Enterprise Routing
Course Overview
Version 4.04
A Siemens Enterprise Communications Company
During this course, you will learn how to set up and configure
Enterasys switches for various network topologies, explore different
router operating modes such as RIP, OSPF, PIM-SM, IGMP, LS-NAT,
and VRRP, and gain experience in troubleshooting the Enterasys
routing product line.
2011 Enterasys Networks, Inc., A Siemens Enterprise Communications Company All rights reserved.
7/2/2011
Day Two
Module #4: LS-NAT
- Lab #3- LS-NAT Configuration
Day Three
Module #7: Multicast Routing
- Lab #5- PIM-SM Multicast Routing Configuration
Experienced PC user
In depth discussion of :
Operational knowledge of
802.1D (STP)
Ethernet
TCP/IP
802.1D standard
Network design
802.1Q standard
Wireless
OSPF
PIM-SM
IGMP
VRRP
LS-NAT
TWCB
NetSight NMS
Dragon
In depth discussion of the following Protocols,
OSPF, PIM-SM, IGMP, and VRRP or other
routing protocols.
Explain the differences and similarities between the B3/B5/C2/C3/C5, G-Series, N-Series DFEs, and S-Series routers for
routing.
OSPF
- Verify that the basic OSPF network is configured correctly via various show commands. If not correct, troubleshoot the network.
- Configure static routes for redistribution into OSPF and verify that the network changes correctly; troubleshoot the network if incorrect.
- Configure OSPF Areas for stub areas and NSSA, Authentication, and Summarization. Then verify that the network changes are correct;
troubleshoot the network if incorrect.
LS-NAT
- Configure LSNAT on routers/switches. Verify that the network is configured correctly via various show commands, troubleshoot
if incorrect.
- Implementation: send and receive data traffic using the LSNAT setup. Verify that traffic is being received and properly load
balanced over available servers; troubleshoot if incorrect.
TWCB
- Review the Transparent Web Cache Balancing feature on N & S-Series products. Discuss configuration-related parameters for
implementing the feature.
ACLs
- Configuration
- Implementation
PIM-SM
- Configure PIM-SM & IGMP on routers/switches and verify that the multicast network is configured correctly via various show
commands, troubleshoot if incorrect.
- Send and Receive multicast traffic throughout the network, verify that traffic is being received over correct links and joins are
complete, troubleshoot if incorrect.
- Stop receiving multicast, verify that prunes have halted traffic correctly, and troubleshoot if incorrect.
VRRP
- Configure a basic VRRP network and verify that it is configured correctly via various show commands. If not correct
troubleshoot network.
- Configure VRRP Critical IP; verify VRRP is configured correctly, if not troubleshoot.
- Disable Critical IP interface, verify VRRP switches to new master correctly, if not troubleshoot. Add multiple VRRP instances
to network, with load sharing of clients between instances. Verify that VRRP is correctly configured.
Troubleshooting
- Examine the commands and tools most commonly used to determine if a reported problem within a routed environment is
actually a network-related issue.
- Implement the mechanisms used to isolate a problem down to a specific category.
- 9:00 am to 5:00 pm
Instructor
- Nicols Martnez
Attendees
- Name?
- Company?
- Job Description?
- What is your experience with routing?
- Are you currently using Enterasys routing products? (Which?)
- What do you hope to learn about routing from this course?
Enterprise Routing
Routing Products Overview
Version 4.03
A Siemens Enterprise Communications Company
[Figure: protocol stacks of the Source System and the Destination System (Application, Presentation, Session, Transport, Network, Data Link, Physical) with a Router between them; the Routing Function sits at the router's Network layer, above a Data Link and Physical layer on each side.]
Routers:
- Switch packets between different physical networks, based upon Network-layer addressing
- Do not flood MAC-layer broadcasts from one attached network to another
- Are protocol dependent (e.g., IPv4 routed to IPv4; IPv6 routed to IPv6)
- Support packet fragmentation
- Support multiple Physical- and MAC-layer packet encapsulation types, and have the ability to translate from
one type to another
Layer 2 Switching:
- Switch frames within the same physical network, based upon Data Link-layer (MAC) addressing
Path Selection. Routers can use the best path which physically
exists between source and destination systems. Some routers
allow for load balancing over redundant paths
The total size of the network interconnected with routers is, for all
practical purposes, unlimited
Cost, routers are typically more complex devices than switches and
can be more expensive
- S Series
Enterasys G Series
- Routing features
- Basic routing (RIP v1/v2) included
- Advanced routing option (OSPF, DVMRP, PIM-SM, VRRP)
- IPv6 management and IPv6 routing (option)
Resource |
Entries
Memory (bytes)
Max-InUse=Avail | *Each ~=
Max
InUse
1024
3 32765 |
92 3014656
92
1024 |
276
94208
288 3535776
2016
7 12270 |
Resource       | Entries: Max  Avail (Max-InUse) | Memory (bytes): Each ~=  Max      InUse
Static Routes  | 1024  1024 | 44    45056
IP Helper      | 5120  5120 | 12    61440
LSA type 1 *   | 512   508  | 1672  856064   6688
LSA type 2 *   | 512   510  | 1596  817152   3192
LSA type 3 *   | 3000  3000 | 248   744000
LSA type 4 *   | 3000  3000 | 324   972000
LSA type 5 *   | 4000  4000 | 428   1712000
LSA type 7 *   | 4000  4000 | 444   1776000
LSA type 9 *   | 512   512  | 1548  792576
LSA type 10 *  | 64    64   | 1548  99072
LSA type 11 *  | 512   512  | 1548  792576
Entries
Resource |
Max-InUse=Avail | *Each ~=
Max
InUse
0 10000 |
Interfaces |
277
274 |
Secondary Addresses |
2000
2000 |
300
300 |
Rip Routes |
3000
3000 |
VRRP Entries |
1024
PBR Entries
5000
50
124 1240000
1072
3216
12
3600
32
96000
1024 |
724
741376
4999 |
120
600000
120
50 | 19696
984800
0 32000 |
340 10880000
2000
2000 |
212
424000
1024
1024 |
172
176128
31435424
15508
Total: |
PreAllocated *: |
Total Avail Mem (Appx):
296944
25295104
124556808
Enterprise Routing
S-Series Routing Products
[Figure: S-Series platforms (SSA, S3, S4, S8) positioned by connectivity across the Edge/Access, Distribution/Data Center, and Core tiers.]
The show router limits command can be used to determine Layer 3 related system limits
for S-Series routers
S Chassis(rw-config)->show router limits
Chassis limits:
Application
---------------------------------------access-list-entries
5000
access-lists
applied-access-lists-ipv4-in 256
applied-access-lists-ipv4-out 256
applied-access-lists-ipv6-in 256
applied-access-lists-ipv6-out 256
appsvc-ftp-alg-entries
appsvc-global-bindings
bgp-limits
dhcp-leases
dvmrp-limits
26214400
entries-per-access-list
ip-addresses
4373
ip-interfaces
256
ip-interface-addresses
lo-interfaces
8
lpbk-interfaces
multicast-flows
nat-global-bindings
nat-ip-addresses
nat-pools
nat-portmapped-addresses 10
nat-static-rules
nd-dynamic-entries
Limit
In use Entry size
--------- ----------------------0
1000
0
0
0
0
0
4000
0
40B
32768
0
100B
262144
0
1B
1000
0
56B
0
1B
25M
5000
0
128
21
4096
0
148B
32768
0
12B
1000
0
36B
10
0
280B
0
8.6K
85.9K
500
0
96B
32768
2
48B
Total Memory
156.3K
3.1M
25M
54.7K
-
592K
384K
35.2K
2.7K
46.9K
1.5M
N-series (Diamond
Platinum and Gold)
S Series
B3/B5/C2/C3/C5
&
G-Series
*
*
BGP
****
IS-IS
****
DVMRP
*
****
*
PIM-SM
* **
RIP v1/v2
OSPF
*
IPv6
***
IRDP
VRRP
*
Standard ACLs
* **
Extended ACLs
LSNAT
*
*
PBR
DoS Prevention
DHCP Server
Dynamic Routes
IP Interfaces
Static Routes
~262k
1,024
256
12,276/25,000
1,024
256
10,117
512
96
5000
128
48
2,500
64
24
Routers use routing protocols to maintain their routing tables. Routing tables can be maintained
either statically or dynamically.
Static Routes
- Static routes are manually configured and entered into a switch's routing table. Static routes take default precedence
over routes chosen by dynamic routing protocols.
Dynamic Routes
- Dynamic routes are learned when routers send routing table information to each other.
- The two forms of dynamic routing that are most commonly used are Distance Vector and Link State. The specific
Distance Vector and Link State protocols used on Enterasys products are discussed below.
B3/B5/C2/C3/C5
G-Series
OSPF  | 110 | 110 | 110 | 110
ISIS  | n/a | 115 | n/a | n/a
RIP   | 120 | 120 | 120 | 120
EBGP  | n/a | 20  | n/a | n/a
IBGP  | n/a | 200 | n/a | n/a
Directly connected
Static
N3 (su)->show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, IA - OSPF interarea
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
E - EGP, i - IS-IS, L1 - IS-IS level-1, LS - IS-IS level-2
* - candidate default, U - per user static route
C 1.1.1.1/32 [0/1] directly connected, Loopback 1
O 2.2.2.2/32 [110/10] via 10.1.1.2, Vlan 10
C 10.1.1.0/24 [0/1] directly connected, Vlan 10
R 11.1.1.0/24 [120/2] via 10.1.1.2, Vlan 10
S 12.1.1.0/24 [1/0] via 10.1.1.2, Vlan 10
Maximum
paths
Round
Robin
Hashing
RIP
OSPF
Static Routes
S-Series
N-Series Platinum/Diamond
N-Series Gold
C2 /C3/C5/G3
Enterprise Routing
Basic Routing Config
Version 4.03
2. Disable GVRP
C3(su)->set gvrp disable
1. Create the VLAN used for IP routing from the switch CLI
C3(su)-> set vlan create 5
[Slide callouts: command parameters Port String and VLAN id, the modify-egress option, and diagram labels VLAN 5 and VLAN 10.]
C3(su)->router
Unified CLI:
Prior to firmware 7.0, when logging in to an N-Series device,
system or switch command mode of the CLI
This command mode provided access to all non-routing device configuration (e.g., STP, LACP,
VLAN creation, etc.)
Entering a completely different CLI mode was required to configure or monitor routing-level
functionality
Once in routing mode, switch-related configuration and monitoring was no longer available.
Switch and routing configuration and monitoring took place within separate, distinct CLI
subsystems between which there was no communication
NChassis(rw)->
N Chassis(rw)->configure
N Chassis(rw-config)->ip access-list standard 10
N Chassis(rw-cfg-std-acl)->set time 04/15/2009
N Chassis(rw-cfg-std-acl)-><163>Apr 14 09:07:56 0.0.0.0 System[1]Time and Date set
(by user) to: WED APR 15 09:07:56 2009
N Chassis(rw-cfg-std-acl)->
The loopback can be used for remote administration of the router in lieu of the host
interface.
The loopback interface must be reachable via standard routing methods, (i.e.,
through a static, or dynamic route).
Routers use routing protocols to maintain their routing tables. Routing tables can
be maintained either statically or dynamically.
Static Routes
- Static routes are manually configured and entered into a switch's routing table. Static
routes take default precedence over routes chosen by dynamic routing protocols.
Dynamic Routes
- Dynamic routes are learned when routers send routing table information to each other.
- The three forms of dynamic routing that are most commonly used are Distance Vector,
Link State and Path vector protocols.
- Distance Vector Protocols
- RIPv1 and RIPv2
- DVMRP
- Link State Protocols
- OSPFv2
- IS-IS
- Path Vector Protocols
- BGP4
Router 192.168.5.2
R1
R2
10.10.1.1 Network
Mask
Next-Hop
R1(su)->show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, IA - OSPF interarea
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
E - EGP, i - IS-IS, L1 - IS-IS level-1, LS - IS-IS level-2
* - candidate default, U - per user static route
C
S
RIP updates occur every 30 seconds and send the entire routing table
contents.
- IP/UDP port 520
- Up to 25 routes per packet
Create IP Interfaces
Enable RIP
192.168.10.0/24
R1
192.168.5.0
.1
.2
R2
192.168.4.0
C Series Config
N Series Config
R1 (su-config)-> router rip
R1 (su-config-rip)-> network 192.168.5.0 0.0.0.255
R1(su-config-rip)-> network 192.168.10.0 0.0.0.255
R1(su-config-rip)-> exit
192.168.10.0/24
R1
192.168.5.0
.1
.2
R2
192.168.4.0
R1(su)->show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, IA - OSPF interarea
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
E - EGP, i - IS-IS, L1 - IS-IS level-1, LS - IS-IS level-2
* - candidate default, U - per user static route
R2(su)->router> show ip route
C
Routing Configuration
Connected, Static, & Dynamic Routes
RIP
Enabled
192.168.10.0/24
R1
192.168.5.0
.1
.2
R2
192.168.4.0
10.10.1.0
R1(su)->show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, IA - OSPF interarea
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
E - EGP, i - IS-IS, L1 - IS-IS level-1, LS - IS-IS level-2
* - candidate default, U - per user static route
C
C
S
R
Using DHCP/BOOTP relay, a router interface can forward the DHCP request
to a server located on another network if IP forward-protocol is enabled
for UDP and the address of the DHCP server is configured as a helper
address (ip helper-address) on the receiving interface of the router.
The DHCP/BOOTP relay function will detect the DHCP request and make the
necessary changes to the IP packet header, replacing the destination IP
address with the address of the DHCP server, and the source IP address with
the address configured on the receiving interface.
The router then sends the DHCP request to the DHCP server identified by the
ip helper address.
When the response is returned from the DHCP server, the DHCP/ BOOTP
relay function sends it to the host, allowing the host to obtain its IP address
Note: use of the ip forward-protocol command is required only on S & N Series Routers NOT on C Series devices.
Use the ip helper-address address command to enable DHCP/BOOTP relay and the
forwarding of local UDP broadcasts. This is an interface-level command.
The configuration below permits UDP broadcasts from hosts on the 1.35.11.0/24 network to reach a DHCP
server (1.35.0.1) on the 1.35.0.0 network:
Router(su-config)-> interface vlan 3511
Router(su-config-intf)-> ip address 1.35.11.254 255.255.255.0
Router(su-config-intf)->ip helper-address 1.35.0.1
Router(su-config-intf)->no shutdown
ARP Configuration
- C2(su)-> show arp
- C2(su)->router> show ip arp
- C2(su)->router(Config)# arp <ip-address> <h-h-h>
Configuration Limits
-
write file: This command saves the router configuration (N Series 6.12).
The write file command is not required when using 7.xx firmware.
The host interface is always up and utilizes an ARP cache and route table
independent from the ARP cache and route table used by the routing layer IP
subsystem
The C2/C3/C5 host interface address cannot be assigned to the same network as
the local routed VLAN interface.
To assign host interface address to a VLAN other than 1, for C-Series, use
command:
C-Series> set host vlan vlan-id
The ability to set a unique IP address on each VLAN configured on the switch means that host management
can be accessed from any VLAN configured with its own IP address.
The ability to assign an IP subnet to an interface that is separate from a subnet which is passing data through
the switch allows the network administrator to create an out-of-band management subnet designed to only
pass network management data.
Use the set ip address command to create a non-routing host management IP interface for a VLAN:
S Chassis(rw)->set ip address 125.100.10.1 mask 255.255.0.0 interface vlan.0.5
RouterA>(config)# no ip routing
On the N & S-series Routers running 7.x firmware, use the clear router all command
to remove all routing configuration from a system
-
By default, when VLAN IP interfaces are created on the N, S, & C2/C3/C5, they are
administratively DOWN
-
There are two show ip route commands, one in switch mode and one in router
mode
Switch mode- show ip route command shows Host routes:
C2(su)->show ip route
ROUTE TABLE
Destination   Gateway       Mask      Tos  Flags  Refcnt  Use  Interface
-----------------------------------------------------------------------------
default       192.168.0.1   00000000  0    UGC    0       0    host
127.0.0.1     127.0.0.1     00000000  0    UH     0       0    loopback
192.168.0.0   192.168.0.2   ffffff00  0    UC     1       0    host
-----------------------------------------------------------------------------
The host interface maintains a separate routing table from the VLAN interfaces
Each can be separately viewed and maintained
Each can have a separate and distinct default route
Routing Mode- show ip route shows all static and dynamic routes
To see the routing table for the Routed IP interfaces, you must be in router mode
for B, C, and G-Series routers.
C2(su)->router> show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, IA - OSPF interarea
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
E - EGP, i - IS-IS, L1 - IS-IS level-1, LS - IS-IS level-2
* - candidate default, U - per user static route
C
C
C
C
S
S
Enterprise Routing
OSPF Configurations
Version 4.03
A Siemens Enterprise Communications Company
Developed by the Interior Gateway Protocol (IGP) working group of the IETF
(mid-1980s)
- RFC 2328
- RFC 1583
OSPF was created because RIP was increasingly unable to serve large,
heterogeneous networks
- Routing loops occurred with sudden topology changes
- Using distance metric to determine reachability resulted in count to Infinity delays
- Slow convergence
Equal-cost multipath
- If multiple equal cost paths to a destination exist, the paths are inserted in routing table
- Load balancing among the routes
- Default path costs are 10
Routing Hierarchy
- Routing domain can be divided into areas for ease of management and control
- Support for route summarization and aggregation by area
Security
- Simple or MD5 Authentication
The network topology must appear consistent - the link state database must be
identical on all routers
All entities in the routing domain use unique 32 bit numbers for identification
- Routers are assigned a router ID normally based on their IP address
- Networks either use their network id or IP address of a router interface on that network
- Areas are strictly administratively assigned
Routers use OSPF Hello protocol to identify neighbors and maintain neighbor
relationships
Only Routers in an adjacency state of are permitted to exchange link state
information
- The necessity of ensuring consistency in the LSDB prohibits simple broadcasting on route
information.
- Flooding information uses a split horizon technique
Example:
[Figure: routers with interfaces 10.10.10.1/24 and 10.10.10.2/24 in AREA 0.0.0.34 (network 10.10.10.0/24), and interfaces 20.30.20.1/24, 20.30.20.2/24 and 50.30.20.2/24 in AREA 0.0.0.0 (networks 20.30.20.0/24 and 50.30.20.0/24).]
- Internal Router:
- Router's interfaces completely contained within an OSPF area
Example:
[Figure: OSPF IGP Domain with AREA 0.0.0.34 (interfaces 10.10.10.1/24 and 10.10.10.2/24 on network 10.10.10.0/24) and AREA 0.0.0.0 (interfaces 20.30.20.1/24, 20.30.20.2/24 and 50.30.20.2/24 on networks 20.30.20.0/24 and 50.30.20.0/24).]
[Figure: Intra-Area and Inter-Area routes as seen from routers in Area 0.0.0.1, the Backbone (Area 0.0.0.0) and Area 0.0.0.2, for networks 10.0.0.0/24, 20.0.0.0/24, 30.0.0.0/24, 40.0.0.0/24, 50.0.0.0/24 and 60.0.0.0/24.]
A dead-end area
There are no other ways to enter
[Figure: Normal area 0.0.0.0 with ASBRs and an ABR connecting to Stub area 0.0.0.1; labels: Summaries from Area 0.0.0.0, Default Route.]
- Timers
  - Hello
  - Dead
  - Retransmit Interval
  - Transmit delay
  - spf
- Authentication
  - Simple
  - MD5
- Redistribution
  - Static
  - Rip
  - Direct
  - BGP **
  - IS-IS **
  - OSPF
- Cost
- Priority
- Stub
  - NSSA
  - Totally Stub
- Virtual Links
- Summarization
- Passive Interface
OSPF Process
OSPF Configuration
- Disable GVRP and spanning tree
- Configure OSPF networks and areas
C2/C3/C5 additional OSPF steps
- Ensure the advanced routing license is set up
- Enable OSPF at VLAN interface level
- Create Router ID (must be done before enabling OSPF at global level).
Create a Router ID
- Router id 5.5.5.5
Use the network command and a reverse mask to associate subnets with the OSPF
instance. Set the area that the subnet is a part of.
- network 20.1.2.0 0.0.0.255 area 0.0.0.0
- network 20.1.3.0 0.0.0.255 area 1
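The reverse-mask matching described above can be checked offline before a change is pushed. The following is an added example, not part of the course material: it evaluates the two network statements from this slide against a constructed set of interface addresses, and shows how an over-broad reverse mask enables OSPF on an interface nobody intended. The interface names and addresses, and the rule that the first matching statement wins, are assumptions of this sketch.

```python
import ipaddress

# The two statements shown on the slide: (network, reverse mask, area).
STATEMENTS = [
    ("20.1.2.0", "0.0.0.255", "0.0.0.0"),
    ("20.1.3.0", "0.0.0.255", "1"),
]

# Constructed sample interfaces (not from the course material).
INTERFACES = {
    "vlan.0.2": "20.1.2.1",
    "vlan.0.3": "20.1.3.1",
    "vlan.0.9": "20.1.9.1",   # user-facing VLAN that should NOT run OSPF
}


def area_id(text):
    """Normalise an area written as a decimal ("1") or dotted quad ("0.0.0.1")."""
    if "." in text:
        return str(ipaddress.IPv4Address(text))
    return str(ipaddress.IPv4Address(int(text)))


def matches(addr, network, reverse_mask):
    """True when addr equals network on every bit where the reverse mask is 0.

    A reverse mask is the bitwise inverse of a subnet mask: a 1 bit means
    "ignore this bit", a 0 bit means "this bit must match".
    """
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(reverse_mask)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def assign_areas(statements, interfaces):
    """Map each interface to the area of the first statement that covers it.

    Interfaces covered by no statement map to None (OSPF not enabled there).
    First-match ordering is an assumption of this sketch.
    """
    result = {}
    for name, addr in interfaces.items():
        result[name] = None
        for network, rmask, area in statements:
            if matches(addr, network, rmask):
                result[name] = area_id(area)
                break
    return result


def unintended(statements, interfaces, intended):
    """Interfaces that end up running OSPF although they are not in `intended`."""
    assigned = assign_areas(statements, interfaces)
    return sorted(n for n, a in assigned.items() if a is not None and n not in intended)


if __name__ == "__main__":
    print(assign_areas(STATEMENTS, INTERFACES))
    # A single broad statement is shorter to type but pulls in vlan.0.9 as well.
    broad = [("20.1.0.0", "0.0.255.255", "0")]
    print(unintended(broad, INTERFACES, intended={"vlan.0.2", "vlan.0.3"}))
```

An interface that runs OSPF unintentionally will exchange Hellos with whatever is attached to it, so the `unintended` check is worth running whenever a reverse mask wider than the subnet is used.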
111.1.3.0/24
111.1.2.0/24
111.1.1.0/24
IA 30.1.3.0/24
IA 30.1.2.0/24
IA 30.1.1.0/24
20.1.3.0/24
20.1.2.0/24
20.1.1.0/24
IA 10.3.2.0/24
IA 10.2.1.0/24
IA 10.3.1.0/24
10.1.2.0/24
10.1.1.0/24
Show ip ospf
Router1 (su-config)-> router ospf 10
Router1 (su-config-ospf-10)-> redistribute static metric 22 subnets
- metric 22: New Path Cost
- subnets: Include all subnets
S & N-series
Router1(su-config)->router ospf 10
Router1 (su-config-ospf-10)->area 0.0.0.2 authentication message-digest
Router1 (su-config-ospf-10)->exit
Router1 (su-config)->interface vlan 32
Router1 (su-config-intf-vlan.0.32)->ip ospf message-digest-key 22 md5 pats05
Router1 (su-config-intf-vlan.0.32)->exit
Create IP Interfaces
Setup Summarization
Setup Authentication
Simple
MD5
RID 3.3.3.3
RID 1.1.1.1
RID 2.2.2.2
Enterprise Routing
LSNAT Configuration
Version 4.03
A Siemens Enterprise Communications Company
A request for service is sent by the client to the server farm. The destination
address for the service request is the virtual server's unique Virtual IP
(VIP) address.
The LSNAT configured router recognizes the VIP address and knows that
LSNAT must select a real server to forward the request to.
Before forwarding the request, based upon the server load balancing
process configured, LSNAT selects the real server for this request.
LSNAT changes the destination IP address from the VIP address to the
address of the selected real server member of the server farm associated
with the VIP address.
The real server sends a service response back to the client with its address
as the response source address.
At the router, LSNAT sees the real server address and knows it must first
translate it back to the VIP address before forwarding the packet on to the
client.
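The request and response path described above, as an added example that is not part of the course material: a small model of an LSNAT router that rewrites the destination from the VIP to a selected real server, keeps a binding per client flow, and rewrites the source back to the VIP on the return path. All addresses are constructed, and the round-robin predictor and the per-flow binding table are assumptions of this sketch.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class LsnatRouter:
    """Toy model of the VIP <-> real-server translation (not vendor code)."""

    def __init__(self, vip, vport, real_servers):
        self.vip = vip
        self.vport = vport
        self.real_servers = list(real_servers)
        self.in_service = set(real_servers)
        self._next = 0
        self.bindings = {}  # (client ip, client port) -> real server ip

    def set_in_service(self, server, up):
        """Mark a real server up or down; down servers are skipped by selection."""
        if up:
            self.in_service.add(server)
        else:
            self.in_service.discard(server)

    def _select(self):
        """Round-robin over the farm, skipping servers that are out of service."""
        for _ in range(len(self.real_servers)):
            candidate = self.real_servers[self._next % len(self.real_servers)]
            self._next += 1
            if candidate in self.in_service:
                return candidate
        return None  # whole farm is down

    def from_client(self, pkt):
        """Client -> VIP: rewrite the destination to the selected real server."""
        if (pkt.dst, pkt.dport) != (self.vip, self.vport):
            return pkt  # not addressed to the VIP: routed without translation
        key = (pkt.src, pkt.sport)
        real = self.bindings.get(key)
        if real is None:
            real = self._select()
            if real is None:
                return None  # no server available, request cannot be forwarded
            self.bindings[key] = real
        return Packet(pkt.src, pkt.sport, real, pkt.dport)

    def from_server(self, pkt):
        """Real server -> client: rewrite the source back to the VIP.

        Only replies that belong to a known binding are translated, so the
        client never sees a real server address for a load-balanced flow.
        """
        key = (pkt.dst, pkt.dport)
        if self.bindings.get(key) == pkt.src and pkt.sport == self.vport:
            return Packet(self.vip, pkt.sport, pkt.dst, pkt.dport)
        return pkt


if __name__ == "__main__":
    # Constructed addresses: VIP 198.51.100.10:80, three real servers.
    router = LsnatRouter("198.51.100.10", 80, ["10.1.1.11", "10.1.1.12", "10.1.1.13"])
    request = Packet("203.0.113.5", 40001, "198.51.100.10", 80)
    forwarded = router.from_client(request)
    print("to real server:", forwarded)
    reply = Packet(forwarded.dst, 80, "203.0.113.5", 40001)
    print("to client:     ", router.from_server(reply))
```

The binding table is what makes the reverse translation safe: a packet from a real server that matches no binding leaves with its own source address, which is also how a misrouted or unsolicited server packet would show up in a capture.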
Reliability
- Server reliability is increased by allowing you to take individual servers offline without
disrupting ongoing service operations
Redundancy
- Load sharing also provides redundancy in the case of a server failure. LSNAT
automatically removes the failed server from the selection process.
Security
- Security is improved since only the VIP is known, not the real server IP addresses
Performance
- LSNAT improves network performance by leveling traffic over many systems
- Using LSNAT in conjunction with Aggregate Links removes the performance bottleneck
concerns of one physical link to a server by bundling multiple switch to server links
Enterprise Routing
Transparent Web Cache Balancing
(TWCB)
Version 4.03
A Siemens Enterprise Communications Company
When a user first accesses a web object, the object is stored on a cache
server. Each subsequent request for the object uses the cached object,
avoiding the need to access the host web site.
Web caching reduces network traffic and aids in optimizing bandwidth usage by localizing web
traffic patterns
Web caching allows end-users to access web objects stored on local cache-servers with a much
faster response time than accessing the same objects over an internet connection or through a
default gateway
Transparency: TWCB is transparent to the user; web traffic is automatically rerouted to the web-cache server
Load balancing: TWCB provides for load balancing across all cache-servers of a given server
farm. The farm can be configured so heavy web-users can be distributed across server resources
using a predictor round-robin algorithm.
Scalability: TWCB provides scalability through the ability to associate up to 128 cache-servers with the web-cache.
The web-cache: A logical entity in which all server farms reside. The current TWCB
implementation supports a single web-cache. You create a web-cache by naming it in
router configuration command mode.
4. The outbound interface: Typically an interface that connects to the internet. It is the
interface that will be used for redirecting web objects from the host web site to the
cache server
Enterprise Routing
ACL Configurations
Version 4.03
A Siemens Enterprise Communications Company
A standard ACL supports traffic control based on only the source IP address.
An extended ACL supports traffic control based on both the source and destination IP
address, as well as protocol and layer 4 port.
All ACLs are set with an implicit deny all rule as the last rule upon ACL creation.
N and S-Series Routers support the creation of both numbered and named ACLs in
Release 7.0.
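ACL feature support by platform (the per-platform support marks and footnote markers did not survive extraction)
Platforms, in column order: N-Series Diamond, N-Series Platinum, N-Series Gold, S-Series, C2/C3, C5, B5, B3, G3
Feature rows: Access-List Standard; Access-List Extended; Named ACLs, Standard/Extended; Interface Inbound; Interface Outbound
Row without a surviving label (nine values): 5,000; 5,000; 1,000; 5000; 100; 400; 200; 100; 100
Maximum Rules per group: 999; 999; 999; 999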
Configuration Limits
- Only one inbound and one outbound (if supported) ACL, standard or extended, may be
statically applied per interface.
- An ACL can contain up to a set maximum number of rules plus the implicit deny all rule.
- ACL rules are added to and deleted from an ACL group through CLI commands from router
configuration CLI mode or NetSight ACL Manager.
Example:
C2(su)->router(Config)# access-list 108 deny tcp 10.1.2.0 0.0.0.255 eq 80 any
Example:
C2(su)->router(Config)# access-list 101 permit ip any any
Valid number values are between 100 and 199 for extended ACLs.
N & S-Series
- The N & S-Series systems allow a total of 5,000 access rules to be applied to
Access Control Lists (ACLs)
- Individual ACL groups will support up to 999 access rules.
- 200 ACL groups can be created for both standard and extended
- For standard ACLs, valid values are 1 to 99 or named
- For extended ACLs, valid values are 100 to 199 or named
- To configure extended ACLs on N Gold and Platinum DFEs the advanced routing license is
required.
N & S-Series
- To move entries within an ACL:
N3 Chassis(su-config)->ip access-list standard 1
N3 Chassis(su-cfg-std-acl-1)-> move before 2 from 3 to 6
N3 Chassis(su-cfg-std-acl-1)-> exit
- To show ACLs:
N3 Chassis(su-config)->show access-lists
Standard IP access list 1 (9 entries)
1 permit 192.5.34.0 0.0.0.255
2 deny host 201.201.201.201
3 deny 201.1.1.1 0.0.0.255
4 permit 1.35.1.1 0.0.0.255
5 deny 201.1.1.2 0.0.0.255
6 deny host 101.101.101.101
7 deny 201.1.1.3 0.0.0.255
8 permit 201.1.1.4 0.0.0.255
-- implicit deny all
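Because rules are evaluated top-down with first match winning and an implicit deny at the end, rule order decides what an ACL actually enforces. The following is an added example (not part of the course material) that parses the standard ACL 1 output shown above, evaluates a source address against it, and reports rules that can never be hit because an earlier rule already covers every address they match. The function names are hypothetical and the parser handles standard ACLs only.

```python
import ipaddress
import re

# Constructed sample: the "show access-lists" output for standard ACL 1
# as it appears on the slide above.
ACL_1 = """\
Standard IP access list 1 (9 entries)
1 permit 192.5.34.0 0.0.0.255
2 deny host 201.201.201.201
3 deny 201.1.1.1 0.0.0.255
4 permit 1.35.1.1 0.0.0.255
5 deny 201.1.1.2 0.0.0.255
6 deny host 101.101.101.101
7 deny 201.1.1.3 0.0.0.255
8 permit 201.1.1.4 0.0.0.255
-- implicit deny all
"""

MASK32 = 0xFFFFFFFF
RULE_RE = re.compile(r"^\s*(\d+):?\s+(permit|deny)\s+(.+?)\s*$")


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(text):
    """Return [(seq, action, address, wildcard)] from show-command output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header line or the implicit-deny marker
        seq, action, spec = int(m.group(1)), m.group(2), m.group(3).split()
        if spec[0] == "any":
            addr, wild = 0, MASK32
        elif spec[0] == "host":
            addr, wild = to_int(spec[1]), 0
        else:
            addr, wild = to_int(spec[0]), to_int(spec[1])
        rules.append((seq, action, addr, wild))
    return rules


def matches(src, addr, wild):
    """Wildcard-mask match: bits set in `wild` are "don't care" bits."""
    return ((src ^ addr) & ~wild & MASK32) == 0


def evaluate(rules, source):
    """First matching rule wins; no match falls through to implicit deny."""
    src = to_int(source)
    for seq, action, addr, wild in rules:
        if matches(src, addr, wild):
            return action, seq
    return "deny", None


def shadowed_rules(rules):
    """Find rules fully covered by an earlier rule.

    Returns [(seq, covering_seq, conflict)], where conflict is True when the
    covered rule has the opposite action and so silently never takes effect.
    """
    found = []
    for i, (seq, action, addr, wild) in enumerate(rules):
        for eseq, eaction, eaddr, ewild in rules[:i]:
            # The earlier rule must ignore every bit this rule ignores and
            # agree with it on every bit the earlier rule does compare.
            if (wild & ~ewild & MASK32) == 0 and matches(addr, eaddr, ewild):
                found.append((seq, eseq, action != eaction))
                break
    return found


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_1)
    print(evaluate(acl, "201.1.1.4"))
    for seq, earlier, conflict in shadowed_rules(acl):
        note = "CONFLICTING action" if conflict else "redundant"
        print(f"rule {seq} is shadowed by rule {earlier} ({note})")
```

In ACL 1 the wildcard 0.0.0.255 makes rules 3, 5, 7 and 8 all describe 201.1.1.0/24, so the permit in rule 8 is never reached.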
ACL Logging: optionally, a user can configure N & S-Series Routers to log
traffic hits of ACL rules through syslog messaging.
Example:
N3 Chassis(su-cfg-std-acl-1)->permit 100.1.1.1 0.0.0.255 {log or log-verbose}
- Appending the log parameter to an ACL rule allows the router to keep track of ACL rule
hits for a defined parameter set. When access-list 102 is applied to an interface, traffic
matching this rule will be denied, and the event will be passed by the router to a syslog
server for logging purposes.
Displaying ACLs
- To display the current ACLs configured on the C2/C3, use the following
command from router mode:
C2(su)->router> show access-lists [number]
- Example:
C2(su)->router> show access-lists
Standard IP access-list 10
1: permit 192.168.100.0 0.0.0.255
2: permit 192.168.200.0 0.0.0.255
3: permit host 192.168.30.1
4: deny 192.168.0.0 0.0.255.255
5: deny 172.16.0.0 0.0.255.255
6: permit any
Extended IP access list 110
1: permit tcp host 10.1.2.3 eq 17 any
2: deny udp host 14.9.123.52 eq 512 14.0.0.0 0.255.255.255
3: permit tcp host 125.34.12.4 eq 25 host 15.23.19.3
- Example:
C2(su)->router> show ip interface vlan 123
Vlan 123 is Admin UP
Vlan 123 is Oper UP
Primary IP Address is 172.16.0.1 Mask 255.255.255.0
Frame Type Ethernet
MAC-Address 0001.F45F.49C5
ip access-group 64 in
Outgoing AccessList is not set
MTU is 6145 bytes
ARP Timeout is 1 seconds
Direct Broadcast Disabled
Proxy ARP is Disabled
Policy Based Routing (PBR): Allows packets that meet an ACL's criteria to be looked up in a route
map to determine the next hop.
This allows packets that meet one set of criteria to go in one direction while those that meet a different
set of criteria go another way, all without the use of a routing protocol.
RouterA(su-config)->show ip route
Codes: C-connected, S-static, R-RIP, B-BGP, O-OSPF, IA-OSPF interarea
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       E - EGP, i - IS-IS, L1 - IS-IS level-1, LS - IS-IS level-2
       * - candidate default, U - per-user static route, o - ODR
O IA 10.1.4.0/24 [110/20] via 10.1.3.2 Vlan 13
C    10.1.1.0/24 [0/1] directly connected, Vlan 10
C    10.1.2.0/24 [0/1] directly connected, Vlan 12
C    10.1.3.0/24 [0/1] directly connected, Vlan 13
C    10.1.5.0/24 [0/1] directly connected, Vlan 15
Create an ACL
RouterA(su-config)->ip access-list extended 101
RouterA(su-cfg-ext-acl-101)->permit ip 10.1.1.0 0.0.0.255 10.1.4.0 0.0.0.255
Enterprise Routing
Multicast Routing
Version 4.03
A Siemens Enterprise Communications Company
[Figure: multicast dataflow between a Designated Router and a Last-Hop Router; labels: 192.18.0.32, Switch, Sales, No receivers]
Requirements for one-to-many, many-to-many and many-to-one data
transmissions are becoming standard.
Multicast protocols address the inefficiency of routing these types of traffic as traditional unicast
transmissions.
2. Querier
A Querier is a switch or router that manages IGMP group memberships for a
network and communicates with the Hosts on the LAN segment to establish these
memberships.
Only one Querier exists per LAN segment. This may be implemented by a layer 2 or
layer 3 device.
The device with the lowest IP address assumes the role of Querier for a LAN segment.
3. Hosts
Hosts are IGMP clients who wish to participate in the IGMP groups for the receipt of
multicast traffic.
When a querier wants to discover if on-link hosts want to receive multicast traffic, it
sends an IGMP Query message.
[Figure: IGMP join and leave sequence, steps 1 to 8, on Network A; labels: Multicast Server, Router 1, Switch 1, Switch 2, Switch 3, Receiver 1, Receiver 2, Solicited Join, Unsolicited Join & IGMP Leave. Step 1: The multicast stream is sent to the switch by the host (server).]
Although configuration of a unicast routing protocol such as OSPF is required with PIM,
PIM-SM is protocol independent. That is, it does not rely on any one particular underlying
routing protocol to operate. It can function using routes from OSPF, RIP, static
configuration, or a combination of unicast route types.
PIM relies on IGMP to determine group memberships and uses unicast routes to perform
reverse path forwarding (RPF) checks, which are essentially route lookups on the multicast
source.
PIM-SM works on the assumption that recipients for any multicast group will be sparsely
distributed throughout a network. Therefore, not all subnets in a network will have interest in
multicast traffic.
It overcomes scaling limitations present in earlier multicast routing protocols such as
DVMRP, in which packets were flooded everywhere and then pruned off branches where no
receivers were present.
PIM-SM explicitly constructs a tree from each sender to receivers in a multicast group
making better use of bandwidth.
Scenarios for using PIM-SM include desktop video conferencing and telephone conference
calls.
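The RPF check described above is a unicast route lookup on the multicast source: a packet is accepted only if it arrived on the interface the router would itself use to reach that source. The following is an added sketch (not Enterasys code) that runs the check against a route table constructed from the RouterA "show ip route" output earlier on this page; the function names are hypothetical.

```python
import ipaddress

# Constructed from the RouterA "show ip route" output earlier on this page:
# (prefix, outgoing interface)
ROUTES = [
    ("10.1.4.0/24", "Vlan 13"),  # O IA, via 10.1.3.2
    ("10.1.1.0/24", "Vlan 10"),  # connected
    ("10.1.2.0/24", "Vlan 12"),  # connected
    ("10.1.3.0/24", "Vlan 13"),  # connected
    ("10.1.5.0/24", "Vlan 15"),  # connected
]


def rpf_interface(routes, source):
    """Longest-prefix match on the multicast SOURCE address.

    Returns the interface the unicast table uses to reach the source,
    or None when there is no route back to it.
    """
    src = ipaddress.ip_address(source)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def rpf_check(routes, source, arrival_if):
    """Return (accepted, reason) for a multicast packet from `source`."""
    expected = rpf_interface(routes, source)
    if expected is None:
        return False, "no unicast route to source"
    if expected != arrival_if:
        return False, f"expected {expected}"
    return True, expected


def filter_stream(routes, packets):
    """Split constructed (source, group, arrival_if) tuples into
    forwarded and dropped lists according to the RPF check."""
    forwarded, dropped = [], []
    for source, group, arrival_if in packets:
        ok, reason = rpf_check(routes, source, arrival_if)
        (forwarded if ok else dropped).append((source, group, arrival_if, reason))
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed sample packets: same source seen on two interfaces,
    # plus one source with no route back.
    sample = [
        ("10.1.4.25", "239.1.1.1", "Vlan 13"),
        ("10.1.4.25", "239.1.1.1", "Vlan 10"),
        ("172.16.9.9", "239.1.1.1", "Vlan 12"),
    ]
    fwd, drop = filter_stream(ROUTES, sample)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```

A copy of the stream arriving on any interface other than the RPF interface is dropped, which prevents loops and also rejects traffic whose source address does not fit the unicast topology.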
PIM-SM dynamically builds a distributed tree topology for forwarding multicast data on a network.
The protocol designates a router as a rendezvous point (RP).
The RP represents the root of the distributed or shared tree. It is generally recommended that the
RP be statically configured on routers participating in a PIM-SM environment.
1. When a designated router (DR) receives multicast traffic from a particular source, traffic flows
through the DR to the RP. The RP then forwards traffic on towards multicast receivers
requesting that group.
- The multicast source's DR registers with the RP and sends multicast data from the source directly to the
RP via a unicast routing protocol.
2. When a last-hop router receives the first packet of traffic for a multicast group requested by a
multicast receiver on that router, the last-hop router forwards traffic to the receiver, and then
uses reverse path forwarding (RPF) to learn the shortest path to the group source.
- The DR then stops using the RP (a prune message is sent to terminate traffic along that route) and
begins using the shortest path tree (SPT) between the multicast source and multicast receiver.
By using the SPT or shortest path route, unnecessary traffic concentrations and throughput delays are
reduced.
Alternatively, the network can be set up to allow multicast traffic to flow only through the RP; doing so
can increase the traffic load on the RP and cause delays in packet delivery.
3. If the RP has no current join requests for the group, source traffic is dropped at the RP.
Within a PIM-SM domain, routers can be statically or dynamically configured to perform different
roles:
PIM-SM version 1 messages are used within IGMP packets. PIM-SM version 2 messages are
encapsulated in IP packets with a protocol number of 103. Initially, PIM-SM uses a shared tree for
multicast distribution. A router is administratively elected as the rendezvous point in the network. New
sources are required to register with the rendezvous point. Once this is done, then multicast packets
are forwarded to receivers.
Enterasys PIM-SM enabled devices use the following message types:
1. The source's DR registers and sends multicast data from the source directly to the RP via a unicast
routing protocol.
2. The leaf/last-hop router (that is, the receiver's router) sends a multicast group (*,G) join message
upstream to the RP, indicating that the receiver wants to receive the multicast data. This builds the
reverse path tree (RPT) between the leaf router and the RP.
3.
4. The last-hop router joins the shortest path tree (SPT) and sends an (S,G) join message to the source.
This builds the shortest path tree (SPT).
5. Native multicast packets (that is, non-registered packets) are sent from the source's DR to the receiver
on its SPT, while registered multicast packets continue to be sent from the source's DR to the RP.
6.
7. As a result of the prune sent in step 6, a prune message (register-stop) is sent from the RP to the
source's DR once traffic is flowing down the SPT; the RPT is then pruned for that given (S,G).
Operational Considerations
Enterasys supports version 2 of the PIM protocol as described in RFC 2362 and
draft-ietf-pim-sm-v2-new-09.
PIM-SM is supported on Enterasys Matrix N & S-Series, Secure Stack C2 and C3,
and G-Series platforms on which routing has been enabled.
On Secure Stack C2 and C3 devices and G-Series devices, PIM-SM is an
advanced routing feature that must be enabled via a license key.
A minimum of 256 MB of memory is required on DFE modules in order to enable
PIM.
- Use the show system hardware command to display the amount of memory installed on a
module. Module memory can be upgraded to 256 MB using the DFE-256MB-UGK memory
kit.
Enterprise Routing
Virtual Router Redundancy Protocol (VRRP)
A Siemens Enterprise Communications Company
Version 4.03
[Figure: VRRP operation. Labels: IP Address Owner (VRRP cfg: VRID=1, IP=IP1, Pri=255); second router (VRRP cfg: VRID=1, IP=IP1, Pri=100); VR Master Election; VR Master; Normal Operation; VRRP Advertisement (ADV); Master; Backup; New Master; VMAC1; IP1 to IP4; MAC1 to MAC4; hosts configured with Gateway=IP1 and MAC(IP1)=VMAC1]
where Skew_Time=(256-Priority)/256
Virtual MAC address format: 00-00-5E (IANA), 00-01 (VRRP), xx (VRID)
RouterB(rw)->Router#show ip vrrp
Vlan  Vrid  State   Owner  AssocIpAddr  Priority  VirtMacAddr
10    1     Backup  0      10.1.1.254   100       0000.5e00.0101
Host ARP
- When a host sends an ARP request for a VR IP address:
- VR Master must respond with the virtual MAC address (00-00-5e-00-01-VRID),
regardless of whether it is the IP address owner or not
- VR Backup must not respond to the ARP request
Gratuitous ARP
- When a VR becomes the master, it sends a gratuitous ARP for the VR IP address with the
virtual MAC address.
- This enables switches to bind the VR MAC address to the correct port in the FDB and updates the
ARP caches of all on-link nodes. The VR master sends a gratuitous ARP every 10 seconds.
The virtual router is configured with a VRID, or Virtual Router Identifier. This VRID
can range from 1 to 255 and is unique to each virtual router on a particular LAN
segment.
Critical IP functionality allows the user to force a VRRP failover if a specified
interface goes down, such as the uplink to the default gateway for instance.
The master-icmp-reply command enables an enhancement to the standard RFC
behavior which allows the VRRP master to reply to ICMP requests when it is not
the IP owner.
Preempt mode and delay allow the user to control whether or not a failover occurs
when the Primary master comes back up and how long to wait before the preempt
occurs.
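VRRP limits by switch family
Columns: Switch Family; Max Entries (Total VRRP Networks); Virtual IP Addresses per Interface; Virtual Router IDs per IF; Critical IPs per VID
Values as extracted (cells shared between rows are not repeated):
S-Series: 2048; 16; 10
N-Series (Platinum): 1,024
N-Series (Gold): 128
C2/C3/C5: 480; 20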
N & S-Series
- Prior to firmware release 7.0, VRRP was configured from the router VRRP configuration command mode. VRRP
configuration has been moved to the interface configuration command mode for release 7.0.
- Support VRRP state transition and authentication failure traps.
- Support MD5 and text authentication of VRRP advertisements.
- Up to 10 Critical IPs.
- If the router is the IP owner, the Master will always preempt immediately, regardless of preempt mode settings. To avoid this issue, use a
Virtual IP address that does not already exist on the routers.
- Supports master-icmp reply, to enable ICMP replies for non-owner masters.
Configuration Command / Explanation
vrrp address
Example:
(su-config-intf-vlan.0.10)->vrrp address 1 10.1.1.254
Associates the virtual address of 10.1.1.254 with VRID 1 for the interface on VLAN 10 as non-IP
address owner.
vrrp priority
Example:
(su-config-intf-vlan.0.10)->vrrp priority 1 200
Assigns a priority of 200 to VRID 1 for the interface on VLAN 10. Possible values are from 1 to 254,
with the higher values indicating increased priority. The value of 255 is reserved for the VRRP
router that owns the IP address associated with the virtual router. Priority 0 is reserved for signaling
that the master has stopped working.
Assigns the critical IP address of 10.1.3.1 for VRID 1 on the interface on VLAN 10. Therefore, if the
local interface with this IP address were unreachable, it would reduce the VRID's priority by the
critical priority setting (default 10). When the priority falls below that of the backup, it indicates that the Master
has failed.
vrrp enable
Example:
(su-config-intf-vlan.0.10)-> vrrp enable
ICMP Echo
- Per RFC, only the IP address owner responds to ICMP Echo Requests destined to the virtual
router's IP address.
- Depending on implementation, a non-owner master may respond to ICMP Echo Requests through
a configuration option:
- N & S Series: RouterA(su-config-intf-vlan.0.10)->vrrp accept-mode <VRRP ID>
ICMP Redirect
- When a default router finds that another router on the same subnet provides a better first hop in
the path to a destination, it sends an ICMP Redirect to notify the host.
- Depending on the network topology, this could create issues when VRRP is running as
well.
- Per RFC, ICMP Redirects may be used together with VRRP in an asymmetric topology.
- If used, the IP source address of an ICMP redirect should be set to the virtual router's IP address
when a VRRP master router is generating the ICMP Redirect message.
- It may be useful to disable Redirects for specific cases where VRRP is used to load share
traffic in a symmetric topology.
N-Series
RouterA(su-config-intf-vlan.0.10)->
RouterA: vrrp create 1 v2-IPv4
RouterA: vrrp address 1 10.1.1.254
RouterA: vrrp priority 1 200
RouterA: vrrp critical-ip 1 10.1.3.1 101
RouterA: vrrp accept-mode 1
RouterA: vrrp enable 1
router vrrp
RouterB: create vlan 10 1
RouterB: address vlan 10 1 10.1.1.254 0
RouterB: priority vlan 10 1 100
RouterB: enable vlan 10 1
N-Series
RouterA(su-config-intf-vlan.0.20)->
RouterA: vrrp create 2 v2-IPv4
RouterA: vrrp address 2 10.1.2.2
RouterA: vrrp enable 2
router vrrp
RouterB: create vlan 20 2
RouterB: address vlan 20 2 10.1.2.2 1
RouterB: enable vlan 20 2
RouterB(su)->router#show ip vrrp
Vlan  Vrid  State   Owner  AssocIpAddr  Priority
20    2     Master  1      10.1.2.2     255
[Figure: failover sequence; labels: Master, New Master, ADV(0)]
- When the path is restored, so is the VR priority, and the master
will resume the master state if preemption is enabled.
RouterB(rw)->Router#show ip vrrp
Vlan  Vrid  State   Owner  AssocIpAddr  Priority  VirtMacAddr
10    1     Master  0      10.1.1.254   100       0000.5e00.0101
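The failover above can be worked through numerically. This added example (not Enterasys code) models the VLAN 10 configuration from the earlier slide, RouterA at priority 200 with `vrrp critical-ip 1 10.1.3.1 101` and RouterB at priority 100, and derives the virtual MAC, the skew time and who holds mastership as the critical IP goes down and comes back. It assumes the trailing 101 is the priority decrement applied while the critical IP is unreachable, assumes a floor of 1 on the reduced priority, and uses the RFC 3768 master-down interval of 3 x advertisement interval + skew time.

```python
from dataclasses import dataclass


@dataclass
class VrrpRouter:
    name: str
    priority: int                 # configured priority (255 = IP address owner)
    critical_decrement: int = 0   # assumed: subtracted while critical IP is down
    preempt: bool = True


def virtual_mac(vrid, dotted=False):
    """00-00-5e-00-01-VRID; dotted=True gives the show-command notation."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    digits = "00005e0001%02x" % vrid
    if dotted:
        return ".".join(digits[i:i + 4] for i in (0, 4, 8))
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def skew_time(priority):
    """Skew_Time = (256 - Priority) / 256, in seconds."""
    return (256 - priority) / 256


def master_down_interval(priority, adv_interval=1.0):
    """RFC 3768: how long a backup waits without advertisements."""
    return 3 * adv_interval + skew_time(priority)


def effective_priority(router, critical_up=True):
    if critical_up:
        return router.priority
    # Floor of 1 is an assumption; 0 is reserved for "master is resigning".
    return max(router.priority - router.critical_decrement, 1)


def elect(routers, critical_up):
    """Initial election: highest effective priority wins (ties not modelled)."""
    return max(
        routers,
        key=lambda r: effective_priority(r, critical_up.get(r.name, True)),
    ).name


def next_master(current, routers, critical_up):
    """Who is master after a state change, honouring preempt mode.

    A challenger takes over only if its effective priority is higher than the
    current master's and it may preempt; the IP address owner (255) always may.
    """
    by_name = {r.name: r for r in routers}
    cur = effective_priority(by_name[current], critical_up.get(current, True))
    challengers = [
        r for r in routers
        if r.name != current
        and (r.preempt or r.priority == 255)
        and effective_priority(r, critical_up.get(r.name, True)) > cur
    ]
    if not challengers:
        return current
    return max(
        challengers,
        key=lambda r: effective_priority(r, critical_up.get(r.name, True)),
    ).name


if __name__ == "__main__":
    a = VrrpRouter("RouterA", 200, critical_decrement=101)
    b = VrrpRouter("RouterB", 100)
    group = [a, b]
    master = elect(group, {})
    print("normal operation:", master, virtual_mac(1, dotted=True))
    master = next_master(master, group, {"RouterA": False})
    print("critical IP down: RouterA priority",
          effective_priority(a, False), "->", master)
    master = next_master(master, group, {"RouterA": True})
    print("path restored:", master)
    print("RouterB master-down interval:", master_down_interval(100), "s")
```

With preempt disabled on RouterA, the last step leaves RouterB as master even though RouterA's priority has returned to 200.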
Authentication can help to guarantee that routing information is imported only from
trusted routers.
Authentication can be used to avoid careless misconfiguration.
Simple and MD5 authentication schemes can be used, but a single scheme must
be configured for each network.
The authentication command specified at the interface level determines the type of
authentication and key values used for each VRRP instance.
Simple Authentication:
RouterA(su-config)->interface vlan.0.10
RouterA(su-config-intf-vlan.0.10)->vrrp authentication simple vrrpkey
Enterprise Routing
Troubleshooting
Version 4.03
A Siemens Enterprise Communications Company
Within this module, we will examine the commands and tools most
commonly used to determine if a reported problem, within a routed
environment, is actually a network related issue.
Show Commands
Logging Commands
Ping & Trace Route
Debugging Commands (N & S Series)
Third Party Tools (e.g., Wireshark)
NMS (NetSight)
The show commands listed in the following slides are some of the most
frequently used commands for troubleshooting network problems:
- show version (Use this command to display hardware and firmware information)
- show system utilization (Use this command to display system resource utilization
information)
- show port status (Use this command to display operating and admin status, speed,
duplex mode and port type for one or more ports on the device)
- show port counters (Use this command to display port counter statistics detailing traffic
through the device)
- show spantree stats [port port-string] [sid sid] (Use this command to display Spanning
Tree information for one or more ports.)
RouterB(su)->show spantree stats port ge.1.1
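Spanning tree status - disabled
(Field labels for the following values did not survive extraction; values in order: 0, 00:11:88:64:FB:42, 0, 0, 20, 2, 15, 00:11:88:64:FB:42)
Bridge ID Priority - 32768
(Field labels for the following values did not survive extraction; values in order: 20, 2, 15, 0, 0 days 2:47:42, 20)
ge.1.1: State Disabled, Role Disabled, Priority 128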
- show vlan [vlan-list] (Use this command to display all information related to one
or more VLANs. Only ports that are in a forwarding state will be displayed by this
command)
This example shows how to display information for a VLAN
Matrix(rw)->show vlan 1
VLAN: 1 NAME: DEFAULT VLAN Status: Enabled
VLAN Type: Permanent FID: 1
Creation Time: 4 days 9 hours 4 minutes 50 seconds ago
Egress Ports
host.0.1, fe.1.1-10, ge.2.1-4, fe.3.1-7, lag.0.1-32
Forbidden Egress Ports
None.
Untagged Ports
host.0.1, fe.1.1-10, ge.2.1-4, fe.3.1-7, lag.0.1-32
- show vlan static [vlan-list] (Use this command to display all information related
to one or more VLANs, regardless of port state. Note that both forwarding and non-forwarding ports will be displayed by this command)
- show ip arp [ip-address] (Use this command to display entries in the Address
Resolution Protocol, ARP table. ARP converts an IP address into a physical
address.)
This example shows how to use the show ip arp command:
Router#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
----------------------------------------------------------------------
Internet  192.168.200.251             0003.4712.7a99  ARPA  Vlan1
Internet  192.168.200.141             0002.1664.a5b3  ARPA  Vlan1
Internet  134.141.235.167             00d0.cf00.4b74  ARPA  Vlan2
[Figure: routers R1 and R2 and VLAN 5; labels: 192.168.5.0, .1, .2, 192.168.4.0, 10.10.1.0]
R1(su)->router> show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, IA - OSPF interarea
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
E - EGP, i - IS-IS, L1 - IS-IS level-1, LS - IS-IS level-2
* - candidate default, U - per user static route
C
C
S
R
- show ip protocol (Use this command to display information about IP protocols running on
the device)
This example shows how to display IP protocol information. In this case, the routing protocol is
OSPF:
RouterC(rw)->Router#show ip protocols
Routing Protocol is "ospf 10"
Outgoing update filter list for all interfaces is not set
Incoming update filter list for all interfaces is not set
Redistributing: ospf 10
Routing for Networks:
3.3.3.3/32
10.1.3.0/24
10.1.2.0/24
Routing Information Sources:
Gateway   Distance  Last Update
2.2.2.2   10        0:05:34
1.1.1.1   10        0:05:34
- Limit the types of messages that are logged by setting the appropriate logging severity
level (for syslog server only)
Note:
Logging messages can also be viewed by issuing the show logging buffer command. By default, all log
messages are directed to the log buffer. The log buffer is cleared on system reboot.
- show logging all (Use this command to display all configuration information for
system logging.)
RouterC(su)->show logging all
Application
----------------------------------------------
 89  CLI       1-8
 90  SNMP      1-8
 91  Webview   1-8
 93  System    1-8
 95  RtrFe     1-8
 96  Trace     1-8
112  UPN       1-8
117  AAA       1-8
118  Router    1-8
140  AddrNtfy  1-8
141  OSPF      1-8
142  VRRP      1-8
147  LACP      1-8
1(emergencies)  2(alerts)         3(critical)     4(errors)
5(warnings)     6(notifications)  7(information)  8(debugging)
   IP Address   Facility  Severity      Description  Port  Status
----------------------------------------------------------------
1  10.1.12.12   local4    debugging(8)  default      514   enabled
Defaults:       local4    debugging(8)               514
- show logging buffer (Use this command to display the last 256 messages
logged within the logging buffer)
This example shows a portion of the information displayed with the show logging buffer command:
RouterC(su)->show logging buffer
<164>Aug 19 14:15:37 172.10.1.101 Trace[1]OSPF: rcv. v:2 t:1 l:48 rid:1.1.1.1 ai
d:0.0.0.0 chk:dc8d aut:0 auk: from vlan 20
<164>Aug 19 14:15:37 172.10.1.101 Trace[1]OSPF: rcv. v:2 t:1 l:48 rid:2.2.2.2 ai
d:0.0.0.0 chk:d88b aut:0 auk: from vlan 30
<164>Aug 19 14:15:44 172.10.1.101 Trace[1]OSPF: tx. v:2 t:1 l:48 aid:0.0.0.0 chk
:d88b aut:0 auk: src:10.1.3.2 dst:224.0.0.5 to vlan 30
<164>Aug 19 14:15:44 172.10.1.101 Trace[1]OSPF: tx. v:2 t:1 l:48 aid:0.0.0.0 chk
:dc8d aut:0 auk: src:10.1.2.2 dst:224.0.0.5 to vlan 20
<164>Aug 19 14:15:47 172.10.1.101 Trace[1]OSPF: rcv. v:2 t:1 l:48 rid:1.1.1.1 ai
d:0.0.0.0 chk:dc8d aut:0 auk: from vlan 20
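The leading `<164>` on each buffer line is the syslog priority value, and the OSPF trace fields show whether received packets carry authentication. This added example (not Enterasys code) decodes the priority into facility and severity and lists neighbors whose received OSPF packets show `aut:0`. It assumes the trace keys map to OSPF header fields (`t` = packet type, `rid` = router ID, `aut` = AuType, where 0 is null authentication per RFC 2328), and that the device's 1 to 8 severity scale is the RFC 3164 0 to 7 scale shifted by one.

```python
import re

# The five buffer lines from the slide above, with the 80-column terminal
# wrapping rejoined (constructed sample input).
LOG_BUFFER = [
    "<164>Aug 19 14:15:37 172.10.1.101 Trace[1]OSPF: rcv. v:2 t:1 l:48 "
    "rid:1.1.1.1 aid:0.0.0.0 chk:dc8d aut:0 auk: from vlan 20",
    "<164>Aug 19 14:15:37 172.10.1.101 Trace[1]OSPF: rcv. v:2 t:1 l:48 "
    "rid:2.2.2.2 aid:0.0.0.0 chk:d88b aut:0 auk: from vlan 30",
    "<164>Aug 19 14:15:44 172.10.1.101 Trace[1]OSPF: tx. v:2 t:1 l:48 "
    "aid:0.0.0.0 chk:d88b aut:0 auk: src:10.1.3.2 dst:224.0.0.5 to vlan 30",
    "<164>Aug 19 14:15:44 172.10.1.101 Trace[1]OSPF: tx. v:2 t:1 l:48 "
    "aid:0.0.0.0 chk:dc8d aut:0 auk: src:10.1.2.2 dst:224.0.0.5 to vlan 20",
    "<164>Aug 19 14:15:47 172.10.1.101 Trace[1]OSPF: rcv. v:2 t:1 l:48 "
    "rid:1.1.1.1 aid:0.0.0.0 chk:dc8d aut:0 auk: from vlan 20",
]

FACILITIES = {16 + n: f"local{n}" for n in range(8)}
RFC_SEVERITY = ["emergency", "alert", "critical", "error",
                "warning", "notice", "informational", "debug"]
OSPF_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
              4: "Link State Update", 5: "Link State Ack"}
AUTH_TYPES = {0: "null", 1: "simple password", 2: "cryptographic"}

LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3} +\d+ [\d:]{8}) (\S+) (\w+)\[(\d+)\](\w+): "
    r"(rcv|tx)\. (.*)$"
)


def decode_pri(pri):
    """PRI = facility * 8 + severity (RFC 3164)."""
    facility, severity = pri >> 3, pri & 7
    return {
        "facility": FACILITIES.get(facility, str(facility)),
        "rfc_severity": severity,
        "rfc_name": RFC_SEVERITY[severity],
        "device_level": severity + 1,  # assumed mapping to the 1-8 scale
    }


def parse_line(line):
    """Parse one buffer line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, stamp, host, app, _, proto, direction, rest = m.groups()
    record = decode_pri(int(pri))
    vlan = re.search(r"(?:from|to) vlan (\d+)", rest)
    record.update(
        timestamp=stamp, host=host, app=app, proto=proto,
        direction=direction,
        vlan=int(vlan.group(1)) if vlan else None,
        fields=dict(re.findall(r"(\w+):(\S*)", rest)),
    )
    return record


def null_auth_neighbors(lines):
    """(vlan, router-id) pairs whose received OSPF packets use AuType 0."""
    found = set()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["proto"] != "OSPF" or rec["direction"] != "rcv":
            continue
        fields = rec["fields"]
        if fields.get("aut") == "0" and "rid" in fields:
            found.add((rec["vlan"], fields["rid"]))
    return sorted(found)


if __name__ == "__main__":
    first = parse_line(LOG_BUFFER[0])
    print(first["facility"], first["rfc_name"], "device level",
          first["device_level"])
    print("packet type:", OSPF_TYPES[int(first["fields"]["t"])])
    for vlan, rid in null_auth_neighbors(LOG_BUFFER):
        print(f"vlan {vlan}: neighbor {rid} sends OSPF with "
              f"{AUTH_TYPES[0]} authentication")
```

Priority 164 decodes to facility local4, matching the syslog server configuration shown in this module, with RFC severity 4 (warning).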
- show logging local (Use this command to view the current status for local logging
configuration)
RouterC(su)->show logging local
Syslog Console Logging enabled
Syslog File Logging disabled
- set logging local console {enable | disable} file {enable | disable} (Use this command
to configure log messages to the console and a persistent file)
- clear logging local (Use this command to clear the console and persistent store logging
for the local session)
- set logging here {enable | disable} (Use this command to enable or disable the current
CLI session as a Syslog destination)
- clear logging here (Use this command to clear the logging state for the current CLI
session)
- set logging server {index, ip-addr} (Use this command to configure a Syslog server)
- show logging server (Use this command to display the Syslog configuration for a
particular server)
RouterC(su)->show logging
    IP Address     Facility  Severity       Description  Port  Status
------------------------------------------------------------------------
 1  10.1.12.12     local4    debugging(8)   default      514   enabled
Once syslog has been configured, log messages can be directed to and saved at an external location.
Two handy tools for troubleshooting network related problems are ping and trace
route.
Both ping and trace route are based on the Internet Control Message Protocol
(ICMP), which is used within IP to communicate network conditions that may require
attention.
The ping command can be used to verify end station reachability and network
connectivity.
- Ping (Use this command to test routing network connectivity by sending IP ping requests)
This example shows output from a successful ping to IP address 182.127.63.23:
Router#ping 182.127.63.23
Reply from 182.127.63.23
Reply from 182.127.63.23
Reply from 182.127.63.23
This example shows output from an unsuccessful ping to IP address 182.127.63.24:
Matrix>Router#ping 182.127.63.24
Timed Out
Timed Out
Timed Out
The trace route command is a helpful tool for debugging IP route
forwarding issues: it discovers the path that a router's packets will follow when
traveling to a destination.
As with ping, it is generally a good idea to use the traceroute command when the
network is functioning correctly so you have a baseline to compare against when
troubleshooting.
- traceroute (Use this command to display a hop-by-hop path through an IP network from the device to a
specific destination host)
Router#traceroute 192.167.225.46
Traceroute to 192.167.225.46, 30 hops max, 40 byte packets
1 10.00 ms 20.00 ms 20.00 ms 192.167.201.2 []
2 20.00 ms 20.00 ms 20.00 ms 192.4.9.10 [enatel-rtr10.enatel.com]
3 240.00 ms * 480.00 ms 192.167.208.43 [enatel-rtr43.enatel.com]
4 <1 ms * 20.00 ms 192.167.225.46 [enatel-rtr46.enatel.com]
TraceRoute Complete
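An added example, not part of the course material: a Python sketch of the baseline comparison recommended above. It parses traceroute output in the format shown, including `*` and `<1 ms` probes, and reports hops whose address changed or whose worst round-trip time grew beyond a threshold. The second capture, the address 192.4.9.77 and the factor of 3 are constructed assumptions, and only the hop line shape shown on this page is handled.

```python
import re

# Baseline: the traceroute output shown above, taken while the network is healthy.
BASELINE = """\
Traceroute to 192.167.225.46, 30 hops max, 40 byte packets
1 10.00 ms 20.00 ms 20.00 ms 192.167.201.2 []
2 20.00 ms 20.00 ms 20.00 ms 192.4.9.10 [enatel-rtr10.enatel.com]
3 240.00 ms * 480.00 ms 192.167.208.43 [enatel-rtr43.enatel.com]
4 <1 ms * 20.00 ms 192.167.225.46 [enatel-rtr46.enatel.com]
TraceRoute Complete
"""
# Constructed capture taken during troubleshooting (hop 2 differs, hop 4 is slower).
CURRENT = """\
Traceroute to 192.167.225.46, 30 hops max, 40 byte packets
1 10.00 ms 20.00 ms 20.00 ms 192.167.201.2 []
2 20.00 ms 20.00 ms 30.00 ms 192.4.9.77 []
3 240.00 ms 250.00 ms 480.00 ms 192.167.208.43 [enatel-rtr43.enatel.com]
4 90.00 ms * 95.00 ms 192.167.225.46 [enatel-rtr46.enatel.com]
TraceRoute Complete
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\[(.*?)\]\s*$")
PROBE_RE = re.compile(r"\*|<?\d+(?:\.\d+)?\s*ms")

def parse(text):
    """Map hop number -> {'ip', 'rtts'}; a lost probe is None, '<1 ms' is read as 1.0."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # header and trailer lines
        rtts = [None if p == "*" else float(p.strip("<ms "))
                for p in PROBE_RE.findall(m.group(2))]
        hops[int(m.group(1))] = {"ip": m.group(3), "rtts": rtts}
    return hops

def compare(baseline, current, factor=3.0):
    """Return (hop, kind, detail) for each hop that deviates from the baseline."""
    findings = []
    for hop in sorted(set(baseline) | set(current)):
        b, c = baseline.get(hop), current.get(hop)
        if b is None or c is None:
            findings.append((hop, "path-length-changed", ""))
        elif b["ip"] != c["ip"]:
            findings.append((hop, "path-changed", f"{b['ip']} -> {c['ip']}"))
        else:
            b_max = max((r for r in b["rtts"] if r is not None), default=None)
            c_max = max((r for r in c["rtts"] if r is not None), default=None)
            if b_max and c_max and c_max > factor * b_max:
                findings.append((hop, "latency", f"{b_max} ms -> {c_max} ms"))
    return findings
```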
Router debugging is a powerful tool that can be used to isolate network problems.
It provides a mechanism to collect data on network traffic that is present (or not
present) on the network.
- debug ip (Use this command to enable the debug IP packet utility for monitoring of IP traffic)
RouterA(su-config)->debug ip ?
ospf
packet
vrrp
debug vrrp
This example shows how to set up a debug session for IP OSPF adjacency events:
Router(config)#debug ip ospf ?
adj
flood
OSPF flooding
OSPF packets
OSPF graceful restart
OSPF spf
Before entering the debug ip ospf adj command, enter a set logging here enable command to direct
SYSLOG messages to the CLI session window:
RouterC(su)->set logging here
- show debugging (Use this command to display the debug IP Packet utility settings)
Router(config)#show debugging
OSPF adj debugging is on
OSPF restart debugging is on
- debug ip packet restart (Use this command to restart the debug IP packet utility)
- no debug ip ospf adj (Use this command to disable the debug IP packet utility for OSPF
adjacency events)
In many instances, a third-party diagnostic tool can be just as useful in diagnosing
network failures as the router's built-in commands and tools.
Network analyzers like Wireshark can be used to decode many types of protocols
across numerous layers of the OSI model.
NetSight Console provides a collection of tools that let you monitor device status,
define network configuration, and automate troubleshooting tasks.
It is designed to facilitate specific network management tasks (such as
troubleshooting) while sharing data and providing common controls and a
consistent user interface.
Console Tools:
- MIB Tools
- Topology Manager
- Compass
- FlexViews
- VLAN Editor
- TFTP
- Device Manager
- Alarms/Events
MIB-II Information
Device-level configurations:
Port Level RMON
Real Time view of traffic or Errors