uk/ccie via both IPv4 and IPv6 natively. Hooray.
And it only makes sense to get an address with ccie in it? Sure!
Name: mellowd.co.uk
Addresses: 2001:a08:da2::cc1e
89.248.22.45
A couple of things to note. I had to enable listening on ipv6 of my web server software as well as sort my ip6tables out. ICMP is a lot more important in IPv6 than it is in IPv4 so watch that.
Sparse mode:
- When user joins, connected router will have *,G entry, as it knows the group joined by the user, but not the source of that feed yet. This is the SHARED tree.
- The RP WILL have an S,G entry. Once the router connects it will stay on the *,G shared tree at first, then switch over to the S,G source tree.
- While on the shared tree, the RPF check will be towards the RP, NOT the source! This will change to the source once the router connects to the source tree
- ip pim spt threshold controls when the router will switch from the *,G to the S,G tree. A value of infinity means it’ll NEVER switch to the S,G tree
Dense mode:
- In dense mode you’ll always see S,G entries as the source has been flooded through the network. i.e. all PIM routers will already have the feed, and hence will know the source
Sparse-Dense mode:
- Sparse-dense mode is mainly like sparse mode, but any group that cannot be registered with the RP becomes dense mode
- This is good for Auto-RP, but it also means that mis-configurations on the RP could cause lots of groups to be dense mode instead of sparse mode
Rendezvous point:
All modes:
- You need to run PIM on the interface that you are advertising as the RP. i.e if you’re running it on a loopback interface, run PIM on that loopback!
- Auto assignments OVERRIDE static assignments! You can use ip pim rp-address (rp_address) (acl) override to override this default behaviour
Static RP:
- Easiest to configure, pretty much like a static route
- ip pim rp-address (rp_address) (acl)
- (acl) determines what groups the router will be the RP for
- The RP router ALSO needs to have the above configured. i.e the RP does not automatically know it is the RP, you need to tell the router that it is!
Auto-RP (Cisco proprietary):
- Auto-RP is made up of 1 or more routers announcing themselves as candidate RPs using the command: ip pim send-rp-announce (acl) as well as a mapping agent using the command: ip pim send-rp-discovery
- Only the mapping agent listens to the RP announcements
- The MA then determines which RP to use for which groups and advertises that to all other PIM routers
- The auto-rp process uses the 224.0.1.39 and 224.0.1.40 groups
- In sparse-dense mode the 2 groups above are automatically in dense mode
- If running sparse mode only, you need to configure ip pim auto-rp listener on transit PIM interfaces which will ensure that ONLY 224.0.1.39 and 224.0.1.40 are in dense mode
- If the MA receives 2 announcements from candidate RPs for the same groups, the MA will choose the one with the highest IP address
- The RP and MA can be the same device if needs be
- Auto-RP IS supported by a number of Non Cisco devices. Confirm with proctor is question is not clear
- When specifying an ACL with a RP announcement, the deny statements will create negative entries for groups. However a deny any at the end of the ACL will effectively make ALL groups negative, and hence dense mode, regardless of what’s configured. As an example:
ip pim send-rp-announce Loopback0 scope 15 group-list 12 interval 1
access-list 12 deny 224.110.110.110
access-list 12 permit 224.0.0.0 15.255.255.255
access-list 12 deny any
If you check the mapping agent you see this:
Group(s) (-)224.0.0.0/4
RP 150.1.10.10 (?), v2v1
Info source: 150.1.10.10 (?), elected via Auto-RP
Once the deny statement at the end of the ACL is removed, you see this:
Group(s) 224.0.0.0/4
RP 150.1.10.10 (?), v2v1
Info source: 150.1.10.10 (?), elected via Auto-RP
Bootstrap router – BSR (Open standard)
- BSR uses the group 224.0.0.13, but it does NOT need to be in dense mode, unlike auto-rp
- 224.0.0.13 is the link-local ALL PIM ROUTERS address as well
- The Bootstrap router is the Mapping Agent in auto-rp, configured using: ip pim bsr-candidate (int) (hash) (pri)
- The RP uses the same name as in auto-rp, configured using: ip pim rp-candidate (int) (ttl) (pri) (acl)
- The hash field will allow you to load balance groups over your RPs – A hash value of 31 ensures all even groups are with on RP and odds are with another, if you have 2 RPs
- You can see which group is mapped to which RP with show ip pim rp-hash (group)
- BSR has priority fields so you can choose which router does what without having to rely on the high IP taking over
- If priority is the same, then highest IP will be chosen like auto-rp
- ip pim bsr-border will allow you to run PIM on an edge interface, but not to share bsr messages
Multicast on Frame-Relay:
- By default, multicast traffic is process switched over frame-relay. Multicast frames also have the pak-priority set so have the highest priority
- If you have a hub router connected to 2 spokes over the same interface, you’ll have problem with RPF checks as you are going in and out the same interface. You can also have problem where a spoke says it no longer wants to receive a feed, this would make the hun stop sending to ALL spokes.
- ip pim nbma-mode fixes both of the above issues. When configuring nbma mode on sparse-dense and dense mode interfaces you’ll get a warning, but it’ll still work.
Multicast Boundry:
- int# ip multicast-boundry will stop multicast packets getting through an interface.
- Any address ALLOWED through the acl is ALLOWED through the interface
- The boundry is bidirectional by default. If you specify the IN option it will prevent multicast control traffic coming into the interface. If you specify the OUT option it will prevent the interface from being added to the OIL
Stub Multicast:
- Prevent routers from fully participating in PIM. Consider the diagram:
- R2 has users on the Fa0/0 interface that want to join the multicast feed. However you do not want R2 to fully run PIM. In order to do so, you need to have R1 configured to prevent R2 from becoming a PIM neighbour. You need then to configure R2 to forward IGMP join messages to R1. Note that dense mode is configured on R2 as it needs to flood multicast traffic over to fa0/0 when it gets an igmp join.
R1:
access-list 1 deny 192.168.1.2
!
int s0/0
ip pim sparse-mode
ip pim neighbor-filter 1
R2:
int s0/0
ip pim dense-mode
!
int fa0/0
ip pim dense-mode
ip igmp helper-address 192.168.1.1
Multicast/Broadcast conversion:
- You can convert multicast to broadcast, and from broadcast to multicast. You can also do this multiple times backwards and forwards if you need to. Consider the following example:
- We have a server with the IP of 172.16.1.25 that is sending out a udp broadcast to port 5000. For whatever reason we need that same frame to be broadcasted onto the 10.50.50.0/24 network.
- To convert from broadcast to multicast you configure like so:
R1:
access-list 100 permit udp host 172.16.1.25 any eq 5000
!
ip forward-protocol udp 5000
!
int fa0/1
ip multicast helper-map broadcast 224.10.10.10 100
- Then back from multicast to broadcast like so:
R3:
ip forward-protocol udp 5000
!
access-list 100 permit udp host 172.16.1.25 any eq 5000
!
int fa0/0
ip multicast helper-map 224.10.10.10 10.50.50.255 100
!
int fa0/1
ip directed-broadcast
MSDP:
- MSDP is used for inter-domain multicasting as well as to allow RPs in a single AS to share source information if running anycast RP. All you need to configure on the RPs is:
ip msdp peer (peer_unique_address) connect-source (local_unique_interface)
ip msdp originator-id (unique_address_interface)
Bidirectional PIM:
- You need to configure ip pim bidir-enable on ALL PIM interfaces. Most RP commands will then have the bidir switch added to the end of commands.
IPv6 Multicast:
- Sparse mode only
- Enabled using Ipv6 multicast-routing
- When enabled, Pim will run automatically on all ipv6 interfaces. Need to run no ipv6 pim on the interface to remove
- Multicast listener discovery (MLD), part of ICMPv6, replaces igmp
- Mldv1 is equivalent to IGMPv2. Same timers and so on
- Mldv2 equivalent to IGMP3 for ssm
- BSR and Static RP only. No auto-rp. You can also use embedded RP which encodes the RP address in the group address
- sh ipv6 Pim range-list will show you the rp mapping
- ipv6 mld join-group will join a group on an interface
- IPv6 mroute is created using ipv6 route (address/prefix) (next_hop) multicast, NOT ipv6 mroute
- Pretty much everything else is the same as ipv4
Miscellaneous:
- PIM assert will take the Administrative Distance into account first, and then metric if that AD matches. So in order to force a router to be the PIM assert router, you may need to adjust the AD
- ip pim accept-rp (acl) will ensure the RP only accepts *,G joins for groups defined in the ACL. In theory you only need to put this on the RP, but it’s more efficient to put it on all routers so they drop the requests before it even gets to the RP
- int#ip igmp (acl) is used to allow only joins to certain groups through an interface. This interface is pointing towards the receivers as the control packet is igmp
- int#ip igmp limit is used to limit the amount of igmp states on an interface. Can also configure this globally
- When configuring source specific multicast, you are required to configure ip pim ssm default or ip pim ssm (acl) on all PIM routers to ensure they do not create *,G entries. SSM does not actually need an RP as they do not connect to shared trees, only source trees.
- On an ethernet segment a DR will be chosen between the PIM neighbours. By default, the priority is 1. If the priority is the same, the highest IP wins. This can be changed with the int#ip pim dr-priority command. Note that not all switches support this command!
- If your IGP is load-balancing certain paths, you can load-balanse multicast as well with the ip multicast multipath command. This is essential so that your rpf checks don’t fail.
I went a bit fast when I posted this write-up: http://mellowd.co.uk/ccie/?p=1369
I think it’s better to have a longer discussion about how authentication OSPFv3 SHOULD be set up to begin with, then show how it doesn’t work without a security license.
Let’s begin with regular IPv4. I’ve got 2 1841′s running and this is the config. This config is IDENTICAL whether you’re using a base license or security license, as the authentication is handled by OSPF’s internal authentication.
Router1
interface FastEthernet0/0 ip address 10.0.0.1 255.0.0.0 duplex auto speed auto ! router ospf 1 router-id 10.0.0.1 log-adjacency-changes network 10.0.0.1 0.0.0.0 area 0
Router2
interface FastEthernet0/0 ip address 10.0.0.2 255.0.0.0 duplex auto speed auto ! router ospf 1 router-id 10.0.0.2 log-adjacency-changes network 10.0.0.2 0.0.0.0 area 0
They see each other?
1841test2#sh ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.0.0.1 1 FULL/BDR 00:00:38 10.0.0.1 FastEthernet0/0
Let’s authenticate. Again, you can do this on a base license.
interface FastEthernet0/0 ip address 10.0.0.2 255.0.0.0 ip ospf message-digest-key 1 md5 ipv4test ! router ospf 1 router-id 10.0.0.2 area 0 authentication message-digest network 10.0.0.2 0.0.0.0 area 0
1841test2# sh ip ospf 1
! - removed
Area has message digest authentication
Let’s now move to IPv6 and OSPFv3. This is a regular set up without authentication:
ipv6 unicast-routing ipv6 cef ! interface FastEthernet0/1 no ip address ipv6 address 2001:DB8::/64 eui-64 ipv6 ospf 1 area 0 ! ipv6 router ospf 1 router-id 2.2.2.2 log-adjacency-changes
router2
ipv6 unicast-routing ipv6 cef ! interface FastEthernet0/1 no ip address ipv6 address 2001:DB8::/64 eui-64 ipv6 ospf 1 area 0 ! ipv6 router ospf 1 router-id 1.1.1.1 log-adjacency-changes
1841test1#sh ipv6 ospf neighbor Neighbor ID Pri State Dead Time Interface ID Interface 2.2.2.2 1 FULL/BDR 00:00:39 4 FastEthernet0/1
Let’s now add authentication. In order to do so we use the interface specific “ipv6 ospf authentication ipsec” command
interface FastEthernet0/1 no ip address duplex auto speed auto ipv6 address 2001:DB8::/64 eui-64 ipv6 ospf 1 area 0 ipv6 ospf authentication ipsec spi 512 sha1 5C4070ED005A378F1529065802B4B5BF44032A0F
We immediately see the following error as the other side has no authentication set up:
#:%IPSECV6-4-RECVD_PKT_NOT_IPSECV6: Rec'd packet not an IPSEC packet.
(ip) dest_addr= FF02::5, src_addr= FE80::6616:8DFF:FECB:C32B, prot= 89
Let’s fix it quick:
interface FastEthernet0/1 no ip address duplex auto speed auto ipv6 address 2001:DB8::/64 eui-64 ipv6 ospf 1 area 0 ipv6 ospf authentication ipsec spi 512 sha1 5C4070ED005A378F1529065802B4B5BF44032A0F
Comes straight up again:
#:%OSPFv3-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/1 from LOADING to FULL, Loading Done
This is all great, until you realise that you can NOT set ipsec authentication without an expensive security license!
This is a router with a security license:
1841test1(config-if)#ipv6 ospf ?
<1-65535> Process ID
authentication Enable authentication
cost Interface cost
database-filter Filter OSPF LSA during synchronization and flooding
dead-interval Interval after which a neighbor is declared dead
demand-circuit OSPF demand circuit
flood-reduction OSPF Flood Reduction
hello-interval Time between HELLO packets
mtu-ignore Ignores the MTU in DBD packets
neighbor OSPF neighbor
network Network type
priority Router priority
retransmit-interval Time between retransmitting lost link state
advertisements
transmit-delay Link state transmit delay
This is a 1941 with a base license:
1941test(config-if)#ipv6 ospf ?
<1-65535> Process ID
cost Route cost of this interface
database-filter Filter OSPF LSA during synchronization and flooding
dead-interval Interval after which a neighbor is declared dead
demand-circuit OSPF demand circuit
flood-reduction OSPF Flood Reduction
hello-interval Time between HELLO packets
mtu-ignore Ignores the MTU in DBD packets
network Network type
priority Router priority
retransmit-interval Time between retransmitting lost link state
advertisements
We’re busy implementing IPv6 on our BGP edges and eventually in our core at the moment. It’s pretty easy in the IPv4 world to work out what addresses are what, but there are loads more in IPv6.
I’ve decided to list the current assigned and reserved IPv4 and IPv6 address spaces here. Note that this list is still a work in progress, especially on the IPv6 side of things.
Let’s start with IPv4. Most of you should know most of the reserved ranges, but there may be a few you didn’t know about.
IPv4
Reserved:
0.0.0.0/8 – RFC1700
127.0.0.0/8 – Loopback
Internal private ranges (RFC1918)
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Documentation (RFC5737)
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24
Multicast (RFC5771, RFC6034 & RFC2365)
224.0.0.0/8 – 239.0.0.0/8
‘Future use’ – will never be used
240.0.0.0/8 – 255.0.0.0/8
255.255.255.255 is reserved for limited broadcast (RFC919 and RFC922)
IPv6
Now let’s check IPv6. The current Global Unique (aka public IP) range is 2000::/3 – that means any address from 2000:0000:0000:0000:0000:0000:0000:0000 – 3FFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF is a global unique unicast address – However, RFC3849 deems it fit to assign 2001:0DB8::/32 as non-routable to be used for documentation. Why they couldn’t use a range outside 2000::/3 is beyond me.
The following are all reserved by the IEFT (RFC4291, RFC4048 and RFC3879)
0100::/8
0200::/7
0400::/6
0800::/5
1000::/4
4000::/3
6000::/3
8000::/3
A000::/3
C000::/3
E000::/4
F000::/5
F800::/6
FE00::/9
FEC0::/10
Unique Local Unicast addresses (RFC4193)
FC00::/7
Link Local Unicast addresses (RFC4291)
FE80::/10
Multicast addresses (RFC4291)
FF00::/8
Loopback address
::1
Default route
::/0
6to4 tunnels
2002::/16
Teredo (RFC4380)
2001::/32
Unspecified
::
I’m sure I may have missed some out, so please let me know if I have
Comments