
ProCurve Networking by HP

Student guide
Technical training

IP Routing Foundations
Version 5.21
Contents

Overview
Introduction ............................................................................................ Overview–1
Course objectives.................................................................................... Overview–1
Prerequisites ........................................................................................... Overview–1
Course module overviews ...................................................................... Overview–2
Course agenda ........................................................................................ Overview–3
Additional information ........................................................................... Overview–4
Module 1: IP Routing Basics
Objectives ............................................................................................................. 1–1
General network connectivity goals ..................................................................... 1–2
Scenario: ProCurve University............................................................................. 1–3
Router interfaces and port state ............................................................................ 1–4
Route tables and local address ranges .................................................................. 1–6
The route table...................................................................................................... 1–6
Multinetted interface ............................................................................................ 1–8
When multinetting is appropriate ......................................................................... 1–8
Loopback interface ............................................................................................. 1–10
Learning about remote networks ........................................................................ 1–11
Routing protocol categories................................................................................ 1–12
RIP and OSPF..................................................................................................... 1–13
Standard IGPs for IP networks ........................................................................... 1–14
The disadvantage of RIP .................................................................................... 1–14
Link-state protocols ............................................................................................ 1–15
Router1 RIP update to Router2 .......................................................................... 1–16
Cost..................................................................................................................... 1–16
RIP v2 use of multicast....................................................................................... 1–17
Router2 updates its route table ........................................................................... 1–18
Router2 RIP update to Router1 .......................................................................... 1–19
Router2 RIP update to Router3 .......................................................................... 1–20
Router3 updates its route table ........................................................................... 1–21
Assessing this topology ...................................................................................... 1–22
Providing a routed mesh..................................................................................... 1–23
Split horizon in a routed mesh............................................................................ 1–24
Processing inbound RIP updates ........................................................................ 1–25
Link failure recovery in mesh (1) ....................................................................... 1–27

Rev. 5.21 1
IP Routing Foundations

Link failure recovery in mesh (2) ....................................................................... 1–28


Link failure recovery in mesh (3) ....................................................................... 1–29
Poisoned Reverse................................................................................................ 1–30
Connecting to a core router ................................................................................ 1–31
Connecting to a core routing switch................................................................... 1–32
Connecting to redundant core............................................................................. 1–33
Routing among locations at ProCurve University.............................................. 1–34
Dynamic route exchange .................................................................................... 1–35
Network summarization ..................................................................................... 1–36
Summarization of address space using static routes........................................... 1–37
Route table lookup.............................................................................................. 1–39
Advertising static routes ..................................................................................... 1–40
Equal cost multipath ........................................................................................... 1–41
Module 1 summary............................................................................................. 1–42
Module 2: OSPF Routing
Objectives ............................................................................................................. 2–1
OSPF at ProCurve University ...................................................................... 2–2
Basic OSPF interactions ....................................................................................... 2–3
OSPF routing protocol ................................................................................. 2–4
OSPF hierarchy: Routers and networks ....................................................... 2–5
OSPF Router ID .......................................................................................... 2–5
OSPF adjacencies ........................................................................................ 2–5
OSPF network types .................................................................................... 2–6
OSPF area .................................................................................................... 2–7
OSPF hierarchy: Autonomous System ........................................................ 2–9
OSPF router boots up................................................................................. 2–10
Hello messages .......................................................................................... 2–10
Exchanging Hello packets.......................................................................... 2–11
Two-way neighbor recognition .................................................................. 2–13
Designated Router election ........................................................................ 2–14
Exchanging Database descriptions............................................................. 2–15
Link State Request packet.......................................................................... 2–17
Link State Update packet ........................................................................... 2–18
Updating the Link State Database.............................................................. 2–19
Originating new LSAs ............................................................................... 2–20
Flooding LSAs in Link State Update packet ............................................. 2–21
R1A’s LSA ................................................................................................ 2–22
SPF tree and IP route table......................................................................... 2–23
Summary of OSPF packet types ................................................................ 2–25
Summary of OSPF LSA types confined to a single area ........................... 2–27


Distribution of link state changes ....................................................................... 2–28


Impact of link state changes....................................................................... 2–29
Connecting to existing multi-access network ............................................ 2–30
Recognizing a new router on a multi-access network................................ 2–31
Database synchronization .......................................................................... 2–32
Adjacencies established, database synchronized ....................................... 2–33
Flood new LSAs......................................................................................... 2–34
Acknowledging flooded LSAs................................................................... 2–35
Designated Router adjacency responsibilities............................................ 2–36
Designated Router LSA flooding responsibilities ..................................... 2–37
Non-DR LSA flooding responsibilities...................................................... 2–38
OSPF network types................................................................................... 2–39
Finding the shortest path ............................................................................ 2–41
OSPF’s performance in large intranet........................................................ 2–42
OSPF scalability......................................................................................... 2–44
Area Border Router (ABR) ....................................................................... 2–44
Multiple areas and adjacency ..................................................................... 2–45
ABR link state database synchronization................................................... 2–46
LSA flow between areas ............................................................................ 2–47
Flooding Summary LSAs........................................................................... 2–48
Hierarchical addressing enables summarization ........................................ 2–49
Summary of OSPF LSA types ................................................................... 2–50
External route information ................................................................................. 2–51
Redistributing non-OSPF network information ......................................... 2–52
ASBR ......................................................................................................... 2–53
Stub-area type: Injecting the default route ................................................. 2–54
Locating the ASBR .................................................................................... 2–55
Stub and “totally stubby” area ................................................................... 2–56
Not-so-stubby area (NSSA) ....................................................................... 2–57
Module 2 summary .................................................................................... 2–58
Module 3: Default Gateway Redundancy Protocols
Objectives ............................................................................................................. 3–1
Redundant router interfaces.................................................................................. 3–2
Redundant links: Physical view............................................................................ 3–3
Redundant links: Logical view............................................................................. 3–4
Impact of device failure........................................................................................ 3–5
Edge switch failure ............................................................................................... 3–5
Router failure........................................................................................................ 3–5
Providing a second router..................................................................................... 3–7
Why failover is not automatic (1)......................................................................... 3–8
Why failover is not automatic (2)......................................................................... 3–9
Why failover is not automatic (3)....................................................................... 3–10


Automatic failover for default gateway.............................................................. 3–11


Common characteristics and operations ............................................................. 3–12
Virtual Router Redundancy Protocol ................................................................. 3–14
Virtual routers in VRRP ..................................................................................... 3–15
VRRP: Actual and virtual IP addresses.............................................................. 3–16
VRRP: Master and Backup states....................................................................... 3–17
VRRP: Virtual MAC address ............................................................................. 3–18
VRRP Master broadcasts “gratuitous ARP” ...................................................... 3–19
Master accepts traffic sent to virtual MAC address ........................................... 3–20
Virtual MAC address enables automatic failover .............................................. 3–21
VRRP advertisements......................................................................................... 3–22
VRRP advertisement packet format ................................................................... 3–23
VRRP support for load sharing .......................................................................... 3–24
Considering link failure vs. device failure ......................................................... 3–25
Mixed virtual router states (1) ............................................................................ 3–26
Mixed virtual router states (2) ............................................................................ 3–27
Proprietary variations and enhancements ........................................................... 3–28
VRRPE: Virtual and actual IP addresses............................................................ 3–29
XRRP.................................................................................................................. 3–30
Module 3 summary............................................................................................. 3–31
Module 4: ACL Theory
Objectives ............................................................................................................. 4–1
Device security and access control....................................................................... 4–2
Identity-based security.......................................................................................... 4–2
Role-based security .............................................................................................. 4–2
Rule-based security .............................................................................................. 4–3
Basic security principles: Physical security example........................................... 4–4
Security threats ..................................................................................................... 4–5
Basic security principles: Additional layer of physical security .......................... 4–6
Comparing physical and virtual security.............................................................. 4–7
Planning for rule-based access control ................................................................. 4–8
Rule-based access control example .................................................................... 4–10
Selection criteria in IP header............................................................................. 4–11
Determine which port(s) will filter traffic .......................................................... 4–12
A rule that may be applied to ingress or egress ports......................................... 4–13
The implied “deny any” rule .............................................................................. 4–14
Impact of applying Rule 1 at ingress port .......................................................... 4–15
Impact of applying Rule 1 at egress port............................................................ 4–16
Associating users with resource requirements ................................................... 4–17
Inbound ACL recommendations ........................................................................ 4–17
Outbound ACL recommendations...................................................................... 4–18


Define characteristics of resources ..................................................................... 4–19


Strategies for defining inbound ACLs................................................................ 4–20
Access control for faculty users ......................................................................... 4–21
Access control criteria in TCP and UDP headers............................................... 4–22
Permit faculty user access to curriculum server network................................... 4–24
Permit faculty user access to SMTP services ..................................................... 4–25
Deny faculty user access to administrative servers ............................................ 4–26
Permit faculty user Internet access ..................................................................... 4–27
Access control for student users ......................................................................... 4–28
Permit student access to web registration server................................................ 4–29
Deny student traffic destined for administrative servers.................................... 4–30
Student Internet access ....................................................................................... 4–31
Access control of admin users............................................................................ 4–32
Permit admin user access to web registration server.......................................... 4–33
Permit admin access to HR and admin servers .................................................. 4–34
Access control for guests.................................................................................... 4–35
Deny guest access to intranet destinations ......................................................... 4–36
Permit guest access to Internet destinations ....................................................... 4–37
Module 4 summary............................................................................................. 4–38

Learning Check Answers

Overview

Introduction
IP Routing Foundations provides the basic knowledge of routing technologies
necessary to prepare for Routing Switch Essentials. Designed to be delivered as a
self-paced prestudy or in the classroom, IP Routing Foundations focuses on
standards, theories, and technologies and is not dependent on ProCurve products or
features.
Before taking IP Routing Foundations, students should complete Adaptive EDGE
Fundamentals or have attained equivalent background. The topics in Adaptive
EDGE Fundamentals include:
■ Basic Ethernet technology
■ IP addressing
■ VLANs
■ Spanning Tree
■ Link Aggregation
■ Fundamentals of switch technology
■ Traffic prioritization

Course objectives
During this course, you will:
■ Learn basic routing and traffic filtering technologies, including redundant
default gateway protocols, Routing Information Protocol (RIP), Open Shortest
Path First (OSPF), and Access Control Lists (ACLs)
■ Prepare for the Routing Switch Essentials instructor-led course

Prerequisites
Adaptive EDGE Fundamentals


Course module overviews


Module 1, “IP Routing Basics,” describes RIP, static routes, and other information
necessary to develop routed networks in the contemporary enterprise.
Module 2, “OSPF Routing,” introduces the basic features and processes of the
OSPF routing protocol.
Module 3, “Default Gateway Redundancy and Protocols,” describes the Virtual
Router Redundancy Protocol and other technologies designed to ensure the
availability of default gateways.
Module 4, “ACL Theory,” describes the theory and planning for ACLs.


Course agenda
IP Routing Foundations is designed to be a self-paced prestudy for Routing Switch
Essentials. Students should complete each section and its related Learning Check
before moving to the next topic.


Additional information

• The HP Certified Professional (HPCP) program is a world-class
certification program benchmarked around the world to ensure
validation of the technical and sales competencies and expertise
needed to plan, deploy, support and service HP technology and
solutions
• ProCurve participates in the Sales and Integration Tracks within HPCP
• This course, along with Routing Switch Essentials, prepares you for
the required exam for ASE – Routing Switch Essentials
• The exam number for this course is HPO-790
• For more information on HPCP, go to www.hp.com/certification
• For more information on HP ProCurve Training and Certification, go to
http://www.hp.com/rnd/training/certifications.htm


IP Routing Foundations is part of a series of courses on ProCurve products. For
more information, visit the ProCurve Web site.

IP Routing Basics
Module 1

Objectives:
After completing this module, you will be able to:
■ Categorize sources of routing information
• Static and dynamic
• Interior and exterior
• Distance vector and link state
■ Describe how a router builds its route table and how it chooses the best match
from the table's entries
■ Describe reasons for defining multinetted interfaces
■ Explain the value of a loopback interface
■ Describe the process a router uses to choose a path when its route table
includes multiple equal cost paths to the same destination


General network connectivity goals

Establish connectivity among clients and resources
• Routers must obtain enough information to find the best path to each
address range and collect the information in a route table
Routing efficiency, economy, scalability
• Each route table entry specifies an address range that may represent:
– A single network (broadcast domain)
– A range of networks whose address space can be expressed as a
starting address and mask
• Summarize address space whenever possible to minimize the number
of route table entries
Enable selective forwarding based on resource needs
• Arrange clients and addressing scheme to selectively enable access to
resources
• Goals of limiting resource access may be based on traffic shaping or
security requirements
• Alternate paths for link failover
– Unlike STP, all links active (no blocked links)


In general, routers exist to connect clients and resources. Routers learn the most
efficient way to reach each address range, collect the information, and organize it
in a route table. To enable routers to function efficiently, a medium-to-large
enterprise will use a hierarchical addressing scheme. Hierarchical addressing
enables an administrator to summarize the address range at remote locations using
the smallest number of route table entries. This is only possible when hosts within
an IP address range are at the same physical location. A sound IP addressing
scheme enables an intranet to scale to a very large size without exceeding the
capabilities of its routers.
Routers enable any-to-any communication. However, not all users are necessarily
able to reach all resources. This is true for two reasons:
1. Users simply don’t need all intranet resources.
2. Some user/resource pairs must be disallowed to conform to security policies.
The actual mechanisms used for traffic filtering are beyond the scope of this
module and will be discussed later in the course. However, to enable the
development of efficient traffic filters, administrators must take great care when
planning their IP addressing schemes. Basically, the IP addresses of clients with
common resource requirements should be within a range that can easily be
expressed by a starting address and mask. This module will provide more detail on
this topic.


Scenario: ProCurve University


The university comprises three campuses


Each campus supports a variety of users
• Students and guests
• Faculty and administration
Each campus supports a variety of applications, including web, e-mail,
and multimedia conferencing

[Diagram: the Northwest campus, Northeast campus, and Southwest campus are each
connected by 10 GbE links to a high-speed core]


This module and the rest of IP Routing Foundations will refer to ProCurve
University whenever it is useful to illustrate a basic technology principle. The
fictional university consists of three campuses connected by a high-speed core.
The university supports four types of users—students, guests, faculty, and
administrators—and a typical array of enterprise applications.
The university will appear more regularly in Routing Switch Essentials, which
focuses heavily upon the deployment and configuration of ProCurve routing
switches.


Router interfaces and port state

Every vendor’s router supports one or more of the following
interface types:
• Physical
– Created by assigning an IP address and mask to a physical port
– Interface state may be “up” only if the physical port state is “up”
• Virtual
– Associates IP address and mask with a VLAN
– Interface state may be “up” if at least one of the ports in the VLAN
is “up”
• Loopback
– Assigns IP address and mask to an interface whose state is not
bound to a physical port state
– Interface state is always “up”
• Multinetted
– Assigns two or more IP address/mask combinations to a physical,
virtual, or loopback interface


Every router in an enterprise, regardless of the vendor who provides it, must
enable communication among multiple networks. All routers accomplish this by
enabling administrators to define one or more of the following types of router
interfaces:
1. Physical
As its name suggests, the physical interface is created by assigning an IP
address and mask to a physical port. The rest of this module will focus
heavily on this type of interface, which is the “traditional” router interface.
2. Virtual
Common in contemporary enterprises, the virtual interface associates an IP
address and mask with a VLAN. This enables packets for multiple broadcast
domains to be forwarded through a single port.
3. Loopback
The loopback interface defines an IP address and mask that is not bound to
any port or VLAN. It is often used as the interface for management
communication.
4. Multinetted
In a multinetted configuration, two or more IP addresses and masks are
assigned to a single port, VLAN, or loopback interface.


Whether they are virtual or physical, router interfaces function in the same way in
terms of Layer 3 forwarding. Differences among the types of interfaces are
confined solely to Layer 2 forwarding issues. The physical interface associates
each router port with a different broadcast domain and thus a different address
range, while the virtual interface enables you to associate an arbitrary set of ports
with a broadcast domain/address range.


Route tables and local address ranges

• For each interface whose state is “up,” the router derives the local address
range by applying the mask to the assigned IP address
• Route table entries for local address ranges usually have a cost of “0”
• Router forwards traffic destined for local networks using port indicated in route
table
– Drops traffic destined for address ranges not represented in the table

IP Route Table
Network address Mask Gateway Port Cost Type
10.1.10.0 255.255.255.0 0.0.0.0 If 1 0 Local
10.1.30.0 255.255.255.0 0.0.0.0 If 2 0 Local

[Diagram: Router1 has Port 1 (If 1) configured as 10.1.10.1/24 and Port 2 (If 2)
as 10.1.30.1/24. If 1 connects to Switch1 (10.1.10.3/24), which serves hosts in
10.1.10.0/24 with default gateway 10.1.10.1; If 2 connects to Switch2
(10.1.30.3/24), which serves hosts in 10.1.30.0/24 with default gateway 10.1.30.1.
The router forwards traffic among its local address ranges.]


In this example, a router has two interfaces defined. Because the physical port “If
1” is connected to Switch1, the interface state is up. Because the interface is
defined in the router’s configuration as 10.1.10.1/24, the router applies the mask to
the address and derives a range of addresses that it expects to find through that
port.
In this case, the range of local addresses the router puts in the route table is
10.1.10.0 with a mask of 255.255.255.0. When this dotted decimal mask is
converted to binary, the mask includes 24 “1” bits and eight “0” bits. In the
application of the mask to the address, each of the “1” bits indicates the number of
high order—that is, “most significant”—bits in the address that are common to all
of the hosts connected to this interface. The “0” bits of the mask represent the low
order—that is, “least significant”—bits in each host’s address that may have any
value. All of the combinations of these eight bits—from 0000 0000 to 1111
1111—are considered part of the address range. However, the lowest value (0) and the
highest value (255) are not permissible as addresses for individual hosts. The
lowest value is the network address, also known as the “starting address.” The
highest value is the broadcast address. The same principles apply to If 2.
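As an added example that is not part of the original guide, the following Python reproduces the mask application just described for Router1's two interfaces: it expands the /24 into 24 one-bits and 8 zero-bits, clears the host bits to obtain the network (starting) address, sets them to obtain the broadcast address, and builds the corresponding "Local" route table rows. The interface names and addresses are the guide's; the function names and the cross-check against Python's standard ipaddress module are assumptions of this example.

```python
import ipaddress  # standard library, used only to cross-check the hand-rolled math

# Constructed from the guide's Router1: If 1 = 10.1.10.1/24, If 2 = 10.1.30.1/24.
INTERFACES = {"If 1": "10.1.10.1/24", "If 2": "10.1.30.1/24"}


def dotted_to_int(dotted):
    """Convert a dotted-decimal IPv4 string to a 32-bit integer."""
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value):
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len):
    """A /24 becomes 24 one-bits followed by 8 zero-bits, i.e. 255.255.255.0."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def local_range(cidr):
    """Derive the local address range a router installs for an up interface.

    The one-bits of the mask select the high-order bits shared by every host on
    the interface; the zero-bits may take any value. The all-zeros host part is
    the network (starting) address and the all-ones host part is the broadcast
    address, so neither is usable by an individual host.
    """
    addr_str, prefix_str = cidr.split("/")
    prefix_len = int(prefix_str)
    addr = dotted_to_int(addr_str)
    mask = prefix_to_mask(prefix_len)
    network = addr & mask                          # clear host bits -> starting address
    broadcast = network | (~mask & 0xFFFFFFFF)     # set host bits -> broadcast address
    host_bits = 32 - prefix_len
    return {
        "network": int_to_dotted(network),
        "mask": int_to_dotted(mask),
        "broadcast": int_to_dotted(broadcast),
        # /31 and /32 have no separate network/broadcast; report no host range for them
        "first_host": int_to_dotted(network + 1) if host_bits > 1 else None,
        "last_host": int_to_dotted(broadcast - 1) if host_bits > 1 else None,
        "mask_bits": f"{mask:032b}",
    }


def route_table_local_entries(interfaces):
    """Build the 'Local' rows of the route table, one per up interface."""
    rows = []
    for port, cidr in interfaces.items():
        r = local_range(cidr)
        rows.append({"network": r["network"], "mask": r["mask"], "gateway": "0.0.0.0",
                     "port": port, "cost": 0, "type": "Local"})
    return rows


def cross_check(cidr):
    """Confirm the hand-rolled result agrees with the standard library."""
    net = ipaddress.ip_interface(cidr).network
    r = local_range(cidr)
    return (r["network"] == str(net.network_address)
            and r["broadcast"] == str(net.broadcast_address)
            and r["mask"] == str(net.netmask))


if __name__ == "__main__":
    for port, cidr in INTERFACES.items():
        r = local_range(cidr)
        print(f"{port}: {cidr} -> network {r['network']} mask {r['mask']} "
              f"broadcast {r['broadcast']} hosts {r['first_host']}..{r['last_host']}")
        print(f"      mask bits: {r['mask_bits']}  cross-check ok: {cross_check(cidr)}")
    for row in route_table_local_entries(INTERFACES):
        print(row)
```

The same arithmetic applies to any prefix length, not only the /24 in the guide's figure; try a /26 to see that the starting address is no longer simply the last octet zeroed.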

The route table


A router bases forwarding decisions on the content of its route table. While a
Layer 2 forwarding device, such as a switch, floods traffic destined for unknown
MAC addresses, a router drops traffic whose destination IP address does not match
any of the entries in the route table.


The graphic on the previous page shows route table entries for two networks—
10.1.10.0 and 10.1.30.0. Although routers from different vendors may display
routing information differently, all route tables contain the same basic information.
Common fields include:
■ The “Gateway” field for each address range is sometimes labeled as the
“Next Hop” field, but its function is to tell the router how to reach the address
range. In this case, because all three address ranges are local, this router uses
all zeros in dotted decimal format. Once again, different vendors represent
this in different ways.
■ The “Port” field indicates which of the router’s interfaces leads toward the
best path to the destination.
■ The “Cost” field provides information about the distance to the network.
Because the address ranges in the example are local, Router1 records the
“Cost” for each route as “0.” Although the end stations in networks
10.1.10.0/24 and 10.1.30.0/24 are connected to a downstream switch,
Router1 considers the addresses to be “local” because Router1’s interfaces
are in the same broadcast domain as other hosts in the same address range.
The switch is transparent from an IP routing perspective because it forwards
traffic based on Layer 2 information rather than Layer 3. The switch’s own IP
address, which is assigned for management purposes, does not affect this
transparency.
„ The “Type” field indicates the source of the routing information. Because all
of these address ranges are local, their type is “D” which represents “directly
connected.” We will cover other sources of routing information later in this
module.
Because Router1 provides the default gateway for its local hosts, it can forward
traffic on their behalf and also deliver traffic that is destined for those hosts.
Because all hosts are local, the router uses ARP to obtain each destination host’s
MAC address and encapsulates each forwarded packet with a Layer 2 header that
contains its own MAC address in the source address field and the target host’s
MAC address in the destination address field.
The router does not change the source or destination IP address in the Layer 3
header. The source address field in the IP datagram header contains the address of
the sending host and the destination address field contains the address of the target
host. The router does not insert its own address into the IP datagram header as it
does with the Layer 2 header.
In most environments, a router is also required to forward traffic toward remote
networks.



IP Routing Foundations

Multinetted interface

• Defined to provide default gateway addresses for hosts that are in the same
broadcast domain but have different address ranges
• Each address range appears as a route table entry

IP Route Table
Network address Mask Gateway Port Cost Type
10.1.10.0 255.255.255.0 0.0.0.0 If 1 0 Local
10.1.30.0 255.255.255.0 0.0.0.0 If 2 0 Local
172.16.150.0 255.255.255.0 0.0.0.0 If 2 0 Local

Figure: Router1 with Port 1 (If 1) 10.1.10.1/24 and Port 2 (If 2) 10.1.30.1/24. Switch1 (10.1.10.3/24) serves hosts in 10.1.10.0/24 (DG: 10.1.10.1). Switch2 (10.1.30.3/24) serves hosts in 10.1.30.0/24 (DG: 10.1.30.1) and hosts in 172.16.150.0/24 (DG: 172.16.150.1).
Rev 5.21 Student Guide: 1–8 7

Multinetting enables an administrator to associate multiple IP addresses with a
single broadcast domain that might be physically bounded, using a physical
interface associated with a single router port, or virtually bounded, using a virtual
interface associated with a VLAN. Multinetting creates routing inefficiencies and
should be used only when necessary.
In contemporary networks, multinetting is usually not recommended, although it
was quite common in earlier periods, when physical router interfaces presented the
only router interface option. Furthermore, multinetting can create problems in
environments where hosts use DHCP to receive IP configuration information.
Hosts in a DHCP network usually will receive addresses in the same range;
consequently, hosts in a multinetted network may not receive an address in the
intended range.

When multinetting is appropriate


Multinetting can be necessary when the network includes a collection of hosts,
links, and legacy connectivity devices, such as hubs, that do not support VLANs.
The graphic above illustrates this point. Suppose that hosts in the 10.1.30.0/24
address range are used by clients who need access to the Internet. Their addresses
would be included in a range to be translated by a router, proxy server, or firewall
using NAT. However, the hosts in the range 172.16.150.0/24 are special-purpose
devices with statically defined addresses. Their access should be restricted. They
will never need to browse the Internet. An administrator might specifically omit
their address range from the range of addresses to be translated by the proxy,
firewall, or other NAT device.

Administrators might also implement multinetting as an interim step while
changing the IP addressing scheme. Suppose, for example, that an intranet
originally was configured to use statically defined public addresses and must now
be converted to a private addressing scheme where hosts dynamically obtain their
addresses. Enabling multinetting would enable the administrator to continue
providing connectivity for hosts whose addresses have not been converted, as well
as for those whose addresses have been converted to the new scheme.


Loopback interface

• The address range associated with a loopback interface appears as a route table
entry
• May be used as source and/or destination for the router’s host processes, such as
SNMP, Telnet, and HTTP

IP Route Table
Network address Mask Gateway Port Cost Type
10.1.0.0 255.255.255.0 0.0.0.0 lb 1 0 Local
10.1.10.0 255.255.255.0 0.0.0.0 If 1 0 Local
10.1.30.0 255.255.255.0 0.0.0.0 If 2 0 Local
172.16.150.0 255.255.255.0 0.0.0.0 If 2 0 Local

Figure: Router1 with Loopback 1 10.1.0.1/24, Port 1 (If 1) 10.1.10.1/24 and Port 2 (If 2) 10.1.30.1/24. Switch1 (10.1.10.3/24) serves hosts in 10.1.10.0/24 (DG: 10.1.10.1). Switch2 (10.1.30.3/24) serves hosts in 10.1.30.0/24 (DG: 10.1.30.1) and hosts in 172.16.150.0/24 (DG: 172.16.150.1).

A loopback interface is very useful for routers in an intranet that supports
redundant links. Because the state of a loopback interface is not dependent on the
state of any physical port, its IP address will be reachable if at least one other
router interface is up. Consequently, the loopback address often is used for in-band
device management.
Routers often are configured to use the loopback address for outbound
communication with network management stations or other routers. With no
loopback defined for this purpose, a router will send the packet through the
interface that is “closest” to the destination network; that is, the one that
corresponds with the route table’s next hop toward the destination network.
In the case of a network management station, administrators often set up filters
that allow the station to accept messages only from a set of source address ranges.
In a redundant network, one or more routers might choose different paths to the
network management station’s address range based on the physical state of some
of the intervening links. Consequently, it can be difficult to predict the address
from which a router will send a management message.
Furthermore, by using the loopback interface for all host-based communication
with the router, you can set up traffic filters that prohibit traffic produced by
typical management protocols—including HTTP, FTP, TFTP, Telnet and SSH—
from reaching any of the physical or virtual interfaces. The traffic can be permitted
to reach the loopback interface. All valid administrators would need to configure
and monitor the router using the loopback interface as a target address. (Traffic
filters will be discussed later in this course.)


Learning about remote networks

A router can learn of the existence of remote networks through
any combination of the following:
• Dynamic interaction with other routers that follow a common set of
rules for exchanging routing information
– These rules might include:
• Procedures for establishing relationships with neighboring
routers
• The frequency and format of messages exchanged with other
routers
• Static route configuration, which requires an administrator to:
– Specify an address range, expressed as starting address and mask
– Provide “next hop” information that will allow the router to send
traffic toward the address range
– Supply a cost to be associated with the path to the address range,
enabling the router to choose the lowest-cost statically defined path
Network topology, including Internet and intranet connectivity,
determines the appropriate methods for each situation

A router can only forward traffic toward address ranges that appear in its route
table. If a router receives a routable packet with a destination address that does not
match with any route table entries, it drops the packet.
Routers may learn the information in their route tables dynamically through
interaction with other routers with which they share a common set of route
exchange rules known as a “routing protocol.” Routing protocols specify the
format of the information the routers exchange and the conditions that require a
router to send information to a neighboring router.
Administrators often choose to augment the dynamically learned information by
statically defining information that the router can use to reach specific address
ranges. In most contemporary networks, routers must be aware of remote networks
because most enterprise users require access to Internet and intranet resources.
Usually, route tables are populated with a combination of static and dynamically
learned routes.
In any case, routers cannot directly deliver traffic to remote hosts. Instead, they
deliver traffic destined for remote hosts to neighboring routers that provide the
best route to the remote address range.


Routing protocol categories

Interior Gateway Protocols (IGP)
• Facilitate exchange of information among routers under the same
organizational control; that is, within the same “autonomous system”
• Examples of standard IGPs:
– Routing Information Protocol (RIP)
– Open Shortest Path First (OSPF)
Exterior Gateway Protocols (EGP)
• Facilitate exchange of route information among routers in different
autonomous systems
• Border Gateway Protocol version 4 (BGP4) is the current standard EGP for
Internet connectivity

There are two types of dynamic interaction between routers:
1. Interior Gateway Protocols (IGP) involve communication among routers
that are under common administrative control and use the same protocol for
exchanging information; that is, in the same autonomous system.
2. Exterior Gateway Protocols (EGP) involve communication among routers
that are under different administrative control; that is, in different
autonomous systems.
An Internet Service Provider is likely to use a combination of interior and exterior
gateway protocols to facilitate exchange of routing information among the routers
that make up its own internal network as well as with the routers at subscriber
locations.
Not all Internet subscribers use an exterior gateway protocol; however, a very
large subscriber that load balances among multiple ISPs is the most likely
candidate for using a formalized exterior gateway protocol. Small-to-medium
sized subscribers are likely to use a combination of interior gateway protocols and
static routes to facilitate Internet connectivity.


RIP and OSPF


Several routing protocols have been formalized and are described in various
standards documents. In some cases, vendors implement these standards exactly as
written; other vendors enhance the protocols to optimize particular aspects or
functions. Other protocols are entirely proprietary, with their own reserved port
and/or protocol numbers. These protocols operate only with other routers from the
same vendor.
Two common routing protocols, RIP and OSPF, are both IGPs with the same high-
level goal: to enable connectivity within an autonomous system. In general,
because RIP and OSPF perform this task in completely different ways, each is best
suited for particular topologies. However, there is a large overlapping area of
applicability. Many intranets can deploy either protocol effectively.
Routing protocols specify the format of messages to be exchanged. As a fairly
simple routing protocol, RIP specifies only one type of message. On the other
hand, OSPF is a far more complex IGP that specifies several different types and
even sub-types of messages, specifying formal procedures for setting up
relationships with neighboring routers and types of messages that should be sent in
particular circumstances.
Routing protocols also specify the conditions that require a router to send an
advertisement. While a RIP router periodically sends routing information to its
neighbors, an OSPF router sends a particular type of message when it experiences
a change in the state of one of its links.
RIP will be described in more detail later in this module. A later module will
discuss OSPF.


Standard IGPs for IP networks

Distance vector: RIP
• Each router sends periodic updates containing a subset of its route
table entries to directly connected neighbor routers
• Information about remote networks is passed from router to router
based on each router’s perspective
• The time required for each router to find an alternate path to an address
range after link failure depends on the number of routers that separate it
from the address range
Link state: OSPF
• Each router reports to its neighbors the characteristics of its active
connections to local networks
• Updates are flooded to all routers within an administratively defined
area, resulting in a consistent picture of the area’s routers and networks
• Each router builds a logical tree that calculates its shortest path to
each network address range
• Enables faster convergence (detection of alternate paths after link
failure) due to possession of first-hand information

There are two types of standard IGPs available in IP networks:
1. Distance-vector protocols, such as RIP, require routers to integrate
information into their own tables and send the resulting entries, as modified,
from their own perspectives.
2. Link-state protocols, such as OSPF, require routers to establish neighbor
relationships with adjacent routers. Routers generate updates based on local
information and send the updates to neighbors, who then flood updates to all
their neighbors. Ideally, within a few milliseconds, every router in an
administratively defined area has identical information. Each router builds a
logical tree that traces out the shortest path to each advertised destination,
using itself as the root. As a result, every router has a consistent picture of the
network from its own perspective.

The disadvantage of RIP


While RIP and other distance-vector protocols are easier to configure than link-
state protocols, the distance-vector protocols have one serious disadvantage.
Changes in routing topology often propagate slowly because information in a
router’s table is acquired from other routers that may be as many as 15 hops away.


Suppose, for instance, that Router1 is directly connected to Network 1. When
Router1 loses its connection to Network 1, it immediately sends its neighbors an
update that reports the cost of Network 1 to be 16. In RIP, the cost of 16 represents
infinity and indicates the network is unreachable because the maximum number of
router hops in RIP is 15.
After Network 1 has been marked as unavailable, each router is free to accept
advertisements from other neighbors that offer a lower-cost path to Network 1.
Because there is a 30-second interval between RIP updates, and because RIP
updates move one hop at a time, several minutes may elapse before each router has
determined the lowest-cost path between itself and Network 1.

Link-state protocols
Link-state protocols avoid this issue because they do not rely on second-hand
information. A router sends an “advertisement” when it recognizes a link state
change. The update does not contain just the change, but the attributes of all of the
router’s currently active links. The router sends the advertisement to its immediate
neighbors. The neighbors are required by the protocol to immediately flood the
advertisement to all of their neighbors.
Unlike RIP routers, OSPF routers do not increment the costs as they flood updates.
In fact, an OSPF router is not permitted to make any changes to advertisements it
receives on one network before sending it out onto another network.
As a result, all of the routers in the area have a consistent picture of the
connections between all routers and networks in the area. Each router builds a tree
based on first-hand information that traces the shortest path between itself and
every router and network in the area. When a link state changes, the router
recalculates the tree based on the new information. Ideally, less than a second
passes between the time the router advertises its new state and the time when all of
the routers have found an alternate path, if one exists.


Router1 RIP update to Router2

• Router1 advertises entries in its route table through interface 3
• Does not include the address range associated with interface 3 (10.0.64.0/24)

Ethernet header:
  Dest: 01005e-000009  Source: <R1 MAC>
IP datagram header:
  Source: 10.0.64.1  Dest: 224.0.0.9
UDP header:
  Source: 520  Dest: 520
Routing Information Protocol:
  Command: Response (2)  Version: RIPv2 (2)
  Network: 10.1.0.0  Mask: 255.255.255.0  Metric: 1
  Network: 10.1.10.0  Mask: 255.255.255.0  Metric: 1
  Network: 10.1.30.0  Mask: 255.255.255.0  Metric: 1
  Network: 172.16.150.0  Mask: 255.255.255.0  Metric: 1

Figure: Network 10.0.64.0/24 connects R1 (If 3, 10.0.64.1/24, RIP enabled) and R2 (If 3, 10.0.64.2/24). R1: Loop 1 10.1.0.1/24; If 1 10.1.10.1/24 to S1 (10.1.10.3/24) and hosts in 10.1.10.0/24; If 2 10.1.30.1/24 and 172.16.150.1/24 to S2 (10.1.30.3/24) and hosts in 10.1.30.0/24 and 172.16.150.0/24. R2: Loop 1 10.2.0.1/24; If 1 10.2.20.1/24 to S3 (10.2.20.3/24) and hosts in 10.2.20.0/24; If 2 10.2.40.1/24 to S4 (10.2.40.3/24) and hosts in 10.2.40.0/24.

When RIP is enabled on an interface, the router prepares an update that advertises
the address ranges in its route table. In many cases, including the one above, each
address range in the table represents a network, a single broadcast domain.
However, this is not always the case. Sometimes the entries represent an address
range that includes many networks.
In the example above, Router1 advertises all of its connected networks with one
notable exception. A RIP advertisement doesn’t include the address range
associated with the interface through which the router sends the update. In this
case, the advertisement is being prepared for transmission over interface 3 (if 3),
which is associated with the address range 10.0.64.0/24. Accordingly, that network
is specifically omitted from the advertisement.
It is important to note that the update actually includes two distinct steps: the
preparation and the sending of the update. By default, this process occurs every 30
seconds; when this interval expires, the router must send advertisements through
all of its RIP-enabled interfaces.

Cost
Note that the cost associated with each of the advertised networks is 1. While
Router1 associates a cost of 0 with its locally connected address ranges, it
advertises these networks with a cost of 1. In some vendor implementations, the
cost used internally will be 1; however, the external cost is reported in the same
way by all router vendors.


RIP v2 use of multicast


The source address in the IP datagram that encapsulates the RIP advertisement is
the address of Router1’s interface on the network it shares with Router2. The
destination address is a multicast address, which is the requirement in RIP v2.
The use of multicast ensures that all routers connected to a network will receive
and process the update simultaneously. Routers or other devices on this network
that do not support RIP v2 will not process this update because they are not
members of the RIP Routers multicast group (224.0.0.9).
In the example, Router1 is the only RIP router on network 10.0.64.0. Note that
Router2 does not have RIP enabled. This does not affect Router1’s outbound RIP
updates. Because RIP is enabled on this interface, Router1 will continue sending
updates indefinitely.


Router2 updates its route table

• Router2 integrates networks from Router1’s RIP update into its route table
• The “Gateway” associated with RIP-learned networks is the source address from
the IP datagram header of Router1’s RIP update

Network Gateway Port Cost Type
10.0.64.0/24 0.0.0.0 3 0 D
10.1.0.0/24 10.0.64.1 3 2 R
10.1.10.0/24 10.0.64.1 3 2 R
10.1.30.0/24 10.0.64.1 3 2 R
10.2.0.0/24 0.0.0.0 Lo 1 0 D
10.2.20.0/24 0.0.0.0 1 0 D
10.2.40.0/24 0.0.0.0 2 0 D
172.16.150.0/24 10.0.64.1 3 2 R

Figure: Network 10.0.64.0/24 connects R1 (If 3, 10.0.64.1/24, RIP enabled) and R2 (If 3, 10.0.64.2/24, RIP enabled). R1: Loop 1 10.1.0.1/24; If 1 10.1.10.1/24 to S1 (10.1.10.3/24) and hosts in 10.1.10.0/24; If 2 10.1.30.1/24 and 172.16.150.1/24 to S2 (10.1.30.3/24) and hosts in 10.1.30.0/24 and 172.16.150.0/24. R2: Loop 1 10.2.0.1/24; If 1 10.2.20.1/24 to S3 (10.2.20.3/24) and hosts in 10.2.20.0/24; If 2 10.2.40.1/24 to S4 (10.2.40.3/24) and hosts in 10.2.40.0/24.

In this example, RIP has been enabled on Router2’s interface on the 10.0.64.0/24
network. Router2 receives Router1’s RIP update and begins processing it. It
doesn’t matter if Router1’s RIP update arrived before Router2 sent any
advertisements over the network it shares with Router1 because each router’s
sending and receiving actions are independent.
When Router2 receives the advertisement, it compares each entry with the entries
already in its route table and immediately adds any advertised address range that
does not already appear there. In the example above, all of the address ranges are
new, so all are added. The cost of the RIP-learned address ranges is one number
higher than the cost advertised by Router1. This is only true if Router2’s
configured interface cost for interface 3 is at the default setting of “1.” While it is
possible to manipulate interface costs for the purpose of favoring one path over
another, it is usually not recommended for reasons discussed later in this module.
Every address range a router learns from a RIP update is set to type “R” (for RIP)
in the route table. The “Port” value is the interface through which Router2
received the update that advertised the address range.
In this example, every RIP-learned network in Router2’s route table has the same
next hop. This is because Router2 has only one neighbor.


Router2 RIP update to Router1


When Router2 sends a RIP advertisement through its only RIP-enabled interface,
it does not include the address range 10.0.64.0/24 because that address range is
associated with interface 3.
Because Router2 has already received advertisements from Router1, it follows an
additional rule requiring that advertisements a router sends onto a network do not
include the address ranges for which the next hop is on that network.
In the example, none of the networks that Router2 learned from Router1 are
included in the RIP update Router2 sends onto network 10.0.64.0/24. Because
10.0.64.1 is the “next hop” for the address ranges 10.1.0.0/24, 10.1.10.0/24, and
10.1.30.0/24, and because the address range associated with interface 3 contains
the next hop address, these are omitted from the update.
The set of rules that govern which networks may be advertised is known as “Split
horizon.” The primary reason that RIP routers follow Split horizon rules is because
a neighbor simply doesn’t need to learn about networks for which it provides the
next hop. Other reasons for the Split horizon rules will be discussed later.


Router2 RIP update to Router3

• Router2’s RIP updates through interface 4 include:
– Locally defined networks
– Routes to address ranges learned from a neighbor on interface 3

IP datagram header:
  Source: 10.0.65.1  Dest: 224.0.0.9
UDP header:
  Source: 520  Dest: 520
Routing Information Protocol:
  Network: 10.0.64.0  Mask: 255.255.255.0  Metric: 1
  Network: 10.1.0.0  Mask: 255.255.255.0  Metric: 2
  Network: 10.1.10.0  Mask: 255.255.255.0  Metric: 2
  Network: 10.1.30.0  Mask: 255.255.255.0  Metric: 2
  Network: 10.2.0.0  Mask: 255.255.255.0  Metric: 1
  Network: 10.2.20.0  Mask: 255.255.255.0  Metric: 1
  Network: 10.2.40.0  Mask: 255.255.255.0  Metric: 1
  Network: 172.16.150.0  Mask: 255.255.255.0  Metric: 2

Figure: Network 10.0.65.0/24 connects R2 (If 4, 10.0.65.1/24, RIP enabled) and R3 (If 3, 10.0.65.2/24). R2: If 3 10.0.64.2/24 (RIP enabled); Loop 1 10.2.0.1/24; If 1 10.2.20.1/24 to hosts in 10.2.20.0/24; If 2 10.2.40.1/24 to hosts in 10.2.40.0/24. R3: Loop 1 10.3.0.1/24; If 1 10.3.10.1/24 to hosts in 10.3.10.0/24; If 2 10.3.30.1/24 to hosts in 10.3.30.0/24.

In this example, Router2 has another neighbor that it reaches through a network
(10.0.65.0/24) associated with interface 4. Because Router3 does not have RIP
enabled, Router2 has not yet received any advertisements from Router3. Still,
because RIP is enabled on interface 4, Router2 sends periodic RIP updates
regardless of whether it has received any information from Router3.
The RIP update that Router2 sends to Router3 contains a completely different set
of address ranges than the update it sends to Router1. Following Split horizon
rules, the RIP advertisement Router2 sends through interface 4 does not include
the address range associated with interface 4, 10.0.65.0/24. However, it does
include all address ranges in its route table that are either local or learned from a
neighbor connected to an interface other than interface 4. Router2 advertises the
cost of these address ranges from its own perspective. In all cases except for local
networks, a RIP router advertises the cost that each address range has in its own
route table.
The “Gateway” or next hop value in the route table is the most important factor in
determining which address ranges Router2 will advertise through network
10.0.65.0/24. A RIP advertisement includes all local address ranges except the
network address associated with the interface over which the advertisement will be
transmitted. A remote address range will be included in the RIP advertisement
only if its associated “Gateway” or “next hop” IP address is outside the range of
the network associated with the interface over which the advertisement will be
transmitted.


Router3 updates its route table

• All routes known to Router3 are either local or learned from 10.0.65.1
• Router3’s updates through interface 3 include networks not learned from
neighbors on the network associated with that interface

Network Gateway Port Cost Type
10.0.64.0/24 10.0.65.1 3 3 RIP
10.0.65.0/24 0.0.0.0 3 0 Direct
10.1.0.0/24 10.0.65.1 3 3 RIP
10.1.10.0/24 10.0.65.1 3 3 RIP
10.1.30.0/24 10.0.65.1 3 3 RIP
10.2.0.0/24 10.0.65.1 3 2 RIP
10.2.20.0/24 10.0.65.1 3 2 RIP
10.2.40.0/24 10.0.65.1 3 2 RIP
10.3.0.0/24 0.0.0.0 Lo 1 0 Direct
10.3.10.0/24 0.0.0.0 1 0 Direct
10.3.30.0/24 0.0.0.0 2 0 Direct
172.16.150.0/24 10.0.65.1 3 3 RIP

Figure: Network 10.0.65.0/24 connects R2 (If 4, 10.0.65.1/24, RIP enabled) and R3 (If 3, 10.0.65.2/24, RIP enabled). R2: If 3 10.0.64.2/24 (RIP enabled); Loop 1 10.2.0.1/24; If 1 10.2.20.1/24 to hosts in 10.2.20.0/24; If 2 10.2.40.1/24 to hosts in 10.2.40.0/24. R3: Loop 1 10.3.0.1/24; If 1 10.3.10.1/24 to hosts in 10.3.10.0/24; If 2 10.3.30.1/24 to hosts in 10.3.30.0/24.

In the manner described earlier, Router3 increments the cost of all advertised
networks by the cost assigned to the interface through which the update arrives.
Everything that was advertised by Router2 with a cost of 1 appears in Router3’s
route table with a cost of 2. The address ranges reported with a cost of 2 have a
cost of 3 in Router3’s route table.
In this example, Router2 is Router3’s only neighbor, so the “Gateway” or next hop
router interface for every remote address range in Router3’s route table is
10.0.65.1, which is the IP address of Router2’s interface on the network that
connects the two routers. None of Router1’s interfaces appear in Router3’s route
table as a next hop because Router3 and Router1 do not share a network. The
“Type” column contains “RIP” for all address ranges that Router3 learns from
Router2’s advertisements.
When Router3 sends an advertisement to Router2, it will follow the Split horizon
rules described earlier. In this case, only three address ranges qualify for inclusion
in the RIP advertisement sent to Router2: 10.3.10.0/24, 10.3.30.0/24, and
10.3.0.0/24.
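The Router1 to Router2 to Router3 exchange from these pages, carried through in Python as an added example (not code from the course): the Router class, run_chain() and withdraw() are constructed here, and the code applies only the rules the text states (split horizon, metric 1 for local ranges, learned cost = advertised metric + interface cost, gateway = source address of the update), plus the metric-16 withdrawal described under “The disadvantage of RIP”.

```python
"""RIP exchange for the Router1-Router2-Router3 chain on this page (added example,
not the course's own code). It applies the rules the text states: split horizon,
metric 1 for local ranges, learned cost = advertised metric + interface cost,
gateway = source address of the update, and metric 16 = unreachable."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

INFINITY = 16                   # RIP metric meaning "unreachable"
ZERO = IPv4Address("0.0.0.0")   # gateway shown for directly connected ranges


@dataclass
class Route:
    network: IPv4Network
    gateway: IPv4Address        # 0.0.0.0 for directly connected ranges
    port: str
    cost: int
    rtype: str                  # "D" directly connected, "R" learned via RIP


class Router:
    def __init__(self, name, interfaces):
        # interfaces: list of (port, "addr/len"); one port may carry several
        # ranges, as Router1's multinetted If 2 does (port names are constructed)
        self.name = name
        self.ifaces = [(p, IPv4Interface(a)) for p, a in interfaces]
        self.routes = {}
        for port, iface in self.ifaces:
            self.routes[iface.network] = Route(iface.network, ZERO, port, 0, "D")

    def nets_on(self, port):
        return {iface.network for p, iface in self.ifaces if p == port}

    def advertisement(self, port):
        """RIP response sent out `port` as [(network, metric)], with split
        horizon: omit the port's own ranges and every route whose next hop
        lies on one of those ranges."""
        out_nets = self.nets_on(port)
        entries = []
        for r in sorted(self.routes.values(), key=lambda r: r.network):
            if r.network in out_nets:
                continue
            if r.rtype == "R" and any(r.gateway in n for n in out_nets):
                continue
            entries.append((r.network, 1 if r.rtype == "D" else r.cost))
        return entries

    def receive(self, port, source, entries, iface_cost=1):
        """Integrate a RIP response that arrived on `port` from `source`."""
        for net, metric in entries:
            cost = min(metric + iface_cost, INFINITY)
            cur = self.routes.get(net)
            if cur is None:
                if cost < INFINITY:         # new reachable range: add it
                    self.routes[net] = Route(net, source, port, cost, "R")
            elif cur.rtype == "R" and (cost < cur.cost or cur.gateway == source):
                # a lower cost wins; the current next hop may also raise the
                # cost or withdraw the range by advertising metric 16
                if cost >= INFINITY:
                    del self.routes[net]
                else:
                    self.routes[net] = Route(net, source, port, cost, "R")

    def table(self):
        """Route table as {"network/len": (gateway, port, cost, type)}."""
        return {str(r.network): (str(r.gateway), r.port, r.cost, r.rtype)
                for r in sorted(self.routes.values(), key=lambda r: r.network)}


def run_chain():
    """Build the page's topology and run one round of updates down the chain."""
    r1 = Router("Router1", [("If 1", "10.1.10.1/24"), ("If 2", "10.1.30.1/24"),
                            ("If 2", "172.16.150.1/24"), ("Lo 1", "10.1.0.1/24"),
                            ("If 3", "10.0.64.1/24")])
    r2 = Router("Router2", [("If 1", "10.2.20.1/24"), ("If 2", "10.2.40.1/24"),
                            ("Lo 1", "10.2.0.1/24"), ("If 3", "10.0.64.2/24"),
                            ("If 4", "10.0.65.1/24")])
    r3 = Router("Router3", [("If 1", "10.3.10.1/24"), ("If 2", "10.3.30.1/24"),
                            ("Lo 1", "10.3.0.1/24"), ("If 3", "10.0.65.2/24")])
    # Router1 -> Router2 over 10.0.64.0/24, then Router2 -> Router3 over 10.0.65.0/24
    r2.receive("If 3", IPv4Address("10.0.64.1"), r1.advertisement("If 3"))
    r3.receive("If 3", IPv4Address("10.0.65.1"), r2.advertisement("If 4"))
    return r1, r2, r3


def withdraw(r1, r2, lost):
    """Router1 loses range `lost` and advertises it with metric 16; returns
    True when Router2 has dropped it from its table."""
    net = IPv4Network(lost)
    del r1.routes[net]
    r2.receive("If 3", IPv4Address("10.0.64.1"), [(net, INFINITY)])
    return net not in r2.routes


if __name__ == "__main__":
    r1, r2, r3 = run_chain()
    for net, (gw, port, cost, rtype) in r3.table().items():
        print(f"{net:16} {gw:10} {port:5} {cost:>2} {rtype}")
    print("Router3 -> Router2:", [(str(n), m) for n, m in r3.advertisement("If 3")])
```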


Assessing this topology

Some of the problems with this topology include:
• Inefficient forwarding paths and potential bottleneck
– Traffic between Router1 and Router3 has to go through Router2
• Does not provide backup paths in the event of link failure
• Does not scale well

Figure: Router2 (Loop 1 10.2.0.1/24; networks 10.2.20.0/24 and 10.2.40.0/24) sits between Router1 and Router3. R2 If 3 10.0.64.2/24 (RIP enabled) connects to R1 If 3 10.0.64.1/24 (RIP enabled); R2 If 4 10.0.65.1/24 (RIP enabled) connects to R3 If 3 10.0.65.2/24 (RIP enabled). R1: Loop 1 10.1.0.1/24; networks 10.1.10.0/24, 10.1.30.0/24 and 172.16.150.0/24. R3: Loop 1 10.3.0.1/24; networks 10.3.10.0/24 and 10.3.30.0/24.

Although this topology is useful for describing RIP operations, it is clearly not an
efficient topology. If the links between routers have equal bandwidth, Router2 may
become a bottleneck because it must handle traffic between hosts connected to
Routers 1 and 3, as well as traffic coming from or destined for its locally
connected networks.
Furthermore, this topology also does not provide any redundancy. If either of the
links between Router2 and its neighbors should fail, many hosts would be isolated.
The above deficiencies would be magnified if this intranet needed to support more
than three routers. If we continued daisy-chaining routers in this manner, the
potential for bottlenecks and traffic delay would increase dramatically. The
vulnerability of the connections would also escalate.


Providing a routed mesh

A routed mesh
• Provides a dedicated link between each pair of routers
• Provides a backup path in the event of link failure
• Does not scale well beyond 3 or 4 nodes

Figure: R1, R2 and R3 in a full mesh. Links: 10.0.64.0/24 (R1 to R2), 10.0.65.0/24 (R2 to R3) and 10.0.66.0/24 (R1 to R3). R1: Loop 1 10.1.0.1/24; networks 10.1.10.0/24, 10.1.30.0/24 and 172.16.150.0/24. R2: Loop 1 10.2.0.1/24; networks 10.2.20.0/24 and 10.2.40.0/24. R3: Loop 1 10.3.0.1/24; networks 10.3.10.0/24 and 10.3.30.0/24.

Creating a mesh of the routers would solve the problems relating to potential
bottlenecks and lack of redundancy. In a mesh, each device is connected to all
other devices. Rather than creating a bottleneck at Router2, the topology shown in
the example provides Router3 with a direct connection to Router1. If any of the
three links should fail, the remaining links would continue to provide connectivity
among all three routers. Of course, the potential for a bottleneck would then
increase until the mesh was restored.
However, the full mesh solution is not scalable. For every node added to the mesh,
the number of point-to-point connections increases dramatically. While it only
takes three links to create a full mesh among three nodes, six links are required to
fully connect four nodes. A full mesh for five nodes requires 10 point-to-point
links.
A full mesh for 10 nodes requires 45 point-to-point links. The number of links can
be calculated using the formula L = N(N-1)/2, where “L” represents the
number of point-to-point links and “N” represents the number of nodes to be
interconnected. For 10 nodes, 10*9/2 = 45.


Split horizon in a routed mesh

Each router in a full mesh:
• Advertises to neighbors all networks learned from other neighbors
• Receives advertisements for each remote network from every neighbor
• Chooses the lowest cost path to each destination network

[Diagram: the same three-router mesh (R1 Loop 1: 10.1.0.1/24, R2 Loop 1: 10.2.0.1/24, R3 Loop 1: 10.3.0.1/24). On each link, the router at one end is labelled as the next hop for the other router's local networks, and the Split horizon rule is noted beside it: R2 does not advertise the 10.1.x.x networks back to R1 or the 10.3.x.x networks back to R3, R1 does not advertise 10.2.x.x back to R2 or 10.3.x.x back to R3, and R3 does not advertise 10.2.x.x back to R2 or 10.1.x.x back to R1. Local networks shown: 10.1.10.0/24, 10.1.30.0/24 and 172.16.150.0/24 on R1; 10.2.20.0/24 and 10.2.40.0/24 on R2; 10.3.10.0/24 and 10.3.30.0/24 on R3]

In the non-redundant topology described earlier, each router receives information
about a specific address range from only one neighbor. However, in a meshed
topology, such as the one shown, each router receives updates from both
neighbors. Consequently, there is some overlap in the advertised networks.
In the example above, Router3 will receive advertisements from Router1 and
Router2. Following Split horizon rules, Router2 advertises networks 10.2.x.x with
a cost of 1 because those networks are local to Router2. It also advertises networks
10.1.x.x and 172.16.150.0/24 with a cost of 2. If the update from Router2 is the
first one Router3 hears, it will add all seven of the advertised networks to its route
table. However, when the first RIP update from the neighbor Router1 arrives,
Router3 follows a very specific procedure for evaluating the shortest or lowest-
cost path.
It is important for RIP routers to follow Split horizon rules regardless of whether
routing loops exist. Even in the non-redundant topology illustrated earlier, failure
to follow Split horizon rules can result in significant confusion for the router.


Processing inbound RIP updates

[Flowchart: for each advertisement in the update: if the address range does not yet exist in the table, create an entry; if it exists and the update's source equals the entry's Gateway, replace the entry; otherwise, if the calculated cost is lower than the cost of the table entry, replace the entry; if not, ignore the advertisement. Then read the next advertisement]

When a RIP router receives an update, it follows an identical process for each
advertised address range. This process is illustrated above. First, the router
determines whether the address range already exists in the table. If it does not, the
router adds a new entry for this network. It places the source address in the IP
datagram header of the RIP update in the route table’s Gateway or Next Hop field.
It derives a cost by adding 1 (or the cost of the inbound interface) to the advertised
cost.
If the address range does appear in the route table, the router takes one of the
following actions:
• The router ignores it because it already has the address range in the table and
the advertisement includes a higher cost than the entry already in the table.
• The router replaces an existing entry with a new one. There are two
variations on this outcome.
The first variation typically occurs under normal circumstances, with every
periodic update. If the sender of the update is the same as the network’s next hop
in the route table, the router creates an entry with an age of 0 and a cost equal to
the advertised cost plus 1 (or the inbound interface cost). This entry replaces the
network’s current entry. If the network is stable, the new entry will contain the
same information as the one it replaced. However, even if the cost has changed
since the last update, the router accepts whatever cost is advertised because the
router considers the network’s current next hop to be the authority on information
relating to it.


The second variation occurs when a neighbor other than the network’s current next
hop advertises a lower cost. This variation should not occur frequently. If it does,
it means that some set of networks between the router and the destination network
is unstable.


Link failure recovery in mesh (1)

[Diagram: the three-router mesh before the failure, with the link between R2 and R3 (10.0.65.0/24) marked as failing. Each router advertises to each neighbor its own networks plus those learned from the third router: R2 advertises 10.2.x.x and 10.3.x.x to R1 and 10.2.x.x and 10.1.x.x to R3; R1 advertises 10.1.x.x and 10.3.x.x to R2 and 10.1.x.x and 10.2.x.x to R3; R3 advertises 10.3.x.x and 10.1.x.x to R2 and 10.3.x.x and 10.2.x.x to R1]

In this example, a full mesh connects all three routers. Each router has a direct
connection to every router, eliminating the bottleneck. This topology provides
some resilience.
Note that each router advertises to each neighbor its own local networks as well as
the networks advertised by its other neighbor. Following Split horizon rules, none
of the routers advertise to a neighbor the networks for which that neighbor
provides the next hop.
The next few diagrams describe the sequence of events that occurs if one of the
router-to-router links fails.


Link failure recovery in mesh (2)

[Diagram: after the R2-R3 link fails, R2 changes the Cost for the 10.3.x.x networks to ’16’ and R3 changes the Cost for the 10.2.x.x networks to ’16’. R2 now advertises only 10.2.x.x to R1 and R3 advertises only 10.3.x.x to R1, while R1 still advertises 10.1.x.x and 10.3.x.x to R2 and 10.1.x.x and 10.2.x.x to R3]

When a RIP router loses link on one of its interfaces, the router immediately
changes the cost of the address range associated with the failed interface and all of
the address ranges in its table whose next hop is within the address range
associated with the failed interface.
In this example, Router2 sets network 10.0.65.0/24 at a cost of 16, which is equal
to infinity because the maximum hop count is 15. The router also assigns a cost of
16 to the 10.3.x.x networks because the next hop for those networks is the
neighbor interface on Router3, 10.0.65.2. Similarly, Router3 assigns a cost of 16 to
network 10.0.65.0/24 and to the 10.2.x.x networks.


Link failure recovery in mesh (3)

[Diagram: R2 accepts R1’s advertisement of the 10.3.x.x networks and changes the Gateway to R1 and the Cost to ‘3’; R3 accepts R1’s advertisement of the 10.2.x.x networks and changes the Gateway to R1 and the Cost to ‘3’. R2 advertises 10.2.x.x to R1, R3 advertises 10.3.x.x to R1, and R1 advertises 10.1.x.x and 10.3.x.x to R2 and 10.1.x.x and 10.2.x.x to R3]

Although Router2 set its cost for the 10.3.x.x networks at 16 after the link failure,
within 30 seconds or less it should receive a RIP update from Router1 advertising
a path to these networks at a cost of 2. Router2 derives a cost of 3 by adding its
own interface cost to the advertised cost, compares that with the cost of 16
currently in the route table, and creates new route table entries for the 10.3.x.x
networks using an interface on Router1 as its next hop. Similarly, Router3 updates
its route table to use Router1 as a next hop to reach the 10.2.x.x networks. This is
an example of option 3 described on page 24—an advertisement indicates a better
RIP routers do not immediately remove entries from tables as soon as they become
aware that networks are unavailable. Instead, a Holddown Timer determines the
number of seconds that a router will keep a table entry with a cost of 16, waiting
for the link to come back up or for some alternate lower-cost path to displace it.
This mechanism enables the routers to adapt to changing conditions with minimal
disruptions.
The actual functioning of the Holddown Timer varies from vendor to vendor.
However, in general, the Holddown Timer starts when the route changes to a cost
of 16 and it continues for three times the update interval (90 seconds). When the
timer expires, the route is removed from the table if the router hasn’t received a
better path to the address range.
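The inbound-update flowchart and the three link-failure diagrams above, replayed in code from R2's point of view. This is an added example and not part of the course material; R2's address on the R2-R3 link (10.0.65.1) is an assumption, since the slides show only R3's end (10.0.65.2).

```python
# Added example (not course material): a small model of the inbound RIP update
# procedure (create / replace by same gateway / replace by lower cost / ignore)
# together with the cost-16 poisoning and Holddown Timer from the link-failure
# pages. R2's 10.0.65.1 address is an assumption; the slides show only 10.0.65.2.
import ipaddress
from dataclasses import dataclass

INFINITY = 16                    # RIP metric meaning unreachable (max hop count 15)
UPDATE_INTERVAL = 30             # seconds between periodic updates
HOLDDOWN = 3 * UPDATE_INTERVAL   # 90 s, as described in the text


@dataclass
class Route:
    network: str     # e.g. "10.3.10.0/24"
    gateway: str     # next hop = source IP of the update, or "local"
    cost: int
    age: int = 0     # seconds since the entry was last refreshed


class RipRouter:
    def __init__(self, name, connected):
        # directly connected ranges are stored at cost 1 with no next hop
        self.name = name
        self.table = {net: Route(net, "local", 1) for net in connected}

    def process_update(self, source_ip, advertised):
        """Apply one inbound RIP update: a list of (network, metric) pairs."""
        for network, metric in advertised:
            new_cost = min(metric + 1, INFINITY)   # + cost of inbound interface
            entry = self.table.get(network)
            if entry is None:
                self.table[network] = Route(network, source_ip, new_cost)
            elif entry.gateway == source_ip:
                # current next hop is the authority: refresh, accept any cost
                self.table[network] = Route(network, source_ip, new_cost)
            elif new_cost < entry.cost:
                # a different neighbor offers a better path: replace
                self.table[network] = Route(network, source_ip, new_cost)
            # otherwise ignore: the table already holds an equal or better path

    def link_failed(self, failed_network):
        """Poison the failed range and every route whose next hop lies in it."""
        failed = ipaddress.ip_network(failed_network)
        for r in self.table.values():
            via_failed = (r.gateway != "local"
                          and ipaddress.ip_address(r.gateway) in failed)
            if r.network == failed_network or via_failed:
                r.cost, r.age = INFINITY, 0        # holddown starts now

    def tick(self, seconds):
        """Age learned and poisoned entries; drop poisoned ones after holddown."""
        for network in list(self.table):
            r = self.table[network]
            if r.gateway == "local" and r.cost != INFINITY:
                continue                           # healthy connected routes do not age
            r.age += seconds
            if r.cost == INFINITY and r.age >= HOLDDOWN:
                del self.table[network]


def build_r2():
    """R2 as drawn on the slides (10.0.65.1 on the R2-R3 link is assumed)."""
    return RipRouter("R2", ["10.0.64.0/24", "10.0.65.0/24", "10.2.0.0/24",
                            "10.2.20.0/24", "10.2.40.0/24"])


def run_failure_scenario():
    """Replay the 'Link failure recovery in mesh' sequence; returns (R2, poisoned cost)."""
    r2 = build_r2()
    r3_nets = [("10.3.0.0/24", 1), ("10.3.10.0/24", 1), ("10.3.30.0/24", 1)]
    r1_view_of_r3 = [(n, 2) for n, _ in r3_nets]   # R1 learned them from R3
    r2.process_update("10.0.65.2", r3_nets)        # direct path from R3, cost 2
    r2.process_update("10.0.64.1", r1_view_of_r3)  # cost 3 > 2: ignored
    r2.link_failed("10.0.65.0/24")                 # R2-R3 link goes down
    poisoned = r2.table["10.3.10.0/24"].cost       # 16 while in holddown
    r2.process_update("10.0.64.1", r1_view_of_r3)  # 3 < 16: R1 becomes next hop
    r2.tick(HOLDDOWN)                              # 10.0.65.0/24 ages out
    return r2, poisoned


if __name__ == "__main__":
    r2, poisoned = run_failure_scenario()
    for r in sorted(r2.table.values(), key=lambda r: r.network):
        print(f"{r.network:16} via {r.gateway:10} cost {r.cost}")
```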


Poisoned Reverse

A router using ‘Split Horizon with Poisoned Reverse’ advertises a cost of 16 rather than omitting the routes it learned from the neighbor.

[Diagram: R2 (Loop 1: 10.2.0.1/24; If 3: 10.0.64.2/24) connects over 10.0.64.0/24 to R1 (Loop 1: 10.1.0.1/24; If 3: 10.0.64.1/24; If 4: 10.0.66.2/24), which connects over 10.0.66.0/24 to R3 (Loop 1: 10.3.0.1/24; If 4: 10.0.66.1/24); RIP is enabled on all four interfaces. R1 sends the two advertisements below]

Routing Information Protocol (R1 out If 3, toward R2):
Network: 10.0.66.0 Metric: 1
Network: 10.1.0.0/24 Metric: 1
Network: 10.1.10.0/24 Metric: 1
Network: 10.1.30.0/24 Metric: 1
Network: 10.2.0.0/24 Metric: 16
Network: 10.2.20.0/24 Metric: 16
Network: 10.2.40.0/24 Metric: 16
Network: 10.3.0.0/24 Metric: 2
Network: 10.3.10.0/24 Metric: 2
Network: 10.3.30.0/24 Metric: 2
Network: 172.16.150.0/24 Metric: 1

Routing Information Protocol (R1 out If 4, toward R3):
Network: 10.0.64.0 Metric: 1
Network: 10.1.0.0/24 Metric: 1
Network: 10.1.10.0/24 Metric: 1
Network: 10.1.30.0/24 Metric: 1
Network: 10.2.0.0/24 Metric: 2
Network: 10.2.20.0/24 Metric: 2
Network: 10.2.40.0/24 Metric: 2
Network: 10.3.0.0/24 Metric: 16
Network: 10.3.10.0/24 Metric: 16
Network: 10.3.30.0/24 Metric: 16
Network: 172.16.150.0/24 Metric: 1

This example shows the routing mesh as it appears after the loss of the network
that formerly connected Router2 to Router3, 10.0.65.0/24. Now, however, the
routers are communicating through a mechanism known as “Poisoned Reverse.”
Poisoned Reverse is a variation of Split horizon that can help speed convergence in
meshed networks. Instead of omitting the routes that Split horizon rules exclude
from the advertisement, the router poisons those routes, making it impossible for
the router receiving the advertisement to consider the sender as a valid next hop
toward the poisoned address ranges.
A router that employs Split horizon with Poisoned Reverse advertises routes that
are excluded by Split horizon. As described earlier, the excluded routes include the
address range associated with the interface over which the update will be
transmitted. Split horizon also excludes all routes whose next hop Gateway field
lists a host within the interface’s own address range.
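The exclusion rule above, expressed in code, as an added example that is not part of the course: given R1's route table after the 10.0.65.0/24 link is gone, it builds the update sent out If 3 and out If 4 under plain Split horizon and under Poisoned Reverse. R1's route table is constructed to match the Poisoned Reverse slide; as on that slide, the outgoing interface's own range is omitted in both modes.

```python
# Added example (not course material): building R1's outbound RIP updates under
# Split horizon and under Split horizon with Poisoned Reverse. R1_TABLE is
# constructed to match the slide (interface addresses from the diagram).
import ipaddress

INFINITY = 16   # RIP metric for "unreachable"

# R1's route table after the R2-R3 link failure: (network, gateway, cost).
# "local" marks a directly connected range.
R1_TABLE = [
    ("10.0.64.0/24", "local", 1),      # If 3, toward R2
    ("10.0.66.0/24", "local", 1),      # If 4, toward R3
    ("10.1.0.0/24", "local", 1),       # Loop 1
    ("10.1.10.0/24", "local", 1),
    ("10.1.30.0/24", "local", 1),
    ("172.16.150.0/24", "local", 1),
    ("10.2.0.0/24", "10.0.64.2", 2),   # learned from R2 over If 3
    ("10.2.20.0/24", "10.0.64.2", 2),
    ("10.2.40.0/24", "10.0.64.2", 2),
    ("10.3.0.0/24", "10.0.66.1", 2),   # learned from R3 over If 4
    ("10.3.10.0/24", "10.0.66.1", 2),
    ("10.3.30.0/24", "10.0.66.1", 2),
]

R1_INTERFACES = {"If 3": "10.0.64.1/24", "If 4": "10.0.66.2/24"}


def build_update(table, out_iface, poisoned_reverse):
    """Return the [(network, metric)] list sent out of interface out_iface.

    Split horizon excludes the interface's own range and every route whose
    Gateway is a host in that range. With Poisoned Reverse the routes learned
    over this interface are still sent, but with metric 16, so the neighbor
    can never pick this router as its next hop for ranges it taught us.
    """
    out_net = ipaddress.ip_interface(out_iface).network
    update = []
    for network, gateway, cost in table:
        if ipaddress.ip_network(network) == out_net:
            continue                                  # never advertised back
        learned_here = (gateway != "local"
                        and ipaddress.ip_address(gateway) in out_net)
        if learned_here and not poisoned_reverse:
            continue                                  # plain split horizon: omit
        update.append((network, INFINITY if learned_here else cost))
    update.sort(key=lambda entry: ipaddress.ip_network(entry[0]))
    return update


def all_updates(table=R1_TABLE, interfaces=R1_INTERFACES, poisoned_reverse=True):
    """One update per RIP-enabled interface, keyed by interface name."""
    return {name: build_update(table, addr, poisoned_reverse)
            for name, addr in interfaces.items()}


if __name__ == "__main__":
    for name, update in all_updates().items():
        print(f"Update out {name}:")
        for network, metric in update:
            print(f"  Network: {network:17} Metric: {metric}")
```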


Connecting to a core router

• Connect user networks and resource networks to core to provide equal access
• Each link between routers is in a different network

[Diagram: core router C1 connected to edge routers R1-R4 over four separate networks: 10.0.64.0/24 (R1: 10.0.64.2/24), 10.0.65.0/24 (R2: 10.0.65.2/24), 10.0.66.0/24 (R3: 10.0.66.2/24) and 10.0.67.0/24 (R4: 10.0.67.2/24); each edge router Rx serves 10.x.10.0/24, 10.x.20.0/24 and 10.x.30.0/24]

This example illustrates a more scalable alternative to the routing mesh. In this
hierarchical solution, four “edge” routers—that is, routers that support user
networks—are connected to a “core” router whose primary responsibility is to
interconnect other routers. This configuration eliminates the potential bottlenecks
in the routing mesh shown earlier.
The routers place each physical port into a different broadcast domain. Because
every connection between an edge router and the core router is in a different
broadcast domain, each connection takes up a different network address. If you are
trying to interconnect many locations, you could use up the IP address space
quickly.


Connecting to a core routing switch

• Routing switches often support higher bandwidth
• Placing edge router uplinks in the same broadcast domain conserves network addresses

[Diagram: core routing switch C1 connected to edge routers R1-R4 within a single network, 10.0.64.0/24 (R1: 10.0.64.2/24, R2: 10.0.64.3/24, R3: 10.0.64.4/24, R4: 10.0.64.5/24); each edge router Rx serves 10.x.10.0/24, 10.x.20.0/24, 10.x.30.0/24 and so on]

You can relieve the strain on IP address space by putting into the same broadcast
domain all of the router interfaces that connect the edge routers to the core
network.
Flexible assignment of physical ports to router interfaces is one of the primary
advantages that a routing switch has over a traditional router. The routing switch
also supports higher speed interfaces than most traditional routers. Consequently,
the network upgrade at ProCurve University will include the replacement of
traditional routers with routing switches that support dynamic routing protocols as
well as the definition of static routes.


Connecting to redundant core

Providing multiple paths between users and resources:
• Provides resilience
• May increase core capacity

[Diagram: two core routers, C1 on network 10.0.64.0/24 and C2 on network 10.0.65.0/24, each connected to all four edge routers R1-R4 (R1: 10.0.64.2/24 and 10.0.65.2/24, R2: 10.0.64.3/24 and 10.0.65.3/24, R3: 10.0.64.4/24 and 10.0.65.4/24, R4: 10.0.64.5/24 and 10.0.65.5/24); each edge router Rx serves 10.x.10.0/24, 10.x.20.0/24, 10.x.30.0/24 and so on]

ProCurve University’s network upgrade will feature a redundant core such as the
one shown. A redundant core can provide for recovery in the event of link failures.
Furthermore, some routers can make use of multiple equal-cost paths to the same
destination. On some routers, this feature works automatically; on others, it must
be configured. Still other products will only use the first path to each destination
that it finds. If and when a second neighbor advertises an equal-cost path to the
destination, the router stays with the one it learned first.
You can determine if your router supports equal cost-multipath (ECMP) by
inspecting the route table. If you see multiple entries to the same destination that
have different “Gateway” values, it usually means that your router is sharing the
load toward that destination over all of the links. The maximum number of ECMP
routes is usually configurable, as well as the method the router uses to determine
which packets will follow each route.


Routing among locations at ProCurve University

• Routers learn best path to destination networks at their own location by exchanging routing information with neighbors
• One or two routers from each location exchange routing information with core routers

[Diagram: the University intranet core (networks 10.0.0.0/24 through 10.0.255.0/24, up to 255 networks) interconnects three campuses, each with up to 255 networks: Southwest campus (10.1.0.0/24 through 10.1.255.0/24, hosts in 10.1.0.0 – 10.1.255.255), Northwest campus (10.2.0.0/24 through 10.2.255.0/24, hosts in 10.2.0.0 – 10.2.255.255) and Northeast campus (10.3.0.0/24 through 10.3.255.0/24, hosts in 10.3.0.0 – 10.3.255.255)]

Each of ProCurve University’s three campuses has its own network with an
address range of 10.x.0.0/24 to 10.x.255.0/24. The campuses interconnect through
an intranet core with addresses in the range of 10.0.0.0/24 to 10.0.255.0/24.
The routing infrastructure supports more than 750 user networks distributed across
three physical locations. While the technologies in place are similar to earlier
examples, which showed only eight user networks, the complexity of this topology
presents a few new challenges.
For instance, because there are so many networks at each location, it would be
inefficient or even impossible to connect every router to the intranet core. Instead,
the topology features redundant links among routers at each location. Another
layer aggregates the traffic from the hosts at each location and connects that router
to the core. This multi-layered hierarchical approach can be scaled to support a
network with hundreds of locations, if necessary.


Dynamic route exchange

• If routers exchange entire route database with neighbors, they obtain detailed information about the networks at every location
• Storing detailed information about other locations can result in inefficient use of route table space

[Diagram: the intranet core (networks 10.0.0.0/24-10.0.255.0/24) connects Location A (10.1.0.0/24-10.1.255.0/24, hosts in 10.1.0.0 – 10.1.255.255), Location B (10.2.0.0/24-10.2.255.0/24, hosts in 10.2.0.0 – 10.2.255.255) and Location C (10.3.0.0/24-10.3.255.0/24, hosts in 10.3.0.0 – 10.3.255.255), each with up to 256 networks. Without summarization, the core and each location's router receive the full list of the other locations' networks (up to 768 networks), and each router may have up to 1,024 route table entries]

This diagram illustrates a hierarchical topology that requires all inter-location
traffic to transit the core. If the router that connects each location to the core
advertises all 256 of its networks, every router in the entire intranet will have over
750 entries in its route table. This is highly inefficient because it is not necessary
for every router to know every network.
To avoid this inefficiency, IP network designers usually assign contiguous address
space to physically separated locations, regardless of whether they are buildings
within the same campus separated by a short distance or campuses within a larger
enterprise that are separated by a greater distance. This makes it possible to
summarize the address space, enabling a range of networks to be represented by a
single route table entry.


Network summarization

• Network summarization requires hierarchical addressing scheme
• Summaries provide a starting address and mask that describes a range of addresses
• Benefits include:
  – Minimize the number of route table entries
  – Enable more efficient route table lookup
• Summarization methods within an autonomous system:
  – Networks that use RIP
    • Define a static route that specifies range’s starting address and mask, next hop (gateway), and path cost
    • Disable RIP on the interface that connects to the summarized address range
  – Networks that use OSPF
    • May be divided into administratively defined “areas”
    • Summaries configured at area boundaries

Often, routers at a location have a limited number of paths to the networks within a
given address range. In these cases, you can increase routing efficiency by
replacing many individual, specific network advertisements with a single
statement that specifies a larger range of addresses using a shorter mask. In all
cases, a shorter mask specifies a larger address range and a longer mask specifies a
smaller range. Any starting address with a 24-bit mask specifies a range with 256
addresses. A starting address with a 16-bit mask specifies a range of 65,536
addresses.
This process is known as “network summarization.” In most vendor
implementations, neither RIP nor OSPF performs this summarization
automatically; both require that you perform some additional configuration steps
to enable network summarization.


Summarization of address space using static routes

[Diagram: the intranet core (10.0.0.0/16) connects through routers A1 and A2 to Location A (10.1.0.0/16), where edge routers A11-A14 serve the local networks. The intranet core router is configured with two static summary routes toward address range 10.1.0.0/16: one specifies A1 as next hop, another specifies A2 as next hop. Routers A1 and A2 are configured with a static default route 0.0.0.0/0 whose next hop is a core router interface, and include the static route in RIP updates they send to the edge routers (A11-A14) at Location A]

In networks that implement RIP, static routes usually provide the mechanism for
network summarization.
In this example, network summarization will prevent routers in Location A from
obtaining detailed, specific advertisements for every network in the intranet. This
process requires two steps:
1. Disable the operation of RIP on both sides of the links that connect Routers
A1 and A2 to the intranet core. This, of course, prevents the routers in
Location A from processing RIP advertisements sent from the core.
2. Define static routes for the path to networks or address ranges that do not
appear as more specific routes in the route table.
In the example, the goal is to provide a path for hosts at Location A to reach all
non-local destinations, including addresses on the public Internet. To accomplish
this, you would specify the default route (0.0.0.0/0) that uses an intranet core
interface as the next hop.


While the core router may use a default static route to reach addresses in the public
Internet, it can’t use the default route to reach hosts at different locations. Instead,
the intranet core might have a summarized route to each location. Because the
addressing scheme is hierarchical, and all hosts between 10.1.0.0 and 10.1.255.255
are at Location A, you can define a static summary route for the path the core
router has to Location A with the starting address 10.1.0.0 and a 16-bit mask
(10.1.0.0/16). The 16-bit mask defines a range of over 65,536 addresses, although
some number of the addresses in this range would be inappropriate for host
addressing purposes.
For purposes of Layer 3 forwarding, a route table entry with a 16-bit mask matches
a large range of destination addresses. For example, if a router within the
intranet core needs to forward traffic toward any of the potentially 65,536
addresses between 10.1.0.0 and 10.1.255.255, it will forward the traffic to the
next hop gateway in the 10.1.0.0/16 route table entry.
Although the diagram shows detailed operation only for Location A, the same
procedures would be used for other locations. The intranet core router(s) would
need to have static routes specifying each of the locations’ address ranges. Each
router would forward traffic destined for a given address range in the direction of
the appropriate location. The routers that connect each location to the intranet core
would use the default route to forward all traffic for which they do not have a more
specific route in their route tables.


Route table lookup

IP route table is a list of address ranges that may specify:
• A single network
• A network summary expressed as a starting address and mask

Route table lookup procedure:
• Compare packet’s destination IP address with route table entries
• If there is a match, forward the packet to the specified gateway (next hop)
• If there is more than one match, forward the packet to the gateway specified by the most specific match
• If there is no match, discard the packet

Default route:
• Ultimate summarized route specifies the entire IP address space (over 4 billion addresses)
• Only packets without a more specific match will be forwarded toward the default route

Although a packet’s destination address may match with multiple route table
entries, the router does not stop its evaluation on the first match. When a route
table contains multiple matches for an address, the most specific match defines the
path the packet will take. The router follows the entry that has the longest mask;
that is, the entry that is the most specific match with the packet’s destination
address.
Every address in the entire IP address space—between 0.0.0.0 and
255.255.255.255—is included in the range specified in the static default route.
Consequently, every packet will match with the default route. However, packets
whose destination addresses are within the specific ranges that appear in the route
table will match with two entries and will follow the most specific route.
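An added example (not from the course) that ties the summarization pages and the lookup procedure above together: it collapses Location A's 256 /24 networks into the 10.1.0.0/16 summary, then runs the longest-match lookup against a constructed core-router table holding the location summaries, one more specific route and the default route. The gateway addresses and the 10.1.200.0/24 entry are constructed for illustration and are not taken from the slides.

```python
# Added example (not course material): network summarization and the
# most-specific-match route lookup. CORE_TABLE and its gateways are constructed
# for illustration; only the summary ranges follow the slides.
import ipaddress


def summarize(networks):
    """Collapse a list of prefixes into the fewest prefixes covering them exactly."""
    nets = (ipaddress.ip_network(n) for n in networks)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def location_networks(second_octet):
    """The 256 networks 10.x.0.0/24 through 10.x.255.0/24 of one location."""
    return [f"10.{second_octet}.{third}.0/24" for third in range(256)]


# Constructed core-router table: (address range, gateway). Gateways are assumed.
CORE_TABLE = [
    ("10.0.0.0/16", "local"),        # the intranet core's own ranges
    ("10.1.0.0/16", "10.0.1.1"),     # summary toward Location A via A1
    ("10.1.0.0/16", "10.0.1.2"),     # same summary via A2 (equal-cost second path)
    ("10.2.0.0/16", "10.0.2.1"),     # summary toward Location B
    ("10.3.0.0/16", "10.0.3.1"),     # summary toward Location C
    ("10.1.200.0/24", "10.0.1.2"),   # a more specific route inside Location A
    ("0.0.0.0/0", "10.0.0.254"),     # default route: matches every address
]


def lookup(table, destination):
    """Longest-prefix match: return the gateway(s) of the most specific entry.

    Every matching entry is considered, not just the first; the longest mask
    wins. More than one gateway means equal-cost multipath candidates; an
    empty list means no match at all, so the packet would be discarded.
    """
    dst = ipaddress.ip_address(destination)
    matches = [(ipaddress.ip_network(prefix), gw) for prefix, gw in table
               if dst in ipaddress.ip_network(prefix)]
    if not matches:
        return []
    longest = max(net.prefixlen for net, _ in matches)
    return [gw for net, gw in matches if net.prefixlen == longest]


if __name__ == "__main__":
    loc_a = location_networks(1)
    print(f"{len(loc_a)} networks summarized as {summarize(loc_a)}")
    for dst in ("10.1.5.9", "10.1.200.7", "10.3.30.5", "198.51.100.1"):
        print(f"{dst:14} -> {lookup(CORE_TABLE, dst)}")
```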


Advertising static routes

[Diagram: the same intranet core (10.0.0.0/16), routers A1 and A2, and Location A (10.1.0.0/16) with edge routers A11-A14. If there are other routers in the intranet core, the RIP router holding the static routes may be configured to advertise them to its neighbors. Routers A1 and A2 must be able to advertise the default route within RIP updates, and edge routers A11-A14 must be able to accept the default route advertisement (0.0.0.0/0)]

Often, network summarization using static routes requires further configuration for
the routers that advertise the static routes and the routers that receive them.
However, because network equipment manufacturers implement the relationship
between RIP and static routes in different ways, you should consult product
documentation to determine what configuration is necessary.
In the example, the static route is defined on routers A1 and A2. It may be
necessary to configure these routers to “redistribute” static routes, including the
default route. The recipient routers (A11-A14) may also need to be configured to
“listen” for the default route.
These configuration steps often are necessary because routers usually consider
RIP-learned routes, directly connected routes, and static routes to be different
“sources” of route information. Most routers automatically redistribute directly
connected network address ranges into RIP advertisements, but the choice of
whether to automatically redistribute static routes is up to vendor implementation.
Additionally, most routers enable the definition of filter lists for redistribution,
which allows an administrator to selectively redistribute static routes. For example,
some static routes may be useful locally but unsuitable for use by neighboring
routers.


Many routers treat the default static route as a special case of static route. That is,
without special configuration, some routers will not place the default route into
their route tables, even if it is advertised within a RIP update. Typically, if a router
does not automatically listen for or accept the default route, it is usually possible to
selectively enable default route listening or to enable it for all RIP interfaces on the
router.

Equal cost multipath

After the routers are configured to accept or listen for the default route, it is treated
just like any other address range. If a router has a neighbor advertising the default
route at a cost of 2 and another advertising the default route at a cost of 3, it will
choose the lower cost path. If the next hop router stops advertising the default
route and the entry ages out of the route table, the router will replace the invalid
route with a valid one.
In the example, Routers A11 through A14 each have two paths to the core and,
therefore, two paths to resources that may be available through the core. Whether a
given router will use the first-heard route or place both routes in its table and share
the traffic between them is entirely dependent on the router’s feature set. At the
very least, the second connection to the core provides redundancy.


Module 1 summary

In this module, you learned:
• The basic types of router interfaces
• How the route table stores route information
• The types of routing protocols
• How RIP routers advertise routes and determine the best path to a given resource
• The operation of Split Horizon and Poisoned Reverse
• How network summarization enables efficient route tables

Module 1 of IP Routing Foundations introduced the basic concepts of IP routing,
with an emphasis on RIP. Specific topics included types of router interfaces, the
basic operation of RIP, and the types of routing protocols.


Learning check
Module 1


1. What are the four types of router interfaces?

2. What is the difference between an Interior Gateway Protocol and an Exterior
Gateway Protocol?

3. Name and describe one important disadvantage of RIP.

4. What is “Split horizon”?

5. What is network summarization and why is it necessary?

6. What is “poisoned reverse”?

OSPF Routing
Module 2

Objectives
After completing this module, you will be able to:
• Compare and contrast RIP and OSPF
• Explain why OSPF provides more efficient routing than RIP in large-scale
intranets
• Describe the basic process for propagating route information throughout
OSPF domains
• Describe the roles of the OSPF router types
• Explain the functions of the OSPF message types
• Describe the OSPF area types and their proper uses
• Explain the process of network summarization for OSPF domains

Rev 5.21 2–1


IP Routing Foundations

OSPF at ProCurve University

Intranet characteristics that make OSPF a good choice for IGP:
• Infrastructure provides multiple paths to each address range
• Complex connectivity provided by links with varying bandwidth
• Topology is hierarchical
• Addressing scheme is hierarchical, following physical hierarchy

Plan for ProCurve University intranet upgrade includes:
• High availability characteristics
  – Locations are interconnected through dual core
  – Redundant links within each location
• Hierarchical addressing scheme
  – Address range will be assigned to networks within each campus location
  – Address range will be assigned to networks within intranet core

Often, OSPF is a better choice than RIP as an IGP. This is especially true in
intranets that provide multiple paths to each address range, have complex
connectivity with links of varying bandwidth, and have hierarchical addressing
schemes and topologies.
The network upgrade at ProCurve University will include an OSPF
implementation for the reasons listed above. Specifics about the design and
implementation are described in Routing Switch Essentials.

Basic OSPF interactions

• Hierarchy
• Message types
• Router communications
  – Distribution of link state changes
  – External route information

The first section of Module 2 describes the basic interactions between OSPF
routers. Specific topics include the OSPF hierarchy, OSPF Hello messages, and
the link state messages and database.

OSPF routing protocol

Benefits when compared with RIP:
• Faster convergence
  – Advertisements flooded throughout domain
  – Each router advertises only its own connected networks
• Intelligent path selection
  – Supports variable link cost assignment
• Scalable, with no specific limit on the number of router hops between a source and destination host

The benefits of OSPF are most evident in large intranets with redundant routed
links. Unlike RIP routers, OSPF routers are immediately aware of changes in
network topology and can quickly adjust their next hop information for remote
networks.
When a network becomes unavailable due to link failure, the OSPF routers
connected to the network immediately pass the information on to all routers in the
area. By contrast, RIP updates move from hop to hop, which delays convergence
and can cause routers to have contradictory or inconsistent information in their
route tables.

OSPF hierarchy: Routers and networks

OSPF routers
• Uniquely identified by 32-bit dotted decimal value
• Establish formal relationship known as ‘adjacency’ with neighbors
• Advertise their own directly connected networks and associated link cost

OSPF networks
• Uniquely identified by starting address and mask
• Classified based on their function in the ‘tree’ that represents the collection of routers and networks
  – ‘Transit’ networks can carry traffic destined for other networks
  – ‘Stub’ networks have a single entry/exit point

Figure: R1A (Router ID 10.1.208.1) and R1B (Router ID 10.1.209.1) share transit network 10.1.64.0/24; R1A also connects stub network 10.1.10.0/24 and R1B connects stub network 10.1.20.0/24.

Several important features of OSPF routers and networks enable them to function
more efficiently than RIP routers and networks. In particular, the networks and
routers in an OSPF domain follow a specific hierarchy that enables efficient
communication.

OSPF Router ID
An OSPF router uses its Router ID—a unique 32-bit dotted decimal value—to
advertise itself and its connected networks and neighbors to all other OSPF
routers. By contrast, a RIP router gathers information about its immediate
neighbors from periodic updates.
Most vendors’ implementations of OSPF establish rules that enable a router to
select a Router ID from among its active IP interfaces if an administrator has not
statically defined one. Many routers require that the Router ID be the IP address
of an active interface. The loopback interface is often the default source for the
Router ID because it is the interface least likely to become unavailable.

OSPF adjacencies
One primary task of an OSPF router is to establish a formal relationship, called an
“adjacency,” with routers on its local networks. In the example, R1A has three
OSPF interfaces, one of which is its loopback interface. It periodically sends
“Hello” messages through all of those interfaces in an effort to find neighbors and
establish adjacencies. After the adjacency is established, OSPF routers periodically
send Hello messages indefinitely to maintain their relationship.


For each of its IP interfaces, the OSPF router applies the assigned mask to the
assigned IP address to derive the local address range and sends an advertisement
that includes every locally connected network. By contrast, if the routers in the
example were configured for RIP, Split Horizon rules would prohibit R1A from
advertising network 10.1.64.0/24.

OSPF network types


Unlike RIP, OSPF routers differentiate among network types in their
advertisements. The OSPF specification (RFC 2338) lists many numbered network
types and sub-types. However, they fall into two main categories:
1. Transit networks have two or more connected routers. As such, they are
potential paths for traffic that originates within or is destined for some other
network.
2. Stub networks have only one router. They are considered stubs because
there is only one point of entry (router) to the network. Traffic that comes
from or is destined for other networks is never forwarded into a stub network.
Stub networks will be discussed in more detail later in this module.
OSPF routers determine whether a network is stub or transit by listening for
neighbors. If a router detects at least one neighbor on an interface, the network is a
transit network. The router finds no neighbors on stub networks.
By default, OSPF routers will continue sending Hello messages on all interfaces,
including those that lead to stub networks. Most OSPF routers send Hello
messages through their loopback interfaces, even though they are completely
isolated from physical network media and will never lead to neighbors.
However, administrators can configure OSPF routers to not send advertisements
through specific interfaces, including the loopback. Many router platforms allow
administrators to define certain OSPF interfaces, including the loopback interface,
as “passive.” An OSPF router will not send Hello messages through passive
interfaces and consequently will not form adjacencies or flood updates into the
connected network.

OSPF area

• A group of networks interconnected by OSPF routers
• Area ID may be expressed as a decimal or dotted decimal number
• Networks are identified as members of an area by their connected routers

Figure: Two router pairs linked through core router C1 and network 10.0.100.0/24. R2A (Router ID 10.2.208.1) and R2B (Router ID 10.2.209.1) share network 10.2.64.0/24 and connect stub networks 10.2.10.0/24 and 10.2.20.0/24; R1A (Router ID 10.1.208.1) and R1B (Router ID 10.1.209.1) share network 10.1.64.0/24 and connect stub networks 10.1.10.0/24 and 10.1.20.0/24. Every network shown is in Area 0.

The next level in the OSPF hierarchy is the area, which is a contiguous collection
of networks. Every OSPF router must belong to at least one area.
An area receives its ID from the routers whose networks are contained within it.
Two routers that share a network must agree on its area ID. If the routers do not
assign the same area ID to the network, they will fail to form an adjacency.
Without an adjacency, the routers will not share information and will not forward
IP traffic over the network. They will, however, continue attempting to form an
adjacency indefinitely until an administrator resolves the conflict.
All routers that are interconnected by networks that have a common area ID will
obtain detailed information about the networks connected to other routers in the
area. When a router originates a Router Link State Advertisement (LSA), it sends
it to its immediate neighbors, who in turn flood the LSA to all of their neighbors
without changing it. In this manner, every Router LSA reaches every router in the
area. As a result, every router in the area has an identical collection of router
LSAs.
Unlike RIP advertisements, the OSPF advertisement does not immediately yield a
next hop gateway for the receiving router to place in its route table. Instead, each
router uses the collected advertisements to build a tree, using itself as the root, that
represents the shortest path to all of the routers and networks in the area. Each
router produces a set of route table entries based on the tree.


Any router that experiences a change in the state of one of its links must
immediately send a newer instance of its LSA to inform all of the routers in the
area of the change. Routers flood the advertisement over the networks that
constitute the area. Receipt of a new LSA may cause every router in the area to
simultaneously build a new shortest path first (SPF) tree based on the most current
information and, depending on each router’s proximity to the link whose state has
changed, place new next hop gateway values in its route table.
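The tree-building step described above, as an added example (not code from the ProCurve student guide): each router takes the Router LSAs and the Network LSA it has collected for the area, runs a shortest-path-first calculation with itself as the root, and turns the tree into route table entries. The LSA contents are the ones shown in this module's diagrams for R1A and R1B after they become adjacent on 10.1.64.0/24; the RouterLSA and NetworkLSA classes and the function names are this example's own choices.

```python
"""Shortest-path-first calculation from a set of OSPF LSAs.

Added example for this page, not code from the ProCurve student guide. It takes
the Router LSAs and Network LSA collected for an area, builds a tree rooted at
the computing router, and derives route table entries (destination, cost,
next hop). Class and function names are this example's own choices.
"""
import heapq
from dataclasses import dataclass


@dataclass
class RouterLSA:
    router_id: str
    transit: list   # (network id, own interface address, cost); the network id is
                    # the DR's interface address, i.e. the Network LSA's Link State ID
    stubs: list     # (prefix, cost)


@dataclass
class NetworkLSA:
    link_state_id: str   # DR's interface address on the network
    prefix: str
    attached: list       # Router IDs of the routers attached to the network


def build_graph(router_lsas, network_lsas):
    """Vertices: routers "R:<Router ID>" and transit networks "N:<DR address>".
    Router-to-network edges carry the advertised cost, network-to-router edges
    cost 0, and a link counts only when both ends advertise it (as in OSPF)."""
    adj = {}
    for r in router_lsas.values():
        adj.setdefault("R:" + r.router_id, [])
        for net_id, _ifaddr, cost in r.transit:
            adj["R:" + r.router_id].append(("N:" + net_id, cost))
    for n in network_lsas.values():
        adj.setdefault("N:" + n.link_state_id, [])
        for rid in n.attached:
            r = router_lsas.get(rid)
            if r and any(nid == n.link_state_id for nid, _, _ in r.transit):
                adj["N:" + n.link_state_id].append(("R:" + rid, 0))
    return adj


def spf(root_id, router_lsas, network_lsas):
    """Dijkstra from the computing router: returns (distance, predecessor) maps."""
    adj = build_graph(router_lsas, network_lsas)
    root = "R:" + root_id
    dist, prev, heap = {root: 0}, {}, [(0, root)]
    while heap:
        d, v = heapq.heappop(heap)
        if d > dist[v]:
            continue                         # stale heap entry
        for w, cost in adj.get(v, []):
            if d + cost < dist.get(w, float("inf")):
                dist[w], prev[w] = d + cost, v
                heapq.heappush(heap, (d + cost, w))
    return dist, prev


def next_hop(vertex, root, prev, router_lsas):
    """Neighbor interface address used to reach vertex, or None when the
    destination is the root itself or a network directly attached to it."""
    path = [vertex]
    while path[-1] != root:
        path.append(prev[path[-1]])
    path.reverse()                           # root, N:<net>, R:<neighbor>, ...
    if len(path) < 3:
        return None
    net_id, neighbor = path[1][2:], router_lsas[path[2][2:]]
    for nid, ifaddr, _ in neighbor.transit:
        if nid == net_id:
            return ifaddr                    # neighbor's address on the shared network
    return None


def route_table(root_id, router_lsas, network_lsas):
    """Map each destination prefix to (cost, next hop) as seen from root_id."""
    dist, prev = spf(root_id, router_lsas, network_lsas)
    root, routes = "R:" + root_id, {}
    for n in network_lsas.values():          # transit networks
        v = "N:" + n.link_state_id
        if v in dist:
            routes[n.prefix] = (dist[v], next_hop(v, root, prev, router_lsas))
    for r in router_lsas.values():           # stub networks hang off their router
        v = "R:" + r.router_id
        for prefix, cost in (r.stubs if v in dist else []):
            cand = (dist[v] + cost, next_hop(v, root, prev, router_lsas))
            if prefix not in routes or cand[0] < routes[prefix][0]:
                routes[prefix] = cand
    return routes


# Constructed from the diagrams on this page: R1A and R1B after full adjacency
EXAMPLE_ROUTER_LSAS = {
    "10.1.208.1": RouterLSA("10.1.208.1", [("10.1.64.2", "10.1.64.1", 10)],
                            [("10.1.10.0/24", 100), ("10.1.208.0/24", 1)]),
    "10.1.209.1": RouterLSA("10.1.209.1", [("10.1.64.2", "10.1.64.2", 10)],
                            [("10.1.30.0/24", 100), ("10.1.209.0/24", 1)]),
}
EXAMPLE_NETWORK_LSAS = {
    "10.1.64.2": NetworkLSA("10.1.64.2", "10.1.64.0/24", ["10.1.208.1", "10.1.209.1"]),
}
```

Calling `route_table("10.1.208.1", EXAMPLE_ROUTER_LSAS, EXAMPLE_NETWORK_LSAS)` gives R1A's view: 10.1.64.0/24 at cost 10 and its own stubs with no next hop, and R1B's stubs 10.1.30.0/24 (cost 110) and 10.1.209.0/24 (cost 11) via 10.1.64.2. Running it from R1B's Router ID produces the mirror image, which is the point the text makes: every router holds the same LSAs but computes its own tree and its own next hops.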

OSPF hierarchy: Autonomous System

OSPF Autonomous System (AS)
• A collection of interconnected OSPF areas, one of which is Area 0 (backbone)
• Area Border Routers (ABR) connect non-backbone areas to backbone

Figure: Area 0 (the backbone) in the center, with Area 1, Area 2, and Area 3 each attached to it through ABRs.

The highest level of hierarchy in an OSPF domain is the Autonomous System
(AS), which is a collection of interconnected areas. Each area is a portion of the
AS where routers exchange detailed information about their link states. It is
certainly possible for all of the routers and networks in an AS to be placed into the
same OSPF area. However, this approach will limit the maximum number of
routers and networks that can be efficiently serviced.
For best results, the logical addressing hierarchy should follow the physical
hierarchy. Networks that are in the same physical location should be assigned
addresses within a range that can be expressed using a starting address and mask.

OSPF router boots up

First actions taken by a router with active OSPF interfaces:
• Create a Router LSA that describes its connected OSPF networks, store in link state database
• Send Hello messages over all OSPF interfaces every 10 seconds

Figure: R1A (Loopback 1: 10.1.208.1, OSPF enabled) has interface 10.1.10.1/24 (OSPF cost 100) and interface 10.1.64.1/24 (OSPF cost 10) toward R1B; R1B has no OSPF and connects 10.1.30.0/24.

R1A’s Router LSA:
  Type: Router LSA; Link state ID 10.1.208.1; Adv. Router 10.1.208.1; Sequence 80000000; No. of links 3
    Stub 10.1.10.0/24 cost 100
    Stub 10.1.64.0/24 cost 10
    Stub 10.1.208.0/24 cost 1

Hello packet sent on 10.1.10.0/24:
  IP header: Src 10.1.10.1, Dst 224.0.0.5
  OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
  Hello packet: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec

Hello packet sent on 10.1.64.0/24:
  IP header: Src 10.1.64.1, Dst 224.0.0.5
  OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
  Hello packet: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec

When an OSPF router boots up or when OSPF is activated, the router immediately
performs two tasks. It places information about its own connected networks into its
link state database and begins looking for neighbors on its connected networks.
The first entry in every OSPF router’s Link State Database is its own Router LSA.
The diagram shows the highlights of the Router LSA for R1A. The sequence
number (80000000 hex) indicates this is R1A’s first instance of a Router LSA. All
of R1A’s networks are considered “stub” networks because it has not discovered
any neighbors at this point.
If R1A later detects any change in the state of its connected networks—that is, if
any of the networks go down or if additional OSPF networks are configured—the
router will create a new LSA containing the most recent information and replace
the one currently in the database.

Hello messages
Currently, R1A is the only OSPF router in its area, although it is directly
connected to R1B. However, OSPF is not enabled on R1B. Still, immediately after
it boots up, R1A will begin sending Hello messages over all of its interfaces,
including network 10.1.64.0/24. Furthermore, because the formation of
adjacencies is crucial to OSPF operation, R1A will continue sending Hello
messages unless the interface goes down or an administrator explicitly defines this
interface as passive.

Exchanging Hello packets

OSPF routers
• Send Hello packets periodically to
  – Exchange their Router IDs
  – Verify that they agree on their shared network’s mask and the area to which it is assigned
  – Propose or confirm parameters of their relationship, including timers
• Do not use Hello packets to share information about networks other than the one they share

Figure: R1A (Router ID 10.1.208.1, address .1) and R1B (Router ID 10.1.209.1, address .2) on 10.1.64.0/24; R1A also connects 10.1.10.0/24 and R1B connects 10.1.30.0/24.

R1A’s Hello packet:
  IP header: Src 10.1.64.1, Dst 224.0.0.5
  OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
  Hello packet: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Neighbor 0.0.0.0

R1B’s first Hello packet:
  IP header: Src 10.1.64.2, Dst 224.0.0.5
  OSPF header: Source router 10.1.209.1, Area ID 0.0.0.0
  Hello packet: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Neighbor 10.1.208.1

In this example, OSPF has been activated on R1B. This router has created a Router
LSA that represents its own connected networks, stored the LSA in its link state
database, and sent its first Hello packet.
All OSPF packets are directly encapsulated by an IP datagram header without
using TCP or UDP. The destination address in the IP datagram header is a
multicast address, 224.0.0.5, which is reserved for OSPF routers. (Other types of
OSPF communication are sent over unicast addresses.)
Among the information each OSPF router includes in its Hello packets is the area
ID, which must be identical if the routers are to become adjacent. In the example,
the networks are identified as members of the area known as Area 0.0.0.0 or
simply Area 0. (Other special properties of Area 0 will be discussed later in this
module.)
In addition to an area ID, each OSPF interface is configured with values that
define its expectations for neighbor interaction. These include the Hello interval,
which is the interval between the router’s Hello messages, and the dead interval,
which is the interval that a router will wait for a neighbor’s Hello messages before
considering the neighbor to be down.


In the example above, one of R1A’s Hello packets arrived at R1B before it sent its
first Hello packet. R1B compared R1A’s proposed parameters with its own
configured parameters. R1B’s Hello messages signaled acceptance of R1A’s Hello
messages because the source address in the IP datagram header is in the same
address range as the address configured on the receiving interface and because the
following parameters were identical:
• Area ID
• Subnet mask
• Hello interval
• Dead interval
If any of these parameters differed in the two routers’ messages, or if the routers
had the same Router ID, the routers would not move to the next state. Instead, they
would continue sending Hello packets with an empty Neighbor field indefinitely,
without including each other’s Router ID in the Hello packets they send.
Most routers report parameter mismatches in an event log. In the event of a
mismatch, log entries include error messages indicating which parameter was
mismatched. The logs also include an error message if Router IDs are identical.
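The acceptance test described above, as an added example (not code from the ProCurve student guide or from any router vendor): a receiving interface checks that the Hello's IP source falls inside its own address range, that the sender's Router ID differs from its own, and that area ID, network mask, Hello interval and dead interval all match, and it reports the first mismatch the way an event log would. The OspfInterface and HelloPacket classes, the function names and the constructed R1B/R1A sample values are this example's own; "Two-way" is the state named on this page, while "Init" is the OSPF term for a neighbor that has been heard but does not yet list us.

```python
"""Neighbor acceptance check for a received OSPF Hello packet.

Added example for this page, not code from the ProCurve student guide. The
checks are the ones the text lists; the reason string is what a router would
write to its event log on a mismatch. Names are this example's own choices.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OspfInterface:
    router_id: str
    address: str            # interface address with prefix length, e.g. "10.1.64.2/24"
    area_id: str
    hello_interval: int     # seconds
    dead_interval: int      # seconds


@dataclass(frozen=True)
class HelloPacket:
    ip_src: str             # source address in the IP datagram header
    router_id: str          # "Source router" in the OSPF header
    area_id: str
    network_mask: str
    hello_interval: int
    dead_interval: int
    neighbors: tuple = ()   # Router IDs the sender has already heard from


def check_hello(iface, hello):
    """Return (accepted, reason); reason names the first mismatch found."""
    net = ipaddress.ip_interface(iface.address).network
    if ipaddress.ip_address(hello.ip_src) not in net:
        return False, f"source {hello.ip_src} is not in {net}"
    if hello.router_id == iface.router_id:
        return False, f"duplicate Router ID {hello.router_id}"
    if hello.area_id != iface.area_id:
        return False, f"area ID mismatch: {hello.area_id} != {iface.area_id}"
    if hello.network_mask != str(net.netmask):
        return False, f"network mask mismatch: {hello.network_mask} != {net.netmask}"
    if hello.hello_interval != iface.hello_interval:
        return False, f"hello interval mismatch: {hello.hello_interval} != {iface.hello_interval}"
    if hello.dead_interval != iface.dead_interval:
        return False, f"dead interval mismatch: {hello.dead_interval} != {iface.dead_interval}"
    return True, "ok"


def neighbor_state(iface, hello):
    """Neighbor state after this Hello: None if the Hello is rejected (no
    relationship is formed), "Two-way" once the neighbor lists our Router ID,
    otherwise "Init" (OSPF's name for a neighbor heard but not yet seeing us)."""
    accepted, _ = check_hello(iface, hello)
    if not accepted:
        return None
    return "Two-way" if iface.router_id in hello.neighbors else "Init"


# Constructed from the diagram: R1B's interface on 10.1.64.0/24 and R1A's Hellos
R1B_IFACE = OspfInterface("10.1.209.1", "10.1.64.2/24", "0.0.0.0", 10, 40)
R1A_FIRST_HELLO = HelloPacket("10.1.64.1", "10.1.208.1", "0.0.0.0",
                              "255.255.255.0", 10, 40)
R1A_LATER_HELLO = HelloPacket("10.1.64.1", "10.1.208.1", "0.0.0.0",
                              "255.255.255.0", 10, 40, ("10.1.209.1",))
```

With the diagram's values, `check_hello(R1B_IFACE, R1A_FIRST_HELLO)` accepts the packet and `neighbor_state` reports "Init"; once R1A's Hello lists 10.1.209.1 as a neighbor the state becomes "Two-way". Changing R1A's dead interval to 30 seconds yields `(False, "dead interval mismatch: 30 != 40")`, which is the kind of entry the text says most routers write to their log.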

Two-way neighbor recognition

• After initial Hello packet exchange, each router includes neighbor’s Router ID in Hello packets
• When a router sees its own Router ID in a Hello packet from a neighbor, it enters the ‘Two-way’ state
• When both routers are in the Two-way state, they may proceed to the next step toward adjacency

Figure: R1A (Router ID 10.1.208.1, address .1) and R1B (Router ID 10.1.209.1, address .2) on 10.1.64.0/24; R1A also connects 10.1.10.0/24 and R1B connects 10.1.30.0/24.

R1A’s Hello packet:
  IP header: Src 10.1.64.1, Dst 224.0.0.5
  OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
  Hello packet: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Neighbor 10.1.209.1

R1B’s Hello packet:
  IP header: Src 10.1.64.2, Dst 224.0.0.5
  OSPF header: Source router 10.1.209.1, Area ID 0.0.0.0
  Hello packet: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Neighbor 10.1.208.1

R1A and R1B now send Hello packets every 10 seconds. When R1A receives
R1B’s Hello packet containing R1B’s Router ID, R1A begins sending Hello
packets that list Router ID 10.1.209.1 as a neighbor. At this point, the routers move
to the “two-way state,” which is the next step in their path toward adjacency.
Because R1A and R1B are the only two routers on network 10.1.64.0/24, they will
become adjacent. However, not all routers that share a network will become
adjacent. In a network that contains many routers, it would be resource-intensive to
establish a full mesh of adjacencies among all of the routers. Consequently, the
OSPF specification includes a solution for ensuring that routers won’t form so
many adjacencies that routing efficiency is compromised. (This solution will be
discussed in more detail later in this module.)

Designated Router election

• Specific adjacency formation procedures vary by network type
• When an Ethernet network supports only two routers, one is elected Designated Router (DR) and the other becomes Backup DR
• Additional routers form adjacencies with DR and Backup DR but not with each other
• DR is responsible for generating Network LSA

Figure: R1A (Router ID 10.1.208.1, address .1) and R1B (Router ID 10.1.209.1, address .2) on 10.1.64.0/24; R1A also connects 10.1.10.0/24 and R1B connects 10.1.30.0/24.

R1A’s Hello packet:
  IP header: Src 10.1.64.1, Dst 224.0.0.5
  OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
  Hello packet: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Designated Router 10.1.64.2, Backup DR 10.1.64.1, Neighbor 10.1.209.1

R1B’s Hello packet:
  IP header: Src 10.1.64.2, Dst 224.0.0.5
  OSPF header: Source router 10.1.209.1, Area ID 0.0.0.0
  Hello packet: Network mask 255.255.255.0, Hello interval 10 sec, Dead interval 40 sec, Designated Router 10.1.64.2, Backup DR 10.1.64.1, Neighbor 10.1.208.1

Because an Ethernet network can support many routers within the same broadcast
domain, one OSPF router on each Ethernet network becomes the Designated
Router (DR) and another becomes the Backup DR (BDR). Subsequent neighbors
on the network become adjacent to the DR and BDR, but not to each other.
The DR has additional responsibilities, including generation of another LSA type,
the Network LSA, which it originates after the DR and BDR have established full
adjacency.
Typically, the first two routers on a multi-access network become the DR and the
Backup DR. Administrators can influence DR selection by configuring a higher
priority on an OSPF router’s interface to a multi-access network. However, if the
first routers to connect to the network have equal priority, the one with the higher
Router ID will become the DR. Once established in its role, the DR does not
relinquish DR responsibility even if another router with a higher priority later
becomes adjacent to it.
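The selection rule in the two paragraphs above, as an added example (not code from the ProCurve student guide or from any router vendor): the highest interface priority wins, a numerically higher Router ID breaks ties, and a router already acting as DR keeps the role when a better-qualified router joins later. The Candidate class and the function names are this example's own; R1A and R1B are taken from the diagram, while the priority-100 router used in the usage note is a constructed addition. Two details come from the OSPF specification rather than from this page: a router with priority 0 is never elected, and when the DR disappears the Backup DR is promoted and a new BDR is chosen.

```python
"""Designated Router and Backup DR selection on a multi-access network.

Added example for this page, not code from the ProCurve student guide. It
encodes the page's rules (priority, then higher Router ID; an established DR is
not displaced) plus two rules from the OSPF specification that the page does
not state: priority 0 means ineligible, and the BDR is promoted when the DR
disappears. Names are this example's own choices.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    router_id: str
    if_address: str     # address on the shared network (what the Hello's DR field carries)
    priority: int = 1


def rank(c):
    """Election order: higher priority first, then numerically higher Router ID."""
    return (c.priority, int(ipaddress.ip_address(c.router_id)))


def elect(candidates, current_dr=None, current_bdr=None):
    """Return (DR address, BDR address). current_dr and current_bdr are the
    addresses the routers on the network have been advertising in their Hellos."""
    eligible = [c for c in candidates if c.priority > 0]
    if not eligible:
        return None, None
    by_addr = {c.if_address: c for c in eligible}
    if current_dr in by_addr:
        dr = by_addr[current_dr]            # an established DR is not displaced
    elif current_bdr in by_addr:
        dr = by_addr[current_bdr]           # DR gone: promote the Backup DR
    else:
        dr = max(eligible, key=rank)        # fresh election
    rest = [c for c in eligible if c is not dr]
    if not rest:
        return dr.if_address, None
    if current_bdr in by_addr and by_addr[current_bdr] is not dr:
        bdr = by_addr[current_bdr]          # an established BDR keeps its role too
    else:
        bdr = max(rest, key=rank)
    return dr.if_address, bdr.if_address


# Constructed from the diagram: equal priority, so the higher Router ID (R1B) wins
R1A = Candidate("10.1.208.1", "10.1.64.1")
R1B = Candidate("10.1.209.1", "10.1.64.2")
```

`elect([R1A, R1B])` returns `("10.1.64.2", "10.1.64.1")`, matching the DR and Backup DR fields in the Hello packets above. If a third router with priority 100 joins afterwards, `elect([R1A, R1B, third], "10.1.64.2", "10.1.64.1")` still returns R1B as DR, because the current DR is carried in the Hellos and is not displaced; only when R1B leaves does the BDR move up and the newcomer take the BDR role.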

Exchanging Database descriptions

Figure: R1A (Router ID 10.1.208.1, address .1) and R1B (Router ID 10.1.209.1, address .2) on 10.1.64.0/24; R1A also connects 10.1.10.0/24 and R1B connects 10.1.30.0/24. Each router sends all LSA headers from its LSDB.

R1A’s Database Description packet:
  IP header: Src 10.1.64.1, Dst 10.1.64.2
  OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
  DB Desc packet, LSA header 1: Type Router LSA; Link state ID 10.1.208.1; Adv. Router 10.1.208.1; Sequence 80000002

R1B’s Database Description packet:
  IP header: Src 10.1.64.2, Dst 10.1.64.1
  OSPF header: Source router 10.1.209.1, Area ID 0.0.0.0
  DB Desc packet, LSA header 1: Type Router LSA; Link state ID 10.1.209.1; Adv. Router 10.1.209.1; Sequence 80000002

R1A’s LSDB:
  1 Type: Router LSA; Link state ID 10.1.208.1; Adv. Router 10.1.208.1; Sequence 80000002; No. of links 3
    Stub 10.1.10.0/24 cost 100
    Stub 10.1.64.0/24 cost 10
    Stub 10.1.208.0/24 cost 1

R1B’s LSDB:
  1 Type: Router LSA; Link state ID 10.1.209.1; Adv. Router 10.1.209.1; Sequence 80000002; No. of links 3
    Stub 10.1.30.0/24 cost 100
    Stub 10.1.64.0/24 cost 10
    Stub 10.1.209.0/24 cost 1

The next stage in the process of forming an adjacency is the exchange of link state
database entries. In the example, each router’s link state database (LSDB) contains
one entry—the Router LSA it created to advertise its own networks.
In the first phase of database synchronization, both routers send OSPF Database
Description packets. The first Database Description packet from each router
indicates its intention to send the headers of the LSAs in its own LSDB and
indicates the maximum packet size it will use. Each router sends a second
Database description packet that contains headers from LSAs in its own link state
database. Each router compares the offered LSA headers with those in its own
database.
In the example, the process is fairly quick because each router’s LSDB contains
only its own Router LSA. However, in a larger intranet, each router may have
hundreds of LSAs in its database, and the list of LSA headers might require
several packets.
If you are using monitoring or logging facilities to observe router states as they
proceed through adjacency formation, this state appears as “ExStart.”


The four items that uniquely identify an LSA are
1. Type
   The LSA types include the Router LSA, the Network LSA, and four other
   types that will be described later in this module.
2. Link State ID
   The type of information in this field is unique to each type of LSA. In a
   Router LSA, the Link State ID is the Router ID.
3. Advertising Router
   The router that originated the LSA. In the example, the originating (or
   advertising) router and the sending router (as shown in the IP datagram header)
   are the same router, but this is not always the case.
4. Sequence number
   The first LSA that a router generates has a sequence number of 80000000
   (hexadecimal), as shown in the earlier diagram. When a router experiences a
   link state change, it generates a new Router LSA that replaces the obsolete one.
   The second instance of the same type of LSA sent by the same router is identical
   in the first three items, but the fourth item—the sequence number—is
   incremented by a locally significant value.
A router uses the sequence number in the LSA header to differentiate instances of
the same router’s LSA. Depending upon the routers’ past relationship, this could
be important to this phase of adjacency. For example, if R1A and R1B were
previously adjacent and their link went down, each would keep the other’s LSA
for an entire hour. Every LSA has a lifetime of 3600 seconds and an age of 0
seconds when it is originated. By the time an LSA is included in another router’s
LSDB, it might be a few seconds old, but it continues to age the entire time it is in
the database. If a replacement LSA has not arrived before its lifetime expires, the
LSA is aged out of the database.
An OSPF router generates a current Router LSA every 30 minutes to refresh the
databases of every router in the area. However, the router does not send every LSA
in its database, just the ones it is responsible for generating. By comparison, RIP
routers advertise their entire route tables every 30 seconds.

Link State Request packet

Figure: R1A (Router ID 10.1.208.1, address .1) and R1B (Router ID 10.1.209.1, address .2) on 10.1.64.0/24; R1A also connects 10.1.10.0/24 and R1B connects 10.1.30.0/24. Each router requests the LSAs not in its own LSDB.

R1A’s Link State Request packet:
  IP header: Src 10.1.64.1, Dst 10.1.64.2
  OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
  Link State Request: Type Router LSA; Link state ID 10.1.209.1; Adv. Router 10.1.209.1; Sequence 80000002

R1B’s Link State Request packet:
  IP header: Src 10.1.64.2, Dst 10.1.64.1
  OSPF header: Source router 10.1.209.1, Area ID 0.0.0.0
  Link State Request: Type Router LSA; Link state ID 10.1.208.1; Adv. Router 10.1.208.1; Sequence 80000002

R1A’s LSDB:
  1 Type: Router LSA; Link state ID 10.1.208.1; Adv. Router 10.1.208.1; Sequence 80000002; No. of links 3
    Stub 10.1.10.0/24 cost 100
    Stub 10.1.64.0/24 cost 10
    Stub 10.1.208.0/24 cost 1

R1B’s LSDB:
  1 Type: Router LSA; Link state ID 10.1.209.1; Adv. Router 10.1.209.1; Sequence 80000002; No. of links 3
    Stub 10.1.30.0/24 cost 100
    Stub 10.1.64.0/24 cost 10
    Stub 10.1.209.0/24 cost 1

Now that each router has received the headers of the LSAs contained in the other
router’s LSDB, it can compare the contents of its own LSDB with the proposed
headers from the other router. Each router uses a Link State Request packet to
return the LSA headers for which the router needs the full advertisement.
In this simple example, each router requests the LSA that was advertised by the
other by returning the header in a Link State Request. Basically, this is because
there is only one path between the routers but, of course, this is not always the
case. In a situation where there are redundant links, each router may already have
some subset of the LSAs proposed in the Database Description due to its
adjacencies on other interfaces.
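The database bookkeeping behind the last two pages, as an added example (not code from the ProCurve student guide): an LSA instance is identified by its type, Link State ID and advertising router, the sequence number decides which instance is newest, a router answers a Database Description by requesting only the headers it lacks or holds an older copy of, installed LSAs age out after 3600 seconds, and a copy that arrives later through flooding is recognized as a duplicate. The LSAHeader and LinkStateDatabase classes and their method names are this example's own; one detail comes from the OSPF specification rather than this page: sequence numbers are ordered as signed 32-bit values, so 80000000 hex is the lowest possible value.

```python
"""Link state database bookkeeping during adjacency formation and flooding.

Added example for this page, not code from the ProCurve student guide. LSA
bodies are omitted; only the headers that identify an instance are tracked.
Sequence numbers are compared as signed 32-bit values, which is how the OSPF
specification orders them (not stated on this page). Names are this example's own.
"""
from dataclasses import dataclass

MAX_AGE = 3600            # LSA lifetime in seconds (page: 3600 s, then aged out)
INITIAL_SEQ = 0x80000000  # sequence number of a router's first instance


def signed32(x):
    """Interpret a 32-bit sequence number as signed; 0x80000000 is the lowest."""
    return x - (1 << 32) if x & 0x80000000 else x


@dataclass(frozen=True)
class LSAHeader:
    ls_type: str        # "Router", "Network", ...
    link_state_id: str
    adv_router: str
    sequence: int
    age: int = 0        # seconds since origination

    @property
    def key(self):
        """The three fields that identify an LSA across all of its instances."""
        return (self.ls_type, self.link_state_id, self.adv_router)


class LinkStateDatabase:
    def __init__(self):
        self.entries = {}   # key -> LSAHeader of the instance currently held

    def is_newer(self, hdr):
        """True if hdr is a newer instance than the one held, or none is held."""
        cur = self.entries.get(hdr.key)
        return cur is None or signed32(hdr.sequence) > signed32(cur.sequence)

    def install(self, hdr):
        self.entries[hdr.key] = hdr

    def originate(self, ls_type, link_state_id, adv_router):
        """Create the next instance of one of this router's own LSAs."""
        cur = self.entries.get((ls_type, link_state_id, adv_router))
        seq = INITIAL_SEQ if cur is None else cur.sequence + 1
        hdr = LSAHeader(ls_type, link_state_id, adv_router, seq)
        self.install(hdr)
        return hdr

    def request_list(self, offered):
        """Headers from a neighbor's Database Description to ask for in full."""
        return [h for h in offered if self.is_newer(h)]

    def receive_flooded(self, hdr):
        """Classify an LSA arriving in a Link State Update."""
        if self.is_newer(hdr):
            self.install(hdr)
            return "installed"      # new instance: the SPF tree must be recomputed
        return "duplicate"          # another copy of an instance already held

    def age(self, seconds):
        """Advance all ages; return the keys flushed on reaching MAX_AGE."""
        expired = []
        for key, h in list(self.entries.items()):
            new_age = h.age + seconds
            if new_age >= MAX_AGE:
                expired.append(key)
                del self.entries[key]
            else:
                self.entries[key] = LSAHeader(h.ls_type, h.link_state_id,
                                              h.adv_router, h.sequence, new_age)
        return expired
```

Replaying the page's exchange: R1A originates its own Router LSA, R1B's Database Description offers the header (Router, 10.1.209.1, 10.1.209.1, 80000002), and `request_list` returns exactly that header because R1A holds nothing under that key. After the Link State Update installs it, a second copy arriving through flooding is reported as a duplicate, while an instance with sequence 80000004 replaces it. Two calls to `age(1800)` carry every entry past the 3600-second lifetime, which is why the originator refreshes its own LSAs every 30 minutes.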

Link State Update packet

Figure: R1A (Router ID 10.1.208.1, address .1) and R1B (Router ID 10.1.209.1, address .2) on 10.1.64.0/24; R1A also connects 10.1.10.0/24 and R1B connects 10.1.30.0/24. Each router provides the requested LSAs.

R1A’s Link State Update packet:
  OSPF header: Source router 10.1.208.1, Area ID 0.0.0.0
  Link State Update: Type Router LSA; Link state ID 10.1.208.1; Adv. Router 10.1.208.1; Sequence 80000002; No. of links 3
    Stub 10.1.10.0/24 cost 100
    Stub 10.1.64.0/24 cost 10
    Stub 10.1.208.0/24 cost 1

R1B’s Link State Update packet:
  OSPF header: Source router 10.1.209.1, Area ID 0.0.0.0
  Link State Update: Type Router LSA; Link state ID 10.1.209.1; Adv. Router 10.1.209.1; Sequence 80000002; No. of links 3
    Stub 10.1.30.0/24 cost 100
    Stub 10.1.64.0/24 cost 10
    Stub 10.1.209.0/24 cost 1

R1A’s LSDB:
  1 Type: Router LSA; Link state ID 10.1.208.1; Adv. Router 10.1.208.1; Sequence 80000002; No. of links 3
    Stub 10.1.10.0/24 cost 100
    Stub 10.1.64.0/24 cost 10
    Stub 10.1.208.0/24 cost 1

R1B’s LSDB:
  1 Type: Router LSA; Link state ID 10.1.209.1; Adv. Router 10.1.209.1; Sequence 80000002; No. of links 3
    Stub 10.1.30.0/24 cost 100
    Stub 10.1.64.0/24 cost 10
    Stub 10.1.209.0/24 cost 1

While the OSPF Database Description and Link State Request packet types are
used only in the early stages of adjacency formation, the Link State Update packet
is the primary mechanism for sending Link State Advertisements, both during
adjacency formation and whenever link state changes occur.
As used in this stage of adjacency formation, Link State Update packets are sent to
the neighbor’s unicast address. However, a router sends a Link State Update packet
to a reserved multicast address when the packet contains LSAs that result from
link state changes.
A Link State Update packet can contain as many LSAs as the router can fit into the
maximum packet size for the network, which is usually 1500 bytes.
When link state changes occur, LSAs are flooded over all adjacencies throughout
an entire area. Consequently, a router often will receive multiple copies of the
same LSA. A router uses the sequence number to determine whether an incoming
LSA is another copy of an advertisement already installed in the database or
whether it is a new instance of an LSA that will cause it to change its shortest-
path-first tree and next hop values.

Updating the Link State Database

Figure: R1A (Router ID 10.1.208.1, address .1) and R1B (Router ID 10.1.209.1, address .2) on 10.1.64.0/24; R1A also connects 10.1.10.0/24 and R1B connects 10.1.30.0/24. The adjacency causes a state change for network 10.1.64.0/24.

R1A’s LSDB:
  1 Type: Router LSA; Link State ID 10.1.208.1; Adv. Router 10.1.208.1; Sequence 80000004; No. of links 3
    Stub 10.1.10.0/24 cost 100
    Transit 10.1.64.0/24 cost 10
    Stub 10.1.208.0/24 cost 1
  2 Type: Router LSA; Link State ID 10.1.209.1; Adv. Router 10.1.209.1; Sequence 80000002; No. of links 3
    Stub 10.1.30.0/24 cost 100
    Stub 10.1.64.0/24 cost 10
    Stub 10.1.209.0/24 cost 1

R1B’s LSDB:
  1 Type: Router LSA; Link State ID 10.1.209.1; Adv. Router 10.1.209.1; Sequence 80000004; No. of links 3
    Stub 10.1.30.0/24 cost 100
    Transit 10.1.64.0/24 cost 10
    Stub 10.1.209.0/24 cost 1
  2 Type: Router LSA; Link State ID 10.1.208.1; Adv. Router 10.1.208.1; Sequence 80000002; No. of links 3
    Stub 10.1.10.0/24 cost 100
    Stub 10.1.64.0/24 cost 10
    Stub 10.1.208.0/24 cost 1

The establishment of full adjacency between these routers causes a state change on
the network they share—10.1.64.0/24. Because each router now has a neighbor on
the network, it is no longer a stub network, but a transit network. In response to
this state change, each router generates a new instance of its Router LSA, places it
in its LSDB, and floods it to adjacent neighbors.
This state change causes R1B, the Designated Router, to generate another type of
LSA that is described on the next few pages.

Originating new LSAs

Figure: R1A (Router ID 10.1.208.1, address .1) and R1B (Router ID 10.1.209.1, address .2) on 10.1.64.0/24; R1A also connects 10.1.10.0/24 and R1B connects 10.1.30.0/24.

R1A’s LSDB:
  1 Type: Router LSA; Link State ID 10.1.208.1; Adv. Router 10.1.208.1; Sequence 80000004; No. of links 3
    Stub 10.1.10.0/24 cost 100
    Transit 10.1.64.0/24 cost 10
    Stub 10.1.208.0/24 cost 1
  2 Type: Router LSA; Link State ID 10.1.209.1; Adv. Router 10.1.209.1; No. of links 3
    Stub 10.1.30.0/24 cost 100
    Stub 10.1.64.0/24 cost 10
    Stub 10.1.209.0/24 cost 1

R1B’s LSDB:
  1 Type: Router LSA; Link State ID 10.1.209.1; Adv. Router 10.1.209.1; Sequence 80000004; No. of links 3
    Stub 10.1.30.0/24 cost 100
    Transit 10.1.64.0/24 cost 10
    Stub 10.1.209.0/24 cost 1
  2 Type: Router LSA; Link State ID 10.1.208.1; Adv. Router 10.1.208.1; Sequence 80000002; No. of links 3
    …
  3 Type: Network LSA; Link State ID 10.1.64.2; Adv Router 10.1.209.1; Sequence 80000002; Netmask 255.255.255.0
    Attached Router: 10.1.208.1
    Attached Router: 10.1.209.1

Because R1B is the DR of the network 10.1.64.0/24, it originates a Network LSA
that describes the network. Network LSAs contain the following information:
• The LSA type, which is a Network LSA
• Link State ID = the DR’s IP address on the network
• Advertising Router is the DR’s Router ID
• Sequence number indicates this is the first instance of the LSA
These four pieces of information uniquely identify this instance of the Network
LSA for the network 10.1.64.0/24.

Flooding LSAs in Link State Update packet

LSAs generated due to link state change are
• Encapsulated in a Link State Update packet
• Sent to All OSPF Routers multicast address
Router can send multiple LSAs in the same Link State Update packet.
The neighbor returns a Link State Acknowledgment to 224.0.0.5 containing the LSA headers it received.

Figure: R1B (Router ID 10.1.209.1, address .2 on 10.1.64.0/24, also connected to 10.1.30.0/24) floods its new LSAs.

R1B’s Link State Update packet:
  IP header: Src 10.1.64.2, Dst 224.0.0.5
  OSPF header: Source router 10.1.209.1, Area ID 0.0.0.0
  Link State Update:
    Type: Router LSA; Link state ID 10.1.209.1; Adv. Router 10.1.209.1; Sequence 80000004
    Type: Network LSA; Link State ID 10.1.64.2; Sequence 80000002; Netmask 255.255.255.0; Attached router 10.1.208.0; Attached router 10.1.209.0

R1B’s LSDB:
  1 Type: Router LSA; Link State ID 10.1.209.1; Adv. Router 10.1.209.1; Sequence 80000004
  2 Type: Router LSA; Link State ID 10.1.208.1; Adv. Router 10.1.208.1; Sequence 80000002
  3 Type: Network LSA; Link State ID 10.1.64.2; Adv Router 10.1.209.1; Sequence 80000002

Link State Update packets generated as the result of a link state change such as the
one shown are sent to the “All OSPF Routers” multicast address 224.0.0.5. The
Link State Update packet is immediately flooded to all routers in the area. This
example has only two routers, but in an OSPF domain with many routers, all
would receive the new instances of the LSAs.
After receiving R1B’s Link State Update, R1A acknowledges receipt by
sending a Link State Acknowledgement. Proper OSPF operation depends on
synchronization of the LSAs stored in each router’s link state database. Like the
update packet, an acknowledgement is sent to 224.0.0.5, the OSPF router multicast
address. If neighbors do not send an acknowledgment within a configurable
period, R1B will send the Link State Update again.

IP Routing Foundations

R1A’s LSA
R1A must also originate a new LSA because it also experienced a state change
when the network type associated with 10.1.64.0/24 transitioned from a stub
network to a transit network. This new LSA is shown in the previous diagram with
the sequence number of 80000004. R1B is obligated to send a Link State
Acknowledgement in response to the Link State Update packet that contained the
new instance of R1A’s Router LSA.
The Link State Update and Link State Acknowledgements that result from link
state changes are always sent to a multicast address. Note that this differs from
the unicast addresses used in messages sent and received during the database
synchronization phase of adjacency formation.
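The exchange described on these two pages (R1B’s Link State Update to 224.0.0.5, R1A’s acknowledgment carrying the LSA headers, and the retransmission that follows a missing acknowledgment), as an added example written in Python; it is not code from the course or from any router vendor. The LSA contents come from the slide; the message dictionaries and the retransmit interval are assumptions.

```python
# Added example: Link State Update flooding, acknowledgment by LSA header, and
# the per-neighbor retransmission list. Not course or vendor code.
ALL_SPF_ROUTERS = "224.0.0.5"  # All OSPF Routers multicast group
RXMT_INTERVAL = 5              # seconds before an unacknowledged LSA is resent (assumed)

# Constructed from the slide: the two LSAs R1B floods after 10.1.64.0/24 became a
# transit network. Sequence numbers are the hex values printed on the slide.
R1B_ROUTER_LSA = {"type": 1, "lsid": "10.1.209.1", "adv": "10.1.209.1", "seq": 0x80000004,
                  "links": [("stub", "10.1.30.0/24", 100), ("transit", "10.1.64.0/24", 10),
                            ("stub", "10.1.209.0/24", 1)]}
NETWORK_LSA = {"type": 2, "lsid": "10.1.64.2", "adv": "10.1.209.1", "seq": 0x80000002,
               "netmask": "255.255.255.0", "attached": ["10.1.208.1", "10.1.209.1"]}


def header(lsa):
    """The four fields that identify one instance of an LSA: type, Link State ID,
    Advertising Router and sequence number. An acknowledgment carries only these."""
    return (lsa["type"], lsa["lsid"], lsa["adv"], lsa["seq"])


class Router:
    def __init__(self, router_id, neighbors):
        self.router_id = router_id
        self.lsdb = {}                              # (type, lsid, adv) -> LSA
        self.rxmt = {n: {} for n in neighbors}      # neighbor -> {header: (LSA, due)}

    def flood(self, lsas, now):
        """Install self-originated LSAs, send them in one Link State Update to
        224.0.0.5 and start the retransmission clock for every adjacent neighbor."""
        for lsa in lsas:
            self.lsdb[header(lsa)[:3]] = lsa
            for pending in self.rxmt.values():
                pending[header(lsa)] = (lsa, now + RXMT_INTERVAL)
        return {"type": "LSU", "src": self.router_id, "dst": ALL_SPF_ROUTERS,
                "lsas": list(lsas)}

    def receive_update(self, update):
        """Keep each LSA that is new or has a higher sequence number than the stored
        instance, then acknowledge every header in the update to 224.0.0.5."""
        installed = []
        for lsa in update["lsas"]:
            key = header(lsa)[:3]
            stored = self.lsdb.get(key)
            if stored is None or lsa["seq"] > stored["seq"]:
                self.lsdb[key] = lsa
                installed.append(header(lsa))
        ack = {"type": "LSAck", "src": self.router_id, "dst": ALL_SPF_ROUTERS,
               "headers": [header(lsa) for lsa in update["lsas"]]}
        return installed, ack

    def receive_ack(self, ack):
        """Drop acknowledged LSAs from that neighbor's retransmission list."""
        pending = self.rxmt.get(ack["src"], {})
        for hdr in ack["headers"]:
            pending.pop(hdr, None)

    def retransmissions_due(self, now):
        """Updates to resend, one per neighbor whose acknowledgment is overdue.
        RFC 2328 sends these directly to the neighbor, not to the multicast group."""
        updates = []
        for neighbor, pending in self.rxmt.items():
            overdue = [lsa for lsa, due in pending.values() if now >= due]
            if overdue:
                for lsa in overdue:
                    pending[header(lsa)] = (lsa, now + RXMT_INTERVAL)
                updates.append({"type": "LSU", "src": self.router_id, "dst": neighbor,
                                "lsas": overdue})
        return updates


def run_exchange(ack_delivered=True):
    """Replay the slide's exchange between R1B and R1A and report what each side holds."""
    r1b = Router("10.1.209.1", ["10.1.208.1"])
    r1a = Router("10.1.208.1", ["10.1.209.1"])
    # R1A still holds the older instance of R1B's Router LSA (10.1.64.0/24 as a stub).
    old = dict(R1B_ROUTER_LSA, seq=0x80000003)
    r1a.lsdb[header(old)[:3]] = old
    update = r1b.flood([R1B_ROUTER_LSA, NETWORK_LSA], now=0)
    installed, ack = r1a.receive_update(update)
    if ack_delivered:
        r1b.receive_ack(ack)
    return {"update": update, "ack": ack, "installed": installed,
            "r1a_seq": r1a.lsdb[(1, "10.1.209.1", "10.1.209.1")]["seq"],
            "resend": r1b.retransmissions_due(now=RXMT_INTERVAL)}
```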


SPF tree and IP route table

Each OSPF router:
• Uses LSAs in its link state database as input to an algorithm that finds the shortest path to each destination
• Puts itself at the root of its ‘shortest path first’ tree
  – All LSAs are identical within an area; the perspective is different for each router
• Derives next hop for IP route table from SPF tree
Equal cost multi-path:
• On finding equal cost paths to a given destination, many routers install an IP route table entry for each path
• If multiple route table entries specify different next hops to the same destination network, traffic may be shared among them

Each router’s advertisements describe its own directly connected networks. When
a router originates a Router LSA, it sends it to its immediate neighbors, who in
turn flood the LSA to all of their neighbors without changing it in any way. In this
manner, every Router LSA reaches every router in the area. Consequently, each
router in the area has an identical collection of router LSAs.
Any router that experiences a change in the state of one of its links must
immediately inform all of the routers in the area by sending a newer instance of its
Router LSA. The advertisement reaches all of the routers in the area very quickly.
Routers flood the advertisement over the networks that make up the area.
Receipt of a new advertisement may cause every router in the area to
simultaneously build a new shortest path first (SPF) tree based on the most current
information. Depending on the router’s proximity to the link whose state has
changed, the router might place new next hop gateway values in its route table.
Link state changes that involve a “transit” type network will cause all routers in
the area to follow this procedure:
1. Receive new LSA(s). In the case of a state change in a transit network, the
router is likely to receive at least two new Router LSAs—one for each router
connected to the changed network.
2. Remove all OSPF routes from the route table. A link state routing protocol
considers lack of routing information to be superior to invalid or obsolete
routing information.


3. Run an algorithm to produce the shortest-path-first (SPF) tree based on the
latest information. The OSPF RFC describes the operation of the Dijkstra
algorithm; however, it also makes allowances for vendors to use any
equivalent algorithms to produce the shortest-path-first tree.
4. Install new next hop values for each remote address range.
If a router loses a path to a stub network, the routers flood the new instance of the
router’s LSA, but the routers in the area do not need to remove OSPF routes from
the route table, run the algorithm, or install new next hop values. From the
perspective of the SPF tree, a stub network is like a leaf on the tree. Because the
stub network never carries traffic from or to another address range, such link state
changes allow the router to add or drop a “leaf” instead of entirely recreating the
tree.


Summary of OSPF packet types

ID  Name                        Purpose
1   Hello                       Initiates adjacency, continues through all states of
                                adjacency formation, and maintains adjacency
2   Database Description        Offers headers of all known LSAs to neighbor; used in
                                ExStart state of adjacency establishment
3   Link State Request          Returns headers of LSAs needed to accomplish
                                synchronization; used in ExStart state
4   Link State Update           During database synchronization, encapsulates requested
                                LSAs; also used to flood LSAs over established adjacencies
5   Link State Acknowledgment   Returns headers of flooded LSAs received in a Link State
                                Update; not used in adjacency formation, only for LSAs
                                flooded over full adjacency

OSPF uses five packet types, as shown above. Their ID numbers, which are
significant when examining packet traces, follow the order in which they occur in
the adjacency formation process. The various types of packets are sent to different
destination addresses, with some addressed to multicast groups and some to
individual routers.
• Hello packets are always sent to 224.0.0.5, which is the All OSPF Routers
multicast group.
• Database Description packets and Link State Request packets are sent
only during the ExStart state of adjacency establishment. Because adjacency
is a one-to-one relationship, these packets are addressed to a single router.
• Link State Update packets have three possible destination addresses.
During adjacency formation, link state updates are sent to the neighboring
interface unicast address to accomplish database synchronization with a
single neighbor. After adjacency is formed, link state updates contain LSAs
that must be flooded to all routers to enable them to immediately obtain the
most current information. Link State Update packets containing LSAs that
resulted from a link state change are sent to one of the reserved OSPF router
multicast addresses—224.0.0.5 or 224.0.0.6. The choice of address depends
on whether the sending router is a DR or a non-DR. (The process for flooding
of LSAs, including the use of these multicast addresses, will be described
later in this module.)


• Link State Acknowledgment packets, like Link State Update packets, are
sent to 224.0.0.5 if the sender of the acknowledgment is a DR and to
224.0.0.6 if the sender is a non-DR. The completion of the adjacency process
inevitably causes link state changes that trigger flooding of new LSAs to the
multicast address. When a router receives a Link State Update that was sent
to a multicast address, it sends the Link State Acknowledgment to the same
multicast address.


Summary of OSPF LSA types confined to a single area

Type  Name         Advertises          Advertising Router                  Link State ID
1     Router LSA   Connected networks  Router ID (one LSA for each         Originating router ID
                                       router in the area)
2     Network LSA  Connected routers   DR of multi-access transit network  DR’s IP address on the network

• Each LSA is uniquely identified by four items:
  1. LSA type, of which there are six different types
  2. Advertising Router, which is always a Router ID
  3. Link State ID, value depends on LSA type
  4. Sequence number, which increments each time the originator generates a new instance of the LSA
• Routers receiving flooded LSAs or LSA headers in Database Descriptions compare advertised values with those in their LSDB to determine whether to copy the LSA into the LSDB or ignore it

The two types of LSAs—Router LSAs and Network LSAs—perform different
functions in deriving next hop values from the SPF tree. However, they share one
characteristic: they are confined to a single area. The processes and flow for LSAs
will be described in more detail later in this module.


Distribution of link state changes

Module 2 topics:
• Basic OSPF interactions (completed)
• Distribution of link state changes
  – Impact of link state changes
  – LSA flow
  – Area Border Routers (ABR)
  – Network summarization
• External route information

The rest of Module 2 will describe the process that OSPF routers use to respond to
link state changes. The discussion will include a detailed analysis of LSA flow, as
well as the different responsibilities of OSPF router types.


Impact of link state changes

After two routers have formed an adjacency, they are obligated to flood to each other:
• All self-originated LSAs
• All LSAs that arrive in Link State Update packets received from other neighbors
If either router forms new adjacencies, it:
• Includes headers of all known LSAs in Database Description packets during adjacency formation
• Immediately floods to all current neighbors the LSAs it receives during adjacency formation

In an OSPF network, link state changes prompt a complex, but predictable, series
of exchanges between each pair of adjacent routers. After forming an adjacency, a
router must flood to its neighbors all LSAs it creates based on local link state
changes as well as those it receives from neighbors. A Link State Update packet
can contain many LSAs from different sources. The maximum number of LSAs is
limited only by the maximum packet size supported by a router’s connected
networks.
During adjacency formation, the router includes the headers of all known LSAs in
Database Description packets. Similarly, the router must immediately flood to its
other neighbors the new LSAs it receives during adjacency formation.


Connecting to existing multi-access network

[Diagram: two separate OSPF domains. Domain 1: R1A (Router ID 10.1.208.1, BDR, 10.1.64.1, stub network 10.1.10.0/24) and R1B (Router ID 10.1.209.1, DR, 10.1.64.2, stub network 10.1.30.0/24) on 10.1.64.0/24; adjacency R1A ↔ R1B; LSDB: Router LSA LSID 10.1.208.1, Router LSA LSID 10.1.209.1, Network LSA LSID 10.1.64.2. Domain 2: C1 (Router ID 10.0.208.1, BDR, 10.0.100.1) and R2A (Router ID 10.2.208.1, DR, 10.0.100.12) on 10.0.100.0/24; R2A (BDR, 10.2.64.1, stub network 10.2.10.0/24) and R2B (Router ID 10.2.209.1, DR, 10.2.64.2, stub network 10.2.30.0/24) on 10.2.64.0/24; adjacencies C1 ↔ R2A and R2A ↔ R2B; LSDB as printed on the slide: Router LSA LSID 10.0.208.1, Router LSA LSID 10.2.209.1, Router LSA LSID 10.2.209.1, Network LSA LSID 10.0.100.12, Network LSA LSID 10.2.64.2. Legend: RX ↔ RY = adjacency.]

This example shows two separate OSPF domains. Each router has full adjacency
with its neighbor(s), and all databases are synchronized. Although all routers
identify their connected networks as members of area 0, the clusters of routers are
physically separated.


Recognizing a new router on a multi-access network

[Diagram: the same two domains as the previous slide. R1A now has an interface 10.0.100.11 on 10.0.100.0/24, where C1 (10.0.100.1) is BDR and R2A (10.0.100.12) is DR. Callout: all three routers multicast Hello messages; R1A learns the identity of the DR and BDR.]

When R1A’s OSPF interface on network 10.0.100.0/24 comes up, it begins
receiving Hello messages that the DR and Backup DR are sending onto the multi-
access network.
The Hello messages contain Router 10.2.208.1 as DR and Router 10.0.208.1 as
Backup DR, immediately notifying R1A that it must establish adjacencies with
both routers.
R1A’s Hello messages list DR and Backup DR router IDs. When these routers
recognize their own Router IDs in the Hello packets, they add R1A’s address to
the Hello packets as a neighbor.
When all three routers have seen their own Router ID in a Hello packet, they move
to the two-way state, where they will begin the database exchange that leads to
adjacency.


Database synchronization

[Diagram: same topology as the previous slide. Callout: R1A proceeds toward adjacency with the DR and BDR; they exchange DB Description, LS Request, and LS Update packets.]

R1A must become adjacent to both the DR and the Backup DR. Accordingly, R1A
exchanges Database Description packets with both routers, offering the three LSAs
in its database. R2A (the DR) and C1 (the Backup DR) send Link State Requests
for all of the LSAs and each receives them in Link State Updates.
R2A and C1 also send Database Description packets to R1A, each offering the
same set of LSAs from their synchronized database. R1A requests all of the LSA
headers offered by one of the routers on the transit network, and receives the five
LSA headers in a Link State Update packet.


Adjacencies established, database synchronized

[Diagram: same topology, with the new adjacencies R1A ↔ R2A and R1A ↔ C1 added to R1A ↔ R1B, C1 ↔ R2A and R2A ↔ R2B. Callout: the three routers on network 10.0.100.0/24 have exactly the same LSAs in their link state databases. LSDB as printed on the slide: Router LSA LSID 10.0.208.1; Router LSA LSID 10.1.208.1; Router LSA LSID 10.1.209.1; Router LSA LSID 10.2.209.1; Router LSA LSID 10.2.209.1; Network LSA LSID 10.0.100.12; Network LSA LSID 10.1.64.2; Network LSA LSID 10.2.64.2.]

Each router sends Link State Update packets that contain the LSAs whose headers
were included in the Link State Requests. At the end of this process, two
additional adjacencies have been established. The three routers connected to
network 10.0.100.0/24 have identical entries in their link state databases.
Having established adjacencies with R1A, both R2A and C1 must flood the new
LSAs they received from R1A because they are DR and Backup DR for Network
10.0.100.0/24, a multi-access transit network.


Flood new LSAs

[Diagram: same topology and LSDB as the previous slide. Callouts: R1A floods the new LSAs toward R1B on 10.1.64.0/24; C1 and R2A both flood the new LSAs on 10.0.100.0/24; R2A floods the new LSAs toward R2B on 10.2.64.0/24.]

As soon as R1A receives the LSAs from one of its neighbors on network
10.0.100.0/24, it floods the new LSAs over network 10.1.64.0/24. R1A
encapsulates the new LSAs in a Link State Update packet and encapsulates the
OSPF packet in an IP datagram whose destination address is the All OSPF Routers
multicast group 224.0.0.5.
The same is true for R2A and C1, both of whom have just become adjacent to
R1A. Because these routers are the DR and Backup DR of the network
10.0.100.0/24, they are responsible for flooding the LSAs to that network, even
though the new information came from that network.
This is quite different from RIP Split Horizon operation, which prevents routers
from sending advertisements to the network from which they originated. The
reason for the different OSPF operation will be described later in this module.


Acknowledging flooded LSAs

[Diagram: same topology and LSDB as the previous slide. Callouts: R1B acknowledges receipt of the LSAs; each router on 10.0.100.0/24 acknowledges receipt of the LSAs; R2B acknowledges receipt of the LSAs.]

A router must acknowledge flooded LSAs by multicasting a Link State
Acknowledgment to the network from which it received the Link State Update.
The LSA that is encapsulated by the Link State Update packet may have originated
with a router anywhere in the area. However, the source address in the IP datagram
header that encapsulates the Link State Update will be that of a neighbor because a
router’s LSA flooding operation involves creating a new OSPF packet that
contains the Link State Update which, in turn, contains the LSAs to be sent to
neighbors. So, too, the acknowledgment is sent using a multicast address that
reaches local routers.
During this series of exchanges, only the LSA remains unchanged. The packets
that contain the LSA change at every hop.


Designated Router adjacency responsibilities

Differences between DRs and non-DRs become apparent when there are four or more routers on a multi-access network:
• DR and Backup DR become adjacent to all routers on the network
• Non-DRs become adjacent to DR and Backup DR but not to each other
• When a router joins a network that has a DR, Backup DR, and at least one non-DR, the state of its relationship with other non-DRs remains at ‘two-way’

[Diagram: Network 0 connects R1 (Non-DR), R2 (DR), R3 (BDR) and R4 (Non-DR); R1 also attaches to Network 1, R2 to Network 2, R3 to Network 3 and R4 to Network 4.]

This example uses a different set of routers and networks than the previous
examples to illustrate LSA flow when a multi-access network has four or more
connected routers. The multi-access network in the previous example supports a
full mesh of adjacencies because there is only one non-DR. However, in this
example there are two routers on Network 0 that are not DRs. All routers become
adjacent to the DR and the Backup DR, but non-DRs do not become adjacent to
each other. Consequently, the four routers connected by Network 0 do not form a
complete mesh: the DR and the Backup DR are adjacent to all routers, while R1
and R4 remain in the two-way state with each other.


Designated Router LSA flooding responsibilities

DR is chosen per network:
• A router may be a DR for some of its interfaces and a non-DR for others
DR has adjacencies with all routers on Network 0.
DR floods LSAs to multicast address 224.0.0.5 when it receives LSAs that are:
• Received due to new adjacency on Network 0 or another network
• Flooded to it over existing adjacency on another network
• Generated due to a local link state change

[Diagram: the same four routers on Network 0. A link state change originates on Network 2; R2 (DR) sends a Link State Update containing the new LSAs to 224.0.0.5 on Network 0.]

A router’s role as DR applies only to a single interface, although the term
“designated routers” seems to suggest that it applies to all interfaces.
When a router receives a flooded LSA—that is, an LSA encapsulated in a Link
State Update packet that is sent to a multicast address—the router’s flooding
responsibilities differ according to its roles on its various interfaces. If it is the DR
for any of its connected networks, it floods the LSA to that network using the
multicast address 224.0.0.5.
For interfaces where it is not a DR, an OSPF router sends its Link State Updates to
a different reserved multicast address. This different behavior is necessary because
the DR needs to act as a mediator between non-DRs, who do not form adjacencies
with each other.


Non-DR LSA flooding responsibilities

• Non-DRs on Network 0 do not have adjacency with other non-DRs
• LSAs received due to adjacencies with other networks are flooded on to Network 0 using the multicast address for All Designated Routers, 224.0.0.6
• Designated Routers receive the updates, encapsulate the LSAs in a new Link State Update packet, and flood the packet back on to Network 0 using the multicast address for All OSPF Routers, 224.0.0.5
• Some routers receive multiple copies of the LSAs, verify sequence numbers, and discard duplicates

[Diagram: a link state change originates on Network 4; R4 (Non-DR) sends a Link State Update containing the new LSAs to 224.0.0.6 on Network 0; R2 (DR) floods the new LSAs back on Network 0 to 224.0.0.5.]

The Designated Router strategy is efficient for networks with many connected
routers. This strategy avoids the generation of unnecessary traffic by maintaining a
limited number of adjacencies.
Link State Updates can only be sent to adjacent neighbors. A non-DR is adjacent
only to DRs, so when it floods LSAs onto a network it sends the Link State Update
packet to the multicast address 224.0.0.6, which is the multicast address reserved
for all Designated Routers. Non-DRs do not receive the update; however, the DRs
will subsequently flood the LSAs in an update packet addressed to 224.0.0.5, the
multicast group reserved for all OSPF routers.
The process is the same for a router that is a DR for one network but a non-DR for
others. Because the DR responsibilities are assigned to an interface, a router can be
a DR for some networks and non-DR for others.
In the example, because of this process, all routers on Network 0 have the new
LSAs. They flood them to their neighbors on other networks and update their link
state databases.
An OSPF router compares characteristics of LSAs it receives with those of the
LSAs in its LSDB. It discards those that match an existing LSA on all four
identifying characteristics (LSA type, Advertising Router, Link State ID, and
sequence number) or that have a lower sequence number. A higher
sequence number indicates a newer LSA. The router replaces an older instance
with a newer one.
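The flooding rules on this page and the previous one, together with the four-item LSA identity and sequence comparison described earlier, as an added example that is not part of the course or of any vendor’s implementation. It models the four routers on Network 0; the Router ID and sequence number of R4’s LSA are constructed, and the flood-back rule and the Backup DR’s use of 224.0.0.5 follow RFC 2328 section 13.3 (the course text describes DR versus non-DR only).

```python
# Added example: which multicast group a router floods to on each interface,
# when the DR floods back onto the receiving network, and how every router
# discards duplicate copies by comparing LSA identity and sequence number.
ALL_SPF_ROUTERS = "224.0.0.5"  # every OSPF router listens here
ALL_D_ROUTERS = "224.0.0.6"    # only the DR and Backup DR listen here


class OspfRouter:
    def __init__(self, name, roles):
        self.name = name
        self.roles = dict(roles)   # interface -> "DR", "BDR" or "DROther"
        self.lsdb = {}             # (type, advertising router, link state id) -> sequence
        self.received = 0          # Link State Updates delivered to this router
        self.discarded = 0         # copies that were duplicates or older instances

    def listens_to(self, iface, group):
        """Group membership: 224.0.0.6 is joined only where we are DR or Backup DR."""
        return group == ALL_SPF_ROUTERS or self.roles[iface] in ("DR", "BDR")

    def flood_group(self, iface):
        """DR and Backup DR flood to All OSPF Routers; everyone else to All DRs."""
        return ALL_SPF_ROUTERS if self.roles[iface] in ("DR", "BDR") else ALL_D_ROUTERS

    def install(self, lsa):
        """True if the LSA is new or newer than the stored instance; an identical
        instance or a lower sequence number is discarded."""
        key = (lsa["type"], lsa["adv"], lsa["lsid"])
        if key in self.lsdb and lsa["seq"] <= self.lsdb[key]:
            return False
        self.lsdb[key] = lsa["seq"]
        return True

    def flood_plan(self, received_on=None, received_group=None):
        """Interfaces (and groups) to flood an installed LSA out of. OSPF has no
        split horizon: the DR floods back onto the network it heard a non-DR on,
        because the other non-DRs are not adjacent to the sender and missed 224.0.0.6.
        A non-DR, or the Backup DR, never floods back onto the receiving network."""
        plan = {}
        for iface in self.roles:
            if iface == received_on and not (
                    self.roles[iface] == "DR" and received_group == ALL_D_ROUTERS):
                continue
            plan[iface] = self.flood_group(iface)
        return plan


def flood_on_network(routers, iface, origin, lsa):
    """Deliver multicast updates on one multi-access network until nobody has
    anything new to send. Returns the (sender, group) transmissions in order."""
    origin.install(lsa)                                # self-originated LSA
    queue = [(origin, origin.flood_plan()[iface])]
    log = []
    while queue:
        sender, group = queue.pop(0)
        log.append((sender.name, group))
        for router in routers:
            if router is sender or not router.listens_to(iface, group):
                continue
            router.received += 1
            if not router.install(lsa):
                router.discarded += 1
                continue
            plan = router.flood_plan(received_on=iface, received_group=group)
            if iface in plan:
                queue.append((router, plan[iface]))
    return log


def network0_example():
    """The slide's scenario: a link state change on Network 4 makes R4 originate a
    new Router LSA. Router IDs and the sequence number are constructed values."""
    r1 = OspfRouter("R1", {"net0": "DROther", "net1": "DR"})
    r2 = OspfRouter("R2", {"net0": "DR", "net2": "DR"})
    r3 = OspfRouter("R3", {"net0": "BDR", "net3": "DR"})
    r4 = OspfRouter("R4", {"net0": "DROther", "net4": "DR"})
    routers = [r1, r2, r3, r4]
    lsa = {"type": 1, "adv": "10.9.0.4", "lsid": "10.9.0.4", "seq": 0x80000007}
    log = flood_on_network(routers, "net0", r4, lsa)
    stats = {r.name: (r.received, r.discarded, r.lsdb.get((1, "10.9.0.4", "10.9.0.4")))
             for r in routers}
    return log, stats
```

In the slide scenario the only transmissions are R4 to 224.0.0.6 and R2 back to 224.0.0.5; R3 (Backup DR) hears both and discards the second copy.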


OSPF network types

OSPF supports several types of networks, including:
• Broadcast, including Ethernet and other LAN media
• Point-to-point
  – Allows exactly two adjacent routers on the network
  – Usually a WAN link
  – Both routers become adjacent; does not elect a DR/BDR
• Point-to-multipoint, used for partially meshed frame relay/ATM
• Unnumbered point-to-point
  – Point-to-point link that does not take up any address space
  – Another interface on the router provides an address for adjacency purposes
• Non-broadcast multiple access, used for full mesh frame relay/ATM

Because OSPF is designed to serve large-scale networks, the protocol supports
several types of networks, including:
• Broadcast, such as Ethernet, where a single packet can simultaneously be sent
to multiple receivers
• Point-to-point, commonly used for WAN links
• Point-to-multipoint, such as frame relay/ATM, where a single physical circuit
supports multiple virtual circuits
• Unnumbered point-to-point
• Non-broadcast multiple access
To support these various types of networks, OSPF offers several types of transit
networks. Each type is designed to serve the specific needs of a physical media
type. They are:
• A point-to-point transit network, where a router establishes a relationship
with exactly one neighbor. After the routers form an adjacency, they will not
permit adjacencies to form with other routers. This network type is typically
used for point-to-point WAN links, but it can be useful for point-to-point
Gigabit Ethernet links.


• A point-to-multipoint transit network, where a single physical circuit may
support multiple virtual circuits and locations are connected in a hub-and-spoke
or star configuration. This network type is appropriate for frame relay
or ATM networks.
• A multi-access transit network, which usually refers to an Ethernet network
that has two or more connected routers. The underlying media access method
allows a router to send its Hello messages to the reserved multicast address
and reach all of its neighbors with a single packet.
• A non-broadcast multi-access network (NBMA), which uses a media type
such as frame relay and ATM, and interconnects two or more routers using
virtual circuits. Its underlying media access method makes it impossible for a
router to reach all of its neighbors with a single Hello packet. Instead, a
router sends Hello packets to each of the routers on the NBMA network.


Finding the shortest path

• Every time a router receives a new instance of an LSA, it assesses whether the change involves any transit networks
• If it does, the router runs an algorithm against the LSAs in its link state database, resulting in a tree that includes all routers and networks in the area, and calculates the cost to each destination
• The router populates its IP route table with next hop information from the ‘shortest path first’ tree

[Diagram: shortest path from R2A’s perspective. R2A (Router ID 10.2.208.1) and R2B (Router ID 10.2.209.1) share 10.2.64.0/24 (cost 10); R2A has stub network 10.2.10.0/24 (cost 100) and R2B has stub network 10.2.20.0/24 (cost 100). R2A and R1A (Router ID 10.1.208.1) share 10.0.100.0/24 (cost 1). R1A and R1B (Router ID 10.1.209.1) share 10.1.64.0/24 (cost 10); R1A has stub network 10.1.10.0/24 (cost 100) and R1B has stub network 10.1.20.0/24 (cost 100).]

The LSAs discussed earlier in this module form the basis for the shortest-path-first
calculations that give OSPF its fast convergence.
Not every LSA requires the calculation of a new tree. For example, if R2A
received an LSA originated by R1B indicating that its stub network 10.1.20.0/24
was down, it wouldn’t affect the shortest-path-first calculation. R1A would simply
accept the LSA, replacing the earlier one that indicated the network was up and
available.
Suppose, however, that R2A lost its connection to the network 10.0.100.0/24. The
DR of this network would originate an LSA indicating that the neighbor list had
changed, and all routers would flood the LSA. Additionally, R2A would originate
and flood to its only remaining neighbor a new instance of its Router LSA. All
four routers would run the algorithm and recognize network 10.2.64.0/24 as the
path to R2A and network 10.2.10.0/24.
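The SPF procedure from the “SPF tree and IP route table” pages and the calculation just described, as an added example in Python; it is not course or vendor code. The LSDB is constructed from the “Finding the shortest path” topology; the interface addresses and the DR on each transit network are assumptions taken from the earlier diagrams, and the example also collects every equal-cost next hop, which the slide topology itself does not exercise.

```python
import heapq
from collections import defaultdict

# Constructed LSDB for the slide's four routers. A Router LSA link is either
# ("stub", prefix, cost) or ("transit", dr_address, own_address, cost); the DR
# address is also the Link State ID of the matching Network LSA (assumed values).
ROUTER_LSAS = {
    "10.2.208.1": [("stub", "10.2.10.0/24", 100),                 # R2A
                   ("transit", "10.2.64.2", "10.2.64.1", 10),
                   ("transit", "10.0.100.12", "10.0.100.12", 1)],
    "10.2.209.1": [("stub", "10.2.20.0/24", 100),                 # R2B
                   ("transit", "10.2.64.2", "10.2.64.2", 10)],
    "10.1.208.1": [("stub", "10.1.10.0/24", 100),                 # R1A
                   ("transit", "10.1.64.2", "10.1.64.1", 10),
                   ("transit", "10.0.100.12", "10.0.100.11", 1)],
    "10.1.209.1": [("stub", "10.1.20.0/24", 100),                 # R1B
                   ("transit", "10.1.64.2", "10.1.64.2", 10)],
}
# Network LSAs keyed by Link State ID (DR address): prefix and attached Router IDs.
NETWORK_LSAS = {
    "10.2.64.2": ("10.2.64.0/24", ["10.2.208.1", "10.2.209.1"]),
    "10.0.100.12": ("10.0.100.0/24", ["10.2.208.1", "10.1.208.1"]),
    "10.1.64.2": ("10.1.64.0/24", ["10.1.208.1", "10.1.209.1"]),
}


def build_graph(router_lsas, network_lsas):
    """Vertices are routers and transit networks: a router reaches a transit network
    at the link cost, a transit network reaches each attached router at cost 0.
    Stub networks are leaves and are hung on the finished tree afterwards."""
    edges, stubs = defaultdict(list), defaultdict(list)
    for rid, links in router_lsas.items():
        for link in links:
            if link[0] == "stub":
                stubs[rid].append((link[1], link[2]))
            else:
                edges[rid].append(("net:" + link[1], link[3]))
    for dr_ip, (_prefix, attached) in network_lsas.items():
        for rid in attached:
            edges["net:" + dr_ip].append((rid, 0))
    return edges, stubs


def dijkstra(root, edges):
    """Cost from the root to every vertex, keeping every equal-cost parent."""
    dist, parents, done = {root: 0}, defaultdict(set), set()
    heap = [(0, root)]
    while heap:
        d, v = heapq.heappop(heap)
        if v in done:
            continue
        done.add(v)
        for nbr, cost in edges.get(v, ()):
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr], parents[nbr] = d + cost, {v}
                heapq.heappush(heap, (d + cost, nbr))
            elif d + cost == dist[nbr]:
                parents[nbr].add(v)
    return dist, parents


def route_table(root, router_lsas=ROUTER_LSAS, network_lsas=NETWORK_LSAS):
    """Return {prefix: (cost, frozenset of next hops)} read off the root's SPF tree.
    'connected' marks a directly attached network; otherwise a next hop is the
    address of a neighbor router on one of the root's own transit networks."""
    edges, stubs = build_graph(router_lsas, network_lsas)
    dist, parents = dijkstra(root, edges)

    def address_on(rid, net_vertex):          # rid's interface address on that network
        for link in router_lsas[rid]:
            if link[0] == "transit" and "net:" + link[1] == net_vertex:
                return link[2]
    memo = {root: frozenset({"connected"})}

    def next_hops(v):
        if v not in memo:
            hops = set()
            for p in parents[v]:
                if p == root:                  # transit network attached to the root
                    hops.add("connected")
                elif root in parents[p]:       # neighbor reached across that network
                    hops.add(address_on(v, p))
                else:                          # farther away: inherit the parent's
                    hops |= next_hops(p)
            memo[v] = frozenset(hops)
        return memo[v]
    routes = {}

    def offer(prefix, cost, hops):            # keep the cheapest; merge on ties (ECMP)
        if prefix not in routes or cost < routes[prefix][0]:
            routes[prefix] = (cost, hops)
        elif cost == routes[prefix][0]:
            routes[prefix] = (cost, routes[prefix][1] | hops)
    for dr_ip, (prefix, _attached) in network_lsas.items():
        if "net:" + dr_ip in dist:
            offer(prefix, dist["net:" + dr_ip], next_hops("net:" + dr_ip))
    for rid, leaves in stubs.items():
        if rid in dist:
            for prefix, cost in leaves:
                offer(prefix, dist[rid] + cost, next_hops(rid))
    return routes
```

Calling route_table("10.2.208.1") gives R2A’s view of the slide: 10.1.20.0/24 at cost 111 via 10.0.100.11, 10.2.20.0/24 at cost 110 via 10.2.64.2; removing R2A’s link to 10.0.100.0/24 and recomputing from R2B leaves 10.2.64.0/24 as the only path to R2A and 10.2.10.0/24.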


OSPF’s performance in large intranet

• OSPF achieves fast convergence due to requirements it places on routers
  – Maintain synchronized link state database among all routers
  – Immediately flood over its adjacencies every LSA it receives
  – Recalculate shortest-path-first tree and install new routes in route table when link state changes occur
• These requirements can become a burden to a router if:
  – Number of LSAs in link state database requires excessive memory
  – Frequent state changes due to large number of routers and networks lead to excessive recalculation of SPF tree and become a drain on CPU resources

[Diagram: a large single-area intranet; a transit network failure (marked X) causes Router and Network LSAs to flow through the entire area.]

Fast convergence is one of OSPF’s main benefits. However, if a network is not
designed properly, the mechanisms that enable OSPF routers to respond quickly to
state changes and maintain current information can be detrimental to its
performance.
The diagram above represents a very large intranet, although it is not practical to
show all the routers in such a large network. The routers in the above example are
arranged hierarchically, with four router groups that are connected to a set of core
routers. As a practical matter, due to the relative isolation of the router groups, the
transit network failure shown in the diagram will not result in any route table
changes for routers in other groups. The links that connect groups to the core are
not affected. When a transit network in one of the locations goes down, the routers
in another location do not need to be updated. The links that the routers use to
reach the other location are still up.
However, because all of the routers are in a single area, they all receive the updates
and process them accordingly, which adds to router overhead. This issue becomes
more severe as more routers and networks are added because the probability
increases that one or more of them could be experiencing state changes at any
given time.


The creation of areas that include too many routers also can lead to large link state
databases that cannot be processed quickly enough to satisfy user needs. Because
the link state algorithm must examine all LSAs stored in the LSDB, the inclusion
of too many entries can lengthen processing time so that user sessions time out
before the router finds the shortest path and updates its route table.
The solution, of course, is to divide the networks into areas. Many router vendors
recommend limiting the number of routers and networks in an area according to
the available processor speed and memory. Many enable you to configure a
minimum interval between iterations of the shortest-path-first algorithm.


OSPF scalability

• Divide a large intranet into areas with fewer than 50 routers and fewer than 500 networks
• If you use multiple areas, one must be defined as Area 0
• Connect the areas using an Area Border Router (ABR) that has at least one interface in Area 0 and at least one interface in a non-zero area
• Routers whose interfaces are all assigned to the same area are ‘internal’ routers

[Diagram: networks assigned to Area 0, Area 1 and Area 2.]

To avoid overtaxing OSPF routers, you should divide the intranet into areas sized
so that LSA processing and storage do not interfere with performance. In general,
an area should have no more than 50 routers or 500 networks. It is also worth
noting that OSPF’s benefits are more apparent in larger networks. Consequently,
the likely OSPF deployment involves dividing up the networks by physical
proximity and creating boundaries between the areas.
In an intranet using multiple areas, one area must be the backbone area, referred
to as “Area 0,” “Area 0.0.0.0,” or the “Backbone Area.” All traffic between two
non-backbone areas passes through the backbone.

Area Border Router (ABR)

To enable proper OSPF functioning, you must configure an OSPF router to be the
Area Border Router (ABR) by assigning some interfaces to Area 0 and other
interfaces to another area. The ABR must have at least one backbone interface.
The networks in an area must be contiguous. The design cannot place part of Area
1 in location A and another part of Area 1 in Location B, with connections
provided only by networks that belong to some other area.

Multiple areas and adjacency

• Adjacency is a requirement for all OSPF routers, whether internal or ABR
• Area ID is one of the first items checked in Hello packet
– Adjacency fails if the sender of Hello packet associates the network with a
different area ID than the receiver

Figure: networks assigned to area 0, area 1, and area 2.

Adjacency is fundamental to all communication between OSPF routers. Without
adjacency, routers cannot synchronize their link state databases and cannot flood
LSAs. Furthermore, a network with no adjacencies is recognized by all routers as a
stub network, instead of as a transit network capable of carrying traffic destined
for other networks.
As described earlier, in order to form an adjacency, the routers must agree on
many parameters, including area ID. In fact, area ID is one of the first items that
the receiver of a Hello message verifies; it is carried in the OSPF packet header
and is checked before the Hello body is examined. If the area IDs differ, the
receiver discards the packet, no neighbor entry is created, and neither side can
move to the Two-Way or ExStart states.
Every OSPF packet, including Hello, Database Description, Link State Request,
Link State Update, and Link State Acknowledgment, is encapsulated by an OSPF
packet header that contains the area ID and router ID.
If you change the area ID to which a network is assigned without changing the
area ID of other routers on that network, the router immediately loses any
adjacencies on that network. If other router interfaces subsequently change their
area IDs, the routers may establish new adjacencies if all other parameters
(network mask, Hello and dead intervals, and the stub-area option) are compatible.
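To make the order of these checks concrete, here is an added Python example (not code from the ProCurve guide or any ProCurve product) that builds OSPFv2 Hello packets from constructed values, parses them with the checksum verification a receiver performs before trusting any field, and applies the area ID and Hello-body checks in the order RFC 2328 applies them. The Router IDs and area numbers are the ones used in the figures that follow; the packets are constructed here, not captured.

```python
"""Build, parse and check OSPFv2 Hello packets (RFC 2328 A.3.1 and A.3.2).

Added illustration, not ProCurve code.  All packet bytes are constructed
locally; only null authentication (AuType 0) is handled.
"""
import ipaddress
import struct
from dataclasses import dataclass

OSPF_VERSION = 2
OSPF_HELLO = 1
HDR_FMT = "!BBHIIHH8s"   # version, type, length, router ID, area ID, checksum, AuType, auth
HDR_LEN = struct.calcsize(HDR_FMT)       # 24 bytes
HELLO_FMT = "!IHBBIII"   # netmask, HelloInterval, options, priority, RouterDeadInterval, DR, BDR
HELLO_LEN = struct.calcsize(HELLO_FMT)   # 20 bytes
E_BIT = 0x02             # options: router accepts AS External LSAs (clear inside a stub area)


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _dotted(value):
    return str(ipaddress.IPv4Address(value))


def ospf_checksum(pkt):
    """One's-complement checksum over the packet with the checksum field zeroed
    and the 64-bit authentication field excluded (the AuType 0 rule)."""
    data = pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass(frozen=True)
class Hello:
    router_id: str
    area_id: str
    netmask: str
    hello_interval: int
    dead_interval: int
    options: int
    priority: int
    neighbors: tuple


def build_hello(router_id, area_id, netmask, hello=10, dead=40,
                options=E_BIT, priority=1, neighbors=()):
    """Encode a Hello with null authentication and a valid checksum."""
    body = struct.pack(HELLO_FMT, _ip(netmask), hello, options, priority, dead, 0, 0)
    body += b"".join(struct.pack("!I", _ip(n)) for n in neighbors)
    hdr = struct.pack(HDR_FMT, OSPF_VERSION, OSPF_HELLO, HDR_LEN + len(body),
                      _ip(router_id), _ip(area_id), 0, 0, bytes(8))
    pkt = hdr + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]


def parse_hello(pkt):
    """Decode a Hello, rejecting malformed or corrupted packets before any field is trusted."""
    if len(pkt) < HDR_LEN + HELLO_LEN:
        raise ValueError("packet too short for an OSPF Hello")
    ver, ptype, length, rid, aid, csum, autype, _auth = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
    if ver != OSPF_VERSION or ptype != OSPF_HELLO or length != len(pkt):
        raise ValueError("not a well-formed OSPFv2 Hello")
    if autype != 0:
        raise ValueError("only null authentication is handled here")
    if ospf_checksum(pkt) != csum:
        raise ValueError("bad OSPF checksum")
    mask, hello, options, prio, dead, _dr, _bdr = struct.unpack(
        HELLO_FMT, pkt[HDR_LEN:HDR_LEN + HELLO_LEN])
    rest = pkt[HDR_LEN + HELLO_LEN:]
    if len(rest) % 4:
        raise ValueError("truncated neighbor list")
    nbrs = tuple(_dotted(n) for (n,) in struct.iter_unpack("!I", rest))
    return Hello(_dotted(rid), _dotted(aid), _dotted(mask), hello, dead, options, prio, nbrs)


def hello_compatible(local, received, point_to_point=False):
    """Checks from RFC 2328 sections 8.2 (header) and 10.5 (Hello body), in order.
    The area ID lives in the header, so a mismatch discards the packet before
    the body is examined and no neighbor entry is created."""
    if received.area_id != local.area_id:
        return False, "area ID mismatch: packet discarded, no neighbor created"
    if not point_to_point and received.netmask != local.netmask:
        return False, "network mask mismatch"
    if received.hello_interval != local.hello_interval:
        return False, "HelloInterval mismatch"
    if received.dead_interval != local.dead_interval:
        return False, "RouterDeadInterval mismatch"
    if (received.options & E_BIT) != (local.options & E_BIT):
        return False, "E-bit mismatch: one side treats the area as stub"
    return True, "ok"


def neighbor_state(local, received):
    """After a compatible Hello: Init until the sender lists us, then 2-Way."""
    ok, reason = hello_compatible(local, received)
    if not ok:
        return "Down (" + reason + ")"
    return "2-Way" if local.router_id in received.neighbors else "Init"
```

Because the area ID sits in the common header, a mismatch is rejected before the Hello body is even decoded; the remaining checks run only once the header has passed. The block handles null authentication only, which is also the reason to enable OSPF authentication on production segments: without it, any host on the network can send a well-formed Hello that passes every check above.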

ABR link state database synchronization
• Router LSAs and Network LSAs do not cross area boundaries
• Area Border Routers (ABRs)
– Have adjacencies with neighbors in at least two areas
– Maintain database synchronization with routers in locally configured areas

Figure: each ABR maintains LSDB entries for area 0 and for its own non-backbone area (area 1 or area 2); an internal router sits in area 0, and internal routers sit in area 1 and in area 2.

An OSPF router assigns each of its OSPF interfaces to an area. An area border
router (ABR) assigns some of its interfaces to the backbone area and other
interfaces to a non-backbone area. The ABR must maintain database entries for
each area in which it has at least one interface. It does not maintain LSAs for areas
in which it has no interfaces.
In this example, each ABR has one interface in the backbone area and two or more
interfaces in a non-backbone area. It is possible for an ABR to have interfaces in
two non-backbone areas; however, this can add significant overhead because the
router must maintain entries for all connected areas. The ABR is a full participant
in each area, originating and flooding LSAs when it is appropriate.

LSA flow between areas

• ABR generates and floods ‘Summary LSAs’ that:
– Describe networks in the backbone area and flood over all adjacencies in
non-backbone area
– Describe networks in the non-backbone area(s) and flood over all
adjacencies in backbone area
• ABR may be configured to substitute individual network advertisements with
range advertisements

Figure: the ABR for area 1 sends Summary LSAs describing networks in area 1 into area 0, and Summary LSAs describing networks in area 0 and area 2 into area 1; the ABR for area 2 does the same for area 2. Internal routers sit in area 0, area 1, and area 2.

ABRs have a set of database entries for each supported area and maintain
adjacencies with neighbors in those areas. The ABR is responsible for creating a
third type of LSA, known as a Summary LSA, which it uses to represent networks
from other areas.
In the backbone area section of the ABR’s database, backbone area networks are
represented by Router and Network LSAs, and non-backbone area networks are
represented by Summary LSAs.
The reverse is also true. In the non-backbone area section of the database,
non-backbone area networks are represented by Router and Network LSAs. The
backbone networks are represented by Summary LSAs.
Consequently, the link-state database of an ABR that supports two areas has
approximately twice as many entries as it would have if all of the interfaces were
in the same area, and the database of an ABR that supports three areas has
approximately three times as many. Memory consumption is one of the primary
reasons that most vendors put limits on the number of areas an OSPF router can
support.

Flooding Summary LSAs

Figure: R1A (an ABR, Router ID 10.1.208.1 on a loopback interface) connects area 1 to area 0 through 10.0.100.11/24. Area 1 contains networks 10.1.10.0/24, 10.1.30.0/24, and 10.1.64.0/24 (the link between R1A at 10.1.64.1 and R1B at 10.1.64.2; R1B has Router ID 10.1.209.1 on a loopback). R2A (an ABR, Router ID 10.2.208.1) connects area 2 through 10.0.100.21/24; area 2 contains 10.2.10.0/24, 10.2.30.0/24, and 10.2.64.0/24, with R2B (Router ID 10.2.209.1). R1A floods into area 0 a Link State Update containing one Summary LSA for each network in area 1, for example Type: Summary LSA, Link state ID 10.1.10.0, Adv. Router 10.1.208.1, Netmask 255.255.255.0, followed by a second Summary LSA with Link state ID 10.1.30.0; it floods into area 1 a Summary LSA for each network in area 0.

A Summary LSA contains the starting address and mask of a network from one
area that is advertised into another area. The example above shows one Summary
LSA and the beginning of a second Summary LSA. Like the Router LSA and
Network LSA, the Summary LSA is encapsulated in a Link State Update packet
and flooded to a router’s adjacent neighbors. Unlike the Router and Network LSA,
the information in a Summary LSA crosses area boundaries. The Summary LSA
created by R1A and flooded into the backbone area is re-originated into area 2 by
R2A, the ABR that connects area 2 to the backbone, as a new Summary LSA with
R2A as the advertising router. Similarly, the Summary LSAs created by R2A that
describe networks in area 2 are flooded through the backbone and re-originated
into area 1 by R1A.
As a result of the ABR’s creation and flooding of Summary LSAs, an internal
(non-ABR) router has Router and Network LSAs that describe networks in its
local area, and Summary LSAs that describe networks in other areas.
In the example above, each non-backbone area has a single ABR that connects to
the backbone area. However, designers may provide additional resilience by
configuring two ABRs per area. In that case, each ABR independently creates and
floods Summary LSAs from one area into the other. Internal routers in the area
would receive twice as many Summary LSAs as they would receive if the area had
only one ABR.
Dividing a large intranet into multiple areas will limit the scope of Router LSAs
and Network LSAs, but this action alone isn’t sufficient to minimize the size of the
link state database. The creation of multiple areas actually increases the size of the
LSDB for ABRs and may increase the number of entries for internal routers.

Hierarchical addressing enables summarization
Figure: the same topology as the previous page. With a configured range, R1A floods a single Summary LSA (Type: Summary LSA, Link state ID 10.1.0.0, Adv. Router 10.1.208.1, Netmask 255.255.0.0) and R2A floods a single Summary LSA (Link state ID 10.2.0.0, Adv. Router 10.2.208.1, Netmask 255.255.0.0), each summarizing its area’s entire address range with a starting address and mask.

Dividing an intranet into separate areas makes it possible to summarize address
space at area boundaries. An ABR can be configured to create Summary LSAs that
express the address space of an area as a range rather than as separate networks.
This requires you to carefully plan and implement a hierarchical addressing
scheme so that the address space of an area can be summarized with a single range
statement, but the benefits are significant in terms of LSDB size. In particular, this
enables the LSDBs of internal routers within non-backbone areas to list a single
route to addresses in other areas, instead of listing individual networks in their
LSDB and route table. The range should cover only address space that actually
belongs to the area: a range that also covers unassigned or foreign address space
attracts traffic for destinations the ABR cannot deliver.
The diagram above shows a hypothetical example. In practice, of course, you
would not divide a network this small into three separate areas. In fact, the benefits
of OSPF are most apparent in larger networks with redundant paths.
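As an added example that is not part of the guide, the following Python reproduces the Type 3 origination rules described on this page and the previous one: one Summary LSA per network when no range is configured, one per active range when one is, plus the checks a designer would run before configuring the range. Area 1’s networks are read from the figures (the three /24s and the two loopbacks); 192.168.5.0/24 and the other-area prefixes used in the checks are constructed inputs.

```python
"""Type 3 Summary LSA origination with and without configured ranges.

Added illustration, not ProCurve code.  Area 1 networks come from the
figures on these pages; any other prefix used with these functions is a
constructed input.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SummaryLSA:
    link_state_id: str   # starting address of the advertised range
    netmask: str
    adv_router: str      # the ABR's Router ID


def summary_lsas(area_networks, adv_router, ranges=()):
    """Type 3 LSAs an ABR originates into the backbone for one area.

    A configured range is advertised once, and only if at least one of the
    area's networks falls inside it (a range with no active component is
    suppressed).  Networks not covered by any range are advertised singly.
    """
    nets = [ipaddress.ip_network(n) for n in area_networks]
    rngs = [ipaddress.ip_network(r) for r in ranges]
    lsas = []
    for r in rngs:
        if any(n.subnet_of(r) for n in nets):
            lsas.append(SummaryLSA(str(r.network_address), str(r.netmask), adv_router))
    for n in nets:
        if not any(n.subnet_of(r) for r in rngs):
            lsas.append(SummaryLSA(str(n.network_address), str(n.netmask), adv_router))
    return lsas


def smallest_covering_range(area_networks):
    """Smallest single prefix that contains every network in the area: the
    tightest range a hierarchical plan can summarize this area to."""
    nets = [ipaddress.ip_network(n) for n in area_networks]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return str(candidate)


def unassigned_addresses(range_prefix, area_networks):
    """Addresses the range claims that belong to no network in the area.
    Traffic for them is drawn to the ABR, which has nowhere to send it."""
    rng = ipaddress.ip_network(range_prefix)
    covered = sum(n.num_addresses for n in map(ipaddress.ip_network, area_networks)
                  if n.subnet_of(rng))
    return rng.num_addresses - covered


def range_conflicts(range_prefix, other_area_networks):
    """Networks outside this area that the candidate range would also cover.
    Any of them that is withdrawn (link down) then resolves to this range
    instead of becoming unreachable, so the list must be empty before the
    range is configured."""
    rng = ipaddress.ip_network(range_prefix)
    return [n for n in other_area_networks if ipaddress.ip_network(n).subnet_of(rng)]
```

Run against Area 1 as drawn, summary_lsas returns five LSAs without a range and one with 10.1.0.0/16; smallest_covering_range shows that /16 is the tightest cover only because the loopbacks are numbered from 10.1.208.0 upward (the three /24s alone fit in 10.1.0.0/17), and unassigned_addresses shows the /16 claims 64766 addresses that no network in the area uses.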

Summary of OSPF LSA types

Type | Name | Scope | Advertising Router | Link State ID
---- | ---- | ----- | ------------------ | -------------
1 | Router LSA | Within a single area | Router ID (one LSA for each router in the area) | Originating router ID
2 | Network LSA | Within a single area | DR of multi-access transit network | DR’s IP address on the network
3 | Summary LSA | All areas other than stub no-summary | Area Border Router | Starting IP address of address range in another area
4 | AS Summary LSA | Normal areas | Area Border Router | ASBR’s Router ID
5 | AS External LSA | Normal areas | Autonomous System Boundary Router | Starting IP address of external address range
7 | NSSA LSA | Within a not-so-stubby area | Autonomous System Boundary Router | Starting IP address of external address range

As shown above, OSPF uses six types of LSA in the configurations discussed in
this module.
Router LSAs and Network LSAs are exchanged by routers in a single area, as
described earlier in this module.
When you assign interfaces on a router to more than one area, the router
automatically becomes an ABR. It creates Summary LSAs that describe networks
in the backbone and floods them to adjacent neighbors in non-backbone areas. It
also creates Summary LSAs that describe non-backbone networks and floods them
to the backbone. Summary LSAs flow through area border routers into “normal”
OSPF areas.
The rest of this module will describe three other types of OSPF areas and the uses
for the remaining LSA types shown in the table above.

External route information

✓ Basic OSPF interactions
✓ Distribution of link state changes
External route information
• Redistributing non-OSPF network information
• Autonomous System Boundary Router (ASBR)
• Not-so-stubby area (NSSA)

The final section of Module 2 will describe the processes for redistributing
information about non-OSPF networks to OSPF routers.

Redistributing non-OSPF network information
OSPF routers advertise:
• Locally connected OSPF networks using Router LSAs and Network
LSAs
• Networks in another area using Summary LSAs
Routing information that comes from a source other than OSPF is
considered ‘external’
Examples include:
• Default route to the Internet
• Static route to portions of the intranet that do not use OSPF
• Routes learned from RIP neighbors
Autonomous System Boundary Router (ASBR) is an OSPF router
that has learned routes from a non-OSPF source


OSPF routers advertise native OSPF networks using Router LSAs, Network LSAs,
and Summary LSAs. When an OSPF router has information in its route table that
came from a source other than OSPF, it cannot include that information in its
Router LSA because the Router LSA refers strictly to OSPF native networks.
Sources of non-OSPF routes can include:
• Static routes
• Directly connected networks (local interfaces) where OSPF is not enabled
• RIP domains within the intranet. These are collections of routers that support
RIP and exchange RIP advertisements, but do not support OSPF.
• User-defined default route or BGP routes that direct traffic toward an ISP or
other location.
Because OSPF routers often must have access to these types of routes, OSPF
domains often include an Autonomous System Boundary Router (ASBR), a type
of OSPF router that has direct knowledge of non-OSPF information. While
configuration procedures are vendor- or platform-specific, the process of
transforming routing information from one source into another is often referred to
as “redistribution.” Redistribution should be filtered: every route accepted from a
static, RIP, or BGP source becomes an AS External LSA that every router in the
domain installs, so an unfiltered redistribution point can inject bogus or overly
broad prefixes into the entire OSPF domain.

ASBR

• A router that has access to non-OSPF route information may be configured to
redistribute that information into the OSPF Autonomous System
• ASBR generates one AS External LSA for each non-OSPF network
– Can be configured to summarize address ranges
• ASBR floods AS External LSA to its adjacent neighbors
• Routers in “normal” areas flood AS External LSAs to adjacent neighbors
• External address range appears in LSDB and IP route tables of all routers

Figure: an ASBR in Area 0 attached to a non-OSPF domain floods AS External LSAs, which reach Area 1 and Area 2.

The ASBR is responsible for generating an AS External LSA for each non-OSPF
network. Like all other LSAs, it is encapsulated in a Link State Update packet,
OSPF packet, and IP packet, and flooded to adjacent neighbors.
On most systems, administrators can configure ranges of external networks to
minimize the actual number of advertisements the ASBR must send and,
consequently, limit the number of LSAs that every router in the domain must keep
in its LSDB. If the ASBR provides a path to the Internet or to all networks not
specifically listed in the domain’s route tables, administrators can configure it to
originate the default route by creating and flooding a Type 5 AS External LSA that
advertises the address range 0.0.0.0/0.
An AS External LSA may be forwarded over adjacencies, through ABRs, and
reach every router in the domain if the external information being advertised is
worthy of that kind of distribution. In many cases, external routes are connected to
a single ASBR and if there are a limited number of paths to that ASBR, it might be
more efficient to stop the AS External LSAs from being flooded into every area.

Stub area type: Injecting the default route
• OSPF routers internal to non-backbone areas may not require the specific
addresses of non-OSPF networks
• To replace the specific advertisements of non-OSPF networks with the default
route, define non-backbone areas as ‘stub’ type areas
• The backbone may not be defined as a stub area
• Link State Database in stub area cannot contain AS Summary LSAs or AS
External LSAs; ASBR may not reside within a stub area

Figure: ABRs do not flood AS External LSAs into a stub area; instead each ABR injects a Summary LSA that specifies the default route 0.0.0.0/0 into Area 1 (Stub) and Area 2 (Stub), and the default route appears in the LSDB and route tables of the internal routers. The ASBR and the non-OSPF domain attach to Area 0.

The ABR of a stub area receives AS External LSAs from its adjacent neighbors in
the backbone area and stores them in its link state database. It does not flood AS
External LSAs into the stub area, but instead creates a Type 3 Summary LSA
containing the default route and floods that LSA to neighbors in the stub area.
Because the routers internal to the stub area receive the default route, they can
forward traffic toward the remote networks managed or discovered by other
routing protocols. However, they are not required to maintain individual entries for
those networks. This minimizes the number of LSAs in internal routers’ link state
database, along with the size of the IP route table.
The ABR’s status as a member of the stub area does not cause it to have the
default route in its route table. Instead, its route table contains whatever specific
networks or summarized address ranges the ASBR has advertised. If the ASBR
has been configured to originate the default route, the databases of all OSPF
routers in normal areas will contain the Type 5 AS External LSA that advertises
the default route. Internal routers in stub areas will also have the default route in
their route tables, but that information comes from the Type 3 Summary LSA that
was injected into the stub area by the ABR.
As described earlier, the ABR must always be a member of Area 0 and at least one
non-backbone area. Area 0 cannot be defined as a stub area type because it is a
connecting point for all of the areas in the OSPF AS. In the diagram, the ASBR is
located within Area 0 by design. The ASBR cannot be placed in a stub area.

Locating the ASBR

• ASBRs may be located in any ‘normal’ area, never in a stub area
• ASBRs indicate their role by setting an option bit in their Router LSAs
• An ABR detects the presence of an ASBR in an area it serves, originates an
AS Summary LSA, and floods it into the backbone area
• AS External LSA includes the ASBR’s Router ID; without the AS Summary LSA,
routers would not know which area the ASBR resides in, preventing them from
forwarding traffic toward the non-OSPF networks

Type | Name | Scope | Advertising Router | Link State ID
---- | ---- | ----- | ------------------ | -------------
4 | AS Summary LSA | Normal areas | Area Border Router | ASBR’s Router ID
5 | AS External LSA | Normal areas | Autonomous System Boundary Router | Starting IP address of external address range

The AS Summary LSA (Type 4) is originated by the ABR of the area in which an
ASBR is located. It advertises the ASBR’s Router ID, together with the ABR’s
cost to reach it, into the backbone, from which the other ABRs re-originate it into
their normal areas. Without this advertisement, an internal router in a different
area than the ASBR would not know how to forward traffic toward the non-OSPF
networks.
Unlike all of the other LSA types, the AS Summary LSA does not contain any
information that appears in a route table. However, because it is in the link state
database, it is available for use when OSPF routers calculate the shortest path to
each destination network, including the external networks advertised by the
ASBR.

Stub and “totally stubby” area

Defining area as stub reduces size of LSDB and IP route table
To further minimize LSDB and IP route table, configure ABR to withhold
Summary LSAs.
• Result is more compact LSDB and IP route tables
• External networks and networks from other areas are summarized with the
default route

Figure: in a stub no-summary (‘totally stubby’) area, the ABR withholds both AS External LSAs and Summary LSAs and injects only 0.0.0.0/0, so the default route represents external networks and networks in other OSPF areas. The ASBR and non-OSPF domain attach to Area 0; Area 1 and Area 2 are stub areas.

In addition to defining an area’s type as “stub,” you can configure the ABR not to
flood Type 3 Summary LSAs to adjacent neighbors in the area. This is advisable
when there are a limited number of entry and exit points to a given area. For
example, routers in Area 1 usually do not require detailed information about the
networks in Area 2.
Although the example shows only one ABR for each non-backbone area, it is often
the case that a stub area is connected to the backbone by two ABRs. Both ABRs
advertise the default route; each internal router forwards outbound traffic to the
ABR whose default route has the lowest total cost from that router. If both ABRs
advertise the default route with an equal metric, the choice depends on the
implementation: a router that supports equal-cost multipath may split traffic across
both ABRs, while others select one, typically the ABR with the highest router ID.
Because Summary LSAs have been withheld, an internal router in a totally stubby
area cannot pick the ABR closest to a particular destination; all traffic for other
areas follows the default route.

Not-so-stubby area (NSSA)

NSSA combines efficiency of default route summarization (similar to stub
area) with flexibility of ASBR definition
• ASBR within NSSA originates Type 7 LSA (NSSA)
• ABR transforms Type 7 LSAs into Type 5 and floods them into the backbone

Figure: Area 1 (NSSA) contains an ASBR that has some RIP routes; those RIP routes appear in route tables within Area 1 as ‘External’, while non-OSPF information that originates outside Area 1 (the ASBR in Area 0 holding the default route to the Internet, flooded as AS External LSAs) is summarized into Area 1 as the default route 0.0.0.0/0. Area 2 (Totally Stubby) receives a default route that represents all networks not in Area 2.

OSPF rules prohibit Type 4 or Type 5 LSAs in a stub area. However, if a non-
backbone area must include an ASBR, it can be defined as a not-so-stubby area
(NSSA) to enable internal routers to gain the efficiency typical of stub areas.
The ABR connected to a not-so-stubby area converts external information that
originates outside the area into the default route in the same manner it would if the
area were defined as a stub area. This is possible because the ASBR in a not-so-
stubby area advertises its external networks using a Type 7 NSSA LSA. The
external networks appear in the route tables of routers in the area, and the ABR
translates the Type 7 LSAs into Type 5 AS External LSAs and floods them to
adjacent neighbors in the backbone. From the backbone, the external network
information is summarized as the default route for stub and totally stubby areas.
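As an added illustration that is not part of the ProCurve guide, the following Python models the ABR behaviour described on the stub, totally stubby, and NSSA pages above, and on the ASBR and AS Summary LSA pages before them: which LSA types an ABR floods into an area of each type, what it originates into the backbone on the area’s behalf, and the Type 7 to Type 5 translation at an NSSA ABR. Router IDs, prefixes, and the RIP-learned route are constructed; injecting the NSSA default as a Type 7 LSA follows RFC 3101 and is an assumption about how a given platform does it.

```python
"""Which LSAs cross an area border, by area type.

Added illustration, not ProCurve code.  Router IDs and prefixes are
constructed.  Rules modelled: RFC 2328 for normal and stub areas (a Type 3
default is injected into a stub area while Types 4 and 5 are withheld; a
totally stubby area also withholds Type 3), RFC 3101 for NSSAs (Type 7
inside the area, translated to Type 5 at the ABR when the P-bit is set;
the default is injected as a Type 7 with the P-bit clear).
"""
from dataclasses import dataclass

NORMAL, STUB, TOTALLY_STUBBY, NSSA = "normal", "stub", "totally-stubby", "nssa"
DEFAULT_ID, DEFAULT_MASK = "0.0.0.0", "0.0.0.0"


@dataclass(frozen=True)
class LSA:
    lsa_type: int        # 3, 4, 5 or 7; Router and Network LSAs never leave an area
    link_state_id: str   # network address, or the ASBR's Router ID for Type 4
    netmask: str
    adv_router: str
    p_bit: bool = False  # Type 7 only: the ASBR asks the NSSA ABR to translate it


def flood_into_area(backbone_networks, backbone_lsdb, area_type, abr):
    """LSAs the ABR originates or forwards from the backbone into one area."""
    if area_type not in (NORMAL, STUB, TOTALLY_STUBBY, NSSA):
        raise ValueError("unknown area type: " + str(area_type))
    out = []
    if area_type != TOTALLY_STUBBY:
        # Backbone networks and other areas' ranges are re-originated by this ABR.
        out += [LSA(3, p, m, abr) for p, m in backbone_networks]
        out += [LSA(3, l.link_state_id, l.netmask, abr)
                for l in backbone_lsdb if l.lsa_type == 3]
    if area_type == NORMAL:
        out += [LSA(4, l.link_state_id, l.netmask, abr)
                for l in backbone_lsdb if l.lsa_type == 4]
        out += [l for l in backbone_lsdb if l.lsa_type == 5]   # AS scope: flooded unchanged
    elif area_type == NSSA:
        out.append(LSA(7, DEFAULT_ID, DEFAULT_MASK, abr))      # default for everything outside
    else:
        out.append(LSA(3, DEFAULT_ID, DEFAULT_MASK, abr))      # stub: default replaces Types 4/5
    return out


def flood_out_of_area(area_networks, area_lsdb, area_asbrs, area_type, abr):
    """LSAs the ABR originates into the backbone on behalf of one area."""
    if area_type in (STUB, TOTALLY_STUBBY) and area_asbrs:
        raise ValueError("an ASBR may not reside in a stub area; define an NSSA instead")
    out = [LSA(3, p, m, abr) for p, m in area_networks]
    if area_type == NORMAL:
        # Tell the rest of the domain which ABR reaches this area's ASBRs.
        out += [LSA(4, rid, "0.0.0.0", abr) for rid in area_asbrs]
    for l in area_lsdb:
        if l.lsa_type == 5:
            if area_type != NORMAL:
                raise ValueError("Type 5 inside a %s area: misconfigured or rogue ASBR" % area_type)
            out.append(l)
        elif l.lsa_type == 7:
            if area_type != NSSA:
                raise ValueError("Type 7 outside an NSSA")
            if l.p_bit and l.link_state_id != DEFAULT_ID:
                # The translated Type 5 names the ABR as advertising router, so no Type 4 is needed.
                out.append(LSA(5, l.link_state_id, l.netmask, abr))
    return out


def lsa_types(lsas):
    """Sorted set of LSA types present, for checking what an area's LSDB holds."""
    return sorted({l.lsa_type for l in lsas})
```

The ValueError branches are the configuration checks worth keeping: a Type 5 or an ASBR appearing inside an area configured as stub means either that the area type is inconsistent across its routers (so adjacencies will fail on the E-bit) or that a router has started redistributing where the design did not intend it.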

Module 2 summary

In this module, you learned:
• The basic operation of OSPF
• Why OSPF provides for more efficient routing than RIP, especially in
large-scale intranets
• The functions of the types of OSPF routers
• The role of different types of OSPF areas


Module 2 of IP Routing Foundations described the OSPF routing protocol,
including the OSPF router and area types. The module emphasized reasons why
OSPF is more efficient than RIP in large-scale intranets.

Learning check
Module 2

1. Name two types of OSPF networks.
a. ........................................................................................................................
b. ........................................................................................................................

2. Define the purposes of:
ABR: .................................................................................................................
ASBR: ...............................................................................................................

3. Describe the process by which OSPF routers form adjacencies.
............................................................................................................................
............................................................................................................................
............................................................................................................................

4. What types of OSPF LSAs are confined to a single area and how are they
used?
............................................................................................................................
............................................................................................................................
............................................................................................................................
............................................................................................................................

5. What techniques enable administrators to limit the size of OSPF link state
databases and enhance routing efficiency?
............................................................................................................................
............................................................................................................................
............................................................................................................................
............................................................................................................................

Default Gateway Redundancy Protocols
Module 3

Objectives
• Describe the benefits of providing redundant default gateway service for
clients
• List common characteristics of protocols that provide automatic default
gateway failover
• Describe the operation of the Virtual Router Redundancy Protocol (VRRP)

Redundant router interfaces

Multiple router interfaces are members of a group known
as a ‘virtual router’
At any given moment, one router interface is ‘master’
• The other will become master only if current master fails

Figure: Router A and Router B, both connected to the intranet and/or Internet, have interfaces that comprise a virtual router configured with a common virtual IP address, 10.1.10.1. Host 10.1.10.10/24 uses 10.1.10.1 as its default gateway.

All of the default gateway redundancy technologies discussed throughout this
module share the basic features shown above. This highly simplified example
illustrates the redundant router topology from the perspective of a single network.
In most configurations, two routers will be connected to exactly the same set of
networks. Although each router has a unique IP address, they will be configured to
share a common virtual IP address. This address will be used as the default
gateway for each network to which the routers provide redundant default gateway
service.

Redundant links: Physical view

• Redundant links enable a client’s connections with off-network hosts to
continue despite failure of a link along the primary path to its default gateway
• In this example, a router with five interfaces performs default gateway service
for hosts in five networks

Figure: Router1 forwards traffic among its connected VLANs through virtual interfaces ve 1 (VLAN 1, 10.x.1.1/24), ve 10 (VLAN 10, 10.x.10.1/24), ve 20 (VLAN 20, 10.x.20.1/24), ve 30 (VLAN 30, 10.x.30.1/24), and ve 40 (VLAN 40, 10.x.40.1/24). Link A (Router1 to Switch1) and Link B (Router1 to Switch2) carry VLAN 1 untagged and VLANs 10, 20, 30, and 40 tagged; Link C between Switch1 and Switch2 carries the same VLANs. Switch1 serves hosts in 10.1.10.0/24 (DG 10.1.10.1) and 10.1.30.0/24 (DG 10.1.30.1); Switch2 serves hosts in 10.1.20.0/24 (DG 10.1.20.1) and 10.1.40.0/24 (DG 10.1.40.1).

Many contemporary networks employ Spanning Tree Protocol to ensure that the
failure of a single switch-to-switch link will not disrupt connectivity. For instance,
in the topology shown above, hosts in all four user VLANs—10, 20, 30, and 40—
have two paths to the router that is their default gateway.
Router1 is the sole connecting point for all of the VLANs/networks. Because the
router is also the root of the Spanning Tree, Link C (between Switch1 and
Switch2) will only be used if either Link A or Link B should fail. The primary path
for off-network communication from all hosts in networks 10.1.10.0 and 10.1.30.0
is through Switch1 and Link A. The primary path for hosts in networks 10.1.20.0
and 10.1.40.0 is through Switch2 and Link B.
If Link A should fail, off-network traffic generated by hosts in networks 10.1.10.0
and 10.1.30.0 will be carried by Link C and Link B. Both links are tagged
members of the VLANs associated with these networks (VLANs 10 and 30), and
this allows the off-network traffic to take an alternate path to the default gateway.
Since all three of the links (A, B, and C) are members of all five VLANs, the
failure of any one of the links would not prevent hosts from reaching their default
gateway.

Redundant links: Logical view

Figure: Router1’s IP route table and the logical topology.

Destination   | Gateway | Port | Cost
------------- | ------- | ---- | ----
10.1.1.0/24   | 0.0.0.0 | v1   | 1
10.1.10.0/24  | 0.0.0.0 | v10  | 1
10.1.20.0/24  | 0.0.0.0 | v20  | 1
10.1.30.0/24  | 0.0.0.0 | v30  | 1
10.1.40.0/24  | 0.0.0.0 | v40  | 1

Networks 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24, and 10.1.40.0/24 each use the router’s .1 address as default gateway (10.1.10.1, 10.1.20.1, 10.1.30.1, and 10.1.40.1). Network 10.1.1.0/24 is the management network: Switch1 (10.1.1.25/24) and Switch2 (10.1.1.26/24) use DG 10.1.1.1. The Layer 2 edge switches provide physical connections within each network but are hosts only on 10.1.1.0, not on 10.1.10.0, 10.1.20.0, 10.1.30.0, or 10.1.40.0.

This diagram provides a logical view of the network topology shown on the
previous page. After Spanning Tree blocks the link between Switch1 and Switch2,
there is a single active path between each host and its default gateway, Router1. If
a physical link fails, the physical path to the default gateway might change.
However, the logical view would remain the same.
The switches shown in the logical diagram provide the physical connections within
each network. However, they are not hosts on any network other than the
management network, 10.1.1.0/24.

Impact of device failure


Failure of the router:
• All hosts that use this router as a default
gateway would be cut off from resources in
other networks
• Impact has wider scope
• Potentially expensive solution – replace router
components, possibly restore configuration

Failure of one Layer 2 edge switch:
• Hosts connected to that switch would be cut off from the network
• Highly localized impact with relatively inexpensive solution – replace switch,
restore configuration
Figure: the same logical topology as the previous page (networks 10.1.10.0/24 through 10.1.40.0/24 behind Router1, each using the router’s .1 address as DG; Switch1 10.1.1.25/24 and Switch2 10.1.1.26/24 on 10.1.1.0/24 with DG 10.1.1.1).

The redundant link between Switch1 and Switch2 ensures that this topology is
tolerant of link failure. However, in order to design a truly fault-tolerant
infrastructure, a network designer must consider the possibility that a component,
such as a switch or router, can fail. The topology above does not meet this
requirement.

Edge switch failure
In many cases, little can be done to prepare for the failure of an edge switch.
Network hosts typically are connected to only one switch, which makes it
impossible to provide redundant wired links. If, however, network administrators
are using a management and monitoring application, they can react quickly to a
switch failure by replacing the switch or by providing an alternate connection to
affected users. For instance, if client computers have wireless adapters and the
network offers a wireless infrastructure, the clients can activate their wireless
adapters and connect through a wireless access point. The users can return to their
wired Ethernet connections after the failed switch is replaced.

Router failure
The failure of a router has far wider consequences than the failure of an edge
switch. If a router fails, hosts may continue to have connectivity with other hosts
in their own network, but they will not be able to access resources on other
networks. In contemporary enterprises, this is not acceptable because direct peer-
to-peer communication without an intervening server or other device is not
common.



IP Routing Foundations

Furthermore, routers and routing switches in a production network are likely to
support far more networks and clients than are shown in this example. In addition
to providing access to resources within an organization, the router is the first point
of contact in establishing and maintaining connections with the global Internet.
Consequently, network designers must make allowances for router failures.


Providing a second router

• If you provide a second router, you might use a DHCP scope that includes both
default gateway addresses
• If Router1 fails, clients can obtain a new DHCP lease that specifies Router2’s IP
address as default gateway

[Slide diagram: Router1 interfaces 10.1.1.1/24, 10.1.10.1/24, 10.1.20.1/24, 10.1.30.1/24,
10.1.40.1/24; Router2 interfaces 10.1.1.2/24, 10.1.10.2/24, 10.1.20.2/24, 10.1.30.2/24,
10.1.40.2/24; networks 10.1.10.0/24, 10.1.20.0/24, 10.1.30.0/24 and 10.1.40.0/24 with all
hosts’ DG 10.1.10.1, 10.1.20.1, 10.1.30.1 and 10.1.40.1 respectively; management network
10.1.1.0/24 with Switch1 10.1.1.25/24 and Switch2 10.1.1.26/24, both DG 10.1.1.1]


It is tempting to believe you can overcome router failure by simply installing a
second router that provides access to the same resources as the first. However, this
solution is not adequate because the second router must have a different IP address
than the first. Consequently, if the first router fails, all connected hosts must
change their default gateway settings to the address of the second router.
Although most IP stacks enable you to define a second default gateway address, most
do not automatically fail over to the second gateway without special configuration.
In the example above, to enable Router2 to perform the function of Router1,
administrators must change the default gateway settings for all connected hosts.
Obviously, the manual reconfiguration of every host is impractical for a network
of any size. Alternately, administrators could reconfigure the network’s DHCP
scope and require users to obtain a new DHCP lease with the new gateway.
However, this solution is also impractical, for reasons that will be discussed on
subsequent pages.


Why failover is not automatic (1)
• Interfaces on Router1 provide default gateway service for hosts on both
networks
• Layer 2 header destination address of all off-network traffic is that of Router1

[Slide diagram: Router1 interfaces 10.1.20.1/24, 10.1.40.1/24, …; Router2 interfaces
10.1.20.2/24, 10.1.40.2/24, …; Host20 10.1.20.20/24 (DG 10.1.20.1); Host40 10.1.40.40/24
(DG 10.1.40.1). Frame sent by Host40: Layer 2 header Dest. Router1 MAC, Source Host40 MAC;
Layer 3 header Source 10.1.40.40, Dest 10.1.20.20. Frame delivered to Host20 by Router1:
Layer 2 header Dest. Host20 MAC, Source Router1 MAC; Layer 3 header unchanged.]


Although it is possible to use DHCP leases to change the default gateway settings
for all network hosts, this solution will not provide automatic failover.
Suppose, for instance, that a host with the IP address 10.1.40.40/24 has an ongoing
session with the host 10.1.20.20/24. The client directs its off-network traffic to its
default gateway by inserting the MAC address of the local router interface into the
Layer 2 header.
If the router providing default gateway service becomes unavailable, the session
will terminate after a few retries and a given timeout period.


Why failover is not automatic (2)
• Despite the failure of Router1, the host continues to send off-network traffic to
Router1’s MAC address
• Host will not send traffic to Router2’s MAC address unless its IP stack
configuration is changed to specify a default gateway address on Router2

[Slide diagram: Router1 failed; Router2 interfaces 10.1.20.2/24, 10.1.40.2/24, …; Host20
10.1.20.20/24 (DG 10.1.20.1); Host40 10.1.40.40/24 (DG 10.1.40.1). Frame still sent by
Host40: Layer 2 header Dest. Router1 MAC, Source Host40 MAC; Layer 3 header Source
10.1.40.40, Dest 10.1.20.20.]


In this example, the failure of Router1 has disrupted Host40’s session with
resources in address ranges outside of its own. Unless the client has a special
default gateway failover configuration, the client will continue to send packets
with the default gateway’s MAC address until the session times out and eventually
terminates altogether.
If the user tries to re-establish the connection with the off-network resource, the
new session also will fail because the computer’s IP stack configuration still lists
its primary default gateway as 10.1.40.1. The entry in the ARP cache associated
with that IP address is the MAC address of the VLAN 40 interface on Router1,
which is now down.
The IP stack will never fail over to the second default gateway, even if the user
doesn’t start a new session until Router1’s MAC address has aged out of the PC’s
ARP cache. The only way to cause the IP host to use the second router interface
(for example, 10.1.40.2) as its default gateway is to modify the IP stack and
remove 10.1.40.1 from the default gateway configuration, leaving 10.1.40.2 as the
configured default gateway.


Why failover is not automatic (3)
After you change the default gateway on all hosts to a local interface on
Router2, each host:
• Uses ARP to obtain the MAC address for Router2
• Sends off-network traffic to Router2’s MAC address

[Slide diagram: Router1 failed (x); Router2 interfaces 10.1.20.2/24, 10.1.40.2/24, …; Host20
10.1.20.20/24 (DG 10.1.20.2); Host40 10.1.40.40/24 (DG 10.1.40.2). Frame sent by Host40:
Layer 2 header Dest. Router2 MAC, Source Host40 MAC; Layer 3 header Source 10.1.40.40, Dest
10.1.20.20. Frame at Host20: Layer 2 header Dest. Host20 MAC, Source Router2 MAC; Layer 3
header Source 10.1.20.20, Dest 10.1.40.40.]


After Host40 is configured to use Router2 as its primary default gateway, the IP
host process sends an ARP request to learn the MAC address of the device that is
using the IP address 10.1.40.2. Subsequent off-network traffic contains the MAC
address associated with 10.1.40.2. The user now can establish a new connection
with the resource they were using before Router1 failed and hope to pick up the
session where they left off.
This solution presents two problems:
1. Very few end users will go to this much effort to remain in contact with
crucial resources. If the hosts are using DHCP, you could simplify their
involvement by clearing all of the active leases for the network and forcing
each host to obtain a new lease. However, this will require significant
administrative and traffic overhead, especially if the failed router was
performing default gateway service for dozens of networks.
2. Many sessions are not tolerant of lost connections. If users were performing
transaction-oriented procedures, they may not be able to return easily to the
location they were accessing when the link or device failure occurred.


Automatic failover for default gateway
Automatic failover can be provided using several different
standard and proprietary methods
• Virtual Router Redundancy Protocol: IETF RFC 2338
• VRRP Extended: Proprietary method available on 9300m series
routing switch
• XRRP: Proprietary method available on 5300xl and 3400cl series
switches
• Other vendor-specific implementations
Common goals for default gateway redundancy methods:
• Enable continuity for off-network communication despite the failure of
the primary default gateway
• Provide for automatic failover from primary to backup default gateway
within typical session timeout intervals


All strategies for providing redundant default gateway service have the same goal:
To provide seamless failover that ensures uninterrupted communication with
remote hosts despite the failure of the primary default gateway. Automatic failover
typically occurs within timeout intervals for TCP communication, enabling a client
to continue its open sessions through a backup default gateway if the primary
gateway fails.
Obviously, any two routers with interfaces on the same network are not necessarily
candidates for default gateway redundancy. If each router leads to different parts
of the network—for example, one leads toward the core and another leads away
from the core—only one will be a suitable default gateway candidate. In general, a
hierarchical design that interconnects networks is considered superior to one that
has multiple layers of router hops.


Common characteristics and operations
• Assign a common ID to members of a redundancy group
• Apply priorities to determine which router is preferable as primary or
“Master” default gateway for hosts
• Require Master to continually announce its availability, enabling
backup routers to automatically detect its failure
• Assign “virtual” IP address to routers in redundancy group
– Actual IP address of each router interface on the network is unique
– Common virtual IP address is assigned to all router interfaces in the
redundancy group
• Resolve virtual IP address to a virtual MAC address
– Current Master forwards traffic sent to the virtual MAC address
– Backup routers ignore traffic sent to the virtual MAC address


Vendors and standards groups have devised many protocols and implementations
for default gateway redundancy. However, although their terminology,
configuration, and monitoring procedures might differ, all of the default gateway
redundancy techniques perform the same procedures and operations.
First, all default gateway redundancy implementations define a method for
distinguishing router interfaces that are members of the same default gateway
redundancy group. A common value is assigned to all router interfaces on a
network that can provide default gateway service for the network’s hosts.
Some default gateway redundancy protocols enable you to define a redundancy
group consisting of exactly two routers—a primary and a backup. Other protocols
enable you to define more than two. All the routers in the same redundancy group
must be equally capable of providing default gateway service for hosts on the
network.
In most network topologies, one router is a more qualified candidate for “Master”
status. Typically, you will configure that router as the primary default gateway.
The Master router forwards traffic under normal circumstances, when all links and
routers are available. All default gateway redundancy methods enable you to
prioritize the routers so that you can determine which router will be Master and
which will be the first choice for its backup in the event the Master fails.
Immediate detection in the event of the Master router’s failure is crucial to
automatic failover. All default gateway redundancy protocols provide some means
for the Master to periodically announce its availability. Backup routers listen for
these messages and will assert themselves as Master in the event of the Master’s
failure. Priority settings are used to select the current Master.
Every host on an IP network, including routers, must have a unique IP address. To
enable a group of routers to provide equivalent default gateway service, a common
virtual IP address is assigned to the routers in the redundancy group. The virtual IP
address is defined as the default gateway in the hosts’ IP stack configuration.
Finally, all default gateway redundancy protocols use a virtual MAC address. This
address appears in the ARP cache of each IP host on the network associated with
the virtual default gateway IP address. The current Master router on a given
network forwards traffic sent to the virtual MAC address. When a backup router
transitions to Master, it immediately begins forwarding traffic that has the virtual
MAC address in the destination field of the Layer 2 header.


Virtual Router Redundancy Protocol
• Described in RFC 2338 and updated in RFC 3768
• VRRP offers a method for defining a “virtual router,” a group of
redundant router interfaces on a network
• A router that implements VRRP may support multiple virtual routers,
each of which is identified by an integer between 1 and 255
• The Master of the group periodically advertises its availability
– The Backup router asserts itself as Master if it stops hearing
the periodic advertisement


The Virtual Router Redundancy Protocol (VRRP) is a common default gateway
redundancy protocol defined as a standard in RFC 2338 and updated in RFC 3768.
Like all default gateway redundancy protocols, VRRP enables administrators to
define a “virtual router,” which is a group of redundant routers on a network. Each
VRRP router can participate in multiple VRRP groups, which are identified by
integers between 1 and 255.
VRRP relies upon the definition of Master and Backup routers. The Master of each
group acts as the default gateway for network hosts and periodically advertises its
availability. Backup routers assume forwarding duties if they stop receiving
advertisements from the Master.


Virtual routers in VRRP

Group of redundant router interfaces on the same network is
known as a “virtual router”
All have the following items in common:
• Identified by a numeric integer between 1 and 255 known as “Virtual
Router ID” (VRID)
• Configured with a “Virtual IP address” that matches the IP stack
default gateway of hosts on the network


VRRP identifies a group of routers that can provide equivalent default gateway
service to hosts on a given network as a “virtual router.” While VRRP allows you
to define more than two members of a redundancy group, two routers are sufficient
for most networks.
A “VRRP router” is defined as any router that implements the VRRP protocol and
supports at least one virtual router. Typically, a VRRP router participates in more
than one virtual router.
VRRP routers whose interfaces will serve as members of the same virtual router
must agree on its identifier, often called a “Virtual Router ID” (VRID). The routers
in the group must also be configured with a virtual IP address that hosts on the
network will use as their default gateway.


VRRP: Actual and virtual IP addresses
• If the actual IP address assigned to one of the routers matches the virtual IP
address, that router is the “Owner” of the address
• The Owner will be the VRRP Master if it is available on the network
• Another router can become the Master only if the Owner is not available

[Slide diagram: Host20 10.1.20.20/24 (DG 10.1.20.1); Host40 10.1.40.40/24 (DG 10.1.40.1).
Router1: VRID 1 Master (Owner), actual IP 10.1.20.1/24, virtual IP 10.1.20.1; VRID 2 Master
(Owner), actual IP 10.1.40.1/24, virtual IP 10.1.40.1. Router2: VRID 1 Backup, actual IP
10.1.20.2/24, virtual IP 10.1.20.1; VRID 2 Backup, actual IP 10.1.40.2/24, virtual IP
10.1.40.1.]


Because every host on an IP network must have a unique IP address, the router
interfaces that make up the virtual router can’t be configured with the same
address.
However, you can configure one of the routers to have the same actual IP address
as the virtual IP address associated with the VRID. In this configuration, the router
whose actual IP address matches the virtual IP address is considered the IP address
“Owner.” The Owner of the IP address is assigned a priority value of 255, which is
the highest possible value. If the Owner is present on the network, it will be the
Master router; all other routers will be Backup.
The highest priority that can be assigned to a non-owner—that is, a router whose
IP address is not the same as the virtual IP address—is 254. The VRRP standard
specifies that the default priority for a backup is 100. If you have only two routers
in the VR redundancy group, you can assign the default priority to the router that
is not the IP address owner. However, if the network has one Master and two or
more Backups, you must assign different priorities to the backups.


VRRP: Master and Backup states
Master
• Forwards off-network traffic for hosts that use the virtual IP address as their
default gateway
Backup
• Does not forward traffic sent to the virtual IP address
• Is not in an idle state for general IP communication
– Can send and receive traffic through its interface on the network

[Slide diagram: Host20 10.1.20.20/24 (DG 10.1.20.1); Host40 10.1.40.40/24 (DG 10.1.40.1).
Router1 is Master router and Router2 is Backup router for Virtual Router ID 1 (virtual IP
10.1.20.1) and for Virtual Router ID 2 (virtual IP 10.1.40.1).]


In this example, Router1 and Router2 have been configured with two common
VRIDs and virtual IP addresses and are members of two virtual routers. One virtual
router is VRID 1, with the virtual IP address 10.1.20.1. The other virtual router is
VRID 2, with the virtual IP address 10.1.40.1.
In this configuration, Router1 is the Master router for both VRIDs. Router2 acts as
Backup. As described earlier, the Master router forwards all off-network traffic
sent to the virtual IP addresses for either VRID. The Backup takes over this
forwarding duty only if the Master router becomes unavailable.
Although Router2 is not the Master of either virtual router, it can send and receive
traffic through its interfaces on both networks. If hosts on the network
10.1.40.0/24 were configured with 10.1.40.2 as their default gateway, Router2
would forward their off-network traffic.
Each router’s role as Master or Backup is determined by a priority value associated
with the VRID/Virtual IP address.


VRRP: Virtual MAC address

• Clients send off-network traffic to default gateway’s MAC address
• IP address associated with virtual router resolves to a virtual MAC address

00-00-5e-00-01-01
(First 5 octets defined in VRRP standard; last octet is VRID)

• Virtual MAC address ensures continuity of clients’ sessions with off-network
resources despite failure of Master


A client forwards all off-network traffic to its default gateway defined by the IP
address in its IP stack configuration. In a network protected by VRRP, the virtual
IP address should be the one configured as the clients’ default gateway. Often, this
address is the configured IP address of the VRRP Master router.
Because the clients use a virtual IP address for their default gateway, the MAC
address associated with the IP address must also be virtual.


VRRP Master broadcasts “gratuitous ARP”
• When a VRRP router transitions to the Master role, it broadcasts a
gratuitous ARP message onto each network that contains:
– The virtual IP address
– The virtual MAC address
• All local hosts receive the message, and
– Create an ARP cache entry associating the virtual MAC address with their
default gateway
– Send all off-network traffic to the virtual MAC address


To enable a client’s existing sessions to continue despite the failure of the Master,
hosts must be sending off-network traffic to the virtual MAC address instead of the
physical MAC address. To ensure that clients will correctly resolve their (virtual)
default gateway’s MAC address, the VRRP Master broadcasts a gratuitous ARP
message to all local hosts. Each host that receives the message creates an ARP
cache entry and subsequently sends off-network traffic to the virtual MAC
address.


Master accepts traffic sent to virtual MAC address
• Hosts on a VRRP-protected network learn the virtual MAC address through
gratuitous ARP request sent by the Master
• Master accepts traffic sent to the virtual MAC address; Backup does not

[Slide diagram: Router1: VRID 1 Master (Owner), actual 10.1.20.1/24, virtual 10.1.20.1;
VRID 2 Master (Owner), actual 10.1.40.1/24, virtual 10.1.40.1. Router2: VRID 1 Backup,
actual 10.1.20.2/24, virtual 10.1.20.1; VRID 2 Backup, actual 10.1.40.2/24, virtual
10.1.40.1. Host20 10.1.20.20/24 (DG 10.1.20.1); Host40 10.1.40.40/24 (DG 10.1.40.1).
Frame sent by Host40: Layer 2 header Dest. 00-00-5e-00-01-02, Source Host40 MAC; Layer 3
header Source 10.1.40.40, Dest 10.1.20.20. Frame delivered to Host20 by Router1: Layer 2
header Dest. Host20 MAC, Source Router1 MAC; same Layer 3 header.]


In this example, the IP host 10.1.40.40 has an ongoing session with a host in
another network. It sends the traffic to the virtual MAC address associated with the
virtual IP address of VRID 2.


Virtual MAC address enables automatic failover
• If the Owner/Master fails, the Backup begins forwarding traffic addressed to
the VRID 2 virtual MAC address
• Host40 does not require any configuration changes or restarted sessions,
unaware that a different router is forwarding its off-network traffic

[Slide diagram: Router1 failed (x). Router2: VRID 1 Master, actual 10.1.20.2/24, virtual
10.1.20.1; VRID 2 Master, actual 10.1.40.2/24, virtual 10.1.40.1. Host20 10.1.20.20/24
(DG 10.1.20.1); Host40 10.1.40.40/24 (DG 10.1.40.1). Frame sent by Host40: Layer 2 header
Dest. 00-00-5e-00-01-02, Source Host40 MAC; Layer 3 header Source 10.1.40.40, Dest
10.1.20.20. Frame delivered to Host20 by Router2: Layer 2 header Dest. Host20 MAC, Source
Router2 MAC; same Layer 3 header.]


When the Master for the network 10.1.40.0/24 fails, Router2 transitions to the
Master state and begins forwarding traffic for the networks associated with
VRID 1 and VRID 2.
VRRP uses an advertisement that contains information about a virtual router,
including the VRID and the virtual IP address associated with the virtual router.
Because each advertisement contains information about one virtual router
interface, a router that is Master of multiple VRIDs will generate a separate
advertisement for each virtual router and send it through its interface to the
network associated with the VRID.


VRRP advertisements

• Master periodically advertises its availability to Backup routers
• Default advertisement interval of one second enables very fast recovery
from failure of Master
• If a router is the Master for multiple virtual routers, it generates one
advertisement every second for each VRID

[Slide diagram: Router1 is Master and Router2 is Backup for VRID 1 (10.1.20.1) and VRID 2
(10.1.40.1); Host20 10.1.20.20/24 (DG 10.1.20.1); Host40 10.1.40.40/24 (DG 10.1.40.1).]


Because one router interface is configured or elected as the Master for each VRID,
the Backup needs a reliable, automated mechanism for determining that the Master
is still alive and forwarding traffic.
VRRP uses an advertisement that contains information about the virtual router,
including the VRID and the virtual IP address associated with the virtual router.
Because each advertisement contains information about one VRID, a router that is
Master of multiple VRIDs will generate a separate advertisement for each VRID.
The Backup router retains its state for as long as it continues to receive the
advertisements within the expected interval. A very short advertisement interval
(one second at default settings) enables the Backup to quickly recognize when a
Master goes down. However, the Backup doesn’t assume the primary router
interface is down after missing just one message. Rather, it has a “dead interval”
that is based on the advertisement interval.
VRRP advertisements are sent to IP multicast address 224.0.0.18. However, the
advertisements are not processed by hosts other than VRRP routers.
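The “dead interval” described above, worked through as an added example (this is not code from the student guide): Router2 as Backup for VRID 2 at the default priority of 100, with the timer rules taken from RFC 3768 (Master_Down_Interval = 3 × Advertisement_Interval + Skew_Time, Skew_Time = (256 − Priority)/256), which the page itself does not spell out. The Owner priority of 255 and the one-second interval are the page’s own values.

```python
"""Backup-side VRRP failover timing for the two-router topology on this page.
Added example; not part of the student guide.  Timer rules come from
RFC 3768 section 6.1; the page names only the one-second default interval
and a 'dead interval' derived from it."""
from dataclasses import dataclass
from typing import Optional

OWNER_PRIORITY = 255          # IP address Owner: always Master when present (page)
DEFAULT_BACKUP_PRIORITY = 100  # VRRP default for a non-owner (page)
ADVER_INT_DEFAULT = 1.0       # seconds; default advertisement interval (page)


def skew_time(priority: int) -> float:
    """Skew_Time = (256 - Priority) / 256.  A higher-priority Backup therefore
    times out sooner and wins a contested takeover (RFC 3768)."""
    return (256 - priority) / 256.0


def master_down_interval(priority: int, adver_int: float = ADVER_INT_DEFAULT) -> float:
    """The 'dead interval': three missed advertisements plus the skew time, so a
    single lost advertisement does not trigger failover (RFC 3768)."""
    return 3 * adver_int + skew_time(priority)


@dataclass
class VrrpBackup:
    """One virtual router (VRID) on a Backup router; all times in seconds."""
    vrid: int
    priority: int
    adver_int: float = ADVER_INT_DEFAULT
    state: str = "Backup"
    master_down_at: Optional[float] = None   # absolute time the dead interval expires

    def start(self, now: float) -> None:
        self.state = "Backup"
        self.master_down_at = now + master_down_interval(self.priority, self.adver_int)

    def on_advertisement(self, now: float, vrid: int, master_priority: int) -> str:
        """Process an advertisement received on 224.0.0.18 for any VRID."""
        if vrid != self.vrid:
            return self.state                 # belongs to another virtual router
        if self.state == "Backup":
            if master_priority == 0:
                # Priority 0 means the Master is releasing the VRID: take over
                # after only the skew time instead of the full dead interval.
                self.master_down_at = now + skew_time(self.priority)
            elif master_priority >= self.priority:
                # Healthy Master with equal or better priority: restart the timer.
                self.master_down_at = now + master_down_interval(self.priority, self.adver_int)
            # else: a lower-priority Master is advertising; with preemption on
            # (the RFC default) we let the timer run out and take over.
        elif self.state == "Master" and master_priority > self.priority:
            # A better candidate (e.g. the returning Owner) is back: step down.
            # (RFC 3768 also breaks equal-priority ties on source IP; omitted here.)
            self.start(now)
        return self.state

    def tick(self, now: float) -> str:
        """Called periodically; promotes to Master once the dead interval expires."""
        if (self.state == "Backup" and self.master_down_at is not None
                and now >= self.master_down_at):
            self.state = "Master"
            self.master_down_at = None
        return self.state


def simulate_owner_failure(backup_priority: int = DEFAULT_BACKUP_PRIORITY,
                           adver_int: float = ADVER_INT_DEFAULT,
                           last_advertisement: float = 2.0) -> float:
    """Constructed scenario: Router1 (Owner, priority 255) advertises VRID 2 every
    adver_int seconds and dies right after `last_advertisement`.  Returns the
    time at which Router2 becomes Master for VRID 2."""
    router2 = VrrpBackup(vrid=2, priority=backup_priority, adver_int=adver_int)
    router2.start(0.0)
    t = 0.0
    while t <= last_advertisement:
        router2.on_advertisement(t, vrid=2, master_priority=OWNER_PRIORITY)
        t += adver_int
    failover_at = router2.master_down_at
    router2.tick(failover_at)
    assert router2.state == "Master"
    return failover_at


if __name__ == "__main__":
    t_failover = simulate_owner_failure()
    print(f"Router2 takes over VRID 2 at t={t_failover:.3f}s (last advertisement at t=2.0s)")
    # Why two Backups need different priorities: the higher one times out first.
    for prio in (200, 100):
        print(f"priority {prio}: dead interval {master_down_interval(prio):.5f}s")
```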


VRRP advertisement packet format


This is an example of a VRRP advertisement. Note that the source MAC address is
the virtual MAC address for VRID 40 (28 hex). The source address field in the IP
datagram header contains the actual IP address of the router that is sending the
advertisement, which need not be the same as the virtual IP address although it is
the same in this example because the address Owner is the Master.
The destination address in the IP datagram header is the multicast group reserved
for VRRP. Because 224.0.0.18 is a locally scoped IP multicast address, it can only
be forwarded over the network that is local to the interface over which the router
sent the advertisement.
A VRRP advertisement is encapsulated directly into an IP datagram using the
protocol 112 (70 hex). It does not use TCP or UDP.
The advertisement is VRRP packet type 1. There are no other standardized VRRP
packet types. However, some vendor-specific implementations may use other
packet types that can be interpreted only by routers from the same vendor. The
advertisement contains the VRID, this VRRP router’s configured priority, and the
IP address associated with this VRID.
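The advertisement format described on this page, as an added encoder/decoder example (not code from the student guide). The field layout and the 16-bit one’s-complement checksum follow RFC 3768 section 5; the values used (protocol 112, 224.0.0.18, VRID 2 with 10.1.40.1, VRID 40 giving a last octet of 28 hex) are the page’s own, and the parser discards anything a VRRP router must not accept (wrong version or type, short packet, bad checksum).

```python
"""Encoder/decoder for the VRRP version 2 advertisement (RFC 3768 section 5).
Added example; not code from the student guide."""
import socket
import struct
from typing import List, NamedTuple

VRRP_IP_PROTOCOL = 112               # 0x70: carried directly in IP, not TCP/UDP (page)
VRRP_MULTICAST_GROUP = "224.0.0.18"  # link-local scope, never forwarded off-link (page)
VRRP_VERSION = 2
VRRP_TYPE_ADVERTISEMENT = 1          # the only standardised packet type (page)
HEADER_FMT = "!BBBBBBH"              # ver/type, VRID, priority, count, auth type, adver int, checksum
AUTH_DATA_LEN = 8                    # authentication data field, all zero in RFC 3768


def virtual_mac(vrid: int) -> str:
    """00-00-5e-00-01-xx: first five octets fixed by the standard, last octet = VRID."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be between 1 and 255")
    return f"00-00-5e-00-01-{vrid:02x}"


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum over the whole VRRP message (checksum field zeroed on send)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class Advertisement(NamedTuple):
    vrid: int
    priority: int          # 255 = IP address Owner, 1..254 = Backup, 0 = releasing the VRID
    adver_int: int         # seconds between advertisements
    addresses: List[str]   # virtual IP address(es) associated with this VRID


def build_advertisement(adv: Advertisement) -> bytes:
    """Serialise an advertisement exactly as the Master sends it to 224.0.0.18."""
    if not 1 <= adv.vrid <= 255 or not 0 <= adv.priority <= 255 or not adv.addresses:
        raise ValueError("invalid VRID, priority or address list")
    header = struct.pack(HEADER_FMT,
                         (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT,
                         adv.vrid, adv.priority, len(adv.addresses),
                         0, adv.adver_int, 0)                  # auth type 0, checksum 0
    body = b"".join(socket.inet_aton(a) for a in adv.addresses)
    message = header + body + bytes(AUTH_DATA_LEN)
    checksum = ones_complement_checksum(message)
    return message[:6] + struct.pack("!H", checksum) + message[8:]


def parse_advertisement(packet: bytes) -> Advertisement:
    """Decode and validate a received advertisement; raises ValueError on anything
    a VRRP router must discard (bad version/type, short packet, bad checksum)."""
    if len(packet) < struct.calcsize(HEADER_FMT) + AUTH_DATA_LEN:
        raise ValueError("packet too short for a VRRP header")
    ver_type, vrid, priority, count, _auth_type, adver_int, _ = struct.unpack(
        HEADER_FMT, packet[:8])
    if ver_type >> 4 != VRRP_VERSION:
        raise ValueError(f"unsupported VRRP version {ver_type >> 4}")
    if ver_type & 0x0F != VRRP_TYPE_ADVERTISEMENT:
        raise ValueError(f"unknown VRRP packet type {ver_type & 0x0F}")
    expected = 8 + 4 * count + AUTH_DATA_LEN
    if len(packet) < expected:
        raise ValueError("packet shorter than its Count IP Addrs field implies")
    # Summing the message with the checksum in place must give zero.
    if ones_complement_checksum(packet[:expected]) != 0:
        raise ValueError("checksum mismatch")
    addresses = [socket.inet_ntoa(packet[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return Advertisement(vrid, priority, adver_int, addresses)


def is_valid_advertisement(packet: bytes) -> bool:
    """True if a receiving VRRP router would accept the packet."""
    try:
        parse_advertisement(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: Router1 (Owner, priority 255) advertising VRID 2 / 10.1.40.1.
    adv = Advertisement(vrid=2, priority=255, adver_int=1, addresses=["10.1.40.1"])
    wire = build_advertisement(adv)
    print("virtual MAC for VRID 2:", virtual_mac(2))      # 00-00-5e-00-01-02
    print("virtual MAC for VRID 40:", virtual_mac(40))    # 00-00-5e-00-01-28
    print("on the wire:", wire.hex())
    print("decoded:", parse_advertisement(wire))
```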


VRRP support for load sharing

• VRRP enables you to define multiple VRIDs on each network to share default
gateway responsibility
• Each router can be the Master for one VRID and Backup for the other

[Slide diagram: Router1 interface 10.1.10.1/24 with VRID 11: 10.1.10.1 (Master) and VRID 12:
10.1.10.2 (Backup), and interface 10.1.20.1/24 with VRID 21: 10.1.20.1 (Master) and VRID 22:
10.1.20.2 (Backup). Router2 interface 10.1.10.2/24 with VRID 11: 10.1.10.1 (Backup) and
VRID 12: 10.1.10.2 (Master), and interface 10.1.20.2/24 with VRID 21: 10.1.20.1 (Backup) and
VRID 22: 10.1.20.2 (Master). On 10.1.10.0/24 some hosts use 10.1.10.1 as DG and others
10.1.10.2; on 10.1.20.0/24 some hosts use 10.1.20.1 as DG and others 10.1.20.2.]


To enable efficient use of routers, VRRP supports load sharing by allowing you to
define more than one VRID in a single network.
In the example above, four VRIDs—11, 12, 21, and 22—have been defined: 11 and 12 on
network 10.1.10.0/24, 21 and 22 on network 10.1.20.0/24. Router1 is Master for VRID 11 and VRID 21, while
Router2 is Master for VRID 12 and VRID 22. Each router is Backup for the
VRIDs for which it is not Master.
Because each router is the backup of the other, if either router fails, the remaining
router will provide default gateway service to all four VRIDs.
Notice that default gateway duties on each network are divided between the two
routers. For instance, half of the hosts on network 10.1.10.0/24 use the virtual IP
address associated with VRID 11 as their default gateway, and half of the hosts on
the same network use the virtual IP address associated with VRID 12. Similarly,
the hosts on network 10.1.20.0/24 are divided between the virtual IP addresses
associated with VRID 21 and VRID 22.
While this load-sharing method seems efficient, most hosts in production networks
use DHCP to obtain an address and default gateway. Using different DHCP scopes
for hosts in the same network can be challenging.
When multiple VLANs are carried over a set of physical links, you divide the
hosts along VLAN boundaries. Configure some VLANs to use one router as
Master and other VLANs to use a different router as Master.


Considering link failure vs. device failure
VRRP provides reliable protection against router failure
Link failure can lead to mixed interface states and result in sub-optimal
routing

[Slide diagram: Router2 (backup) interfaces 10.1.10.2/24 (B), 10.1.20.2/24 (B), 10.1.30.2/24
(M); Router1 (owner) interfaces 10.1.10.1/24 (M), 10.1.20.1/24 (M), 10.1.30.1/24 (x, link to
10.1.30.0/24 lost); hosts on networks 10.1.10.0/24, 10.1.20.0/24 and 10.1.30.0/24.]


This example includes two routers, one of which is the owner of the IP addresses
associated with the VRIDs on three networks. The owner/master (Router1) loses
its connection to network 10.1.30.0/24. Router2 stops hearing advertisements from
Router1. After a few seconds, Router2 starts sending VRRP advertisements,
announcing itself as the Master of the VRID associated with network 10.1.30.0.
Router2 begins forwarding off-network traffic on behalf of hosts on that network.


Mixed virtual router states (1)

Router2:
• Becomes Master for VRID associated with network 10.1.30.0/24
• Can forward traffic onto networks 10.1.10.0 and 10.1.20.0 regardless of its
Backup state
IP route table
Network/mask cost next hop
10.1.10.0/24 0 local
10.1.20.0/24 0 local
10.1.30.0/24 0 local

[Slide diagram: Router2 interfaces on 10.1.10.0/24 (B), 10.1.20.0/24 (B) and 10.1.30.0/24
(M); Router1 interfaces on 10.1.10.0/24 (M), 10.1.20.0/24 (M) and 10.1.30.0/24 (x, link
lost). Host 10.1.10.10/24 on network 10.1.10.0/24. Layer 3 header of the packet Router2
forwards: Source 10.1.30.30, Dest 10.1.10.10.]

Although Router2’s interfaces on networks 10.1.10.0/24 and 10.1.20.0/24 are in
the VRRP Backup state, the router can use those interfaces to deliver traffic that
originates within network 10.1.30.0 and is destined for hosts in networks 10.1.10.0
and 10.1.20.0. Router2’s Backup state for networks 10.1.10.0 and 10.1.20.0 means
only that Router2 will not forward traffic from those networks that is addressed to
either virtual IP address.


Mixed virtual router states (2)

Router1:
• Remains Master for VRIDs associated with networks 10.1.10.0 and 10.1.20.0
• Has no local path to network 10.1.30.0, will drop traffic for that network unless
configured to use a Router2 interface as next hop

[Slide diagram: Router2 interfaces on 10.1.10.0/24 (B), 10.1.20.0/24 (B) and 10.1.30.0/24
(M); Router1 interfaces on 10.1.10.0/24 (M), 10.1.20.0/24 (M) and 10.1.30.0/24 (x, link
lost). Host 10.1.30.30/24 on network 10.1.30.0/24. Layer 3 header of the packet Router1
receives: Source 10.1.20.20, Dest 10.1.30.30.]

IP route table (Router1)
Network/mask cost next hop
10.1.10.0/24 0 local
10.1.20.0/24 0 local
10.1.0.0/16 2 10.1.20.2


The result of having mixed states for its virtual routers is a bit more significant in
the case of the IP address owner, Router1. Because a router’s state for each VRID
is separately determined, a router can retain its Master state for some VRIDs even
though it has lost its physical connection to other networks.
The loss of Router1’s connection to network 10.1.30.0 causes important changes
to its route table. The table no longer has an entry for network 10.1.30.0, so
Router1 cannot forward to that network locally. In a sense, Router1 is no longer
qualified to perform default gateway service for hosts on networks 10.1.10.0 and
10.1.20.0 because it doesn’t have a path to network 10.1.30.0. Without additional
configuration, Router1 would simply discard all traffic destined for that network.
A partial solution to this problem is to create static routes that allow Router1
to forward traffic destined for unknown networks (i.e., networks that are not
local, in this example) through other routers. However, this path would be far
less efficient than the path that would result if Router1 could be configured to
relinquish its Master state on all of its interfaces.
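To make the route-table behaviour concrete, here is an added example (not part of the course and not a ProCurve configuration): a longest-prefix-match lookup over the Router1 table shown in the slide, with and without the 10.1.0.0/16 static route. It assumes that 10.1.20.2, the next hop in the slide's table, is Router2's interface on network 10.1.20.0, which the slide does not state explicitly.

```python
import ipaddress

# Constructed model of Router1's route table after it has lost its link to
# 10.1.30.0/24. The last entry is the static route the text suggests as a
# partial fix; 10.1.20.2 is assumed to be Router2's interface on 10.1.20.0/24.
ROUTER1_TABLE = [
    # (destination,  cost, next hop)   "local" = directly connected network
    ("10.1.10.0/24", 0, "local"),
    ("10.1.20.0/24", 0, "local"),
    ("10.1.0.0/16", 2, "10.1.20.2"),
]


def lookup(table, dst):
    """Longest-prefix match: return the most specific (network, cost, next_hop)
    entry covering dst, or None when nothing covers it."""
    addr = ipaddress.ip_address(dst)
    best = None
    for network, cost, next_hop in table:
        net = ipaddress.ip_network(network)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cost, next_hop)
    return best


def forward(table, dst):
    """Decide what the router does with a packet for dst.

    ("local", network)            destination is on a connected network
    ("via", next_hop, network)    sent to next_hop out of the connected network
                                  that next_hop itself resolves to
    ("drop", None)                no covering entry: the packet is discarded
    """
    route = lookup(table, dst)
    if route is None:
        return ("drop", None)
    net, _cost, next_hop = route
    if next_hop == "local":
        return ("local", str(net))
    # A next hop is only usable if it lies on one of our own connected networks.
    hop_route = lookup([r for r in table if r[2] == "local"], next_hop)
    if hop_route is None:
        return ("drop", None)
    return ("via", next_hop, str(hop_route[0]))


if __name__ == "__main__":
    without_static = ROUTER1_TABLE[:2]          # table right after the link loss
    print(forward(without_static, "10.1.30.30"))  # ('drop', None)
    print(forward(ROUTER1_TABLE, "10.1.30.30"))   # ('via', '10.1.20.2', '10.1.20.0/24')
    print(forward(ROUTER1_TABLE, "10.1.10.10"))   # ('local', '10.1.10.0/24')
```

Note that the /24 connected entries still win over the /16 static route for hosts on 10.1.10.0 and 10.1.20.0; only traffic for 10.1.30.0 takes the detour through Router2.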

IP Routing Foundations

Proprietary variations and enhancements

VRRP variations on ProCurve Routing Switch 9300m
• VRRP Extended (VRRPE)
– No IP Address Owner; all routers defined as Backup
– VRRP Master for each VRID is the one with highest priority
• Track ports (for VRRP and VRRPE)
– Define ports whose physical state should be tracked
– Loss of link on any tracked port causes failover of entire router


The 9300m offers two significant enhancements on the VRRP standard:
1. VRRP Extended (VRRPE)
In this proprietary protocol, no router is defined as the IP Address Owner.
Instead, all routers are defined as Backup Routers. The Master for each VRID
is determined by configured priorities. This provides administrators and
designers with flexibility in design and implementation of redundant routing
topologies.
2. Track ports
Implemented for VRRP and VRRPE, track ports may be used to resolve the
issue with mixed virtual router states by enabling administrators to define
ports whose physical state should dictate the router’s role. The router can be
configured to abdicate its Master status on any or all VRIDs if it detects loss
of link on any tracked port.


VRRPE: Virtual and actual IP addresses

• The virtual IP address is the one configured as default gateway of hosts on the
network
• The actual IP addresses assigned to router interfaces must be different from
the virtual IP address
• The router with the highest priority value becomes the Master

                 Router1                Router2
VRID 1           Master, priority 120   Backup, priority 100
  Actual         10.1.20.11/24          10.1.20.12/24
  Virtual        10.1.20.1              10.1.20.1
VRID 2           Master, priority 120   Backup, priority 100
  Actual         10.1.40.11/24          10.1.40.12/24
  Virtual        10.1.40.1              10.1.40.1

Host20: 10.1.20.20/24, DG: 10.1.20.1
Host40: 10.1.40.40/24, DG: 10.1.40.1


As shown above, configuration for VRRPE is different from VRRP configuration
in two ways:
1. Most significantly, the actual IP addresses assigned to router interfaces must
be different from the virtual IP address. In VRRP, by contrast, the virtual IP
address can be the interface address of one of the routers, which then
becomes the Owner of the IP address.
2. The state of a router—that is, Master or Backup—is determined entirely by a
priority value associated with each VRID. The router with the highest priority
is automatically the Master. In the example, Router1 is Master for VRID 1
and VRID 2 because its priority is set at 120. Router2 has the default priority
of 100. Valid priority values are 3-254.
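As an added example (not ProCurve code), the following models the per-VRID election behind the mixed-state scenario, the VRRPE priority election just described, and the 9300m track-port enhancement, simplified to "abdicate every VRID when any tracked port is down". Interface names, link states, and the assumption that Router1 owns the virtual address on all three networks of the mixed-state slides are constructed; VRRP tie-breaking is not modelled.

```python
from dataclasses import dataclass, field

OWNER_PRIORITY = 255              # the VRRP IP Address Owner always wins
VRRPE_PRIORITIES = range(3, 255)  # valid VRRPE priority values: 3-254 (from the text)


@dataclass
class Router:
    name: str
    vrids: dict                   # vrid -> (interface, priority, is_owner)
    link_up: dict                 # interface -> bool (constructed link state)
    track_ports: set = field(default_factory=set)

    def priority_for(self, vrid, use_track_ports):
        """Priority this router advertises for vrid, or None if it cannot serve it."""
        iface, prio, is_owner = self.vrids[vrid]
        if not self.link_up[iface]:
            return None                    # no working interface on that network
        if use_track_ports and any(not self.link_up[p] for p in self.track_ports):
            return None                    # tracked port down: give up every VRID
        return OWNER_PRIORITY if is_owner else prio


def elect(routers, use_track_ports=False):
    """Return {vrid: master name}. Each VRID is decided on its own, which is
    exactly what lets a router stay Master on some networks after losing
    another one (the mixed state). Ties are not modelled here."""
    masters = {}
    for vrid in sorted({v for r in routers for v in r.vrids}):
        candidates = [(r.priority_for(vrid, use_track_ports), r.name)
                      for r in routers if vrid in r.vrids]
        candidates = [c for c in candidates if c[0] is not None]
        masters[vrid] = max(candidates)[1] if candidates else None
    return masters


def vrrpe_routers():
    """Constructed VRRPE pair from the slide: no owner, priorities 120 and 100."""
    for prio in (120, 100):
        if prio not in VRRPE_PRIORITIES:
            raise ValueError("VRRPE priority must be 3-254")
    r1 = Router("Router1", {1: ("e1", 120, False), 2: ("e2", 120, False)},
                {"e1": True, "e2": True})
    r2 = Router("Router2", {1: ("e1", 100, False), 2: ("e2", 100, False)},
                {"e1": True, "e2": True})
    return [r1, r2]


def vrrp_routers_after_link_loss():
    """Constructed VRRP pair from the mixed-state slides: Router1 is assumed to
    own the virtual address on all three networks and has lost its interface
    on 10.1.30.0/24 (e30). All three interfaces are tracked on both routers."""
    tracked = {"e10", "e20", "e30"}
    r1 = Router("Router1",
                {1: ("e10", 100, True), 2: ("e20", 100, True), 3: ("e30", 100, True)},
                {"e10": True, "e20": True, "e30": False}, track_ports=tracked)
    r2 = Router("Router2",
                {1: ("e10", 100, False), 2: ("e20", 100, False), 3: ("e30", 100, False)},
                {"e10": True, "e20": True, "e30": True}, track_ports=tracked)
    return [r1, r2]


if __name__ == "__main__":
    print(elect(vrrpe_routers()))                                     # Router1 for both
    print(elect(vrrp_routers_after_link_loss()))                      # mixed state
    print(elect(vrrp_routers_after_link_loss(), use_track_ports=True))  # Router2 for all
```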


XRRP

XL Router Redundancy Protocol
• Protection domain consists of two routers
• IP Address Owner is the router that is configured with the virtual IP
address
• Link failure causes failover of entire router
VRRP equivalent for:
• ProCurve 3400cl series
• ProCurve 6400cl series
• ProCurve 5300xl series


Several ProCurve switches, including the 3400cl series, the 5300xl series, and the
6400cl series, support the XL Router Redundancy Protocol (XRRP), which is a
proprietary default gateway redundancy protocol.
In XRRP, each protection domain consists of exactly two routers. As in VRRP, the
virtual IP address is the interface address of one of the routers, which is the Owner
and Master for the virtual address.
If a link fails for an XRRP router, the entire router fails over, which prevents the
formation of mixed virtual router states.


Module 3 summary

In this module, you learned:
• Why router redundancy protocols are necessary to ensure network
operation in the event of router failure
• Similarities among proprietary and standards-based router
redundancy protocols
• Basic information about the operation of VRRP
• Basic information about the operation of VRRPE
• Basic information about XRRP


Module 3 of IP Routing Foundations described the requirements for router
redundancy. While many contemporary networks use Spanning Tree to protect
against link failure, a separate configuration is necessary to ensure seamless
failover in the event of router failure. The module described several proprietary
and standards-based redundancy protocols, including VRRP, VRRPE, and XRRP.
Routing Switch Essentials will provide detailed instructions on the configuration of
VRRPE on the ProCurve 9300m Routing Switch.


Learning check
Module 3


1. Why is Spanning Tree an incomplete solution for redundancy in a routed
network?
............................................................................................................................
............................................................................................................................

2. Name the technologies for default gateway redundancy that are supported by
ProCurve switches.
a. ........................................................................................................................
b. ........................................................................................................................
c. ........................................................................................................................

3. How is the Master router determined in a VRRP implementation?
............................................................................................................................
............................................................................................................................

4. How does VRRPE differ from VRRP?
............................................................................................................................
............................................................................................................................
............................................................................................................................

ACL Theory
Module 4

Objectives
After completing this module, you will be able to:
• Differentiate between rule-based access control and role- and identity-based
access control
• Describe the steps necessary to plan for rule-based access control
• List the criteria by which you can select traffic for special handling
• Configure ACLs so that rules are applied in the proper order
• Implement a strategy for applying ACLs to user traffic


Device security and access control

Device security and traffic control
Resources in the corporate intranet may be protected by multiple
levels of access control, including:
• Identity-based access control
– Defined centrally or on each server
– Permissions based on user’s identity, which may be authenticated
by passwords or other means
• Role-based access control
– After identity has been authenticated, user may obtain additional
permissions associated with organizational function or role
• Rule-based access control
– Router examines traffic and permits or denies it based on a set of
rules
– Does not replace identity- and role-based security, but is used in
conjunction with these forms of access control


Every enterprise must implement several types of network security to control
access to resources. Three of these are:
1. Identity-based security
2. Role-based security
3. Rule-based security

Identity-based security
The security methods most apparent to end users are based on user identity. In this
type of security, users are required to assert their identities, often by providing a
user name. They are then required to prove or authenticate their identities by
providing passwords or biometric information. Identity-based security can be
enforced through centralized authentication services and may involve directory
services, public key cryptography, or other technologies. After the process is
complete, the authenticated user is authorized to use some set of resources.

Role-based security
In role-based security, users are authenticated according to their membership in
organizational functions or groups to which an administrator has assigned access
rights or permissions. After a user’s identity has been authenticated, the user
receives a combination of the rights associated with the individual and those
associated with any relevant groups. Role-based security can be enforced by
servers and by switches at the edge of the network.


Rule-based security
Finally, routers can be configured to perform access control functions that
selectively permit or deny traffic based on the content of specific fields within the
headers of each packet. This form of security is enforced through Access Control
Lists (ACLs), which are the subject of this module.


Basic security principles: Physical security example

A building is accessible to employees with key-card access
Rooms with storage cabinets have no doors
• Key 10 opens the cabinets in Room A
• Key 4 opens the cabinets in Room B
• Keys are not required to access the cabinets in Room C
Potential problems for Rooms A and B:
• Brute force security breach
• Denial of service

[Figure: Room A (cabinets opened with key 10), Room B (cabinets opened with
key 4) and Room C (no key required); employees carrying keys 10 and 4 move
between the rooms.]


Network security issues and solutions often are similar in concept to physical
security issues and solutions.
The slide above uses an unnamed physical facility to illustrate these principles. A
building used to store sensitive items requires identity-based and role-based
access. Employees use security badges to present their identities and gain access to
the building.
Once inside the building, employees can enter any of three storage rooms.
However, a role-based security procedure governs access to storage cabinets inside
the rooms. Employees use key cards to gain access only to the cabinets appropriate
for their organizational functions. The requirements for the three rooms are:
1. Key card 10 is required to access cabinets in Room A. Because this room
holds the most sensitive material, card 10 is issued to the fewest number of
employees. However, the door to the room remains unlocked because prompt
access is important for these employees.
2. Key card 4 is required to access cabinets in Room B.
3. No card is required to access cabinets in Room C, which means they are
accessible to all employees with access to the building.


Security threats
Because the rooms themselves are unlocked, this building faces two important
security threats that are analogous to threats encountered in enterprise networks.
1. Brute force attacks
Because the doors are unlocked, unauthorized persons could easily gain
access to the rooms and force open the locks to the cabinets.
2. Denial of service attacks
As well as being able to force open the cabinet locks, intruders could prevent
employees from gaining access to the cabinets. Because anyone can enter the
rooms, a crowd of unauthorized individuals could, however unlikely it is,
gather to deny service to authorized individuals.


Basic security principles: Additional layer of physical security

Security devices are positioned at entrances to Rooms A and B
• Programmed with rules to characterize individuals that should be allowed
access
• All others are denied access
Locked cabinets in Rooms A and B remain accessible only to individuals
in possession of correct keys

[Figure: a security device at the entrance to Room A and another at the
entrance to Room B; the cabinets inside still require keys 10 and 4.]

In this example, security at the fictitious building is heightened by adding locks to
the doors of Room A and Room B. By providing an additional layer of security,
these devices prevent unauthorized persons from entering rooms that contain
resources they are not allowed to use.
Note, however, that the locks are not replacements for the locks on the cabinets.
They are additional security measures designed to serve two purposes:
1. Enhance security by making it less likely that an unauthorized person will
find a way to break through the locks on the cabinets
2. Enhance availability by preventing unauthorized persons from impeding the
access of authorized persons


Comparing physical and virtual security

Providing multiple access control levels enhances network
security:
• Identity- or role-based access control
– Goal is to allow appropriate user access to services
– Analogous to locks on storage cabinets
• Rule-based access control
– Defined on routers and routing switches
– Goal is traffic control to relieve congestion, limit opportunity for
denial of service attacks
– Analogous to security device installed on certain doors


In some ways, the tools and procedures used for network security are similar to
those used for physical security. In both cases, administratively defined policies
determine which users can access specific resources and what level of access each
user will have.
The locks installed on the rooms in the example are analogous to rule-based
security in the enterprise intranet. Just as the locks prevent unauthorized users
from entering rooms where they are not permitted, enterprise routers can limit
traffic flow to ensure that unauthorized users cannot “see” sensitive resources.
In the network, the filters examine packets to compare their source and destination
addresses and traffic types with a set of rules configured by administrators. This
significantly decreases the likelihood that resources will be compromised or that
service will be denied to authorized users.
The rest of this module will discuss rule-based security in the form of ACLs
configured on routers.


Planning for rule-based access control

Identify characteristics of the resource to be protected, such as:
• Individual hosts by their IP address
• Functional groups of servers by an IP address range
• Server-based applications supported by protocol and/or TCP/UDP port
without regard to IP address
For each resource, identify selection criteria:
• Common characteristics of traffic that should be permitted
• Common characteristics of traffic that should be denied
Based on location of resources and distribution of authorized and
unauthorized traffic sources, identify:
• All paths through the intranet that could carry identified traffic
• Where to place controls
– Ingress and egress ports


Before implementing rule-based access control, you must know what you are
trying to protect. Resources can be identified in a number of ways, including IP
address and protocol or application.
Access control requirements often play an important role in selecting an
addressing scheme. Typically, resources that must be accessed by the same set of
users are placed in the same network. This addressing strategy simplifies access
control by enabling an administrator to refer to a group of servers as a range of IP
addresses rather than as a series of individual IP addresses. Similarly, an efficient
IP addressing scheme places users with identical resource needs into the same
network or range of networks. When a set of users authorized to access a particular
set of resources can be referred to using an IP address range, an administrator can
minimize the number of rules required to meet the organization’s traffic control
goals. Specific recommendations for IP addressing scheme design are covered in
the Routing Switch Essentials course.
Suppose, for example, that several servers provide storage for a particular
department, and that all users in the department require equal access to the servers.
Because you have placed users into VLANs/networks based on the function or role
associated with their identities, all of the users are within a definable range of IP
addresses. If the servers are assigned IP addresses within a given address range,
such as a subnet or network with a 24-bit mask, they can also be specified as a
resource by their address range.


Alternatively, several servers distributed across many address ranges might
support a particular protocol, application, or other function that is definable by a
protocol name or number, or by a TCP or UDP port. You can refer to the
application as a resource without regard to the IP addresses of specific servers.
SMTP is one example of this type of resource.
As well as defining the rules, you must also determine which router interfaces
should enforce the access control rules and whether the rules should be applied to
inbound or outbound traffic. Additionally, because an organization’s rule-based
security policies often require the configuration of multiple rules, you must
determine the sequence in which the rules should be applied to inbound or
outbound traffic.
The next few slides will illustrate a simple rule-based access control example.


Rule-based access control example

• The ‘curriculum’ network is accessible to all through the intranet core
• Identity-based security allows authenticated faculty members to access the
servers on this network
• Edge router will be configured with traffic filters that enforce rule-based
security to permit only faculty members to access the curriculum network

[Figure: ProCurve University intranet: Internet; Curriculum 10.0.130.0/24;
Intranet core 10.0.100.0/24; links 10.1.65.0/24, 10.1.66.0/24, 10.1.67.0/24,
10.1.68.0/24; user networks Guests 10.1.10.0/24, Admin 10.1.30.0/24, Students
10.1.40.0/24, Faculty 10.1.20.0/24.]


At ProCurve University, many resources must be protected by access control rules.
One such resource is the curriculum network, an enterprise-wide resource that
hosts servers for materials relating to curriculum. These materials include
supplementary handouts, quizzes, and exams.
The next few slides will show how to configure ACLs to permit faculty members
at one campus to access the servers. This example will illustrate two important
points:
1. How to identify the values in the IP datagram header that will be specified in
the rules
2. Possible locations for application of the rules


Selection criteria in IP header

Packet matching criteria:

• IP datagram header information that identifies permitted traffic:
– Destination IP address between 10.0.130.0 and 10.0.130.255
– Source IP address between 10.1.20.0 and 10.1.20.255
• IP datagram header information that identifies denied traffic:
– Destination IP addresses other than 10.0.130.0 - 10.0.130.255
– Source IP addresses other than 10.1.20.0 - 10.1.20.255

IP header:
Version | Hdr Lgth | Type of Service | Total Length
Identifier | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Options (if any) | Padding


The first step in planning for rule-based access control is to determine the IP
header characteristics that identify permitted traffic. In this example, the permitted
traffic originates within the faculty network and is destined for the curriculum
network. The source address field in the headers of packets sent by faculty users is
within the range 10.1.20.0-10.1.20.255. The value in the destination address field
will be 10.0.130.0-10.0.130.255.
All IP traffic with a source and destination address that matches the rule will be
subjected to the specified action. All packets that have a source IP address between
10.1.20.0 and 10.1.20.255 and a destination IP address between 10.0.130.0 and
10.0.130.255 will be permitted.
With this rule applied, a router will make forwarding decisions based only on IP
address. However, rules can use IP protocol fields to determine which applications
can access certain resources. For instance, a rule could permit only HTTP requests,
effectively blocking Telnet, FTP, and other IP applications.
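An added example, not from the course: a parser for the IPv4 header fields shown in the diagram above, including verification of the header checksum, followed by the source/destination test that Rule 1 performs. The sample packets are constructed inside the block; build_ipv4_header and the field names are this example's own.

```python
import ipaddress
import struct

FACULTY = ipaddress.ip_network("10.1.20.0/24")      # permitted source range
CURRICULUM = ipaddress.ip_network("10.0.130.0/24")  # permitted destination range
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
HEADER_FMT = "!BBHHHBBH4s4s"                        # 20-byte header, no options


def checksum(data):
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len=0, ttl=64, ident=0x1234):
    """Constructed sample header (DF flag set) with a valid checksum."""
    ver_ihl = (4 << 4) | 5                   # version 4, 5 words = 20 bytes
    fields = [ver_ihl, 0, 20 + payload_len, ident, 0x4000, ttl, proto, 0,
              ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed]
    fields[7] = checksum(struct.pack(HEADER_FMT, *fields))
    return struct.pack(HEADER_FMT, *fields)


def parse_ipv4_header(packet):
    """Extract the fields of the slide's header diagram from raw bytes."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack(HEADER_FMT, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a complete IPv4 header")
    if checksum(packet[:ihl]) != 0:          # a valid header sums to zero
        raise ValueError("bad header checksum")
    return {
        "version": version, "header_length": ihl, "tos": tos,
        "total_length": total_len, "identifier": ident,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl, "protocol": PROTO_NAMES.get(proto, proto),
        "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
    }


def matches_rule_1(packet):
    """Rule 1 from the text: faculty source AND curriculum destination."""
    h = parse_ipv4_header(packet)
    return h["src"] in FACULTY and h["dst"] in CURRICULUM


if __name__ == "__main__":
    pkt = build_ipv4_header("10.1.20.7", "10.0.130.15", 6, payload_len=40)
    print(parse_ipv4_header(pkt))
    print(matches_rule_1(pkt))                                          # True
    print(matches_rule_1(build_ipv4_header("10.1.40.9", "10.0.130.15", 6)))  # False
```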


Determine which port(s) will filter traffic

• Determine all paths that can carry traffic from the faculty user network to the
curriculum server network
• Identify ingress and egress ports for the traffic

[Figure: ProCurve University intranet: Internet; Curriculum server network
10.0.130.0/24 behind C1, whose interface there is the curriculum server egress
port; Intranet core 10.0.100.0/24; R1A and R1B; links 10.1.65.0/24, 10.1.66.0/24,
10.1.67.0/24, 10.1.68.0/24; R1C and R1D, with the R1D interface to the faculty
network marked as the faculty ingress port; Guests 10.1.10.0/24, Admin
10.1.30.0/24, Students 10.1.40.0/24, Faculty 10.1.20.0/24.]


Without any traffic controls implemented, routers forward all traffic based on
route table entries. The policy defined in this example requires the router to permit
traffic that comes from the faculty users and is destined for the curriculum server.
Given the goal of permitting traffic from the faculty user network to the
curriculum server network, the rule could be applied at either of the two points
shown on the diagram. The interface on R1D that connects to the faculty user
network is called the “ingress” port because it is the only point through which
traffic generated by faculty users can enter the intranet.
Similarly, the only point through which traffic destined for the curriculum server
network can exit the intranet is known as the “egress” port.


A rule that may be applied to ingress or egress ports

Rule 1: permit all IP traffic whose source address is in the range 10.0.20.0/24
AND whose destination address is in the range 10.0.130.0/24.
Apply Rule 1 outbound on C1 (egress port) OR inbound on R1D (ingress port)

[Figure: ProCurve University intranet: Internet; Emp servers 10.0.128.0/24,
Admin servers 10.0.129.0/24 and Curriculum 10.0.130.0/24 behind C1; core
10.0.100.0/24; R1A and R1B; links 10.1.65.0/24, 10.1.66.0/24, 10.1.67.0/24,
10.1.68.0/24; R1C and R1D; Guests 10.1.10.0/24, Admin 10.1.30.0/24, Students
10.1.40.0/24, Faculty 10.1.20.0/24. A user/resource matrix (Guests, Faculty,
Admin, Students against Internet and Curriculum) marks only Faculty access to
Curriculum.]


The ProCurve University intranet provides multiple paths to the core from each
edge router. Traffic between the faculty user network and the curriculum server
network may be forwarded onto the core network by either R1A or R1B.
Regardless of which router handles this traffic, the ingress and egress ports remain
the same. While the rule shown on the diagram could be applied to inbound traffic
on the ingress port or to outbound traffic on the egress port, one port might be
more efficient than the other due to platform-specific factors. Additionally, the
impact of applying this rule at the ingress port is completely different from the
impact of applying it at the egress port.


The implied “deny any” rule

A traffic filtering rule is applied to an interface as a member of an
ordered list of rules known as an Access Control List (ACL)
The last rule in every ACL denies all traffic that does not meet conditions
of rules that appear earlier in the list
• Permit IP traffic matching source address range 10.1.20.0/24 AND destination
address range 10.0.130.0/24
• (Implicit) Deny IP traffic from any source to any destination

• Packets that match the conditions of the first rule are subject to the
action specified in the rule
• Packets that do not match the conditions of the first rule are
compared to remaining rules in the list
• Packets that do not match with any explicitly defined rule are denied

[Flowchart: Test Rule 1. Match? yes: follow action, end. no: deny any, end.]


An access control rule is applied to a router interface as a member of an ACL. An
ACL frequently contains multiple rules, which are also known as “access control
entries” or “ACL entries,” because each router interface can have only one
inbound ACL and one outbound ACL. The entries are added to the ACL in the
order they should be applied to transiting traffic.
The last rule in an ACL implicitly denies all traffic that was not explicitly
permitted by a rule that appears earlier in the list. This rule, called the implied
“deny any” rule, is one important reason why the outcome of a particular rule can
be different if it is applied as part of an inbound ACL or an outbound ACL.


Impact of applying Rule 1 at ingress port

Result 1: Faculty member traffic destined for curriculum network is permitted;
traffic destined for other resource networks is implicitly denied
Result 2: Traffic produced by hosts in guest, student, and admin networks is not
impacted by rules applied at faculty ingress port.
Rule 1: permit all IP traffic whose source address is in the range 10.0.20.0/24
AND whose destination address is in the range 10.0.130.0/24
Apply Rule 1 inbound on R1D (faculty ingress port)

[Figure: ProCurve University intranet: Internet; Emp servers 10.0.128.0/24,
Admin servers 10.0.129.0/24 and Curriculum 10.0.130.0/24 behind C1; core
10.0.100.0/24; R1A and R1B; links 10.1.65.0/24, 10.1.66.0/24, 10.1.67.0/24,
10.1.68.0/24; R1C and R1D; Guests 10.1.10.0/24, Admin 10.1.30.0/24, Students
10.1.40.0/24, Faculty 10.1.20.0/24.]


In this example, an ACL developed for ProCurve University contains only one
rule. If an administrator applies this rule at the ingress port, faculty users will be
able to access curriculum servers. However, because of the implicit “deny any”
rule, faculty users will not be able to access any resources located on networks
other than 10.0.130.0/24.
Additionally, the placement of the ACL at the ingress port does nothing to limit
access to the curriculum server network by users in the guest, admin, and student
user networks.


Impact of applying Rule 1 at egress port

Result 1: Traffic sent by hosts in faculty network is explicitly permitted on to
the curriculum network; no impact on faculty traffic destined for other networks
Result 2: Traffic sent by hosts in guest, admin, and student networks is
explicitly denied entry to the curriculum network
Rule 1: permit all IP traffic whose source address is in the range 10.0.20.0/24
AND whose destination address is in the range 10.0.130.0/24
Apply Rule 1 outbound on C1 (curriculum server egress port)

[Figure: ProCurve University intranet: Internet; Emp servers 10.0.128.0/24,
Admin servers 10.0.129.0/24 and Curriculum 10.0.130.0/24 behind C1; core
10.0.100.0/24; R1A and R1B; links 10.1.65.0/24, 10.1.66.0/24, 10.1.67.0/24,
10.1.68.0/24; R1C and R1D; Guests 10.1.10.0/24, Admin 10.1.30.0/24, Students
10.1.40.0/24, Faculty 10.1.20.0/24.]


The application of the rule at the curriculum server egress port meets the goal of
permitting faculty users to access curriculum servers while denying access to users
in the guest, admin, and student networks. However, it is not a complete solution
because it does nothing to restrict access to resources on any other networks.


Associating users with their resource requirements

Approaches to defining and applying ACLs:
• Determine resources per user type and apply inbound filters at the ingress port
for each user network
• Determine user types per resource and apply outbound filters at the egress
port for each resource network
Inbound filters are generally considered more efficient than outbound
filters

                         Guests   Faculty   Admin   Students
Internet                 X        X         X       X
Curriculum                        X
Accounting                                  X
Email/scheduling app.             X         X
Human resources                             X
Web-based registration            X         X       X


As the previous example illustrates, a single rule is usually not sufficient to meet
the traffic filtering requirements for a given interface. Because only one inbound
ACL and one outbound ACL can be associated with each interface, ACLs require
significant planning. You must assess the security requirements of the entire
intranet and carefully define and apply ACLs to avoid inadvertently providing
inappropriate user access or denying users legitimate access to resources.
Inbound ACLs are generally considered more efficient than outbound ACLs.
However, because the advantages of inbound ACLs are often platform-dependent,
outbound ACLs can be preferable in certain situations.

Inbound ACL recommendations
If you choose to define rule-based access control using inbound ACLs, you would
assess resource requirements from the user perspective. For each interface, you
would determine all of the resources required by the type of user on that network.
You would then define an ordered list of rules to specify the characteristics of
permitted and denied traffic.
One accepted procedure is to associate a “permit” action with characteristics of
traffic that should be allowed to enter the router from the user network. You may
also need to associate a “deny” action with characteristics of traffic that should not
be allowed to enter the router from the user network.


Outbound ACL recommendations
If you choose to implement access control using outbound ACLs, you will work
from the resource perspective. For each network that provides resources, you
might choose to define an ordered list of rules that specify characteristics of user
traffic that should or should not be allowed to exit the router and reach the hosts
that provide resources.
Definition and application of access control rules is typically based on pre-defined
organizational security policies and requires knowledge of specific resource
requirements for all user types. This module uses the user types and resources at
ProCurve University to describe the information that must be gathered in order to
plan and implement ACLs.
The next few pages will provide specific address ranges and traffic types, as well
as the physical locations for both resources and users within the enterprise intranet.


Define characteristics of resources

Resource                        Characteristic
Internet                        Address range 0.0.0.0/0 AND NOT 10.0.0.0/8
Curriculum servers              Address range 10.0.130.0/24
Accounting servers              Address range 10.0.129.0/24
Email scheduling app            Address range 10.0.0.0/8 AND TCP port 25 (SMTP)
Human resources servers         Address range 10.0.129.0/24
Web-based registration server   Host 10.0.130.115 AND TCP port 80 (HTTP)

[Figure: ProCurve University intranet: Internet; Emp servers 10.0.128.0/24,
Admin servers 10.0.129.0/24 and Curriculum 10.0.130.0/24 behind C1; core
10.0.100.0/24; R1A and R1B; links 10.1.65.0/24, 10.1.66.0/24, 10.1.67.0/24,
10.1.68.0/24; R1C and R1D, each with a .1 interface address on its user
networks; Guests 10.1.10.0/24, Admin 10.1.30.0/24, Faculty 10.1.20.0/24,
Students 10.1.40.0/24.]


The diagram and table above illustrate how administrators at ProCurve University
might approach the process of planning their traffic filters. After identifying the
intranet’s resources, administrators must determine how those resources can be
characterized. More specifically, they must determine what portions of the IP
header contain the information that distinguishes one resource from another.
In most cases, the IP address will be an important differentiator. For example, the
curriculum servers are all located on the same network, within an address range
that can be defined by the starting address 10.0.130.0 and the mask of
255.255.255.0 or 24 contiguous bits.
Other resources include servers such as the accounting and human resources
servers, which are used only by members of the administrative department. These
servers also are located on the same network, within an address range that can be
expressed by a starting address and mask.
However, the email/scheduling application resides on many servers that are
distributed across several networks. Consequently, administrators cannot easily
base their ACLs on the addresses of all of the servers that support this application.
Instead, they can use the well-known port number for SMTP, which is 25.
This slide also shows how the users are characterized. Because administrators have
assigned users to VLANs based on their resource needs, they can use a starting
address and mask to describe users who perform a particular job function and
associate them with the resources to which they need access.


Strategies for defining inbound ACLs

• Filtering traffic at the edge makes efficient use of router resources
  – Each router interface can support only one inbound ACL
  – Identify the permitted and denied resources for hosts on the connected network
• Two main strategies for associating rules with an ACL:
  1. Create rules that define characteristics of permitted traffic, and deny all other traffic implicitly
  2. Create rules for each edge interface that define characteristics of denied traffic, then create a rule that permits all traffic not denied by rules that appear earlier in the list

Resource access by user group (X = permitted):

           Internet  Curriculum  Accounting  Email/sched  HR  Registration
Guests     X
Faculty    X         X                       X                X
Admin      X                     X           X            X   X
Students   X                                                  X

The implementation of access control is simplified if all of the hosts in a given
VLAN/network/broadcast domain have similar resource requirements. However,
because each interface can support only one inbound ACL and one outbound ACL,
you must have a plan for organizing all of the traffic filtering rules that must be
grouped together into an access list. In order to be effective, the rules must be in a
correct and precise order.
The choice of a strategy for enabling access control often depends on the number
of resources and types of user groups that must be controlled. Two common
approaches are:
1. Create rules that specify the characteristics of the traffic that should be
permitted. You then implement the implicit-deny-any rule to deny all traffic
not explicitly permitted.
2. Create rules that specify characteristics of traffic to be denied. You then
specify a statement to permit all traffic not explicitly denied.


Access control for faculty users

Faculty resource                Characteristic
Web-based registration server   Host 10.0.130.115 AND TCP port 80
Curriculum servers              Range 10.0.130.0/24
Email/scheduling                Range 10.0.0.0/8 AND TCP port 25
Internet                        All destinations not in 10.0.0.0/8 range

Diagram: ProCurve University intranet topology (Internet; Emp servers 10.0.128.0/24, Admin servers 10.0.129.0/24, Curriculum 10.0.130.0/24 with the registration server at .115; C1 on 10.0.100.0/24; R1A, R1B, R1C and R1D over 10.1.65.0/24 to 10.1.68.0/24; user networks Guests 10.1.10.0/24, Admin 10.1.30.0/24, Students 10.1.40.0/24, Faculty 10.1.20.0/24).

Faculty members at ProCurve University require access to four network resources:
1. Web-based registration server
2. Curriculum servers
3. Email/scheduling application
4. Internet
The next few pages will present the logic for an ACL to permit this access while
denying access to other resources.


Access control criteria in TCP and UDP headers

Figure: TCP header fields, row by row: Source port, Destination port; Sequence number; Acknowledgment number; Hdr Lgth, Reserved, Code bits, Window; Checksum, Urgent pointer; Options (if any), Padding; Data.
Figure: UDP header fields as drawn on the slide: Source port, Destination port; Checksum, Urgent pointer; Data.

ACLs enable you to base traffic controls on fields in the TCP and UDP headers.
For instance, at ProCurve University, the ACL that will be applied inbound to the
faculty user network interface uses TCP port number 25, the well-known port for
SMTP, as a selection criterion.
The graphic above illustrates the placement of this information in the TCP and
UDP headers. If the protocol field in the IP datagram header indicates that the
protocol is TCP, the TCP header immediately follows the IP header.
Because TCP provides connection-oriented service for upper-layer applications,
the TCP header contains more fields than the UDP header. UDP acts like a pass-
through between IP and the upper layer applications. However, two fields appear
in both types of headers: the source and destination port fields.
When combined with the three fields in the IP header that can be used for selecting
packets for special handling, the TCP and UDP source and destination port fields
provide flexibility in characterizing traffic that the router should permit or deny.
The field that contains code bits is used during the three-way handshake that sets
up a TCP connection, enabling other applications to run over the connection-
oriented, flow-controlled session. It is possible to differentiate the value of the
code bit field in a packet that is part of an established conversation from the value
of the code bit field that is attempting to initiate a new conversation.


By making this field part of the criteria for a traffic filter, you can deny inbound
packets whose code bit field value indicates an attempt to start a session from
outside a given network using a TCP-based application. You can permit responses
to sessions that were generated inside a given network.
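The code-bit test described above, as an added example that is not part of the original guide: a small Python parser that pulls the source port, destination port and code bits (flags) out of the fixed 20-byte TCP header, the ports out of the UDP header, and classifies a segment as a new-connection attempt (SYN set, ACK clear) or as part of an established conversation (ACK or RST set). The sample segments are constructed with struct.pack and mirror the faculty-to-registration-server packet used on the slides; the "ACK or RST" definition of "established" is the convention used by common ACL implementations and is an assumption here, not something the guide states.

```python
import struct

# TCP code bits (flags) in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

TCP_FIXED = struct.Struct("!HHIIBBHHH")  # 20-byte fixed TCP header, network byte order
UDP_HDR = struct.Struct("!HHHH")         # 8-byte UDP header: ports, length, checksum


def parse_tcp_header(segment: bytes) -> dict:
    """Return the TCP header fields an ACL can test (ports and code bits)."""
    if len(segment) < TCP_FIXED.size:
        raise ValueError("truncated TCP header")
    (src_port, dst_port, seq, ack, off_rsvd, flags,
     window, checksum, urgent) = TCP_FIXED.unpack_from(segment)
    return {
        "src_port": src_port,
        "dst_port": dst_port,
        "seq": seq,
        "ack": ack,
        "header_len": (off_rsvd >> 4) * 4,  # data offset is counted in 32-bit words
        "flags": flags,
        "window": window,
    }


def parse_udp_header(datagram: bytes) -> dict:
    """UDP carries only ports, length and checksum; the ports are the ACL criteria."""
    if len(datagram) < UDP_HDR.size:
        raise ValueError("truncated UDP header")
    src_port, dst_port, length, checksum = UDP_HDR.unpack_from(datagram)
    return {"src_port": src_port, "dst_port": dst_port, "length": length}


def is_connection_attempt(flags: int) -> bool:
    """SYN without ACK is the first segment of the three-way handshake."""
    return bool(flags & SYN) and not (flags & ACK)


def is_established(flags: int) -> bool:
    """ACK or RST set: the segment belongs to an existing conversation.
    (Assumed convention of the 'established' keyword in common ACL syntaxes.)"""
    return bool(flags & (ACK | RST))


def classify(segment: bytes) -> str:
    """Label a TCP segment the way an inbound 'established' filter would see it."""
    flags = parse_tcp_header(segment)["flags"]
    if is_connection_attempt(flags):
        return "new-connection"
    if is_established(flags):
        return "established"
    return "other"


def build_tcp_header(src_port: int, dst_port: int, flags: int,
                     seq: int = 0, ack: int = 0) -> bytes:
    """Constructed test data: a 20-byte TCP header with no options (data offset 5)."""
    return TCP_FIXED.pack(src_port, dst_port, seq, ack, 5 << 4, flags, 65535, 0, 0)


# Constructed sample segments (not captured traffic) for the slide's HTTP session.
SYN_OUT = build_tcp_header(1052, 80, SYN, seq=1000)                 # host opens HTTP
SYN_ACK_IN = build_tcp_header(80, 1052, SYN | ACK, seq=5000, ack=1001)  # server reply
DATA_IN = build_tcp_header(80, 1052, ACK | PSH, seq=5001, ack=1001)     # server data
UDP_SAMPLE = UDP_HDR.pack(1025, 53, 8, 0)                           # empty UDP datagram to port 53

if __name__ == "__main__":
    for name, seg in [("SYN_OUT", SYN_OUT), ("SYN_ACK_IN", SYN_ACK_IN), ("DATA_IN", DATA_IN)]:
        print(name, parse_tcp_header(seg)["dst_port"], classify(seg))
```

An inbound filter that permits only segments for which is_established() is true lets replies to sessions opened from inside the network through while dropping the SYN that would open a session from outside; a filter that keys only on port numbers cannot make that distinction.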


Permit faculty user access to curriculum server network

Faculty users can send traffic to any host on the curriculum network using any application.

Packet to be tested:
  IP header:  Protocol 6 (TCP), Src 10.1.20.20, Dst 10.0.130.115
  TCP header: Src port 1052, Dst port 80
  [data]
Result: Match first entry? Yes. Action = Permit

Rules in access control list applied to faculty ingress port:
1 Permit source range 10.1.20.0/24 and dest. range 10.0.130.0/24
2 Permit source range 10.1.20.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
3 Deny source range 10.1.20.0/24 and destination range 10.0.0.0/8
4 Permit source range 10.1.20.0/24 and any destination address
(implicit) Deny any source address and any destination address


Because the ProCurve University network is well planned, most of the resources
needed by the faculty members are on the curriculum server network. This makes
it simpler to define access control rules than it would be if faculty resources were
distributed across the entire intranet.
In addition to the curriculum servers, the faculty users need access to the Internet
and to the email/scheduling application that is distributed across the entire intranet.
Because the registration server is on the curriculum network, faculty members do
not need an explicit rule to permit access to that host. Their access to the entire
curriculum server network will include the registration server. You would only
need to define rules in an ACL for both resources if you needed to deny access to
one and permit access to the other.
The slide above shows an example of a specific packet being tested by the inbound
ACL, which means the router tests the traffic as it enters the interface.
The first rule provides access to the address range 10.0.130.0/24, which is the
network that contains all of the curriculum servers. The router compares relevant
portions of the packet to the filtering rule and determines that the source and
destination IP addresses match both the source and destination address ranges
specified in the rule. The router takes the action associated with the first rule,
which is to permit the packet to pass. Every packet the router interface sees that
has a source and destination address within the ranges specified by the first rule
will be permitted.
The impact of the other rules in this ACL will be described later in this module.


Permit faculty user access to SMTP services

Faculty users can send SMTP traffic to any host in the intranet.

Packet to be tested:
  IP header:  Protocol 6 (TCP), Src 10.1.20.20, Dst 10.0.129.143
  TCP header: Src port 1064, Dst port 25
  [data]
Result: Match first entry? No. Match second entry? Yes. Action = Permit

Rules in access control list applied to faculty ingress port:
1 Permit source range 10.1.20.0/24 and dest. range 10.0.130.0/24
2 Permit source range 10.1.20.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
3 Deny source range 10.1.20.0/24 and destination range 10.0.0.0/8
4 Permit source range 10.1.20.0/24 and any destination address
(implicit) Deny any source address and any destination address


In addition to the curriculum servers, the faculty users need access to the
email/scheduling application that is distributed across the entire intranet. Instead of
specifying each potential destination host that supports the SMTP-based
application, administrators can specify a “permit” rule that specifies TCP port 25
for any destination host in the range 10.0.0.0/8.
In this example, the router is examining an inbound packet on the faculty ingress
port. The router compares this packet with the first filtering rule and determines
that it does not match. Following well-defined ACL testing procedures, the router
compares relevant portions of the packet to the second rule. Because the packet
has a destination IP address and destination TCP port that matches the second rule,
the router follows the “permit” action associated with the second rule.
Because the first two access control entries both specify resources to be permitted,
their relative sequence does not affect the overall effect of the ACL.


Deny faculty user access to administrative servers

Faculty users should not have access to administrative servers.

Packet to be tested:
  IP header:  Protocol 6 (TCP), Src 10.1.40.40, Dst 10.0.129.143
  TCP header: Src port 1052, Dst port 80
  [data]
Result: Match first entry? No. Match second entry? No. Match third entry? Yes. Action = Deny

Rules in access control list applied to faculty ingress port:
1 Permit source range 10.1.20.0/24 and dest. range 10.0.130.0/24
2 Permit source range 10.1.20.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
3 Deny source range 10.1.20.0/24 and destination range 10.0.0.0/8
4 Permit source range 10.1.20.0/24 and any destination address
(implicit) Deny any source address and any destination address


The third rule in this ACL causes the router to deny traffic that is destined for any
address within the 10.0.0.0/8 network that was not explicitly permitted by the first
or second rules in the list.
In this case, a faculty member is trying to access a host on the administrative
server network. Identity-based or role-based security probably would limit this
user’s access to the server. However, the third rule in the list prevents faculty users
from accessing the administrative server network and creating additional
congestion.
Because the packet does not match the conditions of the first or second rules, and
the destination address does fall within the range specified in the third rule, the
router follows the action associated with the third rule, and denies or drops the
packet.


Permit faculty user Internet access

Faculty users should have access to the Internet.

Packet to be tested:
  IP header:  Protocol 6 (TCP), Src 10.1.40.40, Dst 15.15.15.150
  TCP header: Src port 1066, Dst port 80
  [data]
Result: Match first entry? No. Match second entry? No. Match third entry? No. Match fourth entry? Yes. Action = Permit

Rules in access control list applied to faculty ingress port:
1 Permit source range 10.1.20.0/24 and dest. range 10.0.130.0/24
2 Permit source range 10.1.20.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
3 Deny source range 10.1.20.0/24 and destination range 10.0.0.0/8
4 Permit source range 10.1.20.0/24 and any destination address
(implicit) Deny any source address and any destination address


This slide shows the logic necessary for permitting Internet access by faculty
users. The sequence of the last two rules is crucial. While the third rule denies
access to intranet destinations not explicitly permitted by rules that appear earlier
in the list, the fourth rule permits access to all Internet destinations; that is, to
addresses outside of 10.0.0.0/8. This rule effectively overrides the implicit “deny
any” rule.


Access control for student users

Student resource                Characteristic
Web-based registration server   Host 10.0.130.115 AND TCP port 80
Internet                        All destinations not in 10.0.0.0/8 range

Diagram: ProCurve University intranet topology (Internet; Emp servers 10.0.128.0/24, Admin servers 10.0.129.0/24, Curriculum 10.0.130.0/24 with the registration server at .115; C1 on 10.0.100.0/24; R1A, R1B, R1C and R1D over 10.1.65.0/24 to 10.1.68.0/24; user networks Guests 10.1.10.0/24, Admin 10.1.30.0/24, Students 10.1.40.0/24, Faculty 10.1.20.0/24).

ProCurve University students require access to the Internet and, when they are on
campus, to a web-based registration server on the curriculum network. Students
should not be able to access any other servers on the curriculum network, nor
should they be able to use protocols other than HTTP on the registration server.
The next few pages will describe ACL logic to accomplish these goals.


Permit student access to web registration server

Students have access to only one web server on the curriculum network.
They should be denied access to all other servers in the intranet.

Packet to be tested:
  IP header:  Protocol 6 (TCP), Src 10.1.40.40, Dst 10.0.130.115
  TCP header: Src port 1044, Dst port 80
  [data]
Result: Match first entry? Yes. Action = Permit

Rules in ACL applied to student ingress port:
1 Permit source range 10.1.40.0/24 and dest. host 10.0.130.115 and dest. TCP port 80
2 Deny source range 10.1.40.0/24 and destination range 10.0.0.0/8
3 Permit source range 10.1.40.0/24 and any destination address
(implicit) Deny any source address and any destination address


In this example, a student is sending HTTP traffic to the web registration server.
Because the inbound packet on the student ingress port has characteristics that
match all of the conditions of the first rule, the router follows the action associated
with this rule and permits the packet.
Note that the first rule specifies port 80, the well-known TCP port for HTTP
traffic. This ensures that students will only have web access to the registration
server. Of course, the rule could specify another port number if the application
used a custom port or if, for instance, it used Secure Sockets Layer (SSL), which
uses the well-known port of 443.


Deny student traffic destined for administrative servers

The second rule in the list prevents students from sending traffic to any
intranet hosts other than the one permitted by the first rule.

Packet to be tested:
  IP header:  Protocol 6 (TCP), Src 10.1.40.40, Dst 10.0.129.143
  TCP header: Src port 1048, Dst port 80
  [data]
Result: Match first entry? No. Match second entry? Yes. Action = Deny

Rules in ACL applied to student ingress port:
1 Permit source range 10.1.40.0/24 and dest. host 10.0.130.115 and dest. TCP port 80
2 Deny source range 10.1.40.0/24 and destination range 10.0.0.0/8
3 Permit source range 10.1.40.0/24 and any destination address
(implicit) Deny any source address and any destination address


In this case, a student is trying to access a host on the administrative server
network. The characteristics of the packet shown above do not match with the first
rule, so the router compares the packet with the second rule. Because the
destination address falls within the range 10.0.0.0/8, the router drops the packet.
Of course, identity- or role-based security probably would prevent this user from
accessing the server. However, this ACL provides an additional layer of security
and prevents congestion by preventing the students from even sending packets to
the administrative server network.
The Access Control Entries (ACEs) are always processed in the order they were
created. In the example above, the host address permitted in the first rule is a
subset of the address range denied in the second rule. Because traffic destined for
the registration server matches both Rule 1 and Rule 2, reversing the sequence of
the rules would cause denial of traffic destined for the registration server. This
sequence demonstrates a general rule of ACL development. Entries that refer to a
more specific address range (i.e. smaller range, longer mask) should precede those
that refer to a less specific address range (i.e. larger range, shorter mask).


Student Internet access

Traffic with destinations outside 10.0.0.0/8 is permitted because it matches the third rule.

Packet to be tested:
  IP header:  Protocol 6 (TCP), Src 10.1.40.40, Dst 15.15.15.15
  TCP header: Src port 1052, Dst port 80
  [data]
Result: Match first entry? No. Match second entry? No. Match third entry? Yes. Action = Permit

Rules in ACL applied to student ingress port:
1 Permit source range 10.1.40.0/24 and dest. host 10.0.130.115 and dest. TCP port 80
2 Deny source range 10.1.40.0/24 and destination range 10.0.0.0/8
3 Permit source range 10.1.40.0/24 and any destination address
(implicit) Deny any source address and any destination address


Most traffic that originates in the student user network is destined for the Internet.
Accordingly, all traffic that has a destination address outside the 10.0.0.0/8 range
matches with the third rule and is permitted.
The destination address range specified in Rule 2 is a subset of the address range
specified in Rule 3. If these rules were reversed, and the entry with the larger range
appeared earlier in the list than the entry with the smaller range, students would be
able to send traffic to all intranet destinations as well as the Internet destinations
allowed by the university’s security policy.
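The first-match evaluation walked through on the faculty, student and guest slides, and the two rule-building strategies described earlier in this module, as an added Python model that is not part of the original guide and not the ProCurve switch CLI. The rule sets are the ones printed on the slides; the packets are constructed samples (the faculty packets use a 10.1.20.0/24 source so that the faculty rules apply). evaluate() returns the action and the number of the entry that matched, with 0 standing for the implicit "deny any" entry, and trace() reproduces the "Match first entry? ..." walk-through.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields an inbound ACL inspects (constructed sample data)."""
    src: str
    dst: str
    protocol: int = 6                # IP protocol number; 6 = TCP
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One access control entry: an action plus the criteria a packet must match."""
    action: str                      # "permit" or "deny"
    src_net: str                     # source range in CIDR notation
    dst_net: str                     # destination range; "0.0.0.0/0" = any destination
    protocol: Optional[int] = None   # None = any protocol
    dst_port: Optional[int] = None   # None = any destination port

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src_net):
            return False
        if ip_address(p.dst) not in ip_network(self.dst_net):
            return False
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        return True


def evaluate(acl: List[Rule], packet: Packet) -> Tuple[str, int]:
    """First-match evaluation as the router performs it.

    Returns (action, entry_number). Entry numbers are 1-based; 0 means the
    packet matched no explicit entry and fell to the implicit 'deny any'.
    """
    for number, rule in enumerate(acl, start=1):
        if rule.matches(packet):
            return rule.action, number
    return "deny", 0


def trace(acl: List[Rule], packet: Packet) -> str:
    """The slide's 'Match first entry? ...' walk-through as one string."""
    steps = []
    for number, rule in enumerate(acl, start=1):
        hit = rule.matches(packet)
        steps.append(f"Match entry {number}? {'Yes' if hit else 'No'}")
        if hit:
            steps.append(f"Action = {rule.action.capitalize()}")
            return "; ".join(steps)
    steps.append("Action = Deny (implicit)")
    return "; ".join(steps)


TCP = 6

# Faculty ingress ACL: explicit permits, one deny covering the rest of the
# intranet, then permit-any so Internet traffic overrides the implicit deny.
FACULTY_ACL = [
    Rule("permit", "10.1.20.0/24", "10.0.130.0/24"),
    Rule("permit", "10.1.20.0/24", "10.0.0.0/8", TCP, 25),
    Rule("deny",   "10.1.20.0/24", "10.0.0.0/8"),
    Rule("permit", "10.1.20.0/24", "0.0.0.0/0"),
]

# Student ingress ACL: the host-specific permit must precede the /8 deny.
STUDENT_ACL = [
    Rule("permit", "10.1.40.0/24", "10.0.130.115/32", TCP, 80),
    Rule("deny",   "10.1.40.0/24", "10.0.0.0/8"),
    Rule("permit", "10.1.40.0/24", "0.0.0.0/0"),
]

# Guest ingress ACL: the "deny what is forbidden, then permit the rest" strategy.
GUEST_ACL = [
    Rule("deny",   "10.1.10.0/24", "10.0.0.0/8"),
    Rule("permit", "10.1.10.0/24", "0.0.0.0/0"),
]

if __name__ == "__main__":
    samples = [
        ("faculty", FACULTY_ACL, Packet("10.1.20.20", "10.0.129.143", TCP, 25)),
        ("student", STUDENT_ACL, Packet("10.1.40.40", "10.0.129.143", TCP, 80)),
        ("guest",   GUEST_ACL,   Packet("10.1.10.10", "15.15.15.15", TCP, 80)),
    ]
    for name, acl, pkt in samples:
        print(f"{name}: {trace(acl, pkt)}")
```

Swapping the first two student entries makes the model deny the registration packet at entry 1, which is the ordering mistake the "more specific before less specific" rule exists to prevent; a packet whose source is outside the range every entry names (for example a student address tested against the faculty list) reaches no explicit entry and is dropped by the implicit deny.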


Access control for admin users

Admin resource                  Characteristic
Admin and HR servers            Range 10.0.129.0/24
Web-based registration server   Host 10.0.130.115 AND TCP port 80
Email/scheduling                Range 10.0.0.0/8 AND TCP port 25
Internet                        All destinations not in 10.0.0.0/8 range

Diagram: ProCurve University intranet topology (Internet; Emp servers 10.0.128.0/24, Admin servers 10.0.129.0/24, Curriculum 10.0.130.0/24 with the registration server at .115; C1 on 10.0.100.0/24; R1A, R1B, R1C and R1D over 10.1.65.0/24 to 10.1.68.0/24; user networks Guests 10.1.10.0/24, Admin 10.1.30.0/24, Students 10.1.40.0/24, Faculty 10.1.20.0/24).

Administrative users at ProCurve University require the following access to
resources:
• The network that contains administrative and HR servers
• Web-based registration server (but not the entire curriculum network)
• Email/scheduling application
• Internet
The next few pages will present the logic for an ACL to permit this access while
denying access to other resources.


Permit admin user access to web registration server

Packet to be tested:
  IP header:  Protocol 6 (TCP), Src 10.1.30.30, Dst 10.0.130.115
  TCP header: Src port 1036, Dst port 80
  [data]
Result: Match first entry? No. Match second entry? Yes. Action = Permit

Rules in ACL applied to admin ingress port:
1 Permit source range 10.1.30.0/24 and dest. range 10.0.129.0/24
2 Permit source range 10.1.30.0/24 and dest. host 10.0.130.115 and dest. TCP port 80
3 Permit source range 10.1.30.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
4 Deny source range 10.1.30.0/24 and destination range 10.0.0.0/8
5 Permit source range 10.1.30.0/24 and any destination address
(implicit) Deny any source address and any destination address


In this example, a user from the administrative network is attempting to access the
web registration server. The characteristics of the inbound packet being tested do
not match with the first rule in the ACL, but they do match with the second rule.
The packet is permitted.


Permit admin access to HR and admin servers

Packet to be tested:
  IP header:  Protocol 6 (TCP), Src 10.1.30.30, Dst 10.0.129.143
  TCP header: Src port 1042, Dst port 80
  [data]
Result: Match first entry? Yes. Action = Permit

Rules in ACL applied to admin ingress port:
1 Permit source range 10.1.30.0/24 and dest. range 10.0.129.0/24
2 Permit source range 10.1.30.0/24 and dest. host 10.0.130.115 and dest. TCP port 80
3 Permit source range 10.1.30.0/24 and dest. range 10.0.0.0/8 and dest. TCP port 25
4 Deny source range 10.1.30.0/24 and destination range 10.0.0.0/8
5 Permit source range 10.1.30.0/24 and any destination address
(implicit) Deny any source address and any destination address


In this example, the user is permitted access to a host on the administrative server
network. The first rule in the ACL permits access to any host in the range
10.0.129.0/24.
Like the ACL applied to the faculty ingress port, this ACL contains a rule that
provides access to the email/scheduling application. Because the admin users need
access to the web registration server, this ACL also contains a rule that provides
access to that resource. In fact, the first three rules in the ACL could be entered in
any order because they all specify the “permit” action. However, the rule that
permits access to the administrative network is placed first because that is the
resource most frequently accessed by these users.
Because admin users need Internet access, the final explicit entry in the ACL
applied to their ingress port overrides the implicit “deny any” entry.
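The ordering claims made for the admin ACL (the three permit entries may be entered in any order, while the position of the deny entry and the final permit-any matters) and the "more specific before less specific" rule from the student pages can be checked before an ACL is deployed. The following Python is an added example, not part of the original guide and not a ProCurve tool: it takes the entries printed on the admin slide (and a deliberately mis-ordered copy of the student list) and reports which pairs of entries are order-sensitive (different actions with overlapping match sets) and which entries are shadowed (unreachable because an earlier entry covers every packet they would match). The entry representation is a simplified tuple assumed for this example.

```python
from collections import namedtuple
from ipaddress import ip_network
from itertools import combinations
from typing import List, Tuple

# One access control entry: action, source range, destination range and
# destination TCP/UDP port (None = any port). Simplified for this example.
Ace = namedtuple("Ace", "action src dst port")

# Entries as printed on the admin slide.
ADMIN_ACL = [
    Ace("permit", "10.1.30.0/24", "10.0.129.0/24", None),
    Ace("permit", "10.1.30.0/24", "10.0.130.115/32", 80),
    Ace("permit", "10.1.30.0/24", "10.0.0.0/8", 25),
    Ace("deny",   "10.1.30.0/24", "10.0.0.0/8", None),
    Ace("permit", "10.1.30.0/24", "0.0.0.0/0", None),
]

# The student list with its first two entries swapped: the mistake the
# "specific before general" rule guards against.
STUDENT_ACL_SWAPPED = [
    Ace("deny",   "10.1.40.0/24", "10.0.0.0/8", None),
    Ace("permit", "10.1.40.0/24", "10.0.130.115/32", 80),
    Ace("permit", "10.1.40.0/24", "0.0.0.0/0", None),
]


def overlaps(a: Ace, b: Ace) -> bool:
    """True if at least one packet could match both entries."""
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and (a.port is None or b.port is None or a.port == b.port))


def covers(outer: Ace, inner: Ace) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and (outer.port is None or outer.port == inner.port))


def order_sensitive_pairs(acl: List[Ace]) -> List[Tuple[int, int]]:
    """1-based (earlier, later) pairs whose relative order changes the ACL's
    effect: different actions and overlapping match sets. Entries with the
    same action never appear here, so they may be entered in any order."""
    return [(i, j) for (i, a), (j, b) in combinations(enumerate(acl, 1), 2)
            if a.action != b.action and overlaps(a, b)]


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """1-based numbers of entries that can never match because an earlier,
    less specific entry already covers everything they would match."""
    return sorted({j for (i, a), (j, b) in combinations(enumerate(acl, 1), 2)
                   if covers(a, b)})


if __name__ == "__main__":
    print("admin order-sensitive pairs:", order_sensitive_pairs(ADMIN_ACL))
    print("admin shadowed entries:", shadowed_entries(ADMIN_ACL))
    print("swapped student list shadowed entries:", shadowed_entries(STUDENT_ACL_SWAPPED))
```

For the admin list the report names the deny entry (4) paired with each permit it overlaps and the final permit-any, and no shadowed entries; for the swapped student list entry 2 is reported as shadowed, which is exactly the case in which traffic to the registration server would be dropped.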


Access control for guests

Guest resource                  Characteristic
Internet                        All destinations not in 10.0.0.0/8 range

Diagram: ProCurve University intranet topology (Internet; Emp servers 10.0.128.0/24, Admin servers 10.0.129.0/24, Curriculum 10.0.130.0/24 with the registration server at .115; C1 on 10.0.100.0/24; R1A, R1B, R1C and R1D over 10.1.65.0/24 to 10.1.68.0/24; user networks Guests 10.1.10.0/24, Admin 10.1.30.0/24, Students 10.1.40.0/24, Faculty 10.1.20.0/24).

Because guests only have access to the Internet, the ACL applied to their ingress
port is quite simple.


Deny guest access to intranet destinations

Guest users are denied access to any host in the 10.0.0.0/8 address range.

Packet to be tested:
  IP header:  Protocol 6 (TCP), Src 10.1.10.10, Dst 10.0.130.115
  TCP header: Src port 1052, Dst port 80
  [data]
Result: Match first entry? Yes. Action = Deny

Rules in ACL applied to guest ingress port:
1 Deny source range 10.1.10.0/24 and destination range 10.0.0.0/8
2 Permit source range 10.1.10.0/24 and any destination address
(implicit) Deny any source address and any destination address


The ACL applied to the guest ingress port has only two rules. The first denies
traffic with a destination within the 10.0.0.0/8 range and the second, shown on the
next page, permits traffic with a destination address outside that range.


Permit guest access to Internet destinations

Guest users are permitted access to hosts outside the 10.0.0.0/8 address range.

Packet to be tested:
  IP header:  Protocol 6 (TCP), Src 10.1.10.10, Dst 15.15.15.15
  TCP header: Src port 1052, Dst port 80
  [data]
Result: Match first entry? No. Match second entry? Yes. Action = Permit

Rules in ACL applied to guest ingress port:
1 Deny source range 10.1.10.0/24 and destination range 10.0.0.0/8
2 Permit source range 10.1.10.0/24 and any destination address
(implicit) Deny any source address and any destination address


Guest packets destined for networks outside the range of 10.0.0.0/8 match the
second rule and are permitted.


Module 4 summary

In this module, you learned:
• How ACLs enhance network security
• Criteria that can be used as the basis for ACLs
• How to plan for effective ACLs
• General rules for the development of effective ACLs


Module 4 of IP Routing Foundations described the theory underlying the
development of effective ACLs. Using the physical security requirements of a
hospital as an analogy, the module showed how ACLs can enhance the security of
network resources, including resources such as servers that are already protected
by passwords and other measures. The module also showed the criteria, including
IP, TCP, and UDP header fields, that can be used as a basis for ACL development.
Finally, the module presented rules and techniques for planning and developing
effective ACLs.


Module 4 learning check

1. Name three criteria that can be used to specify traffic for special handling in
an ACL.
a.
b.
c.

2. What is the implied “deny any” rule?

3. In an ACL, why should a more specific (longer mask) rule precede the less
specific (shorter mask) rule?

Learning Check Answers


Module 1 learning check


1. What are the four types of router interfaces?
a. physical, created by assigning a mask and IP address to a physical port
b. virtual, associates an IP address and mask with a VLAN
c. loopback, assigns IP address and mask to interface not associated with any
physical port
d. multinetted, assigns two or more IP addresses and masks to a physical,
virtual, or loopback interface

2. What is the difference between an Interior Gateway Protocol and an Exterior
Gateway Protocol?
Interior Gateway Protocols (IGP) involve communication among routers
that are under common administrative control and use the same protocol for
exchanging information; that is, in the same autonomous system. Exterior
Gateway Protocols (EGP) involve communication among routers that are
under different administrative control; that is, in different autonomous
systems.

3. Name and describe one important disadvantage of RIP.


Changes in routing topology often propagate slowly (in comparison to OSPF)
because information in each router’s table is acquired from routers as many
as 15 hops away.

4. What is “Split Horizon”?


Advertisements a router sends onto a network do not include the address
ranges for which the next hop is on that network.

5. What is network summarization and why is it necessary?


Network summarization can increase routing efficiency by replacing many
individual, specific network advertisements with a single statement that
specifies a larger range of addresses using a shorter mask.

6. What is “poisoned reverse”?


Poisoned Reverse is a variation of Split Horizon that can help speed
convergence in meshed networks. Instead of omitting the routes that Split
Horizon rules exclude from the advertisement, the router poisons those
routes, making it impossible for the router receiving the advertisement to
consider the sender as a valid next hop toward the poisoned address ranges.


Module 2 learning check


1. Name the two types of OSPF networks.
a. Transit networks have two or more connected routers. As such, they are
potential paths for traffic that originates within or is destined for some
other network.
b. Stub networks have only one router. They are considered stubs because
there is only one point of entry (router) to the network. Traffic that
comes from or is destined for other networks is never forwarded into a
stub network. Stub networks will be discussed in more detail later in this
module.

2. Define the following:


ABR: A router with an interface in the backbone and in at least one other
area.
ASBR: A router responsible for generating an AS External LSA for each
non-OSPF network.

3. Describe the process by which OSPF routers form adjacencies.


a. Exchange Hello messages
b. Two-way neighbor recognition
c. DR election
d. Exchange database descriptions
e. Request and exchange link state packets
f. Update link state databases

4. What types of OSPF LSAs are confined to a single area and how are they
used?
Router LSAs and Network LSAs are confined to a single area. DRs send
Network LSAs to advertise networks. All OSPF routers send Router LSAs to
advertise changes in their link states.

5. What techniques enable administrators to limit the size of OSPF link-state
databases and enhance routing efficiency?
Make sure areas are not too large and do not contain too many routers. Use
network summarization to limit number of entries in databases.


Module 3 learning check


1. Why is Spanning Tree an incomplete solution for redundancy in a routed
network?
Spanning Tree ensures link redundancy, but does not address issues that can
arise when hosts lose contact with their default gateways.

2. Name the technologies for default gateway redundancy that are supported by
ProCurve switches.
a. VRRP (9300m)
b. VRRPE (9300m)
c. XRRP (3400cl/5300xl)

3. How is the Master router determined in a VRRP implementation?


The Owner of the shared IP address is the Master for each VRID.

4. How does VRRPE differ from VRRP?


VRRPE is a proprietary enhancement of VRRP available on the 9300m. In
VRRPE, there is no IP address Owner. Instead, the Master for each VRID is
the router configured with the highest priority. The virtual IP address is
configured by the administrator.


Module 4 learning check


1. Name three criteria that can be used to specify traffic for special handling in
an ACL.
a. source address
b. destination address
c. TCP or UDP port number.

2. What is the implied “deny any” rule and why is it necessary?


The implied “deny any” rule is the last rule in an ACL. It implicitly denies all
traffic that was not explicitly permitted by a rule that appears earlier in the
list.

3. In an ACL, why should a more specific (longer mask) rule precede the less
specific (shorter mask) rule?
Because ACLs are processed in the order they are created. When the switch
locates a match, it stops processing the ACL. If the rule with a shorter mask
is applied first, it may prevent a more specific rule from being applied.



For further information, please visit our Web site at:
www.procurve.com

© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is
subject to change without notice. The only warranties for HP products and services are set forth in
the express warranty statements accompanying such products and services. Nothing herein should
be construed as constituting an additional warranty. HP shall not be liable for technical or
editorial errors or omissions contained herein.