HCIE-R&S Material
Confidentiality Level
Chapter 1 RIP ........ 4
1.1 Principles ........ 4
1.2 RIPv2 Enhanced Features ........ 6
1.3 Split Horizon and Poison Reverse ........ 7
1.4 Multi-process and Multi-instance ........ 9
1.5 RIP and BFD Association ........ 9
1.6 Hot Standby ........ 11
1.7 Examples for Configuring RIP ........ 11
Chapter 2 IS-IS ........ 20
2.1 IS-IS Basic Concepts ........ 20
2.2 IS-IS Basic Principles ........ 27
2.3 IS-IS Authentication ........ 33
2.4 IS-IS Route Leaking ........ 34
2.5 IS-IS Overload ........ 35
2.6 IS-IS Route Management ........ 36
2.7 IS-IS LSP Fragment Extension ........ 40
2.8 IS-IS Host Name Mapping ........ 43
2.9 IS-IS Reliability ........ 43
2.10 IS-IS GR ........ 45
2.11 BFD for IS-IS ........ 50
2.12 IS-IS Auto FRR ........ 53
2.13 IS-IS Multi-Instance and Multi-Process ........ 56
2.14 IS-IS IPv6 ........ 57
2.15 Examples for Configuring of ISIS ........ 59
Chapter 3 OSPF ........ 112
3.1 OSPF Summary ........ 112
3.2 Fundamentals of OSPF ........ 112
3.3 BFD for OSPF ........ 122
3.4 OSPF GTSM ........ 124
3.5 OSPF Smart-discover ........ 125
3.6 OSPF VPN ........ 125
3.7 OSPF NSSA ........ 132
3.8 OSPF Fast Convergence ........ 133
3.9 OSPF IP FRR ........ 135
3.10 Advertising Host Routes ........ 136
3.11 OSPF-BGP Association ........ 137
3.12 OSPF GR ........ 138
3.13 OSPF-LDP Association ........ 141
3.14 OSPF Database Overflow ........ 143
3.15 OSPF Mesh-Group ........ 144
3.16 Example for Configuring of OSPF ........ 146
Chapter 4 BGP ........ 192
4.1 BGP Concepts ........ 192
4.2 BGP Working Principles ........ 194
4.3 Interaction between BGP and an IGP ........ 197
4.4 BGP Security ........ 198
4.5 BGP Route Selection Rules and Load Balancing ........ 199
4.6 Examples for Configuring of BGP ........ 203
Chapter 5 BGP Extension Technique ........ 234
5.1 Route Reflector ........ 234
5.2 BGP Confederation ........ 238
5.3 Route Summarization ........ 240
5.4 Route Dampening ........ 240
5.5 Association between BGP and BFD ........ 241
5.6 BGP Tracking ........ 242
5.7 BGP Auto FRR ........ 243
5.8 BGP GR and NSR ........ 244
5.9 Dynamic Update Peer-Groups ........ 245
5.10 Examples for Configuring of BGP Extension Technique ........ 248
Chapter 6 Router Import and Control ........ 267
6.1 Routing Policy ........ 267
6.2 Policy-based Routing ........ 270
6.3 Examples for Configuring of Route Import and Control ........ 273
Chapter 7 VLAN ........ 310
7.1 Basic Concepts of VLAN ........ 310
7.2 VLAN Assignment ........ 314
7.3 Principle of VLAN Communication ........ 318
7.4 VLAN Aggregation ........ 324
7.5 MUX VLAN ........ 331
7.6 Examples for Configuring of VLAN ........ 332
Chapter 8 Layer 2 Ethernet Technologies ........ 347
8.1 ARP ........ 347
8.2 MAC Address Table ........ 349
8.3 Link Aggregation ........ 354
8.4 GVRP ........ 358
8.5 Example for Configuration ........ 360
Chapter 9 Layer 2 WAN Technologies ........ 401
9.1 PPP ........ 401
9.2 MP ........ 409
9.3 PPPoE ........ 412
9.4 Frame Relay ........ 417
9.5 Examples for Configuring of Layer 2 WAN Technologies ........ 426
2016-1-11
Huawei Confidential
Page 1 of 1210
Chapter 1 RIP
1.1 Principles
RIP is based on the Distance-Vector (DV) algorithm. RIP uses the hop count (HC) to measure the distance to the destination; this distance is called the metric value. In RIP, the default HC from a router to its directly connected network is 0, the HC from a router to a network reachable through one other router is 1, and so on. That is, the HC equals the number of routers passed from the local network to the destination network. To speed up network convergence, RIP defines the HC as an integer that ranges from 0 to 15. An HC of 16 or greater is defined as infinity, meaning that the destination network or host is unreachable.
1.1.1 RIP Routing Table
When RIP starts on a router, the RIP routing table contains only the routes to the directly connected interfaces. After neighboring routers on different network segments learn the routing entries from each other, they can communicate with each other.
Figure 1-1-1 RIP routing table generation
As shown in Figure 1-1-1, the RIP routing table is generated as follows:
1. RIP starts, and RouterA broadcasts Request packets to its neighboring routers.
2. When it receives the Request packet, RouterB encapsulates its own routing table into a Response packet and broadcasts the Response packet on the network segment connected to the interface that received the Request packet.
3. RouterA generates a routing table based on the Response packet sent from RouterB.
1.1.2 RIP Update and Maintenance
RIP uses four timers to update and maintain routing information:
Update timer: When this timer expires, a router immediately sends an Update packet.
Age timer: If a RIP device does not receive an Update packet from a neighbor within the aging time, the RIP device considers the route to this neighbor unreachable.
Garbage-collect timer: If a RIP device does not receive an Update packet of an unreachable route within the timeout interval, the device deletes the routing entry from the routing table.
Suppress timer: When a RIP device receives an Update packet with the Cost field being 16 from a neighbor, the route is suppressed and the suppress timer starts. To avoid route flapping, the RIP device does not accept any Update packet before the suppress timer expires even if the Cost field in an Update packet is smaller than 16. After the suppress timer expires, the RIP device accepts new Update packets.
Relationships between RIP routes and timers:
The interval for sending Update packets is determined by the Update timer, which is 30 seconds by default.
Each routing entry has two timers: the age timer and the Garbage-collect timer. When a RIP device adds a learned route to the local routing table, the age timer starts for that routing entry. If the RIP device does not receive an Update packet from the neighbor before the age timer expires, the RIP device sets the Cost value of the route to 16 (unreachable) and starts the Garbage-collect timer. If the RIP device still receives no Update packet before the Garbage-collect timer expires, it deletes the routing entry from the routing table.
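The lifecycle just described can be modelled as a small state machine over one routing entry. The following Python code is an added example, not part of the Huawei material: the 180-second age timer default is the value this chapter states in Table 1-5-1, while the 120-second garbage-collect and suppress intervals and the flag letters A/S/G (taken from the `display rip route` output shown in 1.7.1) are assumptions of this model.

```python
INFINITY = 16   # RIP cost meaning "unreachable"


class RipRoute:
    """One RIP routing entry and the timers that govern it (all times in seconds)."""
    AGE = 180        # age timer default, as stated in Table 1-5-1 of this chapter
    GARBAGE = 120    # assumption: garbage-collect interval (not given on this page)
    SUPPRESS = 120   # assumption: suppress interval (not given on this page)

    def __init__(self, prefix, cost, next_hop, now=0):
        self.prefix, self.cost, self.next_hop = prefix, cost, next_hop
        self.flag = "A"                 # A = Aging, S = Suppressed, G = Garbage-collect
        self.deadline = now + self.AGE  # when the currently running timer expires
        self.deleted = False

    def tick(self, now):
        """Advance the clock to `now`; return the entry's flag, or None once it is deleted."""
        if self.deleted:
            return None
        if now >= self.deadline:
            if self.flag == "A":        # age timer expired: cost 16, start garbage-collect timer
                self.cost, self.flag, self.deadline = INFINITY, "G", now + self.GARBAGE
            elif self.flag == "S":      # suppress timer expired, no better Update: garbage-collect
                self.flag, self.deadline = "G", now + self.GARBAGE
            else:                       # garbage-collect timer expired: remove the entry
                self.deleted = True
                return None
        return self.flag

    def on_update(self, now, cost, from_hop):
        """Apply an Update packet for this prefix; return 'accepted', 'suppressed' or 'ignored'."""
        self.tick(now)                                   # fire any timer that expired before the packet
        if self.flag == "S":                             # still inside the suppress interval
            return "ignored"                             # not even a smaller cost is accepted yet
        if cost >= INFINITY:
            if self.deleted or from_hop != self.next_hop:
                return "ignored"                         # nothing to poison, or not our next hop
            self.cost, self.flag, self.deadline = INFINITY, "S", now + self.SUPPRESS
            return "suppressed"
        if not self.deleted and self.flag == "A" and from_hop != self.next_hop and cost >= self.cost:
            return "ignored"                             # no better than the route already in use
        self.cost, self.next_hop, self.flag = cost, from_hop, "A"   # (re)install and restart aging
        self.deadline, self.deleted = now + self.AGE, False
        return "accepted"
```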
1.1.2 Triggered Update
When routing information changes, a device immediately sends an Update packet to its neighbors, without waiting for the Update timer to expire. This function avoids loops.
Figure 1-1-2 Triggered update
As shown in Figure 1-1-2, RouterC first learns that network 11.4.0.0 is unreachable.
If RouterC does not support triggered update when detecting a link fault, it has to wait until the Update timer expires. If RouterC receives an Update packet from RouterB before its Update timer expires, RouterC learns a wrong route to network 11.4.0.0. In this case, the next hops of the routes from RouterB or RouterC to network 11.4.0.0 are RouterC and RouterB respectively. A routing loop is generated.
If RouterC supports triggered update when detecting a link fault, RouterC immediately sends an Update packet to RouterB so that a routing loop is prevented.
1.2 RIPv2 Enhanced Features
Two versions of RIP are available: RIPv1 and RIPv2. RIPv2 is an extension of RIPv1.
1.2.1 Comparison between RIPv1 and RIPv2
RIP version 1 (RIPv1) is a classful (as opposed to classless) routing protocol. It supports the advertisement of protocol packets only in broadcast mode. Figure 1-2-1 shows the packet format. A RIPv1 protocol packet does not carry any mask, so it can identify only the routes of natural network segments such as Class A, Class B, and Class C, and it does not support route aggregation or discontiguous subnets. RIP version 2 (RIPv2) is a classless routing protocol. Figure 1-2-2 shows the packet format.
Figure 1-2-1 RIPv1 packet format
Figure 1-2-2 RIPv2 packet format
Compared with RIPv1, RIPv2 has the following advantages:
Supports route tag and can flexibly control routes on the basis of the tag in the routing policy.
Has packets that contain mask information and supports route summarization and Classless Inter-domain Routing (CIDR).
Supports the next hop address and can select the optimal next hop address in the broadcast network.
Supports sending update packets in multicast mode. Only RIPv2 routers can receive protocol packets. This reduces resource consumption.
Provides two authentication modes to enhance security: plain-text authentication and MD5 authentication.
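To make the RIPv2 packet format and the authentication entry concrete, here is an added Python parser and audit routine (not code from the Huawei material). It follows the RFC 2453 layout (4-byte header, 20-byte route entries, address family 0xFFFF marking the authentication entry, type 2 = plain-text password, type 3 = MD5); the sample Response it constructs for RouterB of Figure 1-7-1 and the password "huawei" are constructed test data, and the checks it reports (unauthenticated update, plain-text password, metric outside 1..16) are what a defender capturing RIP traffic would want flagged.

```python
import struct
from ipaddress import IPv4Address

COMMANDS = {1: "Request", 2: "Response"}
AF_INET = 2
AF_AUTH = 0xFFFF                               # RIPv2 authentication entry (RFC 2453)
AUTH_TYPES = {2: "simple-password", 3: "md5"}  # 3 = keyed MD5 (RFC 2082)
INFINITY = 16


def rte(prefix, mask, next_hop, metric, tag=0):
    """Pack one 20-byte RIPv2 route entry: AFI, route tag, address, mask, next hop, metric."""
    return struct.pack("!HH4s4s4sI", AF_INET, tag, IPv4Address(prefix).packed,
                       IPv4Address(mask).packed, IPv4Address(next_hop).packed, metric)


def parse_rip(packet):
    """Parse a RIPv1/RIPv2 packet into a dict; a leading 0xFFFF entry is the authentication entry."""
    if len(packet) < 4 or (len(packet) - 4) % 20:
        raise ValueError("bad RIP packet length %d" % len(packet))
    command, version, _must_be_zero = struct.unpack("!BBH", packet[:4])
    parsed = {"command": COMMANDS.get(command, command), "version": version,
              "auth": None, "routes": []}
    for off in range(4, len(packet), 20):
        entry = packet[off:off + 20]
        afi = struct.unpack("!H", entry[:2])[0]
        if afi == AF_AUTH:
            if off == 4:                                   # first entry: authentication
                auth_type = struct.unpack("!H", entry[2:4])[0]
                parsed["auth"] = {"type": AUTH_TYPES.get(auth_type, auth_type),
                                  "data": entry[4:]}       # password (type 2) or MD5 fields
            continue                                       # trailing 0xFFFF entry: MD5 digest
        _afi, tag, addr, mask, nh, metric = struct.unpack("!HH4s4s4sI", entry)
        parsed["routes"].append({"prefix": str(IPv4Address(addr)), "mask": str(IPv4Address(mask)),
                                 "next_hop": str(IPv4Address(nh)), "metric": metric, "tag": tag})
    return parsed


def audit(parsed, require_auth=True):
    """Findings on a Response a defender would want: weak or missing auth, out-of-range metrics."""
    findings = []
    if parsed["command"] != "Response":
        return findings
    if parsed["version"] == 1:
        findings.append("RIPv1 Response: no masks, no authentication")
    elif require_auth and parsed["auth"] is None:
        findings.append("unauthenticated RIPv2 Response")
    elif parsed["auth"] and parsed["auth"]["type"] == "simple-password":
        findings.append("plain-text password readable on the wire")
    for r in parsed["routes"]:
        if not 1 <= r["metric"] <= INFINITY:          # RFC 2453: such entries must be ignored
            findings.append("invalid metric %d for %s (must be 1..16)" % (r["metric"], r["prefix"]))
    return findings


def sample_response(password=None, metrics=(1, 1)):
    """Constructed RIPv2 Response as RouterB in Figure 1-7-1 would send it to RouterA."""
    header = struct.pack("!BBH", 2, 2, 0)                 # command=Response, version=2, zero
    auth = b"" if password is None else struct.pack("!HH16s", AF_AUTH, 2, password)
    return (header + auth
            + rte("10.1.1.0", "255.255.255.0", "0.0.0.0", metrics[0])      # 0.0.0.0 = sender
            + rte("172.16.1.0", "255.255.255.0", "0.0.0.0", metrics[1]))
```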
1.2.2 RIPv2 Route Summarization
When different subnet routes in the same natural network segment are transmitted to other network segments, these routes are summarized into one route of the same segment. This process is called route summarization. RIPv1 packets do not carry mask information, so RIPv1 can advertise only the routes with natural masks. Because RIPv2 packets carry mask information, RIPv2 supports subnetting. RIPv2 route summarization improves extensibility and efficiency and minimizes the routing table size of a large-sized network. Route summarization is classified into two types:
RIP process-based classful summarization: Summarized routes are advertised using natural masks. For example, route 10.1.1.0/24 (metric=2) and route 10.1.2.0/24 (metric=3) are summarized into route 10.0.0.0/8 (metric=2) of the natural network segment. RIPv2 classful summarization gives the summarized route the optimal (lowest) metric.
Interface-based summarization: A user can specify a summarized address. For example, route 10.1.0.0/16 (metric=2) can be configured on the interface as the summarized route of route 10.1.1.0/24 (metric=2) and route 10.1.2.0/24 (metric=3).
1.3 Split Horizon and Poison Reverse
1.3.1 Split Horizon
Split horizon ensures that a route learned by RIP on an interface is not sent to neighbors from the same interface. This feature reduces bandwidth consumption and avoids routing loops. Split horizon provides two models for different networks: interface-based split horizon and neighbor-based split horizon. Broadcast, P2P, and P2MP networks use interface-based split horizon, as shown in Figure 1-3-1.
Figure 1-3-1 Interface-based split horizon
RouterA sends routing information destined for 10.0.0.0/8 to RouterB. If split horizon is not configured, RouterB sends the route learned from RouterA back to RouterA. Thus RouterA can learn two routes destined for 10.0.0.0/8: a direct route with hop count 0 and a route with the next hop RouterB and hop count 2. However, only the direct route in the RIP routing table on RouterA is active. When the route from RouterA to network 10.0.0.0 becomes unreachable, RouterB does not receive the unreachable message immediately and still notifies RouterA that network 10.0.0.0/8 is reachable. Therefore, RouterA receives incorrect routing information that network 10.0.0.0/8 is reachable through RouterB, and RouterB considers that network 10.0.0.0/8 is reachable through RouterA. A routing loop is thus generated. With the split horizon feature, RouterB does not send the route destined for 10.0.0.0/8 back to RouterA. Routing loops are avoided.
On a Non-Broadcast Multiple Access (NBMA) network, an interface connects to multiple neighbors; therefore, split horizon is performed based on neighbors. Routes are advertised in unicast mode. The routes received by an interface are differentiated by neighbors. The route learned from a neighbor is not sent back to that neighbor through the same interface.
Figure 1-3-2 Neighbor-based split horizon
As shown in Figure 1-3-2, after split horizon is configured on an NBMA network, RouterA sends route 10.0.0.0/8 learned from RouterB to RouterC, but does not send it to RouterB.
1.3.2 Poison Reverse
Poison reverse ensures that RIP sets the cost of the route learned from an interface of a neighbor to 16 (unreachable) and then sends the route from the same interface back to the neighbor. This feature deletes useless routes from the routing table and avoids routing loops.
Poison reverse prevents loops, as shown in Figure 1-3-3.
Figure 1-3-3 Poison reverse
After receiving a route from RouterA, RouterB sends an unreachable message (with the route Cost being 16) to RouterA. RouterA then does not learn the route from RouterB. A routing loop is avoided.
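To see why the RouterA/RouterB scenario of Figure 1-3-1 loops without split horizon and converges with it (or with poison reverse), here is an added Python simulation, not part of the Huawei material. It assumes, as the text describes, that RouterB's Update reaches RouterA before RouterA's own Update timer fires, and applies the RFC 2453 rule that an Update from the route's current next hop is always accepted even when its cost is worse; the 16-hop infinity is the value the chapter defines.

```python
INFINITY = 16  # RIP hop count meaning "unreachable"


class Router:
    def __init__(self, name):
        self.name = name
        self.table = {}  # prefix -> (cost, next_hop); next_hop None = directly connected

    def advertise(self, neighbor, split_horizon=False, poison_reverse=False):
        """Build the Update this router sends to `neighbor`."""
        update = {}
        for prefix, (cost, next_hop) in self.table.items():
            if next_hop is neighbor:
                if poison_reverse:           # send it back, but as unreachable
                    update[prefix] = INFINITY
                    continue
                if split_horizon:            # do not send it back at all
                    continue
            update[prefix] = cost
        return update

    def receive(self, sender, update):
        """Process an Update from a neighbour (distance-vector step, RFC 2453 acceptance rules)."""
        for prefix, advertised in update.items():
            new_cost = min(advertised + 1, INFINITY)
            current = self.table.get(prefix)
            if current is None:
                if new_cost < INFINITY:
                    self.table[prefix] = (new_cost, sender)
                continue
            cost, next_hop = current
            # an Update from the current next hop is always applied, even if worse;
            # one from any other neighbour only if it is strictly better
            if next_hop is sender or new_cost < cost:
                self.table[prefix] = (new_cost, sender)


def run(split_horizon=False, poison_reverse=False, max_rounds=50):
    """Figure 1-3-1: RouterA owns 10.0.0.0/8, RouterB learns it, then RouterA's link fails."""
    a, b = Router("RouterA"), Router("RouterB")
    a.table["10.0.0.0/8"] = (0, None)           # RouterA's directly connected network
    order = [(b, a), (a, b)]                     # RouterB's Update reaches RouterA first

    def exchange():
        for sender, receiver in order:
            receiver.receive(sender, sender.advertise(receiver, split_horizon, poison_reverse))

    exchange()
    exchange()                                   # steady state: RouterB has 10.0.0.0/8 via A, cost 1
    assert b.table["10.0.0.0/8"] == (1, a)
    a.table["10.0.0.0/8"] = (INFINITY, None)     # link to 10.0.0.0/8 fails; no triggered update

    rounds, looped = 0, False
    for rounds in range(1, max_rounds + 1):
        before = (dict(a.table), dict(b.table))
        exchange()
        cost_a, nh_a = a.table["10.0.0.0/8"]
        cost_b, nh_b = b.table["10.0.0.0/8"]
        if nh_a is b and nh_b is a and cost_a < INFINITY and cost_b < INFINITY:
            looped = True                        # each router forwards to the other: a routing loop
        if (dict(a.table), dict(b.table)) == before:
            break                                # nothing changed this round: converged
    return {"rounds": rounds, "cost_a": a.table["10.0.0.0/8"][0],
            "cost_b": b.table["10.0.0.0/8"][0], "loop": looped}
```

Without split horizon the two routers count up to 16 two hops per round (a loop exists the whole time); with split horizon or poison reverse both sides hold cost 16 after the first exchange.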
1.4 Multi-process and Multi-instance
The multi-process feature associates a RIP process with multiple interfaces, ensuring that the specific process performs all the protocol-related operations only on these interfaces. With the multi-process feature, multiple RIP processes can run on a device independently. Route exchange between RIP processes is similar to route exchange between routing protocols. RIP multi-instance associates a VPN instance with a RIP process so that the VPN instance can be associated with all interfaces on this process.
1.5 RIP and BFD Association
A link fault or topology change causes routers to recalculate routes, so route convergence must be fast enough to maintain network performance. One way to speed up route convergence is to detect faults quickly and notify the routing protocols of them. Bidirectional Forwarding Detection (BFD) detects faults on links between neighboring routers. When associated with a routing protocol, BFD rapidly detects link faults and reports them to the protocol, which then quickly triggers route convergence, minimizing the traffic loss caused by topology changes. After RIP is associated with BFD, BFD rapidly detects link faults and reports them to RIP so that RIP responds quickly to network topology changes. Table 1-5-1 lists the link fault detection mechanism and convergence speed before and after BFD is associated with RIP.
Table 1-5-1 Features of RIP and BFD association
RIP and BFD Association | Link Fault Detection Mechanism | Convergence Speed
Disabled | The RIP age timer expires. By default, the timeout interval is 180 seconds. | Second-level (> 180 seconds)
Enabled | The BFD session goes Down. | Second-level (< 30 seconds)
1.5.1 Principle
BFD is classified into static BFD and dynamic BFD:
Static BFD: In static BFD, BFD session parameters (including the local and remote discriminators) are set manually using commands, and BFD session setup requests are delivered manually.
Dynamic BFD: In dynamic BFD, BFD session setup is triggered by routing protocols. The local discriminator is allocated dynamically and the remote discriminator is obtained from the peer. A routing protocol notifies BFD of the neighbor parameters (including the destination and source addresses), and BFD then sets up a session based on the received parameters. When a link fault occurs, the protocol associated with BFD quickly detects that the BFD session is Down and switches traffic to the backup link. This feature minimizes data loss.
A device can implement static BFD even if the peer device does not support BFD. Dynamic BFD is more flexible than static BFD.
1.5.2 Application
After RIP is associated with BFD, BFD reports link faults to RIP within several milliseconds. The RIP router then deletes the faulty links from the local routing table and starts the backup link. This feature increases route convergence speed.
Figure 1-5-1 RIP and BFD association network
Implementation of RIP and BFD association:
As shown in Figure 1-5-1, RouterA, RouterB, RouterC, and RouterD set up RIP neighbor relationships. RouterB is the next hop on the route from RouterA to RouterD. RIP and BFD association is configured on RouterA and RouterB.
When the link between RouterA and RouterB is faulty, BFD quickly detects the fault and notifies RouterA of it. RouterA deletes the route with RouterB as the next hop and then recalculates a route. The new route passes through RouterC and RouterB and reaches RouterD.
When the link between RouterA and RouterB recovers, a session is set up again. RouterA receives routing information from RouterB and selects the optimal route.
1.6 Hot Standby
Devices with a distributed architecture support the RIP hot standby feature. During hot standby, a device backs up RIP data from the active main board (AMB) to the standby main board (SMB). When the AMB becomes faulty, the SMB becomes active and takes over the AMB's tasks. This prevents RIP from being affected and ensures normal data forwarding.
1.7 Examples for Configuring RIP
1.7.1 Example for Configuring Basic RIP Functions
Networking Requirements
As shown in Figure 1-7-1, RouterA, RouterB, RouterC, and RouterD are located on a small-sized network, and they need to communicate with each other.
Figure 1-7-1 Network diagram of basic RIP functions
Configuration Roadmap
The network size is small, so RIPv2 is recommended. The configuration roadmap is as follows:
1. Configure an IP address for each interface to ensure network reachability.
2. Enable RIP on each router to implement network connections between processes.
3. Configure RIPv2 on each router to improve RIP performance.
Procedure
1. Configure an IP address for each interface.
# Configure RouterA.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
The configurations of RouterB, RouterC, and RouterD are similar to the configuration of RouterA, and are not mentioned here.
2.
The preceding display shows that the routes advertised by RIPv1 carry natural masks.
3. Configure the RIP version.
# Configure RIPv2 on RouterA.
[RouterA] rip
[RouterA-rip-1] version 2
[RouterA-rip-1] quit
# Configure RIPv2 on RouterB.
[RouterB] rip
[RouterB-rip-1] version 2
[RouterB-rip-1] quit
# Configure RIPv2 on RouterC.
[RouterC] rip
[RouterC-rip-1] version 2
[RouterC-rip-1] quit
# Configure RIPv2 on RouterD.
[RouterD] rip
[RouterD-rip-1] version 2
[RouterD-rip-1] quit
4. Verify the configuration.
# Check the RIP routing table of RouterA.
[RouterA] display rip 1 route
 Route Flags: R - RIP
              A - Aging, S - Suppressed, G - Garbage-collect
------------------------------------------------------------------------
 Peer 192.168.1.2 on GigabitEthernet1/0/0
      Destination/Mask        Nexthop     Cost   Tag   Flags   Sec
         10.1.1.0/24      192.168.1.2        1     0    RA      32
       172.16.1.0/24      192.168.1.2        1     0    RA      32
The preceding display shows that the routes advertised by RIPv2 carry subnet masks.
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.1 255.255.255.0
#
rip 1
 version 2
 network 192.168.1.0
#
return
Configuration file of RouterB
#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 ip address 10.1.1.1 255.255.255.0
#
rip 1
 version 2
 network 192.168.1.0
 network 172.16.0.0
 network 10.0.0.0
#
return
Configuration file of RouterC
#
 sysname RouterC
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.2 255.255.255.0
#
rip 1
 version 2
 network 172.16.0.0
#
return
Configuration file of RouterD
#
 sysname RouterD
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.2 255.255.255.0
#
rip 1
 version 2
 network 10.0.0.0
#
return
1.7.2 Example for Importing Routes to RIP
Networking Requirements
As shown in Figure 1-7-2, two RIP processes, RIP100 and RIP200, run on RouterB. RouterA needs to communicate with network segment 192.168.3.0/24.
Figure 1-7-2 Network diagram of configuring RIP to import external routes
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable RIP on each router to implement network connections between processes.
2. Import routes between RIP100 and RIP200 on RouterB and set the default metric of routes imported from RIP200 to 3.
3. Configure an ACL on RouterB to filter route 192.168.4.0/24 imported from RIP200 so that RouterA can only communicate with network segment 192.168.3.0/24.
Procedure
1. Configure an IP address for each interface.
# Configure RouterA.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
The configurations of RouterB and RouterC are similar to the configuration of RouterA, and are not mentioned here.
2. Configure the basic RIP functions.
# Enable RIP process 100 on RouterA.
[RouterA] rip 100
[RouterA-rip-100] network 192.168.0.0
[RouterA-rip-100] network 192.168.1.0
[RouterA-rip-100] quit
# Enable RIP processes 100 and 200 on RouterB.
[RouterB] rip 100
[RouterB-rip-100] network 192.168.1.0
[RouterB-rip-100] quit
[RouterB] rip 200
[RouterB-rip-200] network 192.168.2.0
[RouterB-rip-200] quit
# Enable RIP process 200 on RouterC.
[RouterC] rip 200
[RouterC-rip-200] network 192.168.2.0
[RouterC-rip-200] network 192.168.3.0
[RouterC-rip-200] network 192.168.4.0
[RouterC-rip-200] quit
# View the routing table on RouterA.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7        Routes : 7
Destination/Mask    Proto   Pre  Cost  Flags  NextHop       Interface
      127.0.0.0/8   Direct  0    0     D      127.0.0.1     InLoopBack0
     127.0.0.1/32   Direct  0    0     D      127.0.0.1     InLoopBack0
   192.168.0.0/24   Direct  0    0     D      192.168.0.1   GigabitEthernet2/0/0
   192.168.0.1/32   Direct  0    0     D      127.0.0.1     InLoopBack0
   192.168.1.0/24   Direct  0    0     D      192.168.1.1   GigabitEthernet1/0/0
   192.168.1.1/32   Direct  0    0     D      127.0.0.1     InLoopBack0
   192.168.1.2/32   Direct  0    0     D      192.168.1.2   GigabitEthernet1/0/0
3. Configure RIP to import external routes.
# On RouterB, set the default metric of imported routes to 3 and configure the RIP processes to import routes into each other's routing table.
[RouterB] rip 100
[RouterB-rip-100] default-cost 3
[RouterB-rip-100] import-route rip 200
[RouterB-rip-100] quit
[RouterB] rip 200
[RouterB-rip-200] import-route rip 100
[RouterB-rip-200] quit
# View the routing table of RouterA after the routes are imported.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10
Destination/Mask
4. Configure RIP to filter imported routes.
# Configure an ACL on RouterB and add a rule to the ACL. The rule denies the packets sent from 192.168.4.0/24.
[RouterB] acl 2000
[RouterB-acl-basic-2000] rule deny source 192.168.4.0 0.0.0.255
[RouterB-acl-basic-2000] rule permit
[RouterB-acl-basic-2000] quit
# Configure RouterB to filter route 192.168.4.0/24 imported from RIP200.
[RouterB] rip 100
[RouterB-rip-100] filter-policy 2000 export
[RouterB-rip-100] quit
5. Verify the configuration.
# Display the RIP routing table of RouterA after the routes are filtered.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9
Destination/Mask
Configuration file of RouterC
#
 sysname RouterC
#
interface GigabitEthernet1/0/0
 ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 ip address 192.168.4.1 255.255.255.0
#
rip 200
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
#
return
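The effect of steps 3 and 4 above (import with `default-cost 3`, then `filter-policy 2000 export` with the basic ACL) can be checked offline with the following added Python model; it is not Huawei code and not the routing table output the page omits. It assumes, as the Destinations counts in the procedure suggest, that `import-route rip 200` brings every route of process 200 into process 100 at the default cost, that RouterA adds one hop to what it receives, that wildcard-mask bits set to 1 are ignored when matching, and that a route matching no ACL rule is filtered (the page's final `rule permit` makes that case moot); the process tables are constructed from the topology in the text.

```python
from ipaddress import IPv4Address

ACL_2000 = [("deny", "192.168.4.0", "0.0.0.255"), ("permit", None, None)]   # rules from the text


def acl_permits(acl, prefix):
    """Evaluate a basic ACL against a route's network address; first matching rule decides."""
    addr = int(IPv4Address(prefix.split("/")[0]))
    for action, source, wildcard in acl:
        if source is None:                                  # 'rule permit' without source: any
            return action == "permit"
        care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))      # wildcard 1-bits are not compared
        if addr & care == int(IPv4Address(source)) & care:
            return action == "permit"
    return False            # assumption: a route that matches no rule is filtered out


def import_routes(target, source, default_cost):
    """Model of 'import-route rip <source>' under 'default-cost': every route the source
    process knows (its enabled direct networks included) enters the target at default_cost."""
    merged = dict(target)
    for prefix in source:
        if prefix not in merged:
            merged[prefix] = default_cost
    return merged


def export_to_neighbor(process, acl=None):
    """Routes a process puts in its Update: 'filter-policy <acl> export' drops the denied ones."""
    return {p: c for p, c in process.items() if acl is None or acl_permits(acl, p)}


def router_a_view(advertised, local_direct):
    """What RouterA installs: received cost plus one hop, never overriding its own direct routes."""
    view = {p: 0 for p in local_direct}
    for prefix, cost in advertised.items():
        if prefix not in view:
            view[prefix] = min(cost + 1, 16)
    return view


def simulate(filter_acl=None):
    """RouterB's two processes (constructed from Figure 1-7-2) and the resulting view on RouterA."""
    rip200 = {"192.168.2.0/24": 0, "192.168.3.0/24": 1, "192.168.4.0/24": 1}   # learned from RouterC
    rip100 = {"192.168.1.0/24": 0}                                             # RouterB's own segment
    rip100 = import_routes(rip100, rip200, default_cost=3)
    advertised = export_to_neighbor(rip100, filter_acl)
    return router_a_view(advertised, ["192.168.0.0/24", "192.168.1.0/24"])
```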
Chapter 2 IS-IS
2.1 IS-IS Basic Concepts
2.1.1 IS-IS Topology Structure
IS-IS uses a two-level hierarchy (backbone area and non-backbone area) to support large-scale routing networks. Generally, Level-1 routers are deployed in non-backbone areas, whereas Level-2 and Level-1-2 routers are deployed in backbone areas. Each non-backbone area connects to the backbone area through a Level-1-2 router. Figure 2-1-1 shows a network that runs IS-IS. The network is similar to an OSPF network topology with multiple areas. The backbone area contains all the routers in Area 1 and the Level-1-2 routers in the other areas.
2016-1-11
Huawei Confidential
Page 20 of 1210
HCIE-R&S Material
Confidentiality Level
Figure 2-1-1 IS-IS topology I
Figure 2-1-2 shows another type of IS-IS topology. In this topology, Level-2 routers belong to different areas. All the physically contiguous Level-1-2 and Level-2 routers form the backbone area of IS-IS.
Figure 2-1-2 IS-IS topology II
The two types of topologies show the differences between IS-IS and OSPF:
In IS-IS, each router belongs to only one area. In OSPF, different interfaces of a router may belong to different areas.
In IS-IS, no area is defined as the backbone area. In OSPF, Area 0 is defined as the backbone area.
In IS-IS, Level-1 and Level-2 routes are calculated using the SPF algorithm to generate the shortest path tree (SPT). In OSPF, the SPF algorithm is used only in the same area, and inter-area routes are forwarded by the backbone area.
2.1.2 IS-IS Router Types Level-1 router A Level-1 router manages intra-area routing. It establishes neighbor relationships with only the Level-1 and Level-1-2 routers in the same area and maintains a Level-1 link state database (LSDB). The LSDB contains intra-area routing information. A packet to a destination outside this area is forwarded to the nearest Level-1-2 router.
Level-2 router A Level-2 router manages inter-area routing. It can establish neighbor relationships with Level-2 or Level-1-2 routers in different areas and maintains a Level-2 LSDB. The LSDB contains inter-area routing information. All Level-2 routers form the backbone network of the routing domain. They establish Level-2 neighbor relationships and are responsible for inter-area communication. Level-2 routers in the routing domain must be physically contiguous to ensure the continuity of the backbone network. Only Level-2 routers can exchange data packets or routing information with routers outside the routing domain.
Level-1-2 router A router that belongs to both a Level-1 area and a Level-2 area is called a Level-1-2 router. It can establish Level-1 neighbor relationships with Level-1 and Level-1-2 routers in the same area. It can also establish Level-2 neighbor relationships with Level-2 and Level-1-2 routers in different areas. A Level-1 router must be connected to other areas through a Level-1-2 router. A Level-1-2 router maintains two LSDBs: a Level-1 LSDB and a Level-2 LSDB. The Level-1 LSDB is used for intra-area routing and the Level-2 LSDB for inter-area routing.
2.1.3 IS-IS Network Types IS-IS supports only two types of networks. In terms of physical links, IS-IS networks can be classified into the following link types:
Broadcast: such as Ethernet and Token-Ring
Point-to-point: such as PPP and HDLC
NOTE: For a Non-Broadcast Multi-Access (NBMA) network such as the ATM, you should configure its sub-interfaces as P2P interfaces. IS-IS cannot run on Point to MultiPoint (P2MP) networks.
DIS and Pseudonode In a broadcast network, IS-IS needs to elect a Designated Intermediate System (DIS) from all the routers. DISs are used to create and update pseudonodes and generate link state protocol data units (LSPs) of pseudonodes to describe available network devices. The pseudonode is used to simulate the virtual node in the broadcast network and is not an actual router. In IS-IS, a pseudonode is identified by the system ID of the DIS and the 1-byte Circuit ID (its value is not 0).
Figure 2-1-3 Pseudonode
The use of pseudonodes simplifies the network topology and shortens LSPs. When the network changes, the number of generated LSPs is reduced, and the SPF consumes fewer resources. You can configure different priorities for DISs of different levels. The router with the highest priority is elected as the DIS. If there are multiple routers with the same highest priority on a broadcast network, the one with the highest MAC address is chosen. The DISs of different levels can be the same router or different routers. DIS election in IS-IS differs from designated router (DR) election in OSPF:
On an IS-IS broadcast network, the router with priority 0 also takes part in DIS election. In OSPF, the router with priority 0 does not take part in DR election.
In IS-IS, when a new router that meets the requirements of being a DIS connects to a broadcast network, the router is elected as the new DIS, and the previous pseudonode is deleted. This causes a new flooding of LSPs. In OSPF, when a new router connects to a network, it is not immediately elected as the DR even if it has the highest DR priority.
On an IS-IS broadcast network, routers (including non-DIS routers) of the same level on a network segment set up adjacencies. In OSPF, routers set up adjacencies with only the DR and backup designated router (BDR).
NOTE: On an IS-IS broadcast network, although all the routers set up adjacencies with each other, the LSDBs are synchronized by the DISs.
2.1.4 IS-IS Address Structure The network service access point (NSAP) is an address defined by the OSI to locate resources. Figure 2-1-4 shows the NSAP address structure. The NSAP is composed of the initial domain part (IDP) and the domain specific part (DSP). The lengths of the IDP and the DSP are variable. The maximum length of the NSAP is 20 bytes and its minimum length is 8 bytes.
The IDP is similar to the network ID in an IP address. It is defined by the ISO and consists of the authority and format identifier (AFI) and the initial domain identifier (IDI). The AFI indicates the address allocation authority and address format, and the IDI identifies a domain.
The DSP is similar to the subnet ID and host address in an IP address. The DSP consists of the High Order DSP (HODSP), system ID, and NSAP Selector (SEL). The HODSP is used to divide areas, the system ID identifies a host, and the SEL indicates the service type.
Figure 2-1-4 IS-IS address structure
Area Address The IDP and the HODSP of the DSP identify a routing domain and the areas in a routing domain. Therefore, the combination of the IDP and HODSP is called an area address, which is similar to an area number in OSPF. The area addresses of routers in the same Level-1 area must be the same, while the area addresses of routers in the Level-2 area can be different. In general, a router can be configured with only one area address. The area address of all nodes in an area must be the same. In the implementation of a device, an IS-IS process can be configured with a maximum of three area addresses to support seamless combination, division, and transformation of areas.
System ID A system ID uniquely identifies a host or a router in an area. In the device, the fixed length of the system ID is 48 bits (6 bytes). In actual applications, a router ID corresponds to a system ID. If a router takes the IP address 168.10.1.1 of Loopback 0 as its router ID, its system ID used in IS-IS can be obtained in the following way:
Extend each part of IP address 168.10.1.1 to 3 decimal digits by adding 0s to the front of any part that is shorter than 3 digits. Then the IP address is extended as 168.010.001.001.
Divide the extended address 168.010.001.001 into three parts, each of which consists of four decimal digits. Then system ID 1680.1000.1001 is obtained.
You can specify a system ID in many ways. You need to ensure that the system ID uniquely identifies a host or a router.
SEL The role of an SEL is similar to that of the "protocol identifier" of IP. A transport protocol matches an SEL. The SEL is always "00" in IP. A network entity title (NET) indicates network layer information about an IS. A NET can be regarded as a special NSAP. The NET length is the same as the NSAP length. Its maximum length is 20 bytes and minimum length is 8 bytes. When configuring IS-IS on a router, you only need to configure a NET but not an NSAP. Assume that there is a NET: ab.cdef.1234.5678.9abc.00. In the NET, the area address is ab.cdef, the system ID is 1234.5678.9abc, and the SEL is 00.
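The system ID derivation and the NET layout described above, as an added Python example (it is not part of the Huawei material): system_id_from_ip pads and regroups the router ID exactly as the two steps state, make_net appends the area address and the "00" SEL, and parse_net splits a NET back into area address, system ID and SEL while enforcing the 8-to-20-byte NET length. The function names and the area address 49.0001 used in the usage call are the example's own choices.

```python
import re

SEL_IP = "00"  # the SEL is always "00" for IP, as the text states


def system_id_from_ip(ip: str) -> str:
    """Derive the 6-byte system ID from a dotted-decimal router ID.

    Step 1: pad every octet to three decimal digits (168.10.1.1 -> 168.010.001.001).
    Step 2: join the twelve digits and regroup them into three blocks of four.
    """
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    digits = "".join(f"{int(o):03d}" for o in octets)  # "168010001001"
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def make_net(area: str, router_id: str) -> str:
    """Build the NET configured on the router: area address + system ID + SEL."""
    return f"{area}.{system_id_from_ip(router_id)}.{SEL_IP}"


def parse_net(net: str) -> dict:
    """Split a NET into its parts and check the constraints given in the text:
    the last byte is the SEL, the three 2-byte groups before it are the system
    ID, everything in front is the area address, and the whole NET is 8..20 bytes.
    """
    parts = net.lower().split(".")
    # every dotted group must be a whole number of hex bytes
    if len(parts) < 5 or not all(re.fullmatch(r"(?:[0-9a-f]{2})+", p) for p in parts):
        raise ValueError(f"malformed NET: {net!r}")
    sel, sysid, area = parts[-1], parts[-4:-1], parts[:-4]
    if len(sel) != 2 or any(len(p) != 4 for p in sysid):
        raise ValueError("SEL must be 1 byte and the system ID three 2-byte groups")
    length = sum(len(p) for p in parts) // 2
    if not 8 <= length <= 20:
        raise ValueError(f"NET length {length} bytes is outside 8..20")
    return {
        "area": ".".join(area),
        "system_id": ".".join(sysid),
        "sel": sel,
        "length_bytes": length,
    }


if __name__ == "__main__":
    # constructed usage: area 49.0001 and the router ID used in the text
    net = make_net("49.0001", "168.10.1.1")
    print(net)             # 49.0001.1680.1000.1001.00
    print(parse_net("ab.cdef.1234.5678.9abc.00"))
```

The hex check in parse_net also catches the common mistake of typing a system ID with a stray decimal group of the wrong width, which a router would reject at configuration time.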
2.1.5 IS-IS PDU Types IS-IS PDUs include Hello PDUs, link state PDUs (LSPs), and sequence number PDUs (SNPs).
Hello PDU Hello packets, also called IS-IS Hello PDUs (IIH), are used to set up and maintain neighbor relationships. Among them, Level-1 LAN IIHs apply to the Level-1 routers on broadcast LANs; Level-2 LAN IIHs apply to the Level-2 routers on broadcast LANs; and P2P IIHs apply to non-broadcast networks. Hello packets on different networks have different formats. Compared to a LAN IIH, a P2P IIH does not have the Priority and LAN ID fields, but has a Local Circuit ID field. The Priority field indicates the DIS priority on a broadcast network, the LAN ID field indicates the system ID of the DIS and pseudonode, and the Local Circuit ID indicates the local link ID.
LSP LSPs are used to exchange link-state information. There are two types of LSPs: Level-1 and Level-2. Level-1 IS-IS transmits Level-1 LSPs; Level-2 IS-IS transmits Level-2 LSPs; and Level-1-2 IS-IS can transmit both Level-1 and Level-2 LSPs. The meanings of major fields in an LSP are as follows:
ATT field: When a Level-1-2 IS-IS transmits Level-1 LSPs in a Level-1 area, Level-1 IS-IS in the area can communicate with devices in other areas through the Level-1-2 IS-IS if the ATT bit is set in the Level-1 LSPs.
OL field: indicates the LSDB overload. LSPs with the overload bit are still flooded on the network, but these LSPs are ignored during the calculation of the routes that pass through a router in overload state. After the overload bit is set on a router, other routers ignore the router when performing SPF calculation and consider only the direct routes of the router. For details, see "IS-IS Overload" in Principles.
IS Type field: indicates the type of IS-IS that generates the LSP. The value 01 indicates Level-1, and the value 11 indicates Level-2.
SNP SNPs describe the LSPs in all or some databases to help synchronize and maintain all LSDBs. SNPs include complete SNPs (CSNPs) and partial SNPs (PSNPs). They are further classified into Level-1 CSNPs, Level-2 CSNPs, Level-1 PSNPs, and Level-2 PSNPs. A CSNP contains the summary of all LSPs in an LSDB. This maintains LSDB synchronization between neighboring routers. On a broadcast network, the DIS periodically sends CSNPs. The default interval for sending CSNPs is 10 seconds. On a point-to-point link, CSNPs are sent only when the neighbor relationship is established for the first time. A PSNP lists only the sequence number of recently received LSPs. A PSNP can acknowledge multiple LSPs at one time. If an LSDB is not updated, the PSNP is also used to request a neighbor to send a new LSP. The variable length fields in an IS-IS PDU are multiple type-length-values (TLVs).
Figure 2-1-5 shows the TLV format. A TLV is also called a code-length-value (CLV).
Figure 2-1-5 TLV format
TLVs vary according to PDU types, as shown in Table 2-1-1.
Table 2-1-1 PDU types and TLV names
TLV Type  Name                                        Applied PDU Type
1         Area Addresses                              IIH, LSP
2         IS Neighbors (LSP)                          LSP
4         Partition Designated Level2 IS              L2 LSP
6         IS Neighbors (MAC Address)                  LAN IIH
7         IS Neighbors (SNPA Address)                 LAN IIH
8         Padding                                     IIH
9         LSP Entries                                 SNP
10        Authentication Information                  IIH, LSP, SNP
128       IP Internal Reachability Information        LSP
129       Protocols Supported                         IIH, LSP
130       IP External Reachability Information        L2 LSP
131       Inter-Domain Routing Protocol Information   L2 LSP
132       IP Interface Address                        IIH, LSP
TLVs with the type value ranging from 1 to 10 are defined in ISO 10589, and the other TLVs are defined in RFC 1195.
2.2 IS-IS Basic Principles
IS-IS is a link-state routing protocol. Each router generates an LSP that contains link state information about all the IS-IS interfaces on the router. The router can establish IS-IS neighbor relationships with neighboring devices and update its LSDB to synchronize the local LSDB with the LSDBs of all the other devices on the IS-IS network. Based on the local LSDB, the router uses the SPF algorithm to calculate IS-IS routes. If the router finds that an IS-IS route is the optimal route to a destination, the router adds the route to the local IP routing table to guide packet forwarding.
2.2.1 Establishment of IS-IS Neighbor Relationship Two IS-IS routers need to establish a neighbor relationship before exchanging packets to implement routing. On different networks, the modes for establishing IS-IS neighbors are different.
Establishment of a neighbor relationship on a broadcast link Figure 2-2-1 uses Level-2 routers as an example to describe the process of establishing a neighbor relationship on a broadcast link. The process of establishing a neighbor relationship between Level-1 routers is the same as the process of establishing a neighbor relationship between Level-2 routers.
Figure 2-2-1 Process of establishing a neighbor relationship on a broadcast link
1. RouterA broadcasts a Level-2 LAN IS-IS Hello PDU (IIH) with no neighbor ID specified.
2. RouterB receives this packet and sets the status of the neighbor relationship with RouterA to Initial. RouterB then responds to RouterA with a Level-2 LAN IIH, indicating that RouterA is a neighbor of RouterB.
3. RouterA receives this packet and sets the status of the neighbor relationship with RouterB to Up. RouterA then sends RouterB a Level-2 LAN IIH indicating that RouterB is a neighbor of RouterA.
4. RouterB receives this packet and sets the status of the neighbor relationship with RouterA to Up. RouterA and RouterB establish a neighbor relationship successfully.
The network is a broadcast network, so a DIS needs to be elected. After the neighbor relationship is established, routers wait for two intervals before sending Hello packets to elect the DIS. The IIH packets exchanged by the routers contain the Priority field. The router with the highest priority is elected as the DIS. If the routers have the same priority, the router with the largest interface MAC address is elected as the DIS.
Establishment of a neighbor relationship on a P2P link Unlike the establishment of a neighbor relationship on a broadcast link, the establishment of a neighbor relationship on a P2P link is classified into two modes: two-way mode and three-way mode.
Two-way mode Upon receiving a P2P IIH from a neighbor, a router considers the neighbor Up and establishes a neighbor relationship with the neighbor.
Three-way mode A neighbor relationship is established after P2P IIHs are exchanged three times. The establishment of a neighbor relationship on a P2P link in three-way mode is similar to that on a broadcast link.
Two-way mode has distinct disadvantages. For example, when two or more links exist between two routers, the two routers can still establish a neighbor relationship if one link is Down and the other is Up in the same direction. The parameters of the link in Up state are used in SPF calculation. As a result, the router that does not detect the fault of the link in Down state still tries to forward packets over this link. Three-way mode addresses such problems on unreliable P2P links. In three-way mode, a router considers the neighbor Up only after confirming that the neighbor receives the packet sent by itself, and then establishes a neighbor relationship with the neighbor. Basic rules for establishing an IS-IS neighbor relationship are as follows:
Only neighboring routers of the same level can set up the neighbor relationship with each other.
For Level-1 routers, their area IDs must be the same.
Network types of IS-IS interfaces on both ends of a link must be consistent.
NOTE: Ethernet interfaces can be simulated as P2P interfaces to establish a neighbor relationship on a P2P link.
IP addresses of IS-IS interfaces on both ends of a link must be on the same network segment. IS-IS runs on the data-link layer and was initially designed for CLNP. Therefore, the establishment of an IS-IS neighbor relationship is not related to IP addresses. In the implementation of a device, IS-IS runs only over IP. Therefore, IS-IS needs to check the IP address of its neighbor. If secondary IP addresses are assigned to the interfaces, the routers can still set up the IS-IS neighbor relationship, but only when either the primary IP addresses or secondary IP addresses are on the same network segment.
NOTE: When IP addresses of IS-IS interfaces on both ends of a link are on different network segments, a neighbor relationship can still be established on the two interfaces if the interfaces are configured not to check the IP addresses in received Hello packets. You can configure P2P interfaces not to check the IP addresses in received Hello packets. Before configuring Ethernet interfaces not to check the IP addresses, simulate Ethernet interfaces as P2P interfaces.
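To make the two-way/three-way difference described above concrete, here is an added Python simulation (it is not from the original material) of the P2P IIH exchange between two routers over a link that may have lost one direction. The three-way confirmation is modelled by a single seen_neighbor field in the Hello rather than the real Adjacency Three-Way State TLV; the router names, the state name "Initial" and the run_link helper are the example's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class P2pIih:
    """A P2P Hello as seen by the simulation (constructed, not a real PDU)."""
    sender: str
    seen_neighbor: Optional[str] = None  # three-way only: who the sender has already heard from


@dataclass
class P2pAdjacency:
    local: str
    mode: str                     # "two-way" or "three-way"
    state: str = "Down"
    heard: Optional[str] = None   # system ID of the neighbor we have received an IIH from

    def __post_init__(self) -> None:
        if self.mode not in ("two-way", "three-way"):
            raise ValueError("mode must be 'two-way' or 'three-way'")

    def receive(self, iih: P2pIih) -> str:
        """Apply one received IIH and return the new adjacency state."""
        self.heard = iih.sender
        if self.mode == "two-way":
            # any IIH from the neighbor is enough: the neighbor is considered Up
            self.state = "Up"
        elif iih.seen_neighbor == self.local:
            # the neighbor has confirmed that it receives our own IIHs
            self.state = "Up"
        elif self.state != "Up":
            # we hear the neighbor, but it has not yet acknowledged hearing us
            self.state = "Initial"
        return self.state

    def hello(self) -> P2pIih:
        """Build the next IIH; only three-way mode echoes the neighbor we heard."""
        return P2pIih(self.local, self.heard if self.mode == "three-way" else None)


def run_link(mode: str, a_to_b: bool = True, b_to_a: bool = True,
             rounds: int = 3) -> Tuple[str, str]:
    """Exchange IIHs for a few rounds; a False direction models a link that is
    Down in that direction only (the failure mode described in the text)."""
    a, b = P2pAdjacency("RouterA", mode), P2pAdjacency("RouterB", mode)
    for _ in range(rounds):
        if a_to_b:
            b.receive(a.hello())
        if b_to_a:
            a.receive(b.hello())
    return a.state, b.state


if __name__ == "__main__":
    print("two-way, healthy:      ", run_link("two-way"))
    print("two-way, B->A broken:  ", run_link("two-way", b_to_a=False))
    print("three-way, healthy:    ", run_link("three-way"))
    print("three-way, B->A broken:", run_link("three-way", b_to_a=False))
```

With the B-to-A direction lost, two-way mode still reports RouterB as Up, which is exactly the one-way adjacency that would be fed into SPF; three-way mode leaves RouterB in Initial because RouterA never confirms hearing it.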
2.2.2 Process of Exchanging IS-IS LSPs Causes of LSP generation All routers in the IS-IS routing domain can generate LSPs. The following events trigger the generation of a new LSP:
Neighbor is Up or Down.
Related interface goes Up or Down.
Imported IP routes change.
Inter-area IP routes change.
Interface is assigned a new metric value.
Periodic updates occur.
Processing of a new LSP received from a neighbor
1. The router installs the LSP to its LSDB and marks it for flooding.
2. The router sends the LSP to all interfaces except the interface that initially received the LSP.
3. The neighbors flood the LSP to their neighbors.
LSP flooding In LSP flooding, a router sends an LSP to its neighbors and then the neighbors send the received LSP to their respective neighbors except the router that first sends the LSP. In this manner, the LSP is flooded among the routers of the same level. LSP flooding allows each router of the same level to have the same LSP information and synchronize its LSDB with each other. Each LSP has a 4-byte sequence number. When a router is started, the sequence number of the first LSP sent by the router is 1. When a new LSP is generated, the sequence number of the LSP is equal to the sequence number of the previous LSP plus 1. The greater the sequence number, the newer the LSP.
Process of synchronizing LSDBs between a newly added router and DIS on a broadcast link
Figure 2-2-2 Process of updating LSDBs on a broadcast link
1. A new router (RouterC) sends a Hello packet to establish neighbor relationships with the other routers in the broadcast domain.
2. RouterC establishes neighbor relationships with RouterA and RouterB, waits for the timeout of the LSP refresh timer, and then sends its LSP to a multicast address (01-80-C2-00-00-14 in a Level-1 area and 01-80-C2-00-00-15 in a Level-2 area). All neighbors on the network can receive the LSP.
3. The DIS on the network segment adds the received LSP to its LSDB. After the CSNP timer expires, the DIS sends CSNPs to synchronize the LSDBs on the network.
4. RouterC receives the CSNPs from the DIS, checks its LSDB, and sends a PSNP to request the LSPs it does not have.
5. The DIS receives the PSNP and sends RouterC the required LSPs for LSDB synchronization.
The process of updating the LSDB of the DIS is as follows:
1. When the DIS receives an LSP, it searches the LSDB to check whether the same LSP exists. If the DIS does not find the same LSP in its LSDB, the DIS adds the LSP to its LSDB and broadcasts the content of the new LSDB.
2. If the sequence number of the received LSP is greater than that of the corresponding LSP in the LSDB, the DIS replaces the existing LSP with the received LSP and broadcasts the contents of the new LSDB. If the sequence number of the received LSP is smaller than that of the corresponding LSP in the LSDB, the DIS sends its LSP in the LSDB through the inbound interface of the received LSP.
3. If the sequence number of the received LSP is the same as that of the corresponding LSP in the LSDB, the DIS compares the remaining lifetime of the two LSPs. If the remaining lifetime of the received LSP is smaller than that of the corresponding LSP in the LSDB, the DIS replaces the existing LSP with the received LSP and broadcasts the contents of the new LSDB. If the remaining lifetime of the received LSP is greater than that of the corresponding LSP, the DIS sends its LSP in the LSDB through the inbound interface of the received LSP.
4. If the sequence number and remaining lifetime of the received LSP are the same as those of the corresponding LSP in the LSDB, the DIS compares the checksum of the two LSPs. If the checksum of the received LSP is greater than that of the corresponding LSP in the LSDB, the DIS replaces the existing LSP with the received LSP and broadcasts the content of the new LSDB. If the checksum of the received LSP is smaller than that of the corresponding LSP, the DIS sends its LSP in the LSDB through the inbound interface of the received LSP.
5. If the sequence number, remaining lifetime, and checksum of the received LSP are the same as those of the corresponding LSP in the LSDB, the DIS does not forward the received LSP.
Process of synchronizing the LSDB on a P2P link
Figure 2-2-3 Process of updating LSDBs on a P2P link
1. RouterA establishes a neighbor relationship with RouterB.
2. RouterA and RouterB send a CSNP to each other. If the LSDB of the neighbor and the received CSNP are not synchronized, the neighbor sends a PSNP to request the required LSP.
3. Figure 2-2-3 assumes that RouterB requests the required LSP from RouterA. RouterA sends the required LSP to RouterB, starts the LSP retransmission timer, and waits for a PSNP from RouterB as an acknowledgement for the received LSP.
4. If RouterA does not receive a PSNP from RouterB after the LSP retransmission timer expires, RouterA resends the LSP until it receives a PSNP from RouterB.
NOTE: A PSNP on a P2P link is used as follows:
An ACK packet to acknowledge the received LSP.
A request packet to acquire LSPs.
The process of updating LSDBs on a P2P link is as follows:
1. If the sequence number of the received LSP is smaller than that of the corresponding LSP in the LSDB, the router directly sends its LSP to the neighbor and waits for a PSNP from the neighbor. If the sequence number of the received LSP is greater than that of the corresponding LSP in the LSDB, the router adds the received LSP to its LSDB, sends a PSNP to acknowledge the received LSP, and then sends the received LSP to all its neighbors except the neighbor that sends the LSP.
2. If the sequence number of the received LSP is the same as that of the corresponding LSP in the LSDB, the router compares the remaining lifetime of the two LSPs. If the received LSP has a smaller remaining lifetime than that of the corresponding LSP in the LSDB, the router adds the received LSP to its LSDB, sends a PSNP to acknowledge the received LSP, and then sends the received LSP to all its neighbors except the neighbor that sends the LSP. If the received LSP has a greater remaining lifetime than that of the corresponding LSP in the LSDB, the router directly sends its LSP to the neighbor and waits for a PSNP from the neighbor.
3. If the sequence number and remaining lifetime of the received LSP are the same as those of the corresponding LSP in the LSDB, the router compares the checksum of the two LSPs. If the received LSP has a greater checksum than that of the corresponding LSP in the LSDB, the router adds the received LSP to its LSDB, sends a PSNP to acknowledge the received LSP, and then sends the received LSP to all its neighbors except the neighbor that sends the LSP. If the received LSP has a smaller checksum than that of the corresponding LSP in the LSDB, the router directly sends its LSP to the neighbor and waits for a PSNP from the neighbor.
4. If the sequence number, remaining lifetime, and checksum of the received LSP and the corresponding LSP in the LSDB are the same, the router does not forward the received LSP.
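The comparison rules for the DIS on a broadcast link (sequence number, then remaining lifetime, then checksum) and the P2P rules just above are the same decision procedure, so one added Python example (not the material's own code) implements it once: compare_lsp returns the action the text prescribes for a received LSP, and a small Lsdb applies it and reports which interfaces the LSP is flooded to or on which the local copy is sent back. The Lsp/Lsdb/Action names, the LSP ID format and the interface names are constructed for the example; the PSNP acknowledgement on P2P links is mentioned in the Action text but not modelled.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Action(Enum):
    INSTALL_AND_FLOOD = "newer: install, acknowledge (PSNP on P2P), flood to other neighbors"
    SEND_OWN_COPY = "older: send the local copy back through the inbound interface"
    IGNORE = "identical: do not forward"


@dataclass(frozen=True)
class Lsp:
    lsp_id: str      # constructed format: "<system ID>.<pseudonode>-<fragment>"
    seq: int         # 4-byte sequence number, starts at 1 after a restart
    lifetime: int    # remaining lifetime in seconds (2 bytes)
    checksum: int    # 2-byte checksum

    def __post_init__(self) -> None:
        if not 0 <= self.seq <= 0xFFFFFFFF:
            raise ValueError("sequence number must fit in 4 bytes")
        if not 0 <= self.lifetime <= 0xFFFF or not 0 <= self.checksum <= 0xFFFF:
            raise ValueError("lifetime and checksum must fit in 2 bytes")


def compare_lsp(received: Lsp, local: Optional[Lsp]) -> Action:
    """Decide what to do with a received LSP, in the order the text gives:
    sequence number first, then remaining lifetime (smaller wins, per the
    text), then checksum (greater wins); all equal means identical."""
    if local is None:
        return Action.INSTALL_AND_FLOOD
    for recv_key, local_key, newer_if_greater in (
        (received.seq, local.seq, True),
        (received.lifetime, local.lifetime, False),
        (received.checksum, local.checksum, True),
    ):
        if recv_key != local_key:
            received_is_newer = (recv_key > local_key) == newer_if_greater
            return Action.INSTALL_AND_FLOOD if received_is_newer else Action.SEND_OWN_COPY
    return Action.IGNORE


class Lsdb:
    """Minimal LSDB keyed by LSP ID, plus the flooding decision."""

    def __init__(self, interfaces: List[str]) -> None:
        self.db: Dict[str, Lsp] = {}
        self.interfaces = list(interfaces)

    def receive(self, lsp: Lsp, inbound: str) -> Tuple[Action, List[str]]:
        """Return the action and the interfaces an LSP is sent on: the received
        LSP to every interface except the inbound one, or the local copy back
        on the inbound interface only."""
        action = compare_lsp(lsp, self.db.get(lsp.lsp_id))
        if action is Action.INSTALL_AND_FLOOD:
            self.db[lsp.lsp_id] = lsp
            return action, [i for i in self.interfaces if i != inbound]
        if action is Action.SEND_OWN_COPY:
            return action, [inbound]
        return action, []


if __name__ == "__main__":
    db = Lsdb(["GE1/0/0", "GE2/0/0", "GE3/0/0"])
    first = Lsp("1680.1000.1001.00-00", seq=1, lifetime=1200, checksum=0x1234)
    print(db.receive(first, "GE1/0/0"))
    stale = Lsp("1680.1000.1001.00-00", seq=0, lifetime=1200, checksum=0x1234)
    print(db.receive(stale, "GE2/0/0"))  # older copy: send ours back on GE2/0/0
```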
2.3 IS-IS Authentication
To ensure network security, IS-IS authentication protects IS-IS packets by adding an authentication field to them. When a local router receives IS-IS packets from a remote router, the local router discards the packets if the authentication passwords do not match. This protects the local router from packets that do not carry the expected authentication.
Authentication Types Based on the types of packets, the authentication is classified as follows:
Interface authentication: authenticates Level-1 and Level-2 Hello packets sent and received on IS-IS interfaces using the specified authentication mode and password.
NOTE: You can configure a router to perform interface authentication in the following ways:
A router sends authentication packets carrying the authentication TLV and verifies the authentication information about the received packets.
A router sends authentication packets carrying the authentication TLV but does not verify the authentication information about the received packets.
Area authentication: authenticates Level-1 LSPs and Level-1 SNPs transmitted in an IS-IS area using the specified authentication mode and password.
Routing domain authentication: authenticates Level-2 LSPs and Level-2 SNPs transmitted in an IS-IS routing domain using the specified authentication mode and password.
NOTE: In area authentication and routing domain authentication, you can configure a router to authenticate LSPs and SNPs separately in the following ways:
A router sends LSPs and SNPs carrying the authentication TLV and verifies the authentication information about the received LSPs and SNPs.
A router sends LSPs carrying the authentication TLV and verifies the authentication information about the received LSPs. The router sends SNPs carrying the authentication TLV but does not verify the authentication information about the received SNPs.
A router sends LSPs carrying the authentication TLV and verifies the authentication information about the received LSPs. The router sends SNPs without the authentication TLV and does not verify the authentication information about the received SNPs.
A router sends LSPs and SNPs carrying the authentication TLV but does not verify the authentication information about the received LSPs and SNPs.
Based on the authentication modes of packets, authentication is classified into the following types:
Plain text authentication: is a simple authentication mode in which passwords are directly added to packets. This authentication is insecure.
MD5 authentication: uses the MD5 algorithm to compute a digest from the password rather than carrying the password itself in packets, which improves password security.
Keychain authentication: further improves network security with a configurable key chain whose keys change over time.
Mode in Which Authentication Information Is Carried IS-IS provides a TLV to carry authentication information, with the type of the TLV specified as 10.
Type: is defined by the ISO as 10, with a length of 1 byte.
Length: indicates the length of the authentication TLV, which is 1 byte.
Value: indicates the authentication contents of 1 to 254 bytes, including the authentication type and password. The authentication type is 1 byte:
Type 0 is reserved.
Type 1 indicates plain text authentication.
Type 54 indicates MD5 authentication.
Type 255 indicates routing domain private authentication methods.
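The TLV format (Figure 2-1-5, Table 2-1-1) and the authentication TLV layout just described, as an added Python example that is not part of the Huawei material: parse_tlvs walks the type/length/value fields of a PDU body, build_authenticated_pdu appends a type-10 TLV in plain-text (type 1) or MD5 (type 54) mode, and verify_pdu discards a PDU whose authentication does not match, as the text says a receiving router must. The MD5 mode is implemented as HMAC-MD5 over the PDU with the 16-byte digest zeroed, which is how RFC 5304 specifies it for IIHs and SNPs (for LSPs the Remaining Lifetime and Checksum fields are zeroed as well, which this example does not do). The 8-byte all-zero header stand-in, the key and the area address 49.0001 are constructed.

```python
import hashlib
import hmac
from typing import List, Tuple

TLV_AREA_ADDRESSES = 1    # Table 2-1-1
TLV_AUTHENTICATION = 10   # Table 2-1-1
AUTH_CLEARTEXT = 1        # authentication type values from the text
AUTH_HMAC_MD5 = 54
DIGEST_LEN = 16


def encode_tlvs(tlvs: List[Tuple[int, bytes]]) -> bytes:
    """Serialize (type, value) pairs; type and length are single bytes."""
    out = bytearray()
    for tlv_type, value in tlvs:
        if not (0 <= tlv_type <= 255 and len(value) <= 255):
            raise ValueError("TLV type and length must each fit in one byte")
        out += bytes([tlv_type, len(value)]) + value
    return bytes(out)


def parse_tlvs(pdu: bytes, start: int) -> List[Tuple[int, bytes, int]]:
    """Walk the variable-length part of a PDU starting at offset `start`.
    Returns (type, value, offset of the value) and rejects truncated TLVs."""
    tlvs, i = [], start
    while i < len(pdu):
        if i + 2 > len(pdu):
            raise ValueError("truncated TLV header")
        tlv_type, length = pdu[i], pdu[i + 1]
        value = pdu[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("TLV length runs past the end of the PDU")
        tlvs.append((tlv_type, value, i + 2))
        i += 2 + length
    return tlvs


def build_authenticated_pdu(header: bytes, tlvs: List[Tuple[int, bytes]],
                            auth_type: int, key: bytes) -> bytes:
    """Append the type-10 authentication TLV as the last TLV of the PDU."""
    if auth_type == AUTH_CLEARTEXT:
        # the password itself travels in the packet (the text calls this insecure)
        return header + encode_tlvs(tlvs + [(TLV_AUTHENTICATION, bytes([AUTH_CLEARTEXT]) + key)])
    if auth_type == AUTH_HMAC_MD5:
        # RFC 5304 style: compute HMAC-MD5 over the PDU with the digest field zeroed
        placeholder = bytes([AUTH_HMAC_MD5]) + bytes(DIGEST_LEN)
        pdu = header + encode_tlvs(tlvs + [(TLV_AUTHENTICATION, placeholder)])
        digest = hmac.new(key, pdu, hashlib.md5).digest()
        return pdu[:-DIGEST_LEN] + digest
    raise ValueError("unsupported authentication type")


def verify_pdu(pdu: bytes, header_len: int, key: bytes) -> bool:
    """Receiver side: True only if exactly one authentication TLV is present
    and its contents match the configured key; anything else is discarded."""
    try:
        auth = [(v, off) for t, v, off in parse_tlvs(pdu, header_len) if t == TLV_AUTHENTICATION]
    except ValueError:
        return False
    if len(auth) != 1 or not auth[0][0]:
        return False
    value, off = auth[0]
    auth_type, payload = value[0], value[1:]
    if auth_type == AUTH_CLEARTEXT:
        return hmac.compare_digest(payload, key)
    if auth_type == AUTH_HMAC_MD5:
        if len(payload) != DIGEST_LEN:
            return False
        zeroed = pdu[:off + 1] + bytes(DIGEST_LEN) + pdu[off + 1 + DIGEST_LEN:]
        expected = hmac.new(key, zeroed, hashlib.md5).digest()
        return hmac.compare_digest(payload, expected)
    return False  # type 0 (reserved), 255 (private) and unknown types are not accepted


HEADER = bytes(8)               # constructed stand-in for the fixed PDU header
KEY = b"hcie-lab-key"           # constructed key
AREA_TLV = (TLV_AREA_ADDRESSES, bytes([3, 0x49, 0x00, 0x01]))  # length byte + area 49.0001

if __name__ == "__main__":
    pdu = build_authenticated_pdu(HEADER, [AREA_TLV], AUTH_HMAC_MD5, KEY)
    print("md5 verifies:", verify_pdu(pdu, len(HEADER), KEY))
    clear = build_authenticated_pdu(HEADER, [AREA_TLV], AUTH_CLEARTEXT, KEY)
    print("password visible in plain-text PDU:", KEY in clear)
```

The plain-text mode makes the text's "insecure" remark tangible: the key is recoverable from the packet bytes, whereas in MD5 mode only a digest is carried and any change to the PDU body invalidates it.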
2.4 IS-IS Route Leaking
Normally, Level-1 routers manage routes in Level-1 areas. All Level-2 and Level-1-2 routers form a contiguous backbone area. Level-1 areas can only connect to the backbone area, but cannot connect to each other. A Level-1-2 router encapsulates learned Level-1 routing information into a Level-2 LSP and floods the Level-2 LSP to other Level-2 and Level-1-2 routers. Then Level-1-2 and Level-2 routers know routing information about the entire IS-IS routing domain. To reduce the size of routing tables, a Level-1-2 router, by default, does not advertise the learned routing information of other Level-1 areas and the backbone area to its Level-1 area. In this case, Level-1 routers cannot know routing information outside the local area. As a result, Level-1 routers cannot select the optimal route to the destination outside the local area. IS-IS route leaking can solve this problem. You can configure access control lists (ACLs) and routing policies and mark routes with tags on Level-1-2 routers to select eligible routes. Then a Level-1-2 router can advertise routing information of other Level-1 areas and backbone area to its Level-1 area.
Figure 2-4-1 IS-IS route leaking
In Figure 2-4-1, RouterA sends a packet to RouterF. The selected optimal route should be RouterA->RouterB->RouterD->RouterE->RouterF. This is because the cost of this route is 40, which is smaller than the cost (70) of the other route (RouterA->RouterC->RouterE->RouterF). However, when you check the route on RouterA to view the path of the packets sent to RouterF, the selected route is RouterA->RouterC->RouterE->RouterF but not the optimal route from RouterA to RouterF. RouterA (Level-1 router) does not know routes outside its area, so it sends packets outside its area through the default route generated by the nearest Level-1-2 router. Therefore, the optimal route is not used to forward the packets. If route leaking is enabled on Level-1-2 routers (RouterC and RouterD), Level-1 routers in Area 10 can know routes outside Area 10 and passing through the two Level-1-2 routers. After route calculation, the forwarding path becomes RouterA->RouterB->RouterD->RouterE->RouterF, which is the optimal route from RouterA to RouterF.
2.5 IS-IS Overload
IS-IS Overload allows a device to use the IS-IS overload bit to identify the overload state. The IS-IS overload bit is the OL field in an IS-IS LSP. After the overload bit is set on a device, other devices ignore this device when performing SPF calculation and consider only the direct routes of the device.
Figure 2-5-1 IS-IS Overload
As shown in Figure 2-5-1, RouterB forwards the packets sent from RouterA to network segment 1.1.1.0/24. If the overload bit in the LSP sent from RouterB is set to 1, RouterA considers the LSDB of RouterB incomplete and sends packets to 1.1.1.0/24 through RouterD and RouterE. This does not affect the packets sent to the directly connected network segment of RouterB. If a device cannot store new LSPs and fails to synchronize its LSDB, the routes calculated by this device are incorrect. In this situation, the device enters the overload state and does not calculate the routes passing through this device; however, the direct routes of the device remain valid. A device may enter the overload state because of a device abnormality, or it may be manually configured to enter the overload state. When an IS-IS device on the network needs to be upgraded or maintained, isolate it from the network temporarily by setting the overload bit on it, so that other devices do not use it to forward traffic.
NOTE:
If the system enters the overload state because of an abnormality, the system deletes all the imported or leaked routes.
If the system is configured to enter the overload state, the system determines whether to delete all the imported or leaked routes based on the configuration.
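The behaviour described above, as an added example that is not part of the course material: a toy SPF calculation in which a node whose LSP carries OL=1 is still reachable (so the prefixes it advertises for its directly connected segments stay valid) but is never used as a transit node. The topology is modelled on Figure 2-5-1, but the link costs, the 10.0.1.0/24 segment and the placement of 1.1.1.0/24 behind a constructed RouterC are assumptions.

```python
"""Toy IS-IS SPF that honours the LSP overload (OL) bit.

Constructed example: node names, link costs and prefixes are assumptions
modelled loosely on Figure 2-5-1, not values from the course material.
"""
import heapq
from typing import Dict, List, Tuple

# Link-state database: node -> list of (neighbor, cost). Links are symmetric.
LINKS: Dict[str, List[Tuple[str, int]]] = {
    "RouterA": [("RouterB", 10), ("RouterD", 10)],
    "RouterB": [("RouterA", 10), ("RouterC", 10)],
    "RouterC": [("RouterB", 10), ("RouterE", 10)],
    "RouterD": [("RouterA", 10), ("RouterE", 10)],
    "RouterE": [("RouterD", 10), ("RouterC", 10)],
}

# Prefixes each node advertises in its own LSP: node -> list of (prefix, metric).
PREFIXES: Dict[str, List[Tuple[str, int]]] = {
    "RouterB": [("10.0.1.0/24", 0)],   # directly connected segment of RouterB
    "RouterC": [("1.1.1.0/24", 0)],    # the destination segment from the figure
}


def spf(root: str, overloaded=frozenset()) -> Dict[str, Tuple[int, str]]:
    """Dijkstra from `root`. Returns node -> (cost, first-hop neighbor).

    A node whose LSP has OL=1 is still placed on the tree (so its own
    prefixes remain valid) but its links are never relaxed, so no path
    may transit it. The root itself is exempt from this rule.
    """
    dist = {root: (0, root)}
    heap = [(0, root, root)]
    done = set()
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if node != root and node in overloaded:
            continue  # do not expand through an overloaded node
        for nbr, link_cost in LINKS[node]:
            new_cost = cost + link_cost
            hop = nbr if node == root else first_hop
            if nbr not in dist or new_cost < dist[nbr][0]:
                dist[nbr] = (new_cost, hop)
                heapq.heappush(heap, (new_cost, nbr, hop))
    return dist


def routes(root: str, overloaded=frozenset()) -> Dict[str, Tuple[int, str]]:
    """prefix -> (total metric, next hop) as seen from `root`."""
    tree = spf(root, overloaded)
    table: Dict[str, Tuple[int, str]] = {}
    for node, entries in PREFIXES.items():
        if node not in tree:
            continue
        node_cost, hop = tree[node]
        for prefix, metric in entries:
            total = node_cost + metric
            if prefix not in table or total < table[prefix][0]:
                table[prefix] = (total, hop)
    return table


if __name__ == "__main__":
    print("normal:    ", routes("RouterA"))
    print("B overload:", routes("RouterA", {"RouterB"}))
```

With RouterB in the overload state, 1.1.1.0/24 is reached through RouterD (cost 30 instead of 20), while RouterB's own segment 10.0.1.0/24 is still reached directly through RouterB, which is the behaviour the text describes.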
2.6 IS-IS Route Management
Fast convergence and priority-based convergence improve IS-IS network convergence. Fast convergence speeds up network convergence by calculating routes faster, while priority-based convergence assigns different convergence priorities to routes so that important routes converge first.
2.6.1 Fast Convergence
IS-IS fast convergence is an extended feature of IS-IS that speeds up route convergence. Fast convergence includes the following:
Incremental SPF (I-SPF): recalculates only the routes of the changed nodes rather than all the nodes when the network topology changes. This speeds up route calculation. In ISO 10589, the SPF algorithm is used to calculate routes. When a node changes on the network, this algorithm recalculates all routes. The calculation takes a long time and consumes excessive CPU resources, which affects the convergence speed.
I-SPF improves this algorithm. Except for the first time, only changed nodes instead of all nodes are involved in calculation. The shortest path tree (SPT) generated is the same as that generated by the previous algorithm. This decreases CPU usage and speeds up network convergence.
Partial Route Calculation (PRC): calculates only the changed routes when the routes on the network change. Similar to I-SPF, PRC calculates only the changed routes, but it does not calculate the shortest path. It updates routes based on the SPT calculated by I-SPF. In route calculation, a leaf represents a route, and a node represents a router. If the SPT changes after I-SPF calculation, PRC processes all the leaves only on the changed node. If the SPT remains unchanged, PRC processes only the changed leaves. For example, if IS-IS is enabled on an interface of a node, the SPT calculated by I-SPF remains unchanged. PRC updates only the routes of this interface, consuming less CPU resources. PRC working with I-SPF further improves the convergence performance of the network. It is an improvement of the original SPF algorithm.
Intelligent timer: applies to LSP generation and SPF calculation. The first timeout period of the intelligent timer is fixed. If an event that triggers the timer occurs before the timer expires, the next timeout period of the timer increases. Although the route calculation algorithm is improved, a long interval for triggering route calculation affects the convergence speed, and frequent network changes consume excessive CPU resources. The SPF intelligent timer addresses both problems. In general, an IS-IS network is stable under normal conditions: the probability of many network changes is very low, and IS-IS does not calculate routes frequently, so the period for triggering route calculation is very short (milliseconds). If the network topology changes very often, the intelligent timer increases the interval between calculations to avoid excessive CPU consumption. The original mechanism uses a timer with uniform intervals, which makes fast convergence and low CPU consumption impossible to achieve together. The LSP generation intelligent timer is similar to the SPF intelligent timer. When the LSP generation intelligent timer expires, the system generates a new LSP based on the current topology. The LSP generation timer is designed as an intelligent timer so that it responds quickly to emergencies (such as an interface going Up or Down) and speeds up network convergence.
LSP fast flooding: speeds up the flooding of LSPs. In most cases, when an IS-IS router receives new LSPs from other routers, it updates the LSPs in its LSDB and periodically floods the updated LSPs according to a timer. LSP fast flooding speeds up LSDB synchronization: when a device receives one or more new LSPs, it floods LSPs that are fewer than the specified number before route calculation. This mechanism also speeds up network convergence.
Priority-based Convergence
Priority-based IS-IS convergence ensures that specific routes converge first when a great number of routes need to converge. You can assign a high convergence priority to routes for key services so that these routes converge quickly. This reduces the impact of route convergence on key services. Different routes can be set with different convergence priorities so that important routes converge first. This improves network reliability.
2.6.2 IS-IS Administrative Tag
Administrative tags control the advertisement of IP prefixes in an IS-IS routing domain to simplify route management. You can use administrative tags to control the import of routes of different levels and different areas and to control IS-IS multi-instances running on the same router.
Figure 2-6-1 IS-IS networking
In Figure 2-6-1, RouterA in Area 4 needs to communicate with RouterB in Area 5, RouterC in Area 3, and RouterD in Area 2. For information security, the other routers in the Level-1 areas (Areas 2, 3, and 5) must not receive the packets sent from RouterA. To meet this requirement, configure the same administrative tag on the IS-IS interfaces of RouterB, RouterC, and RouterD, and configure the Level-1-2 router in Area 4 to leak only the routes matching the configured administrative tag from Level-2 to the Level-1 area. This allows RouterA to communicate with only RouterB, RouterC, and RouterD. Figure 2-6-2 shows the topology formed on RouterA.
Figure 2-6-2 IS-IS administrative tag application
The value of an administrative tag is associated with certain attributes. If the cost style is wide, wide-compatible or compatible, when IS-IS advertises an IP address prefix with these attributes, IS-IS adds the administrative tag to the TLV in the prefix. The tag is flooded along with the prefix throughout the routing domain.
2.6.3 IS-IS Wide Metric
In ISO 10589, the maximum IS-IS interface metric value can only be 63 and the IS-IS cost style is narrow. Such a small range of metrics cannot meet the requirements of large-scale networks. Therefore, in RFC 3784, the maximum IS-IS interface metric value can reach 16777215 and the maximum IS-IS route metric value can reach 4261412864; in this case, the IS-IS cost style is wide.
The following lists the related TLVs:
TLV 128 (IP Internal Reachability TLV): carries IS-IS routes in a routing domain.
TLV 135 (Extended IP Reachability TLV): replaces the earlier IP reachability TLV and carries IS-IS routing information. This TLV expands the route metric and carries sub-TLVs.
Table 2-6-1 lists the cost styles of received and sent IS-IS routing information. The cost styles of received and sent IS-IS routing information vary according to the cost style configured on a device.
Table 2-6-1 Cost styles of received and sent IS-IS routing information

Cost Style Configured on a Device | Cost Style for Received IS-IS Routing Information | Cost Style for Sent IS-IS Routing Information
narrow                            | narrow                                            | narrow
narrow-compatible                 | narrow&wide                                       | narrow
compatible                        | narrow&wide                                       | narrow&wide
wide-compatible                   | narrow&wide                                       | wide
wide                              | wide                                              | wide
NOTE: When the cost-style is set to compatible, IS-IS sends the information in narrow mode and then in wide mode. IS-IS in wide mode and IS-IS in narrow mode cannot communicate. If IS-IS in wide mode and IS-IS in narrow mode need to communicate, you must change the mode to enable all routers on the network to receive packets sent by other routers.
2.7 IS-IS LSP Fragment Extension
When an IS-IS router needs to advertise LSPs that contain a large amount of information, the IS-IS router generates multiple LSP fragments to carry more IS-IS information. IS-IS LSP fragments are identified by the LSP Number field in their LSP IDs. This field is 1 byte long. An IS-IS process can therefore generate a maximum of 256 LSP fragments, so only a limited number of routes can be carried. As defined in RFC 3786, virtual system IDs can be configured and virtual LSPs that carry routing information can be generated for IS-IS.
2.7.1 Concepts
Originating system: is a router that runs the IS-IS protocol. A single IS-IS process can function as multiple virtual routers to advertise LSPs, and the originating system refers to the IS-IS process.
Normal system ID: is the system ID of the originating system.
Virtual system: is the system identified by the additional system ID to generate extended LSP fragments. These fragments carry additional system IDs in their LSP IDs.
Additional system ID: is assigned by network administrators to identify a virtual system. A maximum of 256 extended LSP fragments can be generated for each additional system ID.
NOTE: Like a normal system ID, an additional system ID must be unique in a routing domain.
TLV 24 (IS Alias ID TLV): describes the relationship between the originating system and virtual system.
2.7.2 Principles
In IS-IS, each system ID identifies a system, which can generate a maximum of 256 LSP fragments. With additional system IDs (up to 50 virtual systems can be configured), an IS-IS process can generate a maximum of 13,056 LSP fragments. After LSP fragment extension is configured, the system prompts you to restart the IS-IS process if information is lost because the LSPs overflow. After being restarted, the originating system loads as much routing information as possible into its own LSPs, adds the remaining information to the LSPs of the virtual systems for transmission, and uses TLV 24 to notify other routers of its relationship with the virtual systems.
Operating Modes
An IS-IS router can run the LSP fragment extension feature in two modes.
Figure 2-7-1 IS-IS LSP fragment extension
Table 2-7-1 ISIS Routers Operating Modes

Mode-1
Usage Scenario: Some routers on the network do not support LSP fragment extension.
Principles: Virtual systems participate in SPF calculation. The originating system advertises LSPs containing information about links to each virtual system. Similarly, each virtual system advertises LSPs containing information about links to the originating system. Virtual systems look like the physical routers that connect to the originating system. Mode-1 is a transitional mode for the earlier versions that do not support LSP fragment extension. In earlier versions, IS-IS cannot identify the IS Alias ID TLV and processes the received LSP that is advertised by a virtual system as an LSP advertised by an IS-IS process.
Example: In Figure 2-7-1, RouterB does not support LSP fragment extension, and RouterA is configured to support LSP fragment extension in mode-1. RouterA1 and RouterA2 are virtual systems of RouterA and send LSPs carrying some routing information of RouterA. After receiving LSPs from RouterA, RouterA1, and RouterA2, RouterB considers that there are three individual routers at the remote end and calculates routes. Because the cost of the route from RouterA to RouterA1 and the cost of the route from RouterA to RouterA2 are both 0, the cost of the route from RouterB to RouterA is the same as the cost of the route from RouterB to RouterA1.
Precautions: The LSP sent by a virtual system contains the same area address and overload bit as those in a common LSP. If the LSPs sent by a virtual system contain TLVs specified in other features, these TLVs must be the same as those in common LSPs. The virtual system carries neighbor information indicating that the neighbor is the originating system, with the metric equal to the maximum value minus 1. The originating system carries neighbor information indicating that the neighbor is the virtual system, with the metric 0. This ensures that the virtual system is the downstream node of the originating system when other routers calculate routes.

Mode-2
Usage Scenario: All the routers on the network support LSP fragment extension.
Principles: Virtual systems do not participate in SPF calculation. All the routers on the network know that the LSPs generated by virtual systems actually belong to the originating system. An IS-IS router working in mode-2 can identify the IS Alias ID TLV, which is used as a reference for calculating the SPT and routes.
Example: In Figure 2-7-1, RouterB supports LSP fragment extension, and RouterA is configured to support LSP fragment extension in mode-2. RouterA1 and RouterA2 are virtual systems of RouterA and send LSPs carrying some routing information of RouterA. When receiving LSPs from RouterA1 and RouterA2, RouterB obtains the IS Alias ID TLV and knows that the originating system of RouterA1 and RouterA2 is RouterA. RouterB then considers that information advertised by RouterA1 and RouterA2 belongs to RouterA.

NOTE: When the originating system and virtual system send the LSPs with fragment number 0, the LSPs must carry the IS Alias ID TLV to indicate the originating system regardless of the operation mode (mode-1 or mode-2).
2.8 IS-IS Host Name Mapping
The IS-IS host name mapping mechanism maps host names to system IDs for IS-IS devices, including dynamic host name mapping and static host name mapping. Dynamic host name mapping takes precedence over static host name mapping. When both a dynamic host name and a static host name are configured, the dynamic host name takes effect. On an IS-IS router where host name exchange is disabled, information about IS-IS neighbors and LSDBs shows that each device in an IS-IS routing domain is identified by a system ID consisting of a 12-digit hexadecimal number, for example, aaaa.eeee.1234. This device identification method is complex and not easy to use. The host name exchange mechanism facilitates IS-IS network management and maintenance. The system ID is replaced by a host name in the following situations:
When an IS-IS neighbor is displayed, the system ID of the IS-IS neighbor is replaced by its host name. When the neighbor is the DIS, the system ID of the DIS is also replaced by its host name.
When an LSP in the IS-IS LSDB is displayed, the system ID in the LSP ID is replaced by the host name of the IS-IS device that advertises the LSP.
When details about the IS-IS LSDB are displayed, the Host Name field is added to the LSP generated by the device where dynamic host name exchange is enabled, and the system ID in the Host Name field is replaced by the dynamic host name of the device that generates the LSP.
Dynamic Host Name Mapping
On a device where dynamic host name mapping is enabled, dynamic host name information is advertised as TLV 137 (Dynamic Hostname TLV) in LSPs. When you run IS-IS commands on other devices to view IS-IS information, the system ID of the local device is replaced by the configured host name. The host name is easier to identify and memorize than the system ID. The Dynamic Hostname TLV is optional and can be inserted anywhere in an LSP. The value of this TLV cannot be empty. A device can determine whether to send LSPs carrying TLV 137, while the device that receives LSPs can determine whether to ignore TLV 137 or whether to obtain TLV 137 for its mapping table.
Static Host Name Mapping
Static host name mapping allows you to configure the mapping between host names and system IDs of other IS-IS devices on a device. Static host name mapping takes effect only on the local device and is not advertised using LSPs.
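An added example (not Huawei code) that implements the mapping rules from Section 2.8 on the receiving side: a minimal TLV walker extracts TLV 137 from the TLV area of an LSP, an empty or truncated value is rejected as the text requires, dynamic names take precedence over static ones, and the system ID inside an LSP ID is replaced by the resolved host name for display. The system IDs, host names and TLV bytes are constructed; the LSP ID layout used by the parser (6-byte system ID, 1-byte pseudonode ID, 1-byte LSP number) is an assumption from the standard IS-IS LSP ID format, of which the text mentions only the 1-byte LSP Number field.

```python
"""Host name mapping for IS-IS display (Section 2.8), added example.

Constructed data: the system IDs, host names and TLV bytes are made up.
"""
from typing import Dict, Optional, Tuple

DYNAMIC_HOSTNAME_TLV = 137


def parse_dynamic_hostname(tlvs: bytes) -> Optional[str]:
    """Walk a TLV area and return the value of TLV 137, or None.

    An empty value is treated as absent (the text says the value cannot be
    empty) and a truncated TLV area yields None rather than a partial name.
    """
    i = 0
    while i + 2 <= len(tlvs):
        t, length = tlvs[i], tlvs[i + 1]
        value = tlvs[i + 2:i + 2 + length]
        if len(value) != length:
            return None  # truncated TLV area
        if t == DYNAMIC_HOSTNAME_TLV and length > 0:
            return value.decode("ascii", errors="replace")
        i += 2 + length
    return None


def parse_lsp_id(lsp_id: str) -> Tuple[str, int, int]:
    """'aaaa.eeee.1234.00-01' -> (system_id, pseudonode_id, lsp_number).

    Assumed layout: dotted 6-byte system ID, 1-byte pseudonode ID, 1-byte
    LSP number (the fragment number named in Section 2.7).
    """
    sysid_pn, frag = lsp_id.split("-")
    parts = sysid_pn.split(".")
    system_id = ".".join(parts[:3])
    return system_id, int(parts[3], 16), int(frag, 16)


class HostNameTable:
    """Dynamic names learned from TLV 137 take precedence over static ones."""

    def __init__(self) -> None:
        self.static: Dict[str, str] = {}
        self.dynamic: Dict[str, str] = {}

    def add_static(self, system_id: str, name: str) -> None:
        self.static[system_id] = name

    def learn_from_lsp(self, system_id: str, tlvs: bytes) -> None:
        name = parse_dynamic_hostname(tlvs)
        if name is not None:
            self.dynamic[system_id] = name

    def resolve(self, system_id: str) -> str:
        return self.dynamic.get(system_id) or self.static.get(system_id) or system_id

    def display_lsp_id(self, lsp_id: str) -> str:
        """Replace the system ID part of an LSP ID with the host name."""
        system_id, pn, frag = parse_lsp_id(lsp_id)
        return f"{self.resolve(system_id)}.{pn:02x}-{frag:02x}"


def demo() -> Dict[str, str]:
    """Constructed scenario: r1 has both a static and a dynamic name."""
    table = HostNameTable()
    table.add_static("aaaa.eeee.1234", "static-r1")
    table.add_static("bbbb.eeee.5678", "r2")
    # Constructed TLV area: an unrelated TLV (type 1, 2 bytes) then TLV 137.
    tlvs = bytes([1, 2, 0x49, 0x00]) + bytes([137, 7]) + b"core-r1"
    table.learn_from_lsp("aaaa.eeee.1234", tlvs)
    return {
        "r1": table.display_lsp_id("aaaa.eeee.1234.00-00"),
        "r2": table.display_lsp_id("bbbb.eeee.5678.00-01"),
        "unknown": table.display_lsp_id("cccc.eeee.9999.00-00"),
    }


if __name__ == "__main__":
    for key, shown in demo().items():
        print(key, "->", shown)
```

In the demo the dynamic name "core-r1" wins over the static "static-r1", RouterB's fragment 1 is shown as "r2.00-01", and a system with no mapping is still displayed by its raw system ID.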
2.9 IS-IS Reliability
As networks develop, services have higher network requirements. IS-IS provides high reliability to ensure uninterrupted service forwarding when a network fault occurs or when network devices need maintenance.
IS-IS reliability includes hot standby, non-stop routing (NSR), batch backup, real-time backup, IS-IS GR, BFD for IS-IS, and IS-IS Auto FRR. In hot standby, IS-IS backs up data from the Active Main Board (AMB) to the Standby Main Board (SMB). Whenever the AMB fails, the SMB becomes active and takes over the tasks of the AMB to ensure normal IS-IS running. This improves IS-IS reliability. IS-IS information backup includes data backup and command line backup:
Data backup: The system backs up data of processes and interfaces. Data backup ensures the same IS-IS data on the AMB and SMB. When an AMB/SMB switchover occurs, neighbors do not detect the switchover.
Command line backup: The system backs up the command lines that are successfully executed on the AMB to the SMB. Whether to send command lines to the SMB for processing is determined by the execution results of the command lines on the AMB. If command lines are successfully executed on the AMB, they are sent to the SMB for processing. Otherwise, they are not sent to the SMB and the command line execution failure is logged. If the command lines fail to be executed on the SMB, this failure is logged. The AMB sends only the successfully executed command lines to the SMB for processing. If a fault occurs on the AMB, IS-IS neighbor relationships on the device need to be established again after the AMB/SMB switchover is performed.
Hot Standby
Devices with distributed architecture support IS-IS hot standby. In IS-IS hot standby, IS-IS configurations on the AMB and SMB are consistent. When an AMB/SMB switchover occurs, the new AMB performs GR and resends a request for establishing neighbor relationships to neighbors to synchronize its LSDB. This prevents traffic transmission from being affected.
NSR
NSR ensures continuous service forwarding on a device when a hardware or software failure occurs on the device. NSR uses data backup to ensure that a neighbor of a device does not detect the fault on the AMB of the device that provides the SMB. NSR ensures that the neighbor relationships established using routing protocols, MPLS, and other protocols that transmit services are not interrupted when a device fault occurs. IS-IS NSR ensures that data is synchronized in real time between the AMB and SMB. When the AMB/SMB switchover occurs, the SMB can rapidly take over services on the AMB. This ensures that neighbors do not detect device faults.
Batch Backup
Batch data backup: When the SMB is installed, all data of the AMB is backed up to the SMB at a time. No configuration can be changed during batch backup.
Batch command line backup: When the SMB is installed, all configurations of the AMB are backed up to the SMB at a time. No configuration can be changed during batch backup.
Real-time Backup
Real-time data backup: Changed data of processes and interfaces is backed up in real time to the SMB.
Real-time command line backup: The command lines that are executed successfully on the AMB are backed up to the SMB.
2.10 IS-IS GR
IS-IS graceful restart (GR) is a high availability technology that implements non-stop data forwarding. After the master/slave switchover, no neighbor information is stored on the restarted router. The first Hello packets sent by the router after restart do not contain the neighbor list. After receiving the Hello packets, the neighbor checks the two-way neighbor relationship and detects that it is not in the neighbor list of the Hello packets sent by the router. The neighbor relationship is interrupted. The neighbor then generates new LSPs and floods the topology changes to all other routers in the area. Routers in the area calculate routes based on the new LSDBs, which leads to route interruption or routing loops. The IETF defined the GR standard for IS-IS in RFC 3847. The protocol restart is handled for both retained FIB tables and non-retained FIB tables. Therefore, the route flapping and traffic forwarding interruption caused by the restart can be avoided.
2.10.1 Concepts
IS-IS GR involves two roles, namely, GR restarter and GR helper.
GR restarter: is a device that has the GR capability and restarts in GR mode.
GR helper: is a device that has the GR capability and helps the GR restarter complete the GR process. The GR restarter must have the GR helper capability.
To implement GR, IS-IS uses TLV 211 (restart TLV) and three timers, T1, T2, and T3.
Restart TLV
The restart TLV is an extended part of an IS-to-IS Hello (IIH) PDU. All IIH packets of a router that supports IS-IS GR contain the restart TLV. The restart TLV carries the parameters for the protocol restart. Figure 2-10-1 shows the format of the restart TLV.
Figure 2-10-1 Restart TLV
Table 2-10-1 describes the fields of the restart TLV.
Table 2-10-1 Restart TLV fields

Field          | Length  | Description
Type           | 1 byte  | TLV type. Type value 211 indicates the restart TLV.
Length         | 1 byte  | Length of value in the TLV.
RR             | 1 bit   | Restart request bit. A router sends an RR packet to notify the neighbors of its restarting or starting and to require the neighbors to retain the current IS-IS adjacency and return CSNPs.
RA             | 1 bit   | Restart acknowledgement bit. A router sends an RA packet to respond to the RR packet.
SA             | 1 bit   | Suppress adjacency advertisement bit. The starting router uses an SA packet to require its neighbors to suppress the broadcast of their neighbor relationships to prevent routing loops.
Remaining Time | 2 bytes | Time during which the neighbor does not reset the adjacency. The length of the field is 2 bytes. The time is measured in seconds. When RA is reset, the value is mandatory.
2.10.2 Timers
Three timers are introduced to enhance IS-IS GR: T1, T2, and T3.
T1: If the GR restarter has already sent an IIH packet with RR set but does not receive any IIH packet that carries the restart TLV with RA set from the GR helper before the T1 timer expires, the GR restarter resets the T1 timer and continues to send the restart TLV. If the ACK packet is received or the T1 timer expires three times, the T1 timer is deleted. The default value of the T1 timer is 3 seconds.
Any interface enabled with IS-IS GR maintains a T1 timer. On a Level-1-2 router, broadcast interfaces maintain a T1 timer for Level-1 and Level-2 neighbor relationships.
T2: is the time from when the GR restarter restarts until the LSDBs of all devices of the same level are synchronized. T2 is the maximum time that the system waits for synchronization of all LSDBs. T2 is generally 60 seconds. Level-1 and Level-2 LSDBs maintain their respective T2 timers.
T3: is the maximum time during which the GR restarter performs GR. The T3 initial value is 65535 seconds. After the IIH packets that carry the RA are received from neighbors, the T3 value becomes the smallest value among the Remaining Time fields of the IIH packets. If the T3 timer expires, GR fails. The entire system maintains a T3 timer.
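The restart TLV of Table 2-10-1 and the T3 rule of Section 2.10.2, as an added example that is not part of the course material: the GR restarter encodes an RR request, each helper replies with RA set and its remaining Holdtime, and the restarter lowers T3 to the smallest Remaining Time it receives. The field widths come from the table; the flag bit positions (RR = 0x01, RA = 0x02, SA = 0x04) and the rule that the Remaining Time field is present only when RA is set are taken from RFC 3847, which the text cites, and are not stated on the page.

```python
"""Encoding/decoding the IS-IS restart TLV (type 211) and the T3 update a
GR restarter performs on acknowledgement. Added example.

Field widths follow Table 2-10-1. Flag bit positions and the presence rule
for Remaining Time are assumptions taken from RFC 3847.
"""
import struct
from dataclasses import dataclass
from typing import Iterable, Optional

RESTART_TLV = 211
RR, RA, SA = 0x01, 0x02, 0x04          # assumed bit layout (RFC 3847)
T3_INITIAL = 65535                     # seconds, Section 2.10.2


@dataclass
class RestartTLV:
    rr: bool
    ra: bool
    sa: bool
    remaining_time: Optional[int] = None  # seconds; only meaningful with RA

    def encode(self) -> bytes:
        flags = (RR if self.rr else 0) | (RA if self.ra else 0) | (SA if self.sa else 0)
        value = bytes([flags])
        if self.ra:
            if self.remaining_time is None:
                raise ValueError("Remaining Time is mandatory when RA is set")
            value += struct.pack("!H", self.remaining_time)  # 2-byte field
        return bytes([RESTART_TLV, len(value)]) + value

    @classmethod
    def decode(cls, data: bytes) -> "RestartTLV":
        if len(data) < 3 or data[0] != RESTART_TLV:
            raise ValueError("not a restart TLV")
        length = data[1]
        value = data[2:2 + length]
        if len(value) != length or length < 1:
            raise ValueError("truncated restart TLV")
        flags = value[0]
        remaining = None
        if flags & RA:
            if length < 3:
                raise ValueError("RA set but Remaining Time missing")
            remaining = struct.unpack("!H", value[1:3])[0]
        return cls(bool(flags & RR), bool(flags & RA), bool(flags & SA), remaining)


def restarter_request() -> bytes:
    """Restarting, step 1: IIH with RR=1, RA=0, SA=0."""
    return RestartTLV(rr=True, ra=False, sa=False).encode()


def helper_reply(holdtime_left: int) -> bytes:
    """Step 2: the helper answers RR=0, RA=1, Remaining Time = Holdtime left."""
    return RestartTLV(rr=False, ra=True, sa=False, remaining_time=holdtime_left).encode()


def update_t3(current_t3: int, reply: bytes) -> int:
    """Step 3: T3 becomes the smaller of its current value and Remaining Time.

    A packet without RA is not an acknowledgement and leaves T3 unchanged.
    """
    tlv = RestartTLV.decode(reply)
    if not tlv.ra or tlv.remaining_time is None:
        return current_t3
    return min(current_t3, tlv.remaining_time)


def gr_exchange(holdtimes: Iterable[int]) -> int:
    """Run the request/ack exchange against several helpers; return final T3."""
    request = RestartTLV.decode(restarter_request())
    if not (request.rr and not request.ra and not request.sa):
        raise RuntimeError("malformed restart request")
    t3 = T3_INITIAL
    for left in holdtimes:
        t3 = update_t3(t3, helper_reply(left))
    return t3


if __name__ == "__main__":
    print("request bytes:", restarter_request().hex())
    print("final T3:", gr_exchange([30, 27, 29]))
```

The effect is that the restarter's GR window is bounded by the least patient helper: with helpers reporting 30, 27 and 29 seconds of Holdtime left, T3 drops from 65535 to 27. Note that the decoder refuses a TLV that claims RA but is too short to carry the Remaining Time, so a malformed acknowledgement cannot silently shorten or extend the timer.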
2.10.3 Session Mechanism
For differentiation, GR triggered by the master/slave switchover or the restart of an IS-IS process is referred to as restarting. In restarting, the FIB table remains unchanged. GR triggered by router restart is referred to as starting. In starting, the FIB table is updated. The following describes the process of IS-IS GR in restarting and starting modes:
Figure 2-10-2 shows the process of IS-IS restarting.
Figure 2-10-2 IS-IS restarting
1.
After performing the protocol restart, the GR restarter performs the following actions:
Starts T1, T2, and T3 timers.
Sends IIH packets that contain the restart TLV from all interfaces. In such a packet, RR is set to 1, and RA and SA are set to 0.
2.
After receiving an IIH packet, the GR helper performs the following actions:
Maintains the neighbor relationship and refreshes the current Holdtime.
Replies with an IIH packet containing the restart TLV. In the packet, RR is set to 0; RA is set to 1, and the value of the Remaining Time field indicates the period from the current moment to the timeout of the Holdtime.
Sends CSNPs and all LSPs to the GR restarter.
NOTE: On a P2P link, a neighbor must send CSNPs. On a LAN link, only the neighbor of the DIS sends CSNPs. If the DIS is restarted, a temporary DIS is elected from the other routers on the LAN. If the neighbor does not have the GR helper capability, it ignores the restart TLV and resets the adjacency with the GR restarter according to normal IS-IS processing.
3.
After the GR restarter receives the IIH response packet, in which RR is set to 0 and RA is set to 1, from the neighbor, it performs the following actions:
Compares the current value of the T3 timer with the value of the Remaining Time field in the packet. The smaller value is taken as the value of the T3 timer.
Deletes the T1 timer maintained by the interface that receives the ACK packet and CSNPs.
If the interface does not receive the ACK packet or CSNPs, the GR restarter constantly resets the T1 timer and resends the IIH packet that contains the restart TLV. If the number of timeouts of the T1 timer exceeds the threshold value, the GR restarter forcibly deletes the T1 timer and turns to the normal IS-IS processing to complete LSDB synchronization.
4.
After the GR restarter deletes the T1 timers on all interfaces, the synchronization with all neighbors is complete when the CSNP list is cleared and all LSPs are collected. The T2 timer is then deleted.
5.
After the T2 timer is deleted, the LSDB of the level is synchronized.
In the case of a Level-1 or Level-2 router, SPF calculation is triggered.
In the case of a Level-1-2 router, determine whether the T2 timer on the router of the other level is also deleted. If both T2 timers are deleted, SPF calculation is triggered. Otherwise, the router waits for the T2 timer of the other level to expire.
6.
After all T2 timers are deleted, the GR restarter deletes the T3 timer and updates the FIB table. The GR restarter re-generates the LSPs of each level and floods them. During LSDB synchronization, the GR restarter deletes the LSPs generated before restarting.
7.
At this point, the IS-IS restarting of the GR restarter is complete.
The starting device does not retain the FIB table. The starting device depends on the neighbors, whose adjacency with itself is Up before it starts, to reset their adjacency and suppress the neighbors from advertising their adjacency. The IS-IS starting process is different from the IS-IS restarting process, as shown in Figure 2-10-3.
Figure 2-10-3 IS-IS starting
1.
After the GR restarter is started, it performs the following actions:
Starts the T2 timer for the synchronization of LSDBs of each level.
Sends IIH packets that contain the restart TLV from all interfaces. RR set to 0 in the packet indicates that the router is starting. SA set to 1 in the packet requests the neighbors to suppress the advertisement of their adjacency with the router until they receive an IIH packet in which SA is set to 0.
2.
After the neighbor receives the IIH packet that carries the restart TLV, it performs the following actions depending on whether GR is supported:
GR is supported. Re-initiates the adjacency.
Deletes the description of the adjacency with the GR restarter from the sent LSP. The neighbor also ignores the link connected to the GR restarter when performing SPF calculation until it receives an IIH packet in which SA is set to 0.
GR is not supported. Ignores the restart TLV and resets the adjacency with the GR restarter. Replies with an IIH packet that does not contain the restart TLV. The neighbor then returns to normal IS-IS processing. In this case, the neighbor does not suppress the advertisement of the adjacency with the GR restarter. On a P2P link, the neighbor also sends a CSNP.
3.
After the adjacency is re-initiated, the GR restarter re-establishes the adjacency with the neighbors on each interface. When an adjacency set on an interface is in the Up state, the GR restarter starts the T1 timer for the interface.
4.
After the T1 timer expires, the GR restarter sends an IIH packet in which both RR and SA are set to 1.
5.
After the neighbor receives the IIH packet, it replies with an IIH packet, in which RR is set to 0 and RA is set to 1, and sends a CSNP.
6.
After the GR restarter receives the IIH ACK packet and CSNP from the neighbor, it deletes the T1 timer. If the GR restarter does not receive the IIH packet or CSNP, it constantly resets the T1 timer and resends the IIH packet in which RR and SA are set to 1. If the number of the timeouts of the T1 timer exceeds the threshold value, the GR restarter forcibly deletes the T1 timer and turns to the normal IS-IS processing to complete LSDB synchronization.
7.
After receiving the CSNP from the helper, the GR restarter synchronizes the LSDB.
8.
After the LSDB of this level is synchronized, the T2 timer is deleted.
9.
After all T2 timers are deleted, the SPF calculation is started and LSPs are regenerated and flooded.
10. At this point, the IS-IS starting of the GR restarter is complete.
2.11 BFD for IS-IS
In IS-IS, the interval for sending Hello packets is 10s, and the holddown time for keeping the neighbor relationship is three times the interval for sending Hello packets. If a router does not receive a Hello packet from its neighbor within the holddown time, the router deletes the corresponding neighbor relationship. This means that the router detects neighbor faults in seconds. Second-level fault detection, however, may result in heavy packet loss on high-speed networks. Bidirectional forwarding detection (BFD) provides light-load and millisecond-level link fault detection to prevent heavy packet loss. BFD does not substitute the Hello mechanism of IS-IS but helps
IS-IS rapidly detect the faults on neighbors or links and instructs IS-IS to recalculate routes for packet forwarding. In Figure 2-11-1, basic IS-IS functions are configured on every router, and BFD for IS-IS is enabled on RouterA and RouterB.
Figure 2-11-1 BFD for IS-IS
When a fault occurs on the primary link (RouterA->RouterD->RouterB), BFD rapidly detects the fault and reports it to IS-IS. IS-IS sets the neighbors of the interface on the faulty link to Down, which triggers topology calculation, and updates LSPs so that neighbors such as RouterC can receive the updated LSPs from RouterB. This process implements fast network convergence.
2.11.1 Classification of BFD for IS-IS
BFD for IS-IS includes static BFD for IS-IS and dynamic BFD for IS-IS.
Table 2-11-1 Two implementation modes for BFD for IS-IS

Static BFD for IS-IS
Principles: BFD session parameters, including local and remote discriminators, are manually configured using commands, and the requests for establishing BFD sessions are manually delivered.
Differences: Static BFD can be manually controlled and is easy to deploy. To save memory and ensure reliability of key links, deploy BFD on specified links. Establishing and deleting BFD sessions need to be manually triggered and lack flexibility. Configuration errors may occur. For example, if an incorrect local or remote discriminator is configured, a BFD session cannot work properly.

Dynamic BFD for IS-IS
Principles: BFD sessions are dynamically created but not manually configured. When detecting faults, BFD informs IS-IS of the faults through the routing management (RM) module. IS-IS then turns the neighbors Down, rapidly advertises the changed LSPs, and performs incremental SPF. This implements fast route convergence.
Differences: Dynamic BFD is more flexible than static BFD. In dynamic BFD, routing protocols trigger the setup of BFD sessions, preventing the configuration errors caused by manual configuration. Dynamic BFD is easy to configure and applies to the scenarios where BFD needs to be configured on the entire network.
NOTE: BFD uses local and remote discriminators to differentiate multiple BFD sessions between the same pair of systems. Because IS-IS establishes only single-hop neighbors, BFD for IS-IS detects only single-hop links between IS-IS neighbors.
2.11.2 Establishment and Deletion of BFD Sessions The RM module provides related services for association with the BFD module for IS-IS. Through RM, IS-IS prompts BFD to set up or tear down BFD sessions by sending notification messages. In addition, BFD events are transmitted to IS-IS through RM. Conditions for setting up a BFD session
Basic IS-IS functions are configured on each router and IS-IS is enabled on the interfaces of the routers.
BFD is globally enabled on each router, and BFD is enabled on a specified interface or process.
BFD is enabled on interfaces or processes, and the neighbors are Up. A DIS needs to be elected on a broadcast network.
Process of setting up a BFD session
P2P network After the conditions for setting up a BFD session are satisfied, IS-IS instructs BFD through RM to directly set up a BFD session between neighbors.
Broadcast network After the conditions for establishing BFD sessions are met, and the DIS is elected, IS-IS instructs BFD through RM to establish a BFD session between the DIS and each router. No BFD session is established between non-DISs.
NOTE: On a broadcast network, routers (including non-DIS routers) of the same level on a network segment can establish neighbor relationships. In the implementation of BFD for IS-IS, however, BFD sessions are established only between a DIS and a non-DIS. On a P2P network, BFD sessions are directly established between neighbors.
If a Level-1-2 neighbor relationship is set up between two routers on a link, IS-IS sets up two BFD sessions for the Level-1 and Level-2 neighbors on a broadcast network, but sets up only one BFD session on a P2P network. Conditions for tearing down a BFD session
P2P network When a neighbor relationship that was set up on P2P interfaces by IS-IS is down (that is, the neighbor relationship is not in the Up state) or when the IP protocol type of a neighbor is deleted, IS-IS tears down the BFD session.
Broadcast network When a neighbor relationship that was set up on broadcast interfaces by IS-IS is torn down (that is, the neighbor relationship is not in the Up state), when the IP protocol type of a neighbor is deleted, or when the DIS is re-elected, IS-IS tears down the BFD session.
NOTE: After dynamic BFD is globally disabled in an IS-IS process, the BFD sessions on all the interfaces in this IS-IS process are deleted.
2.11.3 IS-IS Responding to BFD Session Down Event When detecting a link failure, BFD generates a Down event and notifies RM of the event. RM then instructs IS-IS to delete the neighbor relationship. IS-IS recalculates routes, which speeds up route convergence on the entire network. When both the local router and its neighbor are Level-1-2 routers, they establish two neighbor relationships, one per level, and IS-IS establishes two BFD sessions, one for the Level-1 neighbor and one for the Level-2 neighbor. When BFD detects a link failure, it generates a Down event and informs the RM module of the event. The RM module then instructs IS-IS to delete the neighbor relationship of the corresponding level.
2.12 IS-IS Auto FRR
With the development of networks, services such as Voice over IP (VoIP) and online video require high-quality real-time transmission. If an IS-IS link fault occurs, however, traffic can be switched to a new link only after fault detection, LSP update, LSP flooding, route calculation, and FIB entry delivery are complete. As a result, fault recovery takes much more than 50 ms, which cannot meet the requirement of real-time services on the network. Complying with RFC 5286 (Basic Specification for IP Fast Reroute: Loop-Free Alternates), IS-IS Auto FRR protects traffic when links or nodes become faulty. It allows the forwarding system to rapidly detect such faults and restore services as soon as possible. In most cases, you bind BFD to IS-IS Auto FRR to keep the fault recovery time within 50 ms: when BFD detects a link fault on an interface, the BFD session goes Down, which triggers FRR on the interface, and traffic is switched from the faulty link to the backup link, protecting services.
2.12.1 Principles IS-IS Auto FRR pre-computes a backup link by using the Loop-Free Alternate (LFA) algorithm, and then adds the backup link and the primary link to the forwarding table. In the case of an IS-IS network failure, IS-IS Auto FRR can fast switch traffic to the backup link before routes on the control plane converge. This ensures normal transmission of traffic and improves the reliability of the IS-IS network. The backup link is calculated through the LFA algorithm. With the neighbor that can provide the backup link being the root, the shortest path to the destination node is calculated by a device through the SPF algorithm. Then, the loop-free backup link is calculated according to the inequality defined in RFC 5286. IS-IS Auto FRR can filter backup routes that need to be added to the IP routing table. Only the backup routes matching the filtering policy are added to the IP routing table. In this manner, users can flexibly control the addition of IS-IS backup routes to the IP routing table.
2.12.2 Applications IS-IS Auto FRR supports traffic engineering (TE) links, including the following types:
IP protecting TE As shown in Figure 2-12-1, the TE tunnel has the smallest IS-IS cost among the paths from Router S to Router D. Therefore, Router S selects the TE tunnel as the primary path to Router D. The path Router S->Router N->Router D has the second smallest cost. According to the LFA algorithm, Router S selects the path Router S->Router N->Router D as the backup path. The outbound interface of the backup path is the interface that connects Router S to Router N.
NOTE: If the outbound interface of the backup link is the actual outbound interface of the TE tunnel, IP protecting TE fails.
Figure 2-12-1 IP protecting TE
TE protecting IP
As shown in Figure 2-12-2, the physical path Router S-->Router N-->Router D has the smallest IS-IS metric among the paths from Router S to Router D. Therefore, Router S prefers the path Router S-->Router N-->Router D as the primary path from Router S to Router D. The IS-IS cost of the TE tunnel is 12, and the explicit path of the TE tunnel is the direct link from Router S to Router D. The IS-IS metric of the direct link from Router S to Router D is 13, which is greater than the IS-IS metric of the TE tunnel. Therefore, IS-IS selects the TE tunnel as the backup path. TE protecting IP is implemented.
Figure 2-12-2 TE protecting IP
IS-IS Auto FRR traffic protection is classified into link protection and link-node dual protection.
Figure 2-12-3 IS-IS Auto FRR link protection
Figure 2-12-4 IS-IS Auto FRR link-node dual protection
Table 2-12-1 IS-IS Auto FRR traffic protection
Link protection
Protected object: traffic passing through a specific link.
Condition: the link cost must satisfy the following inequality: Distance_opt(N,D) < Distance_opt(N,S) + Distance_opt(S,D)
Application example: In Figure 2-12-3, traffic is transmitted from RouterS to RouterD and the link cost satisfies the link protection inequality. When the primary link fails, RouterS switches the traffic to the backup link RouterS->RouterN so that the traffic can be further transmitted along downstream paths. This keeps the traffic interruption time within 50 ms.
Link-node dual protection
Protected object: the next-hop node, or the link from the local node to the next-hop node. Node protection takes precedence over link protection.
Condition: both of the following inequalities must be satisfied:
The link cost must satisfy Distance_opt(N,D) < Distance_opt(N,S) + Distance_opt(S,D)
The interface cost of the router must satisfy Distance_opt(N,D) < Distance_opt(N,E) + Distance_opt(E,D)
Application example: In Figure 2-12-4, traffic is transmitted along the path RouterS->RouterE->RouterD and the link cost satisfies both inequalities. When RouterE or the link between RouterS and RouterE fails, RouterS switches the traffic to the backup link RouterS->RouterN so that the traffic can be further transmitted along downstream paths. This keeps the traffic interruption time within 50 ms.
NOTE: In Table 2-12-1, Distance_opt(X,Y) indicates the cost of the optimal path between node X and node Y. S indicates the source node of traffic; E indicates the faulty node; N indicates the node on the backup link; D indicates the destination node of traffic.
2.13 IS-IS Multi-Instance and Multi-Process
On a VPN-supporting device, you can associate multiple VPN instances with multiple IS-IS processes to implement IS-IS multi-instance. IS-IS multi-process allows you to create multiple IS-IS processes in the same VPN (or on the public network). These IS-IS processes are independent of each other. Route exchange between IS-IS processes is similar to route exchange between routing protocols. Each IS-IS process can be bound to a specified VPN instance. A typical application is as follows: In a VPN, IS-IS runs between PEs and CEs and also runs on the VPN backbone network. On the PEs, the two IS-IS processes are independent of each other. IS-IS multi-instance and multi-process have the following characteristics:
IS-IS multi-processes share an RM routing table. IS-IS multi-instances use the RM routing tables in VPNs, and each VPN has its own RM routing table.
IS-IS multi-process allows a set of interfaces to be associated with a specified IS-IS process. This ensures that the specified IS-IS process performs all the protocol operations only on this set of interfaces. In this manner, multiple IS-IS processes can work on a single router and each process is responsible for managing a unique set of interfaces.
When creating an IS-IS process, you can bind it to a VPN instance to associate the IS-IS process with the VPN instance. The IS-IS process accepts and processes only the events related to the VPN instance. When the bound VPN instance is deleted, the IS-IS process is also deleted.
2.14 IS-IS IPv6
IS-IS is a link-state dynamic routing protocol initially designed by ISO for the OSI protocol suite. To support IPv4 routing, IS-IS was extended for IPv4 networks and called Integrated IS-IS. As IPv6 networks are built, IS-IS also needs to provide accurate routing information for IPv6 packet forwarding. IS-IS has good scalability, supports IPv6 as a network layer protocol, and is capable of discovering, generating, and forwarding IPv6 routes. IS-IS for IPv6 is defined in the IETF draft draft-ietf-isis-ipv6-05.txt (later published as RFC 5308). To process and calculate IPv6 routes, IS-IS uses two new TLVs and one new network layer protocol identifier (NLPID). The two TLVs are as follows:
TLV 236 (IPv6 Reachability): describes network reachability by defining the route prefix and metric.
TLV 232 (IPv6 Interface Address): is similar to the IP Interface Address TLV of IPv4, except that it changes a 32-bit IPv4 address to a 128-bit IPv6 address.
The NLPID is an 8-bit field that identifies the protocol packets of the network layer. The NLPID of IPv6 is 142 (0x8E). If IS-IS supports IPv6, it advertises routing information through the NLPID value.
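The two TLVs and the NLPID above in code, as an added example that is not part of the Huawei material: a minimal encoder and a bounds-checked decoder for TLV 129 (Protocols Supported), TLV 232 (IPv6 Interface Address) and TLV 236 (IPv6 Reachability) in Python, following the RFC 5308 layout of a reachability entry (4-octet metric, control octet carrying the U/X/S bits, prefix length, prefix in whole octets, optional sub-TLVs). The sample prefixes and sub-TLV bytes are constructed for the example. The decoder rejects truncated entries, prefix lengths above 128 and bits set beyond the prefix length, which is the validation a receiver needs before it trusts LSPs arriving from the network.

```python
import ipaddress
import struct

# Values stated in the text: NLPID 0x8E (142) for IPv6, TLV 232 and TLV 236.
# NLPID 0xCC (IPv4) and TLV 129 (Protocols Supported) come from RFC 1195.
NLPID_IPV4 = 0xCC
NLPID_IPV6 = 0x8E
TLV_PROTOCOLS_SUPPORTED = 129
TLV_IPV6_INTERFACE_ADDRESS = 232
TLV_IPV6_REACHABILITY = 236

# Control octet of a reachability entry (RFC 5308): bit 7 up/down (U),
# bit 6 external (X), bit 5 sub-TLVs present (S); the low 5 bits are reserved.
U_BIT, X_BIT, S_BIT = 0x80, 0x40, 0x20
# Metrics above this value mark a prefix that must not be used in SPF
# (the MAX_PATH_METRIC convention of the wide-metric TLVs, RFC 5305/5308).
MAX_V6_PATH_METRIC = 0xFE000000


def encode_tlv(tlv_type, value):
    """Generic IS-IS TLV: 1-octet type, 1-octet length, up to 255 octets of value."""
    if not 0 <= tlv_type <= 255 or len(value) > 255:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!BB", tlv_type, len(value)) + value


def parse_tlvs(data):
    """Split a TLV stream into (type, value) pairs, refusing any TLV that
    claims more octets than remain in the buffer."""
    tlvs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated TLV header")
        tlv_type, length = data[pos], data[pos + 1]
        pos += 2
        if len(data) - pos < length:
            raise ValueError(f"TLV {tlv_type} claims {length} octets, {len(data) - pos} left")
        tlvs.append((tlv_type, data[pos:pos + length]))
        pos += length
    return tlvs


def encode_protocols_supported(nlpids):
    """TLV 129: one NLPID octet per supported network layer protocol."""
    return encode_tlv(TLV_PROTOCOLS_SUPPORTED, bytes(nlpids))


def encode_ipv6_interface_address(addresses):
    """TLV 232: a list of 16-octet IPv6 interface addresses."""
    packed = b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return encode_tlv(TLV_IPV6_INTERFACE_ADDRESS, packed)


def encode_ipv6_reachability(prefix, metric, up_down=False, external=False, sub_tlvs=b""):
    """TLV 236 carrying a single reachability entry."""
    net = ipaddress.IPv6Network(prefix)
    if not 0 <= metric <= 0xFFFFFFFF:
        raise ValueError("metric must fit in 32 bits")
    ctrl = (U_BIT if up_down else 0) | (X_BIT if external else 0) | (S_BIT if sub_tlvs else 0)
    nbytes = (net.prefixlen + 7) // 8          # the prefix is sent in whole octets only
    body = struct.pack("!IBB", metric, ctrl, net.prefixlen) + net.network_address.packed[:nbytes]
    if sub_tlvs:
        body += struct.pack("!B", len(sub_tlvs)) + sub_tlvs
    return encode_tlv(TLV_IPV6_REACHABILITY, body)


def decode_ipv6_reachability(value):
    """Parse the value of a TLV 236, which may hold several entries. Every length
    is checked before it is used, so a truncated or crafted LSP raises ValueError
    instead of being read past its end; bits set beyond the prefix length are
    rejected as well."""
    entries, pos = [], 0
    while pos < len(value):
        if len(value) - pos < 6:
            raise ValueError("truncated IPv6 reachability entry")
        metric, ctrl, plen = struct.unpack_from("!IBB", value, pos)
        pos += 6
        if plen > 128:
            raise ValueError(f"invalid prefix length {plen}")
        nbytes = (plen + 7) // 8
        if len(value) - pos < nbytes:
            raise ValueError("prefix octets truncated")
        packed = value[pos:pos + nbytes] + bytes(16 - nbytes)   # pad to 128 bits
        pos += nbytes
        sub_tlvs = b""
        if ctrl & S_BIT:
            if pos >= len(value):
                raise ValueError("sub-TLV length octet missing")
            sub_len = value[pos]
            pos += 1
            if len(value) - pos < sub_len:
                raise ValueError("sub-TLVs truncated")
            sub_tlvs = value[pos:pos + sub_len]
            pos += sub_len
        try:
            net = ipaddress.IPv6Network((packed, plen))   # strict: host bits must be zero
        except ValueError as exc:
            raise ValueError(f"malformed prefix: {exc}") from None
        entries.append({"prefix": str(net), "metric": metric,
                        "up_down": bool(ctrl & U_BIT), "external": bool(ctrl & X_BIT),
                        "usable": metric <= MAX_V6_PATH_METRIC, "sub_tlvs": sub_tlvs})
    return entries


def is_malformed(value):
    """True when the decoder rejects `value`; convenient for negative tests."""
    try:
        decode_ipv6_reachability(value)
    except ValueError:
        return True
    return False
```

A round trip of encode_ipv6_reachability("2001:db8:1::/48", 10) produces the 14 octets EC 0C 00 00 00 0A 00 30 20 01 0D B8 00 01 (type 236, length 12, metric 10, control 0, prefix length 48, six prefix octets); dropping the last octet or advertising the same six octets with prefix length 47 makes the decoder raise instead of silently accepting the entry.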
2.14.1 IS-IS MT During the transition from IPv4 networks to IPv6 networks, IPv4 topologies and IPv6 topologies must coexist for a long time. The IPv4/IPv6 dual stack is a widely used technology applicable to both IPv4 and IPv6 networks: with it, a router that supports only IPv4 or only IPv6 can communicate with a router that supports both.
Background
IS-IS implements IPv6 by extending TLVs and complies with the rules for establishing and maintaining neighbor databases and topology databases defined in ISO 10589 and RFC 1195. As a result, the IPv4 and IPv6 networks share the same topology: the mixed IPv4/IPv6 topology is treated as one integrated topology, on which a single SPT is built by the SPF calculation. This requires that the IPv6 and IPv4 topology information be consistent. In practice, IPv4 and IPv6 may be deployed differently on the network, so the IPv4 topology may differ from the IPv6 topology. Some routers and links in a mixed topology do not support IPv6. Routers that support the IPv4/IPv6 dual stack cannot detect this and still forward IPv6 packets to them, so the IPv6 packets are discarded. Similarly, when routers or links that do not support IPv4 exist in the topology, IPv4 packets cannot be forwarded. IS-IS multi-topology (MT) solves these problems. IS-IS MT is an extension of IS-IS that supports multiple topologies, complying with draft-ietf-isis-wg-multi-topology (later published as RFC 5120). IS-IS MT defines new TLVs in IS-IS packets to carry MT information, and performs a separate SPF calculation in each topology.
Principles IS-IS MT refers to multiple separate IP topologies that are run in an IS-IS AS, such as IPv4 topology and IPv6 topology. The separate IP topologies are not considered as an integrated and single topology. This is helpful for calculating IS-IS routes of separate IPv4 networks and IPv6 networks. Based on the IP protocols supported by links, separate SPF calculation is performed in different topologies to shield networks from each other. Figure 2-14-1 shows the IS-IS MT. Values in Figure 2-14-1 indicate link costs. RouterA, RouterC, and RouterD support the IPv4/IPv6 dual stack. RouterB supports only IPv4 and cannot forward IPv6 packets. If RouterA does not support IS-IS MT, only the single topology is considered during SPF calculation. The shortest path from RouterA to RouterC is RouterA->RouterB->RouterC. However, RouterB does not support IPv6. IPv6 packets sent from RouterA cannot be forwarded by RouterB to RouterC. If IS-IS MT is enabled on RouterA, RouterA performs SPF calculation in different topologies. When RouterA needs to send IPv6 packets to RouterC, RouterA chooses only IPv6 links to forward IPv6 packets. The shortest path from RouterA to RouterC changes to RouterA->RouterD->RouterC. IPv6 packets are then forwarded.
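Both calculations this chapter describes in prose, as one added Python example that is not from the Huawei material: the per-topology SPF of IS-IS MT (this section) and the RFC 5286 loop-free alternate selection of IS-IS Auto FRR (2.12.1 and Table 2-12-1). The two topologies are constructed for the example: MT_GRAPH follows the description of Figure 2-14-1 (RouterB IPv4-only, the other routers dual stack) with assumed costs, and FRR_GRAPH uses the S, E, N and D node names of Table 2-12-1 plus an extra neighbour N2 whose shortest path to D runs through E, so that it qualifies for link protection but not for node protection.

```python
import heapq


def build_graph(links):
    """links: (u, v, cost, families). Each link is added in both directions."""
    graph = {}
    for u, v, cost, families in links:
        graph.setdefault(u, {})[v] = (cost, frozenset(families))
        graph.setdefault(v, {})[u] = (cost, frozenset(families))
    return graph


# Constructed in the spirit of Figure 2-14-1: RouterB is IPv4-only, RouterA,
# RouterC and RouterD are dual stack. The costs are assumed, not the figure's.
MT_GRAPH = build_graph([
    ("A", "B", 5, {"ipv4"}),
    ("B", "C", 5, {"ipv4"}),
    ("A", "D", 10, {"ipv4", "ipv6"}),
    ("D", "C", 10, {"ipv4", "ipv6"}),
])

# Constructed for Table 2-12-1: S reaches D through E; N and N2 are the
# neighbours that might serve as loop-free alternates.
FRR_GRAPH = build_graph([
    ("S", "E", 8, {"ipv4"}),
    ("E", "D", 10, {"ipv4"}),
    ("S", "N", 15, {"ipv4"}),
    ("N", "D", 15, {"ipv4"}),
    ("S", "N2", 5, {"ipv4"}),
    ("N2", "E", 5, {"ipv4"}),
])


def spf(graph, root, family=None):
    """Dijkstra restricted to links that carry `family`; family=None is the single,
    integrated topology (the pre-MT behaviour). Returns ({node: dist}, {node: pred})."""
    dist, pred = {root: 0}, {root: None}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, (cost, families) in graph[u].items():
            if family is not None and family not in families:
                continue
            if d + cost < dist.get(v, float("inf")):
                dist[v], pred[v] = d + cost, u
                heapq.heappush(heap, (d + cost, v))
    return dist, pred


def shortest_path(graph, src, dst, family=None):
    """Node list of the SPF path from src to dst in the given topology, or None."""
    dist, pred = spf(graph, src, family)
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(pred[path[-1]])
    return path[::-1]


def lfa_candidates(graph, s, d, family=None):
    """Evaluate the RFC 5286 inequalities of Table 2-12-1 for every neighbour N of S
    other than the primary next hop E. Distance_opt(X,Y) is the SPF distance from X
    to Y. Returns {N: "node"} for link-and-node protection, {N: "link"} for link-only."""
    path = shortest_path(graph, s, d, family)
    if path is None or len(path) < 2:
        return {}
    e = path[1]
    dist_s, _ = spf(graph, s, family)
    dist_e, _ = spf(graph, e, family)
    result = {}
    for n, (_, families) in graph[s].items():
        if n == e or (family is not None and family not in families):
            continue
        dist_n, _ = spf(graph, n, family)
        if d not in dist_n:
            continue
        # Link protection: Distance_opt(N,D) < Distance_opt(N,S) + Distance_opt(S,D)
        if not dist_n[d] < dist_n[s] + dist_s[d]:
            continue          # N would send the traffic back through S: a loop
        # Node protection: Distance_opt(N,D) < Distance_opt(N,E) + Distance_opt(E,D)
        node_safe = e not in dist_n or dist_n[d] < dist_n[e] + dist_e[d]
        result[n] = "node" if node_safe else "link"
    return result


def best_lfa(graph, s, d, family=None):
    """Node protection takes precedence over link protection (Table 2-12-1); among
    equals the cheaper backup path S->N->D wins. Returns the backup next hop or None."""
    cands = lfa_candidates(graph, s, d, family)
    if not cands:
        return None

    def rank(n):
        backup_cost = graph[s][n][0] + spf(graph, n, family)[0][d]
        return (0 if cands[n] == "node" else 1, backup_cost, n)

    return min(cands, key=rank)
```

Running spf with family=None reproduces the single-topology behaviour the text warns about: RouterA reaches RouterC through the IPv4-only RouterB, so IPv6 packets would be dropped there; with family="ipv6" the path becomes A->D->C. For FRR, best_lfa prefers N (node-protecting) over N2 (link-protecting only) even though N2's backup path is cheaper, matching the precedence rule in the table.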
Figure 2-14-1 IS-IS MT networking
IS-IS MT is implemented as follows:
1. Setting up topologies: Neighbors are set up by exchanging various packets for setting up MTs.
2. Performing the SPF calculation: The SPF calculation is performed for different MTs.
2.15 Examples for Configuring IS-IS
2.15.1 Example for Configuring Basic IS-IS Functions
Networking Requirements
As shown in Figure 2-15-1, there are four routers (RouterA, RouterB, RouterC, and RouterD) on the network. The four routers need to communicate with each other. RouterA and RouterB can only process a small amount of data because they have lower performance than the other two routers.
Figure 2-15-1 Networking diagram of configuring basic IS-IS functions
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable IS-IS on each router so that the routers can be interconnected. Configure RouterA and RouterB as Level-1 routers to enable them to maintain less data.
Procedure
1. Configure IP addresses for interfaces on each router.
# Configure RouterA.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 10.1.1.2 24
The configurations of RouterB, RouterC and RouterD are similar to the configuration of RouterA, and are not mentioned here.
2. Verify the configuration.
# View the IS-IS LSDB of each router to check whether the IS-IS LSDBs of the routers are synchronized.
[RouterA] display isis lsdb
Database information for ISIS(1)
--------------------------------
Level-1 Link State Database
LSPID ... (LSP entries not reproduced on this page)
Total LSP(s): 3
*(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended), ATT-Attached, P-Partition, OL-Overload
# View the IS-IS routing information of each router. The routing table of a Level-1 router contains a default route with the next hop as a Level-1-2 router. The routing table of a Level-2 router contains all Level-1 and Level-2 routes.
[RouterA] display isis route
Route information for ISIS(1)
-----------------------------
ISIS(1) Level-1 Forwarding Table
--------------------------------
(route entries not reproduced on this page)
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut, U-Up/Down Bit Set
[RouterB] display isis route
[RouterC] display isis route
[RouterD] display isis route
(The route entries of RouterB, RouterC, and RouterD are not reproduced on this page.)
2.15.2 Example for Configuring IS-IS Route Summarization
Networking Requirements
As shown in Figure 2-15-2, three routers run IS-IS to communicate with each other. RouterA is a Level-2 router, RouterB is a Level-1-2 router, and RouterC is a Level-1 router. RouterA is heavily loaded because there are too many routing entries on the IS-IS network. Therefore, system resource consumption of RouterA needs to be reduced.
Figure 2-15-2 Networking diagram of configuring IS-IS route summarization
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces and enable IS-IS on each router so that the routers can be interconnected.
2. Configure route summarization on RouterB to reduce the routing table size of RouterA without affecting data forwarding, so that the system resource consumption of RouterA is reduced.
Procedure
1. Configure IP addresses for interfaces on each router.
# Configure RouterA.
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 172.2.1.1 24
The configurations of RouterB and RouterC are similar to the configuration of RouterA, and are not mentioned here.
[RouterC-GigabitEthernet1/0/0] quit
The configurations of GigabitEthernet2/0/0, GigabitEthernet3/0/0, and GigabitEthernet4/0/0 are similar to the configuration of GigabitEthernet1/0/0, and are not mentioned here.
3. Check the IS-IS routing table of RouterA.
[RouterA] display isis route
Route information for ISIS(1)
-----------------------------
ISIS(1) Level-2 Forwarding Table
--------------------------------
(route entries not reproduced on this page)
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut, U-Up/Down Bit Set
4. Configure route summarization on RouterB.
# Summarize 172.1.1.0/24, 172.1.2.0/24, 172.1.3.0/24, and 172.1.4.0/24 into 172.1.0.0/16 on RouterB.
[RouterB] isis 1
[RouterB-isis-1] summary 172.1.0.0 255.255.0.0 level-1-2
[RouterB-isis-1] quit
5. Verify the configuration.
# Check the routing table of RouterA. Routes 172.1.1.0/24, 172.1.2.0/24, 172.1.3.0/24 and 172.1.4.0/24 are summarized into one route, 172.1.0.0/16.
[RouterA] display isis route
Route information for ISIS(1)
-----------------------------
ISIS(1) Level-2 Forwarding Table
--------------------------------
(route entries not reproduced on this page)
2.15.3 Example for Configuring IS-IS DIS Election
Networking Requirements
As shown in Figure 2-15-3, four routers on the broadcast network communicate using IS-IS. RouterA and RouterB are Level-1-2 routers, RouterC is a Level-1 router, and RouterD is a Level-2 router. RouterA, which has high performance, needs to be configured as the Level-2 DIS.
Figure 2-15-3 Networking diagram of configuring IS-IS DIS election
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IS-IS to enable network interconnectivity.
2. Configure the DIS priority of RouterA to 100 so that RouterA can be elected as the Level-2 DIS.
Procedure
1. Configure IP addresses for interfaces on each router.
# Configure RouterA.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 10.1.1.1 24
The configurations of RouterB, RouterC, and RouterD are similar to the configuration of RouterA, and are not mentioned here.
2. View the MAC address of the GE interface on each router.
# View the MAC address of GigabitEthernet1/0/0 on RouterA.
[RouterA] display arp interface gigabitethernet 1/0/0
(ARP entries not reproduced on this page.)
# View IS-IS interface information on RouterA.
[RouterA] display isis interface
Interface information for ISIS(1)
---------------------------------
Interface    Id     IPV4.State    IPV6.State    MTU     Type     DIS
GE1/0/0      001    Up            Down          1497    L1/L2    No/No
# View IS-IS interface information on RouterB.
[RouterB] display isis interface
Interface information for ISIS(1)
---------------------------------
Interface    Id     IPV4.State    IPV6.State    MTU     Type     DIS
GE1/0/0      001    Up            Down          1497    L1/L2    Yes/No
# View IS-IS interface information on RouterD.
[RouterD] display isis interface
Interface information for ISIS(1)
---------------------------------
Interface    Id     IPV4.State    IPV6.State    MTU     Type     DIS
GE1/0/0      001    Up            Down          1497    L1/L2    No/Yes
NOTE: As shown in the preceding interface information, when the default DIS priority is used, the IS-IS interface on RouterB has the largest MAC address among all the interfaces on the Level-1 routers. Therefore, RouterB is elected as the Level-1 DIS. The IS-IS interface on RouterD has the largest MAC address among all the interfaces on the Level-2 routers. Therefore, RouterD is elected as the Level-2 DIS. The Level-1 and Level-2 pseudonodes are 0000.0000.0002.01 and 0000.0000.0004.01 respectively.
4. Set the DIS priority of RouterA.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] isis dis-priority 100
# View IS-IS neighbor information on RouterA.
[RouterA] display isis peer
Peer information for ISIS(1)
----------------------------
(neighbor entries not reproduced on this page)
5. Verify the configuration.
# View IS-IS interface information on RouterA.
[RouterA] display isis interface
Interface information for ISIS(1)
---------------------------------
Interface    Id     IPV4.State    IPV6.State    MTU     Type     DIS
GE1/0/0      001    Up            Down          1497    L1/L2    Yes/Yes
NOTE: As shown in the preceding information, after the DIS priority of the IS-IS interface is changed, RouterA becomes the Level-1-2 DIS (DR) immediately and its pseudonode is 0000.0000.0001.01.
# View IS-IS neighbor and interface information on RouterB.
[RouterB] display isis peer
Peer information for ISIS(1)
----------------------------
(neighbor entries not reproduced on this page)
Total Peer(s): 4
[RouterB] display isis interface
Interface information for ISIS(1)
---------------------------------
Interface    Id     IPV4.State    IPV6.State    MTU     Type     DIS
GE1/0/0      001    Up            Down          1497    L1/L2    No/No
# View IS-IS neighbor and interface information on RouterD.
[RouterD] display isis peer
Peer information for ISIS(1)
----------------------------
(neighbor entries not reproduced on this page)
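The election rule this example relies on, as an added Python example that is not part of the Huawei material: Level-1 and Level-2 DIS are elected separately among the routers running that level, the highest priority wins, the highest MAC address (SNPA) breaks ties, and a better candidate takes over immediately, which is why RouterA becomes DIS as soon as its priority is raised. The system IDs, MAC addresses and the circuit ID 01 below are constructed (they are not the values from Figure 2-15-3), chosen so that the outcome matches the displays above; the default priority 64 is an assumption about the VRP default.

```python
from dataclasses import dataclass

DEFAULT_DIS_PRIORITY = 64   # assumed VRP default for isis dis-priority on a broadcast interface


@dataclass(frozen=True)
class IsisInterface:
    system_id: str          # e.g. "0000.0000.0001"
    level: str              # "L1", "L2" or "L1/L2", as in the Type column of display isis interface
    mac: str                # interface MAC (SNPA) in VRP notation, e.g. "00e0-fc00-0001"
    priority: int = DEFAULT_DIS_PRIORITY


def mac_value(mac):
    """Numeric value of a MAC written with '-', ':' or '.' separators."""
    return int(mac.replace("-", "").replace(":", "").replace(".", ""), 16)


def elect_dis(interfaces, level):
    """DIS election for one level on one broadcast segment: only routers running
    that level take part, the highest priority wins and the highest MAC address
    breaks ties. Unlike an OSPF DR there is no hold on the incumbent, so re-running
    the election after a priority change gives the new result at once."""
    candidates = [i for i in interfaces if level in i.level.split("/")]
    if not candidates:
        return None
    return max(candidates, key=lambda i: (i.priority, mac_value(i.mac)))


def dis_column(interfaces, intf):
    """The DIS column of display isis interface for `intf`, as an L1/L2 Yes/No pair."""
    flags = ["Yes" if elect_dis(interfaces, level) == intf else "No" for level in ("L1", "L2")]
    return "/".join(flags)


def pseudonode_id(dis, circuit_id=1):
    """Pseudonode LSP ID: the DIS system ID followed by the circuit ID (e.g. ...0002.01)."""
    return f"{dis.system_id}.{circuit_id:02x}"


def raise_priority(interfaces, system_id, priority):
    """Effect of 'isis dis-priority <n>' on one router's interface; returns the new segment."""
    return [IsisInterface(i.system_id, i.level, i.mac, priority) if i.system_id == system_id else i
            for i in interfaces]


# Constructed segment mirroring the example: RouterA and RouterB are Level-1-2,
# RouterC is Level-1, RouterD is Level-2. RouterB has the highest MAC among the
# Level-1 routers and RouterD the highest among the Level-2 routers.
SEGMENT = [
    IsisInterface("0000.0000.0001", "L1/L2", "00e0-fc00-0001"),
    IsisInterface("0000.0000.0002", "L1/L2", "00e0-fc00-0004"),
    IsisInterface("0000.0000.0003", "L1", "00e0-fc00-0003"),
    IsisInterface("0000.0000.0004", "L2", "00e0-fc00-0009"),
]
```

With default priorities dis_column returns No/No, Yes/No and No/Yes for RouterA, RouterB and RouterD, as in the displays before the change; after raise_priority(SEGMENT, "0000.0000.0001", 100) RouterA reports Yes/Yes and RouterB drops to No/No, with the pseudonode moving to 0000.0000.0001.01.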
2.15.4 Example for Configuring IS-IS to Interact with BGP
Networking Requirements
As shown in Figure 2-15-4, RouterA and RouterB belong to the same AS, and an IS-IS neighbor relationship is established between RouterA and RouterB. An EBGP connection is established between RouterB and RouterC. RouterA, RouterB, and RouterC need to communicate with each other. In addition, the metric of the routes needs to be changed when AS 65009 sends them to AS 65008.
Figure 2-15-4 Networking diagram of configuring IS-IS to interact with BGP
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces, and enable IS-IS and BGP to ensure that there are reachable routes inside each AS.
2. Configure IS-IS and BGP to import routes from each other on RouterB to ensure that there are routes on each network segment. Configure a route-policy to change the metric of imported routes when IS-IS imports BGP routes.
Procedure
1. Configure IP addresses for interfaces on each router.
# Configure RouterA.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 10.1.1.1 24
The configurations of RouterB and RouterC are similar to the configuration of RouterA, and are not mentioned here.
4. Configure IS-IS to import BGP routes.
# Configure a static route on RouterC.
[RouterC] ip route-static 200.1.1.1 32 NULL 0
# On RouterC, configure BGP to import the static route.
[RouterC] bgp 65009
[RouterC-bgp] import-route static
# On RouterB, configure IS-IS to import the BGP route.
[RouterB] isis 1
[RouterB-isis-1] import-route bgp
[RouterB-isis-1] quit
# View the routing table of RouterA. IS-IS has imported BGP route 200.1.1.1/32.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6        Routes : 6
Destination/Mask    Proto     Pre  Cost    Flags NextHop         Interface
    10.1.1.0/24     Direct    0    0       D     10.1.1.1        GigabitEthernet1/0/0
    10.1.1.1/32     Direct    0    0       D     127.0.0.1       GigabitEthernet1/0/0
    10.1.1.1/32     Direct    0    0       D     127.0.0.1       GigabitEthernet1/0/0
   127.0.0.0/8      Direct    0    0       D     127.0.0.1       InLoopBack0
   127.0.0.1/32     Direct    0    0       D     127.0.0.1       InLoopBack0
   200.1.1.1/32     ISIS-L2   15   74      D     10.1.1.2        GigabitEthernet1/0/0
# On RouterB, configure the AS_Path filter, and apply the filter in route-policy RTC.
[RouterB] ip as-path-filter 1 permit 65009
[RouterB] route-policy RTC permit node 0
[RouterB-route-policy] if-match as-path-filter 1
[RouterB-route-policy] apply cost 20
[RouterB-route-policy] quit
# On RouterB, configure IS-IS to import the BGP route with the route-policy.
[RouterB] isis 1
[RouterB-isis-1] import-route bgp route-policy RTC
[RouterB-isis-1] quit
# View the routing table of RouterA. The AS_Path filter has been applied and the cost of imported route 200.1.1.1/32 changes from 74 to 94.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6        Routes : 6
Destination/Mask    Proto     Pre  Cost    Flags NextHop         Interface
    10.1.1.0/24     Direct    0    0       D     10.1.1.1        GigabitEthernet1/0/0
    10.1.1.1/32     Direct    0    0       D     127.0.0.1       GigabitEthernet1/0/0
    10.1.1.1/32     Direct    0    0       D     127.0.0.1       GigabitEthernet1/0/0
   127.0.0.0/8      Direct    0    0       D     127.0.0.1       InLoopBack0
   127.0.0.1/32     Direct    0    0       D     127.0.0.1       InLoopBack0
   200.1.1.1/32     ISIS-L2   15   94      D     10.1.1.2        GigabitEthernet1/0/0
5. Configure BGP to import IS-IS routes.
[RouterB] bgp 65008
[RouterB-bgp] import-route isis 1
[RouterB-bgp] quit
# View the routing table of RouterC. BGP has imported IS-IS route 10.1.1.0/24.
[RouterC] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7
Destination/Mask    Proto     Pre  Cost    Flags NextHop         Interface
(route entries not reproduced on this page)
2.15.5 Example for Configuring IS-IS Fast Convergence
Networking Requirements
As shown in Figure 2-15-5, two routers are connected through a Layer 2 switch and communicate with each other through IS-IS. The convergence speed of the two routers needs to be improved.
Figure 2-15-5 Networking diagram for configuring IS-IS fast convergence
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces and enable IS-IS on each router so that routes on the two routers are reachable.
2. Configure BFD sessions on RouterA and RouterB to improve the link fault detection speed of the routers.
3. Set the time parameters of fast convergence on RouterA and RouterB to implement IS-IS fast convergence.
Procedure
1. Configure IP addresses for interfaces on each router.
# Configure RouterA.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 100.1.1.1 24
The configuration of RouterB is similar to the configuration of RouterA, and is not mentioned here.
Set the time parameters of fast convergence.
# Configure RouterA.
[RouterA] isis 1
[RouterA-isis-1] flash-flood
[RouterA-isis-1] timer spf 1 20 100
[RouterA-isis-1] timer lsp-generation 1 1 120
[RouterA-isis-1] quit
# Configure RouterB.
[RouterB] isis 1
[RouterB-isis-1] timer spf 1 20 100
[RouterB-isis-1] timer lsp-generation 1 1 120
[RouterB-isis-1] quit
NOTE:
In IS-IS, if the LSDB changes, routes are calculated and a new LSP is generated to report this change. Frequent route calculations consume a lot of system resources and decrease the system performance. Delaying SPF calculation and LSP generation and speeding up LSP flooding can improve the efficiency in route calculation and reduce the consumption of system resources.
The flash-flood command enables LSP fast flooding to speed up IS-IS network convergence.
The timer spf command sets the interval for SPF calculation. The default interval is 5 seconds.
The timer lsp-generation command sets the delay in generating an LSP. The default interval is 2 seconds.
5. Verify the configuration.
# Run the shutdown command on GE1/0/0 of RouterB to shut down the link.
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] shutdown
# View the information about neighbors of RouterA.
[RouterA] display isis peer
Information about neighbors of RouterA does not exist. When BFD detects that the link goes Down, it notifies the routing management (RM) module immediately. IS-IS then deletes the neighbor relationship immediately and triggers route calculation. This implements fast convergence of the network.
2.15.6 Example for Configuring IS-IS Auto FRR (IP Protecting IP)
Networking Requirements
As shown in Figure 2-15-6, four routers (RouterA, RouterB, RouterC, and RouterD) communicate using IS-IS. Reliability of data forwarding from RouterA to RouterD needs to be improved so that uninterrupted traffic transmission is ensured when a fault occurs on the network.
Figure 2-15-6 Networking diagram of configuring IS-IS Auto FRR
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces and enable IS-IS on each router to ensure reachable routes between the routers.
2. Set a larger link cost (in compliance with the traffic protection inequality of IS-IS Auto FRR) on GigabitEthernet2/0/0 of RouterA to ensure that Link T functions as the primary link to forward data from RouterA to RouterD.
3. Configure IS-IS Auto FRR on RouterA to allow traffic to be fast switched to the backup link without waiting for route convergence when a fault occurs on Link T. This ensures uninterrupted traffic transmission.
Procedure
1. Configure IP addresses for interfaces on each router.
# Configure RouterA.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.0.0.1 24
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 2.0.0.1 24
The configurations of RouterB, RouterC, and RouterD are similar to the configuration of RouterA, and are not mentioned here.
Set the cost of GigabitEthernet2/0/0 on RouterA to 30, and check routing information.
# Set the cost of GigabitEthernet2/0/0 on RouterA to 30.
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] isis cost 30
[RouterA-GigabitEthernet2/0/0] quit
# Check information about the link from RouterA to RouterD. Link T has a lower cost, so IS-IS selects Link T to send traffic forwarded by RouterA.
display isis route 100.1.1.1 verbose
                         Route information for ISIS(1)
                         -----------------------------

                        ISIS(1) Level-1 Forwarding Table
                        --------------------------------

 IPV4 Dest : 100.1.1.0/24        Int. Cost : 30       Ext. Cost : NULL
 Admin Tag :                     Src Count : 1        Flags     : A/-/L/-
 Priority  : Low
 NextHop   :                     Interface :          ExitIndex :
 1.0.0.2                         GE1/0/0              0x00000003

     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut, U-Up/Down Bit Set
# Run the display fib 100.1.1.1 verbose command on RouterA to check the forwarding entry of traffic from RouterA to RouterD.
display fib 100.1.1.1 verbose
Route Entry Count: 1
Destination: 100.1.1.0
As shown in the command output, traffic from RouterA to RouterD is only forwarded through Link T.
4. Enable IS-IS Auto FRR on RouterA, and check routing information.
# Enable IS-IS Auto FRR on RouterA.
[RouterA] isis
[RouterA-isis-1] frr
[RouterA-isis-1-frr] loop-free-alternate
# Check information about the routes from RouterA to RouterD. The information shows that IS-IS generates a backup link after IS-IS Auto FRR is enabled.
display isis route 100.1.1.1 verbose
                         Route information for ISIS(1)
                         -----------------------------

                        ISIS(1) Level-1 Forwarding Table
                        --------------------------------

 IPV4 Dest : 100.1.1.0/24        Int. Cost : 30       Ext. Cost : NULL
 Admin Tag :                     Src Count : 1        Flags     : A/-/L/-
 Priority  : Low
 NextHop   :                     Interface :          ExitIndex :
 1.0.0.2                         GE1/0/0              0x00000003
 (B)2.0.0.2                      GE2/0/0              0x00000004

     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut, U-Up/Down Bit Set
# Check the protection type for the traffic forwarded from RouterA to RouterD.
display isis spf-tree systemid 0000.0000.0004 verbose
                         Shortest Path Tree for ISIS(1)
                         ------------------------------

                        ISIS(1) Level-1 Shortest Path Tree
                        ----------------------------------
 0000.0000.0004.00 Distance
As shown in the preceding command output, link-node dual protection is performed on the traffic from RouterA to RouterD.
# Run the display fib 100.1.1.1 verbose command on RouterA to check the forwarding entry of traffic from RouterA to RouterD.
display fib 100.1.1.1 verbose
Route Entry Count: 1
Destination: 100.1.1.0
Nexthop
As shown in the command output, the primary link from RouterA to RouterD is Link T, and the backup link follows the route with outbound interface GigabitEthernet2/0/0 and next hop 2.0.0.2.
5. Verify the configuration.
# Run the shutdown command on GigabitEthernet2/0/0 of RouterC to shut down the link.
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] shutdown
# Run the display fib 100.1.1.1 verbose command on RouterA to check information about the route from RouterA to RouterD.
display fib 100.1.1.1 verbose
Route Entry Count: 1
Destination: 100.1.1.0
Nexthop
As shown in the command output, the traffic forwarded by RouterA is switched to the backup link with outbound interface GigabitEthernet2/0/0 and next hop 2.0.0.2.
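The traffic protection inequality that step 2 of the roadmap refers to is the loop-free alternate (LFA) condition: a neighbor N of RouterA may serve as the backup next hop to RouterD only if N's own shortest path to RouterD does not lead back through RouterA (link protection), and for the link-node dual protection shown in the spf-tree output it must not pass through the primary next hop either. The following Python script is an added example and not part of the Huawei material: it runs SPF over a constructed five-router topology with assumed costs (Link T modeled as A-B-D at a total cost of 30, the GE2/0/0 path as A-C-D, plus an extra neighbor E whose best path to D runs back through A) and evaluates both inequalities for every candidate neighbor.

```python
import heapq
from collections import defaultdict

# Constructed topology (assumption, not from the material): undirected links
# with IS-IS costs. Link T is modeled as A-B-D with total cost 30, matching
# the "Int. Cost : 30" shown for RouterA's primary route; A-C is RouterA's
# GE2/0/0 link with the cost 30 set in step 3; E is an extra neighbor whose
# best path to D runs back through A, which the loop-free check must reject.
TOPOLOGY = {
    ("A", "B"): 10,
    ("B", "D"): 20,
    ("A", "C"): 30,
    ("C", "D"): 10,
    ("A", "E"): 10,
    ("E", "B"): 50,
}


def build_graph(links):
    """Adjacency map with symmetric costs."""
    graph = defaultdict(dict)
    for (u, v), cost in links.items():
        graph[u][v] = cost
        graph[v][u] = cost
    return graph


def spf(graph, source):
    """Dijkstra SPF: shortest distance from source to every node, the same
    computation each IS-IS router runs over its LSDB."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nbr, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                heapq.heappush(heap, (nd, nbr))
    return dist


def primary_next_hop(graph, src, dst):
    """Neighbor of src that lies on the shortest path to dst."""
    d_src = spf(graph, src)
    for nbr, cost in graph[src].items():
        if cost + spf(graph, nbr)[dst] == d_src[dst]:
            return nbr
    return None


def evaluate_lfas(links, src, dst):
    """Return {neighbor: (link_protecting, node_protecting)} for each neighbor
    of src other than the primary next hop P, using the RFC 5286 inequalities
    (D(x, y) is the shortest-path cost from x to y):
      link protection: D(N, dst) < D(N, src) + D(src, dst)
      node protection: D(N, dst) < D(N, P) + D(P, dst)
    A neighbor that satisfies neither would loop traffic back to src."""
    graph = build_graph(links)
    d_src = spf(graph, src)
    primary = primary_next_hop(graph, src, dst)
    d_primary = spf(graph, primary)
    result = {}
    for nbr in graph[src]:
        if nbr == primary:
            continue
        d_n = spf(graph, nbr)
        link_ok = d_n[dst] < d_n[src] + d_src[dst]
        node_ok = d_n[dst] < d_n[primary] + d_primary[dst]
        result[nbr] = (link_ok, node_ok)
    return result


def protection_type(flags):
    """Label a (link_protecting, node_protecting) pair the way the spf-tree
    output in the material describes the protection."""
    link_ok, node_ok = flags
    if link_ok and node_ok:
        return "link-node dual protection"
    if link_ok:
        return "link protection"
    return "not loop-free"


if __name__ == "__main__":
    for nbr, flags in evaluate_lfas(TOPOLOGY, "A", "D").items():
        print(f"backup via {nbr}: {protection_type(flags)}")
```

With these costs C qualifies for link-node dual protection (its path to D never touches A or B), while E is rejected because its best path to D is E-A-B-D, so a router installing E as a backup would send traffic straight back to itself. Raising the GE2/0/0 cost as the roadmap does keeps C off the primary path without breaking either inequality; lowering it below 20 would make C the primary next hop instead.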
2.15.7 Example for Configuring Static BFD for IS-IS
Networking Requirements
As shown in Figure 2-15-7, three routers are interconnected using IS-IS, and RouterA and RouterB communicate with each other through a Layer 2 switch. When the link between RouterA and RouterB is faulty, the two routers need to rapidly respond to the fault and reestablish a neighbor relationship.
Figure 2-15-7 Networking diagram of configuring static BFD for IS-IS
NOTE: BFD for IS-IS cannot be used to detect the multi-hop link between RouterA and RouterC, because the IS-IS neighbor relationship cannot be established between RouterA and RouterC.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces and enable IS-IS on each router to ensure reachable routes between the routers.
2. Enable static BFD for IS-IS on RouterA and RouterB so that the routers can rapidly detect link faults.
Procedure
1. Configure IP addresses for interfaces on each router.
# Configure RouterA.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 100.1.1.1 24
The configurations of RouterB and RouterC are similar to the configuration of RouterA, and are not mentioned here.
[RouterC-GigabitEthernet1/0/0] isis enable 1
[RouterC-GigabitEthernet1/0/0] quit
# After the preceding configurations, you can see that the neighbor relationship is established between RouterA and RouterB.
[RouterA] display isis peer
                          Peer information for ISIS(1)
                          ----------------------------
  System Id       Interface   Circuit Id           State  HoldTime  Type  PRI
  2222.2222.2222  GE1/0/0     2222.2222.2222.00    Up     23s       L2    64

The IS-IS routing table of RouterA contains the routes to RouterB and RouterC.
[RouterA] display isis route
                         Route information for ISIS(1)
                         -----------------------------

                        ISIS(1) Level-2 Forwarding Table
                        --------------------------------
 IPV4 Destination
     Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut, U-Up/Down Bit Set
3. Configure BFD.
# Enable BFD on RouterA and configure a BFD session.
[RouterA] bfd
[RouterA-bfd] quit
[RouterA] bfd atob bind peer-ip 100.1.1.2 interface gigabitethernet 1/0/0
[RouterA-bfd-session-atob] discriminator local 1
[RouterA-bfd-session-atob] discriminator remote 2
[RouterA-bfd-session-atob] commit
[RouterA-bfd-session-atob] quit
# Enable BFD on RouterB and configure a BFD session.
[RouterB] bfd
[RouterB-bfd] quit
[RouterB] bfd btoa bind peer-ip 100.1.1.1 interface gigabitethernet 1/0/0
[RouterB-bfd-session-btoa] discriminator local 2
[RouterB-bfd-session-btoa] discriminator remote 1
[RouterB-bfd-session-btoa] commit
[RouterB-bfd-session-btoa] quit
After the preceding configurations, run the display bfd session command on RouterA or RouterB, and you can see that the status of the BFD session is Up. The following uses the display on RouterA as an example.
[RouterA] display bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr
4. Verify the configuration.
# Enable log information display on RouterA.
terminal logging
terminal monitor
# Run the shutdown command on GigabitEthernet1/0/0 of RouterB to simulate a link fault.
[RouterB-GigabitEthernet1/0/0] shutdown
# On RouterA, you can view the following log and debugging information, which indicates that IS-IS deletes the neighbor relationship with RouterB after being notified by BFD of the fault.
ISIS/4/PEER_DOWN_BFDDOWN/1880166931 UL/R "ISIS 1 neighbor 2222.2222.2222 was Down on interface GE1/0/0 because the BFD node was down. The Hello packet was received at 11:32:10 last time; the maximum interval for sending Hello packets was 9247;the local router sent 426 Hello packets and received 61 packets;the type of the Hello packet was Lan Level-2."
Run the display isis route command or the display isis peer command on RouterA, and you can see that no information is displayed. This indicates that the IS-IS neighbor relationship between RouterA and RouterB is deleted.
2.15.8 Example for Configuring Dynamic BFD for IS-IS
Networking Requirements
As shown in Figure 2-15-8, three routers are interconnected using IS-IS, and RouterA and RouterB communicate with each other through a Layer 2 switch. When the link that passes through the switch between RouterA and RouterB fails, the two routers need to rapidly respond to the fault, and traffic can be switched to the link that passes through RouterC for forwarding.
Figure 2-15-8 Networking diagram of configuring dynamic BFD for IS-IS
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces and enable IS-IS on each router to ensure reachable routes between the routers.
2. Set the IS-IS interface cost to control route selection of the routers so that the link that passes through the switch from RouterA to RouterB is the primary link and the link that passes through RouterC is the backup link.
3. Configure dynamic BFD for IS-IS on RouterA, RouterB, and RouterC so that link faults can be detected rapidly and traffic can be switched to the backup link for forwarding.
Procedure
1. Configure IP addresses for interfaces on each router.
# Configure RouterA.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 1.1.1.1 24
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 3.3.3.1 24
The configurations of RouterB and RouterC are similar to the configuration of RouterA, and are not mentioned here.
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] isis enable 1
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] isis enable 1
[RouterA-GigabitEthernet2/0/0] quit
# Configure RouterB.
[RouterB] isis
[RouterB-isis-1] is-level level-2
[RouterB-isis-1] network-entity 10.0000.0000.0002.00
[RouterB-isis-1] quit
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] isis enable 1
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] isis enable 1
[RouterB-GigabitEthernet2/0/0] quit
[RouterB] interface gigabitethernet 3/0/0
[RouterB-GigabitEthernet3/0/0] isis enable 1
[RouterB-GigabitEthernet3/0/0] quit
# Configure RouterC.
[RouterC] isis
[RouterC-isis-1] is-level level-2
[RouterC-isis-1] network-entity 10.0000.0000.0003.00
[RouterC-isis-1] quit
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] isis enable 1
[RouterC-GigabitEthernet1/0/0] quit
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] isis enable 1
[RouterC-GigabitEthernet2/0/0] quit
# After the preceding configurations, run the display isis peer command. You can see that the neighbor relationships are established between RouterA and RouterB, and between RouterA and RouterC. The following uses the display on RouterA as an example.
[RouterA] display isis peer
                          Peer information for ISIS(1)
                          ----------------------------
  System Id       Interface   Circuit Id           State  HoldTime  Type  PRI
  0000.0000.0002  GE2/0/0     0000.0000.0002.01    Up     9s        L2    64
  0000.0000.0003  GE1/0/0     0000.0000.0001.02    Up     21s       L2    64

Total Peer(s): 2
# Routers have learned routes from each other. The following uses the routing table of RouterA as an example.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 9

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.0/24  Direct  0    0           D   1.1.1.1         GigabitEthernet1/0/0
        1.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        1.1.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
        2.2.2.0/24  ISIS-L2 15   20          D   1.1.1.2         GigabitEthernet1/0/0
        3.3.3.0/24  Direct  0    0           D   3.3.3.1         GigabitEthernet2/0/0
        3.3.3.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        3.3.3.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet2/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
     172.16.1.0/24  ISIS-L2 15   20          D   3.3.3.2         GigabitEthernet2/0/0

As shown in the routing table, the next-hop address of the route to 172.16.1.0/24 is 3.3.3.2, and traffic is transmitted on the primary link RouterA→RouterB.
3.
Configure BFD for IS-IS processes.
# Enable BFD for IS-IS on RouterA.
[RouterA] bfd
[RouterA-bfd] quit
[RouterA] isis
[RouterA-isis-1] bfd all-interfaces enable
[RouterA-isis-1] quit
# Enable BFD for IS-IS on RouterB.
[RouterB] bfd
[RouterB-bfd] quit
[RouterB] isis
[RouterB-isis-1] bfd all-interfaces enable
[RouterB-isis-1] quit
# Enable BFD for IS-IS on RouterC.
[RouterC] bfd
[RouterC-bfd] quit
[RouterC] isis
[RouterC-isis-1] bfd all-interfaces enable
[RouterC-isis-1] quit
# After the preceding configurations, run the display isis bfd session all command on RouterA, RouterB, and RouterC. You can see that the BFD session status is Up. The following uses the display on RouterA as an example.
[RouterA] display isis bfd session all
                    BFD session information for ISIS(1)
                    -----------------------------------
 Peer System ID : 0000.0000.0002     Interface : GE2/0/0
 RX : 1000                           Multiplier : 3
 LocDis : 8193                       RemDis : 8192
 Local IP Address: 3.3.3.1           Type : L2
 Diag : No diagnostic information

 Peer System ID : 0000.0000.0003     Interface : GE1/0/0
 Multiplier : 3                      Type : L2
 RemDis : 8192
 Diag : No diagnostic information

 Total BFD session(s): 2
As shown in the preceding display, the status of the BFD session between RouterA and RouterB and that between RouterA and RouterC is Up.
5.
Configure BFD for IS-IS interfaces.
# Configure BFD on GE2/0/0 of RouterA, set the minimum interval for sending packets to 100 ms, the minimum interval for receiving packets to 100 ms, and the local detection multiplier to 4.
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] isis bfd enable
[RouterA-GigabitEthernet2/0/0] isis bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
[RouterA-GigabitEthernet2/0/0] quit
# Configure BFD on GE2/0/0 of RouterB, set the minimum interval for sending packets to 100 ms, the minimum interval for receiving packets to 100 ms, and the local detection multiplier to 4.
[RouterB] bfd
[RouterB-bfd] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] isis bfd enable
[RouterB-GigabitEthernet2/0/0] isis bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
[RouterB-GigabitEthernet2/0/0] quit
# After the preceding configurations, run the display isis bfd session all command on RouterA or RouterB. You can see that the BFD parameters have taken effect. The following uses the display on RouterB as an example.
[RouterB] display isis bfd session all
                    BFD session information for ISIS(1)
                    -----------------------------------
 Peer System ID : 0000.0000.0001     Interface : GE2/0/0
 TX : 100                            BFD State : up
 RX : 100                            Peer IP Address : 3.3.3.1
 LocDis : 8192                       Local IP Address: 3.3.3.2
 Multiplier : 4                      RemDis : 8192
 Type : L2                           Diag : No diagnostic information

 Peer System ID : 0000.0000.0003     Interface : GE1/0/0
 TX : 100                            BFD State : up
 RX : 100                            Peer IP Address : 2.2.2.1
 LocDis : 8192                       Local IP Address: 2.2.2.2
 Multiplier : 3                      RemDis : 8193
 Type : L2                           Diag : No diagnostic information

 Total BFD session(s): 2
6.
Verify the configuration.
# Run the shutdown command on GigabitEthernet2/0/0 of RouterB to simulate a primary link failure.
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] shutdown
7.
# View the routing table of RouterA.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.0/24  Direct  0    0           D   1.1.1.1         GigabitEthernet1/0/0
        1.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        1.1.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
        2.2.2.0/24  ISIS-L2 15   20          D   1.1.1.2         GigabitEthernet1/0/0
        3.3.3.0/24  Direct  0    0           D   3.3.3.1         GigabitEthernet1/0/0
        3.3.3.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
        3.3.3.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet1/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
     172.16.1.0/24  ISIS-L2 15   20          D   1.1.1.2         GigabitEthernet1/0/0

As shown in the routing table, the backup link RouterA→RouterC→RouterB takes effect after the primary link fails, and the next-hop address of the route to 172.16.1.0/24 becomes 1.1.1.2.
# Run the display isis bfd session all command on RouterA. You can see that the status of the BFD session between RouterA and RouterC is Up.
[RouterA] display isis bfd session all
                    BFD session information for ISIS(1)
                    -----------------------------------
 Peer System ID : 0000.0000.0003
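Step 5 above sets the minimum transmit interval, the minimum receive interval and the detection multiplier on both ends of the RouterA-RouterB link, and that symmetry matters: per RFC 5880 each side declares the session down only after the remote multiplier times the larger of its own minimum receive interval and the peer's minimum transmit interval, so tuning a single router leaves detection at the peer's slower rate. The following Python script is an added example, not Huawei code. It parses a display isis bfd session all output (SAMPLE_OUTPUT, constructed here to follow the layout shown for RouterB in step 5) and combines it with the assumed parameters of the two peers (PEER_PARAMS: RouterA tuned as in step 5, RouterC left at the 1000 ms interval and multiplier of 3 that the step 3 output shows before tuning) to compute the detection time in each direction.

```python
import re

# Constructed sample (assumption): follows the layout of the
# display isis bfd session all output shown for RouterB in step 5.
SAMPLE_OUTPUT = """\
                    BFD session information for ISIS(1)
                    -----------------------------------
 Peer System ID : 0000.0000.0001     Interface : GE2/0/0
 TX : 100                            BFD State : up
 RX : 100                            Peer IP Address : 3.3.3.1
 LocDis : 8192                       Local IP Address: 3.3.3.2
 Multiplier : 4                      RemDis : 8192
 Type : L2                           Diag : No diagnostic information
 Peer System ID : 0000.0000.0003     Interface : GE1/0/0
 TX : 100                            BFD State : up
 RX : 100                            Peer IP Address : 2.2.2.1
 LocDis : 8192                       Local IP Address: 2.2.2.2
 Multiplier : 3                      RemDis : 8193
 Type : L2                           Diag : No diagnostic information
 Total BFD session(s): 2
"""

# Assumed parameters of the two peers: RouterA tuned like step 5, RouterC left
# at the values the step 3 output shows before tuning (1000 ms, multiplier 3).
PEER_PARAMS = {
    "0000.0000.0001": {"TX": 100, "RX": 100, "Multiplier": 4},
    "0000.0000.0003": {"TX": 1000, "RX": 1000, "Multiplier": 3},
}

NUMERIC_FIELDS = {"TX", "RX", "Multiplier", "LocDis", "RemDis"}


def parse_bfd_sessions(text):
    """Split the two-column display into one dict per session. Each line
    carries up to two 'Field : value' pairs separated by runs of spaces; a new
    session starts at every 'Peer System ID' field."""
    sessions = []
    for line in text.splitlines():
        for field in re.split(r"\s{2,}", line.strip()):
            if ":" not in field:
                continue                      # banner and separator lines
            key, value = (part.strip() for part in field.split(":", 1))
            if key == "Peer System ID":
                sessions.append({})
            if not sessions or key.startswith("Total"):
                continue
            sessions[-1][key] = int(value) if key in NUMERIC_FIELDS else value
    return sessions


def detection_time_ms(local_min_rx, remote_min_tx, remote_multiplier):
    """RFC 5880 detection time at the local system: the remote multiplier
    times the negotiated interval, i.e. the larger of the local minimum RX
    interval and the remote minimum TX interval."""
    return remote_multiplier * max(local_min_rx, remote_min_tx)


def session_detection_times(sessions, peer_params):
    """For every local session: how long after the last control packet the
    local side declares the peer down, and how long the peer needs to notice
    a local failure. Both directions drop only when both ends are tuned."""
    result = {}
    for s in sessions:
        peer = peer_params[s["Peer System ID"]]
        result[s["Peer System ID"]] = {
            "local_detects_peer_ms": detection_time_ms(s["RX"], peer["TX"], peer["Multiplier"]),
            "peer_detects_local_ms": detection_time_ms(peer["RX"], s["TX"], s["Multiplier"]),
        }
    return result


if __name__ == "__main__":
    sessions = parse_bfd_sessions(SAMPLE_OUTPUT)
    for peer_id, times in session_detection_times(sessions, PEER_PARAMS).items():
        print(peer_id, times)
```

For the RouterA session both directions come out at 400 ms (4 × 100 ms), while the session towards the untuned RouterC stays at 3000 ms in both directions even though the local RX interval is 100 ms, because the negotiated interval is the larger of the two sides' values.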
Chapter 3 OSPF
3.1 OSPF Summary
The Open Shortest Path First (OSPF) protocol, developed by the Internet Engineering Task Force (IETF), is a link-state Interior Gateway Protocol (IGP). As a link-state protocol, OSPF can solve many problems encountered by RIP. Additionally, OSPF features the following advantages:
Receives or sends packets in multicast mode to reduce load on the router that does not run OSPF.
Supports Classless Inter-domain Routing (CIDR).
Supports load balancing among equal-cost routes.
Supports packet encryption.
3.2 Fundamentals of OSPF
OSPF has the following functions:
Divides an Autonomous System (AS) into one or multiple logical areas.
Advertises routes by sending Link State Advertisements (LSAs).
Exchanges OSPF packets between devices in an OSPF area to synchronize routing information.
Encapsulates OSPF packets into IP packets and sends the packets in unicast or multicast mode.
3.2.1 Packet Type
Table 3-2-1 Packet type
Hello packet: Sent periodically to discover and maintain OSPF neighbor relationships.
Database Description (DD) packet: Contains brief information about the local link-state database (LSDB) and synchronizes the LSDBs on two devices.
Link State Request (LSR) packet: Requests the required LSAs from neighbors. LSR packets are sent only after DD packets are exchanged successfully.
Link State Update (LSU) packet: Sends the required LSAs to neighbors.
Link State Acknowledgement (LSAck) packet: Acknowledges the receipt of an LSA.
3.2.2 LSA Type
Table 3-2-2 LSA type
Router-LSA (Type 1): Describes the link status and link cost of a router. It is generated by every router and advertised in the area to which the router belongs.
Network-LSA (Type 2): Describes the link status of all routers on the local network segment. Network-LSAs are generated by a designated router (DR) and advertised in the area to which the DR belongs.
Network-summary-LSA (Type 3): Describes routes to a specific network segment in an area. Network-summary-LSAs are generated by an Area Border Router (ABR) and advertised in all areas except totally stub areas and Not-So-Stubby Areas (NSSA areas).
ASBR-summary-LSA (Type 4): Describes routes to an Autonomous System Boundary Router (ASBR). ASBR-summary-LSAs are generated by an ABR and advertised to all related areas except the area to which the ASBR belongs.
AS-external-LSA (Type 5): Describes routes to a destination outside the AS. AS-external-LSAs are generated by an ASBR and advertised to all areas except stub areas and NSSA areas.
NSSA-LSA (Type 7): Describes routes to a destination outside the AS. Generated by an ASBR and advertised in NSSAs only.
Opaque-LSA (Type 9/Type 10/Type 11): Provides a universal mechanism for OSPF extension.
Type 9 LSAs are advertised only on the network segment where the interface originating Type 9 LSAs resides. Grace LSAs used to support GR are a type of Type 9 LSAs.
Type 10 LSAs are advertised inside an OSPF area. LSAs used to support TE are a type of Type 10 LSAs.
Type 11 LSAs are advertised within an AS. At present, there are no applications of Type 11 LSAs.
3.2.3 Router Type
Figure 3-2-1 lists common router types used in OSPF.
Figure 3-2-1 Router type
Table 3-2-3 Router type
Internal router: All interfaces on an internal router belong to the same OSPF area.
Area Border Router (ABR): An ABR belongs to two or more areas, one of which must be the backbone area. An ABR is used to connect the backbone area and non-backbone areas. It can be physically or logically connected to the backbone area.
Backbone router: At least one interface on a backbone router belongs to the backbone area. Internal routers in Area 0 and all ABRs are backbone routers.
ASBR (AS Boundary Router): An ASBR exchanges routing information with other ASs. An ASBR does not necessarily reside on the border of an AS. It can be an internal router or an ABR. An OSPF device that has imported external routing information becomes an ASBR.
3.2.4 Route Type
Inter-area and intra-area routes in an AS describe the AS's network structure. AS external routes describe the routes to destinations outside an AS. OSPF classifies the imported AS external routes into Type 1 and Type 2 external routes. Table 3-2-4 lists route types in descending priority order.
Table 3-2-4 Route type
Intra-area route: Indicates routes within an area.
Inter-area route: Indicates routes between areas.
Type 1 external route: Type 1 external routes have high reliability. Cost of a Type 1 external route = Cost of the route from a local router to an ASBR + Cost of the route from the ASBR to the destination of the Type 1 external route.
Type 2 external route: Type 2 external routes have low reliability, and therefore OSPF considers that the cost of the route from an ASBR to the destination of a Type 2 external route is much greater than the cost of any internal route to the ASBR. Cost of a Type 2 external route = Cost of the route from the ASBR to the destination of the Type 2 external route.
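The route types in Table 3-2-4 are compared by priority first and by cost only within one type, and the cost of a Type 1 and a Type 2 external route is computed differently. The following Python script is an added example, not part of the material; the candidate routes and router names are constructed. It implements the selection order from the table, the equal-cost set that qualifies for the load balancing mentioned in 3.1, and the tie-break RFC 2328 applies when two Type 2 routes carry the same external cost (the one with the lower cost to its ASBR wins).

```python
from dataclasses import dataclass

# Route types in descending priority order, as in Table 3-2-4.
PRIORITY = {"intra": 0, "inter": 1, "external1": 2, "external2": 3}


@dataclass(frozen=True)
class Candidate:
    """One candidate path to the same destination (constructed data).
    internal_cost: cost from this router to the destination for intra-area
    and inter-area routes, or to the ASBR for external routes.
    external_cost: cost from the ASBR to the destination (external only)."""
    route_type: str
    via: str
    internal_cost: int = 0
    external_cost: int = 0


def route_cost(c):
    """Cost as defined in Table 3-2-4: Type 1 adds the path to the ASBR,
    Type 2 counts only the ASBR-to-destination cost."""
    if c.route_type == "external1":
        return c.internal_cost + c.external_cost
    if c.route_type == "external2":
        return c.external_cost
    return c.internal_cost


def sort_key(c):
    """Higher-priority type first, then lower cost, then (only relevant for
    Type 2 ties) the lower cost to the ASBR."""
    return (PRIORITY[c.route_type], route_cost(c), c.internal_cost)


def best_route(candidates):
    return min(candidates, key=sort_key)


def equal_cost_routes(candidates):
    """All candidates that tie with the best one; OSPF may load-balance
    across them."""
    best = min(sort_key(c) for c in candidates)
    return [c for c in candidates if sort_key(c) == best]


if __name__ == "__main__":
    routes = [
        Candidate("external2", "ASBR1", internal_cost=5, external_cost=20),
        Candidate("external2", "ASBR2", internal_cost=50, external_cost=20),
        Candidate("external1", "ASBR3", internal_cost=100, external_cost=100),
        Candidate("inter", "ABR1", internal_cost=500),
    ]
    for c in sorted(routes, key=sort_key):
        print(c.route_type, c.via, route_cost(c))
```

Note the consequence of the priority order: a Type 2 route with a total cost of 2 still loses to a Type 1 route with a total cost of 1000, and an inter-area route with cost 500 beats both, because cost is only ever compared inside one type.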
3.2.5 OSPF Network Type
Table 3-2-5 lists four OSPF network types that are classified based on link layer protocols.
Table 3-2-5 OSPF network type
Broadcast: A network with the link layer protocol of Ethernet or Fiber Distributed Data Interface (FDDI) is a broadcast network by default. On a broadcast network:
Hello packets, LSU packets, and LSAck packets are usually transmitted in multicast mode. 224.0.0.5 is an IP multicast address reserved for an OSPF device. 224.0.0.6 is an IP multicast address reserved for an OSPF DR or backup designated router (BDR).
DD and LSR packets are transmitted in unicast mode.
Non-Broadcast Multi-Access (NBMA): A network with the link layer protocol of frame relay (FR) or X.25 is an NBMA network by default. On an NBMA network, protocol packets such as Hello packets, DD packets, LSR packets, LSU packets, and LSAck packets are sent in unicast mode.
Point-to-Multipoint (P2MP): No network is a P2MP network by default, no matter what type of link layer protocol is used on the network. A network can be changed to a P2MP network. The common practice is to change a non-fully meshed NBMA network to a P2MP network. On a P2MP network:
Hello packets are transmitted in multicast mode using the multicast address 224.0.0.5.
Other types of protocol packets, such as DD packets, LSR packets, LSU packets, and LSAck packets, are sent in unicast mode.
Point-to-point (P2P): By default, a network where the link layer protocol is PPP, HDLC, or LAPB is a P2P network. On a P2P network, protocol packets such as Hello packets, DD packets, LSR packets, LSU packets, and LSAck packets are sent in multicast mode using the multicast address 224.0.0.5.
3.2.6 Area Type
Table 3-2-6 Area type
Common area: OSPF areas are common areas by default. Common areas include standard areas and backbone areas.
A standard area is the most common area and transmits intra-area routes, inter-area routes, and external routes.
A backbone area connects all the other OSPF areas. It is usually named Area 0.
Stub area: A stub area does not advertise AS external routes, but only intra-area and inter-area routes. Compared with a non-stub area, the Router in a stub area maintains fewer routing entries and transmits less routing information. To ensure the reachability of AS external routes, the ABR in a stub area advertises Type 3 default routes to the entire stub area. All AS external routes must be advertised by the ABR.
Totally stub area: A totally stub area does not advertise AS external routes or inter-area routes, but only intra-area routes. Compared with a non-stub area, the Router in a totally stub area maintains fewer routing entries and transmits less routing information. To ensure the reachability of AS external routes, the ABR in a totally stub area advertises Type 3 default routes to the entire totally stub area. All AS external routes must be advertised by the ABR.
NSSA area: An NSSA area can import AS external routes. An ASBR uses Type 7 LSAs to advertise the imported AS external routes to the entire NSSA area. These Type 7 LSAs are translated into Type 5 LSAs on an ABR, and are then flooded in the entire OSPF AS. An NSSA area has the characteristics of the stub areas in an AS. An ABR in an NSSA area advertises Type 3 default routes to the entire NSSA area. All inter-area routes must be advertised by the ABR.
Totally NSSA area: A totally NSSA area can import AS external routes. An ASBR uses Type 7 LSAs to advertise the imported AS external routes to the entire NSSA area. These Type 7 LSAs are translated into Type 5 LSAs on an ABR, and are then flooded in the entire OSPF AS. A totally NSSA area has the characteristics of the totally stub areas in an AS. An ABR in a totally NSSA area advertises Type 3 default routes to the entire totally NSSA area. All inter-area routes must be advertised by the ABR.
Stub Area
Stub areas are specific areas where ABRs do not flood the received AS external routes. In stub areas, Routers maintain fewer routing entries and less routing information. Configuring a stub area is optional. Not every area can be configured as a stub area. A stub area is usually a non-backbone area with only one ABR and is located at the AS border. To ensure the reachability of the routes to destinations outside an AS, the ABR in the stub area generates a default route and advertises the route to the non-ABRs in the same stub area. Note the following points when configuring a stub area:
The backbone area cannot be configured as a stub area.
Before configuring an area as a stub area, you must configure stub area attributes on all Routers in the area.
There should be no ASBR in a stub area, meaning that AS external routes cannot be transmitted in the stub area.
Virtual connections cannot cross a stub area.
NSSA Area
NSSA areas are a special type of OSPF area. There are many similarities between an NSSA area and a stub area. Neither of them advertises the external routes received from the other OSPF areas. The difference is that a stub area cannot import AS external routes, whereas an NSSA area can import AS external routes and advertise the imported routes to the entire AS. After an area is configured as an NSSA area, an ABR in the NSSA area generates a default route and advertises the route to the other Routers in the NSSA area. This is to ensure the reachability of the routes to the destinations outside an AS. Note the following points when configuring an NSSA area:
The backbone area cannot be configured as an NSSA area.
Before configuring an area as an NSSA area, you must configure NSSA area attributes on all Routers in the area.
Virtual connections cannot cross an NSSA area.
3.2.7 Neighbor State Machine
The OSPF neighbor state machine has eight states: Down, Attempt, Init, 2-way, Exstart, Exchange, Loading, and Full.
Down: It is in the initial stage of setting up sessions between neighbors. The state machine is Down when a router fails to receive Hello packets from its neighbor before the dead interval expires.
Attempt: It occurs only on an NBMA network. The state machine is Attempt when a neighbor does not reply with Hello packets after the dead interval has expired. The local router, however, keeps sending Hello packets to the neighbor at every poll interval.
Init: The state machine is Init after a router receives Hello packets.
2-way: The state machine is 2-way when the Hello packets received by a router contain its own router ID. The state machine will remain in the 2-way state if no neighbor relationship is established, and will become Exstart if a neighbor relationship is established.
Exstart: The state machine changes from Init to Exstart when the neighbor relationship is established. The two neighbors then start to negotiate the master/slave status and determine the sequence numbers of DD packets.
Exchange: The state machine is Exchange when a router starts to exchange DD packets with its neighbor after the master/slave status negotiation is completed.
Loading: The state machine is Loading after a router has finished exchanging DD packets with its neighbor.
Full: The state machine is Full when the LSA retransmission list is empty.
3.2.8 OSPF Packet Authentication
OSPF supports packet authentication. Only the OSPF packets that have been authenticated can be received. If OSPF packets are not authenticated, a neighbor relationship cannot be established. The Router supports two authentication methods:
Area-based authentication
Interface-based authentication
When both area-based and interface-based authentication methods are configured, interface-based authentication takes effect.
3.2.9 OSPF Route Summarization
Route summarization means that an ABR in an area summarizes the routes with the same prefix into one route and advertises the summarized route to the other areas.
Route summarization between areas reduces the amount of routing information to be transmitted, reducing the size of routing tables and improving device performance. Route summarization can be carried out by an ABR or an ASBR:
Route summarization on an ABR:
When an ABR in an area advertises routing information to other areas, it generates Type 3 LSAs by network segment. If this area contains consecutive network segments, you can run a command to summarize these network segments into one network segment. The ABR only needs to send one summarized LSA, and will not send the LSAs that belong to the summarized network segment specified in the command.
Route summarization on an ASBR:
If the local device is an ASBR and route summarization is configured, the ASBR will summarize the imported Type 5 LSAs within the aggregated address range. After an NSSA area is configured, the ASBR needs to summarize the imported Type 7 LSAs within the aggregated address range. If the local device is an ASBR and ABR, the device will summarize the Type 5 LSAs that are translated from Type 7 LSAs.
3.2.10 OSPF Default Route A default route is a route of which the destination address and mask are all 0s. If a router cannot find a route in its routing table for forwarding packets, it can forward packets using a default route. Due to hierarchical management of OSPF routes, the priority of default Type 3 routes is higher than the priority of default Type 5 or Type 7 routes. OSPF default routes are usually used in the following cases:
An ABR advertises default Type 3 Summary LSAs to instruct routers within an area to forward packets between areas.
An ASBR advertises default Type 5 ASE LSAs or default Type 7 NSSA area LSAs to instruct routers in an AS to forward packets to other ASs.
Principles for advertising OSPF default routes are described below:
An OSPF router can advertise LSAs carrying default route information only when it has an interface connected to an upper-layer network.
If an OSPF router has advertised an LSA carrying information about a type of default route, the OSPF router does not learn default routes of the same type advertised by other routers. This means that the OSPF router no longer calculates routes based on the LSAs carrying the same type of default route advertised by other routers, but still stores these LSAs in its LSDB.
The route on which default external route advertisement depends cannot be a route in the local OSPF AS. This means that the route cannot be the one learned by the local OSPF process. This is because default external routes are used to guide packet forwarding outside an AS, whereas the routes within an AS have the next hop pointing to the devices within the AS.
Table 3-2-7 Principles for advertising OSPF default routes
Area Type: Common area
Function: By default, devices in a common OSPF area do not automatically generate default routes, even if the common OSPF area has default routes. When a default route on the network is generated by another routing process (not OSPF process), the device that generates the default route must advertise the default route in the entire OSPF AS. (Run a command on an ASBR to configure the ASBR to generate a default route. After the configuration, the ASBR generates a default Type 5 ASE LSA and advertises the LSA to the entire OSPF AS.)
Area Type: STUB area
Function: A stub area does not allow AS external routes (Type 5 LSAs) to be transmitted within the area. All routers within the stub area must learn AS external routes from the ABR. The ABR automatically generates a default Summary LSA (Type 3 LSA) and advertises it to the entire stub area. Then all routes to destinations outside an AS can be learned from the ABR.
Area Type: Totally STUB area
Function: A totally stub area does not allow AS external routes (Type 5 LSAs) or inter-area routes (Type 3 LSAs) to be transmitted within the area. All routers within the totally stub area must learn AS external routes and other areas' routes from the ABR. The ABR automatically generates a default Summary LSA (Type 3 LSA) and advertises it to the entire totally stub area. Then, all routes to destinations outside an AS and to destinations in other areas can be learned from the ABR.
Area Type: NSSA area
Function: An NSSA area allows its ASBRs to import a small number of AS external routes, but does not advertise ASE LSAs received from other areas within the NSSA area. This means that AS external routes can be learned only from ASBRs in the NSSA area. Devices in an NSSA area do not automatically generate default routes. Use either of the following methods as required:
To advertise some external routes using the ASBR in the NSSA area and advertise other external routes through other areas, configure a default Type 7 LSA on the ABR and advertise this LSA in the entire NSSA area.
To advertise all the external routes using the ASBR in the NSSA area, configure a default Type 7 LSA on the ASBR and advertise this LSA in the entire NSSA area.
The difference between these two configurations is described below:
An ABR will generate a default Type 7 LSA regardless of whether the routing table contains the default route 0.0.0.0.
An ASBR will generate a default Type 7 LSA only when the routing table contains the default route 0.0.0.0.
A default route is flooded only in the local NSSA area and is not flooded in the entire OSPF AS. If Routers in the local NSSA area cannot find routes to the outside of the AS, the Routers can forward packets to the outside of the AS through an ASBR. Packets of other OSPF areas, however, cannot be sent to the outside of the AS through this ASBR. Default Type 7 LSAs will not be translated into default Type 5 LSAs and flooded in the entire OSPF AS.
Area Type: Totally NSSA area
Function: A totally NSSA area does not allow AS external routes (Type 5 LSAs) or inter-area routes (Type 3 LSAs) to be transmitted within the area. All Routers within the totally NSSA area must learn AS external routes from the ABR. The ABR automatically generates a default Summary LSA and advertises it to the entire totally NSSA area. Then all external routes received from other areas and inter-area routes can be advertised within the totally NSSA area.
3.2.11 OSPF Route Filtering OSPF supports route filtering using routing policies. By default, OSPF does not filter routes. Routing policies used by OSPF include the route-policy, access-list, and prefix-list. OSPF route filtering can be used for:
Importing routes
OSPF can import routes learned by other routing protocols. You can configure routing policies to filter the imported routes to allow OSPF to import only the routes that match specific conditions.
Advertising imported routes
OSPF advertises the imported routes to its neighbors. You can configure filtering rules to filter the routes to be advertised. The filtering rules can be configured only on ASBRs.
Learning routes
Filtering rules can be configured to allow OSPF to filter the received intra-area, inter-area, and AS external routes. After receiving routes, an OSPF device adds only the routes that match the filtering rules to the local routing table, but can still advertise all routes from the OSPF routing table.
Learning inter-area LSAs
You can run a command to configure an ABR to filter the incoming Summary LSAs. This configuration takes effect only on ABRs because only ABRs can advertise Summary LSAs.
Table 3-2-8 Differences between inter-area LSA learning and route learning
Inter-area LSA Learning: Directly filters incoming LSAs.
Route Learning: Filters the routes that are calculated based on LSAs, but does not filter LSAs. This means that all incoming LSAs are learned.
Advertising inter-area LSAs
You can run a command to configure an ABR to filter the outgoing Summary LSAs. This configuration takes effect only on ABRs.
3.2.12 OSPF Multi-Process OSPF supports multi-process. Multiple OSPF processes can run on the same Router, and they are independent of each other. Route exchanges between different OSPF processes are similar to route exchanges between different routing protocols. Each interface on the Router belongs to only one OSPF process. A typical application of OSPF multi-process is that OSPF runs between PEs and CEs in a VPN, whereas OSPF is used as an IGP on the backbone of the VPN. Two OSPF processes on the same PE are independent of each other.
3.2.13 OSPF RFC 1583 Compatibility RFC 1583 is an earlier version of OSPFv2. When OSPF calculates external routes, routing loops may occur because RFC 2328 and RFC 1583 define different route selection rules. To prevent routing loops, both communication ends must use the same route selection rules.
After RFC 1583 compatibility is enabled, OSPF uses the route selection rules defined in RFC 1583.
When RFC 1583 compatibility is disabled, OSPF uses the route selection rules defined in RFC 2328.
OSPF calculates external routes based on Type 5 LSAs. If the Router enabled with RFC 1583 compatibility receives a Type 5 LSA:
The Router selects a route to the ASBR that originates the LSA, or to the forwarding address (FA) described in the LSA.
The Router selects external routes to the same destination.
By default, OSPF uses the route selection rules defined in RFC 1583.
3.3 BFD for OSPF 3.3.1 Definition Bidirectional Forwarding Detection (BFD) is a mechanism to detect communication faults between forwarding engines. To be specific, BFD detects connectivity of a data protocol on a path between two systems. The path can be a physical link, a logical link, or a tunnel.
In BFD for OSPF, a BFD session is associated with OSPF. The BFD session quickly detects a link fault and then notifies OSPF of the fault. This speeds up OSPF's response to the change of the network topology.
3.3.2 Purpose The link fault or the topology change may cause devices to re-calculate routes. Therefore, the convergence of routing protocols must be as quick as possible to improve the network performance. Link faults are unavoidable. Therefore, a feasible solution is required to detect faults faster and notify the faults to routing protocols immediately. If BFD is associated with OSPF, once a fault occurs on a link between neighbors, BFD can speed up the OSPF convergence.
Table 3-3-1 Comparison before and after BFD for OSPF is enabled
Associated with BFD or Not: Not associated with BFD
Link Fault Detection Mechanism: An OSPF Dead timer expires. By default, the timeout period of the timer is 40s.
Convergence Speed: At the second level
Associated with BFD or Not: Associated with BFD
Link Fault Detection Mechanism: A BFD session goes Down.
Convergence Speed: At the millisecond level
3.3.3 Principle
Figure 3-3-1 BFD for OSPF
The principle of BFD for OSPF is shown in Figure 3-3-1.
1. OSPF neighbor relationships are established between these three routers.
2. After a neighbor relationship becomes Full, this triggers BFD to establish a BFD session.
3. The outbound interface on RouterA connected to RouterB is GE 2/0/0. If the link fails, BFD detects the fault and then notifies RouterA of the fault.
4. RouterA processes the event that a neighbor relationship becomes Down and re-calculates routes. After calculation, the outbound interface becomes GE1/0/0, and traffic passes through RouterC and then reaches RouterB.
3.4 OSPF GTSM 3.4.1 Definition GTSM is short for Generalized TTL Security Mechanism, a mechanism that protects the services over the IP layer by checking whether the TTL value in the IP packet header is within a pre-defined range.
3.4.2 Purpose On the network, an attacker may simulate valid OSPF packets and keep sending them to a device. After receiving these packets, the device identifies the destination of the packets. The forwarding plane of the device then directly sends the packets to the control plane for processing without checking the validity of the packets. As a result, the device is busy processing these "valid" packets, resulting in high CPU usage. In applications, GTSM is mainly used to protect the TCP/IP-based control plane from CPU-utilization based attacks, for example, attacks that cause CPU overload.
3.4.3 Principle Devices enabled with GTSM check the TTL values in all the received packets according to the configured policies. The packets that fail to pass the policies are discarded or sent to the control plane. This prevents devices from possible CPU-utilization based attacks. A GTSM policy involves the following items:
Source address of the IP packet sent to the device
VPN instance to which the packet belongs
Protocol number of the IP packet (89 for OSPF, and 6 for BGP)
Source port number and destination port number of protocols above TCP/UDP
Valid TTL range
The method of implementing GTSM is as follows:
For the directly connected OSPF neighbors, the TTL value of the unicast protocol packets to be sent is set to 255.
For multi-hop neighbors, a reasonable TTL range is defined.
The applicability of GTSM is as follows:
GTSM is effective with unicast packets rather than multicast packets. This is because the TTL field of multicast packets can only be 255, and therefore GTSM is not needed to protect against multicast packets.
GTSM does not support tunnel-based neighbors.
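A GTSM policy of the kind described above, as an added example that is not part of the Huawei material: the policy items (source address, VPN instance, protocol number, TCP/UDP ports, valid TTL range) are modelled as hypothetical Python dataclasses, the sample packets and addresses are constructed, and the handling of packets that match no policy is a configurable default action.

```python
"""Added example (not Huawei code): model of how a GTSM policy screens
protocol packets before they are punted to the control plane."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

OSPF_PROTO = 89   # IP protocol numbers quoted in the text
BGP_PROTO = 6     # BGP runs over TCP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int
    proto: int
    vpn_instance: str = ""          # "" = public network instance (constructed convention)
    sport: Optional[int] = None     # TCP/UDP ports; None for OSPF (IP protocol 89)
    dport: Optional[int] = None


@dataclass(frozen=True)
class GtsmPolicy:
    source: str                  # source address range of packets sent to the device
    vpn_instance: str            # VPN instance the packet belongs to
    proto: int                   # IP protocol number (89 = OSPF, 6 = BGP)
    ttl_min: int                 # valid TTL range; 255..255 for a directly connected neighbor
    ttl_max: int
    sport: Optional[int] = None  # port numbers apply only to protocols above TCP/UDP
    dport: Optional[int] = None

    def selects(self, pkt: Packet) -> bool:
        """True if this policy governs packets like pkt (TTL not considered here)."""
        if pkt.proto != self.proto or pkt.vpn_instance != self.vpn_instance:
            return False
        if ip_address(pkt.src) not in ip_network(self.source):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

    def ttl_ok(self, pkt: Packet) -> bool:
        return self.ttl_min <= pkt.ttl <= self.ttl_max


def gtsm_check(pkt: Packet, policies: Iterable[GtsmPolicy],
               default_action: str = "drop") -> str:
    """Return "control-plane" if the packet may be punted, "drop" otherwise.

    default_action ("drop" or "pass") applies to packets that no policy selects.
    """
    # Multicast protocol packets are outside GTSM's scope (applicability note
    # in the text): they are handed to the control plane without a TTL check.
    if ip_address(pkt.dst).is_multicast:
        return "control-plane"
    for pol in policies:
        if pol.selects(pkt):
            # Selected by a policy: the TTL range decides. A packet carrying a
            # neighbor's source address but a lower TTL has travelled further
            # than that neighbor could be, so it is discarded.
            return "control-plane" if pol.ttl_ok(pkt) else "drop"
    return "control-plane" if default_action == "pass" else "drop"


# Constructed policies: a directly connected OSPF neighbor (TTL must be 255)
# and a BGP peer up to three hops away (TTL 252..255), both in the public instance.
POLICIES = (
    GtsmPolicy("10.0.0.0/30", "", OSPF_PROTO, 255, 255),
    GtsmPolicy("192.0.2.9/32", "", BGP_PROTO, 252, 255, dport=179),
)


def screen(packets, policies=POLICIES, default_action="drop"):
    """Apply gtsm_check to each packet; returns a list of (packet, verdict)."""
    return [(p, gtsm_check(p, policies, default_action)) for p in packets]


if __name__ == "__main__":
    # Constructed sample traffic (documentation address ranges).
    samples = [
        Packet("10.0.0.2", "10.0.0.1", 255, OSPF_PROTO),      # genuine directly connected neighbor
        Packet("10.0.0.2", "10.0.0.1", 253, OSPF_PROTO),      # same source, TTL already decremented
        Packet("10.0.0.2", "224.0.0.5", 1, OSPF_PROTO),       # multicast Hello: not screened
        Packet("192.0.2.9", "192.0.2.1", 253, BGP_PROTO, sport=40000, dport=179),
        Packet("192.0.2.9", "192.0.2.1", 240, BGP_PROTO, sport=40000, dport=179),
        Packet("198.51.100.7", "10.0.0.1", 255, OSPF_PROTO),  # no policy: default action
    ]
    for pkt, verdict in screen(samples):
        print(f"{pkt.src:>14} -> {pkt.dst:<10} ttl={pkt.ttl:<3} proto={pkt.proto:<2} {verdict}")
```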
3.5 OSPF Smart-discover 3.5.1 Definition Generally, Routers periodically send Hello packets through OSPF interfaces. That is, a Router sends Hello packets at the Hello interval set by a Hello timer. Because Hello packets are sent at a fixed interval, the speed at which OSPF neighbor relationship is established is lowered. Enabling Smart-discover can speed up the establishment of OSPF neighbor relationships in specific scenarios.
Table 3-5-1 OSPF Smart-discover
Smart-discover Configured or Not: Smart-discover is not configured
Processing:
Hello packets are sent only when the Hello timer expires.
The gap between the sending of two Hello packets is the Hello interval.
Neighbors keep waiting to receive Hello packets within the Hello interval.
Smart-discover Configured or Not: Smart-discover is configured
Processing:
Hello packets are sent directly regardless of whether the Hello timer expires.
Neighbors can receive packets rapidly and perform status transition immediately.
3.5.2 Principle In the following scenarios, the interface enabled with Smart-discover can send Hello packets to neighbors without having to wait for the Hello timer to expire:
The neighbor status becomes 2-way for the first time.
The neighbor status changes from 2-way or a higher state to Init.
3.6 OSPF VPN 3.6.1 Definition As an extension of OSPF, OSPF VPN multi-instance enables Provider Edges (PEs) and Customer Edges (CEs) in VPNs to run OSPF for interworking and use OSPF to learn and advertise routes.
3.6.2 Purpose OSPF is a widely used IGP and in most cases runs in VPNs. If OSPF runs between PEs and CEs, and PEs advertise VPN routes to CEs using OSPF, CEs do not need to support other routing protocols for interworking with PEs. This simplifies management and configuration of CEs.
3.6.3 Running OSPF between PEs and CEs In BGP/MPLS VPN, routing information is transmitted between PEs using Multi-Protocol BGP (MP-BGP), whereas routes are learned and advertised between PEs and CEs using OSPF. Running OSPF between PEs and CEs has the following benefits:
OSPF is used in a site to learn routes. Running OSPF between PEs and CEs can reduce the protocol types that CEs must support, reducing the requirements for CEs.
Similarly, running OSPF both in a site and between PEs and CEs reduces the workload of network administrators, who then do not have to be familiar with multiple protocols.
When a network using OSPF but not VPN on the backbone network begins to use BGP/MPLS VPN, running OSPF between PEs and CEs facilitates the transition.
As shown in Figure 3-6-1, CE1, CE3, and CE4 belong to VPN 1, and the numbers following OSPF refer to the process IDs of multiple OSPF instances running on PEs.
Figure 3-6-1 Running OSPF between PEs and CEs
The process of advertising routes of CE1 to CE3 and CE4 is as follows:
1. PE1 imports OSPF routes of CE1 into BGP and forms BGP VPNv4 routes.
2. PE1 advertises BGP VPNv4 routes to PE2 using MP-BGP.
3. PE2 imports BGP VPNv4 routes into OSPF, and then advertises these routes to CE3 and CE4.
The process of advertising routes of CE4 or CE3 to CE1 is the same as the preceding process.
3.6.4 Configuring OSPF Areas between PEs and CEs OSPF areas between PEs and CEs can be either non-backbone areas or backbone areas (Area 0). A PE can only be an area border router (ABR). In the extended application of OSPF VPN, the MPLS VPN backbone network serves as Area 0. OSPF requires that Area 0 be contiguous. Therefore, Area 0 of all VPN sites must be connected to the MPLS VPN backbone network. If a VPN site has OSPF Area 0, the PEs that CEs access must be connected to the backbone area of this VPN site through Area 0. If no physical link is available to directly connect PEs to the backbone area, a virtual link can be used to implement logical connection between the PEs and the backbone area, as shown in Figure 3-6-2.
Figure 3-6-2 Configuring OSPF areas between PEs and CEs
A non-backbone area (Area 1) is configured between PE1 and CE1, and a backbone area (Area 0) is configured in Site 1. As a result, the backbone area in Site 1 is separated from the VPN backbone area. Therefore, a virtual link is configured between PE1 and CE1 to ensure that the backbone area is contiguous.
3.6.5 OSPF Domain ID If inter-area routes are advertised between local and remote OSPF areas, these areas are considered to be in the same OSPF domain.
Domain IDs identify and differentiate different domains.
Each OSPF domain has one or more domain IDs, one of which is a primary ID with the others being secondary IDs.
If an OSPF instance does not have a specific domain ID, its ID is considered as null.
Before advertising the remote routes sent by BGP to CEs, PEs need to determine the type of OSPF routes (Type 3, Type 5 or Type 7) to be advertised to CEs according to domain IDs.
If local domain IDs are the same as or compatible with remote domain IDs in BGP routes, PEs advertise Type 3 routes.
Otherwise, PEs advertise Type 5 or Type 7 routes.
Table 3-6-1 Domain ID
Comparison between Local and Remote Domain IDs: Both the local and remote domain IDs are null.
Local and Remote Domain IDs the Same or Not: The same
Route Type: Inter-area route
Comparison between Local and Remote Domain IDs: The remote domain ID is the same as the local primary domain ID or one of the local secondary domain IDs.
Local and Remote Domain IDs the Same or Not: The same
Route Type: Inter-area route
Comparison between Local and Remote Domain IDs: The remote domain ID is different from the local primary domain ID or any of the local secondary domain IDs.
Local and Remote Domain IDs the Same or Not: Not the same
Route Type: If the local area is a non-NSSA, external routes are generated. If the local area is an NSSA, NSSA routes are generated.
3.6.6 Disabling Routing Loop Prevention CAUTION: Disabling routing loop prevention may cause routing loops. Exercise caution when performing this operation. During BGP or OSPF route exchanges, routing loop prevention prevents OSPF routing loops in VPN sites. In the inter-AS VPN Option A scenario, if OSPF is running between ASBRs to transmit VPN routes, the remote ASBR may be unable to learn the OSPF routes sent by the local ASBR due to the routing loop prevention mechanism. As shown in Figure 3-6-3, inter-AS VPN Option A is deployed. OSPF is running between PE1 and CE1. CE1 sends VPN routes to CE2.
Figure 3-6-3 Networking diagram for inter-AS VPN Option A
1. PE1 learns routes to CE1 using the OSPF process in a VPN instance, imports these routes into MP-BGP, and sends the MP-BGP routes to ASBR1.
2. After having received the MP-BGP routes, ASBR1 imports the routes into the OSPF process in a VPN instance and generates Type 3, Type 5, or Type 7 LSAs in which the DN bit is set to 1.
3. ASBR2 learns these LSAs using OSPF and checks the DN bit of each LSA. After learning that the DN bit in each LSA is set to 1, ASBR2 does not add the routing information carried in these LSAs to its routing table.
Due to the routing loop prevention mechanism, ASBR2 cannot learn the OSPF routes sent from ASBR1, causing CE1 to be unable to communicate with CE3. To address the preceding problem, use either of the following methods:
A device does not set the DN bit to 1 in the LSAs when importing BGP routes into OSPF. For example, ASBR1 does not set the DN bit to 1 when importing MP-BGP routes into OSPF. After ASBR2 receives these routes and checks that the DN bit in the LSAs carrying these routes is 0, ASBR2 adds the routes to its routing table.
A device does not check the DN bit after having received LSAs. For example, ASBR1 sets the DN bit to 1 in LSAs when importing MP-BGP routes into OSPF. ASBR2, however, does not check the DN bit after having received these LSAs.
The preceding methods can be used more flexibly based on specific types of LSAs. For Type 3 LSAs, you can configure a sender to determine whether to set the DN bit to 1, or configure a receiver to determine whether to check the DN bit in the Type 3 LSAs based on the router ID of the device that generates the Type 3 LSAs. In the inter-AS VPN Option A scenario shown in Figure 3-6-4, the four ASBRs are fully meshed and run OSPF. ASBR2 may receive the Type 3, Type 5, or Type 7 LSAs generated on ASBR4. If ASBR2 is not configured to check the DN bit in the LSAs, ASBR2 will accept the Type 3 LSAs, and routing loops will occur, as shown in Figure 3-6-4. ASBR2 will deny the Type 5 or Type 7 LSAs, because the VPN route tags carried in the LSAs are the same as the default VPN route tag of the OSPF process on ASBR2. To address the routing loop problem caused by Type 3 LSAs, configure ASBR2 not to check the DN bit in the Type 3 LSAs that are generated by devices with the router ID 1.1.1.1 and the router ID 3.3.3.3. After the configuration is complete, if ASBR2 receives Type 3 LSAs sent by ASBR4 with the router ID 4.4.4.4, ASBR2 will check the DN bit and deny these Type 3 LSAs because the DN bit is set to 1.
Figure 3-6-4 Networking diagram for full-mesh ASBRs in the inter-AS VPN Option A scenario
3.6.7 Routing Loop Prevention Between PEs and CEs, routing loops may occur when OSPF and BGP learn routes from each other.
Figure 3-6-5 OSPF VPN routing loops
As shown in Figure 3-6-5, on PE1, OSPF imports a BGP route whose destination address is 10.1.1.1/32, and then generates and advertises a Type 5 or Type 7 LSA to CE1. Then, CE1 learns an OSPF route with the destination address and next hop being 10.1.1.1/32 and PE1 respectively, and advertises the route to PE2. In this manner, PE2 learns an OSPF route with the destination address and next hop being 10.1.1.1/32 and CE1 respectively. Similarly, CE1 also learns an OSPF route with the destination address and next hop being 10.1.1.1/32 and PE2 respectively. PE1 learns an OSPF route with the destination address and next hop being 10.1.1.1/32 and CE1 respectively.
As a result, CE1 has two equal-cost routes with next hops being PE1 and PE2 respectively, and the next hops of the routes from PE1 and PE2 to 10.1.1.1/32 are CE1. Thus, a routing loop occurs. In addition, the preference of an OSPF route is higher than that of a BGP route. Therefore, on PE1 and PE2, BGP routes to 10.1.1.1/32 are replaced by the OSPF route. That is, the OSPF route with the destination address and next hop being 10.1.1.1/32 and CE1 respectively is active in the routing tables of PE1 and PE2. The BGP route then becomes inactive, and thus the LSA generated when this route is imported by OSPF is deleted. This causes the OSPF route to be withdrawn. As a result, there is no OSPF route in the routing table, and the BGP route becomes active again. This cycle causes route flapping. OSPF VPN provides a solution to this problem, as shown in Table 3-6-2.
Table 3-6-2 Routing loop prevention
Feature: DN-bit
Definition: To prevent routing loops, an OSPF multi-instance process uses one bit as a flag bit, which is called the DN-bit.
Function: When advertising the generated Type 3, Type 5, or Type 7 LSAs to CEs, PEs set the DN-bit of these LSAs to 1 and the DN-bit of other LSAs to 0. When calculating routes, the OSPF multi-instance process of a PE ignores the LSAs with the DN-bit being 1. This avoids routing loops that occur when PEs learn the self-originated LSAs from CEs.
Feature: VPN Route Tag
Definition: The VPN route tag is carried in Type 5 or Type 7 LSAs generated by PEs according to the received BGP private route. Not transmitted in BGP extended community attributes, the VPN route tag is valid only on the PEs that receive BGP routes and generate OSPF LSAs.
Function: When a PE detects that the VPN route tag in the incoming LSA is the same as that in the local LSA, the PE ignores this LSA. Consequently, routing loops are avoided.
Feature: Default Route
Definition: A route with the destination address and mask being all 0s is a default route.
Function: PEs do not calculate default routes. Default routes are used to forward the traffic from CEs or the sites where CEs reside to the VPN backbone network.
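The DN-bit and VPN route tag checks of Table 3-6-2, together with the per-router-ID DN-bit exemption of 3.6.6, as an added example that is not Huawei code: the LSA and the OSPF VPN instance are hypothetical Python objects, and the router IDs, prefixes and tag values used for the Figure 3-6-4 and Figure 3-6-5 scenarios are constructed.

```python
"""Added example (not Huawei code): how an OSPF multi-instance process on a
PE or ASBR decides whether a received LSA is used for route calculation."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Lsa:
    lsa_type: int                  # 3 (Summary), 5 (ASE) or 7 (NSSA)
    prefix: str
    adv_router: str                # router ID of the device that generated the LSA
    dn_bit: bool = False
    vpn_tag: Optional[int] = None  # carried only in Type 5/7 LSAs


@dataclass
class OspfVpnInstance:
    """OSPF process bound to a VPN instance on a PE or ASBR (hypothetical model)."""
    router_id: str
    vpn_tag: int                   # this process's VPN route tag
    set_dn_bit: bool = True        # set DN-bit=1 on LSAs generated from BGP routes
    check_dn_bit: bool = True      # honour the DN-bit on received LSAs
    # Type 3 LSAs from these router IDs skip the DN-bit check (3.6.6 configuration)
    dn_bit_exempt: Set[str] = field(default_factory=set)

    def import_bgp_route(self, prefix: str, lsa_type: int) -> Lsa:
        """LSA a PE advertises towards CEs for a route received from MP-BGP."""
        return Lsa(lsa_type, prefix, self.router_id, dn_bit=self.set_dn_bit,
                   vpn_tag=self.vpn_tag if lsa_type in (5, 7) else None)

    def accept(self, lsa: Lsa) -> Tuple[bool, str]:
        """Return (used_for_route_calculation, reason) for a received LSA."""
        # VPN route tag: a Type 5/7 LSA carrying our own tag came from a PE of
        # this same VPN and must not be turned into a route again.
        if lsa.lsa_type in (5, 7) and lsa.vpn_tag == self.vpn_tag:
            return False, "VPN route tag equals local tag: ignored"
        if lsa.dn_bit and self.check_dn_bit:
            exempt = lsa.lsa_type == 3 and lsa.adv_router in self.dn_bit_exempt
            if not exempt:
                return False, "DN-bit is 1: ignored"
        return True, "used for route calculation"


def figure_3_6_4_scenario() -> Dict[str, Dict[str, bool]]:
    """ASBR2 receiving LSAs in the full-mesh Option A scenario (constructed data)."""
    from_asbr1 = Lsa(3, "10.1.0.0/24", "1.1.1.1", dn_bit=True)
    from_asbr4_t3 = Lsa(3, "10.4.0.0/24", "4.4.4.4", dn_bit=True)
    # ASBR4's Type 5 carries the same tag as ASBR2's default tag (as in the text)
    from_asbr4_t5 = Lsa(5, "10.4.1.0/24", "4.4.4.4", dn_bit=True, vpn_tag=100)

    # DN-bit check switched off entirely: Type 3 from ASBR4 would be accepted (loop)
    asbr2_no_check = OspfVpnInstance("2.2.2.2", vpn_tag=100, check_dn_bit=False)
    # Recommended fix: exempt only Type 3 LSAs generated by 1.1.1.1 and 3.3.3.3
    asbr2_fixed = OspfVpnInstance("2.2.2.2", vpn_tag=100,
                                  dn_bit_exempt={"1.1.1.1", "3.3.3.3"})
    result = {}
    for name, asbr2 in (("no_dn_check", asbr2_no_check), ("exempt_1_and_3", asbr2_fixed)):
        result[name] = {
            "asbr1_type3": asbr2.accept(from_asbr1)[0],
            "asbr4_type3": asbr2.accept(from_asbr4_t3)[0],
            "asbr4_type5": asbr2.accept(from_asbr4_t5)[0],
        }
    return result


def figure_3_6_5_scenario() -> Dict[str, object]:
    """PE1 imports 10.1.1.1/32 from BGP; PE2 hears the LSA back through CE1."""
    pe1 = OspfVpnInstance("1.1.1.1", vpn_tag=100)
    pe2 = OspfVpnInstance("2.2.2.2", vpn_tag=100)
    lsa = pe1.import_bgp_route("10.1.1.1/32", lsa_type=5)
    accepted, reason = pe2.accept(lsa)   # CE1 floods the LSA unchanged
    # Hypothetical PE with neither protection (different tag, DN-bit ignored)
    pe2_unprotected = OspfVpnInstance("2.2.2.2", vpn_tag=200, check_dn_bit=False)
    return {"pe2_protected": accepted, "reason": reason,
            "pe2_unprotected": pe2_unprotected.accept(lsa)[0]}


if __name__ == "__main__":
    print(figure_3_6_4_scenario())
    print(figure_3_6_5_scenario())
```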
3.6.8 Multi-VPN-Instance CE OSPF multi-instance generally runs on PEs. The devices that run OSPF multi-instance within the LANs of users are called Multi-VPN-Instance CEs (MCEs), that is, multi-instance CEs. Compared with OSPF multi-instance running on PEs, MCEs have the following characteristics:
MCEs do not need to support OSPF-BGP synchronization.
MCEs establish different OSPF instances for different services. Different virtual CEs transmit different services. This solves the security issue of the LAN at a low cost.
MCEs implement different OSPF multi-instances on a CE. The key to implementing MCEs is to disable loop detection and calculate routes directly. MCEs also need to use the received LSAs with the DN-bit for route calculation.
3.7 OSPF NSSA 3.7.1 Definition As defined in OSPF, stub areas cannot import external routes. This prevents a large number of external routes from consuming bandwidth and storage resources of the Routers in stub areas. To import external routes and to prevent external routes from consuming resources, NSSAs are used, because stub areas cannot meet requirements. NSSAs are a new type of OSPF areas. There are many similarities between NSSAs and stub areas. The difference between NSSAs and stub areas is that NSSAs can import AS external routes into the entire OSPF AS and advertise the imported routes in the OSPF AS, but do not learn external routes from other areas on the OSPF network.
Figure 3-7-1 NSSA
N-bit All Routers in an area must be configured with the same area type. In OSPF, the N-bit is carried in a Hello packet and is used to identify the area type supported by the Router. OSPF neighbor relationships cannot be established between Routers configured with different area types. Some manufacturers do not comply with the standard and set the N-bit in both OSPF Hello and DD packets. To allow Huawei devices to interwork with these manufacturers' devices, set the N-bit in OSPF DD packets on Huawei devices.
Type 7 LSA
Type 7 LSAs are a new type of LSAs that can only be used in NSSAs and describe the imported external routes.
Type 7 LSAs are generated by ASBRs in an NSSA and flooded only in the NSSA where the ASBRs reside.
When the ABRs in the NSSA receive these Type 7 LSAs, they translate some of the Type 7 LSAs into Type 5 LSAs to advertise AS external routes to the other areas on the OSPF network.
Translating Type 7 LSAs into Type 5 LSAs To advertise the external routes imported by an NSSA to other areas, Type 7 LSAs need to be translated into Type 5 LSAs so that the external routes can be advertised on the entire OSPF network.
The Propagate bit (P-bit) in a Type 7 LSA is used to instruct the Router whether to translate Type 7 LSAs into Type 5 LSAs.
By default, the ABR with the largest router ID in an NSSA is responsible for translating Type 7 LSAs into Type 5 LSAs.
Only the Type 7 LSAs in which the P-bit is set to 1 and the FA is not 0 can be translated into Type 5 LSAs. The FA indicates that the packet to a specific destination address will be forwarded to the address specified by the FA.
The P-bit in the Type 7 LSAs generated by ABRs is not set to 1.
Preventing Loops Caused by Default Routes There may be multiple ABRs in an NSSA. To prevent routing loops, these ABRs are configured not to calculate the default routes advertised by each other.
3.8 OSPF Fast Convergence OSPF fast convergence is an extended feature of OSPF to speed up route convergence. The characteristics of OSPF fast convergence are as follows:
Priority-based OSPF Convergence
When certain routes on the network change, only the changed routes are recalculated. This is called Partial Route Calculation (PRC).
An intelligent timer is used to implement LSA management (the generating and receiving of LSAs). With the intelligent timer, infrequent changes are responded to quickly, whereas frequent changes are suppressed as desired. To avoid excessive consumption of device resources by network connections or due to frequent route flapping, RFC 2328 maintains that:
After an LSA is generated, it cannot be generated again in five seconds. That is, the interval for updating LSAs is one second.
The interval for receiving LSAs is one second.
On a stable network where routes need to be fast converged, you can use the intelligent timer to set the interval for receiving LSAs to 0 seconds. This ensures that topology or route changes can be advertised to the network or be immediately sensed, thus speeding up route convergence on the network.
Route calculation is controlled through the intelligent timer. When the network topology changes, devices need to recalculate routes according to OSPF. This means that frequent changes in the network topology affect the performance of devices. To address this issue, RFC 2328 requires the use of a delay timer in route calculation so that route calculation is performed only after the specified delay. But the delay suggested by the RFC is a fixed value, and cannot ensure both fast response to topology changes and effective suppression of flapping. By means of the intelligent timer, the delay in route calculation can be flexibly set as desired. As a result, infrequent changes are responded to quickly, whereas frequent changes are suppressed as desired.
OSPF Smart-discover
3.8.1 OSPF NSR Non-Stop Routing (NSR) is a routing technique that prevents a neighbor from sensing the fault on the control plane of a device that provides a slave control plane. With NSR, when the control plane of the device becomes faulty, the neighbor relationship set up through specific routing protocols, MPLS, and other protocols that carry services are not interrupted. As networks develop at a fast pace, operators are having increasingly higher requirements for reliability of IP networks. NSR, as a high availability (HA) solution, is introduced to ensure that services transmitted by a device are not affected when a hardware or software failure occurs on the device. OSPF NSR synchronizes the protocol data on the master MPU/SRU to the slave MPU/SRU in real time. When the master MPU/SRU becomes faulty or needs to be upgraded, the slave MPU/SRU rapidly takes over services from the master MPU/SRU without being sensed by the neighbor. OSPF NSR synchronizes the real-time data between the master and slave MPUs/SRUs in the following manners:
OSPF backs up configuration data and dynamic data, including information about interfaces, neighbors, and LSDBs.
OSPF does not back up routes, shortest path trees (SPTs), and Traffic Engineering DataBases (TEDBs). All these can be restored through the source data by using the database backup process.
When the master-slave switchover occurs, the new master MPU/SRU restores the operation data and takes over services from the former master MPU/SRU without being sensed by the neighbor.
3.8.2 Priority-based OSPF Convergence
Priority-based OSPF convergence ensures that specific routes converge first when a great number of routes need to converge. Different routes can be set with different convergence priorities. This allows important routes to converge first and therefore improves network reliability.
2016-1-11
Huawei Confidential
Page 134 of 1210
HCIE-R&S Material
Confidentiality Level
By using priority-based OSPF convergence, you can assign a higher convergence priority to routes for key services so that those routes can converge fast. By so doing, the impact on key services is reduced.
3.9 OSPF IP FRR
OSPF IP Fast Reroute (FRR) is dynamic IP FRR in which a backup link is pre-computed by OSPF based on the LSDBs on the entire network. The backup link is stored in the forwarding table to protect traffic in the case of failures. In this manner, the failure recovery time can be reduced to less than 50 ms. OSPF IP FRR complies with RFC 5286, Basic Specification for IP Fast Reroute: Loop-Free Alternates, which protects traffic when links or nodes become faulty.
3.9.1 Background
With the development of networks, Voice over IP (VoIP) and online video services require high-quality real-time transmission. Nevertheless, if an OSPF fault occurs, multiple processes, including fault detection, LSP update, LSP flooding, route calculation, and FIB entry delivery, must be performed to switch traffic to a new link. As a result, the fault recovery time is much greater than 50 ms, the time after which users sense a traffic interruption, which cannot meet the requirement of real-time services.
3.9.2 Implementation Principle
OSPF IP FRR pre-computes a backup link by using the Loop-Free Alternate (LFA) algorithm, and then adds the backup link and the primary link to the forwarding table. In the case of failures, OSPF IP FRR can switch traffic to the backup link before routes on the control plane converge. This prevents traffic interruption and thus protects traffic and improves the reliability of an OSPF network. The Router supports IPv4 OSPF IP FRR.
In the LFA algorithm, a neighbor that can provide a backup link is taken as the root node, and the shortest path from that neighbor to the destination of the primary link is computed by using the SPF algorithm. The neighbor that yields a loop-free backup link with the smallest cost is then chosen by using the inequalities defined in RFC 5286.
OSPF IP FRR can filter the backup routes that are to be added to the IP routing table. Only the backup routes that pass the filtering policy are added to the IP routing table. In this manner, users can flexibly manage the addition of OSPF backup routes to the IP routing table.
3.9.3 Application Environment
OSPF IP FRR is classified into link protection and link-node dual protection. Distance_opt(X, Y) indicates the shortest path between node X and node Y.
Link protection: indicates that the object to be protected is the traffic passing through an OSPF IP FRR-enabled link. The link cost must satisfy the inequality Distance_opt(N, D) < Distance_opt(N, S) + Distance_opt(S, D). S indicates the source node of traffic; N indicates the node on the backup link; D indicates the destination node of traffic. As shown in Figure 3-9-1, traffic is transmitted from Router S to Router D. The link cost satisfies the link protection inequality. When the primary link fails, Router S switches the traffic to the backup link Router S -> Router N so that the traffic can be further transmitted along downstream paths. This ensures that the traffic interruption is less than 50 ms.
Figure 3-9-1 OSPF IP FRR link protection
Link-node dual protection: Figure 3-9-2 shows link-node dual protection of OSPF IP FRR. Node protection takes precedence over link protection. Link-node dual protection must satisfy both of the following conditions:
The link cost must satisfy the inequality Distance_opt(N, D) < Distance_opt(N, S) + Distance_opt(S, D).
The interface cost of the router must satisfy the inequality Distance_opt(N, D) < Distance_opt(N, E) + Distance_opt(E, D).
S indicates the source node of traffic; E indicates the faulty node; N indicates the node on the backup link; D indicates the destination node of traffic.
Figure 3-9-2 OSPF IP FRR link-node dual protection
3.10 Advertising Host Routes
Unlike in a data communication network, in an optical network, IP addresses of the same network can be configured as belonging to different physical networks. As a result of this kind of IP address planning, some host addresses may become unreachable. By configuring OSPF to advertise the corresponding host routes (routes whose destinations are hosts) of interfaces in addition to advertising network segment routes (routes whose destinations are network segments), you can ensure that these host addresses are reachable.
Figure 3-10-1 IP address planning on a typical optical network
As shown in Figure 3-10-1, if the function of advertising host routes is not enabled, all routes are advertised on the network in the form of 10.0.0.0/24. The next hop of the route from RouterG to 10.0.0.0/24 is RouterE. As a result, 10.0.0.3, 10.0.0.4, and 10.0.0.6 become unreachable. To solve this problem, you can configure OSPF to advertise host routes so that routes are advertised as host addresses (such as 10.0.0.1/32).
3.11 OSPF-BGP Association
3.11.1 Definition
When a new device is deployed in the network or a device is restarted, network traffic may be lost during BGP convergence. This is because IGP convergence is faster than BGP convergence. This problem can be solved through synchronization between OSPF and BGP.
3.11.2 Purpose
If a backup link exists, during traffic switchback, BGP traffic is lost because BGP route convergence is slower than OSPF route convergence. As shown in Figure 3-11-1, RouterA, RouterB, RouterC and RouterD run OSPF and establish IBGP connections. RouterC functions as the backup of RouterB. When the network is stable, BGP and OSPF routes converge completely on each device. Normally, traffic from RouterA to 10.3.1.0/30 passes through RouterB. When RouterB becomes faulty, traffic is switched to RouterC. After RouterB recovers, traffic is switched back to RouterB. During this process, packet loss occurs. This is because when traffic is switched back to RouterB, IGP route convergence is faster than BGP route convergence. Consequently, convergence of OSPF routes is already complete while BGP route convergence is still going on, and RouterB does not yet know the route to 10.3.1.0/30. Therefore, when packets from RouterA to 10.3.1.0/30 arrive at RouterB, they are discarded because RouterB does not have the route to 10.3.1.0/30.
Figure 3-11-1 OSPF-BGP synchronization
3.11.3 Principle
The device enabled with OSPF-BGP synchronization remains a stub router within the set synchronization period. That is, the link metric in the LSA advertised by the device is the maximum value 65535. Therefore, the device instructs other OSPF devices not to use it for data forwarding. As shown in Figure 3-11-1, OSPF-BGP synchronization is enabled on RouterB. In this situation, before BGP route convergence is complete, RouterA continues to use the backup link through RouterC rather than forward traffic to RouterB, until BGP route convergence on RouterB is complete.
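The LFA inequalities of section 3.9.3 and the stub-router metric of section 3.11.3 worked through in code. This is an added example, not code from the Huawei material: the topologies, node names and link costs are constructed assumptions, and the SPF is a plain Dijkstra over a directed cost graph.

```python
"""Added example (not part of the Huawei material): OSPF IP FRR loop-free
alternate selection using the RFC 5286 inequalities quoted in section 3.9.3,
plus the OSPF-BGP stub-router effect of section 3.11.3 (link metric 65535).
Both are computed with a plain SPF over constructed topologies; node names
and costs are assumptions, not values from the material."""
import heapq

MAX_LINK_METRIC = 65535  # metric a synchronizing device advertises in its LSAs
INF = float("inf")


def spf(graph, root):
    """Dijkstra over a directed cost graph; dist[x] is Distance_opt(root, x)."""
    dist = {root: 0}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                       # stale heap entry
        for v, cost in graph[u].items():
            nd = d + cost
            if nd < dist.get(v, INF):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist


def primary_next_hop(graph, src, dst):
    """Neighbor of src that lies on a lowest-cost path to dst (lowest name on ties)."""
    best_cost = spf(graph, src)[dst]
    candidates = [n for n, c in graph[src].items()
                  if c + spf(graph, n).get(dst, INF) == best_cost]
    return min(candidates)


def lfa_candidates(graph, s, d):
    """Map each neighbor N of S that is a loop-free alternate toward D to the
    protection it offers: 'link' (S->E link only) or 'node' (also avoids E),
    where E is the primary next hop. Mirrors the section 3.9.3 inequalities."""
    dist_s = spf(graph, s)
    e = primary_next_hop(graph, s, d)
    dist_e = spf(graph, e)
    result = {}
    for n in graph[s]:
        if n == e:
            continue
        dist_n = spf(graph, n)
        # Link protection: Distance_opt(N, D) < Distance_opt(N, S) + Distance_opt(S, D)
        if not dist_n.get(d, INF) < dist_n.get(s, INF) + dist_s[d]:
            continue                       # traffic sent to N would loop back via S
        # Node protection: Distance_opt(N, D) < Distance_opt(N, E) + Distance_opt(E, D)
        if dist_n[d] < dist_n.get(e, INF) + dist_e[d]:
            result[n] = "node"
        else:
            result[n] = "link"
    return result


def with_stub_router(graph, router):
    """Copy of graph in which `router` advertises MAX_LINK_METRIC on every link
    it originates, as an OSPF-BGP-synchronized device does until BGP converges."""
    g = {u: dict(adj) for u, adj in graph.items()}
    for v in g[router]:
        g[router][v] = MAX_LINK_METRIC
    return g


# Constructed FRR topology: S reaches D via E at cost 2. N offers node protection,
# M only link protection (its only way to D is through E), L is not loop-free.
FRR_TOPO = {
    "S": {"E": 1, "N": 2, "M": 1, "L": 1},
    "E": {"S": 1, "D": 1, "M": 1},
    "N": {"S": 2, "D": 2},
    "M": {"S": 1, "E": 1},
    "L": {"S": 1, "D": 10},
    "D": {"E": 1, "N": 2, "L": 10},
}

# Constructed topology modelled on Figure 3-11-1: RouterB is the primary path
# from RouterA to RouterD, RouterC the backup.
BGP_TOPO = {
    "RouterA": {"RouterB": 1, "RouterC": 2},
    "RouterB": {"RouterA": 1, "RouterD": 1},
    "RouterC": {"RouterA": 2, "RouterD": 2},
    "RouterD": {"RouterB": 1, "RouterC": 2},
}

if __name__ == "__main__":
    print("primary next hop S->D:", primary_next_hop(FRR_TOPO, "S", "D"))
    print("LFA candidates:", lfa_candidates(FRR_TOPO, "S", "D"))
    print("A->D normally via:", primary_next_hop(BGP_TOPO, "RouterA", "RouterD"))
    stub = with_stub_router(BGP_TOPO, "RouterB")
    print("A->D while RouterB is a stub router:",
          primary_next_hop(stub, "RouterA", "RouterD"))
```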
3.12 OSPF GR
Routers generally operate with separation of the control plane and forwarding plane. When the network topology remains stable, a restart of the control plane does not affect the forwarding plane, and the forwarding plane can still forward data properly. This separation ensures non-stop service forwarding. In graceful restart (GR) mode, the forwarding plane continues to direct data forwarding after a restart occurs. The actions on the control plane, such as re-establishment of neighbor relationships and route calculation, do not affect the forwarding plane. Network reliability is improved because service interruption caused by route flapping is prevented.
3.12.1 Basic Concepts of OSPF GR
As mentioned in chapter 4, Graceful Restart (GR) is a technology used to ensure normal traffic forwarding and non-stop forwarding of key services during the restart of routing protocols. Unless otherwise stated, GR described in this section refers to the GR technology defined in RFC 3623. GR is one of the high availability (HA) technologies, which comprise a set of comprehensive technologies, such as fault-tolerant redundancy, link protection, faulty node recovery, and traffic engineering. As a fault-tolerant redundancy technology, GR is widely used to ensure non-stop forwarding of key services during master/slave switchover and system upgrade. The following concepts are involved in GR:
Grace-LSA: OSPF supports GR by flooding grace LSAs. Grace LSAs are used to inform the neighbor of the GR time, cause, and interface address when GR starts and ends.
Role of a router during GR
Restarter: is the router that restarts. The Restarter can be configured to support totally GR or partly GR.
Helper: is the router that helps the Restarter. The Helper can be configured to support planned GR or unplanned GR or to selectively support GR through the configured policies.
Conditions that cause GR
Unknown: indicates that GR is triggered for an unknown reason.
Software restart: indicates that GR is triggered by commands.
Software reload/upgrade: indicates that GR is triggered by software restart or upgrade.
Switch to redundant control processor: indicates that GR is triggered by the abnormal master/slave switchover.
GR period: The GR period cannot exceed 1800 seconds. OSPF routers can exit from GR regardless of whether GR succeeds or fails, without waiting for the GR period to expire.
3.12.2 Classification of OSPF GR
Totally GR: indicates that when a neighbor of a router does not support GR, the router exits from GR.
Partly GR: indicates that when a neighbor does not support GR, only the interface associated with this neighbor exits from GR, whereas the other interfaces perform GR normally.
Planned GR: indicates that a router restarts or performs the master/slave switchover using a command. The Restarter sends a grace LSA before the restart or master/slave switchover.
Unplanned GR: indicates that a router restarts or performs the master/slave switchover because of faults. The router performs the master/slave switchover without sending a grace LSA, and then enters GR after the slave board goes Up. The process of unplanned GR is otherwise the same as that of planned GR.
3.12.3 GR Process
A router starts GR. In planned GR mode, after master/slave switchover is triggered through a command, the Restarter sends a grace LSA to all neighbors to notify them of the start, period, and cause of GR, and then performs the master/slave switchover. In unplanned GR, the Restarter does not send the grace LSA before the switchover.
In unplanned GR mode, the Restarter sends a grace LSA immediately after the slave board goes Up, informing neighbors of the start, period, and cause of GR. The Restarter then sends a grace LSA to each neighbor five times consecutively. This ensures that neighbors receive the grace LSA. This operation is proposed by manufacturers but not defined by the OSPF protocol. The Restarter sends a grace LSA to notify neighbors that it enters GR. During GR, neighbors keep neighbor relationships with the Restarter so that other routers cannot detect the switchover of the Restarter.
The GR process runs as shown in Figure 3-12-1.
Figure 3-12-1 OSPF GR process
The router exits from GR. Table 3-12-1 lists the reasons.
Table 3-12-1 Reasons that a router exits GR
GR succeeds
Restarter: Before GR expires, the Restarter re-establishes neighbor relationships with all the neighbors it had before the master/slave switchover.
Helper: After the Helper receives the grace LSA with the Age being 3600s from the Restarter, the neighbor relationship between the Helper and Restarter enters the Full state.
GR fails
Restarter:
GR expires, and neighbor relationships do not recover completely.
A router LSA or network LSA sent by the Helper causes the Restarter to fail the bidirectional check.
The status of the interface that functions as the Restarter changes.
The Restarter receives a one-way Hello packet from the Helper.
The Restarter receives a grace LSA generated by another router on the same network segment. Only one router can perform GR on the same network segment.
On the same network segment, neighbors of the Restarter have different DRs or BDRs because of topology changes.
Helper:
The Helper does not receive the grace LSA from the Restarter before the neighbor relationship expires.
The status of the interface that functions as the Helper changes.
The Helper receives an LSA from another router that is inconsistent with the LSA in the local LSDB. This situation can be excluded by configuring the Helper not to perform strict LSA check.
The Helper receives grace LSAs from two routers on the same network segment at the same time.
Neighbor relationships between the Helper and other neighbors change.
3.12.4 Comparison between GR Mode and Non-GR Mode
Table 3-12-2 Comparison of master/slave switchover in the GR mode and non-GR mode
Switchover in Non-GR Mode | Switchover in GR Mode
OSPF neighbor relationships are re-established. | OSPF neighbor relationships are re-established.
Routes are recalculated. | Routes are recalculated.
Forwarding table changes. | Forwarding table remains unchanged.
Entire network detects route changes, and route flapping occurs for a short period of time. | Except for neighbors of the device where master/slave switchover occurs, other routers do not detect route changes.
Packets are lost during forwarding, and services are interrupted. | No packets are lost during forwarding, and services are not affected.
3.13 OSPF-LDP Association
3.13.1 Definition
In the networking that uses primary and backup links, when the faulty primary link recovers, traffic is switched from the backup link back to the primary link. IGP route convergence completes before an LDP session is established. Consequently, the old LSP is deleted before the new LSP is established, and LSP traffic is interrupted.
3.13.2 Purpose
As shown in Figure 3-13-1, the primary link adopts the path PE1→P1→P2→P3→PE2, and the backup link adopts the path PE1→P1→P4→P3→PE2. When the primary link is faulty, traffic is switched to the backup link. After the primary link recovers, traffic is switched back to the primary link. During this process, traffic is interrupted for a long period of time.
Figure 3-13-1 OSPF-LDP association
Synchronizing LDP and IGP on P1 and P2 can shorten the traffic interruption caused by traffic switchover from the backup link to the primary link.
Table 3-13-1 OSPF-LDP association
Enabling Status of OSPF-LDP Association | Traffic Interruption Time
Not enabled. | Seconds level
Enabled. | Milliseconds level
3.13.3 Principle
The principle of LDP-IGP synchronization is to delay route switchback by suppressing the establishment of IGP neighbor relationships until LDP convergence is complete. That is, before an LSP on the primary link is established, the backup link continues to forward traffic; the backup path is removed only after the LSP is established.
Synchronization of LDP and IGP involves three timers:
Hold-down
Hold-max-cost
Delay
After the primary link recovers, a router responds as follows:
1. Starts the hold-down timer. The IGP interface does not establish IGP neighbors but waits for establishment of an LDP session. The hold-down timer specifies the period that the IGP interface waits.
2. Starts the hold-max-cost timer after the hold-down timer expires. The hold-max-cost timer specifies the interval for advertising the maximum link metric of the interface in the Link State Advertisement (LSA) to the primary link.
3. Starts the Delay timer to allow time for establishment of an LSP after an LDP session is re-established on the recovered link. After the Delay timer expires, LDP notifies IGP that synchronization is complete regardless of the status of IGP.
3.14 OSPF Database Overflow
3.14.1 Definition
OSPF requires that routers in the same area have the same Link State Database (LSDB). With the continuous increase in routes on the network, some routers fail to carry the additional routing information because of limited system resources. This situation is called OSPF database overflow.
3.14.2 Purpose
You can configure stub areas or NSSAs to solve the problem of the continuous increase in routing information that causes the exhaustion of system resources of routers. However, configuring stub areas or NSSAs cannot solve the problem when an unexpected increase in dynamic routes causes database overflow. Setting the maximum number of external LSAs in the LSDB can dynamically limit the LSDB capacity, to avoid the problems caused by database overflow.
3.14.3 Principle
To prevent database overflow, you can set the maximum number of non-default external routes on a router. All routers on the OSPF network must be set with the same upper limit. If the number of external routes on a router reaches the upper limit, the router enters the Overflow state and starts an overflow timer. The router automatically exits from the overflow state after the timer expires; by default, the timer is 5 seconds.
Table 3-14-1 OSPF database overflow
Overflow Phase: Entering overflow state
OSPF Processing: The router deletes all non-default external routes that it generated.
Overflow Phase: Staying in overflow state
OSPF Processing:
The router does not generate non-default external routes.
The router discards newly received non-default external routes and does not reply with an LSAck packet.
When the overflow timer expires, the router checks whether the number of external routes still exceeds the upper limit. If so, the router restarts the timer. If not, the router exits from the overflow state.
Overflow Phase: Exiting from the overflow state
OSPF Processing:
The router deletes the overflow timer.
The router generates non-default routes.
The router learns the newly received non-default routes and replies with an LSAck packet.
The router prepares to enter the Overflow state the next time the condition occurs.
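The overflow behaviour of section 3.14.3 and Table 3-14-1 as a small state machine, to make the enter/stay/exit rules concrete. This is an added example, not code from the Huawei material; the LSA names and the scenario in demo() are constructed, and the 5-second default timer is the value the section states.

```python
"""Added example (not part of the Huawei material): a model of the OSPF
database-overflow behaviour summarized in section 3.14.3 and Table 3-14-1.
LSA names are constructed; the 5-second default overflow timer is the value
the section states. Only non-default AS-external routes are fed in, since
default routes are not counted against the limit."""


class OverflowRouter:
    def __init__(self, limit, overflow_interval=5):
        self.limit = limit                    # must be identical on all routers
        self.overflow_interval = overflow_interval
        self.in_overflow = False
        self.timer_remaining = None           # None: overflow timer not running
        self.self_originated = set()          # non-default external LSAs we generate
        self.received = set()                 # non-default external LSAs from others
        self.log = []

    def external_count(self):
        return len(self.self_originated) + len(self.received)

    def _enter_if_at_limit(self):
        if not self.in_overflow and self.external_count() >= self.limit:
            self.in_overflow = True
            # Entering: delete all non-default external routes this router generated.
            self.self_originated.clear()
            self.timer_remaining = self.overflow_interval
            self.log.append("enter overflow")

    def originate(self, lsa):
        """Router tries to generate a non-default external LSA; False if suppressed."""
        if self.in_overflow:
            self.log.append(f"origination of {lsa} suppressed")
            return False
        self.self_originated.add(lsa)
        self._enter_if_at_limit()
        return True

    def receive(self, lsa):
        """Neighbor floods a non-default external LSA; True if installed and acked."""
        if self.in_overflow:
            self.log.append(f"{lsa} discarded, no LSAck sent")
            return False                      # neighbor keeps retransmitting
        self.received.add(lsa)
        self._enter_if_at_limit()
        return True

    def withdraw(self, lsa):
        """The originator flushed the LSA (MaxAge); drop it from the LSDB."""
        self.received.discard(lsa)

    def tick(self, seconds=1):
        """Advance time; on overflow-timer expiry re-check the limit."""
        if self.timer_remaining is None:
            return
        self.timer_remaining -= seconds
        if self.timer_remaining > 0:
            return
        if self.external_count() >= self.limit:
            self.timer_remaining = self.overflow_interval
            self.log.append("still at limit, timer restarted")
        else:
            self.in_overflow = False
            self.timer_remaining = None       # exiting: timer deleted
            self.log.append("exit overflow")


def demo(limit=3):
    """Walk one router through enter -> stay -> exit and return what happened."""
    r = OverflowRouter(limit)
    for peer in ("R2", "R3", "R4"):
        r.receive(f"ext-from-{peer}")         # count reaches 3 at R4: enter overflow
    acked = r.receive("ext-from-R5")          # discarded while in overflow, no LSAck
    suppressed = r.originate("own-ext-1")     # not generated while in overflow
    r.tick(5)                                 # still 3 >= 3: timer restarted
    restarted = r.in_overflow
    r.withdraw("ext-from-R2")                 # originators flush their LSAs
    r.withdraw("ext-from-R3")                 # count drops to 1
    r.tick(5)                                 # 1 < 3: exit overflow, timer deleted
    resumed = r.originate("own-ext-1")        # generation resumes after exit
    return {"acked": acked, "suppressed": suppressed, "restarted": restarted,
            "resumed": resumed, "state": r.in_overflow, "log": r.log}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```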
3.15 OSPF Mesh-Group
3.15.1 Definition
In a scenario where there are multiple concurrent links, you can deploy OSPF mesh-group to classify the links into a mesh group. OSPF then floods LSAs only to one link selected from the mesh group. Using OSPF mesh-group prevents the unnecessary burden on the system caused by repetitive flooding. The mesh-group feature is disabled by default.
3.15.2 Purpose
After receiving or generating an LSA, an OSPF process floods the LSA. When there are multiple concurrent links, OSPF floods the LSA to each link and sends Update messages. In this scenario, if there are 2000 concurrent links, OSPF floods each LSA 2000 times. Only one flooding, however, is valid; the other 1999 times are useless repetition. To prevent the burden on the system caused by repetitive flooding, you can enable mesh-group to classify multiple concurrent links between a router and its neighbor into a group and then select a primary link to use for flooding.
3.15.3 Principles
As shown in Figure 3-15-1, RouterA and RouterB, which are connected through three links, establish an OSPF neighbor relationship. After receiving a new LSA from interface 4, RouterA floods the LSA to RouterB through interfaces 1, 2, and 3. This flooding causes a heavy load on the concurrent links. For a neighbor with concurrent links, only one primary link should be selected to flood the LSA.
Figure 3-15-1 LSA flooding with OSPF mesh-group disabled
When multiple concurrent links exist between a device enabled with OSPF mesh-group and its neighbor, the device selects a primary link to flood the received LSAs, as shown in Figure 3-15-2. As defined in OSPF, LSAs can be flooded to a link only when the neighbor status is not lower than Exchange. Therefore, when the status of the interface on the primary link is lower than Exchange, OSPF reselects a primary link from the concurrent links and then floods the LSA. After receiving the LSA flooded by RouterA from link 1, RouterB no longer floods the LSA back to RouterA through interfaces 2 and 3.
Figure 3-15-2 LSA flooding with OSPF mesh-group enabled
As defined by the mesh-group feature, the Router ID of a neighbor uniquely identifies the mesh group. Interfaces connected to the same neighbor that have a status greater than Exchange belong to the same mesh group. In Figure 3-15-3, a mesh group of RouterA resides in Area 0 and contains the links of interface 1 and interface 2. More than one neighbor of interface 3 resides on the broadcast link. Therefore, interface 3 cannot be defined as part of the mesh group.
Figure 3-15-3 Interface not added to mesh group
NOTE: After a router is enabled with mesh-group, if the Router IDs of the router and its directly connected neighbor are the same, LSDBs cannot be synchronized and routes cannot be calculated correctly. In this case, you need to reconfigure the Router ID of the neighbor.
3.16 Examples for Configuring OSPF
3.16.1 Example for Configuring Basic OSPF Functions
Networking Requirements
As shown in Figure 3-16-1, all routers run OSPF, and the entire AS is divided into three areas. RouterA and RouterB serve as ABRs to forward routes between areas. After the configuration, each router should learn the routes to all network segments in the AS.
Figure 3-16-1 Networking diagram of configuring basic OSPF functions
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable OSPF on each router.
2. Specify network segments in different areas.
Procedure
1. Configure an IP address for each interface. The configuration details are not mentioned here.
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.1] quit
# Configure RouterB.
[RouterB] router id 2.2.2.2
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] area 2
[RouterB-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.2] quit
# Configure RouterC.
[RouterC] router id 3.3.3.3
[RouterC] ospf
[RouterC-ospf-1] area 1
[RouterC-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.1] network 172.16.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.1] quit
# Configure RouterD.
[RouterD] router id 4.4.4.4
[RouterD] ospf
[RouterD-ospf-1] area 2
[RouterD-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.2] network 172.17.1.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.2] quit
# Configure RouterE.
[RouterE] router id 5.5.5.5
[RouterE] ospf
[RouterE-ospf-1] area 1
[RouterE-ospf-1-area-0.0.0.1] network 172.16.1.0 0.0.0.255
[RouterE-ospf-1-area-0.0.0.1] quit
# Configure RouterF.
[RouterF] router id 6.6.6.6
[RouterF] ospf
[RouterF-ospf-1] area 2
[RouterF-ospf-1-area-0.0.0.2] network 172.17.1.0 0.0.0.255
[RouterF-ospf-1-area-0.0.0.2] quit
3. Verify the configuration.
# View OSPF neighbors of RouterA.
[RouterA] display ospf peer
OSPF Process 1 with Router ID 1.1.1.1
Neighbors
Area 0.0.0.0 interface 192.168.0.1(GigabitEthernet1/0/0)'s neighbors
Router ID: 2.2.2.2   Address: 192.168.0.2
State: Full   Mode:Nbr is Master   Priority: 1
DR: 192.168.0.2 BDR: 192.168.0.1   MTU: 0
Dead timer due in 36 sec
Retrans timer interval: 5
Neighbor is up for 00:15:04
Authentication Sequence: [ 0 ]
Neighbors
Area 0.0.0.1 interface 192.168.1.1(GigabitEthernet2/0/0)'s neighbors
Router ID: 3.3.3.3   Address: 192.168.1.2
State: Full   Mode:Nbr is Master   Priority: 1
DR: 192.168.1.2 BDR: 192.168.1.1   MTU: 0
Dead timer due in 39 sec
Retrans timer interval: 5
Neighbor is up for 00:07:32
Authentication Sequence: [ 0 ]
# View the OSPF routing information of RouterA.
[RouterA] display ospf routing
OSPF Process 1 with Router ID 1.1.1.1
Routing Tables
Routing for Network
Destination     Cost  Type        NextHop      AdvRouter  Area
172.16.1.0/24   2     Transit     192.168.1.2  3.3.3.3    0.0.0.1
172.17.1.0/24   3     Inter-area  192.168.0.2  2.2.2.2    0.0.0.0
192.168.0.0/24  1     Transit     192.168.0.1  1.1.1.1    0.0.0.0
192.168.1.0/24  1     Transit     192.168.1.1  1.1.1.1    0.0.0.1
192.168.2.0/24  2     Inter-area  192.168.0.2  2.2.2.2    0.0.0.0
Total Nets: 5
Intra Area: 3  Inter Area: 2  ASE: 0  NSSA: 0
# View the LSDB of RouterA.
[RouterA] display ospf lsdb
OSPF Process 1 with Router ID 1.1.1.1
Link State Database
Area: 0.0.0.0
Type     LinkState ID  AdvRouter  Age  Len  Sequence  Metric
Router   2.2.2.2       2.2.2.2    317  48   80000003  1
Router   1.1.1.1       1.1.1.1    316  48   80000002  1
Network  192.168.0.2   2.2.2.2    399  32   800000F8  0
Sum-Net  172.16.1.0    1.1.1.1    250  28   80000001  2
Sum-Net  172.17.1.0    2.2.2.2    203  28   80000001  2
Sum-Net  192.168.2.0   2.2.2.2    237  28   80000002  1
Sum-Net  192.168.1.0   1.1.1.1    295  28   80000002  1
Area: 0.0.0.1
Type     LinkState ID  AdvRouter  Age  Len  Sequence  Metric
Router   5.5.5.5       5.5.5.5    214  36   80000004  1
Router   3.3.3.3       3.3.3.3    217  60   80000008  1
Router   1.1.1.1       1.1.1.1    289  48   80000002  1
Network  192.168.1.1   1.1.1.1    202  28   80000002  0
Network  172.16.1.1    3.3.3.3    670  32   80000001  0
Sum-Net  172.17.1.0    1.1.1.1    202  28   80000001  3
Sum-Net  192.168.2.0   1.1.1.1    242  28   80000001  2
Sum-Net  192.168.0.0   1.1.1.1    300  28   80000001  1
# View the routing table of RouterD and test connectivity by using the ping command.
[RouterD] display ospf routing
OSPF Process 1 with Router ID 4.4.4.4
Routing Tables
Routing for Network
Destination     Cost  Type        NextHop      AdvRouter  Area
172.16.1.0/24   4     Inter-area  192.168.2.1  2.2.2.2    0.0.0.2
172.17.1.0/24   1     Transit     172.17.1.1   4.4.4.4    0.0.0.2
192.168.0.0/24  2     Inter-area  192.168.2.1  2.2.2.2    0.0.0.2
192.168.1.0/24  3     Inter-area  192.168.2.1  2.2.2.2    0.0.0.2
192.168.2.0/24  1     Transit     192.168.2.2  4.4.4.4    0.0.0.2
Total Nets: 5
Intra Area: 2  Inter Area: 3  ASE: 0  NSSA: 0
[RouterD] ping 172.16.1.1
PING 172.16.1.1: 56 data bytes, press CTRL_C to break
Reply from 172.16.1.1: bytes=56 Sequence=1 ttl=253 time=62 ms
Reply from 172.16.1.1: bytes=56 Sequence=2 ttl=253 time=16 ms
Reply from 172.16.1.1: bytes=56 Sequence=3 ttl=253 time=62 ms
Reply from 172.16.1.1: bytes=56 Sequence=4 ttl=253 time=94 ms
Reply from 172.16.1.1: bytes=56 Sequence=5 ttl=253 time=63 ms
--- 172.16.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/59/94 ms
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
#
return
Configuration file of RouterB
#
 sysname RouterB
#
 router id 2.2.2.2
#
interface GigabitEthernet1/0/0
 ip address 192.168.0.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.2.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
 area 0.0.0.2
  network 192.168.2.0 0.0.0.255
#
return
Configuration file of RouterC
#
 sysname RouterC
#
 router id 3.3.3.3
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  network 172.16.1.0 0.0.0.255
#
return
Configuration file of RouterD
#
 sysname RouterD
#
 router id 4.4.4.4
#
interface GigabitEthernet1/0/0
 ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 172.17.1.1 255.255.255.0
#
Configuration file of RouterE
#
 sysname RouterE
#
 router id 5.5.5.5
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.2 255.255.255.0
#
ospf 1
 area 0.0.0.1
  network 172.16.1.0 0.0.0.255
#
return
Configuration file of RouterF
#
 sysname RouterF
#
 router id 6.6.6.6
#
interface GigabitEthernet2/0/0
 ip address 172.17.1.2 255.255.255.0
#
ospf 1
 area 0.0.0.2
  network 172.17.1.0 0.0.0.255
#
return
3.16.2 Example for Configuring OSPF Virtual Links
Networking Requirements
As shown in Figure 3-16-2, Area 2 does not connect to the backbone area directly. Area 1 serves as a transit area to connect Area 2 and Area 0. A virtual link is configured between RouterA and RouterB.
Figure 3-16-2 Configuring OSPF virtual links
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions on each router.
2. Configure virtual links on RouterA and RouterB to connect the backbone area with the non-backbone area.
Procedure
1. Configure an IP address for each interface. The configuration details are not mentioned here.
NOTE: The routing table of RouterA does not contain routes in Area 2 because Area 2 is not directly connected to Area 0.
[RouterA] display ospf routing
OSPF Process 1 with Router ID 1.1.1.1
Routing Tables
Routing for Network
Destination     Cost  Type     NextHop      AdvRouter  Area
10.0.0.0/8      1     Transit  10.1.1.1     1.1.1.1    0.0.0.0
192.168.1.0/24  1     Transit  192.168.1.1  1.1.1.1    0.0.0.1
Total Nets: 2
Intra Area: 2  Inter Area: 0  ASE: 0  NSSA: 0
3. Verify the configuration.
# View the OSPF routing table of RouterA.
[RouterA] display ospf routing
OSPF Process 1 with Router ID 1.1.1.1
Routing Tables
Routing for Network
Destination     Cost  Type        NextHop      AdvRouter  Area
172.16.0.0/16   2     Inter-area  192.168.1.2  2.2.2.2    0.0.0.2
10.0.0.0/8      1     Transit     10.1.1.1     1.1.1.1    0.0.0.0
192.168.1.0/24  1     Transit     192.168.1.1  1.1.1.1    0.0.0.1
Total Nets: 3
Intra Area: 2  Inter Area: 1  ASE: 0  NSSA: 0
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.1.1.1 255.0.0.0
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
 area 0.0.0.1
Configuration file of RouterB
#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.1 255.255.0.0
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  vlink-peer 1.1.1.1
 area 0.0.0.2
  network 172.16.0.0 0.0.255.255
#
return
Configuration file of RouterC
#
 sysname RouterC
#
interface GigabitEthernet2/0/0
 ip address 10.1.1.2 255.0.0.0
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
#
return
Configuration file of RouterD
#
 sysname RouterD
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.2 255.255.0.0
#
ospf 1 router-id 4.4.4.4
 area 0.0.0.2
  network 172.16.0.0 0.0.255.255
#
return
3.16.3 Example for Configuring DR Election of OSPF
Networking Requirements As shown in Figure 3-16-3, RouterA has the highest priority (100) in the network and is elected as the DR. RouterC has the second highest priority, and is elected as the BDR. The priority of RouterB is 0, and RouterB cannot be elected as the DR or BDR. The priority of RouterD is not configured and its default value is 1.
Figure 3-16-3 Configuring DR election of OSPF
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the router ID on each router, enable OSPF, and specify the network segment.
2. Check the DR/BDR status of each router with the default priority.
3. Configure the DR priority of the interface and check the DR/BDR status.
Procedure
1. Configure an IP address for each interface. The configuration details are not mentioned here.
2. Configure basic OSPF functions.
# Configure RouterA.
[RouterA] router id 1.1.1.1
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
# Configure RouterB.
[RouterB] router id 2.2.2.2
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
# Configure RouterC.
[RouterC] router id 3.3.3.3
[RouterC] ospf
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
# Configure RouterD.
[RouterD] router id 4.4.4.4
[RouterD] ospf
[RouterD-ospf-1] area 0
[RouterD-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.0] quit
# View the DR/BDR status.
[RouterA] display ospf peer
          OSPF Process 1 with Router ID 1.1.1.1
                  Neighbors

 Area 0.0.0.0 interface 192.168.1.1(GigabitEthernet1/0/0)'s neighbors
 Router ID: 2.2.2.2          Address: 192.168.1.2
   State: Full  Mode:Nbr is Master  Priority: 1
   DR: 192.168.1.4  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 32  sec
   Retrans timer interval: 5
   Neighbor is up for 00:04:21
   Authentication Sequence: [ 0 ]

 Router ID: 3.3.3.3          Address: 192.168.1.3
   State: Full  Mode:Nbr is Master  Priority: 1
   DR: 192.168.1.4  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 37  sec
   Retrans timer interval: 5
   Neighbor is up for 00:04:06
   Authentication Sequence: [ 0 ]

 Router ID: 4.4.4.4          Address: 192.168.1.4
   State: Full  Mode:Nbr is Master  Priority: 1
   DR: 192.168.1.4  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 37  sec
   Retrans timer interval: 5
   Neighbor is up for 00:03:53
   Authentication Sequence: [ 0 ]

# View the neighbor information of RouterA. The output shows the priority of each neighbor and the neighbor state: RouterD is the DR, and RouterC is the BDR.
NOTE: When the priorities are the same, the router with the higher router ID is elected as the DR. If a new router is added after the DR/BDR election is complete, the new router cannot become the DR even if it has the highest priority.
3. Configure the DR priority of the interface and check the DR/BDR status.
# View the DR/BDR status.
[RouterD] display ospf peer
          OSPF Process 1 with Router ID 4.4.4.4
                  Neighbors

 Area 0.0.0.0 interface 192.168.1.4(GigabitEthernet1/0/0)'s neighbors
 Router ID: 1.1.1.1          Address: 192.168.1.1
   State: Full  Mode:Nbr is Slave  Priority: 100
   DR: 192.168.1.4  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 31  sec
   Retrans timer interval: 5
   Neighbor is up for 00:11:17
   Authentication Sequence: [ 0 ]

 Router ID: 2.2.2.2          Address: 192.168.1.2
   State: Full  Mode:Nbr is Slave  Priority: 0
   DR: 192.168.1.4  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 35  sec
   Retrans timer interval: 5
   Neighbor is up for 00:11:19
   Authentication Sequence: [ 0 ]

 Router ID: 3.3.3.3          Address: 192.168.1.3
   State: Full  Mode:Nbr is Slave  Priority: 2
   DR: 192.168.1.4  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 33  sec
   Retrans timer interval: 5
   Neighbor is up for 00:11:15
   Authentication Sequence: [ 0 ]

4. Restart OSPF processes. In the user view of each router, run the reset ospf 1 process command to restart the OSPF process.
5. Verify the configuration.
# View the status of OSPF neighbors.
[RouterD] display ospf peer
          OSPF Process 1 with Router ID 4.4.4.4
                  Neighbors

 Area 0.0.0.0 interface 192.168.1.4(GigabitEthernet1/0/0)'s neighbors
 Router ID: 1.1.1.1          Address: 192.168.1.1
   State: Full  Mode:Nbr is Slave  Priority: 100
   DR: 192.168.1.1  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 35  sec
   Retrans timer interval: 5
   Neighbor is up for 00:07:19
   Authentication Sequence: [ 0 ]

 Router ID: 2.2.2.2          Address: 192.168.1.2
   State: Full  Mode:Nbr is Master  Priority: 0
   DR: 192.168.1.1  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 35  sec
   Retrans timer interval: 5
   Neighbor is up for 00:07:19
   Authentication Sequence: [ 0 ]

 Router ID: 3.3.3.3          Address: 192.168.1.3
   State: Full  Mode:Nbr is Slave  Priority: 2
   DR: 192.168.1.1  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 37  sec
   Retrans timer interval: 5
   Neighbor is up for 00:07:17
   Authentication Sequence: [ 0 ]

# View the status of the OSPF interface.
[RouterA] display ospf interface
          OSPF Process 1 with Router ID 1.1.1.1
                  Interfaces

 Area: 0.0.0.0
 IP Address      Type       State    Cost  Pri  DR              BDR
 192.168.1.1     Broadcast  DR       1     100  192.168.1.1     192.168.1.3

[RouterB] display ospf interface
          OSPF Process 1 with Router ID 2.2.2.2
                  Interfaces

 Area: 0.0.0.0
 IP Address      Type       State    Cost  Pri  DR              BDR
 192.168.1.2     Broadcast  DROther  1     0    192.168.1.1     192.168.1.3
If all neighbors are in the Full state, RouterA has established a neighbor relationship with each of them. If a neighbor stays in the 2-Way state, neither of the two routers is the DR or the BDR, so they do not need to exchange LSAs with each other. If the state of an OSPF interface is DROther, the router is neither the DR nor the BDR on that network segment.
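The election rules stated in the NOTE above (priority first, higher router ID as the tie-breaker, priority 0 ineligible, and no preemption once a DR and BDR exist) can be checked against the three displays in this example. The following Python model is an added illustration and is not part of the Huawei material; it follows the election procedure of RFC 2328 section 9.4 in simplified form, and the router IDs, interface addresses and priorities are those of the example.

```python
"""Simplified OSPF DR/BDR election (RFC 2328, section 9.4) for the four
routers of this example. Added illustration, not Huawei code."""


def rid_key(router_id):
    """Compare dotted-quad router IDs numerically rather than as strings."""
    return tuple(int(octet) for octet in router_id.split("."))


def elect_dr_bdr(priorities, current_dr=None, current_bdr=None):
    """Return (dr, bdr) router IDs for one broadcast segment.

    priorities:  {router_id: dr_priority}; priority 0 is ineligible.
    current_dr / current_bdr: routers already holding a role. They keep it
    unless they leave, which is why the election is not preemptive.
    """
    eligible = {rid: pri for rid, pri in priorities.items() if pri > 0}

    def best(candidates):
        # Highest priority wins; ties are broken by the higher router ID.
        return max(candidates, key=lambda r: (eligible[r], rid_key(r)), default=None)

    # BDR: routers declaring themselves DR are excluded; a router already
    # declaring itself BDR is preferred over everyone else.
    not_dr = [r for r in eligible if r != current_dr]
    bdr = best([r for r in not_dr if r == current_bdr]) or best(not_dr)

    # DR: a router already declaring itself DR keeps the role;
    # otherwise the BDR just elected is promoted.
    dr = best([r for r in eligible if r == current_dr]) or bdr

    # If the BDR was promoted, elect a new BDR without it.
    if dr is not None and dr == bdr:
        bdr = best([r for r in eligible if r != dr])
    return dr, bdr


# Interface addresses shown by "display ospf peer" in this example.
ADDRESS = {"1.1.1.1": "192.168.1.1", "2.2.2.2": "192.168.1.2",
           "3.3.3.3": "192.168.1.3", "4.4.4.4": "192.168.1.4"}


def step2_default_priorities():
    """Step 2: all routers at the default priority 1, so router ID decides."""
    return elect_dr_bdr({rid: 1 for rid in ADDRESS})


def step3_priorities_changed_no_reset():
    """Step 3: priorities 100/0/2/1 applied while RouterD is DR and RouterC is BDR."""
    pri = {"1.1.1.1": 100, "2.2.2.2": 0, "3.3.3.3": 2, "4.4.4.4": 1}
    return elect_dr_bdr(pri, current_dr="4.4.4.4", current_bdr="3.3.3.3")


def step5_after_reset():
    """Step 5: after 'reset ospf 1 process' nobody holds a role, so priority decides."""
    pri = {"1.1.1.1": 100, "2.2.2.2": 0, "3.3.3.3": 2, "4.4.4.4": 1}
    return elect_dr_bdr(pri)


if __name__ == "__main__":
    for name, fn in [("step 2", step2_default_priorities),
                     ("step 3", step3_priorities_changed_no_reset),
                     ("step 5", step5_after_reset)]:
        dr, bdr = fn()
        print(f"{name}: DR {ADDRESS[dr]}  BDR {ADDRESS[bdr]}")
```

Step 3 reproduces the point of the NOTE: RouterA's priority of 100 changes nothing while RouterD still declares itself DR, and only the reset in step 4 lets priority decide.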
Configuration Files

Configuration file of RouterA
#
 sysname RouterA
#
 router id 1.1.1.1
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.1 255.255.255.0
 ospf dr-priority 100
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
return

Configuration file of RouterB
#
 sysname RouterB
#
 router id 2.2.2.2
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 255.255.255.0
 ospf dr-priority 0
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
return

Configuration file of RouterC
#
 sysname RouterC
#
 router id 3.3.3.3
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.3 255.255.255.0
 ospf dr-priority 2

Configuration file of RouterD
#
 sysname RouterD
#
 router id 4.4.4.4
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.4 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
return
</gr_repl
ace>

<gr_replace lines="2403-2407" cat="remove_boilerplate" orig="2016-1-11">
3.16.4 Example for Configuring OSPF Stub Areas
Networking Requirements As shown in Figure 3-16-4, all routers run OSPF, and the entire AS is divided into three areas. RouterA and RouterB serve as ABRs to forward routes between areas. RouterD serves as an ASBR to import external routes (static routes). It is required to configure Area 1 as a stub area to reduce the LSAs advertised to this area without affecting the route reachability.
2016-1-11
Huawei Confidential
Page 164 of 1210
HCIE-R&S Material
Confidentiality Level
Figure 3-16-4 Configuring OSPF stub areas
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable OSPF on each router, and configure basic OSPF functions.
2. Configure static routes on RouterD, and import them into OSPF.
3. Configure Area 1 as a stub area, and check the OSPF routing information on RouterC.
4. Stop RouterA from advertising Type 3 LSAs to the stub area, and check the OSPF routing information on RouterC.
Procedure
1. Configure an IP address for each interface. The configuration details are not mentioned here.
2. Configure basic OSPF functions (see Example for Configuring Basic OSPF Functions).
3. Configure RouterD to import static routes.
[RouterD] ip route-static 200.0.0.0 8 null 0
[RouterD] ospf
[RouterD-ospf-1] import-route static type 1
[RouterD-ospf-1] quit
# View ABR/ASBR information on RouterC.
[RouterC] display ospf abr-asbr
          OSPF Process 1 with Router ID 3.3.3.3
                  Routing Table to ABR and ASBR

 RtType      Destination     Area        Cost  Nexthop          Type
 Intra-area  1.1.1.1         0.0.0.1     1     192.168.1.1      ABR
 Inter-area  4.4.4.4         0.0.0.1     3     192.168.1.1      ASBR
# View the OSPF routing table of RouterC.
NOTE: When RouterC is in a common area, there are AS external routes in the routing table.
[RouterC] display ospf routing
          OSPF Process 1 with Router ID 3.3.3.3
                   Routing Tables

 Routing for Network
 Destination        Cost  Type        NextHop          AdvRouter        Area
 172.16.1.0/24      1     Transit     172.16.1.1       3.3.3.3          0.0.0.1
 172.17.1.0/24      4     Inter-area  192.168.1.1      1.1.1.1          0.0.0.1
 192.168.0.0/24     2     Inter-area  192.168.1.1      1.1.1.1          0.0.0.1
 192.168.1.0/24     1     Transit     192.168.1.2      3.3.3.3          0.0.0.1
 192.168.2.0/24     3     Inter-area  192.168.1.1      1.1.1.1          0.0.0.1

 Routing for ASEs
 Destination        Cost  Type        Tag         NextHop          AdvRouter
 200.0.0.0/8        4     Type1       1           192.168.1.1      4.4.4.4

 Total Nets: 6
 Intra Area: 2  Inter Area: 3  ASE: 1  NSSA: 0

4. Configure Area 1 as a stub area.
# Configure RouterA.
[RouterA] ospf
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] stub
[RouterA-ospf-1-area-0.0.0.1] quit
# Configure RouterC.
[RouterC] ospf
[RouterC-ospf-1] area 1
[RouterC-ospf-1-area-0.0.0.1] stub
[RouterC-ospf-1-area-0.0.0.1] quit
# Configure RouterE.
[RouterE] ospf
[RouterE-ospf-1] area 1
[RouterE-ospf-1-area-0.0.0.1] stub
[RouterE-ospf-1-area-0.0.0.1] quit
# View the routing table of RouterC.
NOTE: After the area where RouterC resides is configured as a stub area, AS external routes are invisible. Instead, there is a default route.
[RouterC] display ospf routing
          OSPF Process 1 with Router ID 3.3.3.3
                   Routing Tables

 Routing for Network
 Destination        Cost  Type        NextHop          AdvRouter        Area
 0.0.0.0/0          2     Inter-area  192.168.1.1      1.1.1.1          0.0.0.1
 172.16.1.0/24      1     Transit     172.16.1.1       3.3.3.3          0.0.0.1
 172.17.1.0/24      4     Inter-area  192.168.1.1      1.1.1.1          0.0.0.1
 192.168.0.0/24     2     Inter-area  192.168.1.1      1.1.1.1          0.0.0.1
 192.168.1.0/24     1     Transit     192.168.1.2      3.3.3.3          0.0.0.1
 192.168.2.0/24     3     Inter-area  192.168.1.1      1.1.1.1          0.0.0.1

 Total Nets: 6
 Intra Area: 2  Inter Area: 4  ASE: 0  NSSA: 0

5. Stop RouterA from advertising Type 3 LSAs to the stub area.
[RouterA] ospf
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] stub no-summary
[RouterA-ospf-1-area-0.0.0.1] quit
6. Verify the configuration.
# View the OSPF routing table of RouterC.
[RouterC] display ospf routing
          OSPF Process 1 with Router ID 3.3.3.3
                   Routing Tables

 Routing for Network
 Destination        Cost  Type        NextHop          AdvRouter        Area
 0.0.0.0/0          2     Inter-area  192.168.1.1      1.1.1.1          0.0.0.1
 172.16.1.0/24      1     Transit     172.16.1.1       3.3.3.3          0.0.0.1
 192.168.1.0/24     1     Transit     192.168.1.2      3.3.3.3          0.0.0.1

 Total Nets: 3
 Intra Area: 2  Inter Area: 1  ASE: 0  NSSA: 0
NOTE: After the advertisement of summary LSAs to the stub area is disabled, the routing entries on the stub router are further reduced: besides its intra-area routes, only the default route is retained for destinations outside the area, including those outside the AS.
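To see how the three routing tables above follow from the area type, the following added Python example (not part of the Huawei material) takes RouterC's entries from the common-area table and applies the stub and totally stubby filters: a stub area receives no Type 5 LSAs and gets a Type 3 default route from the ABR, and stub no-summary additionally suppresses the other Type 3 LSAs. The cost of 1 to the ABR and the default-route metric of 1 are read off the tables; the entry list itself is constructed from them.

```python
"""How the OSPF area type filters what RouterC learns. Added illustration,
not Huawei code; the entries are constructed from the tables above."""

# RouterC's routes while Area 1 is a common area: (destination, cost, type).
ROUTES_COMMON_AREA = [
    ("172.16.1.0/24", 1, "Transit"),      # intra-area
    ("172.17.1.0/24", 4, "Inter-area"),   # Type 3 from RouterA
    ("192.168.0.0/24", 2, "Inter-area"),
    ("192.168.1.0/24", 1, "Transit"),
    ("192.168.2.0/24", 3, "Inter-area"),
    ("200.0.0.0/8", 4, "Type1"),          # Type 5 imported by RouterD
]

COST_TO_ABR = 1         # RouterC -> RouterA, from the 192.168.1.0/24 entry
STUB_DEFAULT_COST = 1   # metric of the Type 3 default the ABR originates

EXTERNAL_TYPES = ("Type1", "Type2")
INTRA_TYPES = ("Transit", "Stub")


def routes_in_area(routes, area_type, cost_to_abr=COST_TO_ABR):
    """Return the routes a router inside the area keeps for the given area type.

    "normal"         : everything
    "stub"           : no AS external routes; the ABR injects a default route
    "totally-stubby" : stub, and no inter-area routes except the default
                       (Huawei: 'stub no-summary' on the ABR)
    """
    if area_type not in ("normal", "stub", "totally-stubby"):
        raise ValueError(f"unknown area type {area_type!r}")
    kept = []
    for dest, cost, rtype in routes:
        if area_type != "normal" and rtype in EXTERNAL_TYPES:
            continue  # Type 5 LSAs are never flooded into a stub area
        if area_type == "totally-stubby" and rtype == "Inter-area":
            continue  # the ABR suppresses Type 3 summaries
        kept.append((dest, cost, rtype))
    if area_type != "normal":
        kept.insert(0, ("0.0.0.0/0", cost_to_abr + STUB_DEFAULT_COST, "Inter-area"))
    return kept


def totals(routes):
    """Mirror the 'Total Nets / Intra Area / Inter Area / ASE' summary line."""
    return {
        "total": len(routes),
        "intra": sum(r[2] in INTRA_TYPES for r in routes),
        "inter": sum(r[2] == "Inter-area" for r in routes),
        "ase": sum(r[2] in EXTERNAL_TYPES for r in routes),
    }


if __name__ == "__main__":
    for area_type in ("normal", "stub", "totally-stubby"):
        print(area_type, totals(routes_in_area(ROUTES_COMMON_AREA, area_type)))
```

The three summary lines the function produces (6/2/3/1, 6/2/4/0 and 3/2/1/0) are the ones shown in steps 3, 4 and 6.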
Configuration Files
NOTE: The configuration files of RouterB and RouterF are the same as those in the Example for Configuring Basic OSPF Functions, and are not mentioned here.

Configuration file of RouterA
#
 sysname RouterA
#
 router id 1.1.1.1
#
interface GigabitEthernet1/0/0
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  stub no-summary
#
return

Configuration file of RouterC
#
 sysname RouterC
#
 router id 3.3.3.3
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  network 172.16.1.0 0.0.0.255
  stub
#
return

Configuration file of RouterD
#
 sysname RouterD
#
 router id 4.4.4.4
#
interface GigabitEthernet1/0/0
 ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 172.17.1.1 255.255.255.0
#
ospf 1
 import-route static type 1
 area 0.0.0.2
  network 192.168.2.0 0.0.0.255
  network 172.17.1.0 0.0.0.255
#
ip route-static 200.0.0.0 255.0.0.0 NULL0
#
return

Configuration file of RouterE
#
 sysname RouterE
#
 router id 5.5.5.5
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.2 255.255.255.0
#
ospf 1
 area 0.0.0.1
  network 172.16.1.0 0.0.0.255
  stub
#
return
3.16.5 Example for Configuring OSPF NSSAs
Networking Requirements
As shown in Figure 3-16-5, all routers run OSPF, and the entire AS is divided into two areas. RouterA and RouterB serve as ABRs to forward routes between areas, and RouterD serves as an ASBR to import external routes (static routes). It is required to configure Area 1 as an NSSA, configure RouterA and RouterB as translators in the NSSA, and configure RouterD to import the external routes so that routing information is correctly transmitted inside the AS.
Figure 3-16-5 Configuring an OSPF NSSA
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable OSPF on each router, and configure basic OSPF functions.
2. Configure Area 1 as an NSSA (run the nssa command on all routers in Area 1), and check the OSPF routing information and LSDB of RouterC.
3. Configure static routes on RouterD, and import them into OSPF.
4. Configure translators in the NSSA.

Procedure
1. Configure an IP address for each interface. The configuration details are not mentioned here.
2. Configure basic OSPF functions (see Example for Configuring Basic OSPF Functions).
3. Configure Area 1 as an NSSA.
# Configure RouterA.
[RouterA] ospf
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] nssa
[RouterA-ospf-1-area-0.0.0.1] quit
# Configure RouterB.
[RouterB] ospf
[RouterB-ospf-1] area 1
[RouterB-ospf-1-area-0.0.0.1] nssa
[RouterB-ospf-1-area-0.0.0.1] quit
# Configure RouterD.
[RouterD] ospf
[RouterD-ospf-1] area 1
[RouterD-ospf-1-area-0.0.0.1] nssa
[RouterD-ospf-1-area-0.0.0.1] quit
4. Configure RouterD to import static routes.
[RouterD] ip route-static 100.0.0.0 8 null 0
[RouterD] ospf
[RouterD-ospf-1] import-route static
[RouterD-ospf-1] quit
# Display the OSPF routing table of RouterC.
NOTE: On RouterC, the advertising router of the AS external route imported through the NSSA is 2.2.2.2, that is, RouterB. By default, OSPF selects the ABR with the larger router ID as the translator.
[RouterC] display ospf routing
          OSPF Process 1 with Router ID 3.3.3.3
                   Routing Tables

 Routing for Network
 Destination        Cost  Type        NextHop          AdvRouter        Area
 192.168.3.0/24     2     Inter-area  192.168.0.1      1.1.1.1          0.0.0.0
 192.168.4.0/24     2     Inter-area  192.168.2.1      2.2.2.2          0.0.0.0
 192.168.0.0/24     1     Transit     192.168.0.2      3.3.3.3          0.0.0.0
 192.168.1.0/24     2     Inter-area  192.168.0.1      1.1.1.1          0.0.0.0
 192.168.1.0/24     2     Inter-area  192.168.2.1      2.2.2.2          0.0.0.0
 192.168.2.0/24     1     Transit     192.168.2.2      3.3.3.3          0.0.0.0

 Routing for ASEs
 Destination        Cost  Type        Tag         NextHop          AdvRouter
 100.0.0.0/8        1     Type2       1           192.168.2.1      2.2.2.2
 Total Nets: 7
 Intra Area: 2  Inter Area: 4  ASE: 1  NSSA: 0

# Display the OSPF LSDB of RouterC.
[RouterC] display ospf lsdb
          OSPF Process 1 with Router ID 3.3.3.3
                  Link State Database

                          Area: 0.0.0.0
 Type      LinkState ID    AdvRouter        Age   Len   Sequence   Metric
 Router    3.3.3.3         3.3.3.3          345   72    80000004   1
 Router    2.2.2.2         2.2.2.2          346   48    80000005   1
 Router    1.1.1.1         1.1.1.1          193   48    80000006   1
 Network   192.168.0.2     3.3.3.3          385   32    80000007   0
 Network   192.168.2.2     3.3.3.3          387   32    80000008   0
 Sum-Net   192.168.4.0     2.2.2.2          393   28    80000001   1
 Sum-Net   192.168.4.0     1.1.1.1          189   28    80000001   2
 Sum-Net   192.168.3.0     1.1.1.1          189   28    80000002   1
 Sum-Net   192.168.3.0     2.2.2.2          192   28    80000002   2
 Sum-Net   192.168.1.0     2.2.2.2          393   28    80000001   1
 Sum-Net   192.168.1.0     1.1.1.1          189   28    80000002   1

                  AS External Database
 Type      LinkState ID    AdvRouter        Age   Len   Sequence   Metric
 External  100.0.0.0       2.2.2.2          257   36    80000002   1

5. Configure RouterA as a translator.
[RouterA] ospf
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] nssa default-route-advertise no-summary translator-always
[RouterA-ospf-1-area-0.0.0.1] quit
[RouterA-ospf-1] quit
6. Verify the configuration.
# Display the OSPF routing table of RouterC.
NOTE: On RouterC, an AS external route is imported.
[RouterC] display ospf routing
          OSPF Process 1 with Router ID 3.3.3.3
                   Routing Tables

 Routing for Network
 Destination        Cost  Type        NextHop          AdvRouter        Area
 192.168.3.0/24     2     Inter-area  192.168.0.1      1.1.1.1          0.0.0.0
 192.168.4.0/24     2     Inter-area  192.168.2.1      2.2.2.2          0.0.0.0
 192.168.0.0/24     1     Transit     192.168.0.2      3.3.3.3          0.0.0.0
 192.168.1.0/24     2     Inter-area  192.168.2.1      2.2.2.2          0.0.0.0
 192.168.1.0/24     2     Inter-area  192.168.0.1      1.1.1.1          0.0.0.0
 192.168.2.0/24     1     Transit     192.168.2.2      3.3.3.3          0.0.0.0

 Routing for ASEs
 Destination        Cost  Type        Tag         NextHop          AdvRouter
 100.0.0.0/8        1     Type2       1           192.168.0.1      1.1.1.1

 Total Nets: 7
 Intra Area: 2  Inter Area: 4  ASE: 1  NSSA: 0
NOTE:
On RouterC, the router ID of the advertising router that imports AS external routes into the NSSA changes to 1.1.1.1. That is, RouterA has become the translator.
By default, the new translator and the former translator both act as translators for 40s. After 40s, only the new translator continues to work as the translator.
# Display the OSPF LSDB of RouterC.
[RouterC] display ospf lsdb
          OSPF Process 1 with Router ID 3.3.3.3
                  Link State Database

                          Area: 0.0.0.0
 Type      LinkState ID    AdvRouter        Age   Len   Sequence   Metric
 Router    3.3.3.3         3.3.3.3          493   72    80000004   1
 Router    2.2.2.2         2.2.2.2          494   48    80000005   1
 Router    1.1.1.1         1.1.1.1          341   48    80000006   1
 Network   192.168.0.2     3.3.3.3          501   32    80000007   0
 Network   192.168.2.2     3.3.3.3          503   32    80000008   0
 Sum-Net   192.168.4.0     2.2.2.2          541   28    80000001   1
 Sum-Net   192.168.4.0     1.1.1.1          337   28    80000001   2
 Sum-Net   192.168.3.0     1.1.1.1          337   28    80000002   1
 Sum-Net   192.168.3.0     2.2.2.2          340   28    80000002   2
 Sum-Net   192.168.1.0     2.2.2.2          541   28    80000001   1
 Sum-Net   192.168.1.0     1.1.1.1          337   28    80000002   1

                  AS External Database
 Type      LinkState ID    AdvRouter        Age   Len   Sequence   Metric
 External  100.0.0.0       1.1.1.1          248   36    80000001   1
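The translator behaviour seen in the two LSDB displays (the AdvRouter of the 100.0.0.0 Type 5 LSA moving from 2.2.2.2 to 1.1.1.1, with both ABRs translating for 40s) can be modelled as follows. This is an added Python illustration, not Huawei code; the rules follow RFC 3101: an ABR configured with translator-always always translates, candidate ABRs defer to it, and among candidates alone the higher router ID wins. The LSA records are constructed for the example.

```python
"""NSSA translator selection and Type 7 to Type 5 translation, modelled after
RFC 3101. Added illustration, not Huawei code; LSAs are constructed."""

STABILITY_INTERVAL = 40  # seconds the former translator keeps translating


def rid_key(router_id):
    """Compare dotted-quad router IDs numerically."""
    return tuple(int(octet) for octet in router_id.split("."))


def elect_translators(abrs):
    """abrs: {router_id: "always" | "candidate"} for the NSSA's ABRs.

    A translator-always ABR advertises the Nt bit and always translates;
    candidates then stay quiet. With only candidates, the highest router
    ID translates.
    """
    always = {rid for rid, role in abrs.items() if role == "always"}
    if always:
        return always
    candidates = [rid for rid, role in abrs.items() if role == "candidate"]
    return {max(candidates, key=rid_key)} if candidates else set()


def translators_at(before, after, seconds_since_change):
    """Who translates t seconds after the ABR roles changed from before to after."""
    old, new = elect_translators(before), elect_translators(after)
    return old | new if seconds_since_change < STABILITY_INTERVAL else new


def translate_type7(type7_lsas, translator):
    """Type 7 LSAs with the P bit become Type 5 LSAs advertised by the translator."""
    return [
        {"type": 5, "prefix": lsa["prefix"], "adv_router": translator,
         "metric": lsa["metric"], "metric_type": lsa["metric_type"]}
        for lsa in type7_lsas if lsa["p_bit"]
    ]


# Constructed: RouterD's Type 7 LSA for the imported static route.
TYPE7_FROM_ROUTER_D = [
    {"type": 7, "prefix": "100.0.0.0/8", "adv_router": "4.4.4.4",
     "metric": 1, "metric_type": 2, "p_bit": True},
]

BEFORE_STEP5 = {"1.1.1.1": "candidate", "2.2.2.2": "candidate"}
AFTER_STEP5 = {"1.1.1.1": "always", "2.2.2.2": "candidate"}


def type5_adv_router(abrs):
    """AdvRouter RouterC sees on the 100.0.0.0 Type 5 LSA for a given ABR role set."""
    (translator,) = elect_translators(abrs)
    return translate_type7(TYPE7_FROM_ROUTER_D, translator)[0]["adv_router"]


if __name__ == "__main__":
    print("before step 5:", type5_adv_router(BEFORE_STEP5))
    print("after step 5: ", type5_adv_router(AFTER_STEP5))
    print("10 s after change:", translators_at(BEFORE_STEP5, AFTER_STEP5, 10))
```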
Configuration Files

Configuration file of RouterA
#
 sysname RouterA
#
 router id 1.1.1.1
#
interface GigabitEthernet1/0/0
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 ip address 192.168.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
  nssa default-route-advertise no-summary translator-always
#
return

Configuration file of RouterB
#
 sysname RouterB
#
 router id 2.2.2.2
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 ip address 192.168.4.2 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  network 192.168.4.0 0.0.0.255
  nssa
#
return

Configuration file of RouterC
#
 sysname RouterC
#
 router id 3.3.3.3
#
interface GigabitEthernet1/0/0
 ip address 192.168.0.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.2.2 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
return

Configuration file of RouterD
#
 sysname RouterD
#
 router id 4.4.4.4
#
interface GigabitEthernet1/0/0
 ip address 192.168.3.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.4.1 255.255.255.0
#
ospf 1
 import-route static
 area 0.0.0.1
  network 192.168.3.0 0.0.0.255
Networking Requirements
When a fault occurs on the network, OSPF IP FRR can quickly switch traffic to the backup link without waiting for route convergence. This ensures uninterrupted traffic transmission. As shown in Figure 3-16-6:
OSPF runs on the four routers in the same area.
If the link between RouterA and RouterC becomes faulty, the traffic forwarded by RouterA is rapidly switched to the backup link and forwarded through RouterB.
Figure 3-16-6 Networking diagram for configuring OSPF IP FRR

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions on each router.
2. Set the cost to ensure that the link from RouterA to RouterC is preferred.
3. Enable OSPF IP FRR on RouterA to protect the traffic forwarded by RouterA.
Procedure
1. Configure an IP address and the cost for each interface. This example assumes that you know the configuration method and no details are provided here.
Enable OSPF IP FRR on RouterA.
# Enable OSPF IP FRR on RouterA.
[RouterA] ospf
[RouterA-ospf-1] frr
[RouterA-ospf-1-frr] loop-free-alternate
4. Verify the configuration.
# View information about the route from RouterA to RouterD. You can find that OSPF generates a backup route because OSPF IP FRR is enabled.
display ospf routing router-id 4.4.4.4
          OSPF Process 1 with Router ID 1.1.1.1

 Destination      : 4.4.4.4
 Area             : 0.0.0.1
 Type             : Normal
 URT Cost         : 59
 NextHop          : 1.3.1.3
 Route Type       : Intra-area
 AdvRouter        : 4.4.4.4
 Age              : 00h31m27s
 Interface        : GigabitEthernet1/0/2
 Backup Nexthop   : 1.2.1.2
 Backup Interface : GigabitEthernet1/0/1
 Backup Type      : LFA LINK

The preceding display shows that a backup route is generated on RouterA.
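The LFA backup that the display reports comes from the loop-free condition of RFC 5286: a neighbour N is a valid backup for destination D if Dist(N,D) < Dist(N,S) + Dist(S,D), which guarantees that N never forwards the traffic back through S. The following Python example is an added illustration, not Huawei code. Only the primary cost of 59 to 4.4.4.4 and RouterD's interface cost of 55 come from the display above; the remaining link costs are assumed, and a second constructed topology shows a neighbour that fails the condition and therefore gets no backup entry.

```python
"""Loop-free alternate (RFC 5286) computation for OSPF IP FRR. Added
illustration, not Huawei code; link costs other than 59 and 55 are assumed."""
import heapq

# Constructed topology: RouterA reaches RouterD via RouterC on the primary
# path (total cost 59, as in the display); RouterB is the candidate backup.
TOPOLOGY = {
    "RouterA": {"RouterC": 4, "RouterB": 10},
    "RouterB": {"RouterA": 10, "RouterD": 60},
    "RouterC": {"RouterA": 4, "RouterD": 55},   # 55 = RouterD's ospf cost
    "RouterD": {"RouterC": 55, "RouterB": 60},
}


def shortest_paths(graph, source):
    """Dijkstra: return ({node: distance}, {node: first hop from source})."""
    dist = {source: 0}
    first_hop = {}
    heap = [(0, source, None)]
    while heap:
        d, node, hop = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale entry
        for nbr, cost in graph[node].items():
            nd = d + cost
            if nd < dist.get(nbr, float("inf")):
                dist[nbr] = nd
                first_hop[nbr] = nbr if node == source else hop
                heapq.heappush(heap, (nd, nbr, first_hop[nbr]))
    return dist, first_hop


def lfa_backups(graph, source, dest):
    """Return (primary cost, primary next hop, [loop-free alternate next hops]).

    Neighbour N is loop-free for D if Dist(N, D) < Dist(N, S) + Dist(S, D):
    N's own best path to D must not go back through S.
    """
    dist_s, hop_s = shortest_paths(graph, source)
    primary = hop_s[dest]
    alternates = []
    for nbr in graph[source]:
        if nbr == primary:
            continue
        dist_n, _ = shortest_paths(graph, nbr)
        if dist_n[dest] < dist_n[source] + dist_s[dest]:
            alternates.append(nbr)
    return dist_s[dest], primary, alternates


def example_with_lfa():
    """The page's case: RouterB is a valid LFA for RouterD."""
    return lfa_backups(TOPOLOGY, "RouterA", "RouterD")


def example_without_lfa():
    """Constructed failure mode: a costlier RouterB-RouterD link makes RouterB
    prefer the path back through RouterA, so it cannot be a backup."""
    graph = {node: dict(links) for node, links in TOPOLOGY.items()}
    graph["RouterB"]["RouterD"] = 100
    graph["RouterD"]["RouterB"] = 100
    return lfa_backups(graph, "RouterA", "RouterD")


if __name__ == "__main__":
    print("with LFA:   ", example_with_lfa())
    print("without LFA:", example_without_lfa())
```

In the second topology the inequality becomes 69 < 10 + 59, which is false, so no Backup Nexthop would appear in the display even though the frr configuration is unchanged: LFA coverage depends on the metrics, not only on enabling the feature.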
Configuration Files

Configuration file of RouterD
#
 sysname RouterD
#
 router-id 4.4.4.4
#
interface GigabitEthernet1/0/1
 ip address 3.4.1.4 255.255.255.0
 ospf cost 55
#
ospf 1
 area 0.0.0.1
  network 3.4.1.0 0.0.0.255
#
return
3.16.7 Example for Configuring BFD for OSPF
Networking Requirements
As shown in Figure 3-16-7, the requirements are as follows:
Run OSPF between RouterA, RouterB, and RouterC.
Enable BFD for the OSPF process on RouterA, RouterB, and RouterC.
Traffic is transmitted on the active link RouterA → RouterB. The link RouterA → RouterC → RouterB acts as the standby link.
BFD is configured on the interfaces of the link between RouterA and RouterB. When a fault occurs on the link, BFD quickly detects it and notifies OSPF, so that traffic is switched to the standby link.
Figure 3-16-7 Networking diagram for configuring BFD for OSPF
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the basic OSPF functions on each router.
2. Enable global BFD.
3. Enable the detection mechanism on RouterA and RouterB.

Procedure
1. Assign an IP address to each router interface. The detailed configuration is not mentioned here.
2. Configure the basic OSPF functions.
# Configure RouterA.
[RouterA] router id 1.1.1.1
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 1.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] network 3.3.3.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Configure RouterB.
[RouterB] router id 2.2.2.2
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 2.2.2.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 3.3.3.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure RouterC.
[RouterC] router id 3.3.3.3
[RouterC] ospf
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 1.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] network 2.2.2.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
# After the preceding configurations are complete, run the display ospf peer command. You can view that the neighbor relationships are set up between RouterA, RouterB, and RouterC. Take the display of RouterA as an example:
display ospf peer
          OSPF Process 1 with Router ID 1.1.1.1
                  Neighbors

 Area 0.0.0.0 interface 1.1.1.1(GigabitEthernet1/0/0)'s neighbors
 Router ID: 3.3.3.3          Address: 1.1.1.2
   State: Full  Mode:Nbr is Master  Priority: 1
   DR: 1.1.1.1  BDR: 1.1.1.2  MTU: 0
   Dead timer due in 38  sec
   Retrans timer interval: 5
   Neighbor is up for 00:00:15
   Authentication Sequence: [ 0 ]

                  Neighbors

 Area 0.0.0.0 interface 3.3.3.1(GigabitEthernet2/0/0)'s neighbors
 Router ID: 2.2.2.2          Address: 3.3.3.2
   State: Full  Mode:Nbr is Master  Priority: 1
   DR: 3.3.3.1  BDR: 3.3.3.2  MTU: 0
   Dead timer due in 25  sec
   Retrans timer interval: 5
   Neighbor is up for 00:00:59
   Authentication Sequence: [ 0 ]
# Display the information in the OSPF routing table on RouterA. You can view the routing entries to RouterB and RouterC. The next hop address of the route to 172.16.1.0/24 is 3.3.3.2, and traffic is transmitted on the active link RouterA → RouterB.
display ospf routing
          OSPF Process 1 with Router ID 1.1.1.1
                   Routing Tables

 Routing for Network
 Destination        Cost  Type        NextHop          AdvRouter        Area
 172.16.1.0/24      2     Transit     3.3.3.2          2.2.2.2          0.0.0.0
 3.3.3.0/24         1     Transit     3.3.3.1          1.1.1.1          0.0.0.0
 2.2.2.0/24         2     Transit     3.3.3.2          2.2.2.2          0.0.0.0
 2.2.2.0/24         2     Transit     1.1.1.2          2.2.2.2          0.0.0.0
 1.1.1.0/24         1     Transit     1.1.1.1          1.1.1.1          0.0.0.0

 Total Nets: 5
 Intra Area: 5  Inter Area: 0  ASE: 0  NSSA: 0

3. Configure OSPF BFD.
# Enable global BFD on RouterA.
[RouterA] bfd
[RouterA-bfd] quit
[RouterA] ospf
[RouterA-ospf-1] bfd all-interfaces enable
[RouterA-ospf-1] quit
# Enable global BFD on RouterB.
[RouterB] bfd
[RouterB-bfd] quit
[RouterB] ospf
[RouterB-ospf-1] bfd all-interfaces enable
[RouterB-ospf-1] quit
# Enable global BFD on RouterC.
[RouterC] bfd
[RouterC-bfd] quit
[RouterC] ospf
[RouterC-ospf-1] bfd all-interfaces enable
[RouterC-ospf-1] quit
# After the preceding configurations are complete, run the display ospf bfd session all command on RouterA or RouterB. You can view that the status of the BFD session is Up. Take the display of RouterA as an example:
[RouterA] display ospf bfd session all
          OSPF Process 1 with Router ID 1.1.1.1

  Area 0.0.0.0 interface 1.1.1.1(GigabitEthernet1/0/0)'s BFD Sessions

 NeighborId:3.3.3.3         AreaId:0.0.0.0         Interface:GigabitEthernet1/0/0
 BFDState:up                rx  :1000              tx  :1000
 Multiplier:3               BFD Local Dis:8195     LocalIpAdd:1.1.1.1
 RemoteIpAdd:1.1.1.2        Diagnostic Info:No diagnostic information

  Area 0.0.0.0 interface 3.3.3.1(GigabitEthernet2/0/0)'s BFD Sessions

 NeighborId:2.2.2.2         BFDState:up

4. Configure BFD of the interface.
# Configure BFD on GE 2/0/0 of RouterA, set the minimum interval for sending packets and the minimum interval for receiving packets to 500 ms, and set the local detection multiplier to 4.
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ospf bfd enable
[RouterA-GigabitEthernet2/0/0] ospf bfd min-tx-interval 500 min-rx-interval 500 detect-multiplier 4
[RouterA-GigabitEthernet2/0/0] quit
# Configure BFD on GE 2/0/0 of RouterB, set the minimum interval for sending packets and the minimum interval for receiving packets to 500 ms, and set the local detection multiplier to 4.
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ospf bfd enable
[RouterB-GigabitEthernet2/0/0] ospf bfd min-tx-interval 500 min-rx-interval 500 detect-multiplier 4
[RouterB-GigabitEthernet2/0/0] quit
# After the preceding configurations are complete, run the display ospf bfd session all command on RouterA or RouterB. You can view that the status of the BFD session is Up. Take the display of RouterB as an example:
[RouterB] display ospf bfd session all
          OSPF Process 1 with Router ID 2.2.2.2

  Area 0.0.0.0 interface 3.3.3.2(GigabitEthernet2/0/0)'s BFD Sessions

 NeighborId:1.1.1.1         AreaId:0.0.0.0         Interface:GigabitEthernet2/0/0
 BFDState:up                rx  :500               tx  :500
 Multiplier:4               BFD Local Dis:8198     LocalIpAdd:3.3.3.2
 RemoteIpAdd:3.3.3.1        Diagnostic Info:No diagnostic information
5. Verify the configuration.
# Run the shutdown command on GE 2/0/0 of RouterB to simulate the active link failure.
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] shutdown
# Display the routing table on RouterA. The standby link RouterA → RouterC → RouterB takes effect after the active link fails. The next hop address of the route to 172.16.1.0/24 becomes 1.1.1.2.
display ospf routing
          OSPF Process 1 with Router ID 1.1.1.1
                   Routing Tables

 Routing for Network
 Destination        Cost  Type        NextHop          AdvRouter        Area
 172.16.1.0/24      3     Transit     1.1.1.2          2.2.2.2          0.0.0.0
 3.3.3.0/24         1     Transit     3.3.3.1          1.1.1.1          0.0.0.0
 2.2.2.0/24         2     Transit     1.1.1.2          2.2.2.2          0.0.0.0
 1.1.1.0/24         1     Transit     1.1.1.1          1.1.1.1          0.0.0.0

 Total Nets: 4
 Intra Area: 4  Inter Area: 0  ASE: 0  NSSA: 0
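The 500 ms intervals and multiplier 4 configured in step 4 only yield a 2 s detection time because both ends of the link are configured identically: BFD negotiates the timers per session (RFC 5880 section 6.8.4), so each side sends no faster than the peer's minimum receive interval and declares the session down after the peer's multiplier times the peer's effective transmit interval. The following Python example is an added illustration, not Huawei code. The timer values are those of steps 3 and 4, and the mixed case (one side left at the 1000 ms / 3 defaults) is constructed to show why the example configures both RouterA and RouterB.

```python
"""BFD asynchronous-mode timer negotiation (RFC 5880, section 6.8.4) for the
OSPF BFD sessions in this example. Added illustration, not Huawei code."""

# Timer sets in milliseconds: min_tx / min_rx intervals and detect multiplier.
DEFAULTS = {"min_tx": 1000, "min_rx": 1000, "mult": 3}     # step 3 sessions
INTERFACE_BFD = {"min_tx": 500, "min_rx": 500, "mult": 4}   # step 4 sessions


def negotiate(local, remote):
    """Return the session parameters as seen from the local side.

    tx_interval : we may not send faster than the peer wants to receive.
    detect_time : peer's multiplier x the peer's effective transmit interval
                  (the greater of our min_rx and the peer's min_tx).
    """
    tx_interval = max(local["min_tx"], remote["min_rx"])
    peer_tx_interval = max(remote["min_tx"], local["min_rx"])
    detect_time = remote["mult"] * peer_tx_interval
    return {"tx_interval": tx_interval, "detect_time": detect_time}


def session(a, b):
    """Both sides of one session: {side: negotiated parameters}."""
    return {"A": negotiate(a, b), "B": negotiate(b, a)}


def faster_than_ospf_dead_timer(detect_time_ms, dead_interval_ms=40_000):
    """BFD only helps if it fires before OSPF's own Dead interval (40 s here)."""
    return detect_time_ms < dead_interval_ms


if __name__ == "__main__":
    print("step 3 (defaults both ends):", session(DEFAULTS, DEFAULTS))
    print("step 4 (500 ms / x4 both ends):", session(INTERFACE_BFD, INTERFACE_BFD))
    print("only RouterA tuned:", session(INTERFACE_BFD, DEFAULTS))
```

With only RouterA tuned, RouterA still needs 3 s to notice a failure (RouterB keeps sending every 1000 ms with multiplier 3) and RouterB needs 4 s, so the per-interface timers must be set on both ends, exactly as step 4 does.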
Configuration Files

Configuration file of RouterA
#
 sysname RouterA
#
 router id 1.1.1.1
#
bfd
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 3.3.3.1 255.255.255.0
 ospf bfd enable
 ospf bfd min-tx-interval 500 min-rx-interval 500 detect-multiplier 4

Configuration file of RouterC
#
 sysname RouterC
#
 router id 3.3.3.3
#
bfd
#
interface GigabitEthernet1/0/0
 ip address 1.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 2.2.2.1 255.255.255.0
#
ospf 1
 bfd all-interfaces enable
 area 0.0.0.0
  network 1.1.1.0 0.0.0.255
  network 2.2.2.0 0.0.0.255
#
return
3.16.8 Example for Configuring OSPF GTSM
Networking Requirements
As shown in Figure 3-16-8, the routers run OSPF, and GTSM is enabled on RouterA, RouterB, and RouterC.
Figure 3-16-8 Networking diagram of OSPF GTSM
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF.
2. Enable GTSM on each router and specify a valid TTL range for packets.

Procedure
1. Configure an IP address for each interface. The configuration details are not mentioned here.
2. Configure basic OSPF functions (see Example for Configuring Basic OSPF Functions).
3. Configure OSPF GTSM.
# On RouterA, set the valid TTL range for OSPF packets exchanged between RouterA and the other routers to 255 to 255.
[RouterA] ospf valid-ttl-hops 1
# On RouterB, set the valid TTL range for OSPF packets exchanged between RouterB and the other routers to 254 to 255.
[RouterB] ospf valid-ttl-hops 2
# On RouterC, set the valid TTL range for OSPF packets exchanged between RouterC and the other routers to 254 to 255.
[RouterC] ospf valid-ttl-hops 2
4.
Verify the configuration. # Check whether OSPF neighbor relationships between routers are successfully established. Take the display on RouterC as an example. The neighbor relationship is Full, indicating that the neighbor relationship is successfully established. [RouterC] display ospf peer OSPF Process 1 with Router ID 3.3.3.3 Neighbors Area 0.0.0.0 interface 192.168.2.2(GigabitEthernet2/0/0)'s neighbors Router ID: 1.1.1.1 State: Full
Address: 192.168.2.1
Mode:Nbr is Master
DR: 192.168.2.2
Priority: 1
BDR: 192.168.2.1
MTU: 0
Dead timer due in 36 sec Retrans timer interval: 5 Neighbor is up for 00:15:04 Authentication Sequence: [ 0 ] 2016-1-11
Huawei Confidential
Page 189 of 1210
HCIE-R&S Material
Confidentiality Level
# On RouterC, run the display gtsm statistics all command to view the GTSM statistics. The default action is pass, no illegal packets have been received, and the number of discarded packets is 0.
[RouterC] display gtsm statistics all
 GTSM Statistics Table
 ----------------------------------------------------------------
 SlotId  Protocol
Configuration file of RouterD
#
 sysname RouterD
#
 router id 4.4.4.4
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.2 255.0.0.0
#
ospf 1
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
#
return
Chapter 4 BGP
4.1 BGP Concepts
This section describes BGP concepts to help you better understand BGP functions.
4.1.1 Autonomous System
An Autonomous System (AS) is a group of Internet Protocol (IP) networks that are controlled by one entity, typically an Internet Service Provider (ISP), and that have the same routing policy. Each AS is assigned a unique AS number, which identifies the AS on a BGP network. Two types of AS numbers are available: 2-byte AS numbers and 4-byte AS numbers. A 2-byte AS number ranges from 1 to 65535, and a 4-byte AS number ranges from 1 to 4294967295. Devices supporting 4-byte AS numbers are compatible with devices supporting 2-byte AS numbers.
4.1.2 BGP Classification As shown in Figure 4-1-1, BGP is classified into two types according to where it runs: Internal BGP (IBGP) and External BGP (EBGP). When BGP runs between two peers in the same AS, BGP is called IBGP. When BGP runs between ASs, BGP is called EBGP.
Figure 4-1-1 BGP operating mode
EBGP: runs between ASs. To prevent routing loops between ASs, a BGP device discards the routes with the local AS number when receiving the routes from EBGP peers.
IBGP: runs within an AS. To prevent routing loops within an AS, a BGP device does not advertise the routes learned from an IBGP peer to the other IBGP peers and establishes full-mesh connections with all the IBGP peers. To address the problem of too many IBGP connections between IBGP peers, BGP uses Route Reflector and BGP Confederation.
NOTE: If a BGP device needs to advertise the route received from an EBGP peer outside an AS through another BGP device, IBGP is recommended.
4.1.3 Device Roles in BGP Message Exchange
There are two device roles in BGP message exchange:
Speaker: The device that sends BGP messages is called a BGP speaker. The speaker receives and generates new routes, and advertises the routes to other BGP speakers.
Peer: The speakers that exchange messages with each other are called BGP peers. A group of peers sharing the same policies can form a peer group.
4.1.4 BGP Router ID
The BGP router ID is a 32-bit value, usually written as an IPv4 address, that identifies a BGP device. It is carried in the Open message sent during the establishment of a BGP session. Two BGP peers must have different router IDs; otherwise they cannot establish a BGP session. The BGP router ID must therefore be unique on the BGP network. It can be configured manually or selected automatically from the IPv4 addresses on the device: by default, the system uses the largest IPv4 address configured on a loopback interface; if no loopback interface is configured, it selects the largest IPv4 address among all interface addresses. Once selected, the router ID is retained even if a larger IPv4 address is configured on the device later. The system changes the BGP router ID only when the IPv4 address in use is deleted.
4.2 BGP Working Principles
BGP peer establishment, update, and deletion involve five types of messages, a six-state finite state machine, and five route exchange rules.
4.2.1 BGP Messages BGP peers exchange the following messages, among which Keepalive messages are periodically sent and other messages are triggered by events.
Open message: is used to establish BGP peer relationships.
Update message: is used to exchange routes between BGP peers.
Notification message: is used to terminate BGP connections.
Keepalive message: is used to maintain BGP connections.
Route-refresh message: is used to request the peer to resend routes if routing policies are changed. Only the BGP devices supporting route-refresh can send and respond to Route-refresh messages.
4.2.2 BGP State Machine As shown in Figure 4-2-1, a BGP device uses a finite state machine (FSM) to determine its operations with peers. The FSM has six states: Idle, Connect, Active, OpenSent, OpenConfirm, and Established. Three common states are involved in BGP peer establishment: Idle, Active, and Established.
Figure 4-2-1 BGP state machine
1. The Idle state is the initial BGP state. In Idle state, the BGP device refuses all connection requests from neighbors. The BGP device initiates a TCP connection with its BGP peer and changes its state to Connect only after receiving a Start event from the system.
NOTE:
The Start event occurs when an operator configures a BGP process or resets an existing BGP process or when the router software resets a BGP process.
If an error occurs at any state of the FSM, for example, the BGP device receives a Notification packet or TCP connection termination notification, the BGP device returns to the Idle state.
2. In Connect state, the BGP device starts the ConnectRetry timer and waits to establish a TCP connection.
If the TCP connection is established, the BGP device sends an Open message to the peer and changes to the OpenSent state.
If the TCP connection fails to be established, the BGP device moves to the Active state.
If the ConnectRetry timer expires before the TCP connection is established, the BGP device restarts the timer, initiates a new TCP connection to the peer, and stays in the Connect state.
3. In Active state, the BGP device keeps trying to establish a TCP connection with the peer.
If the TCP connection is established, the BGP device sends an Open message to the peer, stops the ConnectRetry timer, and changes to the OpenSent state.
If the TCP connection fails to be established, the BGP device stays in the Active state.
If the ConnectRetry timer expires before the TCP connection is established, the BGP device returns to the Connect state.
4. In OpenSent state, the BGP device waits for an Open message from the peer and then checks the validity of the received Open message, including the AS number, version, and authentication password.
If the received Open message is valid, the BGP device sends a Keepalive message and changes to the OpenConfirm state.
If the received Open message is invalid, the BGP device sends a Notification message to the peer and returns to the Idle state.
5. In OpenConfirm state, the BGP device waits for a Keepalive or Notification message from the peer. If the BGP device receives a Keepalive message, it transitions to the Established state. If it receives a Notification message, it returns to the Idle state.
6. In Established state, the BGP device exchanges Update, Keepalive, Route-refresh, and Notification messages with the peer.
If the BGP device receives a valid Update or Keepalive message, it considers that the peer is working properly and maintains the BGP connection with the peer.
If the BGP device receives an invalid Update or Keepalive message, it sends a Notification message to the peer and returns to the Idle state.
If the BGP device receives a Route-refresh message, it does not change its state.
If the BGP device receives a Notification message, it returns to the Idle state.
If the BGP device receives a TCP connection termination notification, it terminates the TCP connection with the peer and returns to the Idle state.
4.2.3 Route Exchange Rules
A BGP device adds optimal routes to the BGP routing table to generate BGP routes. After establishing a BGP peer relationship with a neighbor, the BGP device follows these rules to exchange routes with the peer:
Advertises the BGP routes received from IBGP peers only to its EBGP peers.
Advertises the BGP routes received from EBGP peers to both its EBGP peers and its IBGP peers.
Advertises only the optimal route to its peers when there are multiple valid routes to the same destination.
Sends only the changed BGP routes when BGP routes change, rather than the whole table.
Accepts all the routes sent by its peers, subject to the AS_Path loop check (a route whose AS_Path already contains the local AS number is discarded) and any configured import policies.
4.3 Interaction between BGP and an IGP
BGP and IGPs use different routing tables. To enable different ASs to communicate, you need to configure interaction between BGP and IGPs so that BGP routes can be imported into IGP routing tables and IGP routes can also be imported into BGP routing tables.
4.3.1 Importing IGP Routes to BGP Routing Tables BGP does not discover routes and so needs to import the routes discovered by IGPs to BGP routing tables so that different ASs can communicate. When an AS needs to advertise routes to another AS, an Autonomous System Boundary Router (ASBR) imports IGP routes to its BGP routing table. To better plan the network, you can use routing policies to filter routes and set route attributes when BGP imports IGP routes. Alternatively, you can set the multi-exit discriminator (MED) to help EBGP peers select the best path for traffic entering an AS. BGP imports routes in either import or network mode:
In import mode, BGP imports IGP routes, including RIP, OSPF, and IS-IS routes, into BGP routing tables based on protocol type. To ensure the validity of imported IGP routes, BGP can also import static routes and direct routes in import mode.
In network mode, BGP imports the routes in the IP routing table one by one to BGP routing tables. The network mode is more accurate than the import mode.
4.3.2 Importing BGP Routes to IGP Routing Tables When an AS needs to import routes from another AS, an ASBR imports BGP routes to its IGP routing table. To prevent a large number of BGP routes from affecting devices within the AS, IGPs can use routing policies to filter routes and set route attributes when importing BGP routes.
4.3.3 Applications As shown in Figure 4-3-1, an OSPF network is deployed in AS 100 where the Overseas Market Department of a company resides, and an IS-IS network is deployed in AS 200 where the Domestic R&D Department of the company resides. AS 100 and AS 200 communicate using BGP. The company requires that the Overseas Market Department can send files to the Domestic R&D Department but the Domestic R&D Department cannot send files to the Overseas Market Department.
Figure 4-3-1 IGPs importing BGP routes
According to the preceding requirement of the company, devices in AS 100 must know the routes of AS 200, but devices in AS 200 must not know the routes of AS 100. To meet this requirement, configure BGP to import IS-IS routes on RouterC. RouterC then has the routes of AS 200 in its BGP routing table and advertises them to RouterB. In addition, configure OSPF to import BGP routes on RouterB. Devices in AS 100 can then reach the routes of AS 200, while devices in AS 200 do not learn the routes of AS 100.
4.4 BGP Security
BGP uses authentication and the Generalized TTL Security Mechanism (GTSM) to protect the exchange between BGP peers.
4.4.1 BGP Authentication
BGP authentication includes Message Digest 5 (MD5) authentication and keychain authentication, both of which improve communication security between BGP peers. With MD5 authentication, a single password is configured and is used only to protect the TCP connection (the TCP MD5 signature option). With keychain authentication, a keychain holding several keys with their validity periods is referenced; it protects the TCP connection, can also authenticate BGP messages, and allows the key in use to be changed over time without reconfiguring the session.
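The MD5 authentication described here is the TCP MD5 Signature Option of RFC 2385: the password never travels on the wire; instead every TCP segment of the BGP session carries a 16-byte MD5 digest computed over the segment and the password, and a receiver configured for MD5 discards segments whose digest does not match. The following Python is an added example, not Huawei code or output from the devices in this material; it signs a constructed BGP KEEPALIVE segment the way a sending speaker does and verifies it as the receiving speaker would. The addresses, ports, sequence numbers and password are constructed sample values, and sign_segment, verify_segment and extract_md5_option are this example's own names.

```python
"""RFC 2385 TCP MD5 signature, the mechanism behind BGP MD5 authentication.

Added example, not Huawei code. Signs a constructed BGP KEEPALIVE segment and
verifies it on the receiving side. Addresses, ports, sequence numbers and the
password are constructed sample values.
"""
import hashlib
import hmac
import socket
import struct
from typing import Optional

MD5_OPT_KIND = 19   # TCP option kind of the MD5 Signature Option
MD5_OPT_LEN = 18    # kind(1) + length(1) + 16-byte digest
NOP = b"\x01"

# Minimal constructed BGP KEEPALIVE: 16-byte marker of 0xFF, length 19, type 4.
KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def build_tcp_header(src_port: int, dst_port: int, seq: int, ack: int,
                     flags: int, window: int, options: bytes) -> bytes:
    """Fixed 20-byte TCP header plus options; checksum left at zero."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 4-byte boundary")
    data_offset = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                        data_offset << 4, flags, window, 0, 0)
    return fixed + options


def tcp_md5_digest(src_ip: str, dst_ip: str, tcp_header: bytes,
                   payload: bytes, password: bytes) -> bytes:
    """Digest per RFC 2385 section 2, in this order: the TCP pseudo-header,
    the fixed TCP header with the checksum zeroed (options are excluded),
    the segment data, and finally the connection key (the password)."""
    segment_len = len(tcp_header) + len(payload)      # whole segment incl. options
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, segment_len))
    fixed = bytearray(tcp_header[:20])
    fixed[16:18] = b"\x00\x00"                        # checksum field zeroed
    m = hashlib.md5()
    for part in (pseudo, bytes(fixed), payload, password):
        m.update(part)
    return m.digest()


def sign_segment(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                 seq: int, ack: int, flags: int, window: int,
                 payload: bytes, password: bytes) -> bytes:
    """Return header + options + payload with the MD5 option filled in."""
    # The option area is not covered by the digest, so a placeholder of the
    # final size is enough to get the data offset and segment length right.
    placeholder = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + b"\x00" * 16 + NOP * 2
    header = build_tcp_header(src_port, dst_port, seq, ack, flags, window, placeholder)
    digest = tcp_md5_digest(src_ip, dst_ip, header, payload, password)
    options = bytes([MD5_OPT_KIND, MD5_OPT_LEN]) + digest + NOP * 2
    return header[:20] + options + payload


def extract_md5_option(tcp_header: bytes) -> Optional[bytes]:
    """Walk the TCP option list and return the 16-byte digest, if present."""
    data_offset = (tcp_header[12] >> 4) * 4
    opts = tcp_header[20:data_offset]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                 # End of option list
            break
        if kind == 1:                 # NOP
            i += 1
            continue
        if i + 1 >= len(opts):
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            break                     # malformed option: treat as absent
        if kind == MD5_OPT_KIND and length == MD5_OPT_LEN:
            return bytes(opts[i + 2:i + 18])
        i += length
    return None


def verify_segment(src_ip: str, dst_ip: str, segment: bytes, password: bytes) -> bool:
    """Receiver side: recompute the digest and compare in constant time. A
    segment without the option is rejected, because a speaker configured for
    MD5 authentication must not accept unsigned segments."""
    if len(segment) < 20:
        return False
    data_offset = (segment[12] >> 4) * 4
    header, payload = segment[:data_offset], segment[data_offset:]
    received = extract_md5_option(header)
    if received is None:
        return False
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, password)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    # RouterA (200.1.1.2, AS 65008) sends a KEEPALIVE to RouterB (200.1.1.1).
    seg = sign_segment("200.1.1.2", "200.1.1.1", 40001, 179, 1000, 2000,
                       0x18, 65535, KEEPALIVE, b"constructed-secret")
    print("valid:", verify_segment("200.1.1.2", "200.1.1.1", seg, b"constructed-secret"))
    print("wrong key:", verify_segment("200.1.1.2", "200.1.1.1", seg, b"other"))
```

Because the digest covers the IP addresses in the pseudo-header, the same password on a different peer pair produces a different digest; and because MD5 here is a keyed hash rather than encryption, GTSM and an ACL on the BGP port are still needed to keep unsolicited segments away from the control plane.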
4.4.2 BGP GTSM
BGP GTSM checks whether the time-to-live (TTL) value in the IP header of a received BGP packet is within a predefined range and discards packets whose TTL is outside that range, protecting the BGP process above the IP layer. Assume that the valid TTL range for packets from a BGP peer is set to 254 to 255. When an attacker several hops away forges otherwise valid BGP packets and floods the device with them, these packets arrive with TTL values smaller than 254: every router on the path decrements the TTL, and the attacker cannot start above 255. If BGP GTSM is not enabled, the device finds that the packets are destined for itself and sends them to the control plane, which then has to process a large number of attack packets, causing high CPU usage. If BGP GTSM is enabled, the device checks the TTL of every BGP packet and discards those with TTL values smaller than 254, so the attack packets do not consume control-plane CPU. GTSM does not protect against an attacker located within the configured hop range, and it does not authenticate packets, so it is combined with MD5 or keychain authentication rather than used instead of it.
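The check described here for BGP and in 3.16.8 for OSPF (ospf valid-ttl-hops) is the same mechanism, so one model covers both. The following Python is an added example, not Huawei code; it models a router that applies a valid-ttl-hops policy per protocol and keeps the counters that display gtsm statistics reports. The packets, addresses and the names GtsmRouter, arriving_ttl and simulate are constructed for this model; the default action for protocols without a policy is pass, as in the OSPF example above.

```python
"""GTSM TTL checking as used in 3.16.8 (ospf valid-ttl-hops) and 4.4.2 (BGP GTSM).

Added example, not Huawei code. Models the check a router applies to received
protocol packets and the per-protocol counters of display gtsm statistics.
All packets below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    protocol: str   # "ospf" or "bgp"
    ttl: int        # IP TTL as seen by the receiving router


@dataclass
class GtsmStats:
    total: int = 0
    passed: int = 0
    dropped: int = 0


class GtsmRouter:
    """One router holding a GTSM policy per protocol, as 'ospf valid-ttl-hops'
    or 'peer <ip> valid-ttl-hops' would configure it."""

    def __init__(self, name: str, default_action: str = "pass"):
        self.name = name
        self.default_action = default_action     # applies to protocols without a policy
        self.policies: Dict[str, int] = {}       # protocol -> valid-ttl-hops
        self.stats: Dict[str, GtsmStats] = {}

    @staticmethod
    def ttl_range(hops: int) -> Tuple[int, int]:
        # hops=1 -> (255, 255): directly connected neighbours only
        # hops=2 -> (254, 255): senders up to two router hops away
        return (255 - hops + 1, 255)

    def set_valid_ttl_hops(self, protocol: str, hops: int) -> Tuple[int, int]:
        """Register a policy and return the TTL range it accepts."""
        if not 1 <= hops <= 255:
            raise ValueError("valid-ttl-hops must be 1..255")
        self.policies[protocol] = hops
        return self.ttl_range(hops)

    def check(self, pkt: Packet) -> str:
        """Return 'pass' or 'drop' for a received packet and update the counters."""
        st = self.stats.setdefault(pkt.protocol, GtsmStats())
        st.total += 1
        hops = self.policies.get(pkt.protocol)
        if hops is None:
            action = self.default_action
        else:
            low, high = self.ttl_range(hops)
            action = "pass" if low <= pkt.ttl <= high else "drop"
        if action == "pass":
            st.passed += 1
        else:
            st.dropped += 1
        return action

    def statistics(self) -> Dict[str, Tuple[int, int, int]]:
        """(total, passed, dropped) per protocol, like display gtsm statistics."""
        return {p: (s.total, s.passed, s.dropped) for p, s in self.stats.items()}


def arriving_ttl(hops_away: int, initial_ttl: int = 255) -> int:
    """TTL seen by the receiver for a sender hops_away router hops away
    (1 = directly connected). Each intermediate router decrements the TTL; the
    receiver itself does not. A sender may pick any initial TTL up to 255 but
    cannot exceed it, so a remote attacker cannot arrive with TTL 255."""
    return max(initial_ttl - (hops_away - 1), 0)


def simulate() -> Dict[str, Dict[str, Tuple[int, int, int]]]:
    """Replay the OSPF GTSM example (RouterA: valid-ttl-hops 1) and a BGP peer
    two hops away (RouterB: valid-ttl-hops 2) with constructed traffic."""
    router_a = GtsmRouter("RouterA")
    router_a.set_valid_ttl_hops("ospf", 1)
    router_b = GtsmRouter("RouterB")
    router_b.set_valid_ttl_hops("bgp", 2)
    router_a.check(Packet("192.168.2.1", "ospf", arriving_ttl(1)))   # real neighbour: pass
    router_a.check(Packet("192.168.2.1", "ospf", arriving_ttl(3)))   # spoofed, 3 hops away: drop
    router_a.check(Packet("10.0.0.9", "bgp", 200))                   # no BGP policy: default pass
    router_b.check(Packet("10.1.1.1", "bgp", arriving_ttl(2)))       # two-hop peer: pass
    router_b.check(Packet("10.1.1.1", "bgp", arriving_ttl(3)))       # three hops: drop
    return {router_a.name: router_a.statistics(), router_b.name: router_b.statistics()}


if __name__ == "__main__":
    for router, stats in simulate().items():
        print(router, stats)
```

The model makes the limitation visible: a packet with a spoofed source address is accepted as long as it arrives with a TTL inside the range, which is exactly what the note on combining GTSM with authentication is about.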
4.5 BGP Route Selection Rules and Load Balancing
There may be multiple routes to the same destination in a BGP routing table. BGP selects one of them as the optimal route and advertises it to peers. To select the optimal route, BGP compares the BGP attributes of the routes in sequence according to the route selection rules.
4.5.1 BGP Attributes Route attributes describe routes. BGP route attributes are classified into the following types. Table 4-5-1 lists common BGP attributes.
Well-known mandatory attribute All BGP devices can identify this type of attributes, which must be carried in Update messages. Without this type of attributes, errors occur in routing information.
Well-known discretionary attribute All BGP devices can identify this type of attributes, which are optional in Update messages. Without this type of attributes, errors do not occur in routing information.
Optional transitive attribute BGP devices may not identify this type of attributes but still accepts them and advertises them to peers.
Optional non-transitive attribute BGP devices may not identify this type of attributes. If a BGP device does not identify this type of attributes, it ignores them and does not advertise them to peers.
Table 4-5-1 Common BGP attributes
Attribute        Type
Origin           Well-known mandatory
AS_Path          Well-known mandatory
Next_Hop         Well-known mandatory
Local_Pref       Well-known discretionary
Community        Optional transitive
MED              Optional non-transitive
Originator_ID    Optional non-transitive
Cluster_List     Optional non-transitive
The following describes common BGP route attributes:
Origin The Origin attribute defines the origin of a route and marks the path of a BGP route. The Origin attribute is classified into three types:
IGP A route with IGP as the Origin attribute is of the highest priority. The Origin attribute of the routes imported into a BGP routing table using the network command is IGP.
EGP A route with EGP as the Origin attribute is of the secondary highest priority. The Origin attribute of the routes obtained through EGP is EGP.
Incomplete A route with Incomplete as the Origin attribute is of the lowest priority. The Origin attribute of the routes learned by other means is Incomplete. For example, the Origin attribute of the routes imported by BGP using the import-route command is Incomplete.
AS_Path The AS_Path attribute records, in vector order, all the ASs that a route passes through from the source to the destination. To prevent inter-AS routing loops, a BGP device discards any received route whose AS_Path list contains the local AS number. When a BGP speaker advertises an imported route:
If the route is advertised to EBGP peers, the BGP speaker creates an AS_Path list containing the local AS number in an Update message.
If the route is advertised to IBGP peers, the BGP speaker creates an empty AS_Path list in an Update message.
When a BGP speaker advertises a route learned in the Update message sent by another BGP speaker:
If the route is advertised to EBGP peers, the BGP speaker adds the local AS number to the leftmost position of the AS_Path list. From the AS_Path list, the BGP speaker that receives the route can learn the ASs through which the route passes to reach the destination. The number of the AS nearest to the local AS is placed at the top of the AS_Path list, and the other AS numbers follow in the sequence in which the route passed through those ASs.
If the route is advertised to IBGP peers, the BGP speaker does not change the AS_Path attribute of the route.
Next_Hop The Next_Hop attribute records the next hop that a route passes through. The Next_Hop attribute of BGP is different from that of an IGP because it may not be the neighbor IP address. A BGP speaker processes the Next_Hop attribute based on the following rules:
When advertising a route to an EBGP peer, a BGP speaker sets the Next_Hop attribute of the route to the address of the local interface through which the BGP peer relationship is established with the peer.
When advertising a locally originated route to an IBGP peer, the BGP speaker sets the Next_Hop attribute of the route to the address of the local interface through which the BGP peer relationship is established with the peer.
When advertising a route learned from an EBGP peer to an IBGP peer, the BGP speaker does not change the Next_Hop attribute of the route.
Local_Pref The Local_Pref attribute indicates the BGP preference of a device and helps determine the optimal route when traffic leaves an AS. When a BGP device obtains multiple routes to the same destination address but with different next hops from different IBGP peers, the BGP device prefers the route with the highest Local_Pref. The Local_Pref attribute is exchanged only between IBGP peers and is not advertised to other ASs. The Local_Pref attribute can be manually configured. If no Local_Pref attribute is configured for a route, the Local_Pref attribute of the route uses the default value 100.
MED The multi-exit discriminator (MED) attribute helps determine the optimal route when traffic enters an AS. When a BGP device obtains multiple routes to the same destination address but with different next hops from EBGP peers, the BGP device selects the route with the smallest MED value as the optimal route. The MED attribute is exchanged only between two neighboring ASs. The AS that receives the MED attribute does not advertise it to any other ASs. The MED attribute can be manually configured. If no MED attribute is configured for a route, the MED attribute of the route uses the default value 0.
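How the AS_Path, Next_Hop, Local_Pref and MED rules above combine when a route is advertised, shown as an added Python example that is not Huawei code. It replays the path of 8.0.0.0/8 in the basic BGP example (4.6.1): RouterA in AS 65008 originates the route over EBGP to RouterB in AS 65009, which advertises it over IBGP to RouterC, and RouterA rejects the route when it comes back carrying its own AS. The addresses come from that example; the Route, Peer and Speaker structures are constructed for this model, and the IBGP full mesh of 4.6.1 is why an IBGP-learned route is not re-advertised to IBGP peers here.

```python
"""AS_Path, Next_Hop, Local_Pref and MED handling when a BGP speaker advertises
a route, plus the AS_Path loop check on receipt (rules of 4.5.1).

Added example, not Huawei code. Addresses follow Figure 4-6-1; the Route,
Peer and Speaker structures are constructed for this model.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Peer:
    address: str        # the peer's address
    local_address: str  # our interface address used for this session
    asn: int            # the peer's AS number


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...] = ()    # leftmost entry is the nearest AS
    next_hop: str = "0.0.0.0"        # 0.0.0.0 marks a locally originated route
    origin: str = "i"                # i (IGP), e (EGP) or ? (incomplete)
    local_pref: Optional[int] = None
    med: Optional[int] = None


class Speaker:
    def __init__(self, name: str, asn: int):
        self.name = name
        self.asn = asn

    def is_ebgp(self, peer: Peer) -> bool:
        return peer.asn != self.asn

    def advertise(self, route: Route, to_peer: Peer,
                  learned_from: Optional[Peer]) -> Optional[Route]:
        """Build the Update sent to to_peer, or None if the route must not be
        sent. learned_from is None for a route this speaker imported itself."""
        local = learned_from is None
        if not local and not self.is_ebgp(learned_from) and not self.is_ebgp(to_peer):
            return None   # IBGP-learned routes are not passed on to other IBGP peers
        if self.is_ebgp(to_peer):
            # AS_Path: (local AS) for an imported route, else prepend the local AS.
            as_path = (self.asn,) + (() if local else route.as_path)
            next_hop = to_peer.local_address        # always our session address
            local_pref = None                       # never leaves the AS
            med = route.med if local else None      # not forwarded to a third AS
        else:
            as_path = () if local else route.as_path    # unchanged towards IBGP
            # Our address for a local route; unchanged for an EBGP-learned route.
            next_hop = to_peer.local_address if local else route.next_hop
            local_pref = 100 if route.local_pref is None else route.local_pref
            med = route.med
        return Route(route.prefix, as_path, next_hop, route.origin, local_pref, med)

    def receive(self, route: Route, from_peer: Peer) -> Optional[Route]:
        """Inter-AS loop prevention: discard an EBGP route already carrying our AS."""
        if self.is_ebgp(from_peer) and self.asn in route.as_path:
            return None
        return route


def replay_figure_4_6_1():
    """8.0.0.0/8 from RouterA to RouterB (EBGP) to RouterC (IBGP), then back to RouterA."""
    router_a = Speaker("RouterA", 65008)
    router_b = Speaker("RouterB", 65009)
    router_c = Speaker("RouterC", 65009)
    a_to_b = Peer(address="200.1.1.1", local_address="200.1.1.2", asn=65009)  # on RouterA
    b_to_a = Peer(address="200.1.1.2", local_address="200.1.1.1", asn=65008)  # on RouterB
    b_to_c = Peer(address="9.1.3.2", local_address="9.1.3.1", asn=65009)      # on RouterB
    c_to_b = Peer(address="9.1.3.1", local_address="9.1.3.2", asn=65009)      # on RouterC

    origin = Route("8.0.0.0/8", origin="i")       # network 8.0.0.0 255.0.0.0 on RouterA
    at_b = router_b.receive(router_a.advertise(origin, a_to_b, learned_from=None), b_to_a)
    at_c = router_c.receive(router_b.advertise(at_b, b_to_c, learned_from=b_to_a), c_to_b)
    # RouterB offering the route back into AS 65008: RouterA must drop it.
    echoed = router_b.advertise(at_b, b_to_a, learned_from=b_to_a)
    at_a = router_a.receive(echoed, a_to_b)
    return at_b, at_c, echoed, at_a


if __name__ == "__main__":
    for label, r in zip(("at RouterB", "at RouterC", "echoed to A", "accepted by A"),
                        replay_figure_4_6_1()):
        print(label, r)
```

The route as it arrives at RouterC matches the display bgp routing-table output of 4.6.1: AS_Path 65008, Next_Hop 200.1.1.2 (unchanged from the EBGP session, which is why it is invalid there until RouterB advertises the 200.1.1.0 network), and Local_Pref 100.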
Community The Community attribute identifies the BGP routes with the same characteristics, simplifies the application of routing policies, and facilitates route maintenance and management. The Community attribute includes self-defined community attributes and well-known community attributes. Table 4-5-2 lists the well-known community attributes.
Table 4-5-2 Well-known community attributes
Community Attribute    Value                      Description
Internet               0 (0x00000000)             A BGP device can advertise a received route carrying the Internet attribute to all peers.
No_Advertise           4294967042 (0xFFFFFF02)    A BGP device does not advertise a received route carrying the No_Advertise attribute to any peer.
No_Export              4294967041 (0xFFFFFF01)    A BGP device does not advertise a received route carrying the No_Export attribute to devices outside the local AS.
No_Export_Subconfed    4294967043 (0xFFFFFF03)    A BGP device does not advertise a received route carrying the No_Export_Subconfed attribute to devices outside the local AS or outside the local sub-AS.
Originator_ID and Cluster_List The Originator_ID attribute and Cluster_List attribute help eliminate loops in route reflector scenarios. For details, see Route Reflector.
4.5.2 BGP Route Selection Policies
When there are multiple routes to the same destination, BGP compares the following attributes in sequence to select the optimal route:
1. Prefers the route with the largest PrefVal value. The PrefVal attribute is a Huawei proprietary attribute and is valid only on the device where it is configured.
2. Prefers the route with the highest Local_Pref. If a route does not have the Local_Pref attribute, the Local_Pref attribute of the route uses the default value 100.
3. Prefers the manually summarized route, automatically summarized route, route imported using the network command, route imported using the import-route command, and route learned from peers, in descending order of priority.
4. Prefers the route with the shortest AS_Path.
5. Prefers the route with the lowest origin type. IGP is lower than EGP, and EGP is lower than Incomplete.
6. Prefers the route with the lowest MED if the routes are received from the same AS.
7. Prefers EBGP routes, IBGP routes, LocalCross routes, and RemoteCross routes, in descending order of priority. LocalCross allows a PE to add the VPNv4 route of a VPN instance to the routing table of the VPN instance if the export RT of the VPNv4 route matches the import RT of another VPN instance on the PE. RemoteCross allows a local PE to add the VPNv4 route learned from a remote PE to the routing table of a VPN instance on this local PE if the export RT of the VPNv4 route matches the import RT of the VPN instance.
8. Prefers the route with the lowest IGP metric to the BGP next hop.
NOTE: If there are multiple routes to the same destination, an IGP calculates the route metric using its routing algorithm.
9. Prefers the route with the shortest Cluster_List.
10. Prefers the route advertised by the device with the smallest router ID.
NOTE: If a route carries the Originator_ID attribute, BGP prefers the route with the smallest Originator_ID without comparing the router ID.
11. Prefers the route learned from the peer with the lowest IP address.
4.5.3 BGP Load Balancing When there are multiple equal-cost routes to the same destination, you can perform load balancing among these routes to load balance traffic. Equal-cost BGP routes can be generated for traffic load balancing only when the first eight route attributes described in "BGP Route Selection Policies" are the same.
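The eleven rules of 4.5.2 and the equal-cost test of 4.5.3, as an added Python example that is not Huawei code. It implements the comparison in the listed order, including the two special cases: MED is compared only between routes whose AS_Path starts with the same neighbouring AS, and Originator_ID replaces the router ID when it is present. The candidate routes, router IDs and peer addresses used in the demo are constructed, and the field names on Candidate are this example's own.

```python
"""BGP route selection in the order of 4.5.2, plus the equal-cost test of 4.5.3.

Added example, not Huawei code. Candidate routes are constructed; attribute
names, defaults and rankings follow the text above.
"""
import ipaddress
from dataclasses import dataclass
from functools import cmp_to_key
from typing import List, Optional, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}          # step 5, lower wins
SOURCE_RANK = {"manual-summary": 0, "auto-summary": 1,        # step 3, lower wins
               "network": 2, "import-route": 3, "peer": 4}
PEER_TYPE_RANK = {"ebgp": 0, "ibgp": 1, "local-cross": 2,     # step 7, lower wins
                  "remote-cross": 3}


@dataclass(frozen=True)
class Candidate:
    name: str
    pref_val: int = 0                      # Huawei-specific, local to this device
    local_pref: Optional[int] = None       # None means the default 100
    source: str = "peer"
    as_path: Tuple[int, ...] = ()
    origin: str = "igp"
    med: int = 0                           # default MED is 0
    peer_type: str = "ebgp"
    igp_metric: int = 0                    # IGP cost to the BGP next hop
    cluster_list: Tuple[str, ...] = ()
    originator_id: Optional[str] = None
    router_id: str = "0.0.0.0"             # router ID of the advertising device
    peer_ip: str = "0.0.0.0"               # address of the peer the route came from

    @property
    def neighbor_as(self) -> Optional[int]:
        return self.as_path[0] if self.as_path else None


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _keys(r: Candidate) -> List[Optional[int]]:
    """One key per step; a smaller key wins. Index 5 (MED) is None because MED
    is only compared when both routes come from the same neighbouring AS."""
    return [
        -r.pref_val,                                       # 1 largest PrefVal
        -(100 if r.local_pref is None else r.local_pref),  # 2 highest Local_Pref
        SOURCE_RANK[r.source],                             # 3 route source
        len(r.as_path),                                    # 4 shortest AS_Path
        ORIGIN_RANK[r.origin],                             # 5 IGP < EGP < Incomplete
        None,                                              # 6 MED (special case)
        PEER_TYPE_RANK[r.peer_type],                       # 7 EBGP > IBGP > ...
        r.igp_metric,                                      # 8 lowest IGP metric
        len(r.cluster_list),                               # 9 shortest Cluster_List
        _ip(r.originator_id or r.router_id),               # 10 smallest (Originator_)ID
        _ip(r.peer_ip),                                    # 11 lowest peer address
    ]


def compare(a: Candidate, b: Candidate, steps: int = 11) -> int:
    """Negative if a is preferred, positive if b is, 0 if the first `steps`
    rules cannot separate them."""
    ka, kb = _keys(a), _keys(b)
    for i in range(steps):
        if i == 5:
            if a.neighbor_as is not None and a.neighbor_as == b.neighbor_as and a.med != b.med:
                return -1 if a.med < b.med else 1
            continue
        if ka[i] != kb[i]:
            return -1 if ka[i] < kb[i] else 1
    return 0


def select_best(candidates: List[Candidate]) -> Candidate:
    return sorted(candidates, key=cmp_to_key(compare))[0]


def equal_cost_routes(candidates: List[Candidate]) -> List[Candidate]:
    """Routes eligible for load balancing (4.5.3): those that tie with the
    best route through the first eight rules."""
    best = select_best(candidates)
    return [c for c in candidates if compare(best, c, steps=8) == 0]


def demo() -> Tuple[str, List[str]]:
    """Constructed candidates for one prefix as seen on a router in AS 65009."""
    ebgp = Candidate("ebgp-65010", as_path=(65010, 65008), router_id="5.5.5.5", peer_ip="10.0.0.5")
    ibgp = Candidate("ibgp-via-B", as_path=(65008,), peer_type="ibgp", igp_metric=1,
                     router_id="2.2.2.2", peer_ip="9.1.3.1")
    ibgp_lp = Candidate("ibgp-lp200", local_pref=200, as_path=(65010, 65008),
                        peer_type="ibgp", igp_metric=3, router_id="4.4.4.4", peer_ip="9.1.1.2")
    return select_best([ebgp, ibgp, ibgp_lp]).name, [c.name for c in equal_cost_routes([ebgp, ibgp, ibgp_lp])]


if __name__ == "__main__":
    print(demo())
```

In the demo the highest Local_Pref decides at step 2, before the shorter AS_Path of the IBGP route or the EBGP preference at step 7 are ever consulted; this is the usual way an operator steers outbound traffic, and the reason a rogue Local_Pref set by a policy on one IBGP speaker affects the whole AS.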
4.6 Examples for Configuring BGP
4.6.1 Example for Configuring Basic BGP Functions
Networking Requirements As shown in Figure 4-6-1, BGP runs between Routers; an EBGP connection is established between RouterA and RouterB; IBGP full-mesh connections are established between RouterB, RouterC, and RouterD.
Figure 4-6-1 Networking diagram of configuring basic BGP functions
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IBGP connections between RouterB, RouterC, and RouterD.
2. Configure an EBGP connection between RouterA and RouterB.
Procedure
1. Configure an IP address for each interface.
# Configure RouterA.
system-view
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 8.1.1.1 8
The configurations of RouterB, RouterC, and RouterD are similar to the configuration of RouterA, and are not mentioned here.
3. Configure an EBGP connection.
# Configure RouterA.
[RouterA] bgp 65008
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] peer 200.1.1.1 as-number 65009
# Configure RouterB.
[RouterB-bgp] peer 200.1.1.2 as-number 65008
# View the status of the BGP peers.
[RouterB] display bgp peer

 BGP local router ID : 2.2.2.2
 Local AS number : 65009
 Total number of peers : 3                 Peers in established state : 3

  Peer        V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
  9.1.1.2     4  65009  49       62       0     00:44:58  Established  0
  9.1.3.2     4  65009  56       56       0     00:40:54  Established  0
  200.1.1.2   4  65008  49       65       0     00:44:03  Established  1
The preceding command output shows that BGP connections have been established between RouterB and the other routers.
4. Configure RouterA to advertise route 8.0.0.0/8.
# Configure RouterA to advertise a route.
[RouterA-bgp] ipv4-family unicast
[RouterA-bgp-af-ipv4] network 8.0.0.0 255.0.0.0
# View the routing table of RouterA.
[RouterA] display bgp routing-table

 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete

 Total Number of Routes: 1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   8.0.0.0            0.0.0.0        0                    0       i
# View the routing table of RouterB.
[RouterB] display bgp routing-table

 BGP Local router ID is 2.2.2.2
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete

 Total Number of Routes: 1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   8.0.0.0            200.1.1.2      0                    0       65008i
# View the routing table of RouterC.
[RouterC] display bgp routing-table

 BGP Local router ID is 3.3.3.3
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete

 Total Number of Routes: 1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
  i   8.0.0.0            200.1.1.2      0          100       0       65008i
NOTE: The preceding command output shows that RouterC has learned the route to destination 8.0.0.0 in AS 65008. The route, however, is invalid (no * flag) because its next hop 200.1.1.2, which RouterB passed on unchanged over IBGP, is unreachable from RouterC.
5. Configure BGP to import direct routes.
# Configure RouterB.
[RouterB-bgp] ipv4-family unicast
[RouterB-bgp-af-ipv4] import-route direct
# View the BGP routing table of RouterA.
[RouterA] display bgp routing-table

 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete

 Total Number of Routes: 4
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   8.0.0.0            0.0.0.0        0                    0       i
 *>   9.1.1.0/24         200.1.1.1      0                    0       65009?
 *>   9.1.3.0/24         200.1.1.1      0                    0       65009?
 *>   200.1.1.0          200.1.1.1      0                    0       65009?
# View the BGP routing table of RouterC.
[RouterC] display bgp routing-table

 BGP Local router ID is 3.3.3.3
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete

 Total Number of Routes: 4
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i  8.0.0.0            200.1.1.2      0          100       0       65008i
 *>i  9.1.1.0/24         9.1.3.1        0          100       0       ?
  i   9.1.3.0/24         9.1.3.1        0          100       0       ?
 *>i  200.1.1.0          9.1.3.1        0          100       0       ?
The preceding command output shows that the route to destination 8.0.0.0 has become valid, because RouterC now has a route to 200.1.1.0 and can therefore reach the next-hop address 200.1.1.2 of RouterA.
# Run the ping command on RouterC.
[RouterC] ping 8.1.1.1
  PING 8.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 8.1.1.1: bytes=56 Sequence=1 ttl=254 time=31 ms
    Reply from 8.1.1.1: bytes=56 Sequence=2 ttl=254 time=47 ms
    Reply from 8.1.1.1: bytes=56 Sequence=3 ttl=254 time=31 ms
    Reply from 8.1.1.1: bytes=56 Sequence=4 ttl=254 time=16 ms
    Reply from 8.1.1.1: bytes=56 Sequence=5 ttl=254 time=31 ms

  --- 8.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 16/31/47 ms
4.6.2 Example for Configuring BGP to Interact with an IGP
Networking Requirements The network shown in Figure 4-6-2 is divided into AS 65008 and AS 65009. In AS 65009, an IGP is used to calculate routes. In this example, OSPF is used as an IGP. The two ASs need to communicate with each other.
Figure 4-6-2 Networking diagram for configuring BGP to interact with an IGP
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF on RouterB and RouterC so that these devices can access each other.
2. Establish an EBGP connection between RouterA and RouterB so that these devices can exchange routing information.
3. Configure BGP and OSPF to import routes from each other on RouterB so that the two ASs can communicate with each other.
4. (Optional) Configure BGP route summarization on RouterB to simplify the BGP routing table.
Procedure
1. Configure an IP address for each interface as shown in Figure 4-6-2. For details about the configuration, see the following configuration files.
4. Configure BGP to interact with an IGP.
# On RouterB, configure BGP to import OSPF routes.
[RouterB-bgp] ipv4-family unicast
[RouterB-bgp-af-ipv4] import-route ospf 1
[RouterB-bgp-af-ipv4] quit
[RouterB-bgp] quit
# View the routing table of RouterA.
[RouterA] display bgp routing-table

 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete

 Total Number of Routes: 3
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   8.1.1.0/24         0.0.0.0        0                    0       i
 *>   9.1.1.0/24         3.1.1.1        0                    0       65009?
 *>   9.1.2.0/24         3.1.1.1        2                    0       65009?
# On RouterB, configure OSPF to import BGP routes.
[RouterB] ospf
[RouterB-ospf-1] import-route bgp
[RouterB-ospf-1] quit
# View the routing table of RouterC.
[RouterC] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost  Flags  NextHop      Interface
       8.1.1.0/24   O_ASE   150  1     D      9.1.1.1      GigabitEthernet1/0/0
       9.1.1.0/24   Direct  0    0     D      9.1.1.2      GigabitEthernet1/0/0
       9.1.1.2/32   Direct  0    0     D      127.0.0.1    GigabitEthernet1/0/0
       9.1.2.0/24   Direct  0    0     D      9.1.2.1      GigabitEthernet2/0/0
       9.1.2.1/32   Direct  0    0     D      127.0.0.1    GigabitEthernet2/0/0
       127.0.0.0/8  Direct  0    0     D      127.0.0.1    InLoopBack0
      127.0.0.1/32  Direct  0    0     D      127.0.0.1    InLoopBack0
The route to 8.1.1.0/24, learned by RouterB over EBGP, now appears on RouterC as an OSPF external (O_ASE) route with preference 150 and next hop RouterB.
5. (Optional) Configure automatic route summarization.
BGP is used to transmit routing information on large-scale networks. BGP route summarization can be configured to simplify the routing tables of devices on these networks. Automatic summarization applies only to routes imported with import-route and summarizes them to their natural (classful) network.
# Configure RouterB.
[RouterB] bgp 65009
[RouterB-bgp] ipv4-family unicast
[RouterB-bgp-af-ipv4] summary automatic
# View the BGP routing table of RouterA. The two imported OSPF routes 9.1.1.0/24 and 9.1.2.0/24 have been replaced by the single summary route 9.0.0.0, which carries no MED.
[RouterA] display bgp routing-table

 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete

 Total Number of Routes: 2
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   8.1.1.0/24         0.0.0.0        0                    0       i
 *>   9.0.0.0            3.1.1.1                             0       65009?
# Run the ping -a 8.1.1.1 9.1.2.1 command on RouterA.
[RouterA] ping -a 8.1.1.1 9.1.2.1
  PING 9.1.2.1: 56  data bytes, press CTRL_C to break
    Reply from 9.1.2.1: bytes=56 Sequence=1 ttl=254 time=15 ms
    Reply from 9.1.2.1: bytes=56 Sequence=2 ttl=254 time=31 ms
    Reply from 9.1.2.1: bytes=56 Sequence=3 ttl=254 time=47 ms
    Reply from 9.1.2.1: bytes=56 Sequence=4 ttl=254 time=46 ms
    Reply from 9.1.2.1: bytes=56 Sequence=5 ttl=254 time=47 ms

  --- 9.1.2.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 15/37/47 ms
Configuration file of RouterC
#
 sysname RouterC
#
interface GigabitEthernet1/0/0
 ip address 9.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 9.1.2.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 9.1.1.0 0.0.0.255
  network 9.1.2.0 0.0.0.255
#
return
4.6.3 Example for Configuring AS_Path Filters
Networking Requirements
On the network shown in Figure 4-6-3, RouterB establishes EBGP connections with Routers A and C. The user wants to prevent the devices in AS 10 from communicating with the devices in AS 30.
Figure 4-6-3 Networking diagram for configuring AS_Path filters
Configuration Roadmap
The configuration roadmap is as follows:
1. Establish EBGP connections between Routers A and B and between Routers B and C, and configure these devices to import direct routes so that the ASs can communicate with each other through these EBGP connections.
2. Configure AS_Path filters on RouterB and use filtering rules to prevent AS 20 from advertising routes of AS 30 to AS 10 or routes of AS 10 to AS 30.
Procedure
1. Configure an IP address for each interface. The configuration details are not provided here.
2. Establish EBGP connections.
# Configure RouterA.
[RouterA] bgp 10
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] peer 200.1.2.2 as-number 20
[RouterA-bgp] import-route direct
# Configure RouterB.
[RouterB] bgp 20
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 200.1.2.1 as-number 10
[RouterB-bgp] peer 200.1.3.2 as-number 30
[RouterB-bgp] import-route direct
[RouterB-bgp] quit
# Configure RouterC.
[RouterC] bgp 30
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] peer 200.1.3.1 as-number 20
[RouterC-bgp] import-route direct
[RouterC-bgp] quit
# View routes advertised by RouterB. Routes advertised by RouterB to RouterC are used as an example. You can see that RouterB advertises the direct route imported by AS 10.
display bgp routing-table peer 200.1.3.2 advertised-routes
 BGP Local router ID is 2.2.2.2
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 5
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   9.1.1.0/24         200.1.3.1                           0       20 10?
 *>   10.1.1.0/24        200.1.3.1                           0       20 30?
 *>   200.1.2.0          200.1.3.1      0                    0       20?
 *>   200.1.2.1/32       200.1.3.1      0                    0       20?
 *>   200.1.3.0/24       200.1.3.1      0                    0       20?
View the routing table of RouterC. You can see that RouterC has learned the direct route from RouterB.
display bgp routing-table
 BGP Local router ID is 3.3.3.3
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 9
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   9.1.1.0/24         200.1.3.1                           0       20 10?
 *>   10.1.1.0/24        0.0.0.0        0                    0       ?
 *>   10.1.1.1/32        0.0.0.0        0                    0       ?
 *>   127.0.0.0          0.0.0.0        0                    0       ?
 *>   127.0.0.1/32       0.0.0.0        0                    0       ?
 *>   200.1.2.0          200.1.3.1      0                    0       20?
 *>   200.1.3.0/24       0.0.0.0        0                    0       ?
 *                       200.1.3.1      0                    0       20?
 *>   200.1.3.2/32       0.0.0.0        0                    0       ?
3. Configure AS_Path filters on RouterB and apply the AS_Path filters to routes to be advertised by RouterB.
# Create AS_Path filter 1 to deny the routes carrying AS number 30. In the regular expression "_30_", "_" matches a boundary between AS numbers, so the expression matches any AS list that contains AS 30 (and not, for example, AS 300); ".*" matches any AS list, including an empty one.
[RouterB] ip as-path-filter path-filter1 deny _30_
[RouterB] ip as-path-filter path-filter1 permit .*
# Create AS_Path filter 2 to deny the routes carrying AS 10.
[RouterB] ip as-path-filter path-filter2 deny _10_
[RouterB] ip as-path-filter path-filter2 permit .*
# Apply the AS_Path filters to routes to be advertised by RouterB.
[RouterB] bgp 20
[RouterB-bgp] peer 200.1.2.1 as-path-filter path-filter1 export
[RouterB-bgp] peer 200.1.3.2 as-path-filter path-filter2 export
[RouterB-bgp] quit
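Whether these two filters block exactly what the roadmap asks for depends on the boundary semantics of "_": a sloppy pattern such as "30" without the anchors would also drop routes through AS 300 or AS 1030. The following Python model is an added example, not code from the Huawei material. It evaluates router-style AS_Path regular expressions against constructed AS_Path strings, with the same two filters, the router's implicit deny at the end of a filter, and a made-up route through AS 1030 to show that "_10_" does not match it. The sample table and the assumption that the export filter sees the AS_Path as stored in RouterB's table (before the local AS 20 is prepended) are mine.

```python
import re

# In router-style AS_Path regular expressions "_" stands for a boundary between AS
# numbers (start of path, end of path, or a space), so "_30_" matches the AS number 30
# as a whole and not 300 or 1030. This constant translates that convention to Python's re.
AS_BOUNDARY = r"(?:^|$|\s)"


def compile_as_path_regex(pattern: str):
    """Translate a router-style AS_Path regular expression into a compiled Python regex."""
    return re.compile(pattern.replace("_", AS_BOUNDARY))


def build_as_path_filter(rules):
    """Build an AS_Path filter from ordered (action, pattern) rules.

    Rules are evaluated top down and the first match decides. A path that matches no
    rule is denied, the same implicit deny a router applies at the end of a filter.
    Returns a function that takes an AS_Path string and returns True if it is permitted.
    """
    compiled = [(action, compile_as_path_regex(pattern)) for action, pattern in rules]

    def permit(as_path: str) -> bool:
        for action, regex in compiled:
            if regex.search(as_path):
                return action == "permit"
        return False

    return permit


# The two filters from the procedure above.
PATH_FILTER1 = build_as_path_filter([("deny", "_30_"), ("permit", ".*")])  # export to 200.1.2.1 (AS 10)
PATH_FILTER2 = build_as_path_filter([("deny", "_10_"), ("permit", ".*")])  # export to 200.1.3.2 (AS 30)


def export_routes(routes, permit):
    """Apply an export filter to (prefix, as_path) pairs; return the prefixes that may be sent."""
    return [prefix for prefix, as_path in routes if permit(as_path)]


# Constructed sample of RouterB's BGP table. AS_Path is shown as stored locally; the
# local AS 20 is prepended only when the Update is built (assumed evaluation point).
ROUTER_B_TABLE = [
    ("9.1.1.0/24", "10"),       # RouterA's direct route, learned from AS 10
    ("10.1.1.0/24", "30"),      # RouterC's direct route, learned from AS 30
    ("200.1.2.0/24", ""),       # RouterB's own imported direct routes carry an empty AS_Path
    ("200.1.3.0/24", ""),
    ("172.16.0.0/16", "1030"),  # constructed: AS 1030 contains the digits "10" and "30" but is neither
]


def routes_toward_as10():
    """Prefixes RouterB would send to AS 10 after path-filter1."""
    return export_routes(ROUTER_B_TABLE, PATH_FILTER1)


def routes_toward_as30():
    """Prefixes RouterB would send to AS 30 after path-filter2."""
    return export_routes(ROUTER_B_TABLE, PATH_FILTER2)


if __name__ == "__main__":
    print("to AS 10:", routes_toward_as10())
    print("to AS 30:", routes_toward_as30())
```

The route of AS 30 disappears from the list sent to AS 10 and vice versa, while RouterB's own routes and the AS 1030 route pass both filters. Dropping the "_" anchors is the usual way such a filter silently over-blocks, so verify the advertised-routes output after any change, as step 4 does.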
4. # View routes advertised by RouterB.
# View routes advertised by RouterB to AS 30. You can see that RouterB does not advertise the direct route imported by AS 10.
display bgp routing-table peer 200.1.3.2 advertised-routes
 BGP Local router ID is 2.2.2.2
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 2
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   200.1.2.0          200.1.3.1      0                    0       20?
 *>   200.1.3.0/24       200.1.3.1      0                    0       20?
The route does not exist in the BGP routing table of RouterC.
display bgp routing-table
 BGP Local router ID is 3.3.3.3
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 8
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   10.1.1.0/24        0.0.0.0        0                    0       ?
 *>   10.1.1.1/32        0.0.0.0        0                    0       ?
 *>   127.0.0.0          0.0.0.0        0                    0       ?
 *>   127.0.0.1/32       0.0.0.0        0                    0       ?
 *>   200.1.2.0          200.1.3.1      0                    0       20?
 *>   200.1.3.0/24       0.0.0.0        0                    0       ?
 *                       200.1.3.1      0                    0       20?
 *>   200.1.3.2/32       0.0.0.0        0                    0       ?
# View routes advertised by RouterB to AS 10. You can see that RouterB does not advertise the direct route imported by AS 30.
display bgp routing-table peer 200.1.2.1 advertised-routes
 BGP Local router ID is 2.2.2.2
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 2
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   200.1.2.0          200.1.2.2      0                    0       20?
 *>   200.1.3.0/24       200.1.2.2      0                    0       20?
The route does not exist in the BGP routing table of RouterA.
display bgp routing-table
 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 8
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   9.1.1.0/24         0.0.0.0        0                    0       ?
 *>   9.1.1.1/32         0.0.0.0        0                    0       ?
 *>   127.0.0.0          0.0.0.0        0                    0       ?
 *>   127.0.0.1/32       0.0.0.0        0                    0       ?
 *>   200.1.2.0          0.0.0.0        0                    0       ?
 *                       200.1.2.2      0                    0       20?
 *>   200.1.2.1/32       0.0.0.0        0                    0       ?
 *>   200.1.3.0/24       200.1.2.2      0                    0       20?
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
4.6.4 Example for Configuring MED Attributes to Control BGP Route Selection
Networking Requirements
As shown in Figure 4-6-4, BGP is configured on all routers. RouterA resides in AS 65008; RouterB and RouterC reside in AS 65009. EBGP connections are established between RouterA and RouterB, and between RouterA and RouterC. An IBGP connection is established between RouterB and RouterC. After a period, traffic from AS 65008 to AS 65009 needs to pass through RouterC first.
Figure 4-6-4 Networking diagram for configuring MED attributes of routes to control route selection
Configuration Roadmap
The configuration roadmap is as follows:
1. Establish EBGP connections between RouterA and RouterB and between RouterA and RouterC, and establish an IBGP connection between RouterB and RouterC.
2. Apply a routing policy to increase the MED value of the route sent by RouterB to RouterA so that RouterA will send traffic to AS 65009 through RouterC.
Procedure
1. Configure an IP address for each interface. The configuration details are not provided here.
 BGP routing table entry information of 9.1.1.0/24:
 From: 200.1.1.1 (2.2.2.2)
 Route Duration: 00h00m56s
 Direct Out-interface: GigabitEthernet1/0/0
 Original nexthop: 200.1.1.1
 Qos information : 0x0
 AS-path 65009, origin igp, MED 0, pref-val 0, valid, external, best, select, pre 255
 Advertised to such 2 peers:
    200.1.1.1
    200.1.2.1

 BGP routing table entry information of 9.1.1.0/24:
 From: 200.1.2.1 (3.3.3.3)
 Route Duration: 00h00m06s
 Direct Out-interface: GigabitEthernet2/0/0
 Original nexthop: 200.1.2.1
 Qos information : 0x0
 AS-path 65009, origin igp, MED 0, pref-val 0, valid, external, pre 255, not preferred for router ID
 Not advertised to any peer yet
The preceding command output shows that there are two valid routes to destination 9.1.1.0/24. The route with the next-hop address of 200.1.1.1 is the optimal route because the router ID of RouterB (2.2.2.2) is smaller.
3. Set MED attributes for routes.
# Apply a routing policy to set an MED value for the route advertised by RouterB to RouterA (the default MED value of a route is 0).
[RouterB] route-policy policy10 permit node 10
[RouterB-route-policy] apply cost 100
[RouterB-route-policy] quit
[RouterB] bgp 65009
[RouterB-bgp] peer 200.1.1.2 route-policy policy10 export
# View the routing table of RouterA.
[RouterA] display bgp routing-table 9.1.1.0 24
 BGP local router ID : 1.1.1.1
 Local AS number : 65008
 Paths:   2 available, 1 best, 1 select
 BGP routing table entry information of 9.1.1.0/24:
 From: 200.1.2.1 (3.3.3.3)
 Route Duration: 00h07m45s
 Direct Out-interface: GigabitEthernet2/0/0
 Original nexthop: 200.1.2.1
 Qos information : 0x0
 AS-path 65009, origin igp, MED 0, pref-val 0, valid, external, best, select, pre 255
 Advertised to such 2 peers:
    200.1.1.1
    200.1.2.1

 BGP routing table entry information of 9.1.1.0/24:
 From: 200.1.1.1 (2.2.2.2)
 Route Duration: 00h00m08s
 Direct Out-interface: GigabitEthernet1/0/0
 Original nexthop: 200.1.1.1
 Qos information : 0x0
 AS-path 65009, origin igp, MED 100, pref-val 0, valid, external, pre 255, not preferred for MED
 Not advertised to any peer yet
The preceding command output shows that the MED value of the route with the next-hop address of 200.1.1.1 (RouterB) is 100 and the MED value of the route with the next-hop address of 200.1.2.1 (RouterC) is 0. The route with the smaller MED value is selected.
Networking Requirements On the network shown in Figure 4-6-5, BGP is configured on all routers. RouterA is in AS 100. RouterB and RouterC are in AS 300. RouterD is in AS 200. Network congestion from RouterA to destination address 8.1.1.0/24 needs to be relieved and network resources need to be fully utilized.
Figure 4-6-5 Networking diagram of configuring BGP load balancing
Configuration Roadmap
The configuration roadmap is as follows:
1. Establish EBGP connections between RouterA and RouterB, between RouterA and RouterC, between RouterD and RouterB, and between RouterD and RouterC, so that the ASs can communicate with each other using BGP.
2. Configure load balancing on RouterA so that RouterA can send traffic to RouterD through either RouterB or RouterC.
Procedure
1. Configure an IP address for each interface. The configuration details are not provided here.
 BGP local router ID : 1.1.1.1
 Local AS number : 100
 Paths :   2 available, 1 best, 1 select
 BGP routing table entry information of 8.1.1.0/24:
 From: 200.1.1.2 (2.2.2.2)
 Route Duration: 00h00m50s
 Direct Out-interface: GigabitEthernet1/0/0
 Original nexthop: 200.1.1.2
 Qos information : 0x0
 AS-path 300 200, origin igp, pref-val 0, valid, external, best, select, active, pre 255
 Advertised to such 2 peers:
    200.1.1.2
    200.1.2.2

 BGP routing table entry information of 8.1.1.0/24:
 From: 200.1.2.2 (3.3.3.3)
 Route Duration: 00h00m51s
 Direct Out-interface: GigabitEthernet2/0/0
 Original nexthop: 200.1.2.2
 Qos information : 0x0
 AS-path 300 200, origin igp, pref-val 0, valid, external, pre 255, not preferred for router ID
 Not advertised to any peer yet
The preceding command output shows that there are two valid routes from RouterA to destination 8.1.1.0/24. The route with the next-hop address of 200.1.1.2 is the optimal route because the router ID of RouterB is smaller.
3. Verify the configuration.
# View the routing table of RouterA.
[RouterA] display bgp routing-table 8.1.1.0 24
 BGP local router ID : 1.1.1.1
 Local AS number : 100
 Paths :   2 available, 1 best, 2 select
 BGP routing table entry information of 8.1.1.0/24:
 From: 200.1.1.2 (2.2.2.2)
 Route Duration: 00h03m55s
 Direct Out-interface: GigabitEthernet1/0/0
 Original nexthop: 200.1.1.2
 Qos information : 0x0
 AS-path 300 200, origin igp, pref-val 0, valid, external, best, select, active, pre 255
 Advertised to such 2 peers
    200.1.1.2
    200.1.2.2

 BGP routing table entry information of 8.1.1.0/24:
 From: 200.1.2.2 (3.3.3.3)
 Route Duration: 00h03m56s
 Direct Out-interface: GigabitEthernet2/0/0
 Original nexthop: 200.1.2.2
 Qos information : 0x0
 AS-path 300 200, origin igp, pref-val 0, valid, external, select, active, pre 255, not preferred for router ID
 Not advertised to any peer yet
The preceding command output shows that BGP route 8.1.1.0/24 has two next hops: 200.1.1.2 and 200.1.2.2. Both of them are optimal routes.
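Both the MED example (4.6.4) and the load-balancing example above come down to the same comparison chain: the attributes shown in the output (pref-val, Local_Pref, AS_Path length, origin, MED, EBGP versus IBGP) are compared in order, the advertising router ID breaks the final tie, and load balancing keeps every path that ties before that tie-break. The following Python model is an added example, not Huawei code. The ordering it implements and the rule that load-balanced paths must carry the same AS_Path are my simplifications of the VRP selection process, and it compares MED without the default restriction to paths from the same neighbouring AS; the sample paths are constructed from the addresses and router IDs in the two examples.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    nexthop: str
    router_id: str           # router ID of the advertising peer, used as the final tie-break
    as_path: Tuple[int, ...]
    origin: str = "igp"
    med: int = 0             # the default MED of a route is 0
    local_pref: int = 100
    pref_val: int = 0
    external: bool = True    # EBGP-learned


def comparison_key(p: BgpPath):
    """Attributes compared, in this order, before the router-ID tie-break.

    Smaller tuple wins, so attributes where a higher value is better (PrefVal,
    Local_Pref) are negated. Assumption: MED is compared across all paths.
    """
    return (-p.pref_val, -p.local_pref, len(p.as_path), ORIGIN_RANK[p.origin],
            p.med, 0 if p.external else 1)


def router_id_key(p: BgpPath):
    return tuple(int(octet) for octet in p.router_id.split("."))


def select_paths(paths: List[BgpPath], max_load_balancing: int = 1):
    """Return (best, selected).

    best is the single best path; selected are the paths installed for forwarding.
    With max_load_balancing > 1, paths that tie with the best on every compared
    attribute and carry the same AS_Path share the load ("2 select" in the output).
    """
    if not paths:
        return None, []
    ranked = sorted(paths, key=lambda p: (comparison_key(p), router_id_key(p)))
    best = ranked[0]
    equal_cost = [p for p in ranked
                  if comparison_key(p) == comparison_key(best) and p.as_path == best.as_path]
    return best, equal_cost[:max_load_balancing]


def apply_export_med(path: BgpPath, med: int) -> BgpPath:
    """Model what an export route-policy with 'apply cost <med>' does to the receiver's copy."""
    return replace(path, med=med)


# Constructed sample for 4.6.4: RouterA (AS 65008) holds 9.1.1.0/24 from RouterB and RouterC.
FROM_ROUTER_B = BgpPath("9.1.1.0/24", "200.1.1.1", "2.2.2.2", (65009,))
FROM_ROUTER_C = BgpPath("9.1.1.0/24", "200.1.2.1", "3.3.3.3", (65009,))

# Constructed sample for the load-balancing example: RouterA (AS 100) holds 8.1.1.0/24 twice.
LB_PATHS = [BgpPath("8.1.1.0/24", "200.1.1.2", "2.2.2.2", (300, 200)),
            BgpPath("8.1.1.0/24", "200.1.2.2", "3.3.3.3", (300, 200))]


def med_before_policy():
    return select_paths([FROM_ROUTER_B, FROM_ROUTER_C])


def med_after_policy():
    return select_paths([apply_export_med(FROM_ROUTER_B, 100), FROM_ROUTER_C])


if __name__ == "__main__":
    best, _ = med_before_policy()
    print("before policy:", best.nexthop)   # 200.1.1.1: smaller router ID wins
    best, _ = med_after_policy()
    print("after policy:", best.nexthop)    # 200.1.2.1: lower MED wins
    _, selected = select_paths(LB_PATHS, max_load_balancing=2)
    print("load balancing:", [p.nexthop for p in selected])
```

Raising RouterB's MED moves the best path to RouterC without touching anything else, which is why the MED route-policy is applied on the advertising side only. Because MED is an attribute set by the neighbouring AS, a policy that trusts received MED blindly lets that neighbour steer the local AS's egress traffic; the model makes that dependency explicit.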
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 200.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 200.1.2.1 255.255.255.0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
Route Reflector To ensure connectivity between IBGP peers, you need to establish full-mesh connections between IBGP peers. If there are n devices in an AS, n(n-1)/2 IBGP connections need to be established. When there are a large number of devices, many network resources and CPU resources are consumed. A Route Reflector (RR) can be used between IBGP peers to solve this problem.
5.1.1 Roles in RR As shown in Figure 5-1-1, the following roles are involved in RR scenarios in an AS.
Figure 5-1-1 Networking diagram of the RR
Route reflector (RR): a BGP device that can reflect the routes learned from an IBGP peer to other IBGP peers. An RR is similar to a Designated Router (DR) on an OSPF network.
Client: an IBGP device of which routes are reflected by the RR to other IBGP devices. In an AS, clients only need to directly connect to the RR.
Non-client: an IBGP device that is neither an RR nor a client. In an AS, a non-client must establish full-mesh connections with the RR and all the other non-clients.
Originator: the device that originates a route in an AS. The Originator_ID attribute helps eliminate routing loops in a cluster.
Cluster: the set formed by an RR and its clients. The Cluster_List attribute helps eliminate routing loops between clusters.
5.1.2 RR Principles Clients in a cluster only need to exchange routing information with the RR in the same cluster. Therefore, clients only need to establish IBGP connections with the RR. This reduces the number of IBGP connections in the cluster. As shown in Figure 5-1-1, in AS 65000, Cluster1 consists of an RR and three clients. The number of IBGP connections in AS 65000 is then reduced from 10 to 4, which simplifies the device configuration and reduces the loads on the network and CPU. The RR allows a BGP device to advertise the BGP routes learned from an IBGP peer to other IBGP peers, and uses the Cluster_List and Originator_ID attributes to eliminate routing loops. The RR advertises routes to IBGP peers based on the following rules:
The RR advertises the routes learned from a non-client to all the clients.
The RR advertises the routes learned from a client to all the other clients and all the non-clients.
The RR advertises the routes learned from an EBGP peer to all the clients and non-clients.
5.1.3 Cluster_List Attribute An RR and its clients form a cluster, which is identified by a unique cluster ID in an AS. To prevent routing loops between clusters, an RR uses the Cluster_List attribute to record the cluster IDs of all the clusters that a route passes through.
When a route is reflected by an RR for the first time, the RR adds the local cluster ID to the top of the cluster list. If there is no cluster list, the RR creates a Cluster_List attribute.
When receiving an updated route, the RR checks the cluster list of the route. If the cluster list contains the local cluster ID, the RR discards the route. If the cluster list does not contain the local cluster ID, the RR adds the local cluster ID to the cluster list and then reflects the route.
5.1.4 Originator_ID Attribute The originator ID identifies the originator of a route and is generated by an RR to prevent routing loops in a cluster. Its value is the same as the router ID.
When a route is reflected by an RR for the first time, the RR adds the Originator_ID attribute to this route. The Originator_ID attribute identifies the originator of the route. If the route contains the Originator_ID attribute, the RR retains this Originator_ID attribute.
When a device receives a route, the device compares the originator ID of the route with the local router ID. If they are the same, the device discards the route.
5.1.5 Backup RR To ensure network reliability and prevent single points of failures, redundant RRs are required in a cluster. An RR allows a BGP device to advertise the routes received from an IBGP peer to other IBGP peers. Therefore, routing loops may occur between RRs in the same cluster. To solve this problem, all the RRs in the cluster must use the same cluster ID.
Figure 5-1-2 Backup RR As shown in Figure 5-1-2, RR1 and RR2 reside in the same cluster and have the same cluster ID configured.
When Client1 receives an updated route from an EBGP peer, Client1 advertises this route to RR1 and RR2 using IBGP.
After RR1 and RR2 receive this route, they add the local cluster ID to the top of the cluster list of the route and then reflect the route to other clients (Client2 and Client3) and to each other.
After RR1 and RR2 receive the reflected route from each other, they check the cluster list of the route, finding that the cluster list contains their local cluster IDs. RR1 and RR2 discard this route to prevent routing loops.
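The reflection rules of 5.1.2, the Cluster_List check of 5.1.3, the Originator_ID check of 5.1.4 and the backup RR behaviour just described can be exercised together in a small model. The following Python code is an added example and not part of the Huawei material; the speaker class, the topology-building helper and both topologies are mine. The first scenario is the backup RR case from Figure 5-1-2 (two RRs with the same cluster ID). The second is a constructed case the text does not draw: a client homed to two RRs in different clusters, where the cluster IDs differ so Cluster_List cannot catch the loop and Originator_ID has to.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Route:
    prefix: str
    originator_id: Optional[str] = None                      # set by the first RR that reflects the route
    cluster_list: List[str] = field(default_factory=list)    # newest cluster ID first


class Speaker:
    """A simplified IBGP speaker; a speaker with a cluster_id acts as a route reflector."""

    def __init__(self, router_id: str, cluster_id: Optional[str] = None):
        self.router_id = router_id
        self.cluster_id = cluster_id
        self.peers: Set[str] = set()      # all IBGP peers
        self.clients: Set[str] = set()    # the subset of peers configured as RR clients
        self.rib: Dict[str, Route] = {}
        self.dropped: List[Tuple[str, str, str]] = []   # (prefix, sender, reason)

    def originate(self, prefix: str, net: Dict[str, "Speaker"]):
        route = Route(prefix)
        self.rib[prefix] = route
        for peer in self.peers:
            net[peer].receive(route, self.router_id, net)

    def receive(self, route: Route, sender: str, net: Dict[str, "Speaker"]):
        # 5.1.4: a route carrying my own router ID as Originator_ID has come back to me.
        if route.originator_id == self.router_id:
            self.dropped.append((route.prefix, sender, "originator-id"))
            return
        # 5.1.3: a route whose Cluster_List already holds my cluster ID has looped.
        if self.cluster_id is not None and self.cluster_id in route.cluster_list:
            self.dropped.append((route.prefix, sender, "cluster-list"))
            return
        self.rib[route.prefix] = route
        if self.cluster_id is not None:
            self._reflect(route, sender, net)

    def _reflect(self, route: Route, sender: str, net: Dict[str, "Speaker"]):
        reflected = replace(route,
                            originator_id=route.originator_id or sender,
                            cluster_list=[self.cluster_id] + route.cluster_list)
        if sender in self.clients:
            targets = self.peers - {sender}     # from a client: all other clients and non-clients
        else:
            targets = set(self.clients)         # from a non-client: clients only
        for peer in targets:
            net[peer].receive(reflected, self.router_id, net)


def connect(net: Dict[str, Speaker], a: str, b: str, client_of_a: bool = False):
    """Create an IBGP session between a and b; optionally b is configured as a client of a."""
    net[a].peers.add(b)
    net[b].peers.add(a)
    if client_of_a:
        net[a].clients.add(b)


def backup_rr_scenario() -> Dict[str, Speaker]:
    """5.1.5: RR1 and RR2 share cluster ID C1 and every client peers with both RRs."""
    net = {"RR1": Speaker("RR1", "C1"), "RR2": Speaker("RR2", "C1"),
           "Client1": Speaker("Client1"), "Client2": Speaker("Client2"), "Client3": Speaker("Client3")}
    connect(net, "RR1", "RR2")
    for client in ("Client1", "Client2", "Client3"):
        connect(net, "RR1", client, client_of_a=True)
        connect(net, "RR2", client, client_of_a=True)
    net["Client1"].originate("8.1.1.0/24", net)
    return net


def multihomed_client_scenario() -> Dict[str, Speaker]:
    """Constructed: Client1 is a client of RR1 (cluster C1) and RR2 (cluster C2)."""
    net = {"RR1": Speaker("RR1", "C1"), "RR2": Speaker("RR2", "C2"),
           "Client1": Speaker("Client1"), "ClientA": Speaker("ClientA"), "ClientB": Speaker("ClientB")}
    connect(net, "RR1", "RR2")
    connect(net, "RR1", "Client1", client_of_a=True)
    connect(net, "RR2", "Client1", client_of_a=True)
    connect(net, "RR1", "ClientA", client_of_a=True)
    connect(net, "RR2", "ClientB", client_of_a=True)
    net["Client1"].originate("8.1.1.0/24", net)
    return net


if __name__ == "__main__":
    for name, scenario in (("backup RR", backup_rr_scenario), ("multihomed client", multihomed_client_scenario)):
        net = scenario()
        print(name, {r: s.dropped for r, s in net.items() if s.dropped})
```

In the backup RR scenario each RR discards the copy reflected by the other because its own cluster ID is already in the Cluster_List, exactly the sequence the three steps above describe. In the second scenario both RRs accept each other's copy (different cluster IDs) and it is Client1 that discards the route when it sees its own router ID as Originator_ID. The model also shows why two RRs of one cluster must share a cluster ID: give RR2 a different ID in the first scenario and the cluster-list check no longer fires.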
5.1.6 RRs of Multiple Clusters in an AS There may be multiple clusters in an AS. RRs of the clusters establish IBGP peer relationships. When RRs reside at different network layers, an RR at the lower network layer can be configured as a client to implement hierarchical RR. When RRs reside at the same network layer, RRs of different clusters can establish full-mesh connections to implement flat RR.
5.1.7 Hierarchical RR
Figure 5-1-3 Hierarchical RR In practice, hierarchical RR is often used. As shown in Figure 5-1-3, the ISP provides Internet routes to AS 100. AS 100 is divided into two clusters, Cluster1 and Cluster2. Four devices in Cluster1 are core routers and use a backup RR to ensure reliability.
5.1.8 Flat RR
Figure 5-1-4 Flat RR As shown in Figure 5-1-4, the backbone network is divided into multiple clusters. RRs of the clusters are non-clients and establish full-mesh connections with each other. Although each client only establishes an IBGP connection with its RR, all the RRs and clients can receive all routing information.
5.2 BGP Confederation
In addition to a route reflector, the confederation is another method that reduces the number of IBGP connections in an AS. A confederation divides an AS into sub-ASs. Full-mesh IBGP connections are established in each sub-AS. EBGP connections are established between sub-ASs. ASs outside a confederation still consider the confederation as a single AS. After a confederation divides an AS into sub-ASs, it assigns a confederation ID (the AS number) to each router within the AS. This brings two benefits. First, the original IBGP attributes are retained, including the Local_Pref attribute, MED attribute, and Next_Hop attribute. Second, confederation-related attributes are automatically deleted when routes are advertised outside the confederation. Therefore, the administrator does not need to configure rules for filtering information such as sub-AS numbers at the egress of a confederation.
Figure 5-2-1 Networking diagram of a confederation As shown in Figure 5-2-1, AS 100 is divided into three sub-ASs after a confederation is configured: AS65001, AS65002, and AS65003. The AS number AS 100 is used as the confederation ID. The number of IBGP connections in AS 100 is then reduced from 10 to 4, which simplifies the device configuration and reduces the loads on the network and CPU. In addition, BGP devices outside AS 100 only know the existence of AS 100 but not the confederation within AS 100. Therefore, the confederation does not increase the CPU load.
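The two benefits named above (IBGP attributes retained across sub-AS boundaries, confederation segments stripped at the egress) are easiest to see by tracing one Update through the confederation. The following Python model is an added example, not code from the Huawei material. It represents AS_Path as AS_SEQUENCE and AS_CONFED_SEQUENCE segments, builds the Update a speaker would send to an IBGP peer, to a peer in another sub-AS, and to a peer outside the confederation, and performs the receiver-side loop check. The sub-AS numbers 65001 to 65003 and confederation ID 100 follow Figure 5-2-1; the route from AS 200, the addresses, and the choice to model ordinary EBGP egress as "Local_Pref not sent, MED not propagated, next hop rewritten to the local address" are my assumptions.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Set, Tuple

# AS_Path is a sequence of segments. Inside a confederation the sub-AS numbers travel
# in AS_CONFED_SEQUENCE segments; only AS_SEQUENCE segments are visible outside it.
Segment = Tuple[str, List[int]]   # ("SEQ", [...]) or ("CONFED_SEQ", [...])


@dataclass(frozen=True)
class Update:
    prefix: str
    as_path: Tuple[Segment, ...]
    local_pref: Optional[int]
    med: Optional[int]
    next_hop: str


def _copy_segments(path: Tuple[Segment, ...]) -> List[Segment]:
    return [(kind, list(asns)) for kind, asns in path]


def _prepend(segments: List[Segment], kind: str, asn: int) -> None:
    """Prepend asn to the leading segment of the given kind, creating it if needed."""
    if segments and segments[0][0] == kind:
        segments[0][1].insert(0, asn)
    else:
        segments.insert(0, (kind, [asn]))


def export_update(update: Update, local_as: int, confed_id: int, members: Set[int],
                  peer_as: int, local_address: str) -> Update:
    """Build the Update a speaker in sub-AS local_as sends to a peer in peer_as.

    members is the set of sub-AS numbers belonging to confederation confed_id.
    """
    segments = _copy_segments(update.as_path)
    if peer_as == local_as:
        # IBGP inside the sub-AS: AS_Path untouched, attributes carried as received.
        return replace(update, as_path=tuple(segments))
    if peer_as in members:
        # EBGP between sub-ASs: record the sub-AS in AS_CONFED_SEQUENCE and keep
        # Local_Pref, MED and Next_Hop, as the text above describes.
        _prepend(segments, "CONFED_SEQ", local_as)
        return replace(update, as_path=tuple(segments))
    # Leaving the confederation: confederation segments are dropped, the confederation ID
    # is prepended as the only AS the outside sees, and the speaker behaves as an ordinary
    # EBGP speaker (assumption: Local_Pref not sent, MED not propagated, next hop rewritten).
    segments = [seg for seg in segments if seg[0] == "SEQ"]
    _prepend(segments, "SEQ", confed_id)
    return replace(update, as_path=tuple(segments), local_pref=None, med=None,
                   next_hop=local_address)


def loop_detected(update: Update, local_as: int, confed_id: int) -> bool:
    """Receiver-side check: my sub-AS in a confederation segment, or my confederation ID
    in a plain segment, means the route has already passed through here."""
    for kind, asns in update.as_path:
        if kind == "CONFED_SEQ" and local_as in asns:
            return True
        if kind == "SEQ" and confed_id in asns:
            return True
    return False


CONFED_ID = 100
MEMBERS = {65001, 65002, 65003}

# Constructed: a route learned from external AS 200 by a speaker in sub-AS 65001.
FROM_AS200 = Update("10.0.0.0/8", (("SEQ", [200]),), local_pref=100, med=50, next_hop="192.0.2.1")


def walk_through_confederation() -> Tuple[Update, Update]:
    """Trace the Update from sub-AS 65001 to sub-AS 65002, then out to external AS 300."""
    inside = export_update(FROM_AS200, 65001, CONFED_ID, MEMBERS, 65002, "10.0.1.1")
    outside = export_update(inside, 65002, CONFED_ID, MEMBERS, 300, "10.0.2.1")
    return inside, outside


if __name__ == "__main__":
    inside, outside = walk_through_confederation()
    print("inside :", inside.as_path, inside.local_pref, inside.med, inside.next_hop)
    print("outside:", outside.as_path, outside.local_pref, outside.med, outside.next_hop)
```

The copy sent to AS 300 carries only "100 200": the sub-AS numbers never leave the confederation, which is the reason no egress filter for them is needed. The loop check is what keeps the sub-AS EBGP sessions safe, since a route that re-enters sub-AS 65001 still carries 65001 in its confederation segment.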
5.2.1 Comparisons between a Route Reflector and a Confederation
Table 5-2-1 compares a route reflector and a confederation in terms of the configuration, device connection, and applications.
Table 5-2-1 Comparisons between a route reflector and a confederation
Route Reflector | Confederation
Retains the existing network topology and ensures compatibility. | Requires the logical topology to be changed.
Requires only a route reflector to be configured because clients do not need to know that they are clients of a route reflector. | Requires all devices to be reconfigured.
Requires full-mesh connections between clusters. | Does not require full-mesh connections between sub-ASs of a confederation because the sub-ASs are special EBGP peers.
Applies to medium and large networks. | Applies to large networks.
5.3 Route Summarization
The BGP routing table of each device on a large network is large. This burdens devices, increases the route flapping probability, and affects network stability. Route summarization is a mechanism that combines multiple routes into one route. This mechanism allows a BGP device to advertise only the summarized route but not all the specific routes to peers, therefore reducing the size of the BGP routing table. If a specific route flaps, the summarized route does not, so network stability is improved. BGP supports automatic summarization and manual summarization on IPv4 networks, and supports only manual summarization on IPv6 networks.
Automatic summarization: summarizes the routes imported by BGP. After automatic summarization is configured, BGP summarizes routes based on the natural network segment and advertises only the summarized route to peers. For example, BGP summarizes 10.1.1.1/24 and 10.2.1.1/24 (two Class A addresses with non-natural mask) into 10.0.0.0/8 (Class A address with natural mask).
Manual summarization: summarizes routes in the local BGP routing table. Manual summarization can help control the attributes of the summarized route and determine whether to advertise specific routes.
To prevent routing loops caused by route summarization, BGP uses the AS_Set attribute. The AS_Set attribute is an unordered set of all ASs that a route passes through. When the summarized route enters an AS in the AS_Set attribute again, BGP finds that the local AS number has been recorded in the AS_Set attribute of the route and discards this route to prevent a routing loop.
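Automatic summarization collapses routes onto their natural (classful) networks, and the AS_Set attribute is what keeps a summary from looping back into an AS it already covers. The following Python model is an added example, not code from the Huawei material. It computes the natural network of each imported route, merges routes per natural network into one summary carrying the union of their AS numbers as an unordered AS_Set, and performs the receiving side's loop check. The input mixes the two prefixes quoted above with the 9.1.x.0/24 routes that step 5 of 4.6.2 summarized into 9.0.0.0; the AS numbers attached to them and the 172.16.5.0/24 route are constructed, and building AS_Set for automatic summaries is my generalization of the AS_Set description above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class ImportedRoute:
    prefix: str
    as_path: Tuple[int, ...]     # ordered AS_Sequence of the specific route


@dataclass(frozen=True)
class SummaryRoute:
    prefix: str
    as_set: FrozenSet[int]       # unordered AS_Set built from all component routes


def natural_network(prefix: str) -> ipaddress.IPv4Network:
    """Return the classful (natural-mask) network that contains prefix."""
    network = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(network.network_address) >> 24
    if first_octet < 128:
        natural_len = 8          # class A
    elif first_octet < 192:
        natural_len = 16         # class B
    elif first_octet < 224:
        natural_len = 24         # class C
    else:
        raise ValueError(f"{prefix}: class D/E addresses have no natural mask")
    return ipaddress.ip_network(f"{network.network_address}/{natural_len}", strict=False)


def auto_summarize(routes: List[ImportedRoute]) -> List[SummaryRoute]:
    """Collapse imported routes onto their natural networks, carrying every component AS in AS_Set."""
    groups: Dict[str, Set[int]] = {}
    for route in routes:
        key = str(natural_network(route.prefix))
        groups.setdefault(key, set()).update(route.as_path)
    return [SummaryRoute(prefix, frozenset(asns)) for prefix, asns in sorted(groups.items())]


def accept_summary(summary: SummaryRoute, local_as: int) -> bool:
    """Loop check on receipt: discard a summary whose AS_Set already lists the local AS."""
    return local_as not in summary.as_set


# Constructed input: RouterB's direct routes from 4.6.2 (empty AS_Path), the two prefixes
# quoted above with made-up AS paths, and one class B prefix.
IMPORTED = [
    ImportedRoute("9.1.1.0/24", ()),
    ImportedRoute("9.1.2.0/24", ()),
    ImportedRoute("10.1.1.0/24", (65001,)),
    ImportedRoute("10.2.1.0/24", (65002, 65003)),
    ImportedRoute("172.16.5.0/24", (65004,)),
]


def summarize_sample() -> List[SummaryRoute]:
    return auto_summarize(IMPORTED)


if __name__ == "__main__":
    for summary in summarize_sample():
        print(summary.prefix, sorted(summary.as_set))
```

Three summaries come out: 9.0.0.0/8 with an empty AS_Set, 10.0.0.0/8 whose AS_Set is {65001, 65002, 65003}, and 172.16.0.0/16. A speaker in AS 65002 that later receives the 10.0.0.0/8 summary discards it, which is the loop the AS_Set attribute exists to prevent. The same code also shows the cost of automatic summarization: one /8 now stands for every 10.x.x.x route the device knows, so a single flapping component is hidden behind a stable summary but so is any more specific route you might have wanted peers to see.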
5.4 Route Dampening
When BGP is used on complex networks, route flapping occurs frequently. To prevent frequent route flapping, BGP uses route dampening to suppress unstable routes. Route flapping is the process of adding a route to an IP routing table and then withdrawing this route. When route flapping occurs, a BGP device sends an Update message to its neighbors. The devices that receive the Update message need to recalculate routes and modify routing tables. Frequent route flapping consumes a lot of bandwidth and CPU resources and can even affect normal network operation.
Figure 5-4-1 Diagram of BGP route dampening
Route dampening measures the stability of a route using a penalty value. A larger penalty value indicates a less stable route. As shown in Figure 5-4-1, each time route flapping occurs, BGP increases the penalty of this route by a value of 1000. When the penalty value of a route exceeds the suppression threshold, BGP suppresses this route, and does not add it to the IP routing table or advertise any Update message to peers. After a route is suppressed for a period of time (half-life), the penalty value is reduced by half. When the penalty value of a route decreases to the suppression threshold, the route is reusable and is added to the routing table. At the same time, BGP advertises an Update message to peers. The suppression time is the period from when a route is suppressed to when the route is reusable.
Route dampening applies only to EBGP routes but not IBGP routes. IBGP routes may include the routes of the local AS, and an IGP network requires that the routing tables of devices within an AS be the same. If IBGP routes were dampened, routing tables on devices would be inconsistent when these devices have different dampening parameters. Therefore, route dampening does not apply to IBGP routes.
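The penalty, half-life and threshold mechanics above can be simulated against a constructed flap timeline to see when a route is suppressed and when it becomes reusable. The following Python code is an added example, not code from the Huawei material. It applies the 1000-per-flap penalty from the text with continuous exponential decay, and, as the general dampening algorithm does, uses a separate reuse threshold below the suppression threshold; the text describes reuse at the suppression threshold, and setting the two values equal reproduces that. The parameter values (half-life 900 s, suppress 2000, reuse 750), the flap timestamps and the polling interval are constructed, not taken from the page, and the IBGP exemption follows the last paragraph above.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class DampeningParams:
    """Constructed parameters: 1000 per flap as in the text; the rest are assumed values."""
    flap_penalty: float = 1000.0
    half_life: float = 900.0            # seconds
    suppress_threshold: float = 2000.0
    reuse_threshold: float = 750.0


class DampenedRoute:
    """Penalty bookkeeping for one EBGP route, with exponential decay per half-life."""

    def __init__(self, params: DampeningParams):
        self.params = params
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False
        self.events: List[Tuple[float, str]] = []

    def _decay_to(self, now: float) -> None:
        elapsed = now - self.last_update
        self.penalty *= 0.5 ** (elapsed / self.params.half_life)
        self.last_update = now

    def flap(self, now: float) -> None:
        """Record one flap (the route was withdrawn and re-announced)."""
        self._decay_to(now)
        self.penalty += self.params.flap_penalty
        self._reevaluate(now)

    def poll(self, now: float) -> None:
        """Periodic check of the decayed penalty against the thresholds."""
        self._decay_to(now)
        self._reevaluate(now)

    def _reevaluate(self, now: float) -> None:
        if not self.suppressed and self.penalty > self.params.suppress_threshold:
            self.suppressed = True
            self.events.append((now, "suppress"))
        elif self.suppressed and self.penalty <= self.params.reuse_threshold:
            self.suppressed = False
            self.events.append((now, "reuse"))

    def usable(self) -> bool:
        """A suppressed route is neither installed in the IP routing table nor advertised."""
        return not self.suppressed

    def time_until_reuse(self) -> Optional[float]:
        """Seconds after the last update until the penalty decays to the reuse threshold."""
        if not self.suppressed:
            return None
        return self.params.half_life * math.log2(self.penalty / self.params.reuse_threshold)


class Dampener:
    """Per-prefix dampening state. IBGP routes are never dampened (see the text above)."""

    def __init__(self, params: DampeningParams = DampeningParams()):
        self.params = params
        self.routes: Dict[str, DampenedRoute] = {}

    def record_flap(self, prefix: str, now: float, learned_from_ebgp: bool) -> Optional[DampenedRoute]:
        if not learned_from_ebgp:
            return None
        route = self.routes.setdefault(prefix, DampenedRoute(self.params))
        route.flap(now)
        return route


def simulate_flapping_route() -> DampenedRoute:
    """Constructed timeline: three flaps one minute apart, then polls every 60 s for an hour."""
    dampener = Dampener()
    route = None
    for t in (0.0, 60.0, 120.0):
        route = dampener.record_flap("8.1.1.0/24", t, learned_from_ebgp=True)
    for t in range(180, 3601, 60):
        route.poll(float(t))
    return route


def reuse_estimate() -> Optional[float]:
    """Analytic time to reuse right after the third flap of the same timeline."""
    route = DampenedRoute(DampeningParams())
    for t in (0.0, 60.0, 120.0):
        route.flap(t)
    return route.time_until_reuse()


if __name__ == "__main__":
    route = simulate_flapping_route()
    print(route.events, "usable now:", route.usable())
    print("reuse after about", round(reuse_estimate()), "s")
```

Two flaps leave the penalty just under 2000, the third pushes it past the suppression threshold at t=120 s, and with a 900 s half-life the route is not reusable until roughly 29 minutes later. The same parameters applied to a route that flaps only occasionally never reach the threshold, which is the point of the penalty decay: dampening is meant to cost the chronically unstable route, not the one that fails once.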
5.5 Association between BGP and BFD
BGP periodically sends messages to peers to detect the status of the peers. It takes more than 1 minute for this detection mechanism to detect a fault. When data is transmitted at gigabit rates, long-time fault detection will cause packet loss. This cannot meet high reliability requirements of networks. Association between BGP and bidirectional forwarding detection (BFD) uses the millisecond-level fault detection of BFD to improve network reliability.
Figure 5-5-1 Networking diagram of association between BGP and BFD
As shown in Figure 5-5-1, RouterA belongs to AS 100 and RouterB belongs to AS 200. RouterA and RouterB are directly connected and establish the EBGP peer relationship. Association between BGP and BFD is configured on RouterA and RouterB. When a fault occurs on the link between RouterA and RouterB, BFD can rapidly detect that the BFD session changes from Up to Down and notify this fault to RouterA and RouterB. RouterA and RouterB process the neighbor Down event and select routes again using BGP.
5.6 BGP Tracking
BGP tracking provides fast link fault detection to speed up network convergence. When a fault occurs on the link between BGP peers that have BGP tracking configured, BGP tracking can quickly detect peer unreachability and instruct the routing management module to not1ify BGP of the fault, implementing rapid network convergence. Compared to BFD, BGP tracking is easy to configure because it needs to be configured only on the local device. BGP tracking is a fault detection mechanism at the routing layer, whereas BFD is a fault detection mechanism at the link layer. BGP route convergence on a network where BGP tracking is configured is slower than that on a network where BFD is configured. Therefore, BGP tracking cannot meet the requirements of voice services that require fast convergence.
5.6.1 Applications As shown in Figure 5-6-1, RouterA and RouterB, and RouterB and RouterC establish IGP connections. RouterA and RouterC establish an IBGP peer relationship. BGP tracking is configured on RouterA. When a fault occurs on the link between RouterA and RouterB, IGP performs fast convergence. Subsequently, BGP tracking detects the unreachability of the route to RouterC and notifies the fault to BGP on RouterA, which then interrupts the BGP connection with RouterC.
Figure 5-6-1 Networking diagram of BGP tracking
NOTE: If establishing an IBGP peer relationship requires IGP routes, the interval between peer unreachability discovery and connection interruption needs to be configured, and this interval must be longer than the IGP route convergence time. Otherwise, the BGP peer relationship may have been interrupted before IGP route flapping caused by transient interruption is suppressed, causing unnecessary BGP convergence.
5.7 BGP Auto FRR
BGP Auto Fast Reroute (FRR) is a protection measure against link failures. It applies to the network topology with primary and backup links and provides sub-second-level switching between two BGP peers or two next hops. After BGP Auto FRR is enabled on a device, the device selects the optimal route from the routes that carry the same prefix and are learned from multiple peers as the primary link to forward packets, and uses the second optimal route as the backup link. When the primary link becomes faulty, the system rapidly responds to the notification that the BGP route becomes unreachable, and then switches traffic from the primary link to the backup link. After BGP convergence is complete, BGP Auto FRR uses the optimal route selected by BGP to guide traffic forwarding.
5.7.1 Applications As shown in Figure 5-7-1, RouterD advertises a learned BGP route to RouterB and RouterC in AS 100; RouterB and RouterC then advertise the BGP route to RouterA through a route reflector. RouterA receives two routes whose next hops are RouterB and RouterC respectively. Then RouterA selects a route according to the configured policy. Assume that the route sent from RouterB, namely LinkB, is preferred. The route sent from RouterC, namely LinkC, then functions as the backup link.
Figure 5-7-1 Networking diagram of BGP Auto FRR
When a router along LinkB fails or faults occur on LinkB, the next hop of the route from RouterA to RouterB becomes invalid. If BGP Auto FRR is enabled on RouterA, the forwarding plane quickly switches traffic sent from RouterA to RouterD to LinkC. This prevents traffic loss. In addition, RouterA reselects the route sent from RouterC and updates the FIB table.
5.8 BGP GR and NSR
BGP graceful restart (GR) and non-stop routing (NSR) are high availability solutions that minimize the impact of device failures on user services.
5.8.1 BGP GR BGP GR ensures that the forwarding plane continues to guide data forwarding during a device restart or active/standby switchover. The operations on the control plane, such as reestablishing peer relationships and performing route calculation, do not affect the forwarding plane. This mechanism prevents service interruptions caused by route flapping and improves network reliability. GR concepts are as follows:
GR restarter: the device that is restarted by the administrator or, triggered by a failure, performs GR.
GR helper: the neighbor that helps the GR restarter to perform GR.
GR time: the time during which the GR helper retains forwarding information after detecting the restart or active/standby switchover of the GR restarter.
The BGP GR process is as follows:
1. Using the BGP capability negotiation mechanism, the GR restarter and helper learn each other's GR capability and establish a GR session.
2. When detecting the restart or active/standby switchover of the GR restarter, the GR helper does not delete the routing information and forwarding entries of the GR restarter or notify other neighbors of the restart or switchover, but waits to reestablish a BGP connection with the GR restarter.
3. The GR restarter reestablishes neighbor relationships with all GR helpers before the GR time expires.
5.8.2 BGP NSR
NSR is a reliability technique that prevents neighbors from detecting the control plane switchover. It applies to devices that have active and standby MPUs configured. Compared with GR, NSR does not require the help of neighbors and does not need to deal with interoperability issues.
Table 5-8-1 Comparisons between active/standby switchovers with and without GR and NSR
Active/Standby Switchover Without GR and NSR | Active/Standby Switchover in GR Mode | Active/Standby Switchover in NSR Mode
The BGP peer relationship is reestablished. | The BGP peer relationship is reestablished. | The BGP peer relationship is reestablished.
Routes are recalculated. | Routes are recalculated. | Routes are recalculated.
The forwarding table changes. | The forwarding table remains unchanged. | The forwarding table remains unchanged.
Traffic is lost during forwarding, and services are interrupted. | No traffic is lost during forwarding, and services are not affected. | No traffic is lost during forwarding, and services are not affected.
The network detects route changes, and route flapping occurs for a short period of time. | Except the neighbors of the device where the active/standby switchover occurs, other routers do not detect route changes. | The network does not detect route changes.
- | The GR restarter requires neighbors to support the GR helper function. The GR helper function does not allow multiple neighbors to perform active/standby switchovers in GR mode simultaneously. | Neighbors do not need to support the NSR function.
2016-1-11
Huawei Confidential
Page 244 of 1210
HCIE-R&S Material
Confidentiality Level
5.9 Dynamic Update Peer-Groups
Currently, the rapid growth in the size of the routing table and the complexity of the network topology require BGP to support more peers. Especially in the case of a large number of peers and routes, high-performance grouping and forwarding are required when a router needs to send routes to a large number of BGP peers, most of which share the same outbound policies. The dynamic update peer-groups feature treats all the BGP peers with the same outbound policies as an update-group. In this case, routes are grouped uniformly and then sent separately. That is, each route to be sent is grouped once and then sent to all peers in the update-group, greatly improving grouping efficiency. For example, a route reflector (RR) has 100 clients and needs to reflect 100,000 routes to these clients. If the RR sends the routes grouped per peer to 100 clients, the total number of times that all routes are grouped is 10,000,000 (100,000 x 100). After the dynamic update peer-groups feature is used, the total number of grouping times changes to 100,000 (100,000 x 1), improving grouping performance by a factor of 100.
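The update-group idea and the grouping arithmetic of the RR example, as an added example that is not part of the Huawei material: peers whose complete outbound policy is identical are put in one group, the policy is evaluated once per route per group, and the result is replicated to the members. The toy policy representation (tuples of `set-med` and `deny-prefix` actions), the function names and the sample peers and routes are this example's own assumptions; the counting functions reproduce the 100,000 x 100 versus 100,000 x 1 figures from the text.

```python
# Added example, not from the Huawei material: a model of update-group
# formation and the grouping-count arithmetic of 5.9.  The policy
# representation and all names are this example's own.
from collections import defaultdict


def build_update_groups(peers):
    """peers: {address: outbound_policy}.  Any hashable description of the
    complete outbound policy works; peers with equal policy share a group."""
    groups = defaultdict(list)
    for address, policy in peers.items():
        groups[policy].append(address)
    return dict(groups)


def apply_policy(policy, route):
    """Toy outbound policy: ('deny-prefix', prefix) drops that prefix,
    ('set-med', n) rewrites the MED.  Returns the route to send, or None."""
    route = dict(route)
    for action, arg in policy:
        if action == "deny-prefix" and route["prefix"] == arg:
            return None
        if action == "set-med":
            route["med"] = arg
    return route


def advertise(routes, peers, use_update_groups):
    """Return (policy_evaluations, {peer: [routes sent]}).  Without update
    groups every route is run through the policy once per peer; with them it
    is run once per group and the result is replicated to the members."""
    evaluations = 0
    sent = {address: [] for address in peers}
    if use_update_groups:
        for policy, members in build_update_groups(peers).items():
            for route in routes:
                evaluations += 1
                out = apply_policy(policy, route)
                if out is not None:
                    for address in members:
                        sent[address].append(out)
    else:
        for address, policy in peers.items():
            for route in routes:
                evaluations += 1
                out = apply_policy(policy, route)
                if out is not None:
                    sent[address].append(out)
    return evaluations, sent


def grouping_count(num_routes, peers, use_update_groups):
    """The arithmetic of the RR example: routes x peers versus routes x groups."""
    targets = len(build_update_groups(peers)) if use_update_groups else len(peers)
    return num_routes * targets
```

`advertise` shows that the per-peer output is identical with and without update-groups; only the number of policy evaluations changes. `grouping_count` with 100 clients sharing one policy and 100,000 routes returns 10,000,000 without the feature and 100,000 with it.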
5.9.1 Applications
BGP uses the dynamic update peer-groups technology when a large number of peers and routes exist and most peers share the same outbound policies, improving BGP route grouping and forwarding performance. The dynamic update peer-groups feature applies to the following scenarios:
International gateway: As shown in Figure 5-9-1, the Internet gateway (IGW) router sends routes to all neighboring ASs. If the IGW router supports the dynamic update peer-groups feature, its BGP route forwarding performance will be greatly improved.
Figure 5-9-1 Networking diagram of the international gateway
RR: As shown in Figure 5-9-2, RRs send routes to all clients. If the RRs support the dynamic update peer-groups feature, their BGP route forwarding performance will be greatly improved.
Figure 5-9-2 Networking diagram of RRs
ASBR: As shown in Figure 5-9-3, RouterB, as an Autonomous System Boundary Router (ASBR), sends all the routes received from the EBGP neighbor RouterA to all IBGP neighbors. If RouterB supports the dynamic update peer-groups feature, its BGP route forwarding performance will be greatly improved.
Figure 5-9-3 Networking diagram of a PE connecting to multiple IBGP neighbors
5.10 Examples for Configuring BGP Extension Techniques
5.10.1 Example for Configuring a BGP Route Reflector
Networking Requirements
As shown in Figure 5-10-1, eight routers need to form an IBGP network. Full-mesh BGP connections have been established between RouterB, RouterD, and RouterE. Users require that the IBGP network be formed without interrupting the full-mesh BGP connections between RouterB, RouterD, and RouterE, and require simplified device configuration and management.
Figure 5-10-1 Networking diagram of configuring a BGP RR
Device  | Interface | IP address
RouterA | GE 1/0/0  | 10.1.1.2/24
RouterA | GE 2/0/0  | 10.1.3.2/24
RouterA | GE 3/0/0  | 9.1.1.1/24
RouterB | GE 1/0/0  | 10.1.1.1/24
RouterB | GE 2/0/0  | 10.1.4.1/24
RouterB | GE 3/0/0  | 10.1.5.1/24
RouterB | GE 4/0/0  | 10.1.2.1/24
RouterC | GE 1/0/0  | 10.1.2.2/24
RouterC | GE 2/0/0  | 10.1.3.1/24
RouterC | GE 3/0/0  | 10.1.7.1/24
RouterC | GE 4/0/0  | 10.1.8.1/24
RouterD | GE 1/0/0  | 10.1.4.2/24
RouterD | GE 2/0/0  | 10.1.6.1/24
RouterE | GE 2/0/0  | 10.1.6.2/24
RouterE | GE 3/0/0  | 10.1.5.2/24
RouterF | GE 1/0/0  | 10.1.7.2/24
RouterG | GE 1/0/0  | 10.1.8.2/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure RouterB as the route reflector of Cluster1 and RouterD and RouterE as the clients of RouterB. Prohibit communication between the clients to form an IBGP network without interrupting full-mesh BGP connections between RouterB, RouterD, and RouterE.
2. Configure RouterC as the route reflector of Cluster2 and RouterF and RouterG as the clients of RouterC to simplify device configuration and management.
Procedure
1. Configure an IP address for each interface. The configuration details are not mentioned here.
2. Configure the IBGP connections between the clients and the RR and between the non-clients and the RR. The configuration details are not mentioned here.
3. Configure the RR.
# Configure RouterB.
[RouterB] bgp 65010
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] group in_rr internal
[RouterB-bgp] peer 10.1.4.2 group in_rr
[RouterB-bgp] peer 10.1.5.2 group in_rr
[RouterB-bgp] ipv4-family unicast
[RouterB-bgp-af-ipv4] peer in_rr reflect-client
[RouterB-bgp-af-ipv4] undo reflect between-clients
[RouterB-bgp-af-ipv4] reflector cluster-id 1
[RouterB-bgp-af-ipv4] quit
# Configure RouterC.
[RouterC] bgp 65010
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] group in_rr internal
[RouterC-bgp] peer 10.1.7.2 group in_rr
[RouterC-bgp] peer 10.1.8.2 group in_rr
[RouterC-bgp] ipv4-family unicast
[RouterC-bgp-af-ipv4] peer in_rr reflect-client
[RouterC-bgp-af-ipv4] reflector cluster-id 2
[RouterC-bgp-af-ipv4] quit
# Display the routing table of RouterD.
[RouterD] display bgp routing-table 9.1.1.0
 BGP local router ID : 4.4.4.4
 Local AS number : 65010
 Paths:   1 available, 0 best, 0 select
 BGP routing table entry information of 9.1.1.0/24:
 From: 10.1.4.1 (2.2.2.2)
 Route Duration: 00h00m14s
 Relay IP Nexthop: 0.0.0.0
 Relay IP Out-Interface:
 Original nexthop: 10.1.1.2
 Qos information : 0x0
 AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, internal, pre 255
 Originator: 1.1.1.1
 Cluster list: 0.0.0.1
 Not advertised to any peer yet
You can view that RouterD has learned the route advertised by RouterA from RouterB. For details, see the Originator and Cluster_ID attributes of the route.
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.1.3.2 255.255.255.0
#
interface GigabitEthernet3/0/0
 ip address 9.1.1.1 255.255.255.0
#
NOTE: The configuration file of other routers is similar to that of RouterD and is omitted here.
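The reflection rules RouterB applies in this example, as an added example that is not part of the Huawei material: a route from a non-client is reflected to clients only, a route from a client goes to non-clients and (only when `reflect between-clients` is enabled) to the other clients, the reflected copy carries the Originator and Cluster_ID attributes shown in the RouterD output above, and a received route whose CLUSTER_LIST already contains the local cluster-id or whose ORIGINATOR_ID is the local router-id is rejected as a loop. The class and function names are this example's own; RouterE's router-id (5.5.5.5) and the assumption that RouterA and RouterC peer with RouterB as non-clients are not stated on the page and are assumed here.

```python
# Added example, not from the Huawei material: the reflection and loop-check
# rules of a route reflector, parameterised like RouterB in 5.10.1.
# Class and function names are this example's own.
from dataclasses import dataclass, field


@dataclass
class RouteReflector:
    router_id: str
    cluster_id: str                 # "reflector cluster-id 1" is carried as 0.0.0.1
    clients: dict                   # peer address -> peer router-id
    non_clients: dict               # peer address -> peer router-id
    reflect_between_clients: bool = True   # "undo reflect between-clients" clears this
    rib: dict = field(default_factory=dict)

    def receive(self, route, from_peer):
        """Loop checks before accepting a route: reject it if ORIGINATOR_ID is
        our own router-id or our cluster-id is already in CLUSTER_LIST.
        Returns True when the route is installed."""
        if route.get("originator") == self.router_id:
            return False
        if self.cluster_id in route.get("cluster_list", []):
            return False
        self.rib[route["prefix"]] = dict(route, from_peer=from_peer)
        return True

    def reflect(self, prefix):
        """Return {peer address: route copy} for the peers this RR sends to."""
        route = self.rib[prefix]
        src = route["from_peer"]
        out = dict(route)
        out.pop("from_peer")
        # A reflected route carries the originator's router-id (set once) and
        # this RR's cluster-id prepended to the CLUSTER_LIST.
        out.setdefault("originator", self.clients.get(src) or self.non_clients.get(src))
        out["cluster_list"] = [self.cluster_id] + list(route.get("cluster_list", []))
        if src in self.clients:
            targets = set(self.non_clients)
            if self.reflect_between_clients:
                targets |= set(self.clients) - {src}
        else:
            targets = set(self.clients)     # from a non-client: to clients only
        return {peer: dict(out) for peer in sorted(targets)}


def router_b():
    """RouterB of the example: cluster-id 1, clients RouterD and RouterE,
    non-clients RouterA and RouterC (RouterE's id 5.5.5.5 is assumed)."""
    return RouteReflector(
        router_id="2.2.2.2", cluster_id="0.0.0.1",
        clients={"10.1.4.2": "4.4.4.4", "10.1.5.2": "5.5.5.5"},
        non_clients={"10.1.1.2": "1.1.1.1", "10.1.2.2": "3.3.3.3"},
        reflect_between_clients=False,
    )
```

Feeding RouterA's 9.1.1.0/24 into `router_b()` and calling `reflect` yields copies for 10.1.4.2 and 10.1.5.2 only, with Originator 1.1.1.1 and Cluster list [0.0.0.1], which is what RouterD displays above; because `reflect between-clients` is disabled, a route learned from RouterD is passed to RouterA and RouterC but not to RouterE.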
5.10.2 Example for Configuring a BGP Confederation
Networking Requirements
As shown in Figure 5-10-2, there are multiple BGP routers in AS 200. It is required that the number of IBGP connections be reduced.
Figure 5-10-2 Networking diagram of configuring the confederation
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a BGP confederation on each router in AS 200 to divide AS 200 into three sub-ASs: AS 65001, AS 65002, and AS 65003. Three routers in AS 65001 establish full-mesh IBGP connections to reduce the number of IBGP connections.
Procedure
1. Configure an IP address for each interface. The configuration details are not mentioned here.
2. Configure the BGP confederation.
# Configure RouterA.
[RouterA] bgp 65001
Configure the EBGP connection between AS 100 and AS 200.
# Configure RouterA.
[RouterA] bgp 65001
[RouterA-bgp] peer 200.1.1.2 as-number 100
[RouterA-bgp] quit
# Configure RouterF.
[RouterF] bgp 100
[RouterF-bgp] router-id 6.6.6.6
[RouterF-bgp] peer 200.1.1.1 as-number 200
[RouterF-bgp] ipv4-family unicast
[RouterF-bgp-af-ipv4] network 9.1.1.0 255.255.255.0
[RouterF-bgp-af-ipv4] quit
5. Verify the configuration.
# Check the routing table of RouterB.
[RouterB] display bgp routing-table
 BGP Local router ID is 2.2.2.2
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i  9.1.1.0/24         10.1.1.1       0          100       0       (65001) 100i
[RouterB] display bgp routing-table 9.1.1.0
 BGP local router ID : 2.2.2.2
 Local AS number : 65002
 Paths:   1 available, 1 best, 1 select
 BGP routing table entry information of 9.1.1.0/24:
 From: 10.1.1.1 (1.1.1.1)
 Route Duration: 00h12m29s
 Relay IP Nexthop: 0.0.0.0
 Relay IP Out-Interface: GigabitEthernet1/0/0
 Original nexthop: 10.1.1.1
 Qos information : 0x0
 AS-path (65001) 100, origin igp, MED 0, localpref 100, pref-val 0, valid, external-confed, best, select, active, pre 255
 Not advertised to any peer yet
# Check the BGP routing table of RouterD.
[RouterD] display bgp routing-table
 BGP Local router ID is 4.4.4.4
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i  9.1.1.0/24         10.1.3.1       0          100       0       100i
[RouterD] display bgp routing-table 9.1.1.0
 BGP local router ID : 4.4.4.4
 Local AS number : 65001
 Paths:   1 available, 1 best, 1 select
 BGP routing table entry information of 9.1.1.0/24:
 From: 10.1.3.1 (1.1.1.1)
 Route Duration: 00h23m57s
 Relay IP Nexthop: 0.0.0.0
 Relay IP Out-Interface: GigabitEthernet1/0/0
 Original nexthop: 10.1.3.1
 Qos information : 0x0
 AS-path 100, origin igp, MED 0, localpref 100, pref-val 0, valid, internal-confed, best, select, pre 255
 Not advertised to any peer yet
Networking Requirements
As shown in Figure 5-10-3, RouterA belongs to AS 100, and RouterB and RouterC belong to AS 200. EBGP connections are established between RouterA and RouterB, and between RouterA and RouterC. Service traffic is transmitted along the primary link RouterA→RouterB. The link RouterA→RouterC→RouterB functions as the backup link. Fast fault detection is required to allow traffic to be fast switched from the primary link to the backup link.
Figure 5-10-3 Networking diagram of configuring BFD for BGP
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic BGP functions on each router.
2. Configure the MED attribute to control route selection.
3. Enable BFD on RouterA and RouterB.
NOTE: If two routers establish an EBGP peer relationship over a direct link, BFD for BGP does not need to be configured. This is because the ebgp-interface-sensitive command is enabled by default for directly-connected EBGP peers.
Procedure
1. Configure an IP address for each interface as shown in Figure 5-10-3. For details about the configuration, see the following configuration files.
2. Configure basic BGP functions. Establish EBGP peer relationships between RouterA and RouterB, and between RouterA and RouterC, and an IBGP peer relationship between RouterB and RouterC.
# Configure RouterA.
[RouterA] bgp 100
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] peer 200.1.1.2 as-number 200
[RouterA-bgp] peer 200.1.1.2 ebgp-max-hop
[RouterA-bgp] peer 200.1.2.2 as-number 200
[RouterA-bgp] peer 200.1.2.2 ebgp-max-hop
[RouterA-bgp] quit
# Configure RouterB.
[RouterB] bgp 200
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 200.1.1.1 as-number 100
[RouterB-bgp] peer 200.1.1.1 ebgp-max-hop
[RouterB-bgp] peer 9.1.1.2 as-number 200
[RouterB-bgp] network 172.16.1.0 255.255.255.0
[RouterB-bgp] quit
# Configure RouterC.
[RouterC] bgp 200
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] peer 200.1.2.1 as-number 100
[RouterC-bgp] peer 200.1.2.1 ebgp-max-hop
[RouterC-bgp] peer 9.1.1.1 as-number 200
[RouterC-bgp] quit
# Check the status of BGP peer relationships on RouterA. The command output shows that the BGP peer relationships are in the Established state.
display bgp peer
 BGP local router ID : 1.1.1.1
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 2
  Peer        V    AS  MsgRcvd  MsgSent  OutQ  Up/Down    State        PrefRcv
  200.1.1.2   4   200        2        5     0  00:01:25   Established        0
  200.1.2.2   4   200        2        4     0  00:00:55   Established        0
3. Configure the MED attribute. Set the MED value for the route sent from RouterC or RouterB to RouterA by using a routing policy.
# Configure RouterB.
[RouterB] route-policy 10 permit node 10
[RouterB-route-policy] apply cost 100
[RouterB-route-policy] quit
[RouterB] bgp 200
[RouterB-bgp] peer 200.1.1.1 route-policy 10 export
# Configure RouterC.
[RouterC] route-policy 10 permit node 10
[RouterC-route-policy] apply cost 150
[RouterC-route-policy] quit
[RouterC] bgp 200
[RouterC-bgp] peer 200.1.2.1 route-policy 10 export
# Check BGP routing information on RouterA.
display bgp routing-table
 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 2
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   172.16.1.0/24      200.1.1.2      100                  0       200i
 *                       200.1.2.2      150                  0       200i
As shown in the BGP routing table, the next-hop address of the route to 172.16.1.0/24 is 200.1.1.2, and service traffic is transmitted on the primary link between RouterA and RouterB.
4. Configure BFD, and set the interval for transmitting BFD packets, the interval for receiving BFD packets, and the local detection multiplier.
# Enable BFD on RouterA. Set the minimum intervals for transmitting and receiving BFD packets to 100 ms and the local detection multiplier to 4.
[RouterA] bfd
[RouterA-bfd] quit
[RouterA] bgp 100
[RouterA-bgp] peer 200.1.1.2 bfd enable
[RouterA-bgp] peer 200.1.1.2 bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
# Enable BFD on RouterB. Set the minimum intervals for transmitting and receiving BFD packets to 100 ms and the local detection multiplier to 4.
[RouterB] bfd
Verify the configuration.
# Run the shutdown command on GE 2/0/0 of RouterB to simulate a fault on the primary link.
[RouterB] interface gigabitethernet 2/0/0
[RouterB-Gigabitethernet2/0/0] shutdown
# Check the BGP routing table on RouterA.
display bgp routing-table
 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   172.16.1.0/24      200.1.2.2      150                  0       200i
As shown in the BGP routing table, the backup link RouterA -> RouterC -> RouterB takes effect after the primary link fails, and the next-hop address of the route to 172.16.1.0/24 is 200.1.2.2.
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
Routing Policy
6.1.1 Summary
Routing policies are used to filter routes and set attributes for routes. By changing route attributes (including reachability), a routing policy changes the path that network traffic passes through.
Purpose
When advertising, receiving, and importing routes, routing protocols implement certain policies based on actual networking requirements to filter routes and change the attributes of the routes. Routing policies serve the following purposes:
To control route receiving and advertising: Only the required and valid routes are received or advertised. This reduces the size of the routing table and improves network security.
To control route importing: A routing protocol may import routes discovered by other routing protocols. Only routes that satisfy certain conditions are imported to meet the requirements of the protocol.
To modify attributes of specified routes: Attributes of the routes that are filtered by a routing policy are modified to meet the requirements of the local device.
Benefits
This feature brings the following benefits:
Controls the size of the routing table, saving system resources.
Controls route receiving, advertising and importing, improving network security.
Modifies attributes of routes for proper traffic planning, improving network performance.
6.1.2 Principle
A routing policy uses different matching rules and modes to select routes and change route attributes. Six filters in the routing policy can be used independently to filter routes in special scenarios. If the device supports the BGP to IGP function, the private attributes of BGP can serve as matching rules when the IGP imports BGP routes.
Figure 6-1-1 Working mechanism of the routing policy
As shown in Figure 6-1-1, a routing policy consists of N nodes (N ≥ 1). The system checks routes against the nodes of a routing policy in ascending order of node ID. The If-match clauses define matching rules related to route attributes and the six filters. When a route matches all If-match clauses in a node, the route enters the matching mode of that node without being checked against other nodes. The following two matching modes are supported:
permit: The route is permitted, and the actions defined by the Apply clauses are performed on the route to set its attributes.
deny: The route is denied.
If a route does not match one of the If-match clauses in a node, the route proceeds to the next node. If a route matches none of the nodes, the route is filtered out.
6.1.3 Filters
The six filters specified in If-match clauses in a routing policy are access control list (ACL), IP prefix list, AS_Path filter, community filter, extended community filter, and RD filter. The six filters have their own matching rules and modes. Therefore, they can be used independently to filter routes in some special situations.
ACL
ACLs check the inbound interface, source or destination IP address, source or destination port number, and protocol of packets to filter routes. ACLs can be used independently when routing protocols advertise and receive routes. The If-match clauses in a routing policy support only basic ACLs. ACLs can be used not only in a routing policy but also in other scenarios. For details, see the Feature Description - Security - ACL.
IP prefix list
IP prefix lists check the IP prefixes of the source IP address, destination IP address, and next hop address to filter routes. They can be used independently when routing protocols advertise and receive routes. Each IP prefix list consists of multiple indexes, and each index matches a node. An IP prefix list checks routes against all nodes with the indexes in ascending order. If a route matches one node, the route is no longer checked by other nodes. If a route does not match any one of the nodes, the route is filtered out. The IP prefix list supports exact matching or matching within a specified mask length range.
NOTE: When the IP address is 0.0.0.0, a wildcard address, all routes in the mask length range are permitted or denied.
AS_Path filter
The AS_Path filter uses the AS_Path attribute of BGP to filter routes. It can be used independently when BGP advertises and receives routes. The AS_Path attribute records all ASs that a route passes through. For details about the AS_Path attribute, see "Introduction to BGP" in the Feature Description - IP Routing - BGP.
Community filter
The community filter uses the community attribute of BGP to filter routes. It can be used independently when BGP advertises and receives routes. The community attribute identifies a group of routes with the same properties. For details about the community attribute, see "Introduction to BGP" in the Feature Description - IP Routing - BGP.
Extended community filter
The extended community filter uses the extended community attribute of BGP to filter routes. It can be used independently when VPN targets are used to identify routes in a VPN.
Currently, the extended community filter applies only to the VPN target attribute in a VPN. On a BGP/MPLS IP VPN, VPN targets are used to control the advertising and receiving of VPN routing information between sites. For details about the VPN target attribute, see "Introduction to BGP/MPLS IP VPN" in the Feature Description - VPN - BGP/MPLS IP VPN.
Route Distinguisher (RD) filter
The RD filter uses the RD attribute in a VPN to filter routes. It can be used independently when the RD attribute is used to identify routes in a VPN. A VPN instance uses RDs to separate address spaces and distinguish the IP prefixes with the same address space. For details about the RD attribute, see "Introduction to BGP/MPLS IP VPN" in the Feature Description - VPN - BGP/MPLS IP VPN.
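The node-by-node evaluation of 6.1.2 together with the IP prefix list of 6.1.3, as an added example that is not part of the Huawei material: the prefix list walks its indexes in ascending order, the first matching index decides, a route matching no index is filtered out, an entry without greater-equal/less-equal matches the exact mask length, and 0.0.0.0 acts as the wildcard described in the NOTE; the route policy walks its nodes in ascending order, a node whose If-match clauses all hold ends the search with permit (Apply actions run) or deny, and a node with no If-match clause matches every route. The class names, the mask-length range rules (only greater-equal given: up to 32; only less-equal given: from the entry's own length), the dictionary representation of a route and the sample routes are this example's own assumptions.

```python
# Added example, not from the Huawei material: an IP prefix list with ordered
# indexes and mask-length ranges, plus the node-by-node route-policy
# evaluation of 6.1.2.  Names and the route representation are this example's
# own; sample routes in the usage are constructed.
import ipaddress


class PrefixList:
    """ip ip-prefix NAME index N permit|deny A.B.C.D LEN [greater-equal GE] [less-equal LE]"""

    def __init__(self, name):
        self.name = name
        self.entries = []        # (index, action, address_int, mask_len, lo, hi)

    def add(self, index, action, address, mask_len, ge=None, le=None):
        # Assumed range rules: no ge/le -> exact length; only ge -> ge..32;
        # only le -> mask_len..le.
        lo = ge if ge is not None else mask_len
        hi = le if le is not None else (32 if ge is not None else mask_len)
        if not (mask_len <= lo <= hi <= 32):
            raise ValueError("invalid mask-length range")
        self.entries.append((index, action, int(ipaddress.IPv4Address(address)),
                             mask_len, lo, hi))
        self.entries.sort(key=lambda e: e[0])     # indexes are checked in ascending order

    def permits(self, prefix):
        """The first matching index decides; no match means the route is filtered out."""
        net = ipaddress.IPv4Network(prefix, strict=False)
        for _, action, addr_int, mask_len, lo, hi in self.entries:
            if not lo <= net.prefixlen <= hi:
                continue
            if addr_int != 0:     # 0.0.0.0 is a wildcard: any address in the length range
                mask = (0xFFFFFFFF << (32 - mask_len)) & 0xFFFFFFFF
                if (int(net.network_address) & mask) != (addr_int & mask):
                    continue
            return action == "permit"
        return False


class RoutePolicy:
    """route-policy NAME permit|deny node N, each node with If-match and Apply clauses."""

    def __init__(self, name):
        self.name = name
        self.nodes = []          # (node_id, mode, [predicates], [(attribute, value)])

    def node(self, node_id, mode, if_match=(), apply=()):
        self.nodes.append((node_id, mode, list(if_match), list(apply)))
        self.nodes.sort(key=lambda n: n[0])

    def evaluate(self, route):
        """Return (permitted, route copy) from the first node whose If-match
        clauses all hold; a node with no If-match clause matches every route."""
        for _, mode, predicates, actions in self.nodes:
            if all(p(route) for p in predicates):
                if mode == "deny":
                    return False, None
                out = dict(route)
                for attribute, value in actions:   # Apply clauses set attributes
                    out[attribute] = value
                return True, out
            # one failed If-match clause: fall through to the next node
        return False, None


def filter_routes(policy, routes):
    """Apply a route policy to a list of routes, keeping the permitted copies."""
    kept = []
    for route in routes:
        ok, out = policy.evaluate(route)
        if ok:
            kept.append(out)
    return kept
```

With a prefix list holding 172.1.17.0/24, 172.1.18.0/24 and 172.1.19.0/24 at indexes 10, 20 and 30, `permits` returns True for exactly those three of the 172.1.16.0/24 to 172.1.20.0/24 statics and False for 172.1.17.0/25 (the entry has no range, so only a /24 matches); a route policy whose node 10 denies 172.1.18.0/24 and whose node 20 permits prefixes from that list with `apply cost 100` keeps 172.1.17.0/24 and 172.1.19.0/24 with cost 100 and drops the rest.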
6.1.4 BGP to IGP function
The BGP to IGP function enables an IGP to identify private attributes of BGP such as the community, extended community, and AS-Path attributes. Routing policies can be used when an IGP imports BGP routes. BGP private attributes can be used as matching rules in routing policies only when the device supports the BGP to IGP function. When the device does not support the BGP to IGP function, the IGP cannot identify private attributes of BGP routes. Therefore, the matching rule does not take effect.
6.2 Policy-based Routing
6.2.1 Summary
Policy-based routing (PBR) is a mechanism that makes routing decisions based on user-defined policies. PBR includes local PBR, interface PBR, and smart policy routing (SPR).
NOTE: The differences between PBR and routing policy are as follows: PBR implements routing based on packets. It routes data packets based on user-defined policies instead of following the routes in the existing routing table. Routing policies implement routing based on routing information. Routing policies are used to filter routes and set route attributes. You can change route attributes (including reachability) to change a route over which network traffic is transmitted.
Purpose
Traditionally, devices search routing tables for routes to packets based on their destination addresses and then forward the packets. Currently, more users require that devices route packets based on user-defined policies. PBR allows network administrators to define policies that change packet routes based on source addresses, packet size, and link quality in addition to destination addresses.
Benefits PBR has the following advantages:
Allows network administrators to make user-defined policies for routing packets, which improves flexibility of route selection.
Allows different data flows to be forwarded on different links, which increases link usage.
Uses cost-effective links to transmit service data without affecting service quality, which reduces the cost of enterprise data services.
6.2.2 Local PBR
Local PBR applies only to locally generated packets, such as ping packets. Local PBR on a device can have multiple local PBR nodes. Each local PBR node has a priority. The device attempts to match locally generated packets with rules bound with local PBR nodes in descending order of priority.
Implementation
When sending locally generated packets, a device attempts to match the packets with rules bound with local PBR nodes in descending order of priority. Local PBR supports rules based on access control list (ACL) and packet length.
If the device finds a matching local PBR node, it performs the following steps:
1. Checks whether the priority of the packets has been set.
   - If so, the device applies the configured priority to the packets and performs the next step.
   - If not, the device performs the next step.
2. Checks whether an outbound interface has been configured for local PBR.
   - If so, the device sends the packets through the outbound interface.
   - If not, the device performs the next step.
3. Checks whether next hops have been configured for local PBR.
   NOTE: Two next hops can be configured for load balancing.
   - If a next hop is configured for packet forwarding in PBR and the next hop is reachable, the device checks whether association between the next hop and a route is configured.
     - If association between the next hop and a route is configured, the device detects whether the configured IP address of the route associated with the next hop in PBR is reachable.
       - If the IP address is reachable, the configured next hop takes effect, and the device forwards packets to the next hop.
       - If the IP address is unreachable, the configured next hop does not take effect, and the device checks whether a backup next hop has been configured. If a backup next hop has been configured and is reachable, the device forwards packets to the backup next hop. If no backup next hop is configured or the configured backup next hop is unreachable, the device searches the routing table for a route according to the destination of the packets. If no route is available, the device performs the next step.
     - If association between the next hop and a route is not configured, the device sends packets to the next hop.
   - If a next hop is configured in PBR but the next hop is unreachable, the device checks whether a backup next hop has been configured. If a backup next hop has been configured and is reachable, the device forwards packets to the backup next hop. If no backup next hop is configured or the configured backup next hop is unreachable, the device searches the routing table for a route according to the destination of the packets. If no route is available, the device performs the next step.
   - If a next hop is configured for packet forwarding in PBR and the next hop is reachable, the device sends packets to the next hop.
   - If no next hop is configured, the device searches the routing table for a route based on the destination addresses of the packets. If no route is available, the device performs the next step.
4. Checks whether a default outbound interface has been configured for local PBR.
   - If so, the device sends the packets through the default outbound interface.
   - If not, the device performs the next step.
5. Checks whether default next hops have been configured for local PBR.
   - If so, the device sends the packets to the default next hops.
   - If not, the device performs the next step.
6. Discards the packets and generates ICMP_UNREACH messages.
If the device does not find a matching local PBR node, it searches the routing table for a route based on the destination addresses of the packets and then sends the packets.
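The six-step local PBR decision above as one function, added here as an example that is not part of the Huawei material: nodes are tried in descending priority, a matching node sets the packet priority, then the outbound interface, the next hops (with the associated-route check and the backup next hop), the routing table, the default outbound interface and the default next hops are tried in that order, and a packet that reaches the end is discarded with ICMP_UNREACH. The `PbrNode` fields, the packet and routing-table representation, the reachability set and the sample addresses are this example's own assumptions; where two next hops are configured, the first usable one is taken rather than load-balanced.

```python
# Added example, not from the Huawei material: the local PBR decision sequence
# of 6.2.2 as a function.  PbrNode fields, the packet/RIB representation and
# the sample values are this example's own.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PbrNode:
    priority: int
    src: Optional[str] = None              # ACL-style source network match
    dst: Optional[str] = None              # ACL-style destination network match
    max_len: Optional[int] = None          # packet-length match
    dscp: Optional[int] = None             # step 1: priority to set on matching packets
    out_if: Optional[str] = None           # step 2: outbound interface
    next_hops: list = field(default_factory=list)     # step 3: up to two next hops
    track: dict = field(default_factory=dict)         # next hop -> associated route IP
    backup_next_hop: Optional[str] = None
    default_out_if: Optional[str] = None   # step 4
    default_next_hops: list = field(default_factory=list)   # step 5


def node_matches(node, pkt):
    if node.src and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(node.src):
        return False
    if node.dst and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(node.dst):
        return False
    if node.max_len is not None and pkt["len"] > node.max_len:
        return False
    return True


def rib_lookup(rib, dst):
    """Longest-prefix match over a list of (network, next_hop, interface)."""
    best = None
    for network, next_hop, interface in rib:
        net = ipaddress.ip_network(network)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, interface)
    if best is None:
        return None
    return {"action": "forward", "via": best[1], "interface": best[2], "source": "rib"}


def local_pbr(pkt, nodes, rib, reachable):
    """Decide how a locally generated packet leaves the device.
    reachable: the set of IP addresses the device currently has a path to."""
    pkt = dict(pkt)
    node = next((n for n in sorted(nodes, key=lambda n: -n.priority) if node_matches(n, pkt)), None)
    if node is None:                                  # no matching node: plain RIB forwarding
        return rib_lookup(rib, pkt["dst"]) or {"action": "drop", "reason": "no route"}
    if node.dscp is not None:                         # step 1: set the packet priority
        pkt["dscp"] = node.dscp
    if node.out_if:                                   # step 2: outbound interface
        return {"action": "forward", "interface": node.out_if,
                "source": "pbr out-interface", "dscp": pkt.get("dscp")}
    if node.next_hops:                                # step 3: next hops
        for nh in node.next_hops:                     # first usable next hop is taken
            # A next hop is usable if it is reachable and, when an associated
            # route is configured, that route's IP address is reachable too.
            if nh in reachable and node.track.get(nh, nh) in reachable:
                return {"action": "forward", "via": nh, "source": "pbr next-hop",
                        "dscp": pkt.get("dscp")}
        if node.backup_next_hop in reachable:
            return {"action": "forward", "via": node.backup_next_hop,
                    "source": "pbr backup next-hop", "dscp": pkt.get("dscp")}
    found = rib_lookup(rib, pkt["dst"])               # next hops unusable or not configured
    if found:
        return found
    if node.default_out_if:                           # step 4: default outbound interface
        return {"action": "forward", "interface": node.default_out_if,
                "source": "pbr default out-interface"}
    if node.default_next_hops:                        # step 5: default next hops
        return {"action": "forward", "via": node.default_next_hops[0],
                "source": "pbr default next-hop"}
    return {"action": "drop", "reason": "ICMP_UNREACH"}   # step 6
```

With a node whose next hop 10.1.1.1 is associated with route address 10.9.9.9 and backed up by 10.2.2.2, the function forwards via 10.1.1.1 while both are reachable, via the backup when only the associated address is down, and via the routing table when neither next hop is usable; a packet that matches a node with nothing configured and no route is dropped with ICMP_UNREACH.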
6.2.3 Interface PBR
Interface PBR applies only to packets received from other devices, but not to locally generated packets such as local ping packets.
Implementation
Interface PBR is implemented based on the redirect action configured in a traffic behavior and takes effect only on inbound packets. By default, a device forwards packets to the next hop found in the routing table. If interface PBR is configured, the device forwards packets to the next hop specified by interface PBR. When the device forwards packets to the next hop specified by interface PBR, the device triggers ARP learning if it has no ARP entry corresponding to the IP address of the specified next hop. If the device cannot learn this ARP entry, it forwards packets to the next hop found in the routing table. If the device has this ARP entry, it forwards packets to the next hop specified by interface PBR.
6.3 Examples for Configuring Route Import and Control
6.3.1 Example for Filtering Received and Advertised Routes
Networking Requirements
As shown in Figure 6-3-1, on the network where OSPF runs, RouterA receives routes from the Internet and provides these routes to the OSPF network. Users want devices on the OSPF network to access only the network segments 172.1.17.0/24, 172.1.18.0/24, and 172.1.19.0/24, and RouterC to access only the network segment 172.1.18.0/24.
Figure 6-3-1 Networking diagram for filtering received and advertised routes
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing policy on RouterA and apply the routing policy during route advertisement. When routes are advertised, the routing policy allows RouterA to provide routes from network segments 172.1.17.0/24, 172.1.18.0/24, and 172.1.19.0/24 for RouterB, and allows devices on the OSPF network to access these three network segments.
2. Configure a routing policy on RouterC and apply the routing policy during route importing. When routes are imported, the routing policy allows RouterC to receive only the routes from the network segment 172.1.18.0/24 and access this network segment.
Procedure
1. Assign an IP address to each interface. The configuration details are not mentioned here.
Configure five static routes on RouterA and import these routes to OSPF.
[RouterA] ip route-static 172.1.16.0 24 NULL 0
[RouterA] ip route-static 172.1.17.0 24 NULL 0
[RouterA] ip route-static 172.1.18.0 24 NULL 0
[RouterA] ip route-static 172.1.19.0 24 NULL 0
[RouterA] ip route-static 172.1.20.0 24 NULL 0
[RouterA] ospf
[RouterA-ospf-1] import-route static
[RouterA-ospf-1] quit
# Check the IP routing table on RouterB. You can view that the five static routes are imported to OSPF.
[RouterB] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16
Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
      127.0.0.0/8   Direct  0    0        D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0        D   127.0.0.1       InLoopBack0
    172.1.16.0/24   O_ASE   150  1        D   192.168.1.1     GigabitEthernet1/0/0
    172.1.17.0/24   O_ASE   150  1        D   192.168.1.1     GigabitEthernet1/0/0
    172.1.18.0/24   O_ASE   150  1        D   192.168.1.1     GigabitEthernet1/0/0
    172.1.19.0/24   O_ASE   150  1        D   192.168.1.1     GigabitEthernet1/0/0
    172.1.20.0/24   O_ASE   150  1        D   192.168.1.1     GigabitEthernet1/0/0
   192.168.1.0/24   Direct  0    0        D   192.168.1.2     GigabitEthernet1/0/0
   192.168.1.1/32   Direct  0    0        D   192.168.1.1     GigabitEthernet1/0/0
   192.168.1.2/32   Direct  0    0        D   127.0.0.1       InLoopBack0
   192.168.2.0/24   Direct  0    0        D   192.168.2.1     GigabitEthernet3/0/0
   192.168.2.1/32   Direct  0    0        D   127.0.0.1       InLoopBack0
   192.168.2.2/32   Direct  0    0        D   192.168.2.2     GigabitEthernet3/0/0
   192.168.3.0/24   Direct  0    0        D   192.168.3.1     GigabitEthernet2/0/0
   192.168.3.1/32   Direct  0    0        D   127.0.0.1       InLoopBack0
   192.168.3.2/32   Direct  0    0        D   192.168.3.2     GigabitEthernet2/0/0
4.
Configure the policy for advertising routes.
# Configure the IP prefix list named a2b on RouterA.
[RouterA] ip ip-prefix a2b index 10 permit 172.1.17.0 24
[RouterA] ip ip-prefix a2b index 20 permit 172.1.18.0 24
[RouterA] ip ip-prefix a2b index 30 permit 172.1.19.0 24
# Configure the policy for advertising routes on RouterA and use the IP prefix list named a2b to filter routes.
[RouterA] ospf
[RouterA-ospf-1] filter-policy ip-prefix a2b export static
# Check the IP routing table on RouterB. You can view the three routes permitted by a2b that RouterB has received.
[RouterB] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 14       Routes : 14
Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
      127.0.0.0/8   Direct  0    0        D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0        D   127.0.0.1       InLoopBack0
    172.1.17.0/24   O_ASE   150  1        D   192.168.1.1     GigabitEthernet1/0/0
    172.1.18.0/24   O_ASE   150  1        D   192.168.1.1     GigabitEthernet1/0/0
    172.1.19.0/24   O_ASE   150  1        D   192.168.1.1     GigabitEthernet1/0/0
   192.168.1.0/24   Direct  0    0        D   192.168.1.2     GigabitEthernet1/0/0
   192.168.1.1/32   Direct  0    0        D   192.168.1.1     GigabitEthernet1/0/0
   192.168.1.2/32   Direct  0    0        D   127.0.0.1       InLoopBack0
   192.168.2.0/24   Direct  0    0        D   192.168.2.1     GigabitEthernet3/0/0
   192.168.2.1/32   Direct  0    0        D   127.0.0.1       InLoopBack0
   192.168.2.2/32   Direct  0    0        D   192.168.2.2     GigabitEthernet3/0/0
   192.168.3.0/24   Direct  0    0        D   192.168.3.1     GigabitEthernet2/0/0
   192.168.3.1/32   Direct  0    0        D   127.0.0.1       InLoopBack0
   192.168.3.2/32   Direct  0    0        D   192.168.3.2     GigabitEthernet2/0/0
5.
Configure the policy for receiving routes. # Configure the IP prefix list named in on RouterC. [RouterC] ip ip-prefix in index 10 permit 172.1.18.0 24 # Configure the policy for receiving routes on RouterC, and use IP prefix list named in to filter routes. [RouterC] ospf [RouterC-ospf-1] filter-policy ip-prefix in import # Check the IP routing table on RouterC, and you can find that RouterC in the local core routing table receives only one route from the IP prefix list named in. [RouterC] display ip routing-table Route Flags: R - relay, D - download to fib -----------------------------------------------------------------------------Routing Tables: Public Destinations : 6 Destination/Mask
Routes : 6
Proto
Pre Cost
Direct
0
0
D
127.0.0.1
InLoopBack0
127.0.0.1/32 Direct
0
0
D
127.0.0.1
InLoopBack0
127.0.0.0/8
172.1.18.0/24
Flags NextHop
O_ASE 150 1
D
Interface
192.168.2.1
GigabitEthernet1/0/0 192.168.2.0/24
Direct
0
0
D
192.168.2.2
192.168.2.1/32 Direct
0
0
D
192.168.2.1
0
0
D
127.0.0.1
GigabitEthernet1/0/0 GigabitEthernet1/0/0 192.168.2.2/32 Direct
InLoopBack0
# Check the IP routing table on RouterD. You can see that the local core routing table of RouterD receives all the routes advertised by RouterB.
[RouterD] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10

Destination/Mask    Proto   Pre  Cost   Flags  NextHop          Interface
  192.168.3.1/32    Direct                                      GigabitEthernet1/0/0
  192.168.3.2/32    Direct                                      GigabitEthernet1/0/0

# Check the OSPF routing table of RouterC. You can see that the three routes permitted by the IP prefix list named a2b are all present in the OSPF routing table. In a link-state protocol, the filter-policy import command filters only the routes that are installed from the protocol routing table into the local core routing table; it does not remove them from the protocol routing table itself.
[RouterC] display ospf routing
          OSPF Process 1 with Router ID 192.168.2.2
                   Routing Tables

 Routing for Network
 Destination        Cost  Type       NextHop         AdvRouter       Area
 192.168.2.0/24     1     Stub       192.168.2.2     192.168.2.2     0.0.0.0
 192.168.1.0/24     2     Stub       192.168.2.1     192.168.2.1     0.0.0.0
 192.168.3.0/24     2     Stub       192.168.2.1     192.168.2.1     0.0.0.0

 Routing for ASEs
 Destination        Cost      Type       Tag         NextHop         AdvRouter
 172.1.17.0/24      1         Type2      1           192.168.2.1     192.168.1.1
 172.1.18.0/24      1         Type2      1           192.168.2.1     192.168.1.1
 172.1.19.0/24      1         Type2      1           192.168.2.1     192.168.1.1

 Total Nets: 6
 Intra Area: 3  Inter Area: 0  ASE: 3  NSSA: 0
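To make the two filter directions above concrete, the following Python model (added here; it is not Huawei code and not part of the training material) evaluates an ip-prefix list the way the example relies on: entries are tried in index order, the first match decides, a route matching no entry is denied, and an import filter touches only the local IP routing table while the OSPF routing table keeps every received route. The greater-equal/less-equal handling and the list ALT_LIST are added to show deny ordering and length windows; they are not in the example configuration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PrefixEntry:
    """One 'ip ip-prefix <name> index <n> permit|deny <ip> <len> [greater-equal ge] [less-equal le]' entry."""
    index: int
    action: str            # "permit" or "deny"
    prefix: str            # e.g. "172.1.17.0"
    mask_len: int          # e.g. 24
    ge: Optional[int] = None
    le: Optional[int] = None

    def matches(self, net: ipaddress.IPv4Network) -> bool:
        base = ipaddress.ip_network(f"{self.prefix}/{self.mask_len}", strict=False)
        if not net.subnet_of(base):
            return False
        # Length window: exact length when neither ge nor le is given,
        # [ge, 32] when only ge is given, [mask_len, le] when only le is given.
        lo = self.ge if self.ge is not None else self.mask_len
        hi = self.le if self.le is not None else (32 if self.ge is not None else self.mask_len)
        return lo <= net.prefixlen <= hi


def prefix_list_permits(entries: List[PrefixEntry], route: str) -> bool:
    net = ipaddress.ip_network(route, strict=False)
    for entry in sorted(entries, key=lambda e: e.index):   # lowest index is tried first
        if entry.matches(net):
            return entry.action == "permit"
    return False   # implicit deny: a route that matches no entry is filtered out


def filter_export(local_routes: List[str], entries: List[PrefixEntry]) -> List[str]:
    """filter-policy ip-prefix <name> export [static]: only permitted routes are advertised."""
    return [r for r in local_routes if prefix_list_permits(entries, r)]


def filter_import(received: List[str], entries: List[PrefixEntry]) -> List[str]:
    """filter-policy ip-prefix <name> import: the protocol keeps every received route;
    only permitted routes are installed into the local IP routing table."""
    return [r for r in received if prefix_list_permits(entries, r)]


# Constructed from the example above: RouterA's five static routes and the lists a2b and in.
STATIC_ROUTES = ["172.1.16.0/24", "172.1.17.0/24", "172.1.18.0/24",
                 "172.1.19.0/24", "172.1.20.0/24"]
A2B = [PrefixEntry(10, "permit", "172.1.17.0", 24),
       PrefixEntry(20, "permit", "172.1.18.0", 24),
       PrefixEntry(30, "permit", "172.1.19.0", 24)]
IN = [PrefixEntry(10, "permit", "172.1.18.0", 24)]

# Constructed variant (not from the example): an explicit deny placed before a
# wider permit with a length window, to show that the lowest index wins.
ALT_LIST = [PrefixEntry(5, "deny", "172.1.18.0", 24),
            PrefixEntry(10, "permit", "172.1.16.0", 22, le=24)]


def routes_advertised_to_router_b() -> List[str]:
    return filter_export(STATIC_ROUTES, A2B)


def router_c_ospf_routing_table() -> List[str]:
    # The import filter does not change RouterC's OSPF routing table: all three ASE routes stay.
    return routes_advertised_to_router_b()


def router_c_ip_routing_table() -> List[str]:
    return filter_import(routes_advertised_to_router_b(), IN)


if __name__ == "__main__":
    print("RouterB learns   :", routes_advertised_to_router_b())
    print("RouterC OSPF RIB :", router_c_ospf_routing_table())
    print("RouterC IP RIB   :", router_c_ip_routing_table())
    print("ALT_LIST export  :", filter_export(STATIC_ROUTES, ALT_LIST))
```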
Configuration Files

Configuration file of RouterA
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.1 255.255.255.0
#
ospf 1
 filter-policy ip-prefix a2b export static
 import-route static
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
ip ip-prefix a2b index 10 permit 172.1.17.0 24
ip ip-prefix a2b index 20 permit 172.1.18.0 24
ip ip-prefix a2b index 30 permit 172.1.19.0 24
#
ip route-static 172.1.16.0 255.255.255.0 NULL0
ip route-static 172.1.17.0 255.255.255.0 NULL0
ip route-static 172.1.18.0 255.255.255.0 NULL0
ip route-static 172.1.19.0 255.255.255.0 NULL0
ip route-static 172.1.20.0 255.255.255.0 NULL0
#
return

Configuration file of RouterB
#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.3.1 255.255.255.0
#

Configuration file of RouterC
#
 sysname RouterC
#
interface GigabitEthernet1/0/0
 ip address 192.168.2.2 255.255.255.0
#
ospf 1
 filter-policy ip-prefix in import
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255
#
ip ip-prefix in index 10 permit 172.1.18.0 24
#
return

Configuration file of RouterD
#
 sysname RouterD
#
interface GigabitEthernet1/0/0
 ip address 192.168.3.2 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.3.0 0.0.0.255
#
return
6.3.2 Example for Applying a Routing Policy for Importing Routes

Networking Requirements
As shown in Figure 6-3-2, RouterB exchanges routing information with RouterA through OSPF and with RouterC through IS-IS. Users want RouterB to import IS-IS routes into the OSPF network. Users also want the route to 172.17.1.0/24 on the OSPF network to have a low preference, and the route to 172.17.2.0/24 to carry a tag so that it can easily be referenced by a routing policy.

Figure 6-3-2 Networking diagram for applying a routing policy for importing routes

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing policy on RouterB that sets the cost of the route to 172.17.1.0/24 to 100, and apply the routing policy when OSPF imports IS-IS routes. The routing policy gives the route to 172.17.1.0/24 a low preference.
2. Configure a routing policy on RouterB that sets the tag of the route to 172.17.2.0/24 to 20, and apply the routing policy when OSPF imports IS-IS routes. In this way the tag on the route to 172.17.2.0/24 takes effect and can easily be referenced by a routing policy.

Procedure
1. Assign an IP address to each interface. The configuration details are not mentioned here.
Configure OSPF and import routes.
# Configure RouterA and enable OSPF.
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Configure RouterB. Enable OSPF and import IS-IS routes.
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] import-route isis 1
[RouterB-ospf-1] quit
# Check the OSPF routing table of RouterA. You can see the imported routes.
[RouterA] display ospf routing
          OSPF Process 1 with Router ID 192.168.1.1
                   Routing Tables

 Routing for Network
 Destination        Cost  Type       NextHop         AdvRouter       Area
 192.168.1.0/24     1     Stub       192.168.1.1     192.168.1.1     0.0.0.0

 Routing for ASEs
 Destination        Cost      Type       Tag         NextHop         AdvRouter
 172.17.1.0/24      1         Type2      1           192.168.1.2     192.168.1.2
 172.17.2.0/24      1         Type2      1           192.168.1.2     192.168.1.2
 172.17.3.0/24      1         Type2      1           192.168.1.2     192.168.1.2
 192.168.2.0/24     1         Type2      1           192.168.1.2     192.168.1.2

 Total Nets: 5
 Intra Area: 1  Inter Area: 0  ASE: 4  NSSA: 0

4. Configure the filtering list.
# Configure ACL 2002 to match 172.17.2.0/24.
[RouterB] acl number 2002
[RouterB-acl-basic-2002] rule permit source 172.17.2.0 0.0.0.255
[RouterB-acl-basic-2002] quit
# Configure the IP prefix list named prefix-a to match 172.17.1.0/24.
[RouterB] ip ip-prefix prefix-a index 10 permit 172.17.1.0 24

Apply the Route-Policy when the routes are imported.
# Configure RouterB to apply the Route-Policy when the routes are imported.
[RouterB] ospf
[RouterB-ospf-1] import-route isis 1 route-policy isis2ospf
[RouterB-ospf-1] quit
# Check the OSPF routing table of RouterA. You can see that the cost of the route to 172.17.1.0/24 is now 100 and the tag of the route to 172.17.2.0/24 is 20. The other routing attributes are unchanged.
[RouterA] display ospf routing
          OSPF Process 1 with Router ID 192.168.1.1
                   Routing Tables

 Routing for Network
 Destination        Cost  Type       NextHop         AdvRouter       Area
 192.168.1.0/24     1     Stub       192.168.1.1     192.168.1.1     0.0.0.0

 Routing for ASEs
 Destination        Cost      Type       Tag         NextHop         AdvRouter
 172.17.1.0/24      100       Type2      1           192.168.1.2     192.168.1.2
 172.17.2.0/24      1         Type2      20          192.168.1.2     192.168.1.2
 172.17.3.0/24      1         Type2      1           192.168.1.2     192.168.1.2
 192.168.2.0/24     1         Type2      1           192.168.1.2     192.168.1.2

 Total Nets: 5
 Intra Area: 1  Inter Area: 0  ASE: 4  NSSA: 0
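The route-policy isis2ospf itself is not reproduced on this page, so the following Python model (added here; not Huawei code and not from the training material) assumes the node structure the roadmap describes: a node matching prefix-a that applies cost 100, a node matching ACL 2002 that applies tag 20, and a trailing catch-all permit node, which is the assumption needed to reproduce the unchanged 172.17.3.0/24 and 192.168.2.0/24 entries in the output above. The model also shows what happens to those two routes when the catch-all node is left out.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Callable, List, Optional


@dataclass
class Route:
    prefix: str
    cost: int = 1      # default cost/tag of a route imported by 'import-route isis', as in the table above
    tag: int = 1


@dataclass
class Node:
    """One 'route-policy <name> permit|deny node <n>' with optional if-match and apply clauses."""
    node_id: int
    action: str                                   # "permit" or "deny"
    if_match: Optional[Callable[[Route], bool]]   # None: no if-match clause, every route matches
    apply: Callable[[Route], Route] = lambda r: r # no apply clause: route passes unchanged


def ip_prefix_match(prefix: str) -> Callable[[Route], bool]:
    """if-match ip-prefix <list>: exact prefix match, as prefix-a does in the example."""
    want = ipaddress.ip_network(prefix)
    return lambda r: ipaddress.ip_network(r.prefix) == want


def basic_acl_match(source: str, wildcard: str) -> Callable[[Route], bool]:
    """if-match acl <basic-acl>: the rule's source/wildcard is compared against the route's network."""
    src = int(ipaddress.IPv4Address(source))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF   # wildcard bit 1 = don't care
    return lambda r: (int(ipaddress.ip_network(r.prefix).network_address) & care) == (src & care)


def run_route_policy(nodes: List[Node], routes: List[Route]) -> List[Route]:
    """Nodes are tried in ascending node order; the first node whose if-match clauses all
    match decides: permit -> apply clauses run and the route passes; deny -> the route is
    dropped; a route that matches no node is dropped as well (implicit deny)."""
    accepted: List[Route] = []
    for route in routes:
        for node in sorted(nodes, key=lambda n: n.node_id):
            if node.if_match is None or node.if_match(route):
                if node.action == "permit":
                    accepted.append(node.apply(route))
                break          # first matching node decides, nothing after it is evaluated
    return accepted


# Constructed from the example: the four IS-IS routes RouterB imports into OSPF.
ISIS_ROUTES = [Route("172.17.1.0/24"), Route("172.17.2.0/24"),
               Route("172.17.3.0/24"), Route("192.168.2.0/24")]

# Assumed structure of route-policy isis2ospf (node numbers and the catch-all node 30 are assumptions).
ISIS2OSPF = [
    Node(10, "permit", ip_prefix_match("172.17.1.0/24"), lambda r: replace(r, cost=100)),
    Node(20, "permit", basic_acl_match("172.17.2.0", "0.0.0.255"), lambda r: replace(r, tag=20)),
    Node(30, "permit", None),   # catch-all: routes matching no earlier node pass unchanged
]


def imported_into_ospf() -> List[Route]:
    return run_route_policy(ISIS2OSPF, ISIS_ROUTES)


def imported_without_catch_all() -> List[Route]:
    # Without node 30 the implicit deny drops 172.17.3.0/24 and 192.168.2.0/24 entirely.
    return run_route_policy(ISIS2OSPF[:2], ISIS_ROUTES)


if __name__ == "__main__":
    for r in imported_into_ospf():
        print(f"{r.prefix:16} cost={r.cost:<4} tag={r.tag}")
    print("without catch-all:", [r.prefix for r in imported_without_catch_all()])
```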
Configuration Files

Configuration file of RouterA
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
return

Configuration file of RouterB
#
 sysname RouterB
#
acl number 2002
 rule 5 permit source 172.17.2.0 0.0.0.255
#
 ip address 172.17.1.1 255.255.255.0
 isis enable 1
#
interface GigabitEthernet2/0/0
 ip address 172.17.2.1 255.255.255.0
 isis enable 1
#
interface GigabitEthernet3/0/0
 ip address 172.17.3.1 255.255.255.0
 isis enable 1
#
interface GigabitEthernet4/0/0
 ip address 192.168.2.1 255.255.255.0
 isis enable 1
#
return
6.3.3 Example for Configuring Local PBR

Networking Requirements
As shown in Figure 6-3-3, RouterA and RouterB are connected by two links. Users want locally generated packets of different lengths to be sent to different next hop addresses:
- Packets of 64 to 1400 bytes are sent to next hop address 192.168.1.2.
- Packets of 1401 to 1500 bytes are sent to next hop address 192.168.2.2.
- Packets of other lengths are routed based on their destination addresses.

Figure 6-3-3 Networking diagram of configuring local PBR

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a matching rule based on IP packet length on RouterA so that locally generated packets of different lengths match different PBR nodes.
2. Configure the actions of the local PBR on RouterA so that locally generated packets of different lengths are sent to different next hop addresses.
3. Enable local PBR.

Procedure
1. Configure IP addresses for interfaces.
# Configure IP addresses for all interfaces of RouterA.
system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 192.168.2.1 255.255.255.0
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface loopback 0
[RouterA-LoopBack0] ip address 10.1.1.1 255.255.255.0
[RouterA-LoopBack0] quit
# Configure IP addresses for all interfaces of RouterB.
system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 192.168.1.2 255.255.255.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ip address 192.168.2.2 255.255.255.0
[RouterB-GigabitEthernet2/0/0] quit
[RouterB] interface loopback 0
[RouterB-LoopBack0] ip address 10.1.2.1 255.255.255.0
[RouterB-LoopBack0] quit
2. Configure static routes.
# Configure static routes on RouterA.
[RouterA] ip route-static 10.1.2.0 24 192.168.1.2
[RouterA] ip route-static 10.1.2.0 24 192.168.2.2
# Configure static routes on RouterB.
[RouterB] ip route-static 10.1.1.0 24 192.168.1.1
[RouterB] ip route-static 10.1.1.0 24 192.168.2.1

3. Configure a PBR route.
# Configure a PBR route named lab1.
[RouterA] policy-based-route lab1 permit node 10
[RouterA-policy-based-route-lab1-10] if-match packet-length 64 1400
[RouterA-policy-based-route-lab1-10] apply ip-address next-hop 192.168.1.2
[RouterA-policy-based-route-lab1-10] quit
[RouterA] policy-based-route lab1 permit node 20
[RouterA-policy-based-route-lab1-20] if-match packet-length 1401 1500
[RouterA-policy-based-route-lab1-20] apply ip-address next-hop 192.168.2.2
[RouterA-policy-based-route-lab1-20] quit
# Enable local PBR.
[RouterA] ip local policy-based-route lab1
4. Verify the configurations.
# Clear interface statistics on RouterB.
reset counters interface gigabitethernet 1/0/0
reset counters interface gigabitethernet 2/0/0
# View interface statistics on RouterB.
display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2012-07-30 11:23:24
Description:HUAWEI, AR Series, GigabitEthernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 192.168.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0819-a6ce-7d4c
Last physical up time   : 2012-07-30 11:23:24
Last physical down time : 2012-07-24 16:54:19
Current system time: 2012-07-30 14:57:28
Port Mode: COMMON COPPER
Speed : 1000,  Loopback: NONE
Duplex: FULL,  Negotiation: ENABLE
Mdi   : AUTO
Last 300 seconds input rate 40 bits/sec, 0 packets/sec
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization  : 0.01%
Output bandwidth utilization : 0.00%
display interface gigabitethernet 2/0/0
GigabitEthernet2/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2012-07-30 11:23:29
Description:HUAWEI, AR Series, GigabitEthernet2/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 192.168.2.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0819-a6ce-7d4d
Last physical up time   : 2012-07-30 11:23:29
Last physical down time : 2012-07-30 11:09:17
Current system time: 2012-07-30 14:58:24
Port Mode: COMMON COPPER
Speed : 1000, Duplex: FULL, Mdi
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization  : 0.00%
Output bandwidth utilization : 0.00%
# On RouterA, ping the IP address of Loopback0 on RouterB and set the packet length to 80 bytes.
ping -s 80 10.1.2.1
  PING 10.1.2.1: 80 data bytes, press CTRL_C to break
    Reply from 10.1.2.1: bytes=80 Sequence=1 ttl=255 time=2 ms
    Reply from 10.1.2.1: bytes=80 Sequence=2 ttl=255 time=2 ms
    Reply from 10.1.2.1: bytes=80 Sequence=3 ttl=255 time=2 ms
    Reply from 10.1.2.1: bytes=80 Sequence=4 ttl=255 time=2 ms
    Reply from 10.1.2.1: bytes=80 Sequence=5 ttl=255 time=2 ms

  --- 10.1.2.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/2 ms
# View interface statistics on RouterB.
display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2012-07-30 11:23:24
Description:HUAWEI, AR Series, GigabitEthernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 192.168.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0819-a6ce-7d4c
Last physical up time   : 2012-07-30 11:23:24
Last physical down time : 2012-07-24 16:54:19
Current system time: 2012-07-30 15:00:15
Port Mode: COMMON COPPER
Speed : 1000, Duplex: FULL, Mdi
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization  : 0.00%
Output bandwidth utilization : 0.00%
display interface gigabitethernet 2/0/0
GigabitEthernet2/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2012-07-30 11:23:29
Description:HUAWEI, AR Series, GigabitEthernet2/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 192.168.2.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0819-a6ce-7d4d
Last physical up time   : 2012-07-30 11:23:29
Last physical down time : 2012-07-30 11:09:17
Current system time: 2012-07-30 15:01:02
Port Mode: COMMON COPPER
Speed : 1000, Duplex: FULL, Mdi
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization  : 0.00%
Output bandwidth utilization : 0.00%
Compare the interface statistics of RouterB before and after you run the ping -s 80 10.1.2.1 command on RouterA. You can see that GigabitEthernet 1/0/0 of RouterB has sent five packets, that is, GigabitEthernet 1/0/0 of RouterB sent five ICMP reply packets to RouterA after receiving five ICMP requests from RouterA. RouterA therefore selected the next hop address 192.168.1.2 based on the PBR.
# Clear interface statistics on RouterB.
reset counters interface gigabitethernet 1/0/0
reset counters interface gigabitethernet 2/0/0
# View interface statistics on RouterB.
display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2012-07-30 11:23:24
Description:HUAWEI, AR Series, GigabitEthernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 192.168.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0819-a6ce-7d4c
Last physical up time   : 2012-07-30 11:23:24
Last physical down time : 2012-07-24 16:54:19
Current system time: 2012-07-30 16:04:14
Port Mode: COMMON COPPER
Speed : 1000, Duplex: FULL, Mdi
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization  : 0.00%
Output bandwidth utilization : 0.00%
display interface gigabitethernet 2/0/0
GigabitEthernet2/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2012-07-30 11:23:29
Description:HUAWEI, AR Series, GigabitEthernet2/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 192.168.2.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0819-a6ce-7d4d
Last physical up time   : 2012-07-30 11:23:29
Last physical down time : 2012-07-30 11:09:17
Current system time: 2012-07-30 16:04:19
Port Mode: COMMON COPPER
Speed : 1000, Duplex: FULL, Mdi
Output bandwidth utilization : 0.00%
# On RouterA, ping the IP address of Loopback0 on RouterB and set the packet length to 1401 bytes.
ping -s 1401 10.1.2.1
  PING 10.1.2.1: 1401 data bytes, press CTRL_C to break
    Reply from 10.1.2.1: bytes=1401 Sequence=1 ttl=255 time=1 ms
    Reply from 10.1.2.1: bytes=1401 Sequence=2 ttl=255 time=1 ms
    Reply from 10.1.2.1: bytes=1401 Sequence=3 ttl=255 time=1 ms
    Reply from 10.1.2.1: bytes=1401 Sequence=4 ttl=255 time=1 ms
    Reply from 10.1.2.1: bytes=1401 Sequence=5 ttl=255 time=2 ms

  --- 10.1.2.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/2 ms
# View interface statistics on RouterB.
display interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2012-07-30 11:23:24
Description:HUAWEI, AR Series, GigabitEthernet1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 192.168.1.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0819-a6ce-7d4c
Last physical up time   : 2012-07-30 11:23:24
Last physical down time : 2012-07-24 16:54:19
Current system time: 2012-07-30 16:04:50
Port Mode: COMMON COPPER
Speed : 1000, Duplex: FULL, Mdi
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization  : 0.01%
Output bandwidth utilization : 0.00%
display interface gigabitethernet 2/0/0
GigabitEthernet2/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2012-07-30 11:23:29
Description:HUAWEI, AR Series, GigabitEthernet2/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 192.168.2.2/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0819-a6ce-7d4d
Last physical up time   : 2012-07-30 11:23:29
Last physical down time : 2012-07-30 11:09:17
Current system time: 2012-07-30 16:04:55
Port Mode: COMMON COPPER
Speed : 1000,  Loopback: NONE
Duplex: FULL,  Negotiation: ENABLE
Mdi   : AUTO
Last 300 seconds input rate 200 bits/sec, 0 packets/sec
Input bandwidth utilization threshold : 100.00%
Output bandwidth utilization threshold: 100.00%
Input bandwidth utilization  : 0.00%
Output bandwidth utilization : 0.00%
Compare the interface statistics of RouterB before and after you run the ping -s 1401 10.1.2.1 command on RouterA. You can see that GigabitEthernet 2/0/0 of RouterB has sent five packets, that is, GigabitEthernet 2/0/0 of RouterB sent five ICMP reply packets to RouterA after receiving the ICMP requests from RouterA. RouterA therefore selected the next hop address 192.168.2.2 based on the PBR.
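The verification above only shows the two lengths 80 and 1401. The Python model below (added here; it is not Huawei code and not from the training material) walks through the node evaluation of policy lab1 for any ping size and shows where the boundaries actually fall. It assumes that if-match packet-length is compared against the IP total length, that a ping with -s N bytes produces an IP packet of 20 + 8 + N bytes (no IP options), and that a packet matching no node or matching a deny node is forwarded by ordinary destination routing over RouterA's two static routes.

```python
from dataclasses import dataclass
from typing import List, Optional

IP_HEADER_LEN = 20     # IPv4 header without options (assumption)
ICMP_HEADER_LEN = 8    # ICMP echo request header


@dataclass(frozen=True)
class PbrNode:
    """One 'policy-based-route <name> permit|deny node <n>' with packet-length match and next hop."""
    node_id: int
    action: str                 # "permit" or "deny"
    min_len: int                # if-match packet-length <min> <max>
    max_len: int
    next_hop: Optional[str]     # apply ip-address next-hop (None on a deny node)


# Constructed from the example above: policy lab1 on RouterA.
LAB1 = [PbrNode(10, "permit", 64, 1400, "192.168.1.2"),
        PbrNode(20, "permit", 1401, 1500, "192.168.2.2")]

# RouterA's two static routes to 10.1.2.0/24: ordinary routing load-balances over both.
ROUTER_A_ROUTES_TO_10_1_2_0 = ["192.168.1.2", "192.168.2.2"]


def ip_total_length_of_ping(data_bytes: int) -> int:
    """IP total length of a locally generated 'ping -s <data_bytes>' packet."""
    return IP_HEADER_LEN + ICMP_HEADER_LEN + data_bytes


def local_pbr_next_hop(policy: List[PbrNode], ip_total_length: int) -> Optional[str]:
    """Return the PBR next hop, or None when the packet falls through to destination routing.
    Nodes are tried in ascending node order; the first node whose length range contains the
    packet decides. A deny node (or no matching node) leaves the packet to the routing table."""
    for node in sorted(policy, key=lambda n: n.node_id):
        if node.min_len <= ip_total_length <= node.max_len:
            return node.next_hop if node.action == "permit" else None
    return None


def forwarding_decision(policy: List[PbrNode], ping_data_bytes: int,
                        routing_table: List[str]) -> List[str]:
    """Next hop(s) RouterA uses for 'ping -s <ping_data_bytes> 10.1.2.1'."""
    hop = local_pbr_next_hop(policy, ip_total_length_of_ping(ping_data_bytes))
    return [hop] if hop is not None else list(routing_table)


if __name__ == "__main__":
    # 80 data bytes -> 108-byte IP packet -> node 10; 1401 -> 1429 bytes -> node 20.
    # Note the boundary: -s 1372 gives exactly 1400 bytes (node 10) and -s 1373 gives 1401 (node 20),
    # so the data size that switches links is not the 1400/1401 written in the policy.
    for size in (80, 1372, 1373, 1401, 1500, 30):
        print(f"ping -s {size:<5} IP length {ip_total_length_of_ping(size):<5} ->",
              forwarding_decision(LAB1, size, ROUTER_A_ROUTES_TO_10_1_2_0))
```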
Configuration Files

Configuration file of RouterA
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.2.1 255.255.255.0
#
interface LoopBack0
 ip address 10.1.1.1 255.255.255.0
#
ip route-static 10.1.2.0 255.255.255.0 192.168.1.2
ip route-static 10.1.2.0 255.255.255.0 192.168.2.2
#
policy-based-route lab1 permit node 10
 if-match packet-length 64 1400
 apply ip-address next-hop 192.168.1.2
policy-based-route lab1 permit node 20
 if-match packet-length 1401 1500
 apply ip-address next-hop 192.168.2.2
#
ip local policy-based-route lab1

Configuration file of RouterB
#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.2.2 255.255.255.0
#
interface LoopBack0
 ip address 10.1.2.1 255.255.255.0
#
ip route-static 10.1.1.0 255.255.255.0 192.168.1.1
ip route-static 10.1.1.0 255.255.255.0 192.168.2.1
6.3.4 Example for Configuring Interface PBR

Networking Requirements
As shown in Figure 6-3-4, two departments, VLAN 10 and VLAN 20, connect to GE1/0/0 and GE2/0/0 of RouterA. HOSTA at 192.168.1.2/24 and HOSTB at 192.168.1.3/24 belong to one department and are located on network segment 192.168.1.0/24. HOSTC at 192.168.2.2/24 and HOSTD at 192.168.2.3/24 belong to the other department and are located on network segment 192.168.2.0/24. RouterA can connect to the Internet through the link RouterA→RouterB→RouterD or RouterA→RouterC→RouterD. The requirements are as follows:
- Packets from the two departments reach the Internet through the two links when both links are running properly.
- When one link is faulty, packets from both departments are forwarded on the other link. This prevents a long service interruption.
- When the link fault is rectified, packets again reach the Internet through the two links.

Figure 6-3-4 Networking diagram of configuring interface PBR

Device    Interface   IP Address
RouterA   GE1/0/0     192.168.1.1/24
          GE2/0/0     192.168.2.1/24
          GE3/0/0     192.168.3.1/24
          GE4/0/0     192.168.4.1/24
RouterB   GE1/0/0     192.168.3.2/24
          GE2/0/0     192.168.5.2/24
RouterC   GE1/0/0     192.168.4.2/24
          GE2/0/0     192.168.6.2/24
RouterD   GE1/0/0     192.168.5.1/24
          GE2/0/0     192.168.6.1/24
          GE3/0/0     192.168.7.1/24

Configuration Roadmap
Association between redirection and an NQA test instance is used to implement PBR. The configuration roadmap is as follows:
1. Configure IP addresses and routing for the interfaces so that users can access the Internet through RouterA.
2. Configure NQA test instances to detect whether the links RouterA→RouterB→RouterD and RouterA→RouterC→RouterD are running properly.
3. Configure association between NQA and static routes so that traffic is switched to the other link when one link is faulty.
4. Configure traffic classifiers with matching rules based on the source IP address of packets.
5. Configure traffic behaviors in which redirection is associated with an NQA test instance. When the NQA test instance detects that the link RouterA→RouterB→RouterD is running properly, packets matching the traffic classifier are redirected to 192.168.3.2/24. When the NQA test instance detects that the link RouterA→RouterC→RouterD is running properly, packets matching the traffic classifier are redirected to 192.168.4.2/24.
6. Configure traffic policies, bind the traffic classifiers and traffic behaviors to the traffic policies, and apply the traffic policies to interfaces to implement interface PBR.

Procedure
1. Configure devices to communicate with each other.
# Configure IP addresses for all interfaces of the routers. This example describes the configuration on RouterA. The configurations of the other devices are similar to that of RouterA. For details, see the corresponding configuration files.
system-view
[Huawei] sysname RouterA
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.1.1 24
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 192.168.2.1 24
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] ip address 192.168.3.1 24
[RouterA-GigabitEthernet3/0/0] quit
[RouterA] interface gigabitethernet 4/0/0
[RouterA-GigabitEthernet4/0/0] ip address 192.168.4.1 24
[RouterA-GigabitEthernet4/0/0] quit
NOTE: Configure SwitchA and SwitchB so that they can communicate with RouterA. # Configure static routes. [RouterA] ip route-static 192.168.7.0 255.255.255.0 192.168.3.2 [RouterA] ip route-static 192.168.7.0 255.255.255.0 192.168.4.2 [RouterA] ip route-static 192.168.5.0 255.255.255.0 192.168.3.2 [RouterA] ip route-static 192.168.6.0 255.255.255.0 192.168.4.2 [RouterB] ip route-static 192.168.7.0 255.255.255.0 192.168.5.1 [RouterB] ip route-static 192.168.1.0 255.255.255.0 192.168.3.1 [RouterB] ip route-static 192.168.2.0 255.255.255.0 192.168.3.1 [RouterC] ip route-static 192.168.7.0 255.255.255.0 192.168.6.1 [RouterC] ip route-static 192.168.1.0 255.255.255.0 192.168.4.1 [RouterC] ip route-static 192.168.2.0 255.255.255.0 192.168.4.1 [RouterD] ip route-static 192.168.1.0 255.255.255.0 192.168.5.2 [RouterD] ip route-static 192.168.1.0 255.255.255.0 192.168.6.2 [RouterD] ip route-static 192.168.2.0 255.255.255.0 192.168.6.2 [RouterD] ip route-static 192.168.2.0 255.255.255.0 192.168.5.2 [RouterD] ip route-static 192.168.3.0 255.255.255.0 192.168.5.2 [RouterD] ip route-static 192.168.4.0 255.255.255.0 192.168.6.2 2.
Configure NQA test instances. # Configure an NQA test instance on RouterA. [RouterA] nqa test-instance admin vlan10 [RouterA-nqa-admin-vlan10] test-type icmp [RouterA-nqa-admin-vlan10] destination-address ipv4 192.168.5.1 [RouterA-nqa-admin-vlan10] frequency 10 [RouterA-nqa-admin-vlan10] probe-count 2 [RouterA-nqa-admin-vlan10] start now [RouterA-nqa-admin-vlan10] quit [RouterA] nqa test-instance admin vlan20 [RouterA-nqa-admin-vlan20] test-type icmp [RouterA-nqa-admin-vlan20] destination-address ipv4 192.168.6.1 [RouterA-nqa-admin-vlan20] frequency 10 [RouterA-nqa-admin-vlan20] probe-count 2 [RouterA-nqa-admin-vlan20] start now [RouterA-nqa-admin-vlan20] quit
2016-1-11
Huawei Confidential
Page 302 of 1210
HCIE-R&S Material
Confidentiality Level
# Configure a NQA test instance on RouterD. [RouterD] nqa test-instance admin vlan10 [RouterD-nqa-admin-vlan10] test-type icmp [RouterD-nqa-admin-vlan10] destination-address ipv4 192.168.3.1 [RouterD-nqa-admin-vlan10] frequency 10 [RouterD-nqa-admin-vlan10] probe-count 2 [RouterD-nqa-admin-vlan10] start now [RouterD-nqa-admin-vlan10] quit [RouterD] nqa test-instance admin vlan20 [RouterD-nqa-admin-vlan20] test-type icmp [RouterD-nqa-admin-vlan20] destination-address ipv4 192.168.4.1 [RouterD-nqa-admin-vlan20] frequency 10 [RouterD-nqa-admin-vlan20] probe-count 2 [RouterD-nqa-admin-vlan20] start now [RouterD-nqa-admin-vlan20] quit 3.
Configure association between NQA and static routes. # Configure association between NQA and static routes on RouterA. [RouterA] ip route-static 192.168.7.1 255.255.255.0 192.168.3.2 track nqa admin vlan10 [RouterA] ip route-static 192.168.7.1 255.255.255.0 192.168.4.2 track nqa admin vlan20 [RouterA] quit # Configure association between NQA and static routes on RouterD. [RouterD] ip route-static 192.168.1.0 255.255.255.0 192.168.5.2 track nqa admin vlan10 [RouterD] ip route-static 192.168.1.0 255.255.255.0 192.168.6.2 track nqa admin vlan20 [RouterD] ip route-static 192.168.2.0 255.255.255.0 192.168.5.2 track nqa admin vlan10 [RouterD] ip route-static 192.168.2.0 255.255.255.0 192.168.6.2 track nqa admin vlan20 [RouterD] quit
4.
Configure traffic classifiers. # Create traffic classifiers vlan10 and vlan20 on RouterA to match packets with source IP addresses on network segments 192.168.1.0/24 and 192.168.2.0/24. [RouterA] acl number 2000 [RouterA-acl-basic-2000] rule 10 permit source 192.168.1.0 0.0.0.255 [RouterA-acl-basic-2000] quit [RouterA] acl number 2001 [RouterA-acl-basic-2001] rule 20 permit source 192.168.2.0 0.0.0.255 [RouterA-acl-basic-2001] quit
2016-1-11
Huawei Confidential
Page 303 of 1210
HCIE-R&S Material
Confidentiality Level
[RouterA] traffic classifier vlan10 [RouterA-classifier-vlan10] if-match acl 2000 [RouterA-classifier-vlan10] quit [RouterA] traffic classifier vlan20 [RouterA-classifier-vlan20] if-match acl 2001 [RouterA-classifier-vlan20] quit # Create traffic classifiers vlan10 and vlan20 on RouterD to match packets with destination IP addresses on network segments 192.168.1.0/24 and 192.168.2.0/24. [RouterD] acl number 3000 [RouterD-acl-adv-3000] rule 10 permit ip destination 192.168.1.0 0.0.0.255 [RouterD-acl-adv-3000] quit [RouterD] acl number 3001 [RouterD-acl-adv-3001] rule 20 permit ip destination 192.168.2.0 0.0.0.255 [RouterD-acl-adv-3001] quit [RouterD] traffic classifier vlan10 [RouterD-classifier-vlan10] if-match acl 3000 [RouterD-classifier-vlan10] quit [RouterD] traffic classifier vlan20 [RouterD-classifier-vlan20] if-match acl 3001 [RouterD-classifier-vlan20] quit 5.
Configure traffic behaviors.
# Create traffic behavior vlan10 on RouterA and associate the NQA test instance admin vlan10 with redirection to the next hop 192.168.3.2/24. When the NQA test instance detects that the link is running properly, redirection takes effect. When the NQA test instance detects a link fault, packets are forwarded along the original path.
[RouterA] traffic behavior vlan10
[RouterA-behavior-vlan10] redirect ip-nexthop 192.168.3.2 track nqa admin vlan10
[RouterA-behavior-vlan10] quit
# Create traffic behavior vlan20 on RouterA and associate the NQA test instance admin vlan20 with redirection to the next hop 192.168.4.2/24. When the NQA test instance detects that the link is running properly, redirection takes effect. When the NQA test instance detects a link fault, packets are forwarded along the original path.
[RouterA] traffic behavior vlan20
[RouterA-behavior-vlan20] redirect ip-nexthop 192.168.4.2 track nqa admin vlan20
[RouterA-behavior-vlan20] quit
# Create traffic behavior vlan10 on RouterD and associate the NQA test instance admin vlan10 with redirection to the next hop 192.168.5.2/24. When the NQA test instance detects that the link is running properly, redirection takes effect. When the NQA test instance detects a link fault, packets are forwarded along the original path.
[RouterD] traffic behavior vlan10
[RouterD-behavior-vlan10] redirect ip-nexthop 192.168.5.2 track nqa admin vlan10
[RouterD-behavior-vlan10] quit
# Create traffic behavior vlan20 on RouterD and associate the NQA test instance admin vlan20 with redirection to the next hop 192.168.6.2/24. When the NQA test instance detects that the link is running properly, redirection takes effect. When the NQA test instance detects a link fault, packets are forwarded along the original path.
[RouterD] traffic behavior vlan20
[RouterD-behavior-vlan20] redirect ip-nexthop 192.168.6.2 track nqa admin vlan20
[RouterD-behavior-vlan20] quit
2016-1-11
Huawei Confidential
Page 304 of 1210
HCIE-R&S Material
Confidentiality Level
6. Configure traffic policies and apply the traffic policies.
# Create traffic policies vlan10 and vlan20 on RouterA and bind the traffic classifier and the traffic behavior to each traffic policy.
[RouterA] traffic policy vlan10
[RouterA-trafficpolicy-vlan10] classifier vlan10 behavior vlan10
[RouterA-trafficpolicy-vlan10] quit
[RouterA] traffic policy vlan20
[RouterA-trafficpolicy-vlan20] classifier vlan20 behavior vlan20
[RouterA-trafficpolicy-vlan20] quit
# Apply the traffic policy vlan10 to GE1/0/0 in the inbound direction and the traffic policy vlan20 to GE2/0/0 in the inbound direction.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] traffic-policy vlan10 inbound
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] traffic-policy vlan20 inbound
[RouterA-GigabitEthernet2/0/0] quit
# Create traffic policy vlan10 on RouterD and bind the traffic classifiers and the traffic behaviors to the traffic policy.
[RouterD] traffic policy vlan10
[RouterD-trafficpolicy-vlan10] classifier vlan10 behavior vlan10
[RouterD-trafficpolicy-vlan10] classifier vlan20 behavior vlan20
[RouterD-trafficpolicy-vlan10] quit
# Apply the traffic policy vlan10 to GE3/0/0 in the inbound direction.
interface GigabitEthernet1/0/0
 ip address 192.168.5.1 255.255.255.0
interface GigabitEthernet2/0/0
 ip address 192.168.6.1 255.255.255.0
interface GigabitEthernet3/0/0
 ip address 192.168.7.1 255.255.255.0
 traffic-policy vlan10 inbound
#
ip route-static 192.168.1.0 255.255.255.0 192.168.5.2 track nqa admin vlan10
ip route-static 192.168.1.0 255.255.255.0 192.168.6.2 track nqa admin vlan20
ip route-static 192.168.2.0 255.255.255.0 192.168.5.2 track nqa admin vlan10
ip route-static 192.168.2.0 255.255.255.0 192.168.6.2 track nqa admin vlan20
ip route-static 192.168.3.0 255.255.255.0 192.168.5.2
ip route-static 192.168.4.0 255.255.255.0 192.168.6.2
#
return
Chapter 7 VLAN
7.1 Basic Concepts of VLAN
7.1.1 VLAN frame format
A conventional Ethernet frame is encapsulated with the Length/Type field for an upper-layer protocol following the Destination address and Source address fields, as shown in Figure 7-1-1.
Figure 7-1-1 Conventional Ethernet frame format
IEEE 802.1Q is an Ethernet networking standard for a specified Ethernet frame format. It adds a 4-byte field between the Source address and the Length/Type fields of the original frame, as shown in Figure 7-1-2.
Figure 7-1-2 802.1Q frame format
Table 7-1-1 describes the fields contained in an 802.1Q tag.
Table 7-1-1 Fields contained in an 802.1Q tag
Field | Length | Name | Description
TPID | 2 bytes | Tag Protocol Identifier (TPID), indicating the frame type. | The value 0x8100 indicates an 802.1Q-tagged frame. If an 802.1Q-incapable device receives an 802.1Q frame, it will discard the frame.
PRI | 3 bits | Priority (PRI), indicating the frame priority. | The value ranges from 0 to 7. The greater the value, the higher the priority. These values can be used to prioritize different classes of traffic to ensure that frames with high priorities are transmitted first when traffic is heavy.
CFI | 1 bit | Canonical Format Indicator (CFI), indicating whether the MAC address is in canonical format. | If the value is 0, the MAC address is in the canonical format. CFI is used to ensure compatibility between Ethernet networks and Token Ring networks. It is always set to zero for Ethernet switches.
VID | 12 bits | VLAN ID (VID), indicating the VLAN to which the frame belongs. | VLAN IDs range from 0 to 4095. The values 0 and 4095 are reserved, and therefore VLAN IDs range from 1 to 4094.
Each frame sent by an 802.1Q-capable switch carries a VLAN ID. In a VLAN, Ethernet frames are classified into the following types:
Tagged frames: frames with 4-byte 802.1Q tags.
Untagged frames: frames without 4-byte 802.1Q tags.
7.1.2 Link Types
As shown in Figure 7-1-3, there are the following types of VLAN links:
Access link: connects a host to a switch. Generally, a host does not know which VLAN it belongs to, and host hardware cannot distinguish frames with VLAN tags. Therefore, hosts send and receive only untagged frames.
Trunk link: connects a switch to another switch or to a router. Data of different VLANs are transmitted along a trunk link. The two ends of a trunk link must be able to distinguish frames with VLAN tags. Therefore, only tagged frames are transmitted along trunk links.
Figure 7-1-3 Link types
NOTE:
A host does not need to know the VLAN to which it belongs. It sends only untagged frames.
After receiving an untagged frame from a host, a switching device determines the VLAN to which the frame belongs. The determination is based on the configured VLAN assignment method such as port information, and then the switching device processes the frame accordingly.
If the frame needs to be forwarded to another switching device, the frame must be transparently transmitted along a trunk link. Frames transmitted along trunk links must carry VLAN tags to allow other switching devices to properly forward the frame based on the VLAN information.
Before sending the frame to the destination host, the switching device connected to the destination host removes the VLAN tag from the frame to ensure that the host receives an untagged frame.
Generally, only tagged frames are transmitted on trunk links; only untagged frames are transmitted on access links. In this manner, switching devices on the network can properly process VLAN information and hosts are not concerned about VLAN information.
7.1.3 Port Types
After 802.1Q defines VLAN frames, some ports on a device can identify VLAN frames, while others cannot. According to whether VLAN frames can be identified, ports are classified into four types:
Access port: As shown in Figure 7-1-3, the access port on a switch connects to the port on a host. The access port can only connect to an access link. Only the VLAN whose ID is the same as the default VLAN ID is allowed on the access port. Ethernet frames sent from the access port are untagged frames.
Trunk port: As shown in Figure 7-1-3, a trunk port on a switch connects to another switch. It can only connect to a trunk link. Multiple tagged VLAN frames are allowed on the trunk port.
Hybrid port: As shown in Figure 7-1-4, a hybrid port on a switch can connect either to a host or to another switch. A hybrid port can connect either to an access link or to a trunk link. The hybrid port allows multiple VLAN frames and removes tags from some VLAN frames on the outbound port.
Figure 7-1-4 Port types
QinQ port: QinQ ports are enabled with the IEEE 802.1 QinQ protocol. A QinQ port adds a tag to a single-tagged frame and supports a maximum of 4094 x 4094 VLAN tags (different products support different specifications), which meets the requirement for the VLAN quantity. Figure 7-1-5 shows the format of a QinQ frame. The outer tag, usually called the public tag, carries the public VLAN ID. The inner tag, usually called the private tag, carries the private VLAN ID.
Figure 7-1-5 Format of a QinQ frame
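The tag layout of Table 7-1-1 and the stacked-tag QinQ format of Figure 7-1-5 can be checked directly against frame bytes. The following Python parser is an added example, not code from the Huawei material: it walks the Ethernet header, extracts PRI, CFI and VID from every tag it finds (outer tag first), flags the reserved VIDs 0 and 4095, and labels the frame untagged, tagged or double-tagged. The material names only TPID 0x8100; accepting 0x88A8 as an outer (public) tag, the MAC addresses and the payload are assumptions made for the example.

```python
import struct

TPID_8021Q = 0x8100    # 802.1Q tag, the value Table 7-1-1 gives
TPID_8021AD = 0x88A8   # 802.1ad service tag, often used as the outer (public) QinQ tag
                       # (assumption: the material names only 0x8100; both values are accepted here)
VLAN_TPIDS = {TPID_8021Q, TPID_8021AD}


def parse_tci(tci):
    """Split the 16-bit Tag Control Information into PRI (3 bits), CFI (1 bit) and VID (12 bits)."""
    vid = tci & 0x0FFF
    return {"pri": tci >> 13, "cfi": (tci >> 12) & 1, "vid": vid,
            # VID 0 and 4095 are reserved, so a usable VLAN ID is 1-4094
            "reserved": vid in (0, 4095)}


def parse_frame(frame):
    """Walk the Ethernet header and collect every stacked VLAN tag (outer tag first)."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than a minimal Ethernet header")
    offset, tags = 12, []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("truncated frame: Ethertype missing")
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
        if ethertype not in VLAN_TPIDS:
            break                                   # reached the Length/Type of the payload
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tag = parse_tci(struct.unpack("!H", frame[offset + 2:offset + 4])[0])
        tag["tpid"] = ethertype
        tags.append(tag)
        offset += 4                                 # each tag is 4 bytes: TPID + TCI
    kind = {0: "untagged", 1: "tagged", 2: "double-tagged"}.get(len(tags), "stacked")
    return {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"), "kind": kind,
            "tags": tags, "ethertype": ethertype, "payload": frame[offset + 2:]}


def build_frame(dst, src, tags, ethertype, payload):
    """Build a constructed test frame; tags is a list of (tpid, pri, cfi, vid), outer tag first."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for tpid, pri, cfi, vid in tags:
        out += struct.pack("!HH", tpid, (pri << 13) | (cfi << 12) | (vid & 0x0FFF))
    return out + struct.pack("!H", ethertype) + payload


# Constructed sample frames: addresses and payload are made up for the example.
DST, SRC = "ff:ff:ff:ff:ff:ff", "00:e0:fc:12:34:56"
PAYLOAD = b"\x45" + b"\x00" * 45
SAMPLES = {
    "untagged": build_frame(DST, SRC, [], 0x0800, PAYLOAD),
    "tagged": build_frame(DST, SRC, [(TPID_8021Q, 5, 0, 100)], 0x0800, PAYLOAD),
    "qinq": build_frame(DST, SRC, [(TPID_8021AD, 0, 0, 200), (TPID_8021Q, 3, 0, 10)], 0x0800, PAYLOAD),
    "reserved": build_frame(DST, SRC, [(TPID_8021Q, 0, 0, 4095)], 0x0800, PAYLOAD),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        parsed = parse_frame(raw)
        print(name, parsed["kind"],
              [(hex(t["tpid"]), t["pri"], t["cfi"], t["vid"]) for t in parsed["tags"]])
```

The loop stops at the first Ethertype that is not a VLAN TPID, which is exactly how an 802.1Q-incapable device sees the frame: to it, 0x8100 is an unknown Length/Type value, which is why Table 7-1-1 says such a device discards the frame.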
7.1.4 Default VLAN Each port can be configured with a default VLAN with a port default VLAN ID (PVID). The meaning of the default VLAN varies according to the port type.
7.2 VLAN Assignment
VLANs can be assigned based on ports, MAC addresses, IP subnets, network protocols, and matching policies. Table 7-2-1 describes the differences between VLAN assignment modes.
Table 7-2-1 Differences between VLAN assignment modes
VLAN Assignment Mode | Principle | Advantage | Disadvantage
VLAN assignment based on port numbers | In this mode, VLANs are classified based on the numbers of ports on a switching device. The network administrator configures a port default VLAN ID (PVID), that is, the default VLAN ID, for each port on the switching device; that is, a port belongs to a VLAN by default. When a data frame reaches a port, it is marked with the PVID if the data frame carries no VLAN tag and the port is configured with a PVID. If the data frame carries a VLAN tag, the switching device will not add a VLAN tag to the data frame even if the port is configured with a PVID. Different types of ports process VLAN frames in different manners. | It is simple to define VLAN members. | VLAN members must be re-configured when they change locations.
VLAN assignment based on MAC addresses | In this mode, VLANs are classified based on the MAC addresses of network interface cards (NICs). The network administrator configures the mappings between MAC addresses and VLAN IDs. In this case, when a switching device receives an untagged packet, it searches the MAC-VLAN table for a VLAN tag to be added to the packet according to the MAC address of the packet. | When the physical locations of users change, you do not need to re-configure VLANs for the users. This improves the security of users and increases the flexibility of user access. | This mode is applicable only to a simple networking environment where the NIC seldom changes. In addition, all members on the network must be pre-defined.
VLAN assignment based on IP subnets | When receiving an untagged packet, a switching device adds a VLAN tag to the packet based on the IP address of the packet. | Packets sent from specified network segments or IP addresses are transmitted in specific VLANs. This decreases the burden on the network administrator and facilitates management. | This mode is applicable to a networking environment where users are distributed in an orderly manner and multiple users are on the same network segment.
VLAN assignment based on protocols | VLAN IDs are allocated to packets received on an interface according to the protocol (suite) type and encapsulation format of the packets. The network administrator configures the mappings between types of protocols and VLAN IDs. In this case, when a switching device receives an untagged packet, it searches the Protocol-VLAN table for a VLAN tag to be added to the packet according to the protocol of the packet. | The classification of VLANs based on protocols binds the type of services to VLANs. This facilitates management and maintenance. | The network administrator must initially configure the mappings between types of protocols and VLAN IDs. The switch needs to analyze protocol address formats and convert between them. This slows down switch response.
VLAN assignment based on policies (MAC addresses, IP addresses, and interfaces) | In this mode, VLANs are classified based on MAC addresses and IP addresses configured on switches and associated with VLANs. Only users matching a policy can be added to a specific VLAN. After users are added to the VLAN, if their IP addresses or MAC addresses are changed, they no longer belong to the VLAN. | Policy-based VLAN assignment is of high security. | Each policy needs to be manually configured. Do not change the MAC addresses or IP addresses of users that have been added to VLANs based on MAC addresses and IP addresses. Compared with other VLAN assignment modes, MAC address and IP address-based VLAN assignment has the highest priority.
If the switch supports multiple VLAN assignment modes, the priority, in descending order, is: policy-based VLAN assignment, MAC address-based VLAN assignment, IP subnet-based VLAN assignment, protocol-based VLAN assignment, and port-based VLAN assignment.
MAC address-based VLAN assignment and IP subnet-based VLAN assignment have the same priority. By default, MAC address-based VLAN assignment is preferentially adopted. Alternatively, you can run commands to change priorities of these two VLAN assignment modes to select a VLAN assignment mode.
Port-based VLAN assignment has the lowest priority and is the most common VLAN assignment mode.
Policy-based VLAN assignment has the highest priority and is the least useful VLAN assignment mode.
Figure 7-2-1 shows the process of classifying VLANs.
Figure 7-2-1 Process of assigning VLANs
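The precedence rules above (policy first, then MAC address and IP subnet at equal priority with MAC preferred by default, then protocol, then port) can be written down as a small classifier that decides the VLAN of an untagged frame and leaves a tagged frame alone. The following Python class is an added example, not part of the material: the port names, MAC addresses, subnet and Ethertype mappings are constructed, and falling back to PVID 1 on a port with no explicit PVID is an assumption.

```python
from ipaddress import ip_address, ip_network


class VlanClassifier:
    """Chooses the VLAN for an untagged frame with the precedence the material gives:
    policy > MAC address = IP subnet > protocol > port, MAC before subnet unless swapped."""

    def __init__(self, mac_before_subnet=True):
        self.policy = {}     # (MAC, IP, port) -> VLAN
        self.mac = {}        # MAC -> VLAN
        self.subnet = {}     # ip_network -> VLAN
        self.protocol = {}   # Ethertype -> VLAN
        self.pvid = {}       # port -> PVID
        middle = ["mac", "subnet"] if mac_before_subnet else ["subnet", "mac"]
        self.order = ["policy", *middle, "protocol", "port"]

    def add_subnet(self, cidr, vlan):
        self.subnet[ip_network(cidr)] = vlan

    def classify(self, port, src_mac, src_ip, ethertype, tag_vid=None):
        """Returns (mode, vlan). A frame that already carries a tag keeps it, whatever the PVID."""
        if tag_vid is not None:
            return ("tag", tag_vid)
        ip = ip_address(src_ip) if src_ip else None
        for mode in self.order:
            if mode == "policy":
                vid = self.policy.get((src_mac, src_ip, port))
            elif mode == "mac":
                vid = self.mac.get(src_mac)
            elif mode == "subnet":
                vid = next((v for net, v in self.subnet.items() if ip is not None and ip in net), None)
            elif mode == "protocol":
                vid = self.protocol.get(ethertype)
            else:
                vid = self.pvid.get(port, 1)   # every port has a PVID; 1 as the default is an assumption
            if vid is not None:
                return (mode, vid)
        return (None, None)   # not reached: the port mode always answers


def build_demo_classifier(mac_before_subnet=True):
    """Constructed mappings: ports, MACs, subnet and Ethertype are made up for the example."""
    c = VlanClassifier(mac_before_subnet)
    c.pvid["GE0/0/1"] = 10
    c.mac["00:e0:fc:00:00:01"] = 20
    c.add_subnet("10.1.0.0/16", 30)
    c.protocol[0x86DD] = 40                                   # IPv6 frames
    c.policy[("00:e0:fc:00:00:02", "10.1.0.5", "GE0/0/1")] = 50
    return c


if __name__ == "__main__":
    c = build_demo_classifier()
    # MAC wins over subnet by default, even though 10.1.0.5 also matches the subnet rule
    print(c.classify("GE0/0/1", "00:e0:fc:00:00:01", "10.1.0.5", 0x0800))
    print(build_demo_classifier(mac_before_subnet=False)
          .classify("GE0/0/1", "00:e0:fc:00:00:01", "10.1.0.5", 0x0800))
```

The only knob is the order list: swapping "mac" and "subnet" is the equivalent of the command the material mentions for changing the relative priority of those two modes, and port-based assignment sits last precisely because it always produces an answer.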
7.3 Principle of VLAN Communication
7.3.1 Basic Principle of VLAN Communication
To improve the efficiency in processing frames, frames within a switch all carry VLAN tags for uniform processing. When a data frame reaches a port of the switch, if the frame carries no VLAN tag and the port is configured with a PVID, the frame is marked with the port's PVID. If the frame has a VLAN tag, the switch will not mark a VLAN tag for the frame regardless of whether the port is configured with a PVID. The switch processes frames differently according to the type of port receiving the frames. The following describes the frame processing according to the port type.
Table 7-3-1 Frame processing based on the port type
Port Type | Untagged Frame Processing | Tagged Frame Processing | Frame Transmission
Access port | Accepts an untagged frame and adds a tag with the default VLAN ID to the frame. | Accepts the tagged frame if the frame's VLAN ID matches the default VLAN ID. Discards the tagged frame if the frame's VLAN ID differs from the default VLAN ID. | After the PVID tag is stripped, the frame is transmitted.
Trunk port | Adds a tag with the default VLAN ID to the untagged frame and then transmits it if the default VLAN ID is permitted by the port. Adds a tag with the default VLAN ID to the untagged frame and then discards it if the default VLAN ID is denied by the port. | Accepts the tagged frame if the frame's VLAN ID is permitted by the port. Discards the tagged frame if the frame's VLAN ID is denied by the port. | If the frame's VLAN ID matches the default VLAN ID and the VLAN ID is permitted by the port, the switch removes the tag and transmits the frame. If the frame's VLAN ID differs from the default VLAN ID, but the VLAN ID is still permitted by the port, the switch will directly transmit the frame.
Hybrid port | Adds a tag with the default VLAN ID to an untagged frame and accepts the frame if the port permits the default VLAN ID. Adds a tag with the default VLAN ID to an untagged frame and discards the frame if the port denies the default VLAN ID. | Accepts a tagged frame if the VLAN ID carried in the frame is permitted by the port. Discards a tagged frame if the VLAN ID carried in the frame is denied by the port. | If the frame's VLAN ID is permitted by the port, the frame is transmitted. The port can be configured whether to transmit frames with tags.
QinQ port | QinQ ports are enabled with the IEEE 802.1 QinQ protocol. A QinQ port adds a tag to a single-tagged frame, and supports a maximum of 4094 x 4094 VLAN tags (different products support different specifications), which meets the requirement on the number of VLANs.
7.3.2 Intra-VLAN Communication
Sometimes VLAN hosts are connected to different switches, in which case the VLAN spans multiple switches. Since ports between these switches must recognize and send packets belonging to the VLAN, the trunk link technology becomes helpful in simplifying this solution. The trunk link plays the following two roles:
Trunk line: The trunk link transparently transmits VLAN packets between switches.
Backbone line: The trunk link transmits packets belonging to multiple VLANs.
Figure 7-3-1 Trunk link communication
As shown in Figure 7-3-1, the trunk link between DeviceA and DeviceB must support both the intra-communication of VLAN 2 and the intra-communication of VLAN 3. Therefore, the ports at both ends of the trunk link must be configured to belong to both VLANs. That is, Port2 on DeviceA and Port1 on DeviceB must belong to both VLAN 2 and VLAN 3. Host A sends a frame to Host B in the following process:
1. The frame is first sent to Port4 on DeviceA.
2. A tag is added to the frame on Port4. The VID field of the tag is set to 2, that is, the ID of the VLAN to which Port4 belongs.
3. DeviceA queries its MAC address table for the MAC forwarding entry with the destination MAC address of Host B.
   If this entry exists, DeviceA sends the frame to the outbound interface Port2.
   If this entry does not exist, DeviceA sends the frame to all interfaces bound to VLAN 2 except for Port4.
4. Port2 sends the frame to DeviceB.
5. After receiving the frame, DeviceB queries its MAC address table for the MAC forwarding entry with the destination MAC address of Host B.
   If this entry exists, DeviceB sends the frame to the outbound interface Port3.
   If this entry does not exist, DeviceB sends the frame to all interfaces bound to VLAN 2 except for Port1.
6. Port3 sends the frame to Host B.
The intra-communication of VLAN 3 is similar, and is not described here.
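The ingress and egress rules of Table 7-3-1 together with the trunk forwarding steps above can be run as a small switch model: each port classifies an arriving frame (PVID for untagged frames, permitted-VLAN check for tagged ones), MAC learning is kept per VLAN, unknown unicast floods only to ports that carry that VLAN, and the outbound port decides whether the tag is stripped. The following Python is an added example, not code from the material; the port names follow Figure 7-3-1, while the MAC addresses, PVID 1 on the trunk ports and the permitted VLAN list {1, 2, 3} are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Port:
    name: str
    kind: str                      # "access", "trunk" or "hybrid"
    pvid: int                      # default VLAN ID of the port
    permitted: Set[int] = field(default_factory=set)   # VLANs the port may carry
    untagged: Set[int] = field(default_factory=set)    # VLANs the port sends without a tag

    def __post_init__(self):
        if self.kind == "access":          # an access port carries exactly its default VLAN, untagged
            self.permitted, self.untagged = {self.pvid}, {self.pvid}
        elif self.kind == "trunk":         # a trunk strips the tag only for its default VLAN
            self.untagged = {self.pvid}
        # a hybrid port keeps whatever permitted/untagged sets it was configured with


@dataclass
class Frame:
    dst: str
    src: str
    vid: Optional[int] = None      # None means the frame arrived untagged


def ingress(port, frame):
    """Ingress rules of Table 7-3-1: the VLAN the frame is classified into, or None if discarded."""
    vid = port.pvid if frame.vid is None else frame.vid   # untagged frames receive the PVID
    if port.kind == "access":
        return vid if vid == port.pvid else None          # a tagged frame must match the default VLAN
    return vid if vid in port.permitted else None         # trunk/hybrid: the VLAN must be permitted


def egress(port, vid):
    """Egress rules: "tagged"/"untagged" for how the frame leaves, or None if the port lacks the VLAN."""
    if vid not in port.permitted:
        return None
    return "untagged" if vid in port.untagged else "tagged"


class Switch:
    def __init__(self, name, ports):
        self.name = name
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}        # (vlan, mac) -> port name; learning is per VLAN

    def receive(self, in_port, frame):
        """Returns [(out_port, vlan, "tagged"/"untagged")] for a frame arriving on in_port."""
        vid = ingress(self.ports[in_port], frame)
        if vid is None:
            return []
        self.mac_table[(vid, frame.src)] = in_port
        known = self.mac_table.get((vid, frame.dst))
        # unknown unicast floods to every other port that carries the VLAN
        targets = [known] if known else [n for n in self.ports if n != in_port]
        out = []
        for name in targets:
            mode = egress(self.ports[name], vid)
            if mode is not None:
                out.append((name, vid, mode))
        return out


def build_devices():
    """Constructed topology after Figure 7-3-1: Port4/Port3 are access ports in VLAN 2,
    Port5/Port6 access ports in VLAN 3, Port2-Port1 the trunk between the devices."""
    device_a = Switch("DeviceA", [Port("Port4", "access", 2),
                                  Port("Port2", "trunk", 1, permitted={1, 2, 3}),
                                  Port("Port5", "access", 3)])
    device_b = Switch("DeviceB", [Port("Port1", "trunk", 1, permitted={1, 2, 3}),
                                  Port("Port3", "access", 2),
                                  Port("Port6", "access", 3)])
    return device_a, device_b


def demo():
    device_a, device_b = build_devices()
    host_a, host_b = "00:e0:fc:00:00:0a", "00:e0:fc:00:00:0b"   # constructed MACs
    step_a = device_a.receive("Port4", Frame(dst=host_b, src=host_a))            # untagged from Host A
    step_b = device_b.receive("Port1", Frame(dst=host_b, src=host_a, vid=2))     # tagged across the trunk
    reply = device_b.receive("Port3", Frame(dst=host_a, src=host_b))             # Host B answers: known unicast now
    wrong_tag = device_a.receive("Port4", Frame(dst=host_b, src=host_a, vid=3))  # VID 3 tag on an access port
    return step_a, step_b, reply, wrong_tag


if __name__ == "__main__":
    for label, result in zip(("DeviceA flood", "DeviceB flood", "DeviceB reply", "wrong tag"), demo()):
        print(label, result)
```

Two details are worth noticing in the output: the flood on DeviceA never reaches Port5 because the access port is in VLAN 3, and once DeviceB has learned Host A behind Port1 the reply is forwarded only there, tagged with VID 2 because the trunk's PVID is 1.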
7.3.3 Inter-VLAN Communication
After VLANs are configured, hosts in different VLANs cannot directly communicate with each other. To implement communication between VLANs, use either of the following methods:
Sub-interface: As shown in Figure 7-3-2, DeviceA is a Layer 3 switch supporting sub-interfaces, and DeviceB is a Layer 2 switch. The LANs are connected using the switched Ethernet interface on DeviceB and the routed Ethernet interface on DeviceA. User hosts are assigned to VLAN2 and VLAN3. To implement inter-VLAN communication, configure as follows:
On DeviceA, create two sub-interfaces Port1.1 and Port2.1 on the Ethernet interface connecting to DeviceB, and configure 802.1Q encapsulation on sub-interfaces corresponding to VLAN2 and VLAN3.
Configure IP addresses for sub-interfaces.
Set types of Ethernet interfaces connecting DeviceB and DeviceA to Trunk or Hybrid, to allow VLAN2 and VLAN3 frames.
Set the default gateway address to the IP address of the sub-interface mapping the VLAN to which the user host belongs.
Figure 7-3-2 Inter-VLAN communication using sub-interfaces
Host A communicates with Host C as follows:
Host A checks the IP address of Host C and determines that Host C is in another VLAN.
Host A sends an ARP request packet to DeviceA to request DeviceA's MAC address.
After receiving the ARP request packet, DeviceA returns an ARP reply packet in which the source MAC address is the MAC address of the sub-interface mapping VLAN2.
Host A obtains DeviceA's MAC address.
Host A sends a packet whose destination MAC address is the MAC address of the sub-interface and destination IP address is Host C's IP address to DeviceA.
After receiving the packet, DeviceA forwards the packet and detects that the route to Host C is a direct route. The packet is forwarded by the sub-interface mapping VLAN3.
Functioning as the gateway of hosts in VLAN3, DeviceA broadcasts an ARP packet requesting Host C's MAC address.
After receiving the packet, Host C returns an ARP reply packet.
After receiving the reply packet, DeviceA sends the packet from Host A to Host C. All packets sent from Host A to Host C are sent to DeviceA first to implement Layer 3 forwarding.
VLANIF interface: Layer 3 switching combines routing and switching techniques to implement routing on a switch, improving the overall performance of the network. After sending the first data flow, a Layer 3 switch generates a mapping table on which it records the mapping between the MAC address and the IP address for the data flow. If the switch needs to send the same data flow again, it directly
sends the data flow at Layer 2 based on the mapping table. In this manner, network delays caused by route selection are eliminated, and data forwarding efficiency is improved. In order for new data flows to be correctly forwarded, the routing table must have the correct routing entries. Therefore, VLANIF interfaces are used to configure routing protocols on Layer 3 switches to reach Layer 3 routes. A VLANIF interface is a Layer 3 logical interface, which can be configured on either a Layer 3 switch or a router. As shown in Figure 7-3-3, hosts connected to the switch are assigned to VLAN 2 and VLAN 3. To implement inter-VLAN communication, configure as follows:
Create two VLANIF interfaces on the device, and configure IP addresses for them.
Set the default gateway address to the IP address of the VLANIF interface mapping the VLAN to which the user host belongs.
Figure 7-3-3 Inter-VLAN communication through VLANIF interfaces
Host A communicates with Host C as follows:
Host A checks the IP address of Host C and determines that Host C is in another subnet.
Host A sends an ARP request packet to Device to request Device's MAC address.
After receiving the ARP request packet, Device returns an ARP reply packet in which the source MAC address is the MAC address of VLANIF2.
Host A obtains Device's MAC address.
Host A sends a packet whose destination MAC address is the MAC address of the VLANIF interface and destination IP address is Host C's IP address to Device.
After receiving the packet, Device forwards the packet and detects that the route to Host C is a direct route. The packet is forwarded by VLANIF3.
Functioning as the gateway of hosts in VLAN3, Device broadcasts an ARP packet requesting Host C's MAC address.
After receiving the packet, Host C returns an ARP reply packet.
After receiving the reply packet, Device sends the packet from Host A to Host C. All packets sent from Host A to Host C are sent to Device first to implement Layer 3 forwarding.
VLAN Switch: VLAN switch allows hosts in different VLANs to communicate with each other.
7.4 VLAN Aggregation
7.4.1 Background of VLAN Aggregation
VLAN is widely applied to switching networks because of its flexible control of broadcast domains and convenient deployment. On a Layer-3 switch, the interconnection between the broadcast domains is implemented using one VLAN to correspond to one Layer-3 logical interface. However, this can waste IP addresses. Figure 7-4-1 shows the VLAN division in the device.
Figure 7-4-1 Diagram of a common VLAN
Table 7-4-1 Example of Assigning Host Addresses on a common VLAN
VLAN | Sub-network | Gateway address | Number of available addresses | Number of available hosts | Practical requirements
2 | 1.1.1.0/28 | 1.1.1.1 | 14 | 13 | 10
3 | 1.1.1.16/29 | 1.1.1.17 | 6 | 5 | 5
4 | 1.1.1.24/30 | 1.1.1.25 | 2 | 1 | 1
As shown in Table 7-4-1, VLAN 2 requires 10 host addresses. The sub network 1.1.1.0/28 with a mask length of 28 bits is assigned to VLAN 2. 1.1.1.0 is the address of the sub network, and 1.1.1.15 is the directed broadcast address. These two addresses cannot serve as host addresses. In addition, as the default address of the network gateway of the sub network, 1.1.1.1 cannot be used as a host address. The other 13 addresses, ranging from 1.1.1.2 to 1.1.1.14, can be used by hosts. In this way, although VLAN 2 needs only ten addresses, 13 addresses need to be assigned to it according to the division of the sub network. VLAN 3 requires five host addresses. The sub network 1.1.1.16/29 with a mask length of 29 bits needs to be assigned to VLAN 3. VLAN 4 requires only one address. The sub network 1.1.1.24/30 with a mask length of 30 bits needs to be assigned to VLAN 4. In total, 16 (10+5+1) addresses are needed for all the preceding VLANs. However, 28 (16+8+4) addresses are needed according to the common VLAN addressing mode even if the optimal scheme is used. Nearly half of the addresses are wasted. In addition, if only three hosts instead of ten are later connected to VLAN 2, the extra addresses cannot be used by other VLANs and are wasted. This division is inconvenient for later network upgrade and expansion. Assume that two more hosts need to be added to VLAN 4, that VLAN 4 does not want to change the assigned IP addresses, and that the addresses after 1.1.1.24 have been assigned to others; then a new sub network with a mask length of 29 bits and a new VLAN need to be assigned for the new customers of VLAN 4. Therefore, the customers of VLAN 4 have only three hosts, but they are assigned to two sub networks and are not in the same VLAN. As a result, this is inconvenient for network management. In the above scheme, many IP addresses are used as the addresses of sub networks, directed broadcast addresses of sub networks, and default addresses of network gateways of sub networks. These IP addresses cannot be used as host addresses in the VLAN.
The limit on address assignation reduces the addressing flexibility, so that many idle addresses are wasted. To solve this problem, VLAN aggregation is used.
7.4.2 Principle The VLAN aggregation technology, also known as the super-VLAN, provides a mechanism that partitions the broadcast domain using multiple VLANs in a physical network so that different VLANs can belong to the same subnet. In VLAN aggregation, two concepts are involved, namely, super-VLAN and sub-VLAN.
Super-VLAN: It is different from the common VLAN. In the super-VLAN, only Layer 3 interfaces are created and physical ports are not contained. The super-VLAN can be viewed as a logical Layer 3 concept. It is a collection of many sub-VLANs.
Sub-VLAN: It is used to isolate broadcast domains. In the sub-VLAN, only physical ports are contained and Layer 3 VLAN interfaces cannot be created. The Layer 3 switching with the external network is implemented through the Layer 3 interface of the super-VLAN.
A super-VLAN can contain one or more sub-VLANs retaining different broadcast domains. The sub-VLAN does not occupy an independent subnet segment. In the same super-VLAN, IP addresses of hosts belong to the subnet segment of the super-VLAN, regardless of the mapping between hosts and sub-VLANs.
The same Layer 3 interface is shared by sub-VLANs. Some subnet IDs, default gateway addresses of the subnets, and directed broadcast addresses of the subnets are saved, and different broadcast domains can use the addresses in the same subnet segment. As a result, subnet differences are eliminated, addressing becomes flexible and idle addresses are reduced. Table 7-4-1 is used again to explain how this works. Suppose that user demands are unchanged: in VLAN 2, 10 host addresses are demanded; in VLAN 3, 5 host addresses are demanded; in VLAN 4, 1 host address is demanded. According to the implementation of VLAN aggregation, create VLAN 10 and configure VLAN 10 as a super-VLAN. Then assign a subnet address 1.1.1.0/24 with a mask length of 24 to VLAN 10; 1.1.1.0 is the subnet ID and 1.1.1.1 is the gateway address of the subnet, as shown in Figure 7-4-2. Address assignments of the sub-VLANs (VLAN 2, VLAN 3, and VLAN 4) are shown in Table 7-4-2.
Figure 7-4-2 Schematic diagram of VLAN aggregation
Table 7-4-2 Example for assigning Host addresses in VLAN aggregation mode
VLAN | Subnet | Gateway address | Number of available addresses | Number of available hosts | Practical requirements
2 | 1.1.1.0/24 | 1.1.1.1 | | 10 (1.1.1.2-1.1.1.11) | 10
3 | 1.1.1.0/24 | 1.1.1.1 | | 5 (1.1.1.12-1.1.1.16) | 5
4 | 1.1.1.0/24 | 1.1.1.1 | | 1 (1.1.1.17) | 1
In VLAN aggregation implementation, sub-VLANs are not divided according to the previous subnet borders. Instead, their addresses are flexibly assigned in the subnet corresponding to the super-VLAN according to the required number of hosts. As Table 7-4-2 shows, VLAN 2, VLAN 3, and VLAN 4 share a subnet (1.1.1.0/24), a default gateway address of the subnet (1.1.1.1), and a directed broadcast address of the subnet (1.1.1.255). In this manner, the subnet IDs (1.1.1.16, 1.1.1.24), the default gateways of the subnets (1.1.1.17, 1.1.1.25), and the directed broadcast addresses of the subnets (1.1.1.5, 1.1.1.23, and 1.1.1.24) can be used as IP addresses of hosts. In total, 16 addresses (10 + 5 + 1 = 16) are required for the three VLANs. In practice, in this subnet, a total of 16 addresses are assigned to the three VLANs (1.1.1.2 to 1.1.1.17). A total of 19 IP addresses are used, that is, the 16 host addresses together with the subnet ID (1.1.1.0), the default gateway of the subnet (1.1.1.1), and the directed broadcast address of the subnet (1.1.1.255). In the network segment, 236 addresses (255 - 19 = 236) are available, which can be used by any host in the sub-VLANs.
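The address arithmetic of Table 7-4-1 and Table 7-4-2 can be reproduced with Python's ipaddress module, which makes the saving easy to check for other host counts than 10, 5 and 1. The block below is an added example, not from the material: it carves one aligned subnet per VLAN out of 1.1.1.0/24 for the common-VLAN case (smallest subnet that still leaves room for the subnet ID, the directed broadcast and the gateway) and hands out consecutive host addresses after the single gateway for the super-VLAN case. The sequential carving order and the VLAN 10 super-VLAN numbering are assumptions taken from the tables.

```python
from ipaddress import ip_address, ip_network

# (VLAN, hosts needed) as in Table 7-4-1
REQUIREMENTS = [(2, 10), (3, 5), (4, 1)]


def smallest_prefix(hosts_needed):
    """Longest prefix whose block still holds hosts_needed hosts after removing
    the subnet ID, the directed broadcast and the gateway address."""
    prefix = 30
    while 2 ** (32 - prefix) - 3 < hosts_needed:
        prefix -= 1
    return prefix


def plan_common_vlans(base_cidr, requirements):
    """Common VLAN mode: one subnet per VLAN, carved sequentially and aligned to its size."""
    base = ip_network(base_cidr)
    cursor = int(base.network_address)
    rows = []
    for vlan, need in requirements:
        prefix = smallest_prefix(need)
        size = 2 ** (32 - prefix)
        cursor = (cursor + size - 1) // size * size          # align to the block size
        net = ip_network(f"{ip_address(cursor)}/{prefix}")
        rows.append({
            "vlan": vlan, "subnet": str(net),
            "gateway": str(net.network_address + 1),
            "broadcast": str(net.broadcast_address),
            "available": size - 2,      # minus subnet ID and directed broadcast
            "hosts": size - 3,          # minus the gateway as well
            "need": need,
        })
        cursor += size
    return rows


def plan_super_vlan(base_cidr, requirements):
    """VLAN aggregation: every sub-VLAN shares one subnet, one gateway and one broadcast."""
    base = ip_network(base_cidr)
    gateway = base.network_address + 1
    next_ip = gateway + 1
    rows = []
    for vlan, need in requirements:
        rows.append({"vlan": vlan, "subnet": str(base), "gateway": str(gateway),
                     "first": str(next_ip), "last": str(next_ip + need - 1), "hosts": need})
        next_ip += need
    return rows


def address_summary(common_rows, super_rows):
    """Addresses actually needed versus addresses consumed by each scheme."""
    needed = sum(r["need"] for r in common_rows)
    common_consumed = sum(r["available"] + 2 for r in common_rows)   # whole blocks are taken
    super_consumed = sum(r["hosts"] for r in super_rows) + 3         # hosts + ID + gateway + broadcast
    return {"needed": needed, "common_consumed": common_consumed, "super_consumed": super_consumed}


if __name__ == "__main__":
    common = plan_common_vlans("1.1.1.0/24", REQUIREMENTS)
    aggregated = plan_super_vlan("1.1.1.0/24", REQUIREMENTS)
    for row in common + aggregated:
        print(row)
    print(address_summary(common, aggregated))
```

With the material's three VLANs the summary reads 16 needed, 28 consumed by separate subnets and 19 consumed under the super-VLAN, matching the figures given in 7.4.1 and above.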
7.4.3 Communications between VLANs
Introduction: VLAN aggregation ensures that different VLANs use IP addresses in the same subnet segment. This, however, leads to the problem of Layer 3 forwarding between sub-VLANs. In common VLAN mode, the hosts of different VLANs can communicate with each other based on Layer 3 forwarding through their respective gateways. In VLAN aggregation mode, the hosts in a super-VLAN use IP addresses in the same network segment and share the same gateway address. The hosts in different sub-VLANs belong to the same subnet. Therefore, they communicate with each other based on Layer 2 forwarding, rather than Layer 3 forwarding through a gateway. In practice, hosts in different sub-VLANs are separated at Layer 2. As a result, sub-VLANs fail to communicate with each other. To solve the preceding problem, you can use ARP proxy.
Layer 3 Communications between Different Sub-VLANs
As shown in Figure 7-4-3, the super-VLAN, namely VLAN 10, contains the sub-VLANs VLAN 2 and VLAN 3.
Figure 7-4-3 Networking diagram of Layer 3 communications between different sub-VLANs based on ARP proxy
Suppose that the ARP table of Host A has no corresponding entry of Host B, and the gateway is enabled with the ARP proxy between sub-VLANs. Then the communication process between Host A in VLAN 2 and Host B in VLAN 3 is as follows:
1. After comparing the IP address of Host B, 1.1.1.3, with its own IP address, Host A finds that both IP addresses are in the same network segment 1.1.1.0/24, and that its ARP table has no corresponding entry of Host B.
2. Host A initiates an ARP broadcast to request the MAC address of Host B.
3. Host B is not in the broadcast domain of VLAN 2, and cannot receive the ARP request.
4. The gateway is enabled with the ARP proxy between sub-VLANs. Therefore, after receiving the ARP request from Host A, the gateway finds that the IP address of Host B, 1.1.1.3, is the IP address of a directly-connected interface. Then the gateway initiates an ARP broadcast to all the other sub-VLAN interfaces to request the MAC address of Host B.
5. After receiving the ARP request, Host B offers an ARP response.
6. After receiving the ARP response from Host B, the gateway replies to Host A with its own MAC address.
7. The ARP tables in both the gateway and Host A now have the corresponding entries for Host B.
8. To send packets to Host B, Host A first sends packets to the gateway, and then the gateway performs Layer 3 forwarding.
The process in which Host B sends packets to Host A is the same, and is not described here.
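The two ARP exchanges on this page, the VLANIF/sub-interface case of 7.3.3 (hosts in different subnets, so the sender ARPs for its gateway, which then ARPs on the VLAN of the target) and the ARP-proxy case just described (hosts in one subnet but different sub-VLANs, so the broadcast never reaches the target and the gateway answers on its behalf), can be modelled by one small simulation. The following Python is an added example, not code from the material: Host B at 1.1.1.3 and the 1.1.1.0/24 super-VLAN subnet come from Figure 7-4-3, while Host A and Host C addresses, the MAC addresses and the VLANIF subnets 10.0.2.0/24 and 10.0.3.0/24 used for the 7.3.3 case are constructed.

```python
from ipaddress import ip_address, ip_interface


class Host:
    def __init__(self, name, ip_with_prefix, mac, vlan):
        self.name, self.mac, self.vlan = name, mac, vlan
        self.iface = ip_interface(ip_with_prefix)
        self.arp = {}                  # IP string -> MAC the host will use as destination


class L3Interface:
    """A VLANIF or sub-interface serves one VLAN; a super-VLAN interface serves all its sub-VLANs."""
    def __init__(self, ip_with_prefix, vlans):
        self.iface = ip_interface(ip_with_prefix)
        self.vlans = set(vlans)


class Gateway:
    def __init__(self, mac, interfaces, proxy_arp=False):
        self.mac, self.interfaces, self.proxy_arp = mac, interfaces, proxy_arp
        self.arp = {}                  # IP string -> (MAC, VLAN) learned by the gateway

    def interface_for_vlan(self, vlan):
        return next((i for i in self.interfaces if vlan in i.vlans), None)

    def interface_for_ip(self, ip):
        return next((i for i in self.interfaces if ip in i.iface.network), None)


class Network:
    def __init__(self, gateway, hosts):
        self.gateway, self.hosts = gateway, hosts

    def arp_in_vlan(self, vlan, target_ip, exclude=None):
        """An ARP request is a broadcast, so only stations in the same VLAN can answer it."""
        for h in self.hosts:
            if h.vlan == vlan and h is not exclude and h.iface.ip == target_ip:
                return h.mac
        return None

    def gateway_resolve(self, target_ip, skip_vlan=None):
        """The gateway ARPs on the interface directly connected to target_ip (a direct route)."""
        out = self.gateway.interface_for_ip(target_ip)
        if out is None:
            return None
        for vlan in sorted(out.vlans - {skip_vlan}):
            mac = self.arp_in_vlan(vlan, target_ip)
            if mac is not None:
                self.gateway.arp[str(target_ip)] = (mac, vlan)
                return mac
        return None

    def resolve(self, requester, target_ip):
        """Returns (how, next_hop_mac) for requester trying to reach target_ip."""
        target_ip = ip_address(target_ip)
        gw = self.gateway
        gw_if = gw.interface_for_vlan(requester.vlan)
        if target_ip not in requester.iface.network:
            # 7.3.3: another subnet, so the host ARPs for its default gateway, not for the target
            if gw_if is None or self.gateway_resolve(target_ip) is None:
                return ("unresolved", None)
            requester.arp[str(gw_if.iface.ip)] = gw.mac
            return ("routed", gw.mac)
        mac = self.arp_in_vlan(requester.vlan, target_ip, exclude=requester)
        if mac is not None:            # same sub-VLAN: ordinary Layer 2 resolution
            requester.arp[str(target_ip)] = mac
            return ("layer2", mac)
        # 7.4.3: same subnet but another sub-VLAN; the broadcast never reaches the target,
        # so only ARP proxy on the super-VLAN interface can answer it
        if not gw.proxy_arp or gw_if is None or target_ip not in gw_if.iface.network:
            return ("unresolved", None)
        if self.gateway_resolve(target_ip, skip_vlan=requester.vlan) is None:
            return ("unresolved", None)
        requester.arp[str(target_ip)] = gw.mac   # the gateway answers with its own MAC
        return ("proxied", gw.mac)


def build_vlanif_demo():
    """Constructed 7.3.3 topology: VLANIF2 and VLANIF3 on one device, one subnet per VLAN."""
    hosts = [Host("HostA", "10.0.2.2/24", "00:e0:fc:00:00:0a", 2),
             Host("HostC", "10.0.3.3/24", "00:e0:fc:00:00:0c", 3)]
    gw = Gateway("00:e0:fc:00:00:01",
                 [L3Interface("10.0.2.1/24", {2}), L3Interface("10.0.3.1/24", {3})])
    return Network(gw, hosts), hosts


def build_super_vlan_demo(proxy_arp):
    """Constructed Figure 7-4-3 topology: super-VLAN 10 (1.1.1.1/24) over sub-VLANs 2 and 3."""
    hosts = [Host("HostA", "1.1.1.2/24", "00:e0:fc:00:00:0a", 2),
             Host("HostB", "1.1.1.3/24", "00:e0:fc:00:00:0b", 3),
             Host("HostC", "1.1.1.4/24", "00:e0:fc:00:00:0c", 2)]
    gw = Gateway("00:e0:fc:00:00:01", [L3Interface("1.1.1.1/24", {2, 3})], proxy_arp=proxy_arp)
    return Network(gw, hosts), hosts


if __name__ == "__main__":
    net, (a, c) = build_vlanif_demo()
    print("VLANIF:", net.resolve(a, "10.0.3.3"))
    for enabled in (True, False):
        net, (a, b, c) = build_super_vlan_demo(enabled)
        print("proxy ARP", enabled, net.resolve(a, "1.1.1.3"), net.resolve(a, "1.1.1.4"))
```

Running it shows the failure mode the text describes: with ARP proxy disabled, Host A's request for 1.1.1.3 is answered by nobody, although Host C in the same sub-VLAN still resolves at Layer 2, and in the proxied case Host A ends up with the gateway's MAC for Host B's IP, which is why the traffic is then forwarded at Layer 3.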
Layer 2 Communications between a Sub-VLAN and an External Network
As shown in Figure 7-4-4, in port-based Layer 2 VLAN communications, the received and sent frames are never tagged with the super-VLAN ID.
Figure 7-4-4 Networking diagram of Layer 2 communications between a sub-VLAN and an external network
The frame that enters Switch 1 through Port1 from Host A is tagged with the ID of VLAN 2. The VLAN ID is not changed to the ID of VLAN 10 on Switch 1 even though VLAN 2 is a sub-VLAN of VLAN 10. After passing through Port3, which is a trunk port, this frame still carries the ID of VLAN 2. That is to say, Switch 1 itself never sends frames of VLAN 10. In addition, Switch 1 discards frames of VLAN 10 that other devices send to it, because Switch 1 has no physical port in VLAN 10. A super-VLAN has no physical port, and this restriction is enforced in both configuration orders:
If you configure the super-VLAN first and then the trunk interface, the frames of the super-VLAN are automatically filtered out of the VLAN range set on the trunk interface. As shown in Figure 7-4-4, no frame of super-VLAN 10 passes through Port3 on Switch 1, even though the interface allows frames from all VLANs to pass through.
If you configure the trunk interface first and allow all VLANs to pass through, you can no longer configure the super-VLAN on Switch 1. The root cause is that a VLAN with physical ports cannot be configured as a super-VLAN, and a trunk interface that allows the tagged frames of all VLANs to pass through counts as a physical port of every VLAN. Therefore, no VLAN can be configured as a super-VLAN.
As for Switch 1, the valid VLANs are just VLAN 2 and VLAN 3, and all frames are forwarded in these VLANs.
Layer 3 Communications between a Sub-VLAN and an External Network
Figure 7-4-5 Networking diagram of Layer 3 communications between a sub-VLAN and an external network
As shown in Figure 7-4-5, Switch 1 is configured with super-VLAN 4, sub-VLAN 2, sub-VLAN 3, and a common VLAN 10. Switch 2 is configured with two common VLANs, VLAN 10 and VLAN 20. Suppose that Switch 1 has a route to the network segment 1.1.3.0/24 and Switch 2 has a route to the network segment 1.1.1.0/24. Host A in sub-VLAN 2, which belongs to super-VLAN 4, needs to access Host C on Switch 2:
1. After comparing the IP address of Host C (1.1.3.2) with its own IP address, Host A finds that the two addresses are not in the same network segment 1.1.1.0/24.
2. Host A initiates an ARP broadcast to request the MAC address of its gateway.
3. After receiving the ARP request, Switch 1 identifies the mapping between the sub-VLAN and the super-VLAN and sends an ARP response to Host A through sub-VLAN 2. The source MAC address in the ARP response packet is the MAC address of VLANIF4, the interface of super-VLAN 4.
4. Host A learns the MAC address of the gateway.
5. Host A sends the packet to the gateway, with the destination MAC address set to the MAC address of VLANIF4 and the destination IP address set to 1.1.3.2.
6. After receiving the packet, Switch 1 performs Layer 3 forwarding and sends the packet to Switch 2, with the next-hop address 1.1.2.2 and the outbound interface VLANIF10.
7. After receiving the packet, Switch 2 performs Layer 3 forwarding and sends the packet to Host C through the directly connected interface VLANIF20.
8. The response packet from Host C reaches Switch 1 after Layer 3 forwarding on Switch 2.
9. After receiving the packet, Switch 1 performs Layer 3 forwarding and sends the packet to Host A through the super-VLAN.
7.5 MUX VLAN
7.5.1 Background
Multiplex VLAN (MUX VLAN) controls network resources by VLAN. For example, on an enterprise network, both enterprise employees and enterprise customers can access the enterprise server. The enterprise requires that employees be able to communicate with each other, whereas customers must not be able to communicate with each other. To allow all users to access the enterprise server, inter-VLAN communication would have to be configured, and with a large number of users, every user that must be isolated from the others would need its own VLAN. This wastes VLAN IDs and requires a great deal of configuration and maintenance work. The Layer 2 traffic isolation mechanism provided by MUX VLAN meets this requirement without those drawbacks.
7.5.2 Basic Concepts
As shown in Table 7-5-1, a MUX VLAN consists of a principal VLAN and subordinate VLANs; a subordinate VLAN is either a separate VLAN or a group VLAN.
Table 7-5-1 Classification of a MUX VLAN
Principal VLAN
 VLAN type: -
 Associated port: principal port
 Access authority: A principal port can communicate with all ports in a MUX VLAN.
Subordinate VLAN, separate VLAN
 Associated port: separate port
 Access authority: A separate port can communicate only with a principal port and is isolated from other types of ports. A separate VLAN must be bound to a principal VLAN.
Subordinate VLAN, group VLAN
 Associated port: group port
 Access authority: A group port can communicate with a principal port and with the other ports in the same group, but cannot communicate with ports in other groups or with a separate port. A group VLAN must be bound to a principal VLAN.
7.5.3 Principle of Communication in MUX VLAN
As shown in Figure 7-5-1, the principal port connects to the enterprise server, separate ports connect to enterprise customers, and group ports connect to enterprise employees. In this way, enterprise customers and employees can both access the enterprise server, employees can communicate with each other, customers cannot communicate with each other, and customers and employees cannot communicate with each other.
Figure 7-5-1 Application scenario of MUX VLAN
7.6 Examples for Configuring VLAN
7.6.1 Example for Configuring Interface-based VLAN Assignment
Networking Requirements
An enterprise requires that departments in charge of the same service communicate with each other while departments in charge of different services are isolated. As shown in Figure 7-6-1, the enterprise has four departments. Department 1 is connected to RouterA, which is connected to Ethernet 2/0/1 of the Router. Department 2 is connected to RouterB, which is connected to Ethernet 2/0/2 of the Router. Department 3 is connected to RouterC, which is connected to Ethernet 2/0/3 of the Router. Department 4 is connected to RouterD, which is connected to Ethernet 2/0/4 of the Router. The requirements are as follows:
Department 1 and Department 2 in VLAN 2 are isolated from Department 3 and Department 4 in VLAN 3.
Department 1 and Department 2 in VLAN 2 can communicate with each other.
Department 3 and Department 4 in VLAN 3 can communicate with each other.
Figure 7-6-1 Network diagram of interface-based VLAN assignment
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs.
2. Add interfaces to the VLANs.
Procedure
1. Configure the Router.
# Create VLAN 2.
system-view
[Huawei] vlan 2
[Huawei-vlan2] quit
# Set the link type of Ethernet 2/0/1 to trunk and add Ethernet 2/0/1 to VLAN 2.
[Huawei] interface ethernet 2/0/1
[Huawei-Ethernet2/0/1] port link-type trunk
[Huawei-Ethernet2/0/1] port trunk allow-pass vlan 2
[Huawei-Ethernet2/0/1] quit
# Set the link type of Ethernet 2/0/2 to trunk and add Ethernet 2/0/2 to VLAN 2.
[Huawei] interface ethernet 2/0/2
[Huawei-Ethernet2/0/2] port link-type trunk
[Huawei-Ethernet2/0/2] port trunk allow-pass vlan 2
[Huawei-Ethernet2/0/2] quit
# Create VLAN 3.
[Huawei] vlan 3
[Huawei-vlan3] quit
# Set the link type of Ethernet 2/0/3 to trunk and add Ethernet 2/0/3 to VLAN 3.
[Huawei] interface ethernet 2/0/3
[Huawei-Ethernet2/0/3] port link-type trunk
[Huawei-Ethernet2/0/3] port trunk allow-pass vlan 3
[Huawei-Ethernet2/0/3] quit
# Set the link type of Ethernet 2/0/4 to trunk and add Ethernet 2/0/4 to VLAN 3.
[Huawei] interface ethernet 2/0/4
[Huawei-Ethernet2/0/4] port link-type trunk
[Huawei-Ethernet2/0/4] port trunk allow-pass vlan 3
[Huawei-Ethernet2/0/4] quit
2. Verify the configuration.
Ping any host in VLAN 3 from a host in VLAN 2. The ping fails, indicating that Department 1 and Department 2 are isolated from Department 3 and Department 4. Ping any host in Department 2 from a host in Department 1. The ping succeeds, indicating that Department 1 and Department 2 can communicate with each other. Ping any host in Department 4 from a host in Department 3. The ping succeeds, indicating that Department 3 and Department 4 can communicate with each other.
Configuration Files
Configuration file of the Router
#
vlan batch 2 to 3
#
interface Ethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 2
#
interface Ethernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 2
#
interface Ethernet2/0/3
 port link-type trunk
 port trunk allow-pass vlan 3
#
interface Ethernet2/0/4
 port link-type trunk
 port trunk allow-pass vlan 3
#
return
7.6.2 Example for Implementing Inter-VLAN Communication Using VLANIF Interfaces
Networking Requirements
Users in an enterprise use different services and are located on different network segments. Users who use the same service belong to different VLANs and want to communicate with each other. As shown in Figure 7-6-2, User 1 and User 2 use the same service but belong to different VLANs and are located on different network segments. User 1 wants to communicate with User 2.
Figure 7-6-2 Networking diagram for implementing inter-VLAN communication using VLANIF interfaces
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on the switches for the different users.
2. Add interfaces to the VLANs so that packets of the VLANs can pass through the interfaces.
3. Create VLANIF interfaces and configure IP addresses for them to implement Layer 3 communication.
NOTE: To implement communication between VLANs, hosts in each VLAN must use the IP address of the corresponding VLANIF interface as the gateway address.
Huawei Confidential
Page 335 of 1210
HCIE-R&S Material
Confidentiality Level
Procedure
1. Configure the Switch.
# Create VLANs.
system-view
[HUAWEI] vlan batch 10 20
# Add interfaces to VLANs.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 10
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] port link-type access
[HUAWEI-GigabitEthernet0/0/2] port default vlan 20
[HUAWEI-GigabitEthernet0/0/2] quit
# Assign IP addresses to the VLANIF interfaces.
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ip address 10.10.10.2 24
[HUAWEI-Vlanif10] quit
[HUAWEI] interface vlanif 20
[HUAWEI-Vlanif20] ip address 20.20.20.2 24
[HUAWEI-Vlanif20] quit
2. Verify the configuration.
Configure the IP address 10.10.10.3/24 on User 1's host and set the VLANIF 10 interface IP address 10.10.10.2/24 as its gateway address. Configure the IP address 20.20.20.3/24 on User 2's host and set the VLANIF 20 interface IP address 20.20.20.2/24 as its gateway address. After the preceding configurations are complete, User 1 in VLAN 10 and User 2 in VLAN 20 can communicate.
Configuration Files
Configuration file of the Switch
#
sysname HUAWEI
#
vlan batch 10 20
#
interface Vlanif10
 ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
 ip address 20.20.20.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
return
7.6.3 Example for Configuring VLAN Aggregation
Networking Requirements
Multiple departments in an enterprise are located on the same network segment. To improve service security, assign the departments to different VLANs. Some departments need to communicate with each other. As shown in Figure 7-6-3, the departments in VLAN 2 and VLAN 3 want to communicate with each other. You can configure VLAN aggregation on the switch to isolate VLAN 2 from VLAN 3 at Layer 2 and allow them to communicate at Layer 3. VLAN 2 and VLAN 3 use the same subnet segment, which saves IP addresses.
NOTE: The S2750, S5700LI and S5700S-LI do not support VLAN aggregation.
Figure 7-6-3 Networking diagram for configuring VLAN aggregation
Configuration Roadmap
The configuration roadmap is as follows:
1. Add interfaces of the Switch to sub-VLANs to isolate the sub-VLANs at Layer 2.
2. Add the sub-VLANs to a super-VLAN.
3. Configure the IP address of the VLANIF interface.
4. Configure proxy ARP for the super-VLAN to allow the sub-VLANs to communicate at Layer 3.
Procedure
1. Set the interface type.
# Configure GE 0/0/1 as an access interface.
system-view
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] quit
The configurations of GE0/0/2, GE0/0/3, and GE0/0/4 are the same as that of GE0/0/1.
2. Create VLAN 2 and add GE0/0/1 and GE0/0/2 to VLAN 2.
[HUAWEI] vlan 2
[HUAWEI-vlan2] port gigabitethernet 0/0/1 0/0/2
[HUAWEI-vlan2] quit
3. Create VLAN 3 and add GE0/0/3 and GE0/0/4 to VLAN 3.
[HUAWEI] vlan 3
[HUAWEI-vlan3] port gigabitethernet 0/0/3 0/0/4
[HUAWEI-vlan3] quit
4. Configure VLAN 4.
# Configure the super-VLAN.
[HUAWEI] vlan 4
[HUAWEI-vlan4] aggregate-vlan
[HUAWEI-vlan4] access-vlan 2 to 3
[HUAWEI-vlan4] quit
# Configure the VLANIF interface.
[HUAWEI] interface vlanif 4
[HUAWEI-Vlanif4] ip address 100.1.1.12 255.255.255.0
[HUAWEI-Vlanif4] quit
5. Configure the PCs.
Configure an IP address for each PC. Ensure that the PC IP addresses are in the same network segment as the VLANIF 4 interface. When this configuration is complete, the PCs and the Switch can ping each other, but the PCs in VLAN 2 and the PCs in VLAN 3 cannot ping each other. You still need to configure proxy ARP on the Switch (the arp-proxy inter-sub-vlan-proxy enable command under VLANIF 4, as shown in the configuration file below).
Verify the configuration.
When the configuration is complete, the PCs in VLAN 2 and VLAN 3 can ping each other.
Configuration Files
Configuration file of the Switch
#
sysname HUAWEI
#
vlan batch 2 to 4
#
vlan 4
 aggregate-vlan
 access-vlan 2 to 3
#
interface Vlanif4
 ip address 100.1.1.12 255.255.255.0
 arp-proxy inter-sub-vlan-proxy enable
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 2
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 2
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 3
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 3
#
return
7.6.4 Example for Configuring MUX VLAN (Access Devices)
Networking Requirements
On an enterprise network, all users can access the enterprise server. Some users need to communicate with each other, whereas other users must be isolated from each other. As shown in Figure 7-6-4, MUX VLAN can be configured on the Switch to meet the enterprise's requirements using fewer VLAN IDs. In addition, MUX VLAN reduces the configuration workload of the network administrator and facilitates network maintenance.
Figure 7-6-4 MUX VLAN configuration
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the principal VLAN.
2. Configure the group VLAN.
3. Configure the separate VLAN.
4. Add interfaces to the VLANs and enable the MUX VLAN function.
Procedure
1. Configure the MUX VLAN.
# Create VLAN 2, VLAN 3, and VLAN 4.
system-view
[HUAWEI] vlan batch 2 3 4
# Configure the group VLAN and separate VLAN in the MUX VLAN.
[HUAWEI] vlan 2
[HUAWEI-vlan2] mux-vlan
[HUAWEI-vlan2] subordinate group 3
[HUAWEI-vlan2] subordinate separate 4
[HUAWEI-vlan2] quit
# Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 2
[HUAWEI-GigabitEthernet0/0/1] port mux-vlan enable vlan 2
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] port link-type access
[HUAWEI-GigabitEthernet0/0/2] port default vlan 3
[HUAWEI-GigabitEthernet0/0/2] port mux-vlan enable vlan 3
[HUAWEI-GigabitEthernet0/0/2] quit
[HUAWEI] interface gigabitethernet 0/0/3
[HUAWEI-GigabitEthernet0/0/3] port link-type access
[HUAWEI-GigabitEthernet0/0/3] port default vlan 3
[HUAWEI-GigabitEthernet0/0/3] port mux-vlan enable vlan 3
[HUAWEI-GigabitEthernet0/0/3] quit
[HUAWEI] interface gigabitethernet 0/0/4
[HUAWEI-GigabitEthernet0/0/4] port link-type access
[HUAWEI-GigabitEthernet0/0/4] port default vlan 4
[HUAWEI-GigabitEthernet0/0/4] port mux-vlan enable vlan 4
[HUAWEI-GigabitEthernet0/0/4] quit
[HUAWEI] interface gigabitethernet 0/0/5
[HUAWEI-GigabitEthernet0/0/5] port link-type access
[HUAWEI-GigabitEthernet0/0/5] port default vlan 4
[HUAWEI-GigabitEthernet0/0/5] port mux-vlan enable vlan 4
[HUAWEI-GigabitEthernet0/0/5] quit
2. Verify the configuration.
The Server can ping Hosts B to E, and Hosts B to E can ping the Server.
Host B and Host C can ping each other.
Host D and Host E cannot ping each other.
Host B and Host C cannot ping Host D or Host E. Host D and Host E cannot ping Host B or Host C.
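The reachability rules of Table 7-5-1 and the ping results of this verification step, as an added Python model (not Huawei's code): VLAN 2 is the principal VLAN with the Server, VLAN 3 the group VLAN with Hosts B and C, and VLAN 4 the separate VLAN with Hosts D and E, as in this example.

```python
"""Reachability model for a MUX VLAN (added example, not Huawei's code).

Port roles follow Table 7-5-1: a principal port can talk to every port,
a group port to the principal port and to ports in its own group VLAN,
a separate port only to the principal port.  Every port here is assumed
to have 'port mux-vlan enable vlan <id>' applied, as in example 7.6.4.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MuxVlan:
    principal: int
    groups: frozenset     # subordinate group VLAN IDs
    separates: frozenset  # subordinate separate VLAN IDs

    def __post_init__(self):
        # A VLAN can hold only one role inside a MUX VLAN.
        if self.principal in self.groups | self.separates or self.groups & self.separates:
            raise ValueError("a VLAN can have only one role in a MUX VLAN")

    def role(self, vlan):
        if vlan == self.principal:
            return "principal"
        if vlan in self.groups:
            return "group"
        if vlan in self.separates:
            return "separate"
        raise ValueError(f"VLAN {vlan} is not part of this MUX VLAN")

    def can_communicate(self, vlan_a, vlan_b):
        """Layer 2 reachability between two MUX-enabled access ports."""
        ra, rb = self.role(vlan_a), self.role(vlan_b)
        if "principal" in (ra, rb):
            return True               # principal port reaches all ports
        if ra == "group" and rb == "group":
            return vlan_a == vlan_b   # same group VLAN only
        return False                  # separate ports, or group vs separate


@dataclass(frozen=True)
class AccessPort:
    name: str          # host attached to the port
    default_vlan: int  # 'port default vlan <id>'


class MuxSwitch:
    def __init__(self, mux, ports):
        self.mux = mux
        self.ports = {p.name: p for p in ports}

    def reachable(self, host_a, host_b):
        pa, pb = self.ports[host_a], self.ports[host_b]
        return self.mux.can_communicate(pa.default_vlan, pb.default_vlan)

    def matrix(self):
        """Ordered-pair reachability for every pair of distinct hosts."""
        names = list(self.ports)
        return {(a, b): self.reachable(a, b) for a in names for b in names if a != b}


def build_example_7_6_4():
    """VLAN 2 principal (Server), VLAN 3 group (Hosts B, C), VLAN 4 separate (Hosts D, E)."""
    mux = MuxVlan(principal=2, groups=frozenset({3}), separates=frozenset({4}))
    ports = [AccessPort("Server", 2), AccessPort("Host B", 3), AccessPort("Host C", 3),
             AccessPort("Host D", 4), AccessPort("Host E", 4)]
    return MuxSwitch(mux, ports)


if __name__ == "__main__":
    sw = build_example_7_6_4()
    for (a, b), ok in sorted(sw.matrix().items()):
        print(f"{a:7} -> {b:7}: {'ping ok' if ok else 'isolated'}")
```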
Configuration Files
Configuration file of the Switch
#
sysname HUAWEI
#
vlan batch 2 to 4
#
vlan 2
 mux-vlan
 subordinate separate 4
 subordinate group 3
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 2
 port mux-vlan enable vlan 2
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 3
 port mux-vlan enable vlan 3
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 3
 port mux-vlan enable vlan 3
#
interface GigabitEthernet0/0/4
 port link-type access
 port default vlan 4
 port mux-vlan enable vlan 4
#
interface GigabitEthernet0/0/5
 port link-type access
 port default vlan 4
 port mux-vlan enable vlan 4
#
return
7.6.5 Example for Configuring MUX VLAN (Aggregate Devices)
Networking Requirements
On the enterprise network, every employee needs to access the servers, but only some of the employees are allowed to communicate with each other. As shown in Figure 7-6-5, Switch1 is located at the aggregation layer and works as the gateway for the access terminals. Switch2, Switch3, Switch4, Switch5, and Switch6 are access layer devices. MUX VLAN can be applied on Switch1. MUX VLAN not only meets the enterprise's requirements and avoids exhausting VLAN IDs, but also simplifies maintenance for the administrator.
Huawei Confidential
Page 343 of 1210
HCIE-R&S Material
Confidentiality Level
Figure 7-6-5 MUX VLAN configuration
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the principal VLAN, configure its VLANIF interface, and assign it an IP address to serve as the gateway address of the hosts and servers.
2. Configure the group VLAN.
3. Configure the separate VLAN.
4. Add interfaces to the VLANs and enable the MUX VLAN function.
5. Configure the interfaces of the access devices and add them to the VLANs.
Procedure
1. Configure Switch1.
# Create VLAN 2, VLAN 3, and VLAN 4, configure the VLANIF interface of VLAN 2, and assign it the IP address used as the gateway address of the hosts and servers.
system-view
[HUAWEI] vlan batch 2 3 4
[HUAWEI] interface vlanif 2
[HUAWEI-Vlanif2] ip address 192.168.100.100 24
[HUAWEI-Vlanif2] quit
# Configure the group VLAN and separate VLAN in the MUX VLAN.
[HUAWEI] vlan 2
[HUAWEI-vlan2] mux-vlan
[HUAWEI-vlan2] subordinate group 3
[HUAWEI-vlan2] subordinate separate 4
[HUAWEI-vlan2] quit
# Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] port link-type access
[HUAWEI-GigabitEthernet0/0/2] port default vlan 2
[HUAWEI-GigabitEthernet0/0/2] port mux-vlan enable vlan 2
[HUAWEI-GigabitEthernet0/0/2] quit
[HUAWEI] interface gigabitethernet 0/0/3
[HUAWEI-GigabitEthernet0/0/3] port link-type access
[HUAWEI-GigabitEthernet0/0/3] port default vlan 3
[HUAWEI-GigabitEthernet0/0/3] port mux-vlan enable vlan 3
[HUAWEI-GigabitEthernet0/0/3] quit
[HUAWEI] interface gigabitethernet 0/0/4
[HUAWEI-GigabitEthernet0/0/4] port link-type access
[HUAWEI-GigabitEthernet0/0/4] port default vlan 3
[HUAWEI-GigabitEthernet0/0/4] port mux-vlan enable vlan 3
[HUAWEI-GigabitEthernet0/0/4] quit
[HUAWEI] interface gigabitethernet 0/0/5
[HUAWEI-GigabitEthernet0/0/5] port link-type access
[HUAWEI-GigabitEthernet0/0/5] port default vlan 4
[HUAWEI-GigabitEthernet0/0/5] port mux-vlan enable vlan 4
[HUAWEI-GigabitEthernet0/0/5] quit
[HUAWEI] interface gigabitethernet 0/0/6
[HUAWEI-GigabitEthernet0/0/6] port link-type access
[HUAWEI-GigabitEthernet0/0/6] port default vlan 4
[HUAWEI-GigabitEthernet0/0/6] port mux-vlan enable vlan 4
[HUAWEI-GigabitEthernet0/0/6] quit
NOTE: The configuration file at the end of this example shows GE0/0/2 to GE0/0/6 as trunk interfaces (port link-type trunk with port trunk allow-pass vlan) rather than access interfaces. Use the link type that matches the uplinks of the access switches; the configuration file is the reference.
2. Configure the interfaces of the access devices and add them to the VLANs. This step is not described here.
3. Verify the configuration.
The Server can ping Hosts B to E, and Hosts B to E can ping the Server.
Host B and Host C can ping each other.
Host D and Host E cannot ping each other.
Host B and Host C cannot ping Host D or Host E. Host D and Host E cannot ping Host B or Host C.
Configuration Files
Configuration file of Switch1
#
sysname HUAWEI
#
vlan batch 2 to 4
#
vlan 2
 mux-vlan
 subordinate separate 4
 subordinate group 3
#
interface Vlanif2
 ip address 192.168.100.100 255.255.255.0
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2
 port mux-vlan enable vlan 2
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 3
 port mux-vlan enable vlan 3
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 3
 port mux-vlan enable vlan 3
#
interface GigabitEthernet0/0/5
 port link-type trunk
 port trunk allow-pass vlan 4
 port mux-vlan enable vlan 4
#
interface GigabitEthernet0/0/6
 port link-type trunk
 port trunk allow-pass vlan 4
 port mux-vlan enable vlan 4
#
return
Chapter 8 Layer 2 Ethernet Technologies
8.1 ARP
8.1.1 Basic Concepts
As the basis of Ethernet communication, ARP maps IP addresses to MAC addresses. On a local area network (LAN), a host or network device must know the IP address of the destination host or device before sending data to it. It must also know the physical address of the destination, because IP packets must be encapsulated into frames for transmission over the physical network. Therefore, a mapping from an IP address to a physical address is required, and ARP provides this mapping.
8.1.2 ARP Feature
ARP entries can be dynamic or static. ARP also provides extended functions such as proxy ARP, ARP-Ping, ARP EAI, and ARP forwarding after port isolation.
Comparison between dynamic ARP and static ARP
ARP entries are classified into static and dynamic ARP entries.
Table 8-1-1 Comparison between dynamic ARP and static ARP
Dynamic ARP
 Concept: Dynamic ARP entries are generated and maintained automatically using the ARP protocol.
 Entry generation and maintenance: They can be aged, updated, or overridden by static ARP entries. By default, ARP entries are dynamically learned and maintained.
 Usage scenario: Dynamic ARP entries are generated and maintained dynamically by the ARP protocol.
Static ARP
 Concept: Static ARP entries are manually configured. Mappings between IP addresses and MAC addresses are fixed and cannot be changed on hosts or routers.
 Entry generation and maintenance: Static ARP entries are manually configured and maintained. They cannot be aged or overridden by dynamic ARP entries. NOTE: Static ARP entries improve communication security. However, a large number of ARP entries increases configuration and maintenance costs.
 Usage scenario: Static ARP is configured to (1) direct the packets whose destination IP addresses are not on the local network segment to a gateway on the local network segment so that the packets can be forwarded by the gateway, and (2) bind the destination IP addresses of illegal packets to a nonexistent MAC address so that the illegal packets are filtered out. Static ARP entries can be configured on important network devices such as servers to specify the member devices that they can communicate with. In this way, the mappings between IP addresses and MAC addresses of these member devices cannot be modified by forged ARP packets, and illegal ARP replies are prevented. This protects servers against network attacks.
8.1.3 ARP Extended Functions
ARP provides the extended functions listed in Table 8-1-2.
Table 8-1-2 ARP extended functions and their usage scenarios
Function: Proxy ARP
 Concept: The router can function as a proxy of the destination host to reply to an ARP Request message.
 Usage scenario: Proxy ARP is classified into the following three types:
 1. Routed Proxy ARP: Routed Proxy ARP enables network devices on the same network segment but on different physical networks to communicate.
 2. Intra-VLAN Proxy ARP: Intra-VLAN Proxy ARP enables isolated network devices in a VLAN to communicate.
 3. Inter-VLAN Proxy ARP: Inter-VLAN Proxy ARP enables network devices in different VLANs, or network devices in different sub-VLANs but on the same network segment, to communicate.
8.2 MAC Address Table
8.2.1 Basic Concepts
Each device maintains a MAC address table. A MAC address table records the MAC addresses, VLAN IDs, and outbound interfaces learned from other devices. When forwarding a data frame, the device searches the MAC address table for the outbound interface according to the destination MAC address and VLAN ID in the frame. This helps the device reduce broadcasting.
Packet Forwarding Based on the MAC Address Table The device forwards packets based on the MAC address table in either of the following modes:
Unicast mode: If the destination MAC address of a packet can be found in the MAC address table, the device forwards the packet through the outbound interface specified in the matching entry.
Broadcast mode: If a packet is a broadcast or multicast packet or its destination MAC address cannot be found in the MAC address table, the device broadcasts the packet to all the interfaces in the VLAN except the inbound interface.
Categories of MAC Address Entries The MAC address entry can be classified into the dynamic entry, the static entry and the blackhole entry.
The dynamic entry is created by learning the source MAC address. It has aging time.
The static entry is set by users and is delivered to each SIC. It does not age.
The blackhole entry is used to discard the frame with the specified source MAC address or destination MAC address. Users manually set the blackhole entries and send them to each SIC. Blackhole entries have no aging time.
The dynamic entry will be lost after the system is reset or the interface board is hot swapped or reset. The static entry and the blackhole entry, however, will not be lost.
Generation of a MAC Address Entry
MAC address entries are generated automatically or configured manually.
Automatically Generated MAC Address Entries
MAC address entries are learned by the system automatically. For example, RouterA and RouterB are connected. When RouterB sends a frame to RouterA, RouterA obtains the source MAC address (the MAC address of RouterB) from the frame and adds the source MAC address and the interface number to the MAC address table. When RouterA later receives a frame destined for RouterB, it can search the MAC address table to find the correct outbound interface. The entries in the MAC address table are not valid forever. Each entry has its own lifetime. If an entry has not been refreshed by the time its lifetime expires, the device deletes that entry from the MAC address table. That lifetime is called the aging time. If the entry is refreshed before its lifetime expires, the device resets its aging time.
Manually Configured MAC Address Entries
When the device creates MAC address entries by itself, it cannot tell whether packets come from legitimate users or from attackers, which threatens network security. An attacker can forge the source MAC address in attack packets. A packet with a forged address enters the device through another port, and the device learns an incorrect MAC address entry. As a result, packets destined for the legitimate user are forwarded to the attacker. For security, the network administrator can manually add static entries to the MAC address table to bind a user's device to a port of the device. In this way, the device prevents illegitimate users from stealing data.
By configuring blackhole MAC address entries, you can prevent the traffic of specified users from passing through a switch, which protects against attacks from unauthorized users. MAC address entries configured by users take precedence over entries generated by the device itself.
Aging Time of MAC Addresses
To adapt to network changes, the MAC address table must be updated constantly. The dynamic entries automatically created in a MAC address table are not always valid. Each entry has a life cycle. An entry that has not been updated by the time its life cycle ends is deleted. This life cycle is called the aging time. If the entry is updated before its life cycle ends, the aging time of the entry is recalculated.
Figure 8-2-1 Aging of MAC addresses
As shown in the preceding figure, the aging time of MAC addresses is set to T. At t1, packets with the source MAC address 00e0-fc00-0001 and VLAN ID 1 reach an interface. Assume that the interface has been added to VLAN 1. If no entry with MAC address 00e0-fc00-0001 and VLAN ID 1 exists in the MAC address table, the MAC address is added to the table as a dynamic MAC address entry and the flag of the entry is set to 1. The switch checks all learned dynamic MAC address entries at an interval of T. For example, at t2, if the switch finds that the flag of the dynamic entry with MAC address 00e0-fc00-0001 and VLAN ID 1 is 1, it sets the flag to 0 and does not delete the entry. If packets with source MAC address 00e0-fc00-0001 and VLAN ID 1 enter the switch between t2 and t3, the flag of the entry is set to 1 again. If no such packet enters the switch between t2 and t3, the flag of the entry remains 0. At t3, on finding that the flag of the entry is 0, the switch assumes that the aging time of the entry has expired and deletes it. Consequently, the actual holdtime of a dynamic MAC address entry under automatic aging ranges from the configured aging time T to 2T. The aging time of MAC addresses is configurable. By setting the aging time, you can flexibly control how long learned dynamic MAC address entries are kept in the MAC address table.
8.2.2 Features of MAC Address Table
Disabling MAC Address Learning and Limiting the Number of MAC Addresses
The capacity of a MAC address table is limited. Therefore, when hackers forge a large number of packets with different source MAC addresses and send them to a device, the MAC address table of the device may reach its full capacity. When the MAC address table is full, the device cannot learn the source MAC addresses of valid packets.
2016-1-11
Huawei Confidential
Page 351 of 1210
HCIE-R&S Material
Confidentiality Level
A device limits the number of learned MAC addresses in one of the following modes:
Disabling MAC address learning on an interface or a VLAN
Limiting the number of MAC addresses on an interface or a VLAN
After MAC address learning is disabled on an interface or a VLAN, no new MAC address entry can be learned on that interface or VLAN. The system deletes the previously learned dynamic MAC address entries after the aging time expires; you can also delete these entries manually.
You can limit the maximum number of dynamic MAC address entries on a specified VLAN or interface. After the number of MAC address entries learned on the VLAN or interface reaches the limit, no further MAC address entry can be learned on it until previously learned entries age out.
In most cases, attack packets sent by a hacker enter a switch through the same interface. Therefore, you can set a limit on the number of MAC address entries or disable MAC address learning on that interface to prevent attack packets from exhausting the MAC address table.
Port Security
The port security function converts MAC addresses learned on an interface into secure MAC addresses (secure dynamic MAC addresses and sticky MAC addresses). Only hosts using secure MAC addresses or static MAC addresses can communicate with the device through the interface, which enhances the security of the device.
MAC Address Anti-flapping
MAC address flapping occurs on a network when the network has a loop or is under attack. MAC address flapping can be prevented in the following two ways:
Increasing the MAC address learning priority of an interface: When the same MAC address is learned by interfaces of different priorities, the MAC address entry learned by the interface with the highest priority overrides the entries learned by the other interfaces.
Forbidding MAC address flapping between interfaces with the same priority: If the priority of the interface connected to the forged device is the same as that of the interface connected to the authorized device, the MAC address of the forged device, learned later, does not replace the correct MAC address entry. However, if the authorized device powers off, the MAC address of the forged device is learned; after the authorized device powers on again, the device cannot learn the correct MAC address.
Figure 8-2-2 Networking diagram of MAC address anti-flapping
MAC Address Flapping Detection
The device can detect MAC address flapping. When MAC address flapping occurs, the device provides diagnosis information, including the flapping MAC address, the interfaces between which the MAC address flaps, and the VLAN to which the interfaces belong. A loop may exist between the interfaces where the MAC address flaps; by checking the interfaces where MAC addresses are flapping, you can determine how the loop was formed.
Figure 8-2-3 MAC address flapping detection
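The aging sweep of 8.2.1 and the learning limit, anti-flapping priority and flapping detection of 8.2.2, as an added Python example that is not Huawei code: the MacTable class, its method names and the frames fed to it are hypothetical and constructed. Sweeps run at multiples of T, so an entry that is never refreshed is deleted between T and 2T after it was learned; the flapping records correspond to the diagnosis information a switch reports.

```python
"""Simulation of the dynamic MAC address table described in 8.2.1 and 8.2.2.
Added example, not Huawei code: class and method names are hypothetical and
the frames fed in below are constructed.  Covers flag-based aging (a sweep
every T seconds), a per-interface learning limit, interface learning
priority as anti-flapping, and recording of flapping for diagnosis."""

from dataclasses import dataclass, field


@dataclass
class Entry:
    interface: str
    flag: int = 1            # 1 = refreshed since the last aging sweep


@dataclass
class MacTable:
    aging_time: int                                  # T, in seconds
    limits: dict = field(default_factory=dict)       # interface -> max dynamic entries
    priorities: dict = field(default_factory=dict)   # interface -> learning priority
    entries: dict = field(default_factory=dict)      # (mac, vlan) -> Entry
    flaps: list = field(default_factory=list)        # flapping diagnosis records
    next_sweep: int = 0

    def _count(self, interface):
        return sum(1 for e in self.entries.values() if e.interface == interface)

    def learn(self, now, mac, vlan, interface):
        """Process a frame with source `mac` in `vlan` arriving on `interface`.
        Call tick(now) first.  Returns True if an entry was created/refreshed."""
        key = (mac, vlan)
        cur = self.entries.get(key)
        if cur is None:
            # Learning limit: a full interface learns nothing until entries age out.
            if self._count(interface) >= self.limits.get(interface, float("inf")):
                return False
            self.entries[key] = Entry(interface)
            return True
        if cur.interface != interface:
            # The MAC is seen on a second interface: record it for diagnosis.
            self.flaps.append({"mac": mac, "vlan": vlan,
                               "from": cur.interface, "to": interface})
            # Anti-flapping: only a strictly higher learning priority overrides;
            # equal priority keeps the entry that was learned first.
            if self.priorities.get(interface, 0) <= self.priorities.get(cur.interface, 0):
                return False
            cur.interface = interface
        cur.flag = 1             # a refresh restarts the aging cycle
        return True

    def tick(self, now):
        """Run every sweep due by `now`: flag 1 -> 0, flag 0 -> entry deleted."""
        while now >= self.next_sweep:
            for key in list(self.entries):
                entry = self.entries[key]
                if entry.flag == 1:
                    entry.flag = 0
                else:
                    del self.entries[key]
            self.next_sweep += self.aging_time

    def lookup(self, mac, vlan):
        entry = self.entries.get((mac, vlan))
        return entry.interface if entry else None


def holdtime(aging_time, learn_at):
    """Seconds an entry that is never refreshed survives when learned at
    `learn_at`.  Sweeps run at multiples of T, so the result lies in (T, 2T]."""
    table = MacTable(aging_time)
    table.tick(learn_at)
    table.learn(learn_at, "00e0-fc00-0001", 1, "GE0/0/1")
    t = learn_at
    while table.lookup("00e0-fc00-0001", 1) is not None:
        t += 1
        table.tick(t)
    return t - learn_at


if __name__ == "__main__":
    print("holdtime T=300, learned at t=10:", holdtime(300, 10))    # 590
    print("holdtime T=300, learned at t=290:", holdtime(300, 290))  # 310
```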
8.3 Link Aggregation
8.3.1 Basic Concepts
Ethernet link aggregation, also called Eth-Trunk, bundles multiple physical links into one logical link to increase link bandwidth. The bundled links back each other up, which increases reliability.
As networks grow, users place ever higher requirements on the bandwidth and reliability of the Ethernet backbone. Traditional approaches increase bandwidth with high-speed cards or devices that support high-speed interface cards; this is costly and inflexible. Link aggregation increases bandwidth by bundling a group of physical interfaces into a single logical interface, without a hardware upgrade. In addition, link aggregation provides link backup, which greatly improves link reliability.
As shown in Figure 8-3-1, DeviceA and DeviceB are connected through three Ethernet physical links, which are bundled into one Eth-Trunk link. The bandwidth of the Eth-Trunk link is the sum of the bandwidth of the three physical links, so bandwidth is increased, and the three physical links back each other up, which improves reliability.
NOTE:
Both devices of the Eth-Trunk must use the same number of physical interfaces, interface rate, duplex mode, jumbo frame setting, and flow control mode.
Figure 8-3-1 Eth-Trunk networking
8.3.2 Features of Link Aggregation
Link aggregation can work in manual load balancing mode or LACP mode. In a stack scenario, an Eth-Trunk can preferentially forward local traffic, and E-Trunk is supported between two devices.
Link Aggregation in Manual Load Balancing Mode
In manual load balancing mode, you manually create an Eth-Trunk interface and add member interfaces to it, without the assistance of LACP. In this mode, all member interfaces of a LAG share the traffic evenly. If an active link fails, the remaining active links share the traffic evenly. If high link bandwidth between two directly connected devices is required but the peer device does not support LACP, you can use the manual load balancing mode.
Figure 8-3-2 Eth-Trunk in manual load balancing mode
Link Aggregation in LACP Mode
Eth-Trunk in manual load balancing mode increases bandwidth, but it can only detect link disconnection; it cannot detect other faults such as link-layer faults or incorrect link connections. LACP mode uses the Link Aggregation Control Protocol (LACP), which improves the fault tolerance of the Eth-Trunk and ensures high reliability of the member links. LACP provides a standard negotiation mechanism for switching devices, so that they automatically create and enable aggregated links based on their configurations. After aggregated links are created, LACP maintains the link status. If the status of an aggregated link changes, LACP automatically adjusts or disables the link.
M:N backup
In LACP mode, LACP negotiates parameters to determine the active member links in a LAG. This mode is also called M:N mode, where M is the number of active links and N the number of backup links. It guarantees high reliability and allows load balancing across the M active links. As shown in Figure 8-3-3, M+N links with the same attributes (in the same LAG) are set up between two devices. When data is transmitted over the aggregated link, load balancing is performed across the M active links, and no data is transmitted over the N backup links. Therefore, the actual bandwidth of the aggregated link is the sum of the bandwidth of the M links, and the maximum bandwidth of the aggregated link is the sum of the bandwidth of the M+N links. If one of the M links fails, LACP selects a link from the N backup links to replace the faulty link. In that case the actual bandwidth of the aggregated link is still the sum of the bandwidth of M links, but the maximum bandwidth becomes the sum of the bandwidth of M+N-1 links.
Figure 8-3-3 M:N backup network diagram
M:N backup is mainly applied where the bandwidth of M links must be assured and a fault tolerance mechanism must be in place. If an active link fails, the system selects the backup link with the highest priority, and this backup link becomes the active link. If no available backup link is found and the number of active links falls below the lower threshold for the number of active interfaces, the system shuts down the LAG.
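The M:N selection rule above, as an added Python example that is not Huawei code: the Link and Lag classes, the lower_threshold parameter and the link attributes are constructed. The M best working links carry traffic, a failure promotes the highest-priority backup, and the LAG is shut down when fewer links than the lower threshold remain.

```python
"""Simulation of LACP M:N backup link selection.  Added example, not Huawei
code: the Link and Lag names, the lower_threshold parameter and the link
attributes are constructed.  A lower priority value wins, as with LACP
port priority."""

from dataclasses import dataclass


@dataclass
class Link:
    name: str
    priority: int        # lower value = preferred for the active set
    bandwidth: int       # Mbit/s
    up: bool = True


@dataclass
class Lag:
    links: list
    max_active: int       # M: upper limit of active links
    lower_threshold: int  # minimum active links; below it the LAG is shut down
    shutdown: bool = False

    def select_active(self):
        """Return the M highest-priority working links; the rest are backups.
        Shuts the LAG down (empty result) when too few links are working."""
        working = sorted((l for l in self.links if l.up),
                         key=lambda l: (l.priority, l.name))
        active = working[:self.max_active]
        if len(active) < self.lower_threshold:
            self.shutdown = True
            return []
        return active

    def roles(self):
        """Map every member link to 'active', 'backup' or 'down'."""
        active = {l.name for l in self.select_active()}
        return {l.name: "down" if not l.up
                else "active" if l.name in active else "backup"
                for l in self.links}

    def actual_bandwidth(self):
        """Bandwidth really carried: the sum of the M active links."""
        return sum(l.bandwidth for l in self.select_active())

    def max_bandwidth(self):
        """Bandwidth available if every working link were active (M+N)."""
        return sum(l.bandwidth for l in self.links if l.up)

    def fail(self, name):
        """Mark a member link down; the next selection promotes a backup."""
        for l in self.links:
            if l.name == name:
                l.up = False


def demo():
    """Five 1 Gbit/s links, M=3, lower threshold 2 (constructed values)."""
    lag = Lag([Link(f"L{i}", i, 1000) for i in range(1, 6)],
              max_active=3, lower_threshold=2)
    before = (lag.actual_bandwidth(), lag.max_bandwidth())   # (3000, 5000)
    lag.fail("L1")                                           # L4 is promoted
    after = (lag.actual_bandwidth(), lag.max_bandwidth())    # (3000, 4000)
    return before, after, lag.roles()


if __name__ == "__main__":
    print(demo())
```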
Inter-Device Eth-Trunk Supporting Preferential Forwarding of Local Traffic
In a stack, an Eth-Trunk is configured as the outbound interface of traffic to ensure reliable transmission. The member interfaces of the Eth-Trunk are located on different devices. When the stack forwards traffic, the Eth-Trunk may select a member interface on another device based on the hash algorithm. This occupies bandwidth between the stack devices and reduces forwarding efficiency.
Figure 8-3-4 Inter-device Eth-Trunk preferential forwarding of local traffic
As shown in Figure 8-3-4, DeviceB and DeviceC constitute a stack, and the stack connects to DeviceA through an Eth-Trunk. After the Eth-Trunk in the stack is configured to preferentially forward local traffic, the following functions are implemented:
Forwarding received traffic by the local device
When DeviceB has member interfaces of the Eth-Trunk and those member interfaces function properly, the Eth-Trunk forwarding table of DeviceB contains only local member interfaces. The hash algorithm therefore selects a local member interface, and traffic is forwarded only through DeviceB.
Forwarding received traffic by another device
When DeviceB does not have any member interface of the Eth-Trunk or all member interfaces are faulty, the Eth-Trunk forwarding table of DeviceB contains all available member interfaces. In this manner, the hash algorithm selects a member interface on DeviceC, and traffic is forwarded through DeviceC.
NOTE:
This function is only valid for known unicast packets, and is invalid for unknown unicast packets, broadcast packets and multicast packets.
Before configuring an Eth-Trunk to preferentially forward local traffic, ensure that the member interfaces of the local Eth-Trunk have sufficient bandwidth to forward local traffic; otherwise, traffic may be discarded.
E-Trunk
Enhanced Trunk (E-Trunk), an extension of the Link Aggregation Control Protocol (LACP), is a mechanism that controls and implements link aggregation among multiple devices. E-Trunk implements device-level link reliability, rather than the board-level link reliability implemented by LACP. E-Trunk is mainly applied where a CE is dual-homed to a VPLS, VLL, or PWE3 network; there it protects the PEs and the links between the CE and the PEs. Without E-Trunk, a CE can connect to only one PE through an Eth-Trunk link, and if that Eth-Trunk link or the PE fails, the CE cannot communicate with the PE. With E-Trunk, the CE can be dual-homed to two PEs, which establishes device-level protection. As shown in Figure 8-3-5, E-Trunk is applied between the CE and the two PEs to protect link stability. The CE connects to PE1 and to PE2 through one Eth-Trunk in LACP mode each. These two Eth-Trunks form one E-Trunk, which provides backup between the link aggregation groups and enhances network reliability.
Figure 8-3-5 E-Trunk network
8.4 GVRP
8.4.1 Basic Concepts
The Generic Attribute Registration Protocol (GARP) provides a mechanism to propagate attributes so that a protocol entity can register and deregister attributes. By carrying different attributes in GARP packets, GARP supports different upper-layer applications. The GARP VLAN Registration Protocol (GVRP) is used to register and deregister VLAN attributes. GARP identifies applications through destination MAC addresses; IEEE Std 802.1Q assigns 01-80-C2-00-00-21 to the VLAN application (GVRP).
To deploy certain VLANs on all devices on a network, the network administrator would otherwise have to create these VLANs manually on each device. As shown in Figure 8-4-1, three routers are connected through trunk links. VLAN 2 is configured on Router A, and VLAN 1 is configured on Router B and Router C. To forward packets of VLAN 2 from Router A to Router C, the network administrator must manually create VLAN 2 on Router B and Router C.
Figure 8-4-1 Networking of GVRP application
8.4.2 Registration Modes A manually configured VLAN is a static VLAN, and a VLAN created through GVRP is a dynamic VLAN. GVRP provides three registration modes. Static VLANs and dynamic VLANs are processed differently in each registration mode as follows:
Normal mode: Dynamic VLANs can be registered on a port, and the port can send declarations of static VLANs and dynamic VLANs.
Fixed mode: Dynamic VLANs cannot be registered on a port, and the port can send only declarations of static VLANs.
Forbidden mode: Dynamic VLANs cannot be registered on a port. All VLANs except VLAN 1 are deleted from the port, and the port can send only the declaration of VLAN 1.
8.4.3 GARP Timers
The GARP protocol defines four timers:
Join timer
The Join timer controls the sending of Join messages, including JoinIn messages and JoinEmpty messages.
After sending the first Join message, a participant starts the Join timer. If the participant receives a JoinIn message before the Join timer expires, it does not send the second Join message. If the participant does not receive any JoinIn message, it sends the second Join message when the Join timer expires. This ensures that the Join message can be sent to other participants. Each port maintains an independent Join timer.
Hold timer
The Hold timer controls the sending of Join messages (JoinIn and JoinEmpty messages) and Leave messages (LeaveIn and LeaveEmpty messages). After a participant is configured with an attribute or receives a message, it does not send the message to other participants before the Hold timer expires. The participant encapsulates the messages received within the hold time into a minimum number of packets, which reduces the packets sent to other participants. If the participant did not use the Hold timer but forwarded each message immediately after receiving it, a large number of packets would be transmitted on the network, making the network unstable and wasting the data fields of packets. Each port maintains an independent Hold timer. The Hold timer value must be equal to or smaller than half of the Join timer value.
Leave timer
The Leave timer controls attribute deregistration. A participant starts the Leave timer after receiving a Leave or LeaveAll message. If the participant does not receive any Join message for the corresponding attribute before the Leave timer expires, it deregisters the attribute. A participant sends a Leave message if one of its attributes is deleted, but this attribute may still exist on other participants. Therefore, the participant receiving the Leave message cannot deregister the attribute immediately and must wait for messages from other participants. For example, an attribute has two sources on the network: participant A and participant B. Other participants register the attribute through GARP. If the attribute is deleted from participant A, participant A sends a Leave message to the other participants. After receiving the Leave message, participant B sends a Join message to the other participants because the attribute still exists on participant B. After receiving the Join message from participant B, the other participants retain the attribute. The other participants deregister the attribute only if they receive no Join message for the attribute within a period longer than two times the Join timer value. Therefore, the Leave timer value must be greater than two times the Join timer value. Each port maintains an independent Leave timer.
LeaveAll timer
When a GARP participant starts, it starts the LeaveAll timer. When the LeaveAll timer expires, the participant sends a LeaveAll message and restarts the LeaveAll timer.
After receiving a LeaveAll message, a participant restarts all GARP timers. The participant sends another LeaveAll message when its LeaveAll timer expires. This reduces LeaveAll messages sent in a period of time. If LeaveAll timers of multiple devices expire at the same time, they send LeaveAll messages at the same time, which causes unnecessary LeaveAll messages. To solve this problem, each device uses a random value between the LeaveAll timer value and 1.5 times the LeaveAll timer value as its LeaveAll timer value. When a LeaveAll event occurs, all attributes on the entire network are deregistered. The LeaveAll event affects the entire network; therefore, you need to set the LeaveAll timer to a proper value, at least greater than the Leave timer value. Each device maintains a global LeaveAll timer.
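The four timer constraints of this section and the two-source Leave scenario, as an added Python example that is not Huawei code: the function names and the event model are hypothetical, the timer values are constructed (all in the same unit, centiseconds), and the second Join is modelled in the worst case, where it is needed because no JoinIn was seen.

```python
"""GARP timer constraints and the two-source Leave scenario from 8.4.3.
Added example, not Huawei code: function names and the event model are
hypothetical; timer values are constructed and in the same unit throughout
(centiseconds)."""

import random


def check_garp_timers(join, hold, leave, leaveall):
    """Return the violated constraints (an empty list means the set is valid)."""
    problems = []
    if hold > join / 2:
        problems.append("hold must be <= half of join")
    if leave <= 2 * join:
        problems.append("leave must be > 2 x join")
    if leaveall <= leave:
        problems.append("leaveall must be > leave")
    return problems


def effective_leaveall(leaveall, seed=None):
    """Each device draws its LeaveAll interval from [leaveall, 1.5 x leaveall]
    so that devices do not all send LeaveAll at the same moment."""
    return random.Random(seed).uniform(leaveall, 1.5 * leaveall)


def simulate_leave(join, hold, leave, sources, participants, removed_from,
                   first_join_lost=False):
    """Return {participant: attribute still registered} after `removed_from`
    deletes the attribute at t=0.

    `sources` are the participants on which the attribute is configured;
    every participant has it registered initially.  Each remaining source
    answers the Leave with a Join once its Hold timer expires and, if no
    JoinIn was seen by then, with a second Join when its Join timer expires.
    The worst case (second Join needed) is modelled; `first_join_lost`
    drops the first Join on the wire."""
    registered = {p: True for p in participants}
    registered[removed_from] = False
    t_leave = hold                         # Leave is sent after the Hold timer
    joins = []                             # arrival times of Join messages
    for s in sources:
        if s == removed_from:
            continue
        if not first_join_lost:
            joins.append(t_leave + hold)
        joins.append(t_leave + hold + join)
    deadline = t_leave + leave             # Leave timer started on receipt
    for p in participants:
        if p == removed_from or p in sources:
            continue                       # a source keeps its own attribute
        registered[p] = any(t < deadline for t in joins)
    return registered


if __name__ == "__main__":
    print(check_garp_timers(join=20, hold=10, leave=60, leaveall=1000))
    print(simulate_leave(20, 10, 60, ["A", "B"], ["A", "B", "C"], "A"))
```

With leave=25 (below 2 x join) and the first Join lost, participant C wrongly deregisters an attribute that B still holds; with leave=60 it does not.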
8.5 Configuration Examples
8.5.1 Example for Configuring ARP
Networking Requirements
As shown in Figure 8-5-1, GE0/0/1 on the switch connects to hosts through a LAN switch (LSW), and GE0/0/2 connects to a server. The requirements are as follows:
GE0/0/1 belongs to VLAN2 and GE0/0/2 belongs to VLAN3.
Dynamic ARP parameters should be configured for VLANIF2 of the switch so that packets are transmitted correctly regardless of network topology change.
To protect the server and defend against attack ARP packets sent from bogus servers, a static ARP entry is added to GE0/0/2 of the switch. In this ARP entry, the IP address is 10.2.2.3 and the MAC address is 00e0-fc01-0000.
Figure 8-5-1 Networking diagram for configuring ARP
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to the VLANs.
2. Set dynamic ARP parameters for the user-side VLANIF interface.
3. Configure a static ARP entry.
Procedure
1. Create VLANs and add interfaces to the VLANs.
# Create VLAN2 and VLAN3.
system-view
[HUAWEI] vlan batch 2 3
# Add GE0/0/1 to VLAN2 and GE0/0/2 to VLAN3.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type trunk
[HUAWEI-GigabitEthernet0/0/1] port trunk allow-pass vlan 2
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] port link-type access
[HUAWEI-GigabitEthernet0/0/2] port default vlan 3
[HUAWEI-GigabitEthernet0/0/2] quit
2. Set dynamic ARP parameters for the VLANIF interface.
# Create VLANIF2.
[HUAWEI] interface vlanif 2
# Configure an IP address for VLANIF2.
[HUAWEI-Vlanif2] ip address 2.2.2.2 255.255.255.0
# Set the aging time of ARP entries to 60s.
[HUAWEI-Vlanif2] arp expire-time 60
# Set the number of probes for ARP entries to 2.
[HUAWEI-Vlanif2] arp detect-times 2
[HUAWEI-Vlanif2] quit
# Create VLANIF3.
[HUAWEI] interface vlanif 3
# Configure an IP address for VLANIF3.
[HUAWEI-Vlanif3] ip address 10.2.2.2 255.255.255.0
[HUAWEI-Vlanif3] quit
3. Configure a static ARP entry.
# Configure a static ARP entry with IP address 10.2.2.3, MAC address 00e0-fc01-0000, VLAN ID 3, and outbound interface GE0/0/2.
[HUAWEI] arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface gigabitethernet 0/0/2
[HUAWEI] quit
4. Verify the configuration.
# Run the display current-configuration command to check the aging time, number of probes, and ARP mapping entries.
display current-configuration | include arp
arp detect-times 2
arp expire-time 60
arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface GigabitEthernet0/0/2
Configuration Files
Configuration file of the switch
#
 sysname HUAWEI
#
vlan batch 2 to 3
#
interface Vlanif2
 arp detect-times 2
 arp expire-time 60
 ip address 2.2.2.2 255.255.255.0
#
interface Vlanif3
 ip address 10.2.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 3
#
arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface GigabitEthernet0/0/2
#
return
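A consistency check for the static ARP entry in the configuration file above, as an added Python example that is not Huawei code: the parser handles only the commands that appear on this page, the function names are hypothetical, and SAMPLE_CONFIG is constructed from the page's configuration file. The check verifies what the server-protection entry depends on: the VLAN exists, the outbound interface carries it, and the IP address lies in the subnet of the matching VLANIF.

```python
"""Consistency check for static ARP entries in a VRP-style configuration
file like the one in 8.5.1.  Added example, not Huawei code: the parser
handles only the commands that appear on this page, the function names are
hypothetical, and SAMPLE_CONFIG is constructed from the page's file."""

import ipaddress
import re

SAMPLE_CONFIG = """\
#
 sysname HUAWEI
#
vlan batch 2 to 3
#
interface Vlanif2
 arp detect-times 2
 arp expire-time 60
 ip address 2.2.2.2 255.255.255.0
#
interface Vlanif3
 ip address 10.2.2.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 3
#
arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface GigabitEthernet0/0/2
#
return
"""

ARP_STATIC = re.compile(r"arp static (\S+) (\S+) vid (\d+) interface (\S+)")


def _vlan_set(spec):
    """Expand a VLAN list such as '2 to 3 10' into {2, 3, 10}."""
    toks, out, i = spec.split(), set(), 0
    while i < len(toks):
        if i + 2 < len(toks) and toks[i + 1] == "to":
            out.update(range(int(toks[i]), int(toks[i + 2]) + 1))
            i += 3
        else:
            out.add(int(toks[i]))
            i += 1
    return out


def parse_config(text):
    """Collect created VLANs, per-interface VLAN membership and IP address,
    and static ARP entries as (ip, mac, vid, interface) tuples."""
    cfg = {"vlans": set(), "ifaces": {}, "arp_static": []}
    cur = None                      # interface block currently being read
    for raw in text.splitlines():
        line = raw.strip()
        m = ARP_STATIC.match(line)
        if m:
            cfg["arp_static"].append((m.group(1), m.group(2),
                                      int(m.group(3)), m.group(4)))
        elif line.startswith("vlan batch "):
            cfg["vlans"] |= _vlan_set(line[len("vlan batch "):])
        elif line.startswith("interface "):
            cur = cfg["ifaces"].setdefault(line.split()[1],
                                           {"vlans": set(), "ip": None})
        elif cur is None:
            continue
        elif line.startswith(("port default vlan ", "port hybrid pvid vlan ")):
            cur["vlans"].add(int(line.split()[-1]))
        elif line.startswith(("port trunk allow-pass vlan ",
                              "port hybrid untagged vlan ")):
            cur["vlans"] |= _vlan_set(line.split("vlan ", 1)[1])
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]      # dotted mask or prefix length
            cur["ip"] = ipaddress.ip_interface(f"{ip}/{mask}")
    return cfg


def check_static_arp(cfg):
    """Return (entry, problem) pairs for static ARP entries that cannot work."""
    problems = []
    for ip, mac, vid, ifname in cfg["arp_static"]:
        entry = f"{ip} {mac} vid {vid} {ifname}"
        if vid not in cfg["vlans"]:
            problems.append((entry, f"VLAN {vid} is not created"))
        iface = cfg["ifaces"].get(ifname)
        if iface is None or vid not in iface["vlans"]:
            problems.append((entry, f"{ifname} does not carry VLAN {vid}"))
        vlanif = cfg["ifaces"].get(f"Vlanif{vid}")
        if vlanif is None or vlanif["ip"] is None:
            problems.append((entry, f"Vlanif{vid} has no IP address"))
        elif ipaddress.ip_address(ip) not in vlanif["ip"].network:
            problems.append((entry, f"{ip} is outside {vlanif['ip'].network}"))
    return problems


if __name__ == "__main__":
    print(check_static_arp(parse_config(SAMPLE_CONFIG)))   # []
```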
8.5.2 Example for Configuring Routed Proxy ARP
Networking Requirements
In Figure 8-5-2, Ethernet interfaces GE0/0/1 and GE0/0/2 connect to two LANs. The two LANs are on the same network segment, 172.16.0.0/16. HostA and HostB have no default gateway. Routed proxy ARP must be configured on the switch so that hosts on the two LANs can communicate.
Figure 8-5-2 Networking diagram for configuring routed proxy ARP
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Enable routed proxy ARP on interfaces.
Procedure
1. Create VLAN2 and add GE0/0/1 to VLAN2.
system-view
Configure hosts.
# Configure IP address 172.16.1.2/16 for HostA.
# Configure IP address 172.16.2.2/16 for HostB.
8. Verify the configuration.
# Ping Host B from Host A. Host A can ping Host B successfully.
Configuration Files
Configuration file of the switch
#
 sysname HUAWEI
#
vlan batch 2 to 3
#
interface Vlanif2
 ip address 172.16.1.1 255.255.255.0
 arp-proxy enable
#
interface Vlanif3
 ip address 172.16.2.1 255.255.255.0
 arp-proxy enable
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 2
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 3
#
return
8.5.3 Example for Configuring Layer 2 Topology Detection
Networking Requirements
As shown in Figure 8-5-3, two GE interfaces are added to VLAN100. IP addresses of the switch that two GE interfaces connect.
Figure 8-5-3 Networking diagram for configuring Layer 2 topology detection
Configuration Roadmap
The configuration roadmap is as follows:
1. Add two GE interfaces to VLAN100.
2. Enable Layer 2 topology detection to view changes of ARP entries.
Procedure
1. Create VLAN100 and add two GE interfaces on the switch to VLAN100.
# Create VLAN100 and configure an IP address for the VLANIF interface.
system-view
[HUAWEI] vlan 100
[HUAWEI-vlan100] quit
[HUAWEI] interface vlanif 100
[HUAWEI-Vlanif100] ip address 10.1.1.2 24
[HUAWEI-Vlanif100] quit
# Add two GE interfaces to VLAN100.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] port link-type access
[HUAWEI-GigabitEthernet0/0/1] port default vlan 100
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] interface gigabitethernet 0/0/2
[HUAWEI-GigabitEthernet0/0/2] port link-type access
[HUAWEI-GigabitEthernet0/0/2] port default vlan 100
[HUAWEI-GigabitEthernet0/0/2] quit
2. Enable Layer 2 topology detection.
[HUAWEI] l2-topology detect enable
3. Restart GE0/0/1 and view changes of ARP entries and aging time.
# Ping the host IP addresses 10.1.1.1 and 10.1.1.3 from the switch, and then check the ARP entries on the switch. You can see that the switch has learned the MAC addresses of the hosts.
[HUAWEI] ping 10.1.1.1
PING 10.1.1.3: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=254 time=1 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/2/10 ms
[HUAWEI] ping 10.1.1.3
PING 10.1.1.3: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.3: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 10.1.1.3: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 10.1.1.3: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 10.1.1.3: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 10.1.1.3: bytes=56 Sequence=5 ttl=254 time=1 ms
--- 10.1.1.3 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/2/10 ms
[HUAWEI] display arp all
IP ADDRESS
# Run the shutdown and undo shutdown commands on GE0/0/1 and view the aging time of ARP entries.
o Run the shutdown command on GE0/0/1 to view the aging time of ARP entries.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] shutdown
[HUAWEI-GigabitEthernet0/0/1] display arp all
IP ADDRESS INTERFACE
100
------------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1
o Run the undo shutdown command on GE0/0/1. Ping the host IP address 10.1.1.1 from the switch, and then check the aging time of the ARP entries on the switch.
[HUAWEI] interface gigabitethernet 0/0/1
[HUAWEI-GigabitEthernet0/0/1] undo shutdown
[HUAWEI-GigabitEthernet0/0/1] quit
[HUAWEI] ping 10.1.1.1
PING 10.1.1.3: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=10 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=254 time=1 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=254 time=1 ms
NOTE:
The preceding command output shows that the ARP entries learned from GE0/0/1 are deleted after GE0/0/1 is shut down. After the undo shutdown command is run on GE0/0/1 and GE0/0/1 goes Up, the ARP entry learned from GE0/0/2 is aged, and the device then sends an ARP probe packet to update the ARP entry. After the entry is updated, the aging time is restored to the default value, 20 minutes.
Configuration Files
Configuration file of the switch
#
 sysname HUAWEI
#
l2-topology detect enable
#
vlan batch 100
#
interface Vlanif100
 ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 100
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 100
#
return
8.5.4 Example for Configuring Multi-interface ARP
Networking Requirements
As shown in Figure 8-5-4, the Switch connects to an NLB server cluster that works in unicast mode. The Switch connects to the three servers in the cluster through interfaces GE0/0/1, GE0/0/2, and GE0/0/3, all in VLAN10. The IP address and MAC address of the NLB server cluster are 192.168.1.1/24 and 02bf-fc01-0000 respectively. The Switch needs to send packets destined for 192.168.1.1 to all the servers in the cluster.
Figure 8-5-4 Configuring multi-interface ARP
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a multi-interface MAC address table and a static ARP entry, so that IP packets can be sent to the three servers simultaneously.
Procedure
1. Create a VLAN and add interfaces to the VLAN.
# Create VLAN10.
system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
# Add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN10.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 10
[Switch-GigabitEthernet0/0/3] quit
2. Create VLANIF10 and assign an IP address to VLANIF10.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.2 24
[Switch-Vlanif10] quit
3. Configure a multi-interface MAC address entry and a static ARP entry.
# Configure a multi-interface MAC address entry. In this entry, the MAC address is 02bf-fc01-0000, the VLAN ID is 10, and the outbound interfaces are GE0/0/1, GE0/0/2, and GE0/0/3.
[Switch] mac-address multiport 02bf-fc01-0000 interface gigabitethernet 0/0/1 to gigabitethernet 0/0/3 vlan 10
# Configure a static ARP entry that maps the IP address 192.168.1.1 to the MAC address 02bf-fc01-0000.
[Switch] arp static 192.168.1.1 02bf-fc01-0000
[Switch] quit
4. Verify the configuration.
# Run the display mac-address multiport vlan 10 command on the Switch to view the entries in the multi-interface MAC address table.
display mac-address multiport vlan 10
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Total Group(s) : 1
# Run the display arp command on the Switch to view the ARP entry.
display arp
IP ADDRESS
8.5.5 Example for Configuring the MAC Address Table
Networking Requirements
As shown in Figure 8-5-5, the MAC address of user host PC1 is 0002-0002-0002 and that of user host PC2 is 0003-0003-0003. PC1 and PC2 are connected to the Switch through the LSW. The LSW is connected to GE0/0/1 of the Switch, which belongs to VLAN 2. The MAC address of the server is 0004-0004-0004. The server is connected to GE0/0/2 of the Switch, which also belongs to VLAN 2.
To prevent hackers from using forged MAC addresses to attack the network, configure static MAC address entries for the two user hosts on the Switch.
To prevent hackers from stealing user information by forging the MAC address of the server, configure a static MAC address entry for the server on the Switch.
Figure 8-5-5 Configuring the MAC address table
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2 forwarding.
2. Configure static MAC address entries to prevent MAC address attacks.
3. Configure the aging time of dynamic MAC address entries so that the entries are updated.
Procedure
1. Configure static MAC address entries.
# Create VLAN 2 and add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 2.
system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port hybrid pvid vlan 2
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 2
[Switch-GigabitEthernet0/0/2] quit
# Configure static MAC address entries.
[Switch] mac-address static 2-2-2 GigabitEthernet 0/0/1 vlan 2
[Switch] mac-address static 3-3-3 GigabitEthernet 0/0/1 vlan 2
[Switch] mac-address static 4-4-4 GigabitEthernet 0/0/2 vlan 2
2. Set the aging time of dynamic MAC address entries.
[Switch] mac-address aging-time 500
3. Verify the configuration.
# Run the display mac-address static command in any view to check whether the static MAC address entries have been added to the MAC address table.
[Switch] display mac-address static vlan 2
------------------------------------------------------------------------------
MAC Address
------------------------------------------------------------------------------
Total items displayed = 3
# Run the display mac-address aging-time command in any view to check whether the aging time of dynamic entries has been set.
[Switch] display mac-address aging-time
Aging time: 500 second(s)
8.5.6 Example for Configuring MAC Address Learning in a VLAN
Networking Requirements
As shown in Figure 8-5-6, user network 1 is connected to GigabitEthernet0/0/1 of the Switch through an LSW, and user network 2 is connected to GigabitEthernet0/0/2 of the Switch through another LSW. Both GigabitEthernet0/0/1 and GigabitEthernet0/0/2 belong to VLAN 2. To prevent MAC address attacks and limit the number of access users on the device, limit MAC address learning on all the interfaces in VLAN 2.
Figure 8-5-6 Networking diagram for MAC address limiting in a VLAN
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2 forwarding.
2. Limit MAC address learning on all the interfaces in the VLAN to prevent MAC address attacks and limit the number of access users.
Procedure
1. Limit MAC address learning.
# Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 2
[Switch-vlan2] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 2
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 2
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port hybrid pvid vlan 2
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 2
[Switch-GigabitEthernet0/0/2] quit
# Configure the following MAC address limiting rule in VLAN 2: a maximum of 100 MAC addresses can be learned, and when the number of learned MAC addresses reaches the limit, the device sends an alarm.
[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 alarm enable
[Switch-vlan2] return
2. Verify the configuration.
# Run the display mac-limit command in any view to check whether the MAC address limiting rule has been configured.
<Switch> display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1
Configuration Files
The following lists only the configuration file of Switch.
#
sysname Switch
#
vlan batch 2
#
vlan 2
 mac-limit maximum 100
#
interface GigabitEthernet0/0/1
 port hybrid pvid vlan 2
 port hybrid untagged vlan 2
#
interface GigabitEthernet0/0/2
 port hybrid pvid vlan 2
 port hybrid untagged vlan 2
#
return
8.5.7 Example for Configuring MAC Address Anti-flapping
Networking Requirements
Employees of an enterprise need to access the enterprise server. If an attacker sends packets with the server's MAC address as the source MAC address to another interface, the switch learns the server MAC address on that interface, and packets destined for the server are forwarded to the unauthorized user. Employees can then no longer reach the server, and important data can be intercepted by the attacker. As shown in Figure 8-5-7, MAC address anti-flapping can be configured to protect the server from such attacks.
Figure 8-5-7 Networking diagram of MAC address anti-flapping
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2 forwarding.
2. Configure MAC address anti-flapping on the server-side interface.
Procedure
1. Create a VLAN and add the interfaces to the VLAN.
# Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 10
2. Configure MAC address anti-flapping on the server-side interface.
# Set the MAC address learning priority of GigabitEthernet0/0/1 to 2.
[Switch-GigabitEthernet0/0/1] mac-learning priority 2
[Switch-GigabitEthernet0/0/1] quit
3. Verify the configuration.
# Run the display current-configuration command in any view to check whether the MAC address learning priority of the interface is set correctly.
[Switch] display current-configuration interface gigabitethernet 0/0/1
#
interface GigabitEthernet0/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
 mac-learning priority 2
#
return
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet0/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
 mac-learning priority 2
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 10
#
return
8.5.8 Example for Configuring MAC Address Flapping Detection
Networking Requirements
As shown in Figure 8-5-8, a loop occurs on a user network because the network cables between two LSWs are incorrectly connected. The loop causes MAC address flapping and bridge table flapping. You can enable MAC address flapping detection on the Switch to detect MAC address flapping and so discover the loop.
Figure 8-5-8 Networking diagram of MAC address flapping detection
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable MAC address flapping detection.
2. Set the aging time of flapping MAC addresses.
3. Configure the action performed on the interface when MAC address flapping is detected on the interface, to prevent loops.
Procedure
2. Set the aging time of flapping MAC addresses.
[Switch] mac-address flapping aging-time 500
3. Shut down GE0/0/1 and GE0/0/2 when MAC address flapping is detected.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] mac-address flapping action error-down
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] mac-address flapping action error-down
[Switch-GigabitEthernet0/0/2] quit
4. Configure automatic recovery and set the automatic recovery time for the shut-down interface.
[Switch] error-down auto-recovery cause mac-address-flapping interval 500
5. Verify the configuration.
After the configuration is complete, when the MAC address on GE0/0/1 flaps to GE0/0/2, GE0/0/2 is shut down. Run the display mac-address flapping record command to view the flapping records.
[Switch] display mac-address flapping record
 S : start time
 E : end time
 (Q) : quit vlan
 (D) : error down
-------------------------------------------------------------------------------
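The learning-priority rule from 8.5.7 and the flapping detection with the error-down action from 8.5.8 can be illustrated together with a small MAC address table simulation. The following Python block is an added example written for this material, not switch software or Huawei code. Its learning events, the detection parameters (five moves of one MAC address within a 10-second window) and the interface names are constructed assumptions; the error-down action is modelled as the table no longer learning from the shut-down interface, and automatic recovery is not modelled.

```python
from collections import defaultdict, deque


class MacTable:
    """Toy MAC address table with learning priority and flapping detection.

    Illustrative model written for this material, not the switch implementation.
    Assumed parameters: an entry "flaps" when it moves between interfaces
    FLAP_THRESHOLD times within WINDOW_S seconds.
    """

    FLAP_THRESHOLD = 5      # assumed detection threshold (moves per window)
    WINDOW_S = 10.0         # assumed detection window in seconds

    def __init__(self, learning_priority=None):
        # interface -> learning priority; interfaces not listed default to 0
        # ("mac-learning priority 2" on GE0/0/1 in 8.5.7 maps to {"GE0/0/1": 2})
        self.priority = dict(learning_priority or {})
        self.entries = {}                 # (vlan, mac) -> interface
        self.moves = defaultdict(deque)   # (vlan, mac) -> timestamps of moves
        self.flapping = []                # detected flapping records
        self.error_down = set()           # interfaces shut down by the action

    def learn(self, t, vlan, mac, iface):
        """Process one source-MAC learning event; return what the table did."""
        if iface in self.error_down:
            return "dropped"              # error-down interface: frame not learned
        key = (vlan, mac)
        current = self.entries.get(key)
        if current is None:
            self.entries[key] = iface
            return "learned"
        if current == iface:
            return "refreshed"
        # Anti-flapping: an interface with a lower learning priority cannot
        # overwrite an entry learned on a higher-priority interface.
        if self.priority.get(iface, 0) < self.priority.get(current, 0):
            return "rejected"
        # The entry moves; record the move and look for flapping in the window.
        self.entries[key] = iface
        window = self.moves[key]
        window.append(t)
        while window and t - window[0] > self.WINDOW_S:
            window.popleft()
        if len(window) >= self.FLAP_THRESHOLD:
            self.flapping.append({"vlan": vlan, "mac": mac,
                                  "from": current, "to": iface, "time": t})
            self.error_down.add(iface)    # "mac-address flapping action error-down"
            window.clear()
            return "flapping"
        return "moved"


# Constructed sample learning events (time in s, VLAN, MAC, interface): a loop
# makes the server MAC appear alternately on GE0/0/1 and GE0/0/2.
SAMPLE_EVENTS = [
    (0.0, 10, "0001-0001-0001", "GE0/0/1"),
    (0.1, 10, "0002-0002-0002", "GE0/0/3"),   # ordinary host, never moves
] + [
    (0.5 * i, 10, "0001-0001-0001", "GE0/0/2" if i % 2 else "GE0/0/1")
    for i in range(1, 10)
]


def run(events, learning_priority=None):
    """Replay events through a fresh table; return the table and per-event results."""
    table = MacTable(learning_priority)
    results = [table.learn(*event) for event in sorted(events)]
    return table, results


if __name__ == "__main__":
    for label, prio in (("no anti-flapping", None), ("GE0/0/1 priority 2", {"GE0/0/1": 2})):
        table, results = run(SAMPLE_EVENTS, prio)
        print(f"{label}: {results}")
        print(f"  error-down: {sorted(table.error_down)}  flapping: {table.flapping}")
```

Replaying the same events with and without a learning priority shows the difference between the two features: without anti-flapping the looped segment moves the server MAC between GE0/0/1 and GE0/0/2 until the detector shuts GE0/0/2 down, whereas with mac-learning priority 2 on GE0/0/1 every attempt to relearn the address on the lower-priority interface is rejected and no flapping occurs at all.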
8.5.9 Example for Configuring Link Aggregation in Manual Load Balancing Mode
Networking Requirements
As shown in Figure 8-5-9, RouterA and RouterB connect to devices in VLAN 10 and VLAN 20 through Ethernet links, and heavy traffic is transmitted between RouterA and RouterB. RouterA and RouterB must provide higher link bandwidth for inter-VLAN communication, and the reliability of data transmission must be ensured.
Figure 8-5-9 Networking diagram for configuring link aggregation in manual load balancing mode
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk and add member interfaces to the Eth-Trunk to increase link bandwidth.
2. Create VLANs and add interfaces to the VLANs.
3. Set the load balancing mode to ensure that traffic is load balanced between member interfaces of the Eth-Trunk.
Procedure
1. Create an Eth-Trunk on RouterA and add member interfaces to the Eth-Trunk. The configuration of RouterB is similar to that of RouterA and is not shown here.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface Eth-Trunk1
[RouterA-Eth-Trunk1] trunkport ethernet 1/0/1 to 1/0/3
[RouterA-Eth-Trunk1] quit
2. Create VLANs and add interfaces to the VLANs. The configuration of RouterB is similar to that of RouterA and is not shown here.
# Create VLAN 10 and VLAN 20, and add interfaces to VLAN 10 and VLAN 20.
[RouterA] vlan batch 10 20
[RouterA] interface ethernet 1/0/4
[RouterA-Ethernet1/0/4] port link-type trunk
[RouterA-Ethernet1/0/4] port trunk allow-pass vlan 10
[RouterA-Ethernet1/0/4] quit
[RouterA] interface ethernet 1/0/5
[RouterA-Ethernet1/0/5] port link-type trunk
[RouterA-Ethernet1/0/5] port trunk allow-pass vlan 20
[RouterA-Ethernet1/0/5] quit
# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass through.
[RouterA] interface Eth-Trunk1
[RouterA-Eth-Trunk1] port link-type trunk
[RouterA-Eth-Trunk1] port trunk allow-pass vlan 10 20
3. Set the load balancing mode of Eth-Trunk 1. The configuration of RouterB is similar to that of RouterA and is not shown here.
[RouterA-Eth-Trunk1] load-balance src-dst-mac
[RouterA-Eth-Trunk1] quit
4. Verify the configuration.
Run the display eth-trunk 1 command in any view to check whether the Eth-Trunk has been created and whether the member interfaces have been added.
[RouterA] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL
The preceding command output shows that Eth-Trunk 1 has three member interfaces: Ethernet1/0/1, Ethernet1/0/2, and Ethernet1/0/3. All three member interfaces are in Up state.
 eth-trunk 1
#
interface Ethernet1/0/4
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface Ethernet1/0/5
 port link-type trunk
 port trunk allow-pass vlan 10
#
return
8.5.10 Example for Configuring Link Aggregation in LACP Mode
Networking Requirements
To increase the bandwidth and improve the connection reliability, you can configure a link aggregation group on two directly connected Routers, as shown in Figure 8-5-10. The requirements are as follows:
The link aggregation group contains three member links. Two links function as active links to implement load balancing, and the other link functions as the backup link.
When a fault occurs on an active link, the backup link replaces the faulty one to help ensure uninterrupted data transmission.
Figure 8-5-10 Network diagram of link aggregation in LACP mode
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk on each Router and configure the Eth-Trunk to work in LACP mode.
2. Add member interfaces to the Eth-Trunk.
3. Set the system priority and determine the Actor.
4. Set the maximum number of active interfaces in the Eth-Trunk.
5. Set the priority of the interfaces and determine the active links.
Procedure
1. Create Eth-Trunk 1 and configure the Eth-Trunk to work in LACP mode.
# Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface eth-trunk 1
[RouterA-Eth-Trunk1] mode lacp-static
[RouterA-Eth-Trunk1] quit
# Configure RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface eth-trunk 1
[RouterB-Eth-Trunk1] mode lacp-static
[RouterB-Eth-Trunk1] quit
3. Set the system priority on RouterA to 100 so that RouterA becomes the Actor.
[RouterA] lacp priority 100
4. Set the maximum number of active interfaces in the Eth-Trunk on RouterA to 2.
[RouterA] interface eth-trunk 1
[RouterA-Eth-Trunk1] max active-linknumber 2
[RouterA-Eth-Trunk1] quit
5. Set the priority of the interfaces and determine the active links on RouterA.
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] lacp priority 100
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] lacp priority 100
[RouterA-Ethernet2/0/2] quit
6. Verify the configuration.
# Check information about the Eth-Trunk on the Routers and check whether negotiation on the links has succeeded.
[RouterA] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1
11111100
Ethernet2/0/2 11111100
Ethernet2/0/3 11110000
The preceding information shows that the system priority of RouterA is 100, which is higher than the system priority of RouterB. Member interfaces Ethernet2/0/1 and Ethernet2/0/2 are active interfaces and are in Selected state. Interface Ethernet2/0/3 is in Unselect state. This shows that load balancing and redundancy are both implemented.
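The Actor election and the Selected/Unselect decision reported in the output above can be reproduced with a short Python model. This is an added example written for this material and not Huawei code; the system MAC addresses and port numbers are constructed, and the model applies the LACP rules the text relies on: the lower system priority value (with the system MAC as tie-breaker) wins the Actor role, and the Actor's port priority, then port number, selects up to max active-linknumber links among those that are up, the rest remaining as backups.

```python
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class LacpSystem:
    """One end of the LAG; a lower system_priority value means higher priority."""
    name: str
    system_priority: int = 32768        # default; "lacp priority 100" lowers it
    system_mac: str = "0000-0000-0000"  # constructed value, used only as tie-breaker


@dataclass(frozen=True)
class MemberPort:
    name: str
    port_number: int
    port_priority: int = 32768          # per-interface "lacp priority"; lower wins
    up: bool = True


def select_actor(local: LacpSystem, peer: LacpSystem) -> LacpSystem:
    """The end with the lower (system priority, system MAC) pair becomes the Actor."""
    local_key = (local.system_priority, local.system_mac)
    peer_key = (peer.system_priority, peer.system_mac)
    return local if local_key <= peer_key else peer


def select_active_links(ports: List[MemberPort], max_active: int) -> Dict[str, str]:
    """Rank up links by (port priority, port number) and select the first max_active.

    The remaining links stay in the LAG as backups ("Unselect"); when a selected
    link goes down, the next link in the same order takes its place.
    """
    ranked = sorted((p for p in ports if p.up),
                    key=lambda p: (p.port_priority, p.port_number))
    selected = {p.name for p in ranked[:max_active]}
    return {p.name: ("Selected" if p.name in selected else "Unselect") for p in ports}


def negotiate(local, peer, actor_ports, max_active):
    """Return (Actor name, per-port state); actor_ports/max_active are the Actor's settings."""
    actor = select_actor(local, peer)
    return actor.name, select_active_links(actor_ports, max_active)


def fail_link(ports: List[MemberPort], name: str) -> List[MemberPort]:
    """Copy of the port list with one link marked down."""
    return [replace(p, up=False) if p.name == name else p for p in ports]


# Constructed data mirroring 8.5.10: RouterA sets "lacp priority 100" globally
# and on Ethernet2/0/1 and 2/0/2 with "max active-linknumber 2"; RouterB keeps
# the defaults. The system MACs are made up for the example.
ROUTER_A = LacpSystem("RouterA", system_priority=100, system_mac="00e0-fc00-000a")
ROUTER_B = LacpSystem("RouterB", system_mac="00e0-fc00-000b")
ROUTER_A_PORTS = [
    MemberPort("Ethernet2/0/1", 1, port_priority=100),
    MemberPort("Ethernet2/0/2", 2, port_priority=100),
    MemberPort("Ethernet2/0/3", 3),
]
MAX_ACTIVE = 2

if __name__ == "__main__":
    actor, state = negotiate(ROUTER_A, ROUTER_B, ROUTER_A_PORTS, MAX_ACTIVE)
    print("Actor:", actor, state)
    _, after = negotiate(ROUTER_A, ROUTER_B, fail_link(ROUTER_A_PORTS, "Ethernet2/0/1"), MAX_ACTIVE)
    print("After Ethernet2/0/1 fails:", after)
```

Running the model with the example's values yields RouterA as Actor with Ethernet2/0/1 and Ethernet2/0/2 Selected and Ethernet2/0/3 Unselect, which is what the display eth-trunk output reports; failing Ethernet2/0/1 promotes the backup link Ethernet2/0/3 to Selected without any configuration change, which is the redundancy behaviour the networking requirements ask for.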
8.5.11 Example for Configuring an Inter-Chassis Eth-Trunk Interface to Forward Traffic Preferentially Through Local Member Interfaces (Stack)
Networking Requirements
NOTE: The S5700S-LI and S5710HI do not support this configuration.
On the network shown in Figure 8-5-11, Switch 3 and Switch 4 are connected through CSS cables to increase the total capacity; the two switches are considered one logical switch. To improve reliability, physical interfaces on the two switches are added to an Eth-Trunk interface. When the network runs properly, check the member interface information on PE: traffic from VLAN 2 is forwarded through GE1/0/1 and GE1/0/2, and traffic from VLAN 3 is also forwarded through GE1/0/1 and GE1/0/2. This uses the bandwidth between the member switches inefficiently and reduces traffic forwarding efficiency. To improve traffic forwarding efficiency, traffic from VLAN 2 should be forwarded through GE1/0/1 and traffic from VLAN 3 through GE1/0/2. To achieve this, configure the Eth-Trunk interface to forward traffic preferentially through the local member interface.
Figure 8-5-11 Preferentially forwarding traffic through the local member interface
Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk interface.
2. Add member interfaces to the Eth-Trunk interface.
NOTE: An interface is added to VLAN 1 by default. To avoid a broadcast storm, shut down the interface or remove it from VLAN 1 before adding it to an Eth-Trunk interface.
3. Configure the Eth-Trunk interface to forward traffic preferentially through the local member interface.
4. Configure the Layer 2 forwarding function.
Procedure
1. Create an Eth-Trunk interface and configure it to allow packets from all VLANs to pass through.
# Configure the CSS.
<HUAWEI> system-view
[HUAWEI] sysname CSS
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] port trunk allow-pass vlan all
[CSS-Eth-Trunk10] quit
# Configure the PE.
<HUAWEI> system-view
[HUAWEI] sysname PE
[PE] interface eth-trunk 10
[PE-Eth-Trunk10] port link-type trunk
[PE-Eth-Trunk10] port trunk allow-pass vlan all
[PE-Eth-Trunk10] quit
NOTE: By default, an Eth-Trunk is enabled to preferentially forward local traffic. If you run the local-preference enable command, the message "Error: The local preferential forwarding mode has been configured." is displayed.
4. Configure the Layer 2 forwarding function.
# Configure the CSS.
[CSS] vlan batch 2 3
[CSS] interface gigabitethernet 1/0/3
[CSS-GigabitEthernet1/0/3] port link-type trunk
[CSS-GigabitEthernet1/0/3] port trunk allow-pass vlan 2
[CSS-GigabitEthernet1/0/3] quit
[CSS] interface gigabitethernet 2/0/3
[CSS-GigabitEthernet2/0/3] port link-type trunk
[CSS-GigabitEthernet2/0/3] port trunk allow-pass vlan 3
[CSS-GigabitEthernet2/0/3] quit
# Configure Switch 1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 2
[Switch1-vlan2] quit
[Switch1] interface gigabitethernet 0/0/1
[Switch1-GigabitEthernet0/0/1] port link-type trunk
[Switch1-GigabitEthernet0/0/1] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet0/0/1] quit
[Switch1] interface gigabitethernet 0/0/2
[Switch1-GigabitEthernet0/0/2] port link-type trunk
[Switch1-GigabitEthernet0/0/2] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet0/0/2] quit
# Configure Switch 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 3
[Switch2-vlan3] quit
[Switch2] interface gigabitethernet 0/0/1
[Switch2-GigabitEthernet0/0/1] port link-type trunk
[Switch2-GigabitEthernet0/0/1] port trunk allow-pass vlan 3
[Switch2-GigabitEthernet0/0/1] quit
[Switch2] interface gigabitethernet 0/0/2
[Switch2-GigabitEthernet0/0/2] port link-type trunk
[Switch2-GigabitEthernet0/0/2] port trunk allow-pass vlan 3
[Switch2-GigabitEthernet0/0/2] quit
5. Verify the configuration.
Run the display trunkmembership eth-trunk command in any view to check information about the Eth-Trunk member interfaces. The output on the CSS is used as an example.
[CSS] display trunkmembership eth-trunk 10
Trunk ID: 10
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 2
Operate status: up
Interface GigabitEthernet1/0/4, valid, operate up, weight=1
Interface GigabitEthernet2/0/4, valid, operate up, weight=1
Configuration Files
Configuration file of the CSS
#
sysname CSS
#
vlan batch 2 3
#
interface Eth-Trunk10
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk allow-pass vlan 2
#
interface GigabitEthernet2/0/3
 port link-type trunk
Configuration file of the PE
#
sysname PE
#
interface Eth-Trunk10
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/0/1
 eth-trunk 10
#
interface GigabitEthernet1/0/2
 eth-trunk 10
#
return
Configuration file of Switch 1
#
sysname Switch1
#
vlan batch 2
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2
#
return
Configuration file of Switch 2
#
sysname Switch2
#
vlan batch 3
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 3
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 3
#
return
8.5.12 Example for Configuring GVRP
Networking Requirements
As shown in Figure 8-5-12, company A, a branch of company A, and company B are connected using switches. To implement dynamic VLAN registration, enable GVRP. The branch of company A communicates with the headquarters through RouterA and RouterB. Company B communicates with company A through RouterB and RouterC. Interfaces connected to company A allow only the VLAN to which company B belongs to pass.
Figure 8-5-12 Networking diagram of GVRP configuration
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable GVRP to implement dynamic VLAN registration.
2. Configure GVRP on all switching devices of company A and set the registration mode of the interfaces to normal to simplify configuration.
3. Configure GVRP on all switching devices of company B and set the registration mode of the interfaces connecting to company A to fixed, so that only the VLAN to which company B belongs is allowed to pass.
Procedure
1. Create VLAN 101 to VLAN 200 on RouterA.
<RouterA> system-view
[RouterA] vlan batch 101 to 200
2. Configure GVRP on RouterA.
# Enable GVRP globally.
[RouterA] gvrp
# Set the link type of Eth 2/0/1 and Eth 2/0/2 to trunk, and configure the interfaces to allow all VLANs to pass through.
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type trunk
[RouterA-Ethernet2/0/1] port trunk allow-pass vlan all
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] port link-type trunk
[RouterA-Ethernet2/0/2] port trunk allow-pass vlan all
[RouterA-Ethernet2/0/2] quit
# Enable GVRP on the interfaces and set their registration modes.
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] gvrp
[RouterA-Ethernet2/0/1] gvrp registration normal
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] gvrp
[RouterA-Ethernet2/0/2] gvrp registration normal
[RouterA-Ethernet2/0/2] quit
The configuration of RouterB is similar to that of RouterA.
3. Configure RouterC.
# Create VLAN 101 to VLAN 200.
<RouterC> system-view
[RouterC] vlan batch 101 to 200
# Enable GVRP globally.
[RouterC] gvrp
# Set the link type of Eth 2/0/1 and Eth 2/0/2 to trunk, and configure the interfaces to allow all VLANs to pass through.
[RouterC] interface ethernet 2/0/1
[RouterC-Ethernet2/0/1] port link-type trunk
[RouterC-Ethernet2/0/1] port trunk allow-pass vlan all
[RouterC-Ethernet2/0/1] quit
[RouterC] interface ethernet 2/0/2
[RouterC-Ethernet2/0/2] port link-type trunk
[RouterC-Ethernet2/0/2] port trunk allow-pass vlan all
[RouterC-Ethernet2/0/2] quit
# Enable GVRP on the interfaces and set their registration modes.
[RouterC] interface ethernet 2/0/1
[RouterC-Ethernet2/0/1] gvrp
[RouterC-Ethernet2/0/1] gvrp registration fixed
[RouterC-Ethernet2/0/1] quit
[RouterC] interface ethernet 2/0/2
[RouterC-Ethernet2/0/2] gvrp
[RouterC-Ethernet2/0/2] gvrp registration normal
[RouterC-Ethernet2/0/2] quit
4. Verify the configuration.
After the configuration is complete, the branch of Company A can communicate with the headquarters, and users of Company A in VLAN 101 to VLAN 200 can communicate with users in Company B.
Run the display gvrp status command on RouterA to check whether GVRP is enabled globally. The following information is displayed:
[RouterA] display gvrp status
Info: GVRP is enabled.
Run the display gvrp statistics command on RouterA to view GVRP statistics, including the GVRP state of each interface, the number of GVRP registration failures, the source MAC address of the last GVRP PDU, and the registration mode of each interface.
[RouterA] display gvrp statistics interface ethernet 2/0/1
 GVRP statistics on port Ethernet2/0/1
 GVRP status                : Enabled
 GVRP registrations failed  : 0
 GVRP last PDU origin       : 0001-0001-0001
 GVRP registration type     : Normal
Verify the configurations of RouterB and RouterC in the same way.
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
vlan batch 101 to 200
#
gvrp
#
interface ethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 gvrp
#
interface ethernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 gvrp
#
return
Configuration file of RouterB
#
sysname RouterB
#
gvrp
#
interface ethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 gvrp
#
interface ethernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 gvrp
#
return
Configuration file of RouterC
#
sysname RouterC
#
vlan batch 101 to 200
#
gvrp
#
interface ethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 gvrp
 gvrp registration fixed
#
interface ethernet2/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 4094
 gvrp
#
return
Chapter 9 Layer 2 WAN Technologies
9.1 PPP
9.1.1 PPP Overview
Point-to-Point Protocol (PPP) is a link-layer protocol used to transmit point-to-point data over full-duplex synchronous and asynchronous links.
PPP is built upon the Serial Line Internet Protocol (SLIP). SLIP supports only asynchronous transmission, carries only IP packets, and has no negotiation mechanism. Because of these limitations, SLIP is gradually being replaced by PPP. PPP has the following advantages:
PPP supports both synchronous and asynchronous links, whereas other data link-layer protocols such as X.25 and Frame Relay (FR) support only synchronous links and SLIP supports only asynchronous links.
PPP features high extensibility. For example, PPP is extended as Point-to-Point Protocol over Ethernet (PPPoE) when PPP packets need to be transmitted over an Ethernet.
PPP uses Link Control Protocol (LCP) to negotiate link-layer attributes.
PPP uses the Network Control Protocol (NCP) such as the IP Control Protocol (IPCP) and Internetwork Packet Exchange Control Protocol (IPXCP) to negotiate network-layer parameters.
PPP provides the Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP) to ensure network security.
PPP has no retransmission mechanism, reducing the network cost and speeding up packet transmission.
9.1.2 Basic PPP Architecture
PPP is used at the data link layer of the TCP/IP protocol suite for point-to-point data transmission over full-duplex synchronous and asynchronous links.
Figure 9-1-1 Location of PPP in the protocol suite
PPP consists of three types of protocols:
LCP: is used to establish, monitor, and tear down PPP data links.
NCP: is used to negotiate the format and type of packets transmitted on data links.
CHAP and PAP: are used for network security authentication.
9.1.3 PPP-Encapsulated Packet Format
Figure 9-1-2 shows the PPP packet format.
Figure 9-1-2 PPP packet format
The meanings of the fields are as follows:
Flag field: The Flag field identifies the start and end of a physical frame and is always 0x7E.
Address field: The Address field identifies a peer. Two communicating devices connected by PPP do not need to know each other's data link layer address because PPP runs on point-to-point links. This field must be filled with the broadcast address of all 1s (0xFF) and carries no further significance in PPP.
Control field: The Control field defaults to 0x03, indicating an unsequenced frame. By default, PPP does not use sequence numbers or acknowledgement mechanisms to ensure transmission reliability. Together, the Address and Control fields identify a PPP packet, so the PPP packet header value is FF03.
Protocol field: The Protocol field identifies the datagram encapsulated in the Information field of a PPP data packet. The structure of this field complies with the ISO 3309 extension mechanism for address fields. All Protocol field values must be odd: the least significant bit of the least significant byte must be 1, and the least significant bit of the most significant byte must be 0. If a receiver receives a packet whose Protocol field does not comply with these rules, it considers the packet unrecognizable and sends a Protocol-Reject packet containing the protocol code of the rejected packet back to the sender.
Table 9-1-1 Common protocol codes
Protocol Code    Protocol Type
0021             Internet Protocol
002b             Novell IPX
002d             Van Jacobson Compressed TCP/IP
002f             Van Jacobson Uncompressed TCP/IP
8021             Internet Protocol Control Protocol
802b             Novell IPX Control Protocol
8031             Bridging NCP
C021             Link Control Protocol
C023             Password Authentication Protocol
C223             Challenge Handshake Authentication Protocol
Information field: The Information field contains the datagram for the protocol specified in the Protocol field. The maximum length of the Information field, including the Padding field, is the maximum receive unit (MRU). The MRU defaults to 1500 bytes and can be negotiated. The Padding field within the Information field is optional; if padding is present, the two communicating parties must be able to distinguish the padding from the information actually being transmitted.
FCS field: The frame check sequence (FCS) field is used to check whether a PPP packet was transmitted correctly. The mechanisms used to ensure correct packet transmission add cost and delay to data exchange at the application layer.
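As an added example written for this material (not Huawei code), the following Python block builds and parses a PPP frame in the format described above: it checks the 0x7E flags and the FF03 header, applies the ISO 3309 oddness rule to the Protocol field (returning a protocol-reject indication instead of raising, since the text says the receiver answers with Protocol-Reject), looks the code up in Table 9-1-1 and verifies the 16-bit FCS. The FCS is the CRC-16 of RFC 1662 (reflected polynomial 0x8408, initial value 0xFFFF, check constant 0xF0B8); byte stuffing of 0x7E/0x7D, which the text does not cover, is left out, and the sample payload is a constructed IPv4-header-like byte string.

```python
PPP_FLAG = 0x7E
PPP_ADDRESS = 0xFF       # "all ones" broadcast address
PPP_CONTROL = 0x03       # unsequenced information frame
FCS_INIT = 0xFFFF
FCS_GOOD = 0xF0B8        # RFC 1662: FCS over Address..FCS of a valid frame

# Table 9-1-1 as a lookup; keys are the 16-bit Protocol field values.
PROTOCOLS = {
    0x0021: "Internet Protocol",
    0x002B: "Novell IPX",
    0x002D: "Van Jacobson Compressed TCP/IP",
    0x002F: "Van Jacobson Uncompressed TCP/IP",
    0x8021: "Internet Protocol Control Protocol",
    0x802B: "Novell IPX Control Protocol",
    0x8031: "Bridging NCP",
    0xC021: "Link Control Protocol",
    0xC023: "Password Authentication Protocol",
    0xC223: "Challenge Handshake Authentication Protocol",
}


def _build_fcs_table():
    """Reflected CRC-16 table for polyn. 0x8408 (RFC 1662 PPP FCS-16)."""
    table = []
    for byte in range(256):
        value = byte
        for _ in range(8):
            value = (value >> 1) ^ 0x8408 if value & 1 else value >> 1
        table.append(value)
    return table


FCS_TABLE = _build_fcs_table()


def ppp_fcs16(data, fcs=FCS_INIT):
    """Run the FCS over data; start from FCS_INIT for a fresh computation."""
    for byte in data:
        fcs = (fcs >> 8) ^ FCS_TABLE[(fcs ^ byte) & 0xFF]
    return fcs


def protocol_field_is_valid(proto):
    """ISO 3309 rule: low byte must be odd, high byte must be even."""
    low, high = proto & 0xFF, (proto >> 8) & 0xFF
    return (low & 1) == 1 and (high & 1) == 0


def build_frame(proto, information, check_protocol=True):
    """Encapsulate `information` in a PPP frame (no byte stuffing)."""
    if check_protocol and not protocol_field_is_valid(proto):
        raise ValueError(f"protocol code {proto:#06x} violates the ISO 3309 rule")
    body = bytes([PPP_ADDRESS, PPP_CONTROL]) + proto.to_bytes(2, "big") + information
    fcs = ppp_fcs16(body) ^ 0xFFFF                 # one's complement is transmitted
    return bytes([PPP_FLAG]) + body + fcs.to_bytes(2, "little") + bytes([PPP_FLAG])


def parse_frame(frame):
    """Validate a PPP frame and describe it; raise ValueError on framing/FCS errors."""
    if len(frame) < 8 or frame[0] != PPP_FLAG or frame[-1] != PPP_FLAG:
        raise ValueError("missing 0x7E flag or frame too short")
    body = frame[1:-1]                             # Address .. FCS
    if ppp_fcs16(body) != FCS_GOOD:
        raise ValueError("FCS check failed: frame corrupted in transit")
    if body[0] != PPP_ADDRESS or body[1] != PPP_CONTROL:
        raise ValueError("header is not FF03")
    proto = int.from_bytes(body[2:4], "big")
    if not protocol_field_is_valid(proto):
        # The receiver cannot interpret the field; it would answer Protocol-Reject.
        return {"status": "protocol-reject", "protocol": proto}
    return {
        "status": "ok",
        "protocol": proto,
        "name": PROTOCOLS.get(proto, "unknown"),
        "information": body[4:-2],
    }


def frame_is_intact(frame):
    """True if the frame passes framing and FCS checks."""
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


# Constructed sample payload: 20 bytes shaped like a minimal IPv4 header.
SAMPLE_IP = bytes.fromhex("4500001400010000400100000a0000010a000002")

if __name__ == "__main__":
    frame = build_frame(0x0021, SAMPLE_IP)
    print(frame.hex(), parse_frame(frame))
```

Flipping a single bit anywhere between the flags makes parse_frame raise on the FCS check before the Protocol field is even examined, which is the order a receiver follows: transmission errors are rejected at the FCS, and only a well-formed frame with an invalid Protocol field draws a Protocol-Reject.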
9.1.4 PPP Link Establishment Process
The following figure shows the PPP link establishment process.
Figure 9-1-3 PPP link establishment process
The PPP link establishment process is as follows:
1. Two communicating devices enter the Establish phase when one of them initiates a PPP connection request.
2. In the Establish phase, the two devices perform an LCP negotiation to negotiate the following items: working mode (SP or MP, where SP is short for single-link PPP), MRU (Maximum Receive Unit), authentication mode, and magic number. If the LCP negotiation succeeds, LCP enters the Opened state, which indicates that a lower-layer link has been established.
3. If authentication is configured, the two devices enter the Authenticate phase and perform CHAP or PAP authentication. If no authentication is configured, the two devices enter the Network phase directly.
4. In the Authenticate phase, if CHAP or PAP authentication fails, the devices enter the Terminate phase, the link is removed, and LCP goes Down. If CHAP or PAP authentication succeeds, the devices enter the Network phase and LCP remains Opened.
5. In the Network phase, the two devices perform an NCP negotiation to select and configure a network protocol and to negotiate network-layer parameters. Once the two devices have negotiated a network protocol, packets of that protocol can be sent over the PPP link. Various control protocols such as IPCP and the Multiprotocol Label Switching Control Protocol (MPLSCP) can be used in NCP negotiation; IPCP mainly negotiates the IP addresses of the two devices.
6. After NCP negotiation succeeds, packets can be sent over the PPP link. If the PPP connection is interrupted during operation, for example because the physical link is disconnected, PPP authentication fails, or the negotiation timer expires, the two devices enter the Terminate phase.
7. In the Terminate phase, the two devices enter the Dead phase after all resources are released. They remain in the Dead phase until a new PPP connection is established between them.
The following describes the phases involved in PPP negotiation.
Dead Phase
The physical layer is unavailable during the Dead phase. A PPP link begins and ends with this phase. When the two communicating devices detect that the physical link between them is activated (for example, carrier signals are detected on the physical link), PPP enters the Establish phase from the Dead phase. After the link is terminated, PPP returns to the Dead phase.
Establish Phase
In the Establish phase, the two devices perform an LCP negotiation to negotiate the following items: working mode (SP or MP), MRU, authentication mode, and magic number. After the LCP negotiation is complete, PPP enters the next phase. In the Establish phase, the LCP status changes as follows:
When the link is unavailable (in the Dead phase), LCP is in the Initial or Starting state. When it detects that the link is available, the physical layer sends an Up event to the link layer. After receiving the Up event, the link layer changes the LCP status to Request-Sent. The devices at both ends then send Configure-Request packets to configure the data link.
If the local device first receives a Configure-Ack packet from the peer, the LCP status changes from Request-Sent to Ack-Received. After the local device then sends a Configure-Ack packet to the peer, the LCP status changes from Ack-Received to Opened.
If the local device first sends a Configure-Ack packet to the peer, the LCP status changes from Request-Sent to Ack-Sent. After the local device then receives a Configure-Ack packet from the peer, the LCP status changes from Ack-Sent to Opened.
After LCP enters the Opened state, PPP enters the next phase.
The next phase is the Authentication or Network phase, depending on whether authentication is required.
Authentication Phase
The Authentication phase is optional. By default, PPP does not perform authentication during PPP link establishment. If authentication is required, the authentication protocol must be specified in the Establish phase. PPP authentication is performed on links between hosts and devices that are connected through PPP network servers, switched circuits or dial-up lines, or on dedicated links. PPP provides two password authentication modes: PAP authentication and CHAP authentication. Two CHAP authentication modes are available: unidirectional CHAP authentication and bidirectional CHAP authentication. In unidirectional CHAP authentication, the device on one end functions as the authenticating device, and the device on the other end functions as the authenticated device. In
Huawei Confidential
Page 406 of 1210
HCIE-R&S Material
Confidentiality Level
bidirectional CHAP authentication, each device functions as both the authenticating device and authenticated device. In practice, only unidirectional CHAP authentication is used.
Network Phase
In the Network phase, NCP negotiation is performed to select and configure a network protocol and to negotiate network-layer parameters. Each NCP may be in Opened or Closed state at any time. After an NCP enters the Opened state, network-layer data can be transmitted over the PPP link.
Termination Phase
PPP can terminate a link at any time. A link can be terminated manually by an administrator, or be terminated due to the loss of carrier, an authentication failure, or other causes.
9.1.5 PAP Authentication Process
PAP is a two-way handshake authentication protocol that transmits passwords in plain text. Figure 9-1-4 shows the PAP authentication process.
Figure 9-1-4 PAP authentication process
The authenticated device sends the local user name and password to the authenticating device.
The authenticating device checks whether the received user name is in the local user table.
If the received user name is in the local user table, the authenticating device checks whether the received password is correct. If so, the authentication succeeds. If not, the authentication fails.
If the received user name is not in the local user table, the authentication fails.
9.1.6 CHAP Authentication Process
CHAP is a three-way handshake authentication protocol. CHAP transmits only user names but not passwords, so it is more secure than PAP. Figure 9-1-5 shows the CHAP authentication process.
Figure 9-1-5 CHAP authentication process
Unidirectional CHAP authentication is applicable to two scenarios:
The authenticating device is configured with a user name.
The authenticating device is not configured with a user name.
It is recommended that the authenticating device be configured with a user name.
When the authenticating device is configured with a user name:
The authenticating device initiates an authentication request by sending a Challenge packet that carries the local user name to the authenticated device.
After receiving the Challenge packet at an interface, the authenticated device checks whether the ppp chap password command is used on the interface. If this command is used, the authenticated device encrypts the Challenge packet with the packet ID and password configured by the command by using the Message Digest 5 (MD5) algorithm. Then the authenticated device sends a Response packet carrying the generated cipher text and local user name to the authenticating device. If the ppp chap password command is not configured, the authenticated device searches the local user table for the password matching the user name of the authenticating device in the received Challenge packet, and encrypts the Challenge packet with the packet ID and user password by using the MD5 algorithm. Then the authenticated device sends a Response packet carrying the generated cipher text and local user name to the authenticating device.
The authenticating device encrypts the Challenge packet with the saved password of the authenticated device by using the MD5 algorithm. Then the authenticating device compares the generated cipher text with that carried in the received Response packet, and returns a response based on the result of the check.
When the authenticating device is not configured with a user name:
The authenticating device initiates an authentication request by sending a Challenge packet.
After receiving the Challenge packet, the authenticated device encrypts the Challenge packet with the packet ID and password configured by the ppp chap password command by using the Message Digest 5 (MD5) algorithm. Then the authenticated device sends a Response packet carrying the generated cipher text and local user name to the authenticating device.
The authenticating device encrypts the Challenge packet with the saved password of the authenticated device by using the MD5 algorithm. Then the authenticating device compares the generated cipher text with that carried in the received Response packet, and returns a response based on the result of the check.
9.1.7 Comparison Between CHAP and PAP Authentication Processes
In PAP authentication, passwords are sent over links in plain text. After a PPP link is established, the authenticated device repeatedly sends the user name and password until authentication finishes. This mode cannot ensure high security, so it is used on networks that do not require high security.
CHAP is a three-way handshake authentication protocol. In CHAP authentication, the authenticated device sends only the user name to the authenticating device. Compared with PAP, CHAP features higher security because passwords are not transmitted. On networks requiring high security, CHAP authentication is used to establish a PPP connection.
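The three-way handshake of 9.1.6 and the PAP-versus-CHAP point of 9.1.7, as an added Python example that is not code from the page or from Huawei: the Response carries MD5(Identifier || password || Challenge) as specified in RFC 1994, the authenticating device recomputes it from its own stored copy of the password, and the password itself never appears on the link. The device names, user tables, passwords and challenge values are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed names and passwords (not from the page): "routera" is the
# authenticating device and "routerb" the authenticated device.
AUTHENTICATOR_NAME = b"routera"
AUTHENTICATED_NAME = b"routerb"

# Local user table on the authenticating device: peer user name -> password.
AUTHENTICATOR_USER_TABLE: Dict[bytes, bytes] = {AUTHENTICATED_NAME: b"ExamplePass1"}
# Local user table on the authenticated device, consulted only when the
# interface has no 'ppp chap password': authenticator user name -> password.
AUTHENTICATED_USER_TABLE: Dict[bytes, bytes] = {AUTHENTICATOR_NAME: b"ExamplePass1"}


def chap_digest(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(Identifier || secret || Challenge value).

    This is the "cipher text" the page describes: a one-way hash over the
    packet ID, the password and the challenge, not a reversible encryption.
    """
    if not 0 <= identifier <= 0xFF:
        raise ValueError("the CHAP Identifier is an 8-bit field")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def send_challenge(identifier: int, local_name: bytes = AUTHENTICATOR_NAME,
                   size: int = 16) -> Tuple[int, bytes, bytes]:
    """Authenticating device: Challenge = (packet ID, fresh random value, local user name).
    local_name is empty when no user name is configured on the authenticating device."""
    return identifier, os.urandom(size), local_name


def build_response(identifier: int, challenge: bytes, authenticator_name: bytes,
                   interface_password: Optional[bytes]) -> Optional[Tuple[bytes, bytes]]:
    """Authenticated device: Response = (local user name, digest).

    Password selection follows the two cases on the page: the interface's
    'ppp chap password' if configured, otherwise the local user table entry
    for the authenticator's name. Returns None if neither yields a password.
    """
    password = interface_password
    if password is None:
        password = AUTHENTICATED_USER_TABLE.get(authenticator_name)
    if password is None:
        return None
    return AUTHENTICATED_NAME, chap_digest(identifier, password, challenge)


def verify_response(identifier: int, challenge: bytes, peer_name: bytes,
                    digest: bytes) -> bool:
    """Authenticating device: recompute the digest with the stored password for
    peer_name and compare in constant time; unknown names or mismatches fail."""
    password = AUTHENTICATOR_USER_TABLE.get(peer_name)
    if password is None:
        return False
    expected = chap_digest(identifier, password, challenge)
    return hmac.compare_digest(expected, digest)


def run_unidirectional_chap(identifier: int = 1, authenticator_has_name: bool = True,
                            interface_password: Optional[bytes] = None) -> bool:
    """Challenge -> Response -> Success/Failure; returns True on Success."""
    local_name = AUTHENTICATOR_NAME if authenticator_has_name else b""
    ident, challenge, auth_name = send_challenge(identifier, local_name)
    response = build_response(ident, challenge, auth_name, interface_password)
    if response is None:
        return False                     # nothing to answer with: Failure
    peer_name, digest = response
    return verify_response(ident, challenge, peer_name, digest)
```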
9.2 MP
9.2.1 MP Overview
Multilink PPP (MP) is a technique that binds multiple PPP links together to increase bandwidth and ensure link reliability. MP provides the following functions:
Increases bandwidth.
Implements load balancing.
Provides link backup.
Reduces delay using fragments.
9.2.2 MP Implementation
MP can be implemented using a virtual template interface or an MP-Group interface. Table 9-2-1 lists the MP implementation types and principles.
Table 9-2-1 Common protocol codes
Type: Using a virtual template interface
Subtype: Binding PPP links to a virtual template interface
Principle: Multiple physical interfaces are bound to a virtual template interface to implement MP. Authentication is optional. If no authentication is configured, interface binding takes effect after the LCP status of the physical interfaces becomes Up. If authentication is configured, interface binding takes effect only after the physical interfaces are authenticated.
NOTE: A virtual template interface is used to configure a virtual access interface. After multiple PPP links are bundled into an MP link, a virtual access interface needs to be created to exchange data with the peer.
Subtype: Searching for a virtual template interface using the authenticated user name of a PPP link
Principle: The system searches for the bound virtual template interface using the remote user name. Multiple physical interfaces with the same user name are bound to the same virtual template interface and inherit the configuration of the virtual template interface to form an MP bundle. An MP bundle is represented by a channel of the virtual template interface and corresponds to one MP link. This MP binding mode requires PPP authentication. MP binding takes effect only after the physical interfaces are authenticated.
Type: Using an MP-Group interface
Subtype: Binding PPP links to an MP-Group interface
Principle: An MP-Group interface is dedicated to MP applications. MP binding cannot be implemented by specifying the remote user name and endpoint discriminator on an MP-Group interface, and one MP-Group interface cannot be used to form multiple MP bundles. Compared with MP implementation using a virtual template interface, MP implementation using an MP-Group interface is easier to configure.
If a virtual template interface is used to implement MP, multiple MP bundles can be formed and each MP bundle corresponds to one MP link, regardless of how MP binding is implemented. To differentiate MP bundles formed by using a virtual template interface, specify the binding mode using the ppp mp binding-mode command in the virtual template interface view. The command supports three binding modes: authentication, descriptor, and both. The default binding mode is both.
If the MP binding mode is authentication, links with the same remote user name are bound to the same MP bundle.
If the MP binding mode is descriptor, links with the same remote endpoint discriminator obtained through LCP negotiation are bound to the same MP bundle.
If the MP binding mode is both, links with the same remote user name and remote endpoint discriminator are bound to the same MP bundle.
9.2.3 MP Link Establishment and Negotiation Processes
In the MP link establishment process, the Dead and Terminate phases are the same as those in the PPP link establishment process. The differences in other phases are as follows:
In the Establish phase, LCP negotiation is performed to check whether the remote interface also works in MP mode in addition to negotiating LCP parameters. If they work in different working modes, LCP negotiation fails. After LCP becomes Up, the two devices enter the Authentication phase if authentication is configured. After authentication succeeds, the two devices enter the Network phase. If no authentication is configured, the two devices enter the Network phase.
In the Authenticate phase, neither the virtual template interface nor the MP-Group interface supports authentication. Authentication must be configured on a physical interface.
In the Network phase, the local device searches for an MP bundle according to the binding mode. When no MP bundle is found, the local device creates an MP bundle corresponding to an MP link. When an MP bundle is found, a physical interface on the local device is bound to the MP bundle. IPCP negotiation is then performed on the MP bundle. After IPCP negotiation succeeds, packets can be sent over the MP link.
9.2.4 LFI
As more network services emerge and users demand higher network quality, limited bandwidth cannot meet network requirements. As a result, delay and signal loss occur because of congestion. When a network is congested intermittently and delay-sensitive services require higher QoS than services less susceptible to delay, congestion management is required. If congestion persists on the network after congestion management is configured, the bandwidth needs to be increased. Congestion management often uses queue scheduling technologies such as Priority Queuing (PQ) and Weighted Fair Queueing (WFQ) to send packet flows in queues. On low-speed serial links, even if queue scheduling technologies are used to implement congestion management, real-time interactive communication such as Telnet and VoIP is often delayed by the transmission of oversized packets. For example, if a voice packet arrives when an oversized packet is being scheduled, the voice packet can be scheduled only after the oversized packet is transmitted, which deteriorates the voice communication quality. Interactive voice communication requires that the end-to-end delay be less than or equal to 150 ms. If it takes 215 ms to transmit a 1500-byte packet over a 56 kbit/s link, this is unacceptable. To shorten the delay in transmitting packets of a real-time application on low-speed links, a method is required to fragment oversized packets and place the fragments in the same queues as other packets. Link fragmentation and interleaving (LFI) fragments oversized packets. The fragments are then sent together with other packets. In this manner, the delay and jitter on a low-speed link are reduced. The fragmented packets are reassembled at the destination. Figure 9-2-1 shows the LFI process. When oversized packets and small voice packets arrive at an interface simultaneously, the oversized packets are fragmented. If weighted fair queuing (WFQ) is configured on the interface, the voice packets and the fragments are placed into the WFQ queues in interleaving mode. Voice packets are transmitted first because they have a higher priority than the other packets in the queues.
Figure 9-2-1 LFI process
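The serialization-delay arithmetic behind LFI, as an added Python example that is not from the page: it computes the delay for the 1500-byte packet on a 56 kbit/s link cited above, derives the fragment size that fits a delay budget, and runs a small priority scheduler with and without fragmentation to show how long a voice packet waits behind a large packet. The 10 ms budget, the 60-byte voice packet and the arrival times are constructed for the example.

```python
from typing import List, Optional, Tuple

# Arrival: (arrival time in ms, name, size in bytes, priority; 0 is highest).
Arrival = Tuple[float, str, int, int]
Slot = Tuple[str, float, float]   # (name, start ms, end ms) of one transmitted unit


def serialization_delay_ms(size_bytes: int, rate_bps: int) -> float:
    """Time needed to clock size_bytes onto a link of rate_bps."""
    return size_bytes * 8 * 1000 / rate_bps


def fragment_size_for_delay(rate_bps: int, budget_ms: float) -> int:
    """Largest fragment (bytes) whose serialization delay fits the budget."""
    return int(rate_bps * budget_ms / 8000)


def fragment(size_bytes: int, frag_size: int) -> List[int]:
    """Split a packet into fragments of frag_size plus a final remainder."""
    full, rest = divmod(size_bytes, frag_size)
    return [frag_size] * full + ([rest] if rest else [])


def schedule(arrivals: List[Arrival], rate_bps: int,
             frag_size: Optional[int] = None) -> List[Slot]:
    """Priority scheduler on one serial link.

    Without frag_size, packets are transmitted whole. With frag_size, packets
    larger than it are fragmented, so a higher-priority packet that arrives
    while a large packet is in flight is interleaved after the current
    fragment instead of waiting for the whole packet (the LFI behaviour).
    """
    units = []   # (arrival, priority, seq, label, size); seq keeps FIFO order
    seq = 0
    for arrival, name, size, prio in arrivals:
        pieces = fragment(size, frag_size) if frag_size and size > frag_size else [size]
        for i, piece in enumerate(pieces):
            label = name if len(pieces) == 1 else f"{name}[{i}]"
            units.append((arrival, prio, seq, label, piece))
            seq += 1
    done: List[Slot] = []
    now = 0.0
    while units:
        ready = [u for u in units if u[0] <= now]
        if not ready:                        # link idle: jump to the next arrival
            now = min(u[0] for u in units)
            continue
        nxt = min(ready, key=lambda u: (u[1], u[2]))   # priority first, then FIFO
        units.remove(nxt)
        end = now + serialization_delay_ms(nxt[4], rate_bps)
        done.append((nxt[3], now, end))
        now = end
    return done


def first_start(slots: List[Slot], name: str) -> float:
    """Transmission start time of the first unit with the given label."""
    return next(start for label, start, _ in slots if label == name)


# Constructed scenario: a 1500-byte data packet arrives at t=0 on a 56 kbit/s
# link; a 60-byte voice packet (higher priority) arrives 1 ms later.
LINK_BPS = 56_000
ARRIVALS: List[Arrival] = [(0.0, "data", 1500, 1), (1.0, "voice", 60, 0)]
```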
9.3 PPPoE
9.3.1 PPPoE Overview
PPP over Ethernet (PPPoE) is a network protocol that encapsulates Point-to-Point Protocol (PPP) frames into Ethernet frames. PPPoE enables multiple hosts on an Ethernet to connect to a broadband remote access server (BRAS). Carriers want to connect multiple hosts at a site to the same remote access device. The access device is expected to provide access control and accounting for these hosts in a manner similar to dial-up access using PPP. Using PPPoE, carriers can achieve this goal at lower cost because Ethernet is the most cost-effective among all access technologies and PPP implements access control and accounting. PPPoE allows a large number of hosts on an Ethernet to connect to the Internet using a remote access device and controls each host using PPP. PPPoE features a large application scale, high security, and convenient accounting. The PPPoE technology implements practical applications such as Internet access accounting and is widely used by broadband access carriers.
9.3.2 PPPoE Networking
PPPoE uses the client/server model. A PPPoE client sends a connection request to the PPPoE server, and the PPPoE server provides access control and authentication functions for the PPPoE client.
Two PPPoE network structures are available based on the start and end points of PPPoE sessions.
Figure 9-3-1 shows the first PPPoE network structure. In the network, a PPPoE session is established between Router A and Router B. Router A functions as a PPPoE client and forwards data from all hosts to Router B using the PPPoE session. No PPPoE client dialing software is installed on the hosts. The hosts, which are users in an enterprise or company, share one account. As shown in Figure 9-3-1, the PPPoE client is deployed in an enterprise or company, and the PPPoE server is a carrier's device.
Figure 9-3-1 PPPoE networking diagram (1)
Figure 9-3-2 shows the second PPPoE network structure. In the network, a PPPoE session is established between the carrier's router and each host. The router functions as the PPPoE server, and each host functions as a PPPoE client. Each host has a unique account, which facilitates user accounting and control by the carrier. The PPPoE client software must be installed on the hosts.
Figure 9-3-2 PPPoE networking diagram (2)
9.3.3 PPPoE Packet Format
Figure 9-3-3 shows the format of a PPPoE packet, that is, a PPP packet encapsulated in an Ethernet frame.
Figure 9-3-3 Format of a PPPoE packet
Each field is described as follows:
Destination_Address: indicates an Ethernet unicast destination address or Ethernet broadcast address 0xFFFFFFFF.
At the Discovery stage, the value is a unicast destination address or broadcast address. In a Discovery packet sent when a PPPoE client searches for the PPPoE server, the value is a broadcast address. In a Discovery packet sent after the PPPoE client finds the PPPoE server, the value is a unicast destination address.
At the PPPoE Session stage, the value must be the unicast destination address determined at the Discovery stage.
Source_Address: indicates the Ethernet MAC address of the source device.
Ethernet_Type:
The value is 0x8863 at the Discovery stage.
The value is 0x8864 at the PPPoE Session stage.
VER: indicates the PPPoE version number. This field is 4 bits in length and must be set to 0x01.
Type: indicates the PPPoE type. This field is 4 bits in length and must be set to 0x01.
Code: indicates the PPPoE packet type. This field is 8 bits in length.
The value 0x00 indicates session data; the value 0x09 indicates PPPoE Active Discovery Initiation (PADI) packets; the value 0x07 indicates PPPoE Active Discovery Offer (PADO) packets; the value 0x19 indicates PPPoE Active Discovery Request (PADR) packets; the value 0x65 indicates PPPoE Active Discovery Session-confirmation (PADS) packets; the value 0xa7 indicates PPPoE Active Discovery Terminate (PADT) packets. For details about the PPPoE packet structure, see PPPoE Packet Structure.
Session_ID: indicates the session ID. It is an unsigned number in network byte order. This field is 16 bits in length. The value is fixed for a given PPPoE session and defines a PPPoE session along with Ethernet Source_address and Destination_address. The value 0xFFFF is reserved.
Length: indicates the length of the PPPoE payload. This field is 16 bits in length. It does not include the length of the Ethernet or PPPoE packet header.
Tag_Type: indicates the tag type, in network byte order. This field is 16 bits in length.
Tag_Length: indicates the number of bytes of the Tag_Value field. It is an unsigned number in network byte order. This field is 16 bits in length.
Checksum: checks the validity of packets.
9.3.4 PPPoE Session Establishment Process
Figure 9-3-4 shows the process of establishing a PPPoE session.
Figure 9-3-4 PPPoE session establishment process
The PPPoE session establishment process includes three stages: Discovery, Session, and Terminate.
Discovery Stage
The Discovery stage consists of the following steps:
1. A PPPoE client broadcasts a PADI packet that contains service information required by the PPPoE client.
2. After receiving the PADI packet, all PPPoE servers compare the requested service with the services they can provide. The PPPoE servers that can provide the requested service unicast PADO packets to the PPPoE client.
3. Based on the network topology, the PPPoE client may receive PADO packets from more than one PPPoE server. The PPPoE client selects the PPPoE server from which the first PADO packet is received and unicasts a PADR packet to that PPPoE server.
4. The PPPoE server generates a unique session ID to identify the PPPoE session with the PPPoE client. The PPPoE server sends a PADS packet containing this session ID to the PPPoE client. When the PPPoE session is established, the PPPoE server and PPPoE client enter the PPPoE Session stage.
When the PPPoE session is established, the PPPoE server and PPPoE client share the unique PPPoE session ID and learn each other's Ethernet address.
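The packet format of 9.3.3 and the Discovery stage of 9.3.4, as an added Python example that is not code from the page or from Huawei: a builder and a bounds-checked parser for the Ethernet and PPPoE headers and the tag list, plus a walk through PADI, PADO, PADR and PADS that enforces the broadcast/unicast and Session_ID rules of each step. The tag type numbers are taken from RFC 2516 (the page does not list them); the MAC addresses, the access-concentrator name and the session ID are constructed.

```python
import struct
from typing import Dict, List, Tuple

ETHERTYPE_DISCOVERY = 0x8863   # Ethernet_Type at the Discovery stage
ETHERTYPE_SESSION = 0x8864     # Ethernet_Type at the PPPoE Session stage
BROADCAST_MAC = b"\xff" * 6

# Code field values as listed on the page.
CODE_SESSION, CODE_PADI, CODE_PADO = 0x00, 0x09, 0x07
CODE_PADR, CODE_PADS, CODE_PADT = 0x19, 0x65, 0xA7
# Tag types from RFC 2516 (assumed here; the page does not list them).
TAG_END_OF_LIST, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102

ETH_HDR = struct.Struct("!6s6sH")    # Destination_Address, Source_Address, Ethernet_Type
PPPOE_HDR = struct.Struct("!BBHH")   # VER|Type, Code, Session_ID, Length
TAG_HDR = struct.Struct("!HH")       # Tag_Type, Tag_Length


def build_tags(tags: List[Tuple[int, bytes]]) -> bytes:
    return b"".join(TAG_HDR.pack(ttype, len(value)) + value for ttype, value in tags)


def build_frame(dst: bytes, src: bytes, ethertype: int, code: int,
                session_id: int, payload: bytes) -> bytes:
    # 0x11: VER = 1 in the high nibble, Type = 1 in the low nibble.
    return (ETH_HDR.pack(dst, src, ethertype)
            + PPPOE_HDR.pack(0x11, code, session_id, len(payload)) + payload)


def parse_frame(frame: bytes) -> Dict:
    """Parse the Ethernet and PPPoE headers and, at the Discovery stage, the tag list.

    Every length is checked against the buffer before it is used, so a
    truncated frame or an oversized Length/Tag_Length raises ValueError
    instead of reading past the end of the frame.
    """
    if len(frame) < ETH_HDR.size + PPPOE_HDR.size:
        raise ValueError("frame shorter than Ethernet + PPPoE headers")
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    ver_type, code, session_id, length = PPPOE_HDR.unpack_from(frame, ETH_HDR.size)
    if ver_type >> 4 != 1 or ver_type & 0x0F != 1:
        raise ValueError("VER and Type must both be 0x1")
    start = ETH_HDR.size + PPPOE_HDR.size
    if start + length > len(frame):
        raise ValueError("PPPoE Length exceeds the frame")
    payload = frame[start:start + length]
    pkt = {"dst": dst, "src": src, "ethertype": ethertype, "code": code,
           "session_id": session_id, "tags": [], "payload": payload}
    if ethertype == ETHERTYPE_DISCOVERY:
        off = 0
        while off < len(payload):
            if off + TAG_HDR.size > len(payload):
                raise ValueError("truncated tag header")
            ttype, tlen = TAG_HDR.unpack_from(payload, off)
            off += TAG_HDR.size
            if off + tlen > len(payload):
                raise ValueError("Tag_Length exceeds the payload")
            pkt["tags"].append((ttype, payload[off:off + tlen]))
            off += tlen
            if ttype == TAG_END_OF_LIST:
                break
    elif ethertype != ETHERTYPE_SESSION:
        raise ValueError("not a PPPoE Ethernet_Type")
    return pkt


def _check(cond: bool, msg: str) -> None:
    if not cond:
        raise ValueError(msg)


def discovery_stage(client_mac: bytes, server_mac: bytes, service: bytes = b"",
                    server_session_id: int = 0x0001) -> int:
    """Walk the four Discovery steps described on the page, checking the
    addressing and Session_ID rules of each frame, and return the session ID."""
    # 1. The client broadcasts a PADI naming the service it wants; Session_ID is 0.
    padi = build_frame(BROADCAST_MAC, client_mac, ETHERTYPE_DISCOVERY, CODE_PADI, 0,
                       build_tags([(TAG_SERVICE_NAME, service)]))
    p = parse_frame(padi)
    _check(p["dst"] == BROADCAST_MAC and p["session_id"] == 0, "PADI must be broadcast with Session_ID 0")
    # 2. A server that can provide the service unicasts a PADO carrying its name.
    pado = build_frame(p["src"], server_mac, ETHERTYPE_DISCOVERY, CODE_PADO, 0,
                       build_tags([(TAG_SERVICE_NAME, service), (TAG_AC_NAME, b"bras-1")]))
    o = parse_frame(pado)
    _check(o["dst"] == client_mac and o["session_id"] == 0, "PADO must be unicast with Session_ID 0")
    # 3. The client takes the first PADO it received and unicasts a PADR to that server.
    padr = build_frame(o["src"], client_mac, ETHERTYPE_DISCOVERY, CODE_PADR, 0,
                       build_tags([(TAG_SERVICE_NAME, service)]))
    r = parse_frame(padr)
    _check(r["dst"] == server_mac and r["code"] == CODE_PADR, "PADR must be unicast to the chosen server")
    # 4. The server assigns a unique Session_ID (0 is used during discovery and
    #    0xFFFF is reserved) and confirms it with a PADS; both sides use it from now on.
    _check(server_session_id not in (0, 0xFFFF), "Session_ID 0 and 0xFFFF cannot be assigned")
    pads = build_frame(r["src"], server_mac, ETHERTYPE_DISCOVERY, CODE_PADS,
                       server_session_id, build_tags([(TAG_SERVICE_NAME, service)]))
    s = parse_frame(pads)
    _check(s["code"] == CODE_PADS and s["dst"] == client_mac, "PADS must be unicast to the client")
    return s["session_id"]
```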
Session Stage
The PPPoE Session stage involves PPP negotiation and PPP packet transmission. PPP negotiation at the PPPoE Session stage is the same as common PPP negotiation, which includes the LCP, authentication, and NCP phases.
1. In the LCP phase, the PPPoE server and PPPoE client establish and configure a data link, and verify the data link status.
2. When LCP negotiation is complete, authentication starts. The authentication protocol depends on the LCP negotiation result. The authentication protocol can be Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP).
3. When authentication succeeds, PPP enters the Network Control Protocol (NCP) phase. NCP is a protocol suite used to configure network-layer protocols. A commonly used network-layer protocol is IP Control Protocol (IPCP), which is responsible for configuring IP addresses for users and the domain name server (DNS).
When PPP negotiation succeeds, PPP data packets can be forwarded. At the PPPoE Session Stage, the PPPoE server and PPPoE client unicast all Ethernet data packets.
Terminate Stage
The PPPoE server and PPPoE client use PPP protocol packets to terminate the PPPoE session. When PPP protocol packets are unavailable, the communicating parties can use PADT packets to terminate the PPPoE session. After a PPPoE session is established, the PPPoE client or the PPPoE server can unicast a PADT packet to terminate the PPPoE session at any time. After transmitting or receiving the PADT packet, the PPPoE server and PPPoE client are not allowed to use this session to send any PPP traffic.
9.4 Frame Relay
9.4.1 FR Overview
Working at the data link layer of the Open System Interconnection (OSI) model, Frame Relay (FR) is a technique that uses simple methods to transmit and exchange data. A distinct feature of FR is that FR simplifies processes of error control, confirmation and re-transmission, traffic control, and congestion prevention on an X.25 packet switch network, thus reducing processing time. This is quite important to effective use of high-speed digital transmission channels.
NOTE: The delay of packet switching on an X.25 network is tens to hundreds of milliseconds, whereas the delay of packet switching on an FR network can be reduced to several milliseconds.
Data communications devices such as routers are connected through private lines, which results in many disadvantages.
Firstly, private lines use fixed bandwidth and interfaces. It is inconvenient for users to change bandwidth or expand capacity.
Secondly, the cost of connecting the networks by the private lines is high and user rental is also high.
In addition, if private lines are used to construct a fully-connected network with n users, n(n-1)/2 circuits are needed, which greatly complicates the management and use of network resources.
FR is mainly used on Wide Area Networks (WANs) and supports multiple types of data services. FR addresses these problems as follows:
In the initial stage of application, FR is easy to implement by upgrading the software on existing X.25 interfaces. FR is based on X.25. Therefore, the hardware of an existing X.25 device does not need to be rebuilt, and the device can provide FR services after its software is upgraded.
The flexible charging of FR is suitable for burst transmission. At present, many carriers adopt Committed Information Rate (CIR) for accounting, thus reducing the communication charge of CIR users.
FR can dynamically allocate network resources. Users can use spare bandwidth and share network resources without additional investment by telecom carriers.
9.4.2 Basic Concepts of FR
An FR network uses virtual circuits (VCs) to connect FR devices on the two ends of the network. Every VC uses a Data Link Connection Identifier (DLCI) to define an FR channel.
Data Link Connection Identifier
FR is a statistical multiplexing protocol. It provides multiple VCs on a single physical line. DLCIs are used to differentiate VCs. A DLCI is valid only on the local interface and the directly-connected peer interface; it is not valid globally. On an FR network, the same DLCI on different physical interfaces does not indicate the same VC. A user interface on an FR network supports multiple VCs. The available DLCI range is 16 to 1022, among which DLCIs 1007 to 1022 are reserved. Because an FR VC is connection-oriented, different local DLCIs are connected to different remote devices. Therefore, the local DLCI can be considered as the "FR address" of the remote device. FR address mapping associates the peer protocol address with the FR address (local DLCI). Thus, the upper-layer protocol can locate the remote device. When transmitting IP packets over FR links, a router first searches for the next-hop address in the routing table, and then finds the corresponding DLCI in the FR address mapping table. This table maintains the mapping between remote IP addresses and next-hop DLCIs. The address mapping table can be configured manually or maintained dynamically by Inverse ARP.
DTE, DCE, UNI, and NNI
FR networks allow devices to exchange data. Devices and interfaces on FR networks play one of the following roles:
DTE: data terminal equipment
DCE: data communication equipment, providing access services for DTE devices
UNI: user-network interface, interconnecting a DTE device and a DCE device
An FR network can be a public network, a private network of an enterprise, or a network formed by directly connected devices. On the FR network shown in Figure 9-4-1, two DTE devices RouterA and RouterD at the access layer are connected over the switch layer formed by two DCE devices, RouterB and RouterC. DTE and DCE devices are connected through UNIs, which must be configured with the same DLCI. UNIs are applicable to only the FR access scenario. A PVC is established between the two DTE devices, and each PVC segment can be configured with a different DLCI.
Figure 9-4-1 Roles of devices and interfaces on FR networks
NOTE: The device functions as a DTE or DCE. When functioning as a DCE, the device only provides UNIs for FR termination.
Virtual Circuit
A VC is a logical circuit built on the shared network between two network devices. VCs can be divided into the Permanent VC (PVC) and Switching VC (SVC).
PVC: refers to the manually created VC.
SVC: refers to the VC that can be created or cleared automatically through negotiation.
At present, PVCs are often used on FR networks. The device supports only PVCs. The PVC status of the DTE is determined by the DCE, and the PVC status of the DCE is determined by the network. If two network devices are connected directly, the VC status on the DCE side is configured by the administrator. The Local Management Interface (LMI) protocol maintains the link and PVC status of Frame Relay through status enquiry packets and status packets.
9.4.3 LMI Protocol
Introduction to LMI
On a PVC, both the network devices and the user devices need to know the current status of the PVC. The protocol that monitors the PVC status is called the Local Management Interface (LMI) protocol. The LMI protocol maintains the link and PVC status of Frame Relay through status enquiry packets and status packets. The LMI module is used to manage PVCs, including adding and deleting PVCs, detecting PVC link integrity, and reporting PVC status. The system supports three LMI protocols:
LMI complying with ITU-T Q.933 Appendix A.
LMI complying with ANSI T1.617 Appendix D.
Nonstandard compatible protocol.
For details, refer to the protocol text. The LMI protocol belongs to the functions of the control layer. Q.933 Appendix A is the most widely used LMI protocol. Q.933 Appendix A defines the information units and procedures of the LMI protocol.
LMI Protocol Procedure
The LMI protocol procedure includes the following:
Notifying the addition of a PVC
Detecting the deletion of a PVC
Notifying whether a configured PVC is available or unavailable
Verifying link integrity
Types of LMI Protocol Message
LMI protocol messages can be divided into two types:
Status enquiry message: The DTE side sends a status enquiry message to request the VC status or link integrity verification from the DCE side.
Status message: The status message is a response sent from the DCE to the DTE after the DCE receives the status enquiry message. This packet can carry the VC status or verify link integrity.
Types of LMI Protocol Packets
LMI protocol packets can be divided into three types:
Link integrity verification packet: used only to verify link integrity.
Full status packet: used both to verify link integrity and to carry the PVC status.
Asynchronous PVC status packet: does not contain a status request and is used only to notify the DTE side promptly when the PVC status changes.
Q.933 Appendix A uses the VC whose DLCI is 0 to transmit the status or status request packets.
Status Packet
A status message is used to reply to a status request message, notifying the PVC status and the result of link integrity detection. On a UNI interface, the PVC status of the DTE is completely decided by the DCE, which notifies the DTE of the status of all PVCs. Therefore, the DTE only has to query the DCE at fixed intervals to obtain the current PVC status on this interface. The PVC status of the DCE is determined by the network devices. On an NNI interface, the network devices on both sides exchange the PVC status at fixed intervals using the LMI protocol. Different from a UNI, the network devices on both sides of an NNI interface send request packets to their peers. After receiving the request packets, the two ends of the NNI interface respond to the packets.
Brief Process of the LMI Protocol
The brief process of the LMI protocol is as follows:
1. The DTE sends a status request packet and the timer T391 starts. The T391 interval is the polling interval; that is, the DTE sends a status request packet every T391. At the same time, the counter V391 of the DTE starts counting.
When V391 is less than N391, the status request packet sent by the DTE queries only the link integrity.
When V391 is equal to N391, V391 is reset to 0, and the status request packet sent by the DTE queries both the link integrity and the status of all PVCs; this status request packet is called a full status request packet.
Therefore, N391 defines the length of a period, and the DTE sends a full status request packet once per period. Both N392 and N393 can use the default value or be set manually.
2. After receiving the polling message, the DCE responds to the status request message with a status message. At the same time, the DCE starts the timer T392 and waits for the next status request message. If the DCE does not receive a status request message before T392 expires, the DCE records an error and the error count increases by 1.
3. The DTE reads the received status response message to learn the link integrity and PVC status. The DCE responds with the status that the DTE needs to know. If the PVC status changes, or a PVC is added or deleted in the local network, the DCE must respond with the status of all PVCs regardless of whether the DTE queried the PVC status. In this way, the DTE learns of changes on the DCE in a timely manner and updates its previous record.
4. If the DTE does not receive the status response message before T391 expires, the DTE records an error and the number of errors increases by 1.
5. If the number of errors exceeds N392 within N393 events, the DTE or DCE considers this physical channel and all its VCs unavailable. N393 indicates the total number of observed events. N392 indicates the error threshold. Both N392 and N393 can be set manually or left at the default value.
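The DTE-side counters of the process above, as an added Python example that is not code from the page or from Huawei: V391 is driven against N391 to decide when a full status request goes out, and a sliding window of the last N393 polls is checked against N392 to decide when the link and all its VCs are declared unavailable. The timer and counter defaults are constructed for the example, not taken from the page.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Tuple


@dataclass
class LmiDte:
    """DTE-side LMI polling state.

    T391 is in seconds; the default values below are constructed for this
    example and are not taken from the page. The DCE side keeps the same
    error window, but its errors come from T392 expiring without a request.
    """
    t391: int = 10    # polling interval: one status request every T391 seconds
    n391: int = 6     # every N391st request is a full status request
    n392: int = 3     # error threshold
    n393: int = 4     # number of most recent events that are observed
    v391: int = 0     # polling counter
    events: Deque[bool] = field(default_factory=deque)   # True = error
    link_up: bool = True

    def poll(self) -> str:
        """Step 1: the DTE sends its next status request and returns its kind."""
        self.v391 += 1
        if self.v391 == self.n391:         # N391st poll: ask for all PVC states too
            self.v391 = 0
            return "full-status"
        return "link-integrity"

    def observe(self, responded: bool) -> bool:
        """Steps 3 to 5: record whether a status message arrived before T391
        expired, then re-evaluate the last N393 events against N392."""
        self.events.append(not responded)
        while len(self.events) > self.n393:
            self.events.popleft()
        # Page wording: more than N392 errors among N393 events brings the
        # physical channel and all its VCs down.
        if sum(self.events) > self.n392:
            self.link_up = False
        return self.link_up


def simulate(responses: List[bool], **params) -> Tuple[List[str], bool]:
    """Run one poll per entry; True means the DCE answered within T391."""
    dte = LmiDte(**params)
    kinds = []
    for responded in responses:
        kinds.append(dte.poll())
        dte.observe(responded)
    return kinds, dte.link_up
```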
9.4.4 InARP
The main function of Inverse ARP (InARP) is to resolve the IP address of the remote device connected to every VC. If the protocol address of the remote device connected to a VC is known, the mapping between the remote protocol address and the DLCI can be created on the local end, which avoids configuring the address mapping manually. The basic process is as follows:
1. When a new VC is found, InARP sends a request packet to the remote end on this VC if the local interface is configured with a protocol address. This request packet contains the local protocol address. When the remote device receives this request packet, it obtains the local protocol address, creates the address mapping, and sends an InARP response packet. The address mapping is thus also created on the local end.
2. If a static mapping is configured manually or a dynamic mapping has been created, the InARP request packet is not sent to the remote end on this VC, regardless of whether the remote address in the dynamic mapping is correct. An InARP request packet is sent to the remote end only when no mapping exists.
3. If the receiver of the InARP request packet finds that the remote protocol address is the same as that in a locally configured mapping, it does not create a dynamic mapping.
The format of an InARP packet is the same as that of a standard ARP packet.
9.4.5 Basic Principles of FR
LMI Negotiation Process
As shown in Figure 9-4-2, two routers are directly connected through serial interfaces.
The FR interface on RouterA works in DCE mode.
The FR interface on RouterB works in DTE mode.
Figure 9-4-2 Networking diagram of the LMI negotiation process
The LMI negotiation process is as follows:
1. The interface in DTE mode periodically sends status enquiry messages to the interface in DCE mode.
2. After receiving a status enquiry message, the interface in DCE mode replies with a status message to the interface in DTE mode.
3. The interface in DTE mode determines the link status and PVC status from the received status messages.
4. If the DCE and DTE interfaces exchange LMI messages normally, the link status changes to Up and the PVC status changes to Active.
5. The FR LMI negotiation succeeds.
InARP Negotiation Process
After the FR LMI negotiation succeeds and the PVC status changes to Active, the InARP negotiation starts. The process is as follows:
1. If the local interface has been configured with a protocol address, the PVC on that interface can send Inverse ARP Request packets to the remote device. The request carries the protocol address of the local interface.
2. After receiving the request, the remote device builds an address mapping entry from the address carried in the request and sends an Inverse ARP Response packet to the local device.
3. The local device obtains the remote address from the received Inverse ARP Response packet and builds its own address mapping entry.
4. Address mapping tables now exist on both RouterA and RouterB. For example, in the address mapping table on RouterA, IP address 10.1.1.2 maps to DLCI 100; in the address mapping table on RouterB, IP address 10.1.1.1 maps to DLCI 100.
After the LMI and InARP negotiations, the protocol status of the FR interface goes Up and the address mapping tables are in place, so the PVC can carry IP packets.
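The InARP packet format and the three mapping rules of 9.4.4, together with the RouterA/RouterB exchange just described, as an added Python example that is not code from the training material. It builds the ARP-format payload described in RFC 2390 (hardware type 15 for Frame Relay, two-byte Q.922 address, opcodes 8 and 9); the RFC 2427 Frame Relay encapsulation that precedes it on the wire is omitted, and the 0.0.0.0 target address in the request is the RFC's convention rather than something the text states. The FrRouter class and demo() are constructed for illustration.

```python
"""Inverse ARP over Frame Relay (RFC 2390): packet format and the mapping rules of 9.4.4."""
import struct
from ipaddress import IPv4Address

HRD_FRAME_RELAY = 15       # ar$hrd value assigned to Frame Relay
PRO_IPV4 = 0x0800
OP_INARP_REQUEST = 8
OP_INARP_REPLY = 9
Q922_LEN = 2               # two-byte Q.922 address carrying a 10-bit DLCI
HDR = struct.Struct("!HHBBH")   # ar$hrd, ar$pro, ar$hln, ar$pln, ar$op: the ordinary ARP header


def q922_encode(dlci):
    """Pack a 10-bit DLCI into a two-byte Q.922 address (C/R, FECN, BECN, DE cleared; EA set on byte 2)."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    return bytes([(dlci >> 4) << 2, ((dlci & 0x0F) << 4) | 0x01])


def q922_decode(addr):
    return ((addr[0] >> 2) << 4) | (addr[1] >> 4)


def build_inarp(op, sender_dlci, sender_ip, target_dlci, target_ip):
    return (HDR.pack(HRD_FRAME_RELAY, PRO_IPV4, Q922_LEN, 4, op)
            + q922_encode(sender_dlci) + IPv4Address(sender_ip).packed
            + q922_encode(target_dlci) + IPv4Address(target_ip).packed)


def parse_inarp(pkt):
    """Validate the header and return the fields; rejects anything that is not IPv4 InARP over FR."""
    hrd, pro, hln, pln, op = HDR.unpack_from(pkt)
    if (hrd, pro, hln, pln) != (HRD_FRAME_RELAY, PRO_IPV4, Q922_LEN, 4):
        raise ValueError("not an IPv4-over-Frame-Relay InARP packet")
    if op not in (OP_INARP_REQUEST, OP_INARP_REPLY):
        raise ValueError("unexpected ARP opcode %d" % op)
    body = pkt[HDR.size:HDR.size + 2 * (hln + pln)]
    if len(body) != 2 * (hln + pln):
        raise ValueError("truncated InARP packet")
    return {
        "op": op,
        "sender_dlci": q922_decode(body[0:2]),
        "sender_ip": str(IPv4Address(body[2:6])),
        "target_dlci": q922_decode(body[6:8]),
        "target_ip": str(IPv4Address(body[8:12])),
    }


class FrRouter:
    """One FR interface: its protocol address plus static and dynamic address-to-DLCI mappings."""

    def __init__(self, ip, static=None):
        self.ip = ip
        self.static = dict(static or {})   # remote ip -> dlci, configured by hand
        self.dynamic = {}                  # remote ip -> dlci, learnt through InARP

    def mappings(self):
        return {**self.dynamic, **self.static}

    def send_request(self, dlci):
        """Rule 2: request on a newly active VC only if no mapping (static or dynamic) uses that DLCI."""
        if dlci in self.mappings().values():
            return None
        # The remote protocol address is unknown, so it is sent as 0.0.0.0. DLCIs are locally
        # significant, so the receiver relies on the DLCI the frame arrived on, not on this field.
        return build_inarp(OP_INARP_REQUEST, dlci, self.ip, dlci, "0.0.0.0")

    def receive(self, pkt, rx_dlci):
        """Learn the sender's address against rx_dlci and answer requests. Returns the reply or None."""
        msg = parse_inarp(pkt)
        # Rule 3: an address already present in a configured mapping gets no dynamic entry.
        if msg["sender_ip"] not in self.static:
            self.dynamic[msg["sender_ip"]] = rx_dlci
        if msg["op"] == OP_INARP_REQUEST:
            return build_inarp(OP_INARP_REPLY, rx_dlci, self.ip, rx_dlci, msg["sender_ip"])
        return None


def demo():
    """RouterA (10.1.1.1) and RouterB (10.1.1.2) joined by a PVC that is DLCI 100 at both ends."""
    router_a, router_b = FrRouter("10.1.1.1"), FrRouter("10.1.1.2")
    request = router_a.send_request(100)          # step 1 of the negotiation
    reply = router_b.receive(request, 100)        # step 2: RouterB learns 10.1.1.1 -> 100 and replies
    router_a.receive(reply, 100)                  # step 3: RouterA learns 10.1.1.2 -> 100
    return router_a.mappings(), router_b.mappings(), router_a.send_request(100)
```

Nothing in the exchange authenticates the peer: whatever address arrives on a VC is mapped to that DLCI. That is why rule 3 matters in practice, since a manually configured mapping is the only thing that stops a learnt entry from taking its place.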
9.4.6 FR Sub-Interfaces
Origins of FR Sub-Interfaces
An FR network can connect networks in different places. The possible topologies are the star, partially meshed, and fully meshed structures.
From the economic point of view, the star structure is the best because it uses the fewest PVCs: the primary node connects the multiple dispersed branch nodes through multiple PVCs on one interface. This structure is mainly used by a headquarters to connect multiple branches. Its disadvantage is that communication between branch nodes must pass through the primary node.
In the fully meshed structure, every node is connected to every other node through PVCs, and no node depends on another node to relay its traffic. This structure is also highly flexible: when a directly connected PVC goes Down, traffic can be relayed through other nodes. Its disadvantage is that many PVCs are needed, and the number of PVCs grows sharply as nodes are added to the network.
In the partially meshed structure, not every node has a PVC to every other node. Its advantages and disadvantages lie between those of the star and fully meshed structures.
By default, an FR network is a Non-broadcast Multi-access (NBMA) network. Unlike Ethernet, an NBMA network does not support broadcast, even though the nodes are interconnected. If a node obtains routing information, it has to make a copy of the information for each connected node and send the copies over the respective PVCs. To reduce routing loops, the split horizon mechanism forbids a router from sending an update out of the interface on which it received that update.
Figure 9-4-3 FR and split horizon
As shown in Figure 9-4-3, RouterB advertises a route to RouterA, but, because of split horizon, RouterA cannot advertise this route to RouterC or RouterD through Serial 1/0/0, the interface on which it received the route. The problem can be solved in the following ways:
Using multiple physical interfaces to connect the multiple adjacent nodes: this requires the router to have multiple physical interfaces and increases the cost for users.
Using sub-interfaces, that is, configuring multiple logical interfaces on one physical interface: like a physical interface, every sub-interface has its own network address.
Disabling split horizon: this requires support from the routing protocol and increases the probability of routing loops.
FR Sub-Interfaces
Figure 9-4-4 FR Sub-Interfaces
You can define these logical sub-interfaces on the serial line. Every sub-interface uses one or more DLCIs to connect to the remote device. After a DLCI is configured on a sub-interface, the mapping between the destination protocol address and this DLCI needs to be created. In this way, the DLCI on Serial 1/0/0.1 is defined to reach RouterB, the DLCI on Serial 1/0/0.2 to reach RouterC, and the DLCI on Serial 1/0/0.3 to reach RouterD, even though RouterA has only one physical serial port, Serial 1/0/0.
After logical sub-interfaces are defined on a physical interface, the FR connection can become a partially meshed one, and the routers can interconnect and forward routing updates through the sub-interfaces. Multiple sub-interfaces on one physical interface are therefore not affected by split horizon. This arrangement differs from a plain NBMA configuration: in NBMA, all routers are on the same subnet over fully meshed PVCs, whereas with FR point-to-point (P2P) sub-interfaces only the sub-interfaces of the two connected routers share a subnet, so the FR configuration contains many subnets.
Classification of FR Sub-interfaces
FR sub-interfaces are classified into the following types:
Point-to-point sub-interface: used to connect a single remote device. Each point-to-point sub-interface can be configured with only one PVC, so the remote device is identified uniquely without a static address mapping: once the PVC is configured on the sub-interface, the peer address is determined.
Point-to-multipoint sub-interface: used to connect multiple remote devices. Each sub-interface can be configured with multiple PVCs, and each PVC maps to the protocol address of the remote device it reaches, so different PVCs reach different remote devices. The address mapping must be configured manually or set up dynamically through Inverse ARP (InARP).
9.5 Examples for Configuring Layer 2 WAN Technologies
9.5.1 Example for Configuring Unidirectional PAP Authentication (Local Authentication)
Networking Requirements
As shown in Figure 9-5-1, Serial1/0/0 of RouterA connects to Serial1/0/0 of RouterB. RouterA is required to perform simple authentication of RouterB, while RouterB does not authenticate RouterA.
Figure 9-5-1 Networking diagram of PAP authentication
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure PAP authentication, because PAP meets the requirement for simple authentication with low security. Note that PAP sends the user name and password in cleartext over the link, so it is suitable only where the link itself is trusted.
2. Configure RouterA as the PAP authenticator and RouterB as the PAP authenticated party to meet the unidirectional authentication requirement.
Procedure
1. Configure RouterA.
# Assign an IP address to Serial1/0/0 and configure PPP as the link layer protocol of Serial1/0/0.
system-view
[Huawei] sysname RouterA
[RouterA] interface serial 1/0/0
[RouterA-Serial1/0/0] link-protocol ppp
[RouterA-Serial1/0/0] ip address 10.10.10.9 30
# Set the PPP authentication mode to PAP and specify an authentication domain named system.
[RouterA-Serial1/0/0] ppp authentication-mode pap domain system
[RouterA-Serial1/0/0] quit
# Configure a local user and specify the authentication domain for the local user.
[RouterA] aaa
[RouterA-aaa] authentication-scheme system_a
[RouterA-aaa-authen-system_a] authentication-mode local
[RouterA-aaa-authen-system_a] quit
[RouterA-aaa] domain system
[RouterA-aaa-domain-system] authentication-scheme system_a
[RouterA-aaa-domain-system] quit
[RouterA-aaa] local-user user1@system password cipher huawei
[RouterA-aaa] local-user user1@system service-type ppp
[RouterA-aaa] quit
2. Configure RouterB.
# Assign an IP address to Serial1/0/0 and configure PPP as the link layer protocol of Serial1/0/0.
system-view
[Huawei] sysname RouterB
[RouterB] interface serial 1/0/0
[RouterB-Serial1/0/0] link-protocol ppp
[RouterB-Serial1/0/0] ip address 10.10.10.10 30
# Configure the user name and password that RouterB sends to RouterA in PAP authentication.
[RouterB-Serial1/0/0] ppp pap local-user user1@system password simple huawei
3. Verify the configurations.
Run the display interface serial 1/0/0 command to check the interface configuration. The output shows that both the physical layer status and the link layer status of the interface are Up and that both LCP and IPCP are in Opened state. This indicates that PPP negotiation succeeded and that RouterA and RouterB can ping each other.
[Huawei] display interface serial 1/0/0
Serial1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2011-03-25 11:35:10
Description:HUAWEI, AR Series, Serial1/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 0(sec)
Internet Address is 10.10.10.9/30
Link layer protocol is PPP
LCP opened, IPCP opened
Last physical up time   : 2011-03-25 11:35:10
Last physical down time : 2011-03-25 11:35:01
Current system time: 2011-03-25 17:30:07
Physical layer is synchronous, Virtualbaudrate is 64000 bps
Interface is DTE, Cable type is V35, Clock mode is RC
Last 10 seconds input rate 7 bytes/sec 56 bits/sec 0 packets/sec
Last 10 seconds output rate 7 bytes/sec 56 bits/sec 0 packets/sec
Input: 7343762 packets, 463499285 bytes
broadcasts:
Configuration file of RouterA
#
sysname RouterA
#
aaa
 authentication-scheme system_a
 domain system
  authentication-scheme system_a
 local-user user1@system password cipher %$%$04b=C9LzqIsL.w)N+pU<,g^U%$%$
 local-user user1@system service-type ppp
#
interface Serial1/0/0
 link-protocol ppp
 ppp authentication-mode pap domain system
 ip address 10.10.10.9 255.255.255.252
#
return
Configuration file of RouterB
#
sysname RouterB
#
interface Serial1/0/0
 link-protocol ppp
 ppp pap local-user user1@system password simple huawei
 ip address 10.10.10.10 255.255.255.252
#
return
9.5.2 Example for Configuring Unidirectional CHAP Authentication (Local Authentication)
Networking Requirements
As shown in Figure 9-5-2, Serial1/0/0 of RouterA connects to Serial1/0/0 of RouterB. RouterA is required to perform reliable authentication of RouterB, while RouterB does not authenticate RouterA.
Figure 9-5-2 Networking diagram of CHAP authentication
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure CHAP authentication and the user name for CHAP authentication, because CHAP meets the requirement for reliable authentication with higher security: the password itself is never sent on the link; the authenticated party returns an MD5 hash computed over a challenge issued by the authenticator.
2. Configure RouterA as the CHAP authenticator and RouterB as the CHAP authenticated party to meet the unidirectional authentication requirement.
Procedure
1. Configure RouterA.
# Assign an IP address to Serial1/0/0 and configure PPP as the link layer protocol of Serial1/0/0.
system-view
[Huawei] sysname RouterA
[RouterA] interface serial 1/0/0
[RouterA-Serial1/0/0] link-protocol ppp
[RouterA-Serial1/0/0] ip address 10.10.10.9 30
# Set the PPP authentication mode to CHAP, the user name to user1@system, and the authentication domain to system.
[RouterA-Serial1/0/0] ppp authentication-mode chap domain system
[RouterA-Serial1/0/0] ppp chap user user1@system
[RouterA-Serial1/0/0] quit
# Configure a local user and specify the authentication domain for the local user.
[RouterA] aaa
[RouterA-aaa] authentication-scheme system_a
[RouterA-aaa-authen-system_a] authentication-mode local
[RouterA-aaa-authen-system_a] quit
[RouterA-aaa] domain system
[RouterA-aaa-domain-system] authentication-scheme system_a
[RouterA-aaa-domain-system] quit
[RouterA-aaa] local-user user2@system password cipher huawei
[RouterA-aaa] local-user user2@system service-type ppp
[RouterA-aaa] quit
2. Configure RouterB.
# Assign an IP address to Serial1/0/0 and configure PPP as the link layer protocol of Serial1/0/0.
system-view
[Huawei] sysname RouterB
[RouterB] interface serial 1/0/0
[RouterB-Serial1/0/0] link-protocol ppp
[RouterB-Serial1/0/0] ip address 10.10.10.10 30
# Configure the user name that RouterB sends to RouterA in CHAP authentication.
[RouterB-Serial1/0/0] ppp chap user user2@system
[RouterB-Serial1/0/0] quit
# Configure a local user. No ppp chap password is configured on RouterB, so RouterB looks up the user name carried in RouterA's Challenge (user1@system) in its local user table to obtain the password (huawei) used to compute the response.
[RouterB] aaa
[RouterB-aaa] local-user user1@system password cipher huawei
[RouterB-aaa] local-user user1@system service-type ppp
[RouterB-aaa] quit
3. Verify the configurations.
Run the display interface serial 1/0/0 command to check the interface configuration. The output shows that both the physical layer status and the link layer status of the interface are Up and that both LCP and IPCP are in Opened state. This indicates that PPP negotiation succeeded and that RouterA and RouterB can ping each other.
[Huawei] display interface serial 1/0/0
Serial1/0/0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2012-04-10 09:26:32
Description:HUAWEI, AR Series, Serial3/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 10.10.10.9/30
Link layer protocol is PPP
LCP opened, IPCP opened
Last physical up time   : 2012-04-10 09:26:29
Last physical down time : 2012-04-10 09:26:27
Current system time: 2012-04-10 09:29:56
Physical layer is synchronous, Virtualbaudrate is 64000 bps
Interface is DTE, Cable type is V35, Clock mode is TC
Last 300 seconds input rate 8 bytes/sec 64 bits/sec 0 packets/sec
Last 300 seconds output rate 7 bytes/sec 56 bits/sec 0 packets/sec
Input: 20239 packets, 465621 bytes
Broadcast:
Configuration file of RouterA
#
sysname RouterA
#
aaa
 authentication-scheme system_a
 domain system
  authentication-scheme system_a
 local-user user2@system password cipher %$%$04b=C9LzqIsL.w)N+pU<,g^U%$%$
 local-user user2@system service-type ppp
#
interface Serial1/0/0
 link-protocol ppp
 ppp authentication-mode chap domain system
 ppp chap user user1@system
 ip address 10.10.10.9 255.255.255.252
#
return
Configuration file of RouterB
#
sysname RouterB
#
aaa
 local-user user1@system password cipher %$%$04b=C9LzqIsL.w)N+pU<,g^U%$%$
 local-user user1@system service-type ppp
#
interface Serial1/0/0
 link-protocol ppp
 ppp chap user user2@system
 ip address 10.10.10.10 255.255.255.252
#
return
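The difference between the PAP example in 9.5.1 and the CHAP example in 9.5.2, as an added Python model that is not code from the training material: both sides of each exchange, with the packet layouts of RFC 1334 (PAP) and RFC 1994 (CHAP), using the user names and the password from the configuration files above. The ChapAuthenticator and ChapPeer classes mirror the roles of RouterA and RouterB, including the way RouterB finds the password by looking up the authenticator's name when no ppp chap password is configured; the demo() scenario and the impostor peer are constructed for illustration, and the PPP framing around the packets is omitted.

```python
"""PAP (RFC 1334) and CHAP (RFC 1994) exchanges, modelled on examples 9.5.1 and 9.5.2."""
import hashlib
import hmac
import os
import struct

PAP_AUTH_REQUEST = 1
CHAP_CHALLENGE, CHAP_RESPONSE = 1, 2
CHAP_VALUE_SIZE = 16   # MD5 digest length


def pap_authenticate_request(ident, peer_id, password):
    """PAP Authenticate-Request: Peer-ID and Password travel in cleartext."""
    payload = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, ident, 4 + len(payload)) + payload


def chap_response_value(ident, secret, challenge):
    """RFC 1994 section 2: MD5 over Identifier || secret || Challenge value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def _chap_packet(code, ident, value, name):
    body = bytes([len(value)]) + value + name
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def _chap_unpack(pkt):
    code, ident, length = struct.unpack_from("!BBH", pkt)
    size = pkt[4]
    return code, ident, pkt[5:5 + size], pkt[5 + size:length]


class ChapAuthenticator:
    """RouterA's role: ppp authentication-mode chap, ppp chap user <name>, and the local users."""

    def __init__(self, name, local_users):
        self.name = name
        self.local_users = local_users       # user name -> password, as local-user ... service-type ppp
        self.ident = 0
        self.pending = {}                    # ident -> challenge value, consumed on first use

    def challenge(self):
        self.ident = (self.ident + 1) % 256
        value = os.urandom(CHAP_VALUE_SIZE)  # fresh random challenge per attempt
        self.pending[self.ident] = value
        return _chap_packet(CHAP_CHALLENGE, self.ident, value, self.name)

    def verify(self, response_pkt):
        code, ident, value, peer_name = _chap_unpack(response_pkt)
        challenge = self.pending.pop(ident, None)     # one challenge, one response: a replay finds nothing
        secret = self.local_users.get(peer_name)
        if code != CHAP_RESPONSE or challenge is None or secret is None:
            return False
        expected = chap_response_value(ident, secret, challenge)
        return hmac.compare_digest(value, expected)   # constant-time comparison


class ChapPeer:
    """RouterB's role: ppp chap user <name> plus either ppp chap password or a local-user table.
    Without ppp chap password, the peer looks up the name carried in the Challenge (RouterA's
    user1@system) in its own local users to find the password, as in the configuration above."""

    def __init__(self, name, password=None, local_users=None):
        self.name = name
        self.password = password
        self.local_users = local_users or {}

    def respond(self, challenge_pkt):
        code, ident, value, authenticator_name = _chap_unpack(challenge_pkt)
        if code != CHAP_CHALLENGE:
            raise ValueError("not a CHAP Challenge")
        secret = self.password if self.password is not None else self.local_users.get(authenticator_name)
        if secret is None:
            raise LookupError("no password for authenticator %r" % authenticator_name)
        return _chap_packet(CHAP_RESPONSE, ident, chap_response_value(ident, secret, value), self.name)


def demo():
    """Replays the unidirectional CHAP example (user1@system / user2@system, password huawei)."""
    router_a = ChapAuthenticator(b"user1@system", {b"user2@system": b"huawei"})
    router_b = ChapPeer(b"user2@system", local_users={b"user1@system": b"huawei"})
    response = router_b.respond(router_a.challenge())
    results = {"chap_ok": router_a.verify(response)}
    results["chap_replay_rejected"] = not router_a.verify(response)      # same response presented again
    impostor = ChapPeer(b"user2@system", password=b"guess")               # right name, wrong secret
    results["chap_wrong_password_rejected"] = not router_a.verify(impostor.respond(router_a.challenge()))
    # PAP from 9.5.1: the authenticated party's password is readable by anyone on the link.
    pap = pap_authenticate_request(1, b"user1@system", b"huawei")
    results["pap_password_visible"] = b"huawei" in pap
    return results
```

Three checks on the authenticator side carry the security of CHAP: the response must match a challenge the authenticator actually issued, the challenge is discarded after one use so a captured response cannot be replayed, and the digest comparison is constant-time. CHAP still requires both ends to hold the same secret in recoverable form, because the MD5 is computed over the secret itself; that is why user1@system on RouterB and user2@system on RouterA both carry the password huawei in the configuration files.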
9.5.3 Example for Implementing MP by Binding PPP Links to a VT
Networking Requirements
As shown in Figure 9-5-3, two serial interfaces on RouterA connect to two serial interfaces on RouterB. On a large-scale enterprise network, a single link cannot carry a large volume of service traffic. Users want to increase bandwidth in a simple way to ensure data transmission and do not require high security.
Figure 9-5-3 Networking diagram for implementing MP by binding PPP links to a VT
Configuration Roadmap
The configuration roadmap is as follows:
1. Bind the PPP links into an MP group to increase data transmission bandwidth.
2. Bind the PPP links directly to a VT to implement MP in a simple way.
3. PPP authentication is not configured because the users do not require high security.
Procedure
1. Configure RouterA.
# Create and configure a VT interface.
system-view
[Huawei] sysname RouterA
[RouterA] interface virtual-template 1
[RouterA-Virtual-Template1] ip address 10.10.10.9 30
[RouterA-Virtual-Template1] quit
# Bind Serial1/0/0 and Serial1/0/1 to the VT interface so that the physical interfaces work in MP mode.
[RouterA] interface serial 1/0/0
[RouterA-Serial1/0/0] ppp mp virtual-template 1
[RouterA-Serial1/0/0] restart
[RouterA-Serial1/0/0] quit
[RouterA] interface serial 1/0/1
[RouterA-Serial1/0/1] ppp mp virtual-template 1
[RouterA-Serial1/0/1] restart
[RouterA-Serial1/0/1] quit
2. Configure RouterB.
# Create and configure a VT interface.
system-view
[Huawei] sysname RouterB
[RouterB] interface virtual-template 1
[RouterB-Virtual-Template1] ip address 10.10.10.10 30
[RouterB-Virtual-Template1] quit
# Bind Serial1/0/0 and Serial1/0/1 to the VT interface so that the physical interfaces work in MP mode.
[RouterB] interface serial 1/0/0
[RouterB-Serial1/0/0] ppp mp virtual-template 1
[RouterB-Serial1/0/0] restart
[RouterB-Serial1/0/0] quit
[RouterB] interface serial 1/0/1
[RouterB-Serial1/0/1] ppp mp virtual-template 1
[RouterB-Serial1/0/1] restart
[RouterB-Serial1/0/1] quit
3. Verify the configurations.
# Run the display ppp mp command on RouterA to view the MP binding information.
[RouterA] display ppp mp
Template is Virtual-Template1
Bundle 10cd6d925ac6, 2 members, slot 0, Master link is Virtual-Template1:0
0 lost fragments, 0 reordered, 0 unassigned, 0 interleaved, sequence 0/0 rcvd/sent
The bundled sub channels are:
 Serial1/0/0
 Serial1/0/1
Bundle 10cd6d925ac6 indicates that the MP binding is implemented using a VT interface; 10cd6d925ac6 is the endpoint discriminator of the remote device. The MP link contains two member links, Serial1/0/0 and Serial1/0/1.
# Run the display virtual-access command on RouterA to view the VA interface status.
[RouterA] display virtual-access
Virtual-Template1:0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2011-02-09 09:56:31
Description:HUAWEI, AR Series, Virtual-Template1:0 Interface
Route Port,The Maximum Transmit Unit is 1500
Link layer protocol is PPP
LCP opened, MP opened, IPCP opened
Physical is MP
Current system time: 2011-02-09 09:59:16
Last 300 seconds input rate 0 bits/sec, 0 packets/sec
Last 300 seconds output rate 0 bits/sec, 0 packets/sec
Realtime 0 seconds input rate 0 bits/sec, 0 packets/sec
Realtime 0 seconds output rate 0 bits/sec, 0 packets/sec
Input: 0 packets,0 bytes
 0 unicast,0 broadcast,0 multicast
 0 errors,0 unknownprotocol
Output:0 packets,0 bytes
 0 unicast,0 broadcast,0 multicast
 0 errors
Input bandwidth utilization : 0.00%
Output bandwidth utilization : 0.00%
You can obtain similar MP binding information on RouterB.
# Ping RouterA from RouterB.
[RouterB] ping 10.10.10.9
PING 10.10.10.9: 56 data bytes, press CTRL_C to break
Reply from 10.10.10.9: bytes=56 Sequence=1 ttl=255 time=40 ms
Reply from 10.10.10.9: bytes=56 Sequence=2 ttl=255 time=50 ms
Reply from 10.10.10.9: bytes=56 Sequence=3 ttl=255 time=50 ms
Reply from 10.10.10.9: bytes=56 Sequence=4 ttl=255 time=50 ms
Reply from 10.10.10.9: bytes=56 Sequence=5 ttl=255 time=50 ms
--- 10.10.10.9 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/48/50 ms
RouterB can ping RouterA successfully.
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
interface serial 1/0/0
 link-protocol ppp
9.5.4 Example of Implementing MP by Binding PPP Links to an MP-Group
Networking Requirements
As shown in Figure 9-5-4, two serial interfaces on RouterA connect to two serial interfaces on RouterB. On a large-scale enterprise network, a single link cannot carry a large volume of service traffic. Users want to increase bandwidth in a simple and quick way to ensure data transmission, and require high data security.
Figure 9-5-4 Networking diagram of implementing MP by adding PPP links to an MP-Group
Configuration Roadmap
The configuration roadmap is as follows:
1. Bind the PPP links to an MP-Group interface to implement MP in a simple and quick way and to increase data transmission bandwidth.
2. Configure bidirectional CHAP authentication on the physical interfaces to ensure high security.
Procedure
1. Configure RouterA.
# Create and configure an MP-Group interface.
system-view
[Huawei] sysname RouterA
[RouterA] interface mp-group 0/0/1
[RouterA-Mp-group0/0/1] ip address 100.10.10.9 30
[RouterA-Mp-group0/0/1] quit
# Add Serial1/0/0 and Serial1/0/1 to the MP-Group interface and use CHAP authentication. Because the authentication is bidirectional, each router is both authenticator and authenticated party: configure the local user that the peer will present (authenticator role) and the user name and password that the router itself will present (authenticated-party role).
[RouterA] aaa
[RouterA-aaa] local-user userb password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
Warning: The new user supports all access modes. The management user access modes such as Telnet, SSH, FTP, HTTP, and Terminal have security risks. You are advised to configure the required access modes only.
# Restricting the user to service-type ppp addresses the warning above: the account can then be used only for PPP authentication, not for management access.
[RouterA-aaa] local-user userb service-type ppp
[RouterA-aaa] authentication-scheme system_a
[RouterA-aaa-authen-system_a] authentication-mode local
[RouterA-aaa-authen-system_a] quit
[RouterA-aaa] domain system
[RouterA-aaa-domain-system] authentication-scheme system_a
[RouterA-aaa-domain-system] quit
[RouterA-aaa] quit
[RouterA] interface serial 1/0/0
[RouterA-Serial1/0/0] ppp authentication-mode chap domain system
[RouterA-Serial1/0/0] ppp chap user usera
[RouterA-Serial1/0/0] ppp chap password cipher usera@123
[RouterA-Serial1/0/0] ppp mp mp-group 0/0/1
[RouterA-Serial1/0/0] quit
[RouterA] interface serial 1/0/1
[RouterA-Serial1/0/1] ppp authentication-mode chap domain system
[RouterA-Serial1/0/1] ppp chap user usera
[RouterA-Serial1/0/1] ppp chap password cipher usera@123
[RouterA-Serial1/0/1] ppp mp mp-group 0/0/1
[RouterA-Serial1/0/1] quit
2. Configure RouterB.
# Create and configure an MP-Group interface.
system-view
[Huawei] sysname RouterB
[RouterB] interface mp-group 0/0/1
[RouterB-Mp-group0/0/1] ip address 100.10.10.10 30
[RouterB-Mp-group0/0/1] quit
# Add Serial1/0/0 and Serial1/0/1 to the MP-Group interface and use CHAP authentication. As on RouterA, configure the local user that the peer will present and the user name and password that RouterB itself will present.
[RouterB] aaa
[RouterB-aaa] local-user usera password
Please configure the login password (8-128)
It is recommended that the password consist of at least 2 types of characters, including lowercase letters, uppercase letters, numerals and special characters.
Please enter password:
Please confirm password:
Info: Add a new user.
Warning: The new user supports all access modes. The management user access modes such as Telnet, SSH, FTP, HTTP, and Terminal have security risks. You are advised to configure the required access modes only.
[RouterB-aaa] local-user usera service-type ppp
[RouterB-aaa] authentication-scheme system_b
[RouterB-aaa-authen-system_b] authentication-mode local
[RouterB-aaa-authen-system_b] quit
[RouterB-aaa] domain system
[RouterB-aaa-domain-system] authentication-scheme system_b
[RouterB-aaa-domain-system] quit
[RouterB-aaa] quit
[RouterB] interface serial 1/0/0
[RouterB-Serial1/0/0] ppp authentication-mode chap domain system
[RouterB-Serial1/0/0] ppp chap user userb
[RouterB-Serial1/0/0] ppp chap password cipher userb@123
[RouterB-Serial1/0/0] ppp mp mp-group 0/0/1
[RouterB-Serial1/0/0] quit
[RouterB] interface serial 1/0/1
[RouterB-Serial1/0/1] ppp authentication-mode chap domain system
[RouterB-Serial1/0/1] ppp chap user userb
[RouterB-Serial1/0/1] ppp chap password cipher userb@123
[RouterB-Serial1/0/1] ppp mp mp-group 0/0/1
[RouterB-Serial1/0/1] quit
3. Restart the member interfaces on RouterA.
[RouterA] interface serial 1/0/0
[RouterA-Serial1/0/0] restart
[RouterA-Serial1/0/0] quit
[RouterA] interface serial 1/0/1
[RouterA-Serial1/0/1] restart
[RouterA-Serial1/0/1] quit
4. Restart the member interfaces on RouterB, using the commands in step 3.
NOTE: To make the configuration take effect, restart all the member interfaces after the configuration is complete.
5. Verify the configurations.
# Run the display ppp mp command on RouterA to view the MP binding information.
[RouterA] display ppp mp interface Mp-group 0/0/1
Mp-group is Mp-group0/0/1
===========Sublinks status begin======
Serial1/0/0 physical UP,protocol UP
Serial1/0/1 physical UP,protocol UP
===========Sublinks status end========
Bundle Multilink, 2 members, slot 0, Master link is Mp-group0/0/1
0 lost fragments, 0 reordered, 0 unassigned, 0 interleaved, sequence 0/0 rcvd/sent
The bundled sub channels are:
 Serial1/0/0
 Serial1/0/1
The output shows the physical and protocol status of the member links, the number of member links, and the member interfaces of the MP-Group interface.
# Run the display interface mp-group command on RouterA to view the MP-Group interface.
[RouterA] display interface mp-group 0/0/1
Mp-group0/0/1 current state : UP
Line protocol current state : UP
Last line protocol up time : 2011-02-09 10:20:36
Description:HUAWEI, AR Series, Mp-group0/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 100.10.10.9/30
Link layer protocol is PPP
LCP opened, MP opened, IPCP opened
Physical is MP, baudrate is 64000 bps
Current system time: 2011-02-09 10:21:48
Last 300 seconds input rate 0 bytes/sec, 0 packets/sec
Last 300 seconds output rate 0 bytes/sec, 0 packets/sec
Realtime 0 seconds input rate 0 bytes/sec, 0 packets/sec
Realtime 0 seconds output rate 0 bytes/sec, 0 packets/sec
6 packets input, 84 bytes, 0 drops
6 packets output, 84 bytes, 0 drops
Input bandwidth utilization : 0.00%
Output bandwidth utilization : 0.00%
As shown in the preceding output, the MP-Group interface is Up, the link layer protocol is PPP, and LCP, MP and IPCP negotiation are all in Opened state.
You can obtain similar MP binding information on RouterB.
# Ping RouterA from RouterB.
[RouterB] ping 100.10.10.9
PING 100.10.10.9: 56 data bytes, press CTRL_C to break
Reply from 100.10.10.9: bytes=56 Sequence=1 ttl=255 time=40 ms
Reply from 100.10.10.9: bytes=56 Sequence=2 ttl=255 time=50 ms
Reply from 100.10.10.9: bytes=56 Sequence=3 ttl=255 time=60 ms
Reply from 100.10.10.9: bytes=56 Sequence=4 ttl=255 time=50 ms
Reply from 100.10.10.9: bytes=56 Sequence=5 ttl=255 time=50 ms
--- 100.10.10.9 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/50/60 ms
RouterB can ping RouterA successfully.
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
aaa
 authentication-scheme system_a
 domain system
  authentication-scheme system_a
 local-user userb password cipher %@%@3k`38}:/##N~BmPHev|;;rdS%@%@
 local-user userb service-type ppp
#
interface Mp-group0/0/1
 ip address 100.10.10.9 255.255.255.252
#
interface Serial1/0/0
 link-protocol ppp
 ppp authentication-mode chap domain system
 ppp chap user usera
 ppp chap password cipher %@%@57:3#5ir.Q.zAI4:=pJY*a@E%@%@
 ppp mp mp-group 0/0/1
#
interface Serial1/0/1
 link-protocol ppp
 ppp authentication-mode chap domain system
 ppp chap user usera
 ppp chap password cipher %@%@57:3#5ir.Q.zAI5:=pJY*a@E%@%@
 ppp mp mp-group 0/0/1
#
return
Configuration file of RouterB
#
sysname RouterB
#
aaa
 authentication-scheme system_b
 domain system
  authentication-scheme system_b
 local-user usera password cipher %@%@wSj=##g9INJIZ$Ip'6f7;rd!%@%@
 local-user usera service-type ppp
#
interface Mp-group0/0/1
 ip address 100.10.10.10 255.255.255.252
#
interface Serial1/0/0
 link-protocol ppp
 ppp authentication-mode chap domain system
 ppp chap user userb
 ppp chap password cipher %@%@57:3#5ir.Q.zAI5:=pJY*a@E%@%@
 ppp mp mp-group 0/0/1
#
interface Serial1/0/1
 link-protocol ppp
 ppp authentication-mode chap domain system
 ppp chap user userb
 ppp chap password cipher %@%@57:5#5ir.Q.zAI4:=pJY*a@E%@%@
 ppp mp mp-group 0/0/1
#
return
9.5.5 Example for Configuring the PPPoE Server
Networking Requirements
As shown in Figure 9-5-5, hosts in the LAN are connected to the device functioning as the PPPoE server. Hosts on the enterprise network need to dial up to the Internet using PPPoE. PPPoE client software must be installed on each host so that each host can dial up with its own account. The service requirements are as follows:
The PPPoE server dynamically assigns IP addresses to the hosts.
The PPPoE server uses AAA local authentication to authenticate users.
Figure 9-5-5 Networking diagram of the device functioning as the PPPoE server
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a global IP address pool so that the PPPoE server can dynamically assign IP addresses to hosts.
2. Configure a PPPoE user so that the PPPoE server can authenticate the user.
Procedure
1. Configure the global IP address pool pool1.
system-view
[Huawei] ip pool pool1
[Huawei-ip-pool-pool1] network 192.168.10.0 mask 255.255.255.0
[Huawei-ip-pool-pool1] gateway-list 192.168.10.1
[Huawei-ip-pool-pool1] quit
2. Configure the PPPoE user for local authentication. These commands correspond to the aaa section of the configuration file of the PPPoE server at the end of this example.
[Huawei] aaa
[Huawei-aaa] authentication-scheme system_a
[Huawei-aaa-authen-system_a] authentication-mode local
[Huawei-aaa-authen-system_a] quit
[Huawei-aaa] domain system
[Huawei-aaa-domain-system] authentication-scheme system_a
[Huawei-aaa-domain-system] quit
[Huawei-aaa] local-user user1@system password cipher huawei
[Huawei-aaa] local-user user1@system service-type ppp
[Huawei-aaa] quit
3. Create and configure a VT.
[Huawei] interface virtual-template 1
[Huawei-Virtual-Template1] ppp authentication-mode chap domain system
[Huawei-Virtual-Template1] ip address 192.168.10.1 255.255.255.0
[Huawei-Virtual-Template1] remote address pool pool1
[Huawei-Virtual-Template1] quit
4. Enable PPPoE on GE1/0/0 of the PPPoE server.
[Huawei] interface gigabitethernet 1/0/0
[Huawei-GigabitEthernet1/0/0] pppoe-server bind virtual-template 1
[Huawei-GigabitEthernet1/0/0] quit
Verify the configurations.
After the configurations are complete, verify them on both the PPPoE server and the client.
a. PPPoE client
Install PPPoE client software on a host, configure the user name user1@system and the password huawei on the host, and dial up to the PPPoE server.
b. PPPoE server
Run the display pppoe-server session all command to check the PPPoE session status and configuration. The following output shows that the PPPoE session is Up and the session configuration is correct.
display pppoe-server session all
  SID  Intf                  State  OIntf    RemMAC          LocMAC
  10   Virtual-Template1:0   UP     GE1/0/0  0011.0914.1bd3  00e0.fc99.9999
Run the display virtual-access command to view the VA status. LCP and IPCP negotiation are both in Opened state.
display virtual-access
Virtual-Template1:0 current state : UP
Line protocol current state : UP
Last line protocol up time : 2010-03-20 09:59:52
Description:HUAWEI, AR Series, Virtual-Template1:0 Interface
Route Port,The Maximum Transmit Unit is 1492
Link layer protocol is PPP
LCP opened, IPCP opened
Current system time: 2010-03-20 12:01:47
Input bandwidth utilization : 0.00%
Output bandwidth utilization : 0.00%
Configuration Files
Configuration file of the PPPoE server
#
ip pool pool1
 network 192.168.10.0 mask 255.255.255.0
 gateway-list 192.168.10.1
#
aaa
 authentication-scheme system_a
 domain system
  authentication-scheme system_a
 local-user user1@system password cipher %$%$04b=C9LzqIsL.w)N+pU<,g^U%$%$
 local-user user1@system service-type ppp
#
interface Virtual-Template1
 ppp authentication-mode chap domain system
 remote address pool pool1
 ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet1/0/0
 pppoe-server bind Virtual-Template 1
#
return
9.5.6 Example for Configuring the PPPoE Client
Networking Requirements As shown in Figure 9-5-6, the device functioning as the PPPoE client connects to hosts in the LAN using GE1/0/0 and connects to the PPPoE server using GE2/0/0. Users want the hosts to share an account. If the account is authenticated successfully on the PPPoE server, a PPPoE session is established. Service requirements are as follows:
The device establishes a PPPoE session with the PPPoE server using PPP authentication.
When no data needs to be transmitted within the specified period, the PPPoE client terminates the PPPoE session. When data needs to be transmitted, the PPPoE client establishes a PPPoE session with the PPPoE server again.
Figure 9-5-6 Networking diagram of the device functioning as the PPPoE client
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure Challenge Handshake Authentication Protocol (CHAP) authentication on the dialer interface so that the device can establish a PPPoE session with the PPPoE server using PPP authentication.
2. Set the packet triggered mode so that the PPPoE client terminates the PPPoE session when no data is transmitted within the specified period and establishes the PPPoE session again when data needs to be transmitted.
Procedure
1. Configure the PPPoE server.
   Configure the authentication mode, IP address allocation mode, and IP address or IP address pool for the PPPoE client. For details about the configuration procedure, see the documentation of the PPPoE server. If the device functions as the PPPoE server, see Example for Configuring the PPPoE Server.
2. Configure a dialer interface.
   system-view
   [Huawei] dialer-rule
   [Huawei-dialer-rule] dialer-rule 1 ip permit
   [Huawei-dialer-rule] quit
   [Huawei] interface dialer 1
   [Huawei-Dialer1] dialer user user2
   [Huawei-Dialer1] dialer-group 1
   [Huawei-Dialer1] dialer bundle 1
   [Huawei-Dialer1] ppp chap user user1@system
   [Huawei-Dialer1] ppp chap password cipher huawei
   [Huawei-Dialer1] dialer timer idle 300
   INFO: The configuration will become effective after link reset.
   Configure a static route from the local host to the PPPoE server. Assume that the IP address of the PPPoE server is 10.10.10.3.
   [Huawei] ip route-static 0.0.0.0 0 dialer 1
5. Verify the configurations.
   Run the display pppoe-client session summary command to check the PPPoE session status and configuration. The following command output shows that the PPPoE session status is Up and the session configuration is correct.
   display pppoe-client session summary
   PPPoE Client Session:
    ID  Bundle  Dialer  Intf     Client-MAC    Server-MAC    State
    1   1       1       GE2/0/0  00e0fc030201  0819a6cd0680  UP
Configuration Files
Configuration file of the PPPoE client
#
dialer-rule
 dialer-rule 1 ip permit
#
interface Dialer1
 link-protocol ppp
 ip address ppp-negotiate
 dialer user user2
 ppp chap user user1@system
 ppp chap password cipher huawei
 dialer bundle 1
 dialer queue-length 8
 dialer timer idle 300
 dialer-group 1
#
interface GigabitEthernet2/0/0
 pppoe-client dial-bundle-number 1 on-demand
#
ip route-static 0.0.0.0 0.0.0.0 Dialer1
#
return
9.5.7 Example for Configuring IPoFR
Networking Requirements On the FR network, RouterA, RouterB, and RouterC function as DTEs to transmit IP packets. A public FR network connects local area networks (LANs).
Figure 9-5-7 Example for configuring IPoFR (single link)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure FR as the link-layer protocol on the router.
2. Set the operation mode of the interface connecting the router to the public FR network.
3. Configure the virtual circuit ID for each network segment.
4. Configure address mapping for each sub-interface.
Procedure
1. Configure RouterA.
   # Configure FR as the link-layer protocol on the interface.
   system-view
   [Huawei] sysname RouterA
   [RouterA] interface serial 1/0/0
   [RouterA-Serial1/0/0] link-protocol fr
   Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N] :y
   [RouterA-Serial1/0/0] fr interface-type dte
   [RouterA-Serial1/0/0] quit
   # Configure static address mapping.
   [RouterA] interface serial 1/0/0.1
   [RouterA-Serial1/0/0.1] fr dlci 50
   [RouterA-fr-dlci-Serial1/0/0.1-50] quit
   [RouterA-Serial1/0/0.1] ip address 202.38.163.251 24
   [RouterA-Serial1/0/0.1] fr map ip 202.38.163.252 50
   [RouterA-Serial1/0/0.1] quit
   [RouterA] interface serial 1/0/0.2
   [RouterA-Serial1/0/0.2] fr dlci 60
   [RouterA-fr-dlci-Serial1/0/0.2-60] quit
   [RouterA-Serial1/0/0.2] ip address 202.38.164.251 24
   [RouterA-Serial1/0/0.2] fr map ip 202.38.164.252 60
   [RouterA-Serial1/0/0.2] quit
2. Configure RouterB.
   # Configure FR as the link-layer protocol on the interface.
   system-view
   [Huawei] sysname RouterB
   [RouterB] interface serial 1/0/0
   [RouterB-Serial1/0/0] link-protocol fr
   Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N] :y
   [RouterB-Serial1/0/0] fr interface-type dte
   [RouterB-Serial1/0/0] quit
   # Configure static address mapping.
   [RouterB] interface serial 1/0/0.1
   [RouterB-Serial1/0/0.1] fr dlci 70
   [RouterB-fr-dlci-Serial1/0/0.1-70] quit
   [RouterB-Serial1/0/0.1] ip address 202.38.163.252 24
   [RouterB-Serial1/0/0.1] fr map ip 202.38.163.251 70
   [RouterB-Serial1/0/0.1] quit
3. Configure RouterC.
   # Configure FR as the link-layer protocol on the interface.
   system-view
   [Huawei] sysname RouterC
   [RouterC] interface serial 1/0/0
   [RouterC-Serial1/0/0] link-protocol fr
   Warning: The encapsulation protocol of the link will be changed. Continue? [Y/N] :y
   [RouterC-Serial1/0/0] fr interface-type dte
   [RouterC-Serial1/0/0] quit
   # Configure static address mapping.
   [RouterC] interface serial 1/0/0.1
   [RouterC-Serial1/0/0.1] fr dlci 80
   [RouterC-fr-dlci-Serial1/0/0.1-80] quit
   [RouterC-Serial1/0/0.1] ip address 202.38.164.252 24
   [RouterC-Serial1/0/0.1] fr map ip 202.38.164.251 80
   [RouterC-Serial1/0/0.1] quit
4. Verify the configuration.
   RouterA can ping the interface of RouterB.
   [RouterA] ping 202.38.164.252
   PING 202.38.164.252: 56 data bytes, press CTRL_C to break
   Reply from 202.38.164.252: bytes=56 Sequence=1 ttl=255 time=14 ms
   Reply from 202.38.164.252: bytes=56 Sequence=2 ttl=255 time=9 ms
   Reply from 202.38.164.252: bytes=56 Sequence=3 ttl=255 time=9 ms
   Reply from 202.38.164.252: bytes=56 Sequence=4 ttl=255 time=9 ms
   Reply from 202.38.164.252: bytes=56 Sequence=5 ttl=255 time=9 ms
   --- 202.38.164.252 ping statistics ---
   5 packet(s) transmitted
   5 packet(s) received
   0.00% packet loss
   round-trip min/avg/max = 9/10/14 ms
   RouterB can ping the interface of RouterA. RouterA and RouterC can ping each other.
Configuration Files
Configuration file of RouterA
 fr map ip 202.38.164.252 60
 fr dlci 60
 ip address 202.38.164.251 255.255.255.0
#
return
Configuration file of RouterB
#
 sysname RouterB
#
interface Serial1/0/0
 link-protocol fr
#
interface Serial1/0/0.1
 fr map ip 202.38.163.251 70
 fr dlci 70
 ip address 202.38.163.252 255.255.255.0
#
return
Configuration file of RouterC
#
 sysname RouterC
#
interface Serial1/0/0
 link-protocol fr
#
interface Serial1/0/0.1
 fr map ip 202.38.164.251 80
 fr dlci 80
 ip address 202.38.164.252 255.255.255.0
#
return
Chapter 10 STP
10.1 STP/RSTP
10.1.1 Background
STP is used to prevent loops in the LAN. The switching devices running STP discover loops on the network by exchanging information with one another, and block certain interfaces to cut off loops. As LANs have grown in scale, STP has become an important protocol for the LAN.
Figure 10-1-1 Networking diagram for a typical LAN
On the network shown in Figure 10-1-1, the following situations may occur:
Broadcast storms render the network unavailable. It is known that loops lead to broadcast storms. In Figure 10-1-1, assume that STP is not enabled on the switching devices. If Host A broadcasts a request, the request is received by port 1 and forwarded by port 2 on S1 and S2. Then, again on S1 and S2, port 2 receives the request broadcast by the other and port 1 forwards the request. As such transmission repeats, resources on the entire network are exhausted, leaving the network unable to work.
Flapping of the MAC address table damages MAC address entries. As shown in Figure 10-1-1, even the update of MAC address entries upon receipt of unicast packets can damage the MAC address table. Assume that no broadcast storm occurs on the network. Host A unicasts a packet to Host B. If Host B is temporarily removed from the network at this time, the MAC address entries of Host B on S1 and S2 are deleted. The packet unicast by Host A to Host B is received by port 1 on S1. S1, however, does not have associated MAC address entries. Therefore, the unicast packet is forwarded to port 2. Then, port 2 on S2 receives the unicast packet from port 2 on S1 and sends it out through port 1. As such transmission repeats, port 1 and port 2 on S1 and S2 continuously receive unicast packets from Host A. Therefore, S1 and S2 modify the MAC address entries continuously, causing the MAC address table to flap. As a result, MAC address entries are damaged.
10.1.2 Basic Concepts
One Root Bridge
A tree topology must have a root. Therefore, STP introduces the root bridge. There is only one root bridge on the entire STP-capable network. The root bridge is the logical center of the entire network but is not necessarily at its physical center. The root bridge changes dynamically with the network topology. After the network converges, the root bridge generates and sends out configuration BPDUs at specific intervals. Other devices process the configuration BPDUs so that the configuration BPDUs are advertised to the entire network, ensuring a stable network.
Two Types of Measurements
The spanning tree is calculated based on two types of measurements: ID and path cost.
ID
IDs are classified into Bridge IDs (BIDs) and Port IDs (PIDs).
BID
IEEE 802.1D defines that a BID is composed of a 16-bit bridge priority and a bridge MAC address. The bridge priority occupies the leftmost 16 bits and the MAC address occupies the rightmost 48 bits. On an STP-capable network, the device with the smallest BID is selected to be the root bridge.
PID
The PID is composed of a 4-bit port priority and a 12-bit port number. The port priority occupies the leftmost 4 bits and the port number occupies the remaining 12 bits on the right. The PID is used to select the designated port.
NOTE: The port priority affects the role of a port in a specified spanning tree instance. For details, see STP Topology Calculation.
Path cost
The path cost is a port variable and is used to select a link. STP calculates the path cost to select a robust link and blocks redundant links to trim the network into a loop-free tree topology.
On an STP-capable network, the accumulative cost of the path from a certain port to the root bridge is the sum of the costs of all the segment paths into which the path is separated by the ports on the transit bridges.
Three Elements
There are generally three elements used when a ring topology is to be trimmed into a tree topology: root bridge, root port, and designated port. Figure 10-1-2 shows the three elements.
Figure 10-1-2 STP network architecture
Root bridge
The root bridge is the bridge with the smallest BID. The smallest BID is discovered by exchanging configuration BPDUs.
Root port
The root port is the port with the smallest root path cost to the root bridge. The root port is determined based on the path cost. Among all STP-capable ports on a network bridge, the port with the smallest root path cost is the root port. There is only one root port on an STP-capable device, and there is no root port on the root bridge.
Designated port
For a description of the designated bridge and designated port, see Table 10-1-1.
Table 10-1-1 Description of the designated bridge and designated port
Object | Designated Bridge | Designated Port
Device | Device that forwards configuration BPDUs to a directly connected device | Designated bridge port that forwards configuration BPDUs to a device
LAN | Device that forwards configuration BPDUs to a network segment | Designated bridge port that forwards configuration BPDUs to a network segment
As shown in Figure 10-1-3, AP1 and AP2 reside on S1; BP1 and BP2 reside on S2; CP1 and CP2 reside on S3.
S1 sends configuration BPDUs to S2 through AP1. S1 is the designated bridge of S2, and AP1 on S1 is the designated port.
Two devices, S2 and S3, are connected to the LAN. If S2 is responsible for forwarding configuration BPDUs to the LAN, S2 is the designated bridge of the LAN and BP2 on S2 is the designated port.
Figure 10-1-3 Networking diagram of the designated bridge and designated port
After the root bridge, root port, and designated port are selected successfully, the entire tree topology is set up. When the topology is stable, only the root port and the designated port forward traffic. All the other ports are in the Blocking state and receive only STP protocol packets instead of forwarding user traffic.
Four Comparison Principles STP has four comparison principles that form a BPDU priority vector { root BID, total path costs, sender BID, port ID }. Table 10-1-2 shows the port information that is carried in the configuration BPDUs.
Table 10-1-2 Four important fields
Field | Brief Description
Root BID | BID of the root bridge. Each STP-capable network has only one root bridge.
Root path cost | Accumulated path cost from the port sending configuration BPDUs to the root bridge.
Sender BID | BID of the device sending configuration BPDUs.
Port ID | PID of the port sending configuration BPDUs.
After a device on the STP-capable network receives configuration BPDUs, it compares the fields shown in Table 10-1-2 with that of the configuration BPDUs on itself. The four comparison principles are as follows:
NOTE: During the STP calculation, the smaller the value, the higher the priority.
Smallest BID: used to select the root bridge. Devices running STP select the smallest BID as the root BID shown in Table 10-1-2.
Smallest root path cost: used to select the root port on a non-root bridge. On the root bridge, the path cost of each port is 0.
Smallest sender BID: used to select the root port when a device running STP selects the root port between two ports that have the same path cost. The port with a smaller BID is selected as the root port in STP calculation. Assume that the BID of S2 is smaller than that of S3 in Figure 10-1-2. If the path costs in the BPDUs received by port A and port B on S4 are the same, port B becomes the root port.
Smallest PID: used to block the port with a greater PID but not the port with a smaller PID when the ports have the same path cost. The PIDs are compared in the scenario shown in Figure 10-1-4. The PID of port A on S1 is smaller than that of port B. In the BPDUs that are received on port A and port B, the path costs and BIDs of the sending devices are the same. Therefore, port B with a greater PID is blocked to cut off loops.
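The following Python example is added here and is not part of the Huawei material. It packs a BID and a PID with the bit layout given in 10.1.2, represents the BPDU priority vector {root BID, root path cost, sender BID, port ID} so that ordinary ordering applies the four comparison principles (smaller wins at each field), and runs the two tie-break cases described above: Figure 10-1-2, where the smaller sender BID decides between equal path costs, and Figure 10-1-4, where the receiving port with the greater PID is blocked. The MAC addresses, port numbers, and path costs are constructed for the example; the use of the local PID as the final tie-break when all four received fields are equal follows the PID principle stated above.

```python
from dataclasses import dataclass


def make_bid(bridge_priority: int, mac: str) -> int:
    """64-bit BID: the 16-bit bridge priority in the upper bits, the 48-bit MAC below it."""
    if not 0 <= bridge_priority <= 0xFFFF:
        raise ValueError("bridge priority must fit in 16 bits")
    return (bridge_priority << 48) | int(mac.replace("-", "").replace(":", ""), 16)


def make_pid(port_priority: int, port_number: int) -> int:
    """16-bit PID: the 4-bit port priority followed by the 12-bit port number."""
    if not (0 <= port_priority <= 0xF and 0 <= port_number <= 0xFFF):
        raise ValueError("port priority needs 4 bits, port number 12 bits")
    return (port_priority << 12) | port_number


@dataclass(frozen=True, order=True)
class PriorityVector:
    """{root BID, root path cost, sender BID, port ID}.  The fields are declared in
    comparison order and a smaller value means a higher priority, so the generated
    ordering is exactly the four comparison principles."""
    root_bid: int
    root_path_cost: int
    sender_bid: int
    port_id: int


def select_root_port(heard: dict) -> tuple:
    """heard maps a port name to (that port's own PID, the vector received on it).
    The port holding the best vector becomes the root port.  When vectors tie on
    all four fields, the smaller local PID wins and the other ports are blocked."""
    ranked = sorted(heard, key=lambda name: (heard[name][1], heard[name][0]))
    return ranked[0], ranked[1:]


# Constructed bridges: S1 is the root; S2 has the smaller BID of S2 and S3 (Figure 10-1-2).
S1 = make_bid(0, "00-e0-fc-00-00-01")
S2 = make_bid(32768, "00-e0-fc-00-00-02")
S3 = make_bid(32768, "00-e0-fc-00-00-03")


def figure_10_1_2() -> tuple:
    """S4 hears the same root path cost on port A (from S3) and port B (from S2);
    the smaller sender BID decides, so port B becomes the root port."""
    heard = {
        "port A": (make_pid(8, 1), PriorityVector(S1, 20, S3, make_pid(8, 1))),
        "port B": (make_pid(8, 2), PriorityVector(S1, 20, S2, make_pid(8, 1))),
    }
    return select_root_port(heard)


def figure_10_1_4() -> tuple:
    """S1 hears vectors on port A and port B that are identical in all four fields;
    port A has the smaller PID, so port B is blocked to cut off the loop."""
    same = PriorityVector(S2, 0, S2, make_pid(8, 3))
    heard = {"port A": (make_pid(8, 1), same), "port B": (make_pid(8, 2), same)}
    return select_root_port(heard)


if __name__ == "__main__":
    print("Figure 10-1-2 (root port, blocked):", figure_10_1_2())
    print("Figure 10-1-4 (root port, blocked):", figure_10_1_4())
```

The default bridge priority 32768 and default port priority 8 in the sample values are the common 802.1D defaults, used here only as illustrative inputs; `make_pid(8, 1)` yields the familiar 0x8001.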
Figure 10-1-4 Topology to which PID comparison is applied
Five Port States
Table 10-1-3 shows the port states of an STP-capable device.
Table 10-1-3 Port states
Port State | Purpose | Description
Forwarding | A port in the Forwarding state can forward user traffic and process BPDUs. | Only the root port and designated port can enter the Forwarding state.
Learning | When a device has a port in the Learning state, the device creates a MAC address table based on the received user traffic but does not forward user traffic. | This is a transitional state, which is designed to prevent temporary loops.
Listening | All ports are in the Listening state when STP calculation is being implemented to determine port roles. | This is a transitional state.
Blocking | A port in the Blocking state receives and forwards only BPDUs, not user traffic. | This is the final state of a blocked port.
Disabled | A port in the Disabled state does not process BPDUs or forward user traffic. | The port is Down.
Figure 10-1-5 shows the process of the state transition of a port.
Figure 10-1-5 State transition of a port
CAUTION: A Huawei datacom device uses MSTP by default. After a device transitions from the MSTP mode to the STP mode, its STP-capable port supports the same port states as those supported by an MSTP-capable port, including the Forwarding, Learning, and Discarding states. For details, see Table 10-1-4.
Table 10-1-4 Port status
Port Status | Description
Forwarding | A port in the Forwarding state can forward user traffic and process BPDUs.
Learning | A port in the Learning state learns MAC addresses from user traffic to construct a MAC address table. A port in the Learning state processes BPDUs.
Discarding | A port in the Discarding state can only receive BPDUs.
The following parameters affect the STP-capable port states and convergence.
Hello time
The Hello timer specifies the interval at which an STP-capable device sends configuration BPDUs and Hello packets to detect link faults. When the network topology becomes stable, the change made on the interval takes effect only after a new root bridge takes over. The new root bridge adds certain fields in BPDUs to inform non-root bridges of the change in the interval. After a topology changes, TCN BPDUs will be sent. This interval is irrelevant to the transmission of TCN BPDUs.
Forward Delay
The Forward Delay timer specifies the delay for interface status transition. When a link fault occurs, STP recalculation is performed, causing the structure of the spanning tree to change. The configuration BPDUs generated during STP recalculation cannot be immediately transmitted over the entire network. If the root port and designated port forward data immediately after being selected, transient loops may occur. Therefore, an interface status transition mechanism is introduced by STP. The newly selected root port and designated port do not forward data until an amount of time equal to twice the forward delay has passed. In this manner, the newly generated BPDUs can be transmitted over the network before the newly selected root port and designated port forward data, which prevents transient loops.
NOTE: The Forward Delay timer specifies the duration of a port spent in both the Listening and Learning states. The default value is 15 seconds. This means that the port stays in the Listening state for 15 seconds and then stays in the Learning state for another 15 seconds. The port in the Listening or Learning state is blocked, which is key to preventing transient loops.
Max Age
The Max Age time specifies the aging time of BPDUs. The Max Age time can be manually configured on the root bridge. Configuration BPDUs are transmitted over the entire network, ensuring a unique Max Age value. After a non-root bridge running STP receives a configuration BPDU, the non-root bridge compares the Message Age value with the Max Age value in the received configuration BPDU.
If the Message Age value is smaller than or equal to the Max Age value, the non-root bridge forwards the configuration BPDU.
If the Message Age value is larger than the Max Age value, the configuration BPDU ages and the non-root bridge directly discards it. In this case, the network size is considered too large and the non-root bridge disconnects from the root bridge.
NOTE: If the configuration BPDU is sent from the root bridge, the value of Message Age is 0. Otherwise, the value of Message Age indicates the total time during which a BPDU is sent from the root bridge to the local bridge, including the delay in transmission. In real world situations, each time a configuration BPDU passes through a bridge, the value of Message Age increases by 1.
Table 10-1-5 shows the timer values defined in IEEE 802.1D.
Table 10-1-5 Values of STP parameters (in centiseconds)
Parameter | Default Value | Value Range
Hello time | 200 | 100-1000
Max Age | 2000 | 600-4000
Forward Delay | 1500 | 400-3000
10.1.3 BPDU Format
The BID, path cost, and PID that are described in the previous sections are all carried in BPDUs.
Configuration BPDUs are heartbeat packets. STP-enabled designated ports send BPDUs at intervals specified by the Hello timer.
TCN BPDUs are sent only after the device detects network topology changes.
A BPDU is encapsulated into an Ethernet frame. Its destination MAC address is a multicast MAC address 01-80-C2-00-00-00. The value of the Length/Type field is the MAC data length. The Length/Type field is followed by the LLC header and BPDU header. Figure 10-1-6 shows the Ethernet frame format.
Figure 10-1-6 Format of an Ethernet frame
Configuration BPDU
Configuration BPDUs are most commonly used. During initialization, each bridge actively sends configuration BPDUs. After the network topology becomes stable, only the root bridge actively sends configuration BPDUs. Other bridges send configuration BPDUs only after receiving configuration BPDUs from upstream devices. A configuration BPDU is at least 35 bytes long, including the parameters such as the BID, path cost, and PID. A BPDU is discarded if both the sender BID and Port ID field values are the same as those of the local port. Otherwise, the BPDU is processed. In this manner, BPDUs containing the same information as that of the local port are not processed. A configuration BPDU is generated in one of the following scenarios:
Once the ports are enabled with STP, the designated ports send configuration BPDUs at intervals specified by the Hello timer.
When a root port receives configuration BPDUs, the device where the root port resides sends a copy of the configuration BPDUs to the specified ports on itself.
When receiving a configuration BPDU with a lower priority, a designated port immediately sends its own configuration BPDUs to the downstream device.
Table 10-1-6 shows the format of a BPDU.
Table 10-1-6 BPDU format
Field | Byte | Description
Protocol Identifier | 2 | Always 0
Version | 1 | Always 0
BPDU Type | 1 | Indicates the type of a BPDU. The value is one of the following: 0x00: configuration BPDU; 0x80: TCN BPDU
Flags | 1 | Indicates whether the network topology is changed. The rightmost bit is the Topology Change (TC) flag. The leftmost bit is the Topology Change Acknowledgement (TCA) flag.
Root Identifier | 8 | Indicates the BID of the current root bridge.
Root Path Cost | 4 | Indicates the cumulative cost of all links to the root bridge.
Bridge Identifier | 8 | Indicates the BID of the bridge sending a BPDU.
Port Identifier | 2 | Indicates the ID of the port sending a BPDU.
Message Age | 2 | Records the time since the root bridge originally generated the information that a BPDU is derived from. If the configuration BPDU is sent from the root bridge, the value of Message Age is 0. Otherwise, the value of Message Age indicates the total time during which a BPDU is sent from the root bridge to the local bridge, including the delay in transmission. In real world situations, each time a configuration BPDU passes through a bridge, the value of Message Age increases by 1.
Max Age | 2 | Indicates the maximum time that a BPDU is saved.
Hello Time | 2 | Indicates the interval at which BPDUs are sent.
Forward Delay | 2 | Indicates the time spent in the Listening and Learning states.
Figure 10-1-7 shows the Flags field. Only the leftmost and rightmost bits are used in STP.
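The following Python decoder is added here and is not part of the Huawei material. It walks the frame layout described in this section (destination MAC 01-80-C2-00-00-00, a Length/Type field carrying the MAC data length, the LLC header, then the 35-byte configuration BPDU of Table 10-1-6), extracts the TC and TCA bits from the Flags field, and applies the Message Age versus Max Age rule a non-root bridge uses before forwarding a BPDU. Two details are 802.1D facts not spelled out on this page: the LLC header for STP is DSAP 0x42, SSAP 0x42, control 0x03, and the four timer fields are encoded in units of 1/256 second. The MAC addresses, path cost, and timer values in the sample frames are constructed.

```python
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")   # destination 01-80-C2-00-00-00
LLC_HEADER = bytes([0x42, 0x42, 0x03])          # DSAP 0x42, SSAP 0x42, UI control (802.1D)
CONFIG_BPDU = struct.Struct("!HBBB8sI8sHHHHH")  # the 35-byte configuration BPDU of Table 10-1-6
CONFIG_TYPE, TCN_TYPE = 0x00, 0x80
TC_FLAG, TCA_FLAG = 0x01, 0x80                  # rightmost bit = TC, leftmost bit = TCA


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def fmt_mac(raw: bytes) -> str:
    return "-".join(f"{b:02x}" for b in raw)


def bid_bytes(priority: int, mac: str) -> bytes:
    """8-byte BID: 16-bit bridge priority followed by the 48-bit MAC address."""
    return struct.pack("!H", priority) + mac_bytes(mac)


def decode_bid(raw: bytes) -> tuple:
    priority, mac = struct.unpack("!H6s", raw)
    return priority, fmt_mac(mac)


def build_config_frame(src_mac, root, root_cost, sender, port_id, message_age_s,
                       flags=0, max_age_s=20, hello_s=2, forward_delay_s=15) -> bytes:
    """802.3 frame carrying a configuration BPDU; timer fields are in 1/256 s units."""
    bpdu = CONFIG_BPDU.pack(0, 0, CONFIG_TYPE, flags, bid_bytes(*root), root_cost,
                            bid_bytes(*sender), port_id, message_age_s * 256,
                            max_age_s * 256, hello_s * 256, forward_delay_s * 256)
    payload = LLC_HEADER + bpdu
    return STP_MULTICAST + mac_bytes(src_mac) + struct.pack("!H", len(payload)) + payload


def build_tcn_frame(src_mac) -> bytes:
    """802.3 frame carrying the 4-byte TCN BPDU (Protocol ID, Version, Type only)."""
    payload = LLC_HEADER + struct.pack("!HBB", 0, 0, TCN_TYPE)
    return STP_MULTICAST + mac_bytes(src_mac) + struct.pack("!H", len(payload)) + payload


def parse_stp_frame(frame: bytes) -> dict:
    """Check the frame headers and return the BPDU fields; raise ValueError otherwise."""
    if len(frame) < 14 + 3 + 4:
        raise ValueError("too short for an LLC header and a BPDU")
    if frame[:6] != STP_MULTICAST:
        raise ValueError("not addressed to the STP multicast MAC")
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500:                      # an EtherType, so not the 802.3 length form
        raise ValueError("Length/Type field is not a length")
    if frame[14:17] != LLC_HEADER:
        raise ValueError("LLC header is not the STP SAP")
    bpdu = frame[17:14 + length]
    if len(bpdu) != length - 3:
        raise ValueError("frame truncated")
    protocol, version, bpdu_type = struct.unpack("!HBB", bpdu[:4])
    if protocol != 0 or version != 0:
        raise ValueError("unknown protocol identifier or version")
    if bpdu_type == TCN_TYPE:
        return {"type": "TCN", "sender_mac": fmt_mac(frame[6:12])}
    if bpdu_type != CONFIG_TYPE or len(bpdu) != CONFIG_BPDU.size:
        raise ValueError("malformed configuration BPDU")
    (_, _, _, flags, root, cost, sender, port_id,
     message_age, max_age, hello, forward_delay) = CONFIG_BPDU.unpack(bpdu)
    return {
        "type": "Configuration",
        "tc": bool(flags & TC_FLAG), "tca": bool(flags & TCA_FLAG),
        "root": decode_bid(root), "root_path_cost": cost, "sender": decode_bid(sender),
        "port_priority": port_id >> 12, "port_number": port_id & 0x0FFF,
        "message_age_s": message_age / 256, "max_age_s": max_age / 256,
        "hello_s": hello / 256, "forward_delay_s": forward_delay / 256,
    }


def should_forward(bpdu: dict) -> bool:
    """Non-root bridge rule: forward while Message Age <= Max Age, otherwise the BPDU has aged out."""
    return bpdu["type"] == "Configuration" and bpdu["message_age_s"] <= bpdu["max_age_s"]


# Constructed samples: BPDUs relayed by a non-root bridge two hops from the root,
# one fresh and one whose Message Age already exceeds the 20 s Max Age.
ROOT = (0, "00-e0-fc-00-00-01")
SENDER = (32768, "00-e0-fc-00-00-02")
FRESH = build_config_frame(SENDER[1], ROOT, 38, SENDER, 0x8001, message_age_s=2, flags=TC_FLAG)
STALE = build_config_frame(SENDER[1], ROOT, 38, SENDER, 0x8001, message_age_s=21)

if __name__ == "__main__":
    for name, frame in (("fresh", FRESH), ("stale", STALE), ("tcn", build_tcn_frame("00-e0-fc-00-00-03"))):
        fields = parse_stp_frame(frame)
        print(name, fields["type"], "forward" if should_forward(fields) else "discard")
```

The parser rejects a frame whose Length/Type field holds an EtherType, whose LLC header is not the STP SAP, or whose BPDU is shorter than the declared length, so a malformed or truncated BPDU is dropped before any field is interpreted.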
Figure 10-1-7 Format of the Flags field
TCN BPDU
The contents of TCN BPDUs are quite simple, including only three fields: Protocol ID, Version, and Type, as shown in Table 10-1-6. The value of the Type field is 0x80, and a TCN BPDU is four bytes in length. TCN BPDUs are transmitted by each device to its upstream device to notify the upstream device of changes in the downstream topology, until they reach the root bridge. A TCN BPDU is generated in one of the following scenarios:
Where the port is in the Forwarding state and at least one designated port resides on the device
Where a designated port receives TCN BPDUs and sends a copy to the root bridge
10.1.4 STP Topology Calculation
After all devices on the network are enabled with STP, each device considers itself the root bridge. Each device only transmits and receives BPDUs but does not forward user traffic. All ports are in the Listening state. After exchanging configuration BPDUs, all devices participate in the selection of the root bridge, root port, and designated port.
BPDU Exchange As shown in Figure 10-1-8, the quadruple marked with {} indicates a set of ordered vectors: root BID (S1_MAC and S2_MAC indicates the BIDs of two devices), total path costs, sender BID, and Port ID. Configuration BPDUs are sent at intervals set by the Hello timer.
Figure 10-1-8 Exchange of initialization messages
STP algorithm implementation
1. Initialization
   As each bridge considers itself the root bridge, the value of the root BID field in the BPDU sent by each port is recorded as its BID. The value of the Root Path Cost field is the accumulative cost of all links to the root bridge; the sender BID is the ID of the local bridge; the Port ID is the PID of the local bridge port that sends the BPDU.
2. Root bridge selection
   During network initialization, every device considers itself as the root bridge and the root bridge ID as the device ID. Devices exchange configuration BPDUs to compare the root bridge IDs. The device with the smallest BID is elected as the root bridge.
3. Root port and designated port selection
   Table 10-1-7 lists the process of selecting the root port and designated port.
Table 10-1-7 Selecting the root port and designated port
No. | Procedure
1 | The non-root bridge uses the port that receives the optimal configuration BPDU as the root port. Table 10-1-8 lists the process of selecting the optimal configuration BPDU.
2 | The device calculates a BPDU for each designated port based on the BPDU and path cost of the root port: the root bridge ID is replaced with the root bridge ID of the BPDU on the root interface; the root path cost is replaced with the root path cost in the BPDU on the root interface plus the path cost of the root interface; the sender BID is replaced with the device ID; the designated port ID is replaced with the port ID.
3 | The device compares the calculated BPDU with the BPDU on the port. If the calculated BPDU is of higher priority, the port is selected as the designated port, its BPDU is replaced by the calculated BPDU, and the port periodically sends the calculated BPDU. If the BPDU of the port is of higher priority, the BPDU on the port is not updated and the port is blocked; the port only receives BPDUs, and does not forward data or send BPDUs.
Table 10-1-8 Selecting the optimal BPDU
No. | Procedure
1 | Each port compares the received BPDU with its BPDU. If the received BPDU has a lower priority, the port discards the received BPDU and does not process its BPDU. If the received BPDU has a higher priority, the port replaces its BPDU with the received BPDU.
2 | The device compares BPDUs on all the ports and selects the optimal BPDU.
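The following Python simulation is added here and is not part of the Huawei material. It implements the procedure of Tables 10-1-7 and 10-1-8 as rounds of BPDU exchange followed by role selection, and runs it on the network of Figure 10-1-9 (DeviceA, DeviceB, and DeviceC with priorities 0, 1, and 2; link costs 5 between A and B, 10 between A and C, and 4 between B and C). As in Table 10-1-9, the bare priority stands in for the BID; the numeric port IDs (Port A1 = 1, Port A2 = 2, and so on) and the round-based delivery model are constructed for the example. The code is general: any set of bridges and links built the same way converges to the same root, root ports, designated ports, and blocked ports the procedure specifies.

```python
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    pid: int            # constructed numeric port ID, the fourth element of the vector
    link_cost: int      # path cost of the attached link
    peer: tuple         # (neighbour BID, neighbour port name)
    bpdu: tuple = ()    # {root BID, root path cost, sender BID, port ID}
    role: str = "undecided"


@dataclass
class Bridge:
    bid: int            # the bridge priority stands in for the full BID, as in Table 10-1-9
    ports: dict = field(default_factory=dict)


def initialise(bridges):
    """Initialization: every bridge announces itself as root on every port."""
    for b in bridges.values():
        for p in b.ports.values():
            p.bpdu, p.role = (b.bid, 0, b.bid, p.pid), "undecided"


def exchange(bridges):
    """Deliver each sending port's BPDU to its peer.  Root and blocked ports only
    receive.  A received BPDU of higher priority replaces the port's own (Table 10-1-8)."""
    sent = {(b.bid, p.name): p.bpdu
            for b in bridges.values() for p in b.ports.values()
            if p.role in ("undecided", "designated")}
    for b in bridges.values():
        for p in b.ports.values():
            received = sent.get(p.peer)
            if received is not None and received < p.bpdu:
                p.bpdu = received


def select_roles(bridge):
    """Table 10-1-7: the port holding the optimal BPDU is the root port; every other
    port compares a calculated BPDU with the one it holds and is designated or blocked."""
    root_port = min(bridge.ports.values(), key=lambda p: p.bpdu)
    if root_port.bpdu[2] == bridge.bid:
        # its own BPDU is optimal on every port: this bridge is the root, all ports designated
        for p in bridge.ports.values():
            p.bpdu, p.role = (bridge.bid, 0, bridge.bid, p.pid), "designated"
        return
    root_bid, root_cost = root_port.bpdu[0], root_port.bpdu[1]
    for p in bridge.ports.values():
        if p is root_port:
            p.role = "root"
            continue
        calculated = (root_bid, root_cost + root_port.link_cost, bridge.bid, p.pid)
        if calculated <= p.bpdu:          # equal means the port already holds its own calculated BPDU
            p.bpdu, p.role = calculated, "designated"
        else:
            p.role = "blocked"            # keeps the better BPDU heard on the segment, stops sending


def snapshot(bridges):
    return tuple((b.bid, p.name, p.role, p.bpdu)
                 for b in bridges.values() for p in b.ports.values())


def run_stp(bridges, max_rounds=32) -> dict:
    """Run rounds of exchange and role selection until nothing changes."""
    initialise(bridges)
    for b in bridges.values():
        select_roles(b)
    for _ in range(max_rounds):
        before = snapshot(bridges)
        exchange(bridges)
        for b in bridges.values():
            select_roles(b)
        if snapshot(bridges) == before:
            break
    return {b.bid: {p.name: (p.role, p.bpdu) for p in b.ports.values()}
            for b in bridges.values()}


def figure_10_1_9() -> dict:
    """DeviceA, DeviceB, DeviceC with priorities 0, 1, 2 and link costs A-B 5, A-C 10, B-C 4."""
    bridges = {bid: Bridge(bid) for bid in (0, 1, 2)}
    links = [((0, "Port A1"), (1, "Port B1"), 5),
             ((0, "Port A2"), (2, "Port C1"), 10),
             ((1, "Port B2"), (2, "Port C2"), 4)]
    for end_a, end_b, cost in links:
        for (bid, name), peer in ((end_a, end_b), (end_b, end_a)):
            pid = len(bridges[bid].ports) + 1       # constructed PIDs: A1 -> 1, A2 -> 2, ...
            bridges[bid].ports[name] = Port(name, pid, cost, peer)
    return bridges


if __name__ == "__main__":
    for bid, ports in run_stp(figure_10_1_9()).items():
        for name, (role, bpdu) in ports.items():
            print(f"Device{'ABC'[bid]} {name}: {role:10s} {bpdu}")
```

After convergence DeviceA is the root with both ports designated, Port B1 and Port C1 are root ports, Port B2 is the designated port of the B-C segment with the calculated BPDU {0, 5, 1, Port B2}, and Port C2 is blocked because the {0, 5, 1, Port B2} it hears beats its own calculated {0, 10, 2, Port C2}.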
STP Calculation Example
When the root bridge, root port, and designated port are selected successfully, the whole tree topology is set up. The following example describes STP calculation.
Figure 10-1-9 STP networking and topology after calculation
As shown in Figure 10-1-9, priorities of DeviceA, DeviceB, and DeviceC are 0, 1, and 2, and the path costs between DeviceA and DeviceB, between DeviceA and DeviceC, and between DeviceB and DeviceC are 5, 10, and 4 respectively.
1. Initial state of each device
   Table 10-1-9 lists the initial state of each device.
Table 10-1-9 Initial state of each device
Device | Port Name | BPDU
DeviceA | Port A1 | {0, 0, 0, Port A1}
DeviceA | Port A2 | {0, 0, 0, Port A2}
DeviceB | Port B1 | {1, 0, 1, Port B1}
DeviceB | Port B2 | {1, 0, 1, Port B2}
DeviceC | Port C1 | {2, 0, 2, Port C1}
DeviceC | Port C2 | {2, 0, 2, Port C2}
2. Comparison and result
Table 10-1-10 lists the comparison and result.

NOTE: The fields in the BPDU represent {root bridge ID, accumulated root path cost, sender BID, transmit port ID (PID)}.

Table 10-1-10 Topology calculation and result

Device: DeviceA
Comparison:
Port A1 receives the BPDU {1, 0, 1, Port B1} from Port B1 and finds that its own BPDU {0, 0, 0, Port A1} has higher priority than the received BPDU, so Port A1 discards the BPDU {1, 0, 1, Port B1}.
Port A2 receives the BPDU {2, 0, 2, Port C1} from Port C1 and finds that its own BPDU {0, 0, 0, Port A2} has higher priority than the received BPDU, so Port A2 discards the BPDU {2, 0, 2, Port C1}.
After finding that both the root bridge and the designated bridge in the BPDU on each of its ports are itself, DeviceA considers itself the root. DeviceA then sends BPDUs from each port periodically without modifying them.
BPDU after comparison:
Port A1: {0, 0, 0, Port A1}
Port A2: {0, 0, 0, Port A2}

Device: DeviceB
Comparison:
Port B1 receives the BPDU {0, 0, 0, Port A1} from Port A1 and finds that the received BPDU has higher priority than its own BPDU {1, 0, 1, Port B1}, so Port B1 updates its BPDU.
Port B2 receives the BPDU {2, 0, 2, Port C2} from Port C2 and finds that its own BPDU {1, 0, 1, Port B2} has higher priority than the received BPDU, so Port B2 discards the BPDU {2, 0, 2, Port C2}.
BPDU after comparison:
Port B1: {0, 0, 0, Port A1}
Port B2: {1, 0, 1, Port B2}
Comparison:
DeviceB compares the BPDUs on its ports and finds that the BPDU on Port B1 has the highest priority, so Port B1 becomes the root port and its BPDU remains unchanged.
DeviceB calculates the BPDU {0, 5, 1, Port B2} for Port B2 from the BPDU of the root port and the path cost of the root port (0 + 5), and compares it with the BPDU {1, 0, 1, Port B2} on Port B2. The calculated BPDU has higher priority, so Port B2 becomes the designated port; its BPDU is replaced by the calculated BPDU, which is then sent periodically.
BPDU after comparison:
Root port (Port B1): {0, 0, 0, Port A1}
Designated port (Port B2): {0, 5, 1, Port B2}

Device: DeviceC
Comparison:
Port C1 receives the BPDU {0, 0, 0, Port A2} from Port A2 and finds that the received BPDU has higher priority than its own BPDU {2, 0, 2, Port C1}, so Port C1 updates its BPDU.
Port C2 receives the BPDU {1, 0, 1, Port B2} from Port B2 and finds that the received BPDU has higher priority than its own BPDU {2, 0, 2, Port C2}, so Port C2 updates its BPDU.
BPDU after comparison:
Port C1: {0, 0, 0, Port A2}
Port C2: {1, 0, 1, Port B2}
Comparison:
DeviceC compares the BPDUs on its ports and finds that the BPDU on Port C1 has the highest priority, so Port C1 becomes the root port and its BPDU remains unchanged.
DeviceC calculates the BPDU {0, 10, 2, Port C2} for Port C2 from the BPDU and path cost of the root port (0 + 10), and compares it with the BPDU {1, 0, 1, Port B2} on Port C2. The calculated BPDU has higher priority, so Port C2 becomes the designated port and its BPDU is replaced by the calculated BPDU.
BPDU after comparison:
Root port (Port C1): {0, 0, 0, Port A2}
Designated port (Port C2): {0, 10, 2, Port C2}
Comparison:
Port C2 receives the BPDU {0, 5, 1, Port B2} from Port B2 and finds that the received BPDU has higher priority than its own BPDU {0, 10, 2, Port C2}, so Port C2 updates its BPDU.
Port C1 receives the BPDU {0, 0, 0, Port A2} from Port A2 and finds that it is the same as its own BPDU, so Port C1 discards the received BPDU.
BPDU after comparison:
Port C1: {0, 0, 0, Port A2}
Port C2: {0, 5, 1, Port B2}
Comparison:
DeviceC finds that the root path cost through Port C1 is larger than the root path cost through Port C2, so the BPDU on Port C2 has higher priority than that on Port C1. The root path cost of Port C1 is 10 (root path cost 0 in the BPDU plus link path cost 10), and the root path cost of Port C2 is 9 (root path cost 5 in the BPDU plus link path cost 4). Port C2 therefore becomes the root port and its BPDU remains unchanged.
DeviceC calculates the BPDU {0, 9, 2, Port C1} for Port C1 from the BPDU and path cost of the root port, and compares it with the BPDU {0, 0, 0, Port A2} held on Port C1. The BPDU held on Port C1 has higher priority, so Port C1 is blocked and its BPDU remains unchanged. Port C1 does not forward data until an STP recalculation is triggered, for example when the link between DeviceB and DeviceC goes Down.
BPDU after comparison:
Blocked port (Port C1): {0, 0, 0, Port A2}
Root port (Port C2): {0, 5, 1, Port B2}
After the topology becomes stable, the root bridge still sends configuration BPDUs at intervals set by the Hello timer. Each non-root bridge forwards the received configuration BPDUs by using its designated port. If the priority of the received BPDU is higher than that on the non-root bridge, the non-root bridge updates its own BPDU based on the information carried in the received BPDU.
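The election of Table 10-1-10 carried out in code, as an added example that is not part of the Huawei material. It models a BPDU as the vector {root bridge ID, root path cost, sender BID, port ID} and repeats the "compare received with held, elect root port, recompute designated BPDUs" cycle until nothing changes. Bridge IDs equal to the stated priorities, the port names, and the `LINKS` list are assumptions taken from Figure 10-1-9; the algorithm is the general one, so other topologies can be substituted.

```python
"""Added example, not from the HCIE material: the STP election of
Table 10-1-10 run as code on the Figure 10-1-9 topology.

Assumptions: bridge IDs equal the stated priorities (0, 1, 2); port IDs are the
port names; links and costs are those given in the text. The algorithm itself
is the general one, so other topologies can be dropped into LINKS.
"""
from collections import namedtuple

# {root bridge ID, root path cost, sender BID, port ID}; a smaller tuple wins.
BPDU = namedtuple("BPDU", "root cost sender port")

PRIORITY = {"A": 0, "B": 1, "C": 2}
LINKS = [  # (bridge, port), (bridge, port), link cost, as in Figure 10-1-9
    (("A", "A1"), ("B", "B1"), 5),
    (("A", "A2"), ("C", "C1"), 10),
    (("B", "B2"), ("C", "C2"), 4),
]


def neighbours(links=LINKS):
    """Map each (bridge, port) to (peer (bridge, port), link cost)."""
    peer = {}
    for end1, end2, cost in links:
        peer[end1] = (end2, cost)
        peer[end2] = (end1, cost)
    return peer


def run_stp(priority=PRIORITY, links=LINKS):
    """Exchange BPDUs until nothing changes; return {(bridge, port): (role, BPDU)}."""
    peer = neighbours(links)
    rx_best = {bp: None for bp in peer}                 # best BPDU received on each port
    # Initial state (Table 10-1-9): every port advertises its own bridge as root.
    sent = {bp: BPDU(priority[bp[0]], 0, priority[bp[0]], bp[1]) for bp in peer}
    result = {}
    changed = True
    while changed:
        changed = False
        # Each port keeps the better of its stored BPDU and what its peer sends.
        for bp, (other, _) in peer.items():
            rx = sent.get(other)
            if rx is not None and (rx_best[bp] is None or rx < rx_best[bp]):
                rx_best[bp] = rx
                changed = True
        # Each bridge elects its root port, then decides the role of every other port.
        for bridge, bid in priority.items():
            ports = [bp for bp in peer if bp[0] == bridge]
            # Only BPDUs naming a better root than this bridge can make it a non-root.
            cands = [bp for bp in ports if rx_best[bp] is not None and rx_best[bp].root < bid]
            if cands:
                # Root path cost through a port = cost in its BPDU + cost of the attached link.
                root_port = min(cands, key=lambda bp: (rx_best[bp].root,
                                                       rx_best[bp].cost + peer[bp][1],
                                                       rx_best[bp].sender, rx_best[bp].port))
                root_id = rx_best[root_port].root
                root_cost = rx_best[root_port].cost + peer[root_port][1]
            else:                                       # this bridge is the root
                root_port, root_id, root_cost = None, bid, 0
            for bp in ports:
                if bp == root_port:
                    role, bpdu = "root", rx_best[bp]
                else:
                    calc = BPDU(root_id, root_cost, bid, bp[1])
                    if rx_best[bp] is None or calc < rx_best[bp]:
                        role, bpdu = "designated", calc      # advertise the calculated BPDU
                    else:
                        role, bpdu = "blocked", rx_best[bp]  # segment already has a better BPDU
                advertise = bpdu if role == "designated" else None
                if sent.get(bp) != advertise:                # only designated ports send
                    changed = True
                    if advertise is None:
                        sent.pop(bp, None)
                    else:
                        sent[bp] = advertise
                result[bp] = (role, bpdu)
    return result


if __name__ == "__main__":
    for (bridge, port), (role, bpdu) in sorted(run_stp().items()):
        print(f"Device{bridge} {port}: {role:10s} {tuple(bpdu)}")
```

Running it prints the final column of Table 10-1-10: Port C1 ends up blocked holding {0, 0, 0, A2}, Port C2 is DeviceC's root port holding {0, 5, 1, B2}, and Port B2 advertises {0, 5, 1, B2}. Note that received BPDUs are never aged out here; a real bridge discards them after Max Age, which is what makes recalculation after a link failure possible.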
STP Topology Changes
Figure 10-1-10 shows the packet transmission process after the STP topology changes.

Figure 10-1-10 Diagram of packet transmission after the topology changes

1. After the network topology changes, a downstream device continuously sends TCN BPDUs to an upstream device.
2. After the upstream device receives TCN BPDUs from the downstream device, only the designated port processes them. The other ports may receive TCN BPDUs but do not process them.
3. The upstream device sets the TCA bit of the Flags field in the configuration BPDUs to 1 and returns the configuration BPDUs to instruct the downstream device to stop sending TCN BPDUs.
4. The upstream device sends a copy of the TCN BPDUs to the root bridge.
5. Steps 1 to 4 are repeated until the root bridge receives the TCN BPDUs.
6. The root bridge sets the TC bit of the Flags field in the configuration BPDUs to 1 to instruct the downstream devices to delete their MAC address entries.

NOTE:
TCN BPDUs are used to inform the upstream device and the root bridge of topology changes.
Configuration BPDUs with the TCA bit set to 1 are used by the upstream device to inform the downstream device that the topology change is known and to instruct it to stop sending TCN BPDUs.
Configuration BPDUs with the TC bit set to 1 are used by the upstream device to inform the downstream device of topology changes and to instruct it to delete MAC address entries. In this manner, fast network convergence is achieved.
10.1.5 Evolution from STP to RSTP
In 2001, IEEE 802.1w was published to introduce an extension of the Spanning Tree Protocol (STP), the Rapid Spanning Tree Protocol (RSTP). RSTP is developed based on STP but outperforms it.

Disadvantages of STP
STP ensures a loop-free network but converges slowly after a topology change, which degrades service. If the topology changes frequently, connections on an STP network are frequently torn down, causing service interruptions that users can hardly tolerate. The disadvantages of STP are as follows:
Port states and port roles are not clearly distinguished, which makes the protocol harder to learn and deploy. A protocol that defines and distinguishes the different situations precisely tends to outperform one that does not.
Ports in the Listening, Learning, and Blocking states all refuse to forward user traffic; from the user's point of view they are indistinguishable.
From the perspective of use and configuration, what really distinguishes ports is the port role rather than the port state. A root port and a designated port may both be in the Listening state or both be in the Forwarding state.
The STP algorithm only concludes that the topology has changed after a timer expires, which slows down network convergence.
The STP algorithm requires a stable network topology. After the root bridge sends configuration BPDUs, every other device must process them before the configuration BPDUs reach the entire network. This also slows down topology convergence.

Advantages of RSTP over STP
RSTP merges three of the five STP port states into one, adds two port roles, and decouples the port state from the port role. In addition, RSTP provides enhanced features and protection measures to achieve network stability and fast convergence.
More port roles are defined, which makes the protocol easier to understand and deploy.
Figure 10-1-11 Diagram of port roles As shown in Figure 10-1-11, RSTP defines four port roles: root port, designated port, alternate port, and backup port. The functions of the root port and designated port are the same as those defined in STP. The alternate port and backup port are described as follows:
From the perspective of configuration BPDU transmission:
An alternate port is blocked after learning the configuration BPDUs sent by other bridges.
A backup port is blocked after learning the configuration BPDUs sent by itself.
From the perspective of user traffic:
An alternate port backs up the root port and provides an alternate path from the designated bridge to the root bridge.
A backup port backs up the designated port and provides an alternate path from the root bridge to the related network segment.
After all RSTP-capable ports are assigned roles, topology convergence is completed.
Port states are redefined in RSTP. Port states are simplified from five types to three types. Based on whether a port forwards user traffic and learns MAC addresses, the port is in one of the following states:
If a port neither forwards user traffic nor learns MAC addresses, the port is in the Discarding state.
If a port does not forward user traffic but learns MAC addresses, the port is in the Learning state.
If a port forwards user traffic and learns MAC addresses, the port is in the Forwarding state.
Table 10-1-11 shows the comparison between port states in STP and RSTP.

NOTE: Port states and port roles are not necessarily related. Table 10-1-11 lists the states of ports with different roles.

Table 10-1-11 Comparison between states of STP ports and RSTP ports with different roles
STP Port State    RSTP Port State    Port Role
Forwarding        Forwarding         Root port or designated port
Learning          Learning           Root port or designated port
Listening         Discarding         Root port or designated port
Blocking          Discarding         Alternate port or backup port
Disabled          Discarding         Disabled port
Configuration BPDUs in RSTP are defined differently. Port roles are encoded in the Flags field, most of which STP left reserved. Compared with STP, RSTP slightly redefines the configuration BPDU format:
The Type field is set to 2 rather than 0, and the Protocol Version Identifier is 2. An STP-only device does not recognize such BPDUs and ignores them, whereas an RSTP-capable device still accepts the configuration BPDUs of an STP-capable device so that the two can interoperate (see Interoperability between RSTP and STP).
The 6 bits in the middle of the original Flags field, reserved in STP, are now used. Such a configuration BPDU is called an RST BPDU, as shown in Figure 10-1-12.
Figure 10-1-12 Format of the Flags field in an RST BPDU
Configuration BPDUs are processed in a different manner.
Transmission of configuration BPDUs In STP, after the topology becomes stable, the root bridge sends configuration BPDUs at an interval set by the Hello timer. A non-root bridge does not send configuration BPDUs until it receives configuration BPDUs sent from the upstream device. This renders the STP calculation complicated and time-consuming. In RSTP, after the topology becomes stable, a non-root bridge sends configuration BPDUs at Hello intervals, regardless of whether it has received the configuration BPDUs sent from the root bridge. Such operations are implemented on each device independently.
BPDU timeout period In STP, a device has to wait a Max Age period before determining a negotiation failure. In RSTP, if a port does not receive configuration BPDUs sent from the upstream device for three consecutive Hello intervals, the negotiation between the local device and its peer fails.
Processing of inferior BPDUs In RSTP, when a port receives an RST BPDU from the upstream designated bridge, the port compares the received RST BPDU with its own RST BPDU. If its own RST BPDU is superior to the received one, the port discards the received RST BPDU and immediately responds to the upstream device with its own RST BPDU. After receiving the RST BPDU, the upstream device updates its own RST BPDU based on the corresponding fields in the received RST BPDU. In this manner, RSTP processes inferior BPDUs more rapidly, independent of any timer that is used in STP.
Rapid convergence
Proposal/agreement mechanism When a port is selected as a designated port, in STP the port does not enter the Forwarding state until a Forward Delay period expires; in RSTP the port enters the Discarding state, and the proposal/agreement mechanism then allows it to enter the Forwarding state immediately. The proposal/agreement mechanism must be applied on P2P links in full-duplex mode. For details, see Details about RSTP.
Fast switchover of the root port If the root port fails, the most superior alternate port on the network becomes the root port and enters the Forwarding state. This is because there must be a path from the root bridge to a designated port on the network segment connecting to the alternate port. When the port role changes, the network topology accordingly changes. For details, see Details about RSTP.
Edge ports In RSTP, a designated port on the network edge is called an edge port. An edge port directly connects to a terminal and does not connect to any other switching devices. An edge port does not receive configuration BPDUs, so it does not participate in the RSTP calculation. It can directly change from the Disabled state to the Forwarding state without any delay, just like an STP-incapable port. If an edge port receives bogus configuration BPDUs from attackers, it is deprived of the edge port attributes and becomes a common STP port. The STP calculation is implemented again, causing network flapping.
Protection functions
Table 10-1-12 shows the protection functions provided by RSTP.

Table 10-1-12 Protection functions

Protection function: BPDU protection
Scenario: On a switching device, ports that are directly connected to a user terminal such as a PC or file server are configured as edge ports. Normally no RST BPDU arrives at an edge port. If a switching device receives bogus RST BPDUs on an edge port, it automatically turns the edge port into a non-edge port and performs the STP calculation again, which causes network flapping.
Principle: After BPDU protection is enabled on a switching device, if an edge port receives an RST BPDU, the switching device shuts the edge port down without removing its edge attribute and notifies the NMS of the shutdown event.

Protection function: Root protection
Scenario: Because of misconfiguration or a malicious attack, the root bridge may receive RST BPDUs with a higher priority. The valid root bridge then loses its role and the network topology changes incorrectly. Traffic that should travel over high-speed links is forced over low-speed links, causing network congestion.
Principle: If root protection is enabled on a designated port, the port role cannot be changed. Once a designated port with root protection receives RST BPDUs with a higher priority, the port enters the Discarding state and stops forwarding packets. If the port receives no further RST BPDUs with a higher priority within a period (generally two Forward Delay periods), it automatically returns to the Forwarding state.
NOTE: Root protection can take effect only on designated ports.

Protection function: Loop protection
Scenario: On an RSTP network, a switching device maintains the state of its root port and blocked ports by continually receiving BPDUs from the upstream switching device. If these ports stop receiving BPDUs because of link congestion or a unidirectional link failure, the switching device re-selects a root port: the previous root port becomes a designated port and the blocked ports change to the Forwarding state. As a result, loops may form on the network.
Principle: After loop protection is configured, if the root port or an alternate port does not receive RST BPDUs from the upstream switching device for a long time, the switching device notifies the NMS and the port enters the Discarding state. The blocked port stays blocked and does not forward packets, which prevents loops. The root port or alternate port returns to the Forwarding state after it receives new RST BPDUs.
NOTE: Loop protection can take effect only on the root port and alternate ports.

Protection function: TC BPDU attack defense
Scenario: After receiving TC BPDUs, a switching device deletes its MAC entries and ARP entries. In a malicious attack that sends bogus TC BPDUs, the switching device receives a large number of TC BPDUs within a short period and spends its time deleting MAC and ARP entries. The switching device is heavily loaded and the network becomes unstable.
Principle: After TC BPDU attack defense is enabled, the number of TC BPDUs that the switching device processes within a given period is configurable. If the number of TC BPDUs received within that period exceeds the specified threshold, the switching device processes TC BPDUs only the specified number of times; the excess TC BPDUs are processed together, once, after the period expires. In this manner, the switching device is prevented from frequently deleting its MAC and ARP entries.
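The decision logic of three of the Table 10-1-12 protections, modelled on a single port, as an added example that is not Huawei code. It shows what an attacker's BPDU actually does to a port with BPDU protection or root protection enabled, and how TC BPDU attack defense turns a flood of TC BPDUs into a bounded number of MAC/ARP flushes. The class names, the Forward Delay value, the `nms` callback and the time arguments are assumptions; the two-Forward-Delay recovery window and the "process the threshold, then once more after the period" behaviour follow the table.

```python
"""Added example (not a vendor implementation): BPDU protection, root
protection and TC BPDU attack defense from Table 10-1-12 on one port.
Times are plain seconds passed in by the caller (assumption).
"""
from collections import namedtuple

BPDU = namedtuple("BPDU", "root cost sender port")   # smaller tuple = higher priority
FORWARD_DELAY = 15                                   # seconds, 802.1D default (assumption)


class GuardedPort:
    def __init__(self, name, own_bpdu, edge=False, root_protection=False, nms=None):
        self.name = name
        self.own = own_bpdu          # BPDU this designated port advertises
        self.edge = edge
        self.root_protection = root_protection
        self.nms = nms or (lambda msg: None)   # NMS notification hook (assumption)
        self.state = "Forwarding"
        self.recover_at = None       # root protection: when to leave Discarding

    def receive(self, bpdu, now):
        """Apply BPDU protection, then root protection, to one received RST BPDU."""
        if self.edge:
            # BPDU protection: an edge port must never see a BPDU. Shut the port
            # instead of demoting it to a normal port and recomputing STP.
            self.state = "ErrorDown"
            self.nms(f"{self.name}: BPDU received on edge port, port shut down")
            return self.state
        if self.root_protection and bpdu < self.own:
            # Root protection: a superior BPDU on a designated port means another
            # bridge is trying to become root. Keep the role, stop forwarding.
            self.state = "Discarding"
            self.recover_at = now + 2 * FORWARD_DELAY
            self.nms(f"{self.name}: superior BPDU {bpdu}, Discarding until t={self.recover_at}")
        return self.state

    def tick(self, now):
        """Root protection recovery: no superior BPDU seen for two Forward Delays."""
        if self.state == "Discarding" and self.recover_at is not None and now >= self.recover_at:
            self.state, self.recover_at = "Forwarding", None
        return self.state


class TcDefense:
    """TC BPDU attack defense: process at most `threshold` TC BPDUs per `period`
    seconds; excess TC BPDUs are honoured by a single flush when the period ends."""

    def __init__(self, threshold=1, period=2):
        self.threshold, self.period = threshold, period
        self.window_start, self.processed, self.pending = None, 0, False
        self.flushes = 0             # MAC/ARP flushes actually performed

    def _roll(self, now):
        if self.window_start is None or now - self.window_start >= self.period:
            if self.pending:         # deferred TC BPDUs are handled once, now
                self.flushes += 1
            self.window_start, self.processed, self.pending = now, 0, False

    def receive_tc(self, now):
        self._roll(now)
        if self.processed < self.threshold:
            self.processed += 1
            self.flushes += 1        # within budget: flush immediately
        else:
            self.pending = True      # over budget: remember, flush once later
        return self.flushes

    def tick(self, now):
        self._roll(now)
        return self.flushes
```

With `threshold=1, period=2`, three bogus TC BPDUs arriving inside two seconds cost two flushes (one immediate, one deferred) instead of three; a thousand would still cost two. Note that loop protection is not modelled here because it reacts to the absence of BPDUs, which needs a receive timer rather than a per-BPDU decision.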
10.1.6 Details about RSTP

P/A Mechanism
The Proposal/Agreement (P/A) mechanism helps a designated port enter the Forwarding state as soon as possible. As shown in Figure 10-1-13, a new link is established between the root bridge S1 and the bridge S2. On S2, p2 is an alternate port; p3 is a designated port in the Forwarding state; p4 is an edge port.

Figure 10-1-13 Schematic diagram for the P/A negotiation

The P/A mechanism works in the following process:
1. p0 and p1 become designated ports and send RST BPDUs.
2. After receiving an RST BPDU with a higher priority, p1 determines that it will become a root port rather than a designated port. p1 then stops sending RST BPDUs.
3. p0 enters the Discarding state and sends RST BPDUs with the Proposal field set to 1.
4. After receiving an RST BPDU with the Proposal field set to 1, S2 sets the sync variable to 1 for all its ports.
5. As p2 is already blocked, its state remains unchanged; p4 is an edge port and does not participate in the calculation. Therefore, only the non-edge designated port p3 needs to be blocked.
6. Once p2, p3, and p4 are synchronized (p3 having entered the Discarding state), their synced variables are set to 1. The synced variable of the root port p1 is then set to 1, and p1 sends an RST BPDU with the Agreement field set to 1 to S1. This RST BPDU is identical to the one received, except that the Agreement field is set to 1 and the Proposal field is set to 0.
7. After receiving this RST BPDU, S1 identifies it as the reply to the proposal it just sent, and p0 immediately enters the Forwarding state.
This P/A negotiation finishes, and S2 continues the P/A negotiation with its downstream device.

In theory, STP can quickly select a designated port, but to prevent loops it must wait long enough to determine the state of every port on the network, so a port can enter the Forwarding state only after at least two Forward Delay periods (Listening, then Learning). RSTP removes this bottleneck by having the downstream bridge block its non-root, non-edge ports (the sync step) to prevent loops; with the P/A mechanism, the upstream port can then rapidly enter the Forwarding state.
NOTE: To use the P/A mechanism, ensure that the link between the two devices is a P2P link in full-duplex mode. Once the P/A negotiation fails, a designated port can be selected by performing the STP negotiation after the forwarding delay timer expires twice.
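The handshake of Figure 10-1-13 as an added example that is not part of the Huawei material: two bridge objects exchange RST BPDU flag sets, and S2 applies the sync rule of steps 4 to 6 to decide which of its ports must be blocked before it may answer with an Agreement. The port names and starting states follow the figure description; the `Port`/`Bridge` classes and the dictionary form of the BPDU are assumptions made for this illustration.

```python
"""Added example (not a vendor implementation): the P/A negotiation of
Figure 10-1-13. A BPDU is a dict of flags; only proposal/agreement matter here.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    role: str                      # root / designated / alternate
    state: str = "Discarding"      # Discarding / Learning / Forwarding
    edge: bool = False
    sync: bool = False
    synced: bool = False


@dataclass
class Bridge:
    name: str
    ports: dict = field(default_factory=dict)

    def add(self, *ports):
        for p in ports:
            self.ports[p.name] = p
        return self

    def handle_proposal(self, rx_port, bpdu):
        """Steps 4 to 6: set sync on every port, block non-edge designated ports,
        then answer with an Agreement on the port that becomes the root port."""
        if not bpdu.get("proposal"):
            return None
        root = self.ports[rx_port]
        root.role = "root"                      # step 2: p1 becomes the root port
        for p in self.ports.values():
            p.sync = True
        for p in self.ports.values():
            if p is root:
                continue
            if p.edge:                          # p4: edge ports are left alone
                p.synced = True
            elif p.state == "Discarding":       # p2: already blocked, nothing to do
                p.synced = True
            else:                               # p3: non-edge designated port, block it
                p.state = "Discarding"
                p.synced = True
        if all(p.synced for p in self.ports.values() if p is not root):
            root.synced = True
            # Same BPDU as received, except Proposal cleared and Agreement set.
            return dict(bpdu, proposal=False, agreement=True)
        return None

    def handle_agreement(self, rx_port, bpdu):
        """Step 7: the designated port that proposed goes straight to Forwarding."""
        p = self.ports[rx_port]
        if bpdu.get("agreement") and p.role == "designated":
            p.state = "Forwarding"
        return p.state


def pa_negotiation():
    """Run the exchange between S1 (root bridge, port p0) and S2 of Figure 10-1-13."""
    s1 = Bridge("S1").add(Port("p0", "designated"))
    s2 = Bridge("S2").add(
        Port("p1", "designated"),                           # becomes the root port
        Port("p2", "alternate"),                            # already Discarding
        Port("p3", "designated", state="Forwarding"),       # non-edge, must be synced
        Port("p4", "designated", state="Forwarding", edge=True),
    )
    # Step 3: p0 is Discarding and sends a Proposal over the new P2P link.
    proposal = {"root": "S1", "proposal": True, "agreement": False}
    agreement = s2.handle_proposal("p1", proposal)
    if agreement is not None:
        s1.handle_agreement("p0", agreement)
    return s1, s2, agreement
```

The point the code makes explicit is the cost of the handshake: p0 goes Forwarding without any timer, but only because S2 first cut p3 off, which is where S2's own downstream negotiation then has to start.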
RSTP Topology Change In RSTP, if a non-edge port changes to the Forwarding state, the topology changes. After a switching device detects the topology change (TC), it performs the following procedures:
Start a TC While Timer for every non-edge port. The TC While Timer value is twice the Hello Timer value. All MAC addresses learned on the ports whose state changed are cleared before the timer expires. These ports send RST BPDUs with the TC field set to 1. Once the TC While Timer expires, they stop sending these RST BPDUs.
After another switching device receives the RST BPDU, it clears the MAC addresses learned by all ports excluding the one that receives the RST BPDU. The device then starts a TC While Timer for all non-edge ports and the root port, the same as the preceding process.
In this manner, RST BPDUs flood the network.
Interoperability between RSTP and STP When RSTP switches to STP, RSTP loses its advantages such as fast convergence. On a network where both STP-capable and RSTP-capable devices are deployed, STP-capable devices ignore RST BPDUs; if a port on an RSTP-capable device receives a configuration BPDU from an STP-capable device, the port switches to the STP mode after two Hello intervals and starts to send configuration BPDUs. In this manner, RSTP and STP are interoperable. After STP-capable devices are removed, Huawei RSTP-capable datacom devices can switch back to the RSTP mode.
10.2 MSTP Principles

10.2.1 MSTP Background
RSTP, an enhancement to STP, implements fast convergence of the network topology. Both RSTP and STP share a defect: all VLANs on a LAN use one spanning tree, and VLAN-based load balancing cannot be performed. Once a link is blocked, it no longer carries traffic, which wastes bandwidth and can prevent certain VLAN packets from being forwarded.
Figure 10-2-1 STP/RSTP defect On the network shown in Figure 10-2-1, STP or RSTP is enabled. The broken line shows the spanning tree. S6 is the root switching device. The links between S1 and S4 and between S2 and S5 are blocked. VLAN packets are transmitted by using the corresponding links marked with "VLAN2" or "VLAN3." Host A and Host B belong to VLAN 2 but they cannot communicate with each other because the link between S2 and S5 is blocked and the link between S3 and S6 denies packets from VLAN 2. To fix the defect of STP and RSTP, the IEEE released 802.1s in 2002, defining the Multiple Spanning Tree Protocol (MSTP). MSTP implements fast convergence and provides multiple paths to load balance VLAN traffic. MSTP divides a switching network into multiple regions, each of which has multiple spanning trees that are independent of each other. Each spanning tree is called a Multiple Spanning Tree Instance (MSTI) and each region is called a Multiple Spanning Tree (MST) region.
NOTE: An instance is a collection of VLANs. Binding multiple VLANs to an instance saves communication costs and reduces resource usage. The topology of each MSTI is calculated independent of one another, and traffic can be balanced among MSTIs. Multiple VLANs that have the same topology can be mapped to one instance. The forwarding status of the VLANs for a port is determined by the port status in the MSTI.
Figure 10-2-2 Multiple spanning trees in an MST region As shown in Figure 10-2-2, MSTP maps VLANs to MSTIs in the VLAN mapping table. Each VLAN can be mapped to only one MSTI. This means that traffic of a VLAN can be transmitted in only one MSTI. An MSTI, however, can correspond to multiple VLANs. Two spanning trees are calculated:
MSTI 1 uses S4 as the root switching device to forward packets of VLAN 2.
MSTI 2 uses S6 as the root switching device to forward packets of VLAN 3.
In this manner, devices within the same VLAN can communicate with each other; packets of different VLANs are load balanced along different paths.
10.2.2 Basic MSTP Concepts MSTP Network Hierarchy As shown in Figure 10-2-3, the MSTP network consists of one or more MST regions. Each MST region contains one or more MSTIs. An MSTI is a tree network consisting of switching devices running STP, RSTP, or MSTP.
Figure 10-2-3 MSTP network hierarchy
MST Region An MST region contains multiple switching devices and network segments between them. The switching devices of one MST region have the following characteristics:
MSTP-enabled
Same region name
Same VLAN-MSTI mappings
Same MSTP revision level
A LAN can comprise several MST regions that are directly or indirectly connected. Multiple switching devices can be grouped into an MST region by using MSTP configuration commands. As shown in Figure 10-2-4, the MST region D0 contains the switching devices S1, S2, S3, and S4, and has three MSTIs.
Figure 10-2-4 MST region
VLAN Mapping Table The VLAN mapping table is an attribute of the MST region. It describes mappings between VLANs and MSTIs. As shown in Figure 10-2-4, the mappings in the VLAN mapping table of the MST region D0 are as follows:
VLAN 1 is mapped to MSTI 1.
VLAN 2 and VLAN 3 are mapped to MSTI 2.
Other VLANs are mapped to MSTI 0.
Regional Root Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional roots. In the region B0, C0, and D0 on the network shown in Figure 10-2-6, the switching devices closest to the Common and Internal Spanning Tree (CIST) root are IST regional roots. An MST region can contain multiple spanning trees, each called an MSTI. An MSTI regional root is the root of the MSTI. On the network shown in Figure 10-2-5, each MSTI has its own regional root.
Figure 10-2-5 MSTI MSTIs are independent of each other. An MSTI can correspond to one or more VLANs, but a VLAN can be mapped to only one MSTI.
Master Bridge The master bridge is the IST master, which is the switching device closest to the CIST root in a region, for example, S1 shown in Figure 10-2-4. If the CIST root is in an MST region, the CIST root is the master bridge of the region.
CIST Root
Figure 10-2-6 MSTP network
On the network shown in Figure 10-2-6, the CIST root is the root bridge of the CIST. The CIST root is a device in A0.
CST A Common Spanning Tree (CST) connects all the MST regions on a switching network. If each MST region is considered a node, the CST is calculated by using STP or RSTP based on all the nodes. As shown in Figure 10-2-6, the MST regions are connected to form a CST.
IST
An IST resides within an MST region. An IST is a special MSTI with MSTI ID 0, called MSTI 0. An IST is the segment of the CIST inside an MST region. As shown in Figure 10-2-6, the switching devices in an MST region are connected to form an IST.
CIST A CIST, calculated by using STP or RSTP, connects all the switching devices on a switching network. As shown in Figure 10-2-6, the ISTs and the CST form a complete spanning tree, the CIST.
SST A Single Spanning Tree (SST) is formed in either of the following situations:
A switching device running STP or RSTP belongs to only one spanning tree.
An MST region has only one switching device.
As shown in Figure 10-2-6, the switching device in B0 forms an SST.
Port Role Based on RSTP, MSTP has two additional port types. MSTP ports can be root ports, designated ports, alternate ports, backup ports, edge ports, master ports, and regional edge port. The functions of root ports, designated ports, alternate ports, and backup ports have been defined in RSTP. Table 10-2-1 lists all port roles in MSTP.
NOTE: Except for edge ports, all ports participate in the MSTP calculation. A port can play different roles in different spanning tree instances.

Table 10-2-1 Port roles

Port Role: Root port
Description: A root port is the port on a non-root bridge that is closest to the root bridge. Root bridges do not have root ports. Root ports send data toward the root bridge. As shown in Figure 10-2-7, S1 is the root; CP1 is the root port on S3; BP1 is the root port on S2.

Port Role: Designated port
Description: The designated port on a switching device forwards BPDUs to the downstream switching device. As shown in Figure 10-2-7, AP2 and AP3 are designated ports on S1; CP2 is a designated port on S3.

Port Role: Alternate port
Description: From the perspective of sending BPDUs, an alternate port is blocked after it receives a BPDU sent by another bridge. From the perspective of user traffic, an alternate port provides an alternate path to the root bridge, different from the path through the root port. As shown in Figure 10-2-7, BP2 is an alternate port.

Port Role: Backup port
Description: From the perspective of sending BPDUs, a backup port is blocked after it receives a BPDU sent by its own bridge. From the perspective of user traffic, a backup port provides a backup (redundant) path to a segment to which a designated port already connects. As shown in Figure 10-2-7, CP3 is a backup port.

Port Role: Master port
Description: A master port is on the shortest path connecting an MST region to the CIST root. BPDUs of an MST region are sent to the CIST root through the master port. Master ports are special regional edge ports: they act as root ports in the IST or CIST and as master ports in the MSTIs. As shown in Figure 10-2-8, S1, S2, S3, and S4 form an MST region. AP1 on S1, the port in the region nearest to the CIST root, is the master port.

Port Role: Regional edge port
Description: A regional edge port is located at the edge of an MST region and connects to another MST region or an SST. During the MSTP calculation, a regional edge port has the same role in every MSTI as in the CIST instance. If the regional edge port is the master port in the CIST instance, it is the master port in all the MSTIs of the region. As shown in Figure 10-2-8, AP1, DP1, and DP2 in an MST region are directly connected to other regions and are therefore all regional edge ports of the MST region. AP1 is the master port in the CIST, so AP1 is the master port in every MSTI in the MST region.

Port Role: Edge port
Description: An edge port is located at the edge of an MST region and does not connect to any switching device. Generally, edge ports are directly connected to terminals.
Figure 10-2-7 Root port, designated port, alternate port, and backup port
Figure 10-2-8 Master port and regional edge port
MSTP Port Status
Table 10-2-2 lists the MSTP port status, which is the same as the RSTP port status.

Table 10-2-2 Port status
Port Status: Forwarding
Description: A port in the Forwarding state can send and receive BPDUs as well as forward user traffic.
Port Status: Learning
Description: A port in the Learning state learns MAC addresses from user traffic to build its MAC address table. In the Learning state, the port can send and receive BPDUs but does not forward user traffic.
Port Status: Discarding
Description: A port in the Discarding state can only receive BPDUs.
There is no necessary link between the port status and the port role. Table 10-2-3 lists the relationships between port roles and port status.

Table 10-2-3 Relationships between port roles and port status
Port Status    Root Port/Master Port    Designated Port    Regional Edge Port    Alternate Port    Backup Port
Forwarding     Yes                      Yes                Yes                   No                No
Learning       Yes                      Yes                Yes                   No                No
Discarding     Yes                      Yes                Yes                   Yes               Yes

NOTE: Yes: The port supports this status. No: The port does not support this status.
10.2.3 MST BPDUs
MSTP calculates spanning trees on the basis of Multiple Spanning Tree Bridge Protocol Data Units (MST BPDUs). By transmitting MST BPDUs, spanning tree topologies are computed, network topologies are maintained, and topology changes are conveyed. Table 10-2-4 shows the differences between TCN BPDUs and configuration BPDUs defined by STP, RST BPDUs defined by RSTP, and MST BPDUs defined by MSTP.

Table 10-2-4 Differences between BPDUs
Version    Type    Name
0          0x00    Configuration BPDU
0          0x80    TCN BPDU
2          0x02    RST BPDU
3          0x02    MST BPDU
MST BPDU Format
Figure 10-2-9 shows the MST BPDU format.
Figure 10-2-9 MST BPDU format
The first 36 bytes of an intra-region or inter-region MST BPDU are the same as those of an RST BPDU. Fields from the 37th byte of an MST BPDU are MSTP-specific. The field MSTI Configuration Messages consists of configuration messages of multiple MSTIs. Table 10-2-5 lists the major information carried in an MST BPDU.
Table 10-2-5 Major information carried in an MST BPDU (Field, Byte, Description)
Protocol Identifier (2 bytes): Indicates the protocol identifier.
Protocol Version Identifier (1 byte): Indicates the protocol version identifier. 0 indicates STP; 2 indicates RSTP; 3 indicates MSTP.
BPDU Type (1 byte): Indicates the BPDU type. 0x00: Configuration BPDU for STP; 0x80: TCN BPDU for STP; 0x02: RST BPDU or MST BPDU.
CIST Flags (1 byte): Indicates the CIST flags.
CIST Root Identifier (8 bytes): Indicates the CIST root switching device ID.
CIST External Path Cost (4 bytes): Indicates the total path costs from the MST region where the switching device resides to the MST region where the CIST root switching device resides. This value is calculated based on link bandwidth.
CIST Regional Root Identifier (8 bytes): Indicates the ID of the regional root switching device on the CIST, that is, the IST master ID. If the root is in this region, the CIST Regional Root Identifier is the same as the CIST Root Identifier.
CIST Port Identifier (2 bytes): Indicates the ID of the designated port in the IST.
Message Age (2 bytes): Indicates the lifecycle of the BPDU.
Max Age (2 bytes): Indicates the maximum lifecycle of the BPDU. If the Max Age timer expires, it is considered that the link to the root fails.
Hello Time (2 bytes): Indicates the Hello timer value. The default value is 2 seconds.
Forward Delay (2 bytes): Indicates the forwarding delay timer. The default value is 15 seconds.
Version 1 Length (1 byte): Indicates the BPDUv1 length, which has a fixed value of 0.
Version 3 Length (2 bytes): Indicates the BPDUv3 length.
MST Configuration Identifier (51 bytes): Indicates the MST configuration identifier, which has four fields.
CIST Internal Root Path Cost (4 bytes): Indicates the total path costs from the local port to the IST master. This value is calculated based on link bandwidth.
CIST Bridge Identifier (8 bytes): Indicates the ID of the designated switching device on the CIST.
CIST Remaining Hops (1 byte): Indicates the remaining hops of the BPDU in the CIST.
MSTI Configuration Messages (16 bytes each, may be absent): Indicates an MSTI configuration message. Each MSTI configuration message occupies 16 bytes. If there are n MSTIs, MSTI configuration messages are of n x 16 bytes.
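The byte sizes in Table 10-2-5 are all that is needed to decode a captured MST BPDU, which is what a monitoring tool does when it checks that the root ID, region name and timers arriving on a port are the expected ones. The following Python decoder is an added example, not code from the Huawei material: it applies the layout of Table 10-2-5, names the four sub-fields of the MST Configuration Identifier as IEEE 802.1s defines them (Format Selector, Configuration Name, Revision Level, Configuration Digest), and builds a constructed sample BPDU to run against; the priorities, MAC address, region name RG1 and the all-zero digest in that sample are made up.

```python
"""Decode an MST BPDU into the fields of Table 10-2-5.

Added example, not code from the Huawei material. Field sizes follow
Table 10-2-5; the four sub-fields of the MST Configuration Identifier
(Format Selector, Configuration Name, Revision Level, Configuration Digest)
follow IEEE 802.1s. The sample BPDU built below is constructed.
"""
import struct
from typing import Dict, List, Tuple

PROTOCOL_VERSION_MSTP = 3
BPDU_TYPE_RST_OR_MST = 0x02

# The first 36 bytes (Protocol Identifier through Version 1 Length) are the
# same as in an RST BPDU; Version 3 Length introduces the MSTP-specific part.
RST_HEADER = struct.Struct(">HBBB8sI8sHHHHHB")   # 36 bytes
V3_LENGTH = struct.Struct(">H")                   # 2 bytes
MST_CONFIG_ID = struct.Struct(">B32sH16s")        # 51 bytes: selector, name, revision, digest
CIST_TAIL = struct.Struct(">I8sB")                # 13 bytes: IRPC, CIST Bridge ID, Remaining Hops
MSTI_MSG = struct.Struct(">B8sIBBB")              # 16 bytes per MSTI configuration message
FIXED_V3 = MST_CONFIG_ID.size + CIST_TAIL.size    # 64 bytes before any MSTI message


def decode_bridge_id(raw: bytes) -> Tuple[int, str]:
    """Bridge ID = 16-bit priority followed by the 48-bit MAC address."""
    return int.from_bytes(raw[:2], "big"), ":".join(f"{b:02x}" for b in raw[2:])


def decode_port_id(raw: int) -> Tuple[int, int]:
    """Port ID = 4-bit priority (a multiple of 16) and 12-bit port number."""
    return (raw >> 12) * 16, raw & 0x0FFF


def parse_mst_bpdu(data: bytes) -> Dict:
    """Parse one MST BPDU; raise ValueError for anything that is not well formed."""
    if len(data) < RST_HEADER.size + V3_LENGTH.size:
        raise ValueError("frame too short for an MST BPDU")
    (proto, version, bpdu_type, flags, root, erpc, regional_root, port,
     msg_age, max_age, hello, fwd_delay, v1_len) = RST_HEADER.unpack_from(data, 0)
    if proto != 0 or version != PROTOCOL_VERSION_MSTP or bpdu_type != BPDU_TYPE_RST_OR_MST:
        raise ValueError(f"not an MST BPDU (protocol={proto}, version={version}, type=0x{bpdu_type:02x})")
    if v1_len != 0:
        raise ValueError("Version 1 Length must be 0")
    (v3_len,) = V3_LENGTH.unpack_from(data, RST_HEADER.size)
    body = RST_HEADER.size + V3_LENGTH.size
    # Version 3 Length covers the 64 fixed bytes plus 16 bytes per MSTI message.
    if v3_len < FIXED_V3 or (v3_len - FIXED_V3) % MSTI_MSG.size:
        raise ValueError(f"invalid Version 3 Length {v3_len}")
    if len(data) < body + v3_len:
        raise ValueError("BPDU truncated: Version 3 Length exceeds the frame")
    selector, name, revision, digest = MST_CONFIG_ID.unpack_from(data, body)
    irpc, cist_bridge, hops = CIST_TAIL.unpack_from(data, body + MST_CONFIG_ID.size)
    mstis: List[Dict] = []
    for i in range((v3_len - FIXED_V3) // MSTI_MSG.size):
        m_flags, m_root, m_irpc, m_bprio, m_pprio, m_hops = MSTI_MSG.unpack_from(
            data, body + FIXED_V3 + i * MSTI_MSG.size)
        mstis.append({"flags": m_flags, "regional_root": decode_bridge_id(m_root),
                      "internal_root_path_cost": m_irpc, "bridge_priority": m_bprio,
                      "port_priority": m_pprio, "remaining_hops": m_hops})
    return {
        "version": version, "cist_flags": flags,
        "cist_root": decode_bridge_id(root), "cist_external_path_cost": erpc,
        "cist_regional_root": decode_bridge_id(regional_root), "cist_port_id": decode_port_id(port),
        # BPDU timers are carried in units of 1/256 second
        "message_age_s": msg_age / 256, "max_age_s": max_age / 256,
        "hello_time_s": hello / 256, "forward_delay_s": fwd_delay / 256,
        "format_selector": selector, "region_name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "revision": revision, "config_digest": digest.hex(),
        "cist_internal_root_path_cost": irpc, "cist_bridge": decode_bridge_id(cist_bridge),
        "cist_remaining_hops": hops, "mstis": mstis,
    }


def build_sample_bpdu(msti_count: int = 2) -> bytes:
    """Constructed MST BPDU from a bridge that is both CIST root and regional root
    of region RG1, so the external path cost is 0. All values are made up."""
    bridge = bytes.fromhex("1000" "00e0fc000001")       # priority 4096, MAC 00:e0:fc:00:00:01
    head = RST_HEADER.pack(0, PROTOCOL_VERSION_MSTP, BPDU_TYPE_RST_OR_MST, 0x7C,
                           bridge, 0, bridge, 0x8001,   # port priority 128, port number 1
                           0, 20 * 256, 2 * 256, 15 * 256, 0)  # Max Age 20 s, Hello 2 s, Fwd Delay 15 s
    body = (MST_CONFIG_ID.pack(0, b"RG1".ljust(32, b"\x00"), 0, bytes(16))  # all-zero digest placeholder
            + CIST_TAIL.pack(0, bridge, 20)
            + MSTI_MSG.pack(0x7C, bridge, 20000, 0x80, 0x80, 20) * msti_count)
    return head + V3_LENGTH.pack(len(body)) + body


if __name__ == "__main__":
    for key, value in parse_mst_bpdu(build_sample_bpdu()).items():
        print(f"{key}: {value}")
```

The decoder rejects a frame whose Version 3 Length does not fit the 64 + 16n rule or exceeds the captured bytes, so a malformed or truncated BPDU raises instead of being partially decoded; the region name and digest it returns are what a UPE would compare against its own MST configuration identifier to decide whether the sender is in the same region.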
Configurable MST BPDU Format
Currently, there are two MST BPDU formats:
dot1s: BPDU format defined in IEEE 802.1s.
legacy: private BPDU format.
If a port transmits either dot1s or legacy BPDUs by default, the user needs to identify the format of BPDUs sent by the peer, and then run a command to configure the port to support the peer BPDU format. If the configuration is incorrect, MSTP calculation is incorrect and a loop may occur. By using the stp compliance command, you can configure a port on a Huawei datacom device to automatically adjust the MST BPDU format. With this function, the port automatically adopts the peer BPDU format. The following MST BPDU formats are supported by Huawei datacom devices:
auto
dot1s
legacy
In addition to the dot1s and legacy formats, the auto mode allows a port to automatically switch to the BPDU format used by the peer based on BPDUs received from the peer. In this manner, the two ports use the same BPDU format. In auto mode, a port uses the dot1s BPDU format by default, and keeps pace with the peer after receiving BPDUs from the peer.
Configurable Maximum Number of BPDUs Sent by a Port at a Hello Interval
BPDUs are sent at Hello intervals to maintain the spanning tree. If a switching device does not receive any BPDU during a certain period of time, the spanning tree will be re-calculated. After a switching device becomes the root, it sends BPDUs at Hello intervals. Non-root switching devices adopt the Hello Time value set for the root.
Huawei datacom devices allow the maximum number of BPDUs sent by a port at a Hello interval to be configured as needed. The greater the Hello Time value, the more BPDUs sent at a Hello interval. Setting the Hello Time to a proper value limits the number of BPDUs sent by a port at a Hello interval. This helps prevent network topology flapping and avoid excessive use of bandwidth resources by BPDUs.
10.2.4 MSTP Topology Calculation
MSTP Principle
In MSTP, the entire Layer 2 network is divided into multiple MST regions, which are interconnected by a single CST. In an MST region, multiple spanning trees are calculated, each of which is called an MSTI. Among these MSTIs, MSTI 0 is also known as the internal spanning tree (IST). Like STP, MSTP uses configuration messages to calculate spanning trees, but the configuration messages are MSTP-specific.
Vectors
Both MSTIs and the CIST are calculated based on vectors, which are carried in MST BPDUs. Therefore, switching devices exchange MST BPDUs to calculate MSTIs and the CIST.
Vectors are described as follows:
The following vectors participate in the CIST calculation: { root ID, external root path cost, regional root ID, internal root path cost, designated switching device ID, designated port ID, receiving port ID }
The following vectors participate in the MSTI calculation: { regional root ID, internal root path cost, designated switching device ID, designated port ID, receiving port ID }
The priorities of vectors in braces are in descending order from left to right.
Table 10-2-6 describes the vectors.
Table 10-2-6 Vector description
Root ID: Identifies the root switching device for the CIST. The root identifier consists of the priority value (16 bits) and MAC address (48 bits). The priority value is the priority of MSTI 0.
External root path cost (ERPC): Indicates the path cost from a CIST regional root to the root. ERPCs saved on all switching devices in an MST region are the same. If the CIST root is in an MST region, ERPCs saved on all switching devices in the MST region are 0s.
Regional root ID: Identifies the MSTI regional root. The regional root ID consists of the priority value (16 bits) and MAC address (48 bits). The priority value is the priority of MSTI 0.
Internal root path cost (IRPC): Indicates the path cost from the local bridge to the regional root. The IRPC saved on a regional edge port is greater than the IRPC saved on a non-regional edge port.
Designated switching device ID: Identifies the nearest upstream bridge on the path from the local bridge to the regional root. If the local bridge is the root or the regional root, this ID is the local bridge ID.
Designated port ID: Identifies the port on the designated switching device connected to the root port on the local bridge. The port ID consists of the priority value (4 bits) and port number (12 bits). The priority value must be a multiple of 16.
Receiving port ID: Identifies the port receiving the BPDU. The port ID consists of the priority value (4 bits) and port number (12 bits). The priority value must be a multiple of 16.
The vector comparison principle is as follows: For a vector, the smaller the priority value, the higher the priority. Vectors are compared based on the following rules:
1. Compare the IDs of the roots.
2. If the IDs of the roots are the same, compare ERPCs.
3. If ERPCs are the same, compare the IDs of regional roots.
4. If the IDs of regional roots are the same, compare IRPCs.
5. If IRPCs are the same, compare the IDs of designated switching devices.
6. If the IDs of designated switching devices are the same, compare the IDs of designated ports.
7. If the IDs of designated ports are the same, compare the IDs of receiving ports.
If the priority of a vector carried in the configuration message of a BPDU received by a port is higher than the priority of the vector in the configuration message saved on the port, the port replaces the saved configuration message with the received one. In addition, the port updates the global configuration message saved on the device. If the priority of a vector carried in the configuration message of a BPDU received on a port is equal to or lower than the priority of the vector in the configuration message saved on the port, the port discards the BPDU.
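As an added example (not from the Huawei material), the following Python code encodes bridge and port IDs as Table 10-2-6 describes them and implements the seven-step comparison above as a left-to-right field comparison that reports which field decided, together with the replace-or-discard rule a port applies to a received BPDU. The same comparison function also handles the shorter MSTI vector. The priorities and MAC addresses used in the demonstration are constructed.

```python
"""Compare MSTP priority vectors with the seven-step rule.

Added example, not code from the Huawei material. IDs are encoded as
Table 10-2-6 describes; all priorities and MAC addresses are constructed.
"""
from typing import NamedTuple, Sequence, Tuple

CIST_FIELDS = ("root ID", "external root path cost", "regional root ID",
               "internal root path cost", "designated switching device ID",
               "designated port ID", "receiving port ID")
# An MSTI vector is the CIST vector without its first two fields.
MSTI_FIELDS = CIST_FIELDS[2:]


def bridge_id(priority: int, mac: str) -> int:
    """Bridge ID: 16-bit priority followed by the 48-bit MAC address."""
    if not 0 <= priority <= 0xFFFF:
        raise ValueError("bridge priority must fit in 16 bits")
    return (priority << 48) | int(mac.replace(":", "").replace("-", ""), 16)


def port_id(priority: int, number: int) -> int:
    """Port ID: 4-bit priority (a multiple of 16, 0-240) and a 12-bit port number."""
    if priority % 16 or not 0 <= priority <= 240:
        raise ValueError("port priority must be a multiple of 16 between 0 and 240")
    if not 0 < number <= 0x0FFF:
        raise ValueError("port number must be between 1 and 4095")
    return ((priority // 16) << 12) | number


class CistVector(NamedTuple):
    root_id: int
    erpc: int
    regional_root_id: int
    irpc: int
    designated_bridge_id: int
    designated_port_id: int
    receiving_port_id: int


def compare_vectors(received: Sequence[int], saved: Sequence[int],
                    fields: Sequence[str] = CIST_FIELDS) -> Tuple[str, str]:
    """Return ("received" | "saved" | "equal", deciding field).

    Fields are examined left to right and the first one that differs decides;
    the smaller value has the higher priority. With CIST_FIELDS this is steps
    1 to 7 of the rule above; with MSTI_FIELDS it is the MSTI variant.
    """
    if len(received) != len(fields) or len(saved) != len(fields):
        raise ValueError("vector length does not match the field list")
    for name, r, s in zip(fields, received, saved):
        if r != s:
            return ("received" if r < s else "saved"), name
    return "equal", ""


def process_bpdu(saved: CistVector, received: CistVector) -> Tuple[CistVector, bool]:
    """Replace-or-discard rule for a port: the received vector replaces the saved
    one only if it has strictly higher priority; an equal or lower one is discarded."""
    winner, _ = compare_vectors(received, saved)
    return (received, True) if winner == "received" else (saved, False)


def demo() -> Tuple[str, str]:
    """Constructed case: two upstream bridges with equal priority offer the same
    root and costs, so the designated switching device ID (its MAC) decides."""
    root = bridge_id(4096, "00:e0:fc:00:00:01")
    upe1 = bridge_id(8192, "00:e0:fc:00:00:02")
    upe2 = bridge_id(8192, "00:e0:fc:00:00:03")
    saved = CistVector(root, 0, root, 20000, upe1, port_id(128, 1), port_id(128, 1))
    received = CistVector(root, 0, root, 20000, upe2, port_id(128, 1), port_id(128, 2))
    return compare_vectors(received, saved)


if __name__ == "__main__":
    print(demo())  # ('saved', 'designated switching device ID')
```

Because every field is an integer in which the priority occupies the most significant bits, a plain numeric comparison of each field reproduces "smaller value, higher priority", and the deciding-field name is what you would log when investigating why a port changed its root or designated bridge.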
CIST Calculation
After completing the configuration message comparison, the switching device with the highest priority on the entire network is selected as the CIST root. MSTP calculates an IST for each MST region, and computes a CST to interconnect MST regions. On the CST, each MST region is considered a switching device. The CST and ISTs constitute a CIST for the entire network.
MSTI Calculation
In an MST region, MSTP calculates an MSTI for each VLAN based on mappings between VLANs and MSTIs. Each MSTI is calculated independently. The calculation process is similar to the process for STP to calculate a spanning tree. For details, see STP Topology Calculation. MSTIs have the following characteristics:
The spanning tree is calculated independently for each MSTI, and spanning trees of MSTIs are independent of each other.
MSTP calculates the spanning tree for an MSTI in the manner similar to STP.
Spanning trees of MSTIs can have different roots and topologies.
Each MSTI sends BPDUs in its spanning tree.
The topology of each MSTI is configured by using commands.
A port can be configured with different parameters for different MSTIs.
A port can play different roles or have different status in different MSTIs.
On an MSTP-aware network, a VLAN packet is forwarded along the following paths:
MSTI in an MST region
CST among MST regions
MSTP Responding to Topology Changes
MSTP topology changes are processed in a manner similar to that in RSTP. For details about how RSTP processes topology changes, see Details about RSTP.
10.2.5 MSTP Fast Convergence
MSTP supports both ordinary and enhanced Proposal/Agreement (P/A) mechanisms:
Ordinary P/A
The ordinary P/A mechanism supported by MSTP is implemented in the same manner as that supported by RSTP. For details about the P/A mechanism supported by RSTP, see Details about RSTP.
Enhanced P/A
Figure 10-2-10 Enhanced P/A mechanism
As shown in Figure 10-2-10, in MSTP, the P/A mechanism works as follows:
1. The upstream device sends a proposal to the downstream device, indicating that the port connecting to the downstream device wants to enter the Forwarding state as soon as possible. After receiving this BPDU, the downstream device sets its port connecting to the upstream device to the root port, and blocks all non-edge ports.
2. The upstream device continues to send an agreement. After receiving this BPDU, the root port enters the Forwarding state.
3. The downstream device replies with an agreement. After receiving this BPDU, the upstream device sets its port connecting to the downstream device to the designated port, and the port enters the Forwarding state.
By default, Huawei datacom devices use the fast transition mechanism in enhanced mode. To enable a Huawei datacom device to communicate with a third-party device that uses the fast transition mechanism in common mode, configure the Proposal/Agreement mechanism on the Huawei datacom device so that the Huawei datacom device works in common mode.
10.2.6 MSTP Multi-Process
Background
On the network shown in Figure 10-2-11:
UPEs are deployed at the aggregation layer, running MSTP.
UPE1 and UPE2 are connected by a Layer 2 link.
Multiple rings are connected to UPE1 and UPE2 through different ports.
Switching devices on the rings reside at the access layer, running STP or RSTP. In addition, UPE1 and UPE2 work for different carriers, so they need to reside on different spanning trees whose topology changes do not affect each other.
Figure 10-2-11 Application with both MSTP and STP/RSTP
On the network shown in Figure 10-2-11, switching devices and UPEs construct multiple Layer 2 rings. STP must be enabled on these rings to prevent loops. UPE1 and UPE2 are connected to multiple access rings that are independent of each other. The spanning tree protocol cannot calculate a single spanning tree for all switching devices. Instead, the spanning tree protocol must be enabled on each ring to calculate a separate spanning tree.
MSTP supports MSTIs, but these MSTIs must belong to one MST region and devices in the region must have the same configurations. If the devices belong to different regions, MSTP calculates the spanning tree based on only one instance. Assume that devices on the network belong to different regions, and only one spanning tree is calculated in one instance. In this case, the status change of any device on the network affects the stability of the entire network.
On the network shown in Figure 10-2-11, the switching devices connected to UPEs support only STP or RSTP but not MSTP. When MSTP-enabled UPEs receive RST BPDUs from the switching devices, the UPEs consider that they and the switching devices belong to different regions. As a result, only one spanning tree is calculated for the rings composed of UPEs and switching devices, and the rings affect each other.
To prevent this problem, MSTP multi-process is introduced. MSTP multi-process is an enhancement to MSTP. The MSTP multi-process mechanism allows ports on switching devices to be bound to different processes. MSTP calculation is performed based on processes. In this manner, only ports that are bound to a process participate in the MSTP calculation for this process. With the MSTP multi-process mechanism, spanning trees of different processes are calculated independently and do not affect each other. The network shown in Figure 10-2-11 can be divided into multiple MSTP processes by using MSTP multi-process. Each process takes charge of a ring composed of switching devices. The MSTP processes have the same functions and support MSTIs. The MSTP calculation for one process does not affect the MSTP calculation for another process.
NOTE: MSTP multi-process is applicable to MSTP as well as RSTP and STP.
Purpose
On the network shown in Figure 10-2-11, MSTP multi-process is configured to implement the following:
Greatly improves applicability of STP to different networking conditions. To help a network running different spanning tree protocols run properly, you can bind the devices running different spanning tree protocols to different processes. In this manner, every process calculates a separate spanning tree.
Improves the networking reliability. For a network composed of many Layer 2 access devices, using MSTP multi-process reduces the adverse effect of a single node failure on the entire network. The topology is calculated for each process. If a device fails, only the topology corresponding to the process to which the device belongs changes.
Reduces the network administrator workload during network expansion, facilitating operation and maintenance. To expand a network, you only need to configure new processes, connect the processes to the existing network, and keep the existing MSTP processes unchanged. If device expansion is performed in a process, only this process needs to be modified.
Implements separate Layer 2 port management. An MSTP process manages some of the ports on a device, so the Layer 2 ports on a device are separately managed by multiple MSTP processes.
Principle
Public link status
As shown in Figure 10-2-11, the public link between UPE1 and UPE2 is a Layer 2 link running MSTP. The public link between UPE1 and UPE2 is different from the links connecting switching devices to UPEs. The ports on the public link need to participate in the calculation for multiple access rings and MSTP processes. Therefore, the UPEs must identify the process from which MST BPDUs are sent. In addition, a port on the public link participates in the calculation for multiple MSTP processes, and obtains different status. As a result, the port cannot determine its status. To prevent this situation, it is defined that a port on a public link always adopts its status in MSTP process 0 when participating in the calculation for multiple MSTP processes.
NOTE: After a device normally starts, MSTP process 0 exists by default, and MSTP configurations in the system view and interface view belong to this process.
Reliability
On the network shown in Figure 10-2-12, after the topology of a ring changes, the MSTP multi-process mechanism helps UPEs flood a TC packet to all devices on the ring and prevent the TC packet from being flooded to devices on the other ring. UPE1 and UPE2 update MAC and ARP entries on the ports corresponding to the changed spanning tree.
Figure 10-2-12 MSTP multi-process topology change
On the network shown in Figure 10-2-13, if the public link between UPE1 and UPE2 fails, multiple switching devices that are connected to the UPEs will unblock their blocked ports.
Figure 10-2-13 Public link fault
Assume that UPE1 is configured with the highest priority, UPE2 with the second highest priority, and switching devices with default or lower priorities. After the link between UPE1 and UPE2 fails, the blocked ports (the alternates for the root ports) on switching devices no longer receive packets with higher priorities and re-perform state machine calculation. If the calculation changes the blocked ports to designated ports, a permanent loop occurs, as shown in Figure 10-2-14.
Figure 10-2-14 Loop between access rings
Solutions
To prevent a loop between access rings, use either of the following solutions:
Configure an inter-board Eth-Trunk link between UPE1 and UPE2. An inter-board Eth-Trunk link is used as the public link between UPE1 and UPE2 to improve link reliability, as shown in Figure 10-2-15.
Figure 10-2-15 Inter-board Eth-Trunk link
Configure root protection between UPE1 and UPE2. If all physical links between UPE1 and UPE2 fail, configuring an inter-board Eth-Trunk link cannot prevent the loop. Root protection can be configured to prevent the loop shown in Figure 10-2-14.
Figure 10-2-16 MSTP multi-process with root protection
Use the blue ring shown in Figure 10-2-16 as an example. UPE1 is configured with the highest priority, UPE2 with the second highest priority, and switching devices on the blue ring with default or lower priorities. In addition, root protection is enabled on UPE2. Assume that a port on S1 is blocked. When the public link between UPE1 and UPE2 fails, the blocked port on S1 begins to calculate the state machine because it no longer receives BPDUs of higher priorities. After the calculation, the blocked port becomes the designated port and performs P/A negotiation with the downstream device. After S1, which is directly connected to UPE2, sends BPDUs of higher priorities to the UPE2 port enabled with root protection, the port is blocked. From then on, the port remains blocked because it continues receiving BPDUs of higher priorities. In this manner, no loop will occur.
10.3 Examples for Configuring STP
10.3.1 Example for Configuring Basic STP Functions
Networking Requirements
Network designers tend to deploy multiple physical links between two devices (one link is the master and the others are backups) to fulfill network redundancy requirements. Loops are bound to occur on such complex networks. Loops cause broadcast storms, which exhaust network resources and paralyze the network. Loops also cause MAC address flapping, which damages MAC address entries. STP can be deployed on a network to eliminate loops by blocking some ports. On the network shown in Figure 10-3-1, after SwitchA, SwitchB, SwitchC, and SwitchD running STP discover loops by exchanging information, they trim the ring topology into a loop-free tree topology by blocking a certain port. STP prevents replication and circular propagation of packets on the network and releases the switching devices from processing duplicate packets, improving their processing performance.
Figure 10-3-1 Networking diagram of basic STP configurations
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic STP functions, including:
a. Configure the STP mode for the ring network.
b. Configure primary and secondary root bridges.
c. Set path costs for ports to block certain ports.
d. Enable STP to eliminate loops.
NOTE: STP is not required on the interfaces connected to terminals because these interfaces do not need to participate in STP calculation.
Procedure
1. Configure basic STP functions.
a. Configure the STP mode for the devices on the ring network.
# Configure the STP mode on SwitchA.
system-view
[Huawei] sysname SwitchA
[SwitchA] stp mode stp
# Configure the STP mode on SwitchB.
system-view
[HUAWEI] sysname SwitchB
[SwitchB] stp mode stp
# Configure the STP mode on SwitchC.
system-view
[HUAWEI] sysname SwitchC
[SwitchC] stp mode stp
# Configure the STP mode on SwitchD.
system-view
[HUAWEI] sysname SwitchD
[SwitchD] stp mode stp
b. Configure primary and secondary root bridges.
# Configure RouterA as the primary root bridge.
[RouterA] stp root primary
# Configure SwitchA as the secondary root bridge.
[SwitchA] stp root secondary
c. Set path costs for ports in each spanning tree to block certain ports.
NOTE:
The values of path costs depend on path cost calculation methods. This example uses the Huawei proprietary calculation method and sets the path cost to 200000.
All switching devices on a network must use the same path cost calculation method. Refer to the STP list of path costs for the standards of the other calculation methods.
# On SwitchA, configure the path cost calculation method as the Huawei calculation method.
[SwitchA] stp pathcost-standard legacy
# On SwitchB, configure the path cost calculation method as the Huawei calculation method.
[SwitchB] stp pathcost-standard legacy
# Set the path cost of GigabitEthernet0/0/1 on SwitchC to 20000.
[SwitchC] stp pathcost-standard legacy
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] stp cost 20000
[SwitchC-GigabitEthernet0/0/1] quit
# On SwitchD, configure the path cost calculation method as the Huawei calculation method.
[SwitchD] stp pathcost-standard legacy
d. Enable STP to eliminate loops.
Disable STP on interfaces connected to PCs.
# Disable STP on GigabitEthernet 0/0/2 on SwitchB.
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] stp disable
[SwitchB-GigabitEthernet0/0/2] quit
# Disable STP on GigabitEthernet 0/0/2 on SwitchC.
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] stp disable
[SwitchC-GigabitEthernet0/0/2] quit
Enable STP globally.
# Enable STP globally on SwitchA.
[SwitchA] stp enable
# Enable STP globally on SwitchB.
Verify the configuration.
After the previous configurations, run the following commands to verify the configuration when the network is stable:
# Run the display stp brief command on SwitchA to view the interface status and protection type. The displayed information is as follows:
[SwitchA] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING      NONE
   0    GigabitEthernet0/0/2        DESI  FORWARDING      NONE
After SwitchA is configured as a root bridge, GigabitEthernet 0/0/2 and GigabitEthernet 0/0/1 connected to SwitchB and SwitchD respectively are elected as designated ports in spanning tree calculation.
# Run the display stp interface gigabitethernet 0/0/1 brief command on SwitchB to view the status of GigabitEthernet 0/0/1. The displayed information is as follows:
[SwitchB] display stp interface gigabitethernet 0/0/1 brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        DESI  FORWARDING      NONE
GigabitEthernet 0/0/1 is elected as a designated port in spanning tree calculation and is in the Forwarding state.
# Run the display stp brief command on SwitchC to view the interface status and protection type. The displayed information is as follows:
[SwitchC] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet0/0/1        ALTE  DISCARDING      NONE
   0    GigabitEthernet0/0/3        ROOT  FORWARDING      NONE
GigabitEthernet 0/0/3 is elected as a root port in spanning tree calculation and is in the Forwarding state. GigabitEthernet 0/0/1 is elected as an alternate port in spanning tree calculation and is in the Discarding state.
10.3.2 Example for Configuring Basic RSTP Functions
Networking Requirements
On a complex network, loops are inevitable. With the requirement for network redundancy backup, network designers tend to deploy multiple physical links between two devices, one of which is the master and the others are the backup. Loops are likely or bound to occur in such a situation. Loops cause broadcast storms, thereby exhausting network resources and paralyzing the network. Loops also cause flapping of MAC address tables and damage MAC address entries. RSTP can be deployed on a network to eliminate loops by blocking some ports. On the network shown in Figure 10-3-2, after RouterA, SwitchA, SwitchB, SwitchC and SwitchD running RSTP discover loops on the network by exchanging information with each other, they trim the ring topology into a loop-free tree topology by blocking an interface. In this manner, replication and circular propagation of packets are prevented on the network and the switching devices are released from processing duplicate packets, thereby improving their processing performance.
Figure 10-3-2 Networking diagram of configuring basic RSTP functions
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic RSTP functions, including:
a. Configure the RSTP mode for the ring network.
b. Configure primary and secondary root bridges.
c. Set path costs for ports to block certain ports.
d. Enable RSTP to eliminate loops, including:
Enable RSTP globally.
Enable RSTP on all the interfaces except the interfaces connected to terminals.
NOTE: RSTP is not required on the interfaces connected to terminals because these interfaces do not need to participate in RSTP calculation.
2. Configure RSTP protection functions, for example, configure root protection on a designated port of a root bridge.
Procedure
1. Configure basic RSTP functions.
a. Configure the RSTP mode for the devices on the ring network.
# Configure the RSTP mode on RouterA.
system-view
[Huawei] sysname RouterA
[RouterA] stp mode rstp
# Configure the RSTP mode on SwitchA, SwitchB, SwitchC and SwitchD.
b. Configure primary and secondary root bridges.
# Configure RouterA as the primary root bridge.
[RouterA] stp root primary
# Configure SwitchA as the secondary root bridge. (The detailed configuration is not provided here.)
c. Set path costs for the interface to be blocked.
NOTE:
The values of path costs depend on path cost calculation methods. This example uses the Huawei proprietary calculation method and sets the path cost to 200000.
All switching devices on a network must use the same path cost calculation method. Refer to the STP list of path costs for the standards of the other calculation methods.
# On RouterA, configure the path cost calculation method as the Huawei proprietary method.
[RouterA] stp pathcost-standard legacy
# On SwitchA, SwitchB, SwitchC and SwitchD, configure the path cost calculation method as the Huawei proprietary method. (The detailed configuration is not provided here.)
# As shown in Figure 10-3-2, set the path cost of Eth0/0/4 on SwitchC and SwitchD to 200000. (The detailed configuration is not provided here.)
d. Enable RSTP to eliminate loops.
Disable RSTP on interfaces connected to PCs.
# Disable RSTP on interfaces connected to terminals for SwitchC and SwitchD.
Enable RSTP globally.
# Enable RSTP globally on RouterA.
[RouterA] stp enable
# Enable RSTP globally on other switching devices.
Enable RSTP on all the interfaces except the interfaces connected to terminals.
# Enable RSTP on RouterA Ethernet2/0/0 and Ethernet2/0/1.
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] stp enable
[RouterA-Ethernet2/0/0] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] stp enable
[RouterA-Ethernet2/0/1] quit
# Enable STP on all the interfaces except the interfaces connected to terminals for SwitchA, SwitchB, SwitchC and SwitchD.
Verify the configuration.
After the previous configurations, run the following commands to verify the configuration when the network is stable:
# Run the display stp brief command on RouterA to view the interface status and protection type. The displayed information is as follows:
[RouterA] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    Ethernet2/0/0               DESI  FORWARDING      ROOT
   0    Ethernet2/0/1               DESI  FORWARDING      ROOT
After RouterA is configured as a root bridge, Ethernet2/0/0 connected to SwitchA and Ethernet2/0/1 connected to SwitchB are elected as designated ports during spanning tree calculation.
10.3.3 Example for Configuring Basic MSTP Functions
Networking Requirements
On a complex network, loops are inevitable. With the requirement for network redundancy backup, network designers tend to deploy multiple physical links between two devices, one of which is the master and the others are the backup. Loops are likely or bound to occur in such a situation. Loops cause broadcast storms, thereby exhausting network resources and paralyzing the network. Loops also cause flapping of MAC address tables and damage MAC address entries. MSTP can be deployed to eliminate loops. MSTP blocks redundant links on a Layer 2 network and trims the network into a loop-free tree. As shown in Figure 10-3-3, to load balance traffic of VLANs 2 to 10 and traffic of VLANs 11 to 20, multiple MSTIs are created. MSTP defines a VLAN mapping table in which VLANs are associated with spanning tree instances. Run MSTP on RouterA, SwitchA, SwitchB, SwitchC and SwitchD.
Figure 10-3-3 Networking diagram of configuring basic MSTP functions
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic MSTP functions, including:
a. Configure the MSTP mode for the ring network.
b. Configure an MST region and create multiple MSTIs to implement load balancing.
c. In the MST region, configure a primary root bridge and a secondary root bridge for each MSTI.
d. Set path costs for the ports to be blocked in each MSTI.
e. Enable MSTP to eliminate loops, including:
- Enable MSTP globally.
- Enable MSTP on all the interfaces except the interfaces connected to terminals.
NOTE: MSTP is not required on the interfaces connected to terminals because these interfaces do not need to participate in MSTP calculation.
2. Configure MSTP protection functions, for example, configure root protection on the designated ports of the root bridge in each MSTI.
3. Configure the Layer 2 forwarding function on the devices.
Procedure
1. Configure basic MSTP functions.
a. Configure the MSTP mode for the devices on the ring network.
# Configure the MSTP mode on RouterA.
system-view
[Huawei] sysname RouterA
[RouterA] stp mode mstp
# Configure the MSTP mode on SwitchA, SwitchB, SwitchC and SwitchD.
b. Add all devices to MST region RG1, and create two MSTIs. MSTI1 maps to VLANs 2 to 10, and MSTI2 maps to VLANs 11 to 20.
# Add RouterA to the MST region.
[RouterA] stp region-configuration
[RouterA-mst-region] region-name RG1
[RouterA-mst-region] instance 1 vlan 2 to 10
[RouterA-mst-region] instance 2 vlan 11 to 20
[RouterA-mst-region] active region-configuration
[RouterA-mst-region] quit
# Add SwitchA, SwitchB, SwitchC and SwitchD to MST region RG1, and create two MSTIs. MSTI1 maps to VLANs 2 to 10, and MSTI2 maps to VLANs 11 to 20.
c. In RG1, configure primary and secondary root bridges for MSTI1 and MSTI2.
# Configure RouterA as the primary root bridge in MSTI1.
[RouterA] stp instance 1 root primary
# Configure SwitchA as the secondary root bridge in MSTI1.
# Configure RouterA as the primary root bridge in MSTI2.
[RouterA] stp instance 2 root primary
# Configure SwitchB as the secondary root bridge in MSTI2.
d. Set the path costs of the ports to be blocked in MSTI1 and MSTI2 to be larger than the default value.
NOTE:
The values of path costs depend on the path cost calculation method. This example uses the Huawei proprietary calculation method and sets the path costs of the ports to be blocked to 200000.
If the switches are not Huawei 2300 Series, all switches on a network must use the same path cost calculation method. Refer to the STP path cost list for the values used by other calculation methods.
# On RouterA, configure the path cost calculation method as the Huawei proprietary method.
[RouterA] stp pathcost-standard legacy
# On SwitchA, SwitchB, SwitchC and SwitchD, configure the path cost calculation method as the Huawei proprietary method.
# As shown in Figure 10-3-3, set the path cost of Eth0/0/4 on SwitchC to 200000 in MSTI1.
# As shown in Figure 10-3-3, set the path cost of Eth0/0/4 on SwitchD to 200000 in MSTI2.
e. Enable MSTP to eliminate loops.
- Disable MSTP on the interfaces connected to PCs.
# As shown in Figure 10-3-3, disable MSTP on interfaces Eth0/0/2 and Eth0/0/3 of SwitchC.
# As shown in Figure 10-3-3, disable MSTP on interfaces Eth0/0/2 and Eth0/0/3 of SwitchD.
- Enable MSTP globally.
# Enable MSTP globally on RouterA.
[RouterA] stp enable
# Enable MSTP globally on SwitchA, SwitchB, SwitchC and SwitchD.
- Enable MSTP on all the interfaces except the interfaces connected to terminals.
# Enable MSTP on RouterA Eth2/0/0 and Eth2/0/1.
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] stp enable
[RouterA-Ethernet2/0/0] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] stp enable
[RouterA-Ethernet2/0/1] quit
# As shown in Figure 10-3-3, enable MSTP on all interfaces except the interfaces connected to terminals on SwitchA, SwitchB, SwitchC and SwitchD.
3. Configure the Layer 2 forwarding function on the devices in the ring.
- Create VLANs on RouterA, SwitchA, SwitchB, SwitchC and SwitchD.
# Create VLANs 2 to 20 on RouterA.
[RouterA] vlan batch 2 to 20
# Create VLANs 2 to 20 on SwitchA and SwitchB.
# Create VLANs 2 to 10 on SwitchC.
# Create VLANs 11 to 20 on SwitchD.
- Add the interfaces on the switching devices in the ring to VLANs.
# Add RouterA Eth2/0/0 and Eth2/0/1 to VLANs 2 to 20.
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] port link-type trunk
[RouterA-Ethernet2/0/0] port trunk allow-pass vlan 2 to 20
[RouterA-Ethernet2/0/0] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type trunk
[RouterA-Ethernet2/0/1] port trunk allow-pass vlan 2 to 20
[RouterA-Ethernet2/0/1] quit
# Add interfaces Eth0/0/1, Eth0/0/2 and Eth0/0/3 on SwitchA and SwitchB to VLANs 2 to 20.
# Add interfaces Eth0/0/1, Eth0/0/2, Eth0/0/3 and Eth0/0/4 on SwitchC to VLANs 2 to 10.
# Add interfaces Eth0/0/1, Eth0/0/2, Eth0/0/3 and Eth0/0/4 on SwitchD to VLANs 11 to 20.
4. Verify the configuration.
After the previous configurations, run the following commands to verify the configuration when the network is stable:
# Run the display stp brief command on RouterA to view the interface status and protection type. The displayed information is as follows:
[RouterA] display stp brief
 MSTID  Port            Role  STP State   Protection
     0  Ethernet2/0/0   DESI  FORWARDING  NONE
     0  Ethernet2/0/1   DESI  FORWARDING  NONE
     1  Ethernet2/0/0   DESI  FORWARDING  ROOT
     1  Ethernet2/0/1   DESI  FORWARDING  ROOT
     2  Ethernet2/0/0   DESI  FORWARDING  ROOT
     2  Ethernet2/0/1   DESI  FORWARDING  ROOT
In MSTI1, after RouterA is configured as the root bridge, RouterA Eth2/0/0 and Eth2/0/1 are elected as designated ports during spanning tree calculation. In MSTI2, after RouterA is configured as the root bridge, RouterA Eth2/0/0 and Eth2/0/1 are elected as designated ports during spanning tree calculation.
# Verify the interface status and protection type on SwitchA. In MSTI1, interface Eth0/0/1 is elected as the root port, and interfaces Eth0/0/2 and Eth0/0/3 are elected as designated ports. In MSTI2, interface Eth0/0/1 is elected as the root port, and interfaces Eth0/0/2 and Eth0/0/3 are elected as designated ports.
# Verify the interface status and protection type on SwitchB. In MSTI1, interface Eth0/0/1 is elected as the root port, and interfaces Eth0/0/2 and Eth0/0/3 are elected as designated ports. In MSTI2, interface Eth0/0/1 is elected as the root port, and interfaces Eth0/0/2 and Eth0/0/3 are elected as designated ports.
# Verify the interface status and protection type on SwitchC. In MSTI1, interface Eth0/0/1 is elected as the root port, and interface Eth0/0/4 is blocked. In MSTI2, interface Eth0/0/1 is elected as the root port, and interface Eth0/0/4 is elected as a designated port.
# Verify the interface status and protection type on SwitchD. In MSTI1, interface Eth0/0/1 is elected as the root port, and interface Eth0/0/4 is elected as a designated port. In MSTI2, interface Eth0/0/1 is elected as the root port, and interface Eth0/0/4 is blocked.
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
vlan batch 2 to 20
#
stp instance 1 root primary
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2 to 10
 instance 2 vlan 11 to 20
 active region-configuration
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 2 to 20
 stp root-protection
#
interface Ethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 20
 stp root-protection
#
return
Configuration file of SwitchA
#
 sysname SwitchA
#
vlan batch 2 to 20
#
stp instance 1 root secondary
stp pathcost-standard legacy
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2 to 10
 instance 2 vlan 11 to 20
 active region-configuration
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 20
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 20
#
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 20
#
return
Configuration file of SwitchB
#
 sysname SwitchB
#
vlan batch 2 to 20
#
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2 to 10
 instance 2 vlan 11 to 20
 active region-configuration
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 20
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 20
#
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 20
#
return
Configuration file of SwitchC
#
 sysname SwitchC
#
vlan batch 2 to 10
#
stp pathcost-standard legacy
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2 to 10
 instance 2 vlan 11 to 20
 active region-configuration
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 10
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 10
 stp disable
#
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 2 to 10
 stp disable
#
interface Ethernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 10
 stp instance 1 cost 200000
#
return
Configuration file of SwitchD
#
 sysname SwitchD
#
vlan batch 11 to 20
#
stp pathcost-standard legacy
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2 to 10
 instance 2 vlan 11 to 20
 active region-configuration
#
interface Ethernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 11 to 20
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 11 to 20
 stp disable
#
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 11 to 20
 stp disable
#
interface Ethernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 11 to 20
 stp instance 2 cost 200000
#
return
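As an added example that is not part of the Huawei material, the following Python checks a set of these configuration files offline for the three properties the example relies on: identical MST region configuration on every device, "stp disable" only on the documented host-facing interfaces, and root protection on every trunk of a primary root bridge. The sample configurations are abridged copies of the files above; the two drift cases (a mistyped VLAN range, a trunk without root protection) are constructed, not from the page.

```python
"""Added example (not part of the Huawei material): offline checks on VRP
configuration files for the MSTP design in section 10.3.3.
  1. every device carries the identical MST region configuration (region-name
     and instance-to-VLAN mapping); a difference silently puts the device in a
     region of its own and changes which links end up blocked;
  2. 'stp disable' appears only on interfaces documented as host-facing;
  3. a device that is 'root primary' for an instance carries
     'stp root-protection' on each trunk interface, as RouterA does."""
import re
from collections import defaultdict

# Constructed sample: abridged from the page's RouterA configuration file.
ROUTER_A = """\
 sysname RouterA
#
stp instance 1 root primary
stp instance 2 root primary
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2 to 10
 instance 2 vlan 11 to 20
 active region-configuration
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 2 to 20
 stp root-protection
#
interface Ethernet2/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 20
 stp root-protection
"""

# Constructed sample: abridged from the page's SwitchC configuration file.
SWITCH_C = """\
 sysname SwitchC
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2 to 10
 instance 2 vlan 11 to 20
 active region-configuration
#
interface Ethernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 10
 stp disable
#
interface Ethernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 10
 stp instance 1 cost 200000
"""

# Constructed drift cases (hypothetical, not on the page): a mistyped VLAN
# range in the region mapping, and a root-bridge trunk missing root protection.
SWITCH_C_DRIFT = SWITCH_C.replace("instance 1 vlan 2 to 10", "instance 1 vlan 2 to 9")
ROUTER_A_DRIFT = ROUTER_A.replace(" stp root-protection\n", "", 1)

def parse_vrp(text):
    """Split a VRP config into sysname, region lines, global stp lines and per-interface lines."""
    dev = {"name": None, "region": [], "global_stp": [], "interfaces": defaultdict(list)}
    section = None  # None (global view), "region", or the current interface name
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            section = None  # a lone '#' closes the current block in VRP config files
            continue
        if line.startswith("sysname "):
            dev["name"] = line.split(None, 1)[1]
        elif line == "stp region-configuration":
            section = "region"
        elif line.startswith("interface "):
            section = line.split(None, 1)[1]
        elif section == "region":
            dev["region"].append(line)
        elif section is None and line.startswith("stp "):
            dev["global_stp"].append(line)
        elif section is not None:
            dev["interfaces"][section].append(line)
    return dev

def region_mismatches(devices):
    """Names of devices whose MST region configuration differs from the first device's."""
    baseline = devices[0]["region"]
    return [d["name"] for d in devices[1:] if d["region"] != baseline]

def undocumented_stp_disable(device, host_ports):
    """Interfaces carrying 'stp disable' that are not in the documented host-facing set."""
    return sorted(name for name, lines in device["interfaces"].items()
                  if "stp disable" in lines and name not in host_ports)

def unprotected_root_trunks(device):
    """For a primary root bridge, the trunk interfaces that lack 'stp root-protection'."""
    if not any(re.fullmatch(r"stp instance \d+ root primary", l) for l in device["global_stp"]):
        return []  # not a primary root in any instance: nothing to enforce here
    return sorted(name for name, lines in device["interfaces"].items()
                  if "port link-type trunk" in lines and "stp root-protection" not in lines)
```

Run the three checks over every device's file before activation; a non-empty list from any of them means the deployed topology will differ from the design in Figure 10-3-3.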
10.3.4 Example for Configuring MSTP + VRRP Network
Networking Requirements
As shown in Figure 10-3-4, hosts connect to SwitchC, and SwitchC connects to the Internet through SwitchA and SwitchB. To improve access reliability, the user configures redundant links. The redundant links cause a network loop, which leads to broadcast storms and corrupts MAC address entries on the bridges. It is required that the network loop be prevented when redundant links are deployed, that traffic be switched to another link when one link is broken, and that network bandwidth be used effectively.
MSTP can be configured on the network to prevent loops. MSTP blocks redundant links and prunes the network into a loop-free tree topology. In addition, VRRP needs to be configured on SwitchA and SwitchB. Host A connects to the Internet using SwitchA as the default gateway and SwitchB as the secondary gateway. Host B connects to the Internet using SwitchB as the default gateway and SwitchA as the secondary gateway. Traffic is thus load balanced and communication reliability is improved.
Figure 10-3-4 MSTP + VRRP network
Table 10-3-1 Parameters of MSTP + VRRP network
Device   Interface            VLANIF Interface   IP Address
SwitchA  GE0/0/1 and GE0/0/2  VLANIF 2           10.1.2.102/24
SwitchA  GE0/0/1 and GE0/0/2  VLANIF 3           10.1.3.102/24
SwitchA  GE0/0/3              VLANIF 4           10.1.4.102/24
SwitchB  GE0/0/1 and GE0/0/2  VLANIF 2           10.1.2.103/24
SwitchB  GE0/0/1 and GE0/0/2  VLANIF 3           10.1.3.103/24
SwitchB  GE0/0/3              VLANIF 5           10.1.5.103/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic MSTP on the switches, including:
a. Configure an MST region and create multiple instances: map VLAN 2 to MSTI1 and VLAN 3 to MSTI2 to load balance traffic.
b. Configure the root bridge and backup bridge in the MST region.
c. Configure the path cost on an interface so that the interface can be blocked.
d. Enable MSTP to prevent loops:
- Enable MSTP globally.
- Enable MSTP on all interfaces except the interfaces connecting to hosts.
NOTE: The interfaces connecting to hosts do not participate in MSTP calculation.
2. Enable the protection function to protect devices or links. For example, enable root protection on the root bridge of each instance.
3. Configure Layer 2 forwarding.
4. Assign an IP address to each interface and configure the routing protocol on each device to ensure network connectivity.
5. Create VRRP group 1 and VRRP group 2 on SwitchA and SwitchB. Configure SwitchA as the master device and SwitchB as the backup device of VRRP group 1. Configure SwitchB as the master device and SwitchA as the backup device of VRRP group 2.
Procedure
1. Configure basic MSTP functions.
a. Add SwitchA, SwitchB, and SwitchC to region RG1, and create instances MSTI1 and MSTI2.
# Configure an MST region on SwitchA.
system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1
[SwitchA-mst-region] instance 1 vlan 2
[SwitchA-mst-region] instance 2 vlan 3
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
# Configure an MST region on SwitchB.
system-view
[HUAWEI] sysname SwitchB
[SwitchB] stp region-configuration
[SwitchB-mst-region] region-name RG1
[SwitchB-mst-region] instance 1 vlan 2
[SwitchB-mst-region] instance 2 vlan 3
[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit
# Configure an MST region on SwitchC.
system-view
[HUAWEI] sysname SwitchC
[SwitchC] stp region-configuration
[SwitchC-mst-region] region-name RG1
[SwitchC-mst-region] instance 1 vlan 2
[SwitchC-mst-region] instance 2 vlan 3
[SwitchC-mst-region] active region-configuration
[SwitchC-mst-region] quit
b. Configure the root bridges and backup bridges for MSTI1 and MSTI2 in RG1.
- Configure the root bridge and backup bridge for MSTI1.
# Set SwitchA as the root bridge of MSTI1.
[SwitchA] stp instance 1 root primary
# Set SwitchB as the backup root bridge of MSTI1.
[SwitchB] stp instance 1 root secondary
- Configure the root bridge and backup bridge for MSTI2.
# Set SwitchB as the root bridge of MSTI2.
[SwitchB] stp instance 2 root primary
# Set SwitchA as the backup root bridge of MSTI2.
[SwitchA] stp instance 2 root secondary
c. Set the path costs of the interfaces that you want to block in MSTI1 and MSTI2 to be greater than the default value.
NOTE:
The path cost range is decided by the algorithm. The Huawei proprietary algorithm is used as an example. Set the path costs of the interfaces to 20000.
The switches on the same network must use the same algorithm to calculate path costs.
# Set the path cost algorithm on SwitchA to the Huawei proprietary algorithm.
[SwitchA] stp pathcost-standard legacy
# Set the path cost algorithm on SwitchB to the Huawei proprietary algorithm.
[SwitchB] stp pathcost-standard legacy
# Set the path cost algorithm on SwitchC to the Huawei proprietary algorithm. Set the path cost of GE0/0/1 in MSTI2 to 20000 and the path cost of GE0/0/4 in MSTI1 to 20000.
[SwitchC] stp pathcost-standard legacy
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] stp instance 2 cost 20000
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/4
[SwitchC-GigabitEthernet0/0/4] stp instance 1 cost 20000
[SwitchC-GigabitEthernet0/0/4] quit
d. Enable MSTP to prevent loops.
- Enable MSTP globally.
# Enable MSTP on SwitchA.
[SwitchA] stp enable
# Enable MSTP on SwitchB.
[SwitchB] stp enable
# Enable MSTP on SwitchC.
[SwitchC] stp enable
- Disable MSTP on the interfaces connecting to hosts.
# Disable MSTP on GE0/0/2 and GE0/0/3 of SwitchC.
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] stp disable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] stp disable
[SwitchC-GigabitEthernet0/0/3] quit
2. Enable the protection function on the designated interfaces of each root bridge.
# Enable root protection on GE0/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] stp root-protection
[SwitchA-GigabitEthernet0/0/1] quit
# Enable root protection on GE0/0/1 of SwitchB.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] stp root-protection
[SwitchB-GigabitEthernet0/0/1] quit
3. Configure Layer 2 forwarding on the switches in the ring.
- Create VLANs 2 and 3 on SwitchA, SwitchB, and SwitchC.
# Create VLANs 2 and 3 on SwitchA.
[SwitchA] vlan batch 2 to 3
# Create VLANs 2 and 3 on SwitchB.
[SwitchB] vlan batch 2 to 3
# Create VLANs 2 and 3 on SwitchC.
[SwitchC] vlan batch 2 to 3
- Add the interfaces connecting to the loops to VLANs.
# Add GE0/0/1 of SwitchA to VLANs.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 to 3
[SwitchA-GigabitEthernet0/0/1] quit
# Add GE0/0/2 of SwitchA to VLANs.
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 2 to 3
[SwitchA-GigabitEthernet0/0/2] quit
# Add GE0/0/1 of SwitchB to VLANs.
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 to 3
[SwitchB-GigabitEthernet0/0/1] quit
# Add GE0/0/2 of SwitchB to VLANs.
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 2 to 3
[SwitchB-GigabitEthernet0/0/2] quit
# Add GE0/0/1 of SwitchC to VLANs.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type trunk
[SwitchC-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 to 3
[SwitchC-GigabitEthernet0/0/1] quit
# Add GE0/0/2 of SwitchC to VLANs.
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 2
[SwitchC-GigabitEthernet0/0/2] quit
# Add GE0/0/3 of SwitchC to VLANs.
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] port link-type access
[SwitchC-GigabitEthernet0/0/3] port default vlan 3
[SwitchC-GigabitEthernet0/0/3] quit
# Add GE0/0/4 of SwitchC to VLANs.
[SwitchC] interface gigabitethernet 0/0/4
[SwitchC-GigabitEthernet0/0/4] port link-type trunk
[SwitchC-GigabitEthernet0/0/4] port trunk allow-pass vlan 2 to 3
[SwitchC-GigabitEthernet0/0/4] quit
4. Verify the configuration.
After the preceding configurations are complete and the network topology becomes stable, perform the following operations to verify the configuration.
# Run the display stp brief command on SwitchA to view the status and protection type on interfaces. The displayed information is as follows:
[SwitchA] display stp brief
 MSTID  Port                  Role  STP State   Protection
     0  GigabitEthernet0/0/1  DESI  FORWARDING  ROOT
     0  GigabitEthernet0/0/2  DESI  FORWARDING  NONE
     1  GigabitEthernet0/0/1  DESI  FORWARDING  ROOT
     1  GigabitEthernet0/0/2  DESI  FORWARDING  NONE
     2  GigabitEthernet0/0/1  DESI  FORWARDING  ROOT
     2  GigabitEthernet0/0/2  ROOT  FORWARDING  NONE
In MSTI1, GE0/0/2 and GE0/0/1 of SwitchA are set as designated interfaces because SwitchA is the root bridge of MSTI1. In MSTI2, GE0/0/1 of SwitchA is set as the designated interface and GE0/0/2 is set as the root interface.
# Run the display stp brief command on SwitchB. The displayed information is as follows:
[SwitchB] display stp brief
 MSTID  Port                  Role  STP State   Protection
     0  GigabitEthernet0/0/1  DESI  FORWARDING  ROOT
     0  GigabitEthernet0/0/2  ROOT  FORWARDING  NONE
     1  GigabitEthernet0/0/1  DESI  FORWARDING  ROOT
     1  GigabitEthernet0/0/2  ROOT  FORWARDING  NONE
     2  GigabitEthernet0/0/1  DESI  FORWARDING  ROOT
     2  GigabitEthernet0/0/2  DESI  FORWARDING  NONE
In MSTI2, GE0/0/1 and GE0/0/2 of SwitchB are set as designated interfaces because SwitchB is the root bridge of MSTI2. In MSTI1, GE0/0/1 of SwitchB is set as the designated interface and GE0/0/2 is set as the root interface.
# Run the display stp interface brief command on SwitchC. The displayed information is as follows:
[SwitchC] display stp interface gigabitethernet 0/0/1 brief
 MSTID
GE0/0/1 of SwitchC is the root interface of MSTI1, and is blocked in MSTI2. GE0/0/4 of SwitchC is the root interface of MSTI2, and is blocked in MSTI1.
5. Connect devices.
# Assign an IP address to each interface, for example, the interfaces on SwitchA. The configurations on SwitchB are similar to the configurations on SwitchA. For details, see the configuration file.
system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 4
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 4
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.1.2.102 24
[SwitchA-Vlanif2] quit
[SwitchA] interface vlanif 3
[SwitchA-Vlanif3] ip address 10.1.3.102 24
[SwitchA-Vlanif3] quit
[SwitchA] interface vlanif 4
[SwitchA-Vlanif4] ip address 10.1.4.102 24
[SwitchA-Vlanif4] quit
# Run OSPF on SwitchA, SwitchB, and the routers. The configurations on SwitchA are used as an example. The configurations on SwitchB are similar to the configurations on SwitchA. For details, see the configuration file.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
6. Configure VRRP groups.
# Create VRRP group 1 on SwitchA and SwitchB. Set SwitchA as the master device with priority 120 and a preemption delay of 20 seconds. Set SwitchB as the backup device and retain the default priority.
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
[SwitchA-Vlanif2] vrrp vrid 1 priority 120
[SwitchA-Vlanif2] vrrp vrid 1 preempt-mode timer delay 20
[SwitchA-Vlanif2] quit
[SwitchB] interface vlanif 2
[SwitchB-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
[SwitchB-Vlanif2] quit
# Create VRRP group 2 on SwitchA and SwitchB. Set SwitchB as the master device with priority 120 and a preemption delay of 20 seconds. Set SwitchA as the backup device and retain the default priority.
[SwitchB] interface vlanif 3
[SwitchB-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[SwitchB-Vlanif3] vrrp vrid 2 priority 120
[SwitchB-Vlanif3] vrrp vrid 2 preempt-mode timer delay 20
[SwitchB-Vlanif3] quit
[SwitchA] interface vlanif 3
[SwitchA-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100
[SwitchA-Vlanif3] quit
# Set the virtual IP address 10.1.2.100 of VRRP group 1 as the default gateway of Host A, and the virtual IP address 10.1.3.100 of VRRP group 2 as the default gateway of Host B.
7. Verify the configuration.
# After completing the preceding configurations, run the display vrrp command on SwitchA. SwitchA's VRRP status is master in VRRP group 1 and backup in VRRP group 2.
display vrrp
  Vlanif2 | Virtual Router 1
    State : Master
    Virtual IP : 10.1.2.100
    Master IP : 10.1.2.102
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES
    Delay Time : 20 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : normal-vrrp
    Backup-forward : disabled
    Create time : 2012-05-11 11:39:18 UTC+08:00
    Last change time : 2012-05-26 11:38:58 UTC+08:00

  Vlanif3 | Virtual Router 2
    State : Backup
    Virtual IP : 10.1.3.100
    Master IP : 10.1.3.103
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES
    Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0102
    Check TTL : YES
    Config type : normal-vrrp
    Backup-forward : disabled
    Create time : 2012-05-11 11:40:18 UTC+08:00
    Last change time : 2012-05-26 11:48:58 UTC+08:00
# Run the display vrrp command on SwitchB. SwitchB's VRRP status is backup in VRRP group 1 and master in VRRP group 2.
display vrrp
  Vlanif2 | Virtual Router 1
    State : Backup
    Virtual IP : 10.1.2.100
    Master IP : 10.1.2.102
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES
    Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : normal-vrrp
    Backup-forward : disabled
    Create time : 2012-05-11 11:39:18 UTC+08:00
    Last change time : 2012-05-26 11:38:58 UTC+08:00

  Vlanif3 | Virtual Router 2
    State : Master
    Virtual IP : 10.1.3.100
    Master IP : 10.1.3.103
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES
    Delay Time : 20 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0102
    Check TTL : YES
    Config type : normal-vrrp
    Backup-forward : disabled
    Create time : 2012-05-11 11:40:18 UTC+08:00
    Last change time : 2012-05-26 11:48:58 UTC+08:00
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2
 instance 2 vlan 3
 active region-configuration
#
interface Vlanif2
 ip address 10.1.2.103 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.2.100
#
interface Vlanif3
 ip address 10.1.3.103 255.255.255.0
 vrrp vrid 2 virtual-ip 10.1.3.100
 vrrp vrid 2 priority 120
 vrrp vrid 2 preempt-mode timer delay 20
#
interface Vlanif5
 ip address 10.1.5.103 255.255.255.0
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
 stp root-protection
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 5
#
ospf 1
 area 0.0.0.0
  network 10.1.2.0 0.0.0.255
  network 10.1.3.0 0.0.0.255
  network 10.1.5.0 0.0.0.255
#
return
Configuration file of SwitchC
#
 sysname SwitchC
#
vlan batch 2 to 3
#
stp pathcost-standard legacy
#
stp region-configuration
 region-name RG1
 instance 1 vlan 2
 instance 2 vlan 3
 active region-configuration
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
 stp instance 2 cost 20000
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 2
 stp disable
#
interface GigabitEthernet0/0/3
 port link-type access
 port default vlan 3
 stp disable
#
interface GigabitEthernet0/0/4
 port link-type trunk
 port trunk allow-pass vlan 2 to 3
 stp instance 1 cost 20000
#
return
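As an added example that is not code from the Huawei material, the following Python parses captured display stp brief and display vrrp output of the kind shown in steps 4 and 7 above and checks it against the intended design: which designated ports of a root bridge still show Protection NONE, whether each VRRP group has the expected state and master address, and which groups run with Auth type NONE. The sample outputs are constructed from the SwitchA and SwitchB outputs on this page; the design dictionary passed to vrrp_mismatches is an assumption taken from the roadmap.

```python
"""Added example (not part of the Huawei material): post-change verification
of the 10.3.4 design from captured 'display stp brief' and 'display vrrp'.

  * parse_stp_brief() turns the table into rows; unprotected_designated_ports()
    lists designated ports, in the instances a switch is root for, whose
    Protection column is not ROOT.
  * parse_vrrp() turns each 'Vlanif | Virtual Router' block into a dict;
    vrrp_mismatches() compares State and Master IP per group with the design;
    vrrp_without_auth() lists groups whose 'Auth type' is NONE.
"""
import re

# Constructed sample: SwitchA's 'display stp brief' as shown in the text.
SWITCH_A_STP = """\
 MSTID  Port                  Role  STP State   Protection
     0  GigabitEthernet0/0/1  DESI  FORWARDING  ROOT
     0  GigabitEthernet0/0/2  DESI  FORWARDING  NONE
     1  GigabitEthernet0/0/1  DESI  FORWARDING  ROOT
     1  GigabitEthernet0/0/2  DESI  FORWARDING  NONE
     2  GigabitEthernet0/0/1  DESI  FORWARDING  ROOT
     2  GigabitEthernet0/0/2  ROOT  FORWARDING  NONE
"""

# Constructed sample: the two groups from SwitchB's 'display vrrp' (abridged).
SWITCH_B_VRRP = """\
  Vlanif2 | Virtual Router 1
    State : Backup
    Virtual IP : 10.1.2.100
    Master IP : 10.1.2.102
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES
    Delay Time : 0 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101

  Vlanif3 | Virtual Router 2
    State : Master
    Virtual IP : 10.1.3.100
    Master IP : 10.1.3.103
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES
    Delay Time : 20 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0102
"""

STP_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
VRRP_HEADER = re.compile(r"^(\S+) \| Virtual Router (\d+)$")

def parse_stp_brief(text):
    """Return [(mstid, port, role, state, protection), ...]; the header row is skipped."""
    rows = []
    for line in text.splitlines():
        m = STP_ROW.match(line)
        if m:
            rows.append((int(m.group(1)),) + m.groups()[1:])
    return rows

def unprotected_designated_ports(rows, root_instances):
    """Designated ports in the given instances whose Protection is not ROOT."""
    return sorted({port for mstid, port, role, _state, prot in rows
                   if mstid in root_instances and role == "DESI" and prot != "ROOT"})

def parse_vrrp(text):
    """Return {vrid: {"interface": ..., "State": ..., "Master IP": ..., ...}}."""
    groups, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = VRRP_HEADER.match(line)
        if header:
            current = groups.setdefault(int(header.group(2)), {"interface": header.group(1)})
        elif current is not None and " : " in line:
            key, _sep, value = line.partition(" : ")  # values may themselves contain ':'
            current[key.strip()] = value.strip()
    return groups

def vrrp_mismatches(groups, design):
    """design = {vrid: (expected_state, expected_master_ip)}; return deviations as strings."""
    problems = []
    for vrid, (state, master_ip) in design.items():
        g = groups.get(vrid)
        if g is None:
            problems.append(f"group {vrid}: not configured")
        elif g.get("State") != state:
            problems.append(f"group {vrid}: state {g.get('State')} (expected {state})")
        elif g.get("Master IP") != master_ip:
            problems.append(f"group {vrid}: master {g.get('Master IP')} (expected {master_ip})")
    return problems

def vrrp_without_auth(groups):
    """Group IDs whose advertisements carry no authentication (Auth type NONE)."""
    return sorted(vrid for vrid, g in groups.items() if g.get("Auth type") == "NONE")
```

On the page's SwitchA output the first check reports GE0/0/2 for MSTI1, since root protection was only applied to GE0/0/1 in step 2.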
Chapter 11 Multicast
11.1 IP Multicast Basics
11.1.1 Introduction to IP Multicast
Definition
IP multicast transmission is a mode in which packets are transmitted from a source to a group of receivers. Compared with unicast and broadcast transmission, IP multicast transmission saves network bandwidth and reduces the load on networks. IP multicast is widely used in IPTV, real-time data transmission, and multimedia conferencing services.
Purpose
Traditional IP communication supports two transmission modes: unicast and broadcast. In unicast transmission, a source sends an independent data packet to each host that requires its data. In broadcast transmission, a source sends data to all the hosts on the local network segment, regardless of whether the hosts require its data. To transmit data to multiple destination hosts but not all hosts, a source host must use the broadcast mode or send multiple copies of the data in unicast mode to the destination hosts one by one, as shown in Figure 11-1-1.
Figure 11-1-1 Point-to-multipoint data transmission in unicast and broadcast modes
In unicast mode, the amount of data transmitted on the network is proportional to the number of users that require the data. If a large number of users require the same data, the source host must send many copies of the data to these users, consuming high bandwidth on the source host and the network. Therefore, the unicast mode is not suitable for bulk data transmission and is applicable only to networks with a small number of users.
In broadcast mode, data is sent to all hosts on a network segment regardless of whether they require the data. This threatens information security and causes storms on the network segment. Therefore, the broadcast mode is not suitable for data transmission from a source to specified destinations and it also wastes network bandwidth.
In summary, traditional unicast and broadcast modes cannot effectively implement point-to-multipoint data transmission. Multicast is a solution to point-to-multipoint data transmission. As shown in Figure 11-1-2, the source sends only one copy of the data, and all the hosts that require the data (HostA and HostC) receive that same copy. HostB does not receive the data.
Figure 11-1-2 Point-to-multipoint data transmission in multicast mode
Multicast has the following advantages over unicast and broadcast:
Compared with the unicast mode, the multicast mode starts to copy data and distribute data copies on the network node as far from the source as possible. Therefore, the amount of data and network resource consumption will not increase greatly when the number of receivers increases.
Compared with the broadcast mode, the multicast mode transmits data only to receivers that require the data. This saves network resources and enhances data transmission security.
11.1.2 Multicast Concepts
Multicast transmits data from one source to multiple receivers. Figure 11-1-3 shows the multicast transmission model. HostA and HostC are interested in the information sent from Source and request to receive it. The data sent from Source is received only by HostA and HostC.
Figure 11-1-3 Multicast transmission
Multicast group: a group of receivers identified by an IP multicast address. User hosts (or other receiver devices) that have joined a multicast group become members of the group and can identify and receive the IP packets destined for the multicast group address.
Multicast source: a sender of multicast data. Source in Figure 11-1-3 is a multicast source. A multicast source can simultaneously send data to multiple multicast groups. Multiple multicast sources can simultaneously send data to a multicast group. A multicast source does not need to join any multicast groups.
Multicast group member: a host that has joined a multicast group. HostA and HostC in Figure 11-1-3 are multicast group members. Memberships in a multicast group change dynamically. Hosts can join or leave a multicast group anytime. Members of a multicast group are located anywhere on a network.
Multicast router: a router or Layer 3 switch that supports IP multicast. The routers in Figure 11-1-3 are multicast routers. In addition to multicast routing functions, multicast routers connected to user network segments provide multicast member management functions.
Table 11-1-1 describes the concepts involved in IP multicast by analogy with TV channels and programs.
Table 11-1-1 Analogy between TV watching and multicast transmission
Sequence  TV Broadcasting                                                   Multicast Transmission
1         A television station sends data to its channel.                   A multicast source sends data to a multicast group.
2         Some audiences turn on their TV sets and select this channel.     Receivers join the multicast group.
3         TV sets play this channel.                                        Member hosts receive data sent to the multicast group.
4         Audiences switch to other channels or turn on/off their TV sets.  Member hosts dynamically join or leave multicast groups.
11.1.3 Multicast Service Models
Multicast service models differ for receiver hosts and do not affect multicast sources. A multicast source sends multicast packets by using its own IP address as the source IP address and a group address as the destination IP address. Depending on whether receiver hosts can select multicast sources, two multicast models are defined: the Any-Source Multicast (ASM) model and the Source-Specific Multicast (SSM) model. The two models use multicast group addresses in different ranges.
ASM Model
The ASM model distributes multicast data based on group addresses. A group address identifies a collection of network services, and multicast packets sent from any source to this address obtain the same service. After joining a group, a host can receive multicast data sent from any source with this group address as the destination address. To improve security, multicast source filter policies can be configured on routers to permit or deny packets from specified multicast sources. This filters the data sent to receiver hosts. In the ASM model, each group address must be unique on the entire multicast network. An ASM group can only be used by a single application at a time. If two applications use the same ASM group simultaneously, receiver hosts of the two applications receive traffic from both application sources. This may result in network congestion and malfunction of the receiver hosts of the applications.
SSM Model
The SSM model provides service for the data flow from specific sources to a specific group. Receiver hosts can specify the sources from which they want to receive data when they join a group. After joining the group, the hosts receive only the data sent from the specified sources. The SSM model does not require globally unique group addresses. Each group address must be unique only for a given multicast source. Different applications on one source must use different SSM groups. Different applications on different sources can reuse SSM group addresses, because each source and group pair is identified by its own (S, G) entry. This model conserves multicast group addresses without congesting the network.
11.1.4 Multicast Addresses
To enable multicast sources and group members to communicate, the network must provide network-layer multicast service, which uses IP multicast addresses. To enable multicast data to be correctly transmitted on the local physical network, the network must provide link-layer multicast service, which uses multicast MAC addresses. A technology is required to map IP multicast addresses to multicast MAC addresses.
IPv4 Multicast Addresses
The Internet Assigned Numbers Authority (IANA) allocates Class D addresses for IPv4 multicast. An IPv4 address is 32 bits long, and the first four bits of a Class D IP address are 1110. Therefore, multicast IP addresses range from 224.0.0.0 to 239.255.255.255. Table 11-1-2 describes IPv4 multicast addresses.
Table 11-1-2 Range and description of IPv4 multicast addresses
Class D Address Range | Description
224.0.0.0-224.0.0.255 | Permanent multicast group addresses that are reserved by the IANA for routing protocols. The addresses identify a group of network devices and are not used for multicast forwarding. Table 11-1-2 lists the permanent multicast group addresses.
224.0.1.0-231.255.255.255 and 233.0.0.0-238.255.255.255 | ASM group addresses that are valid on the entire network.
232.0.0.0-232.255.255.255 | Default SSM group addresses that are valid on the entire network.
239.0.0.0-239.255.255.255 | Administrative multicast addresses that are valid only in the local administrative domain. Different administrative domains can use the same administrative multicast addresses.
Table 11-1-2 List of permanent multicast group addresses
Permanent Multicast Group Addresses | Description
224.0.0.0 | Unassigned
224.0.0.1 | All the hosts and routers on a network segment (similar to a broadcast address)
224.0.0.2 | All multicast routers
224.0.0.3 | Unassigned
IPv6 Multicast Addresses
An IPv6 address is 128 bits long. The IPv6 multicast address format is defined in RFC 4291, as shown in Figure 11-1-4.
Figure 11-1-4 IPv6 multicast address format
Compared with an IPv4 multicast address, an IPv6 multicast address has a Group ID field to identify a multicast group.
0xFF: The high-order eight bits are 11111111, indicating that the address is a multicast address. All IPv6 multicast addresses start with FF.
Flags: It is 4 bits long and identifies the state of a multicast address.
Figure 11-1-5 Format of the Flags field
Table 11-1-3 Description of flag values
Flag | Description
0 | The high-order flag is reserved and must be 0.
R flag | The value 0 indicates a multicast address that does not embed the address of the RP. The value 1 indicates a multicast address that embeds the address of the RP. When the R flag is 1, the P and T flags must also be 1.
P flag | The value 0 indicates a multicast address that is not assigned based on the network prefix. The value 1 indicates a multicast address that is assigned based on the network prefix. When the P flag is 1, the T flag must also be 1.
T flag | The value 0 indicates a permanently-assigned multicast address. The value 1 indicates a non-permanently-assigned multicast address.
Scope: It is 4 bits long and identifies the scope of a multicast group, for example, whether a multicast group covers nodes in the same network, the same site, the same organization, or any node in the global address space.
Table 11-1-4 Description of Scope field values
Value | Description
0, 3, F | Reserved
1 | Node/interface-local scope
2 | Link-local scope
4 | Admin-Local scope
5 | Site-local scope
8 | Organization-local scope
E | Global scope
Others | Unassigned
Group ID: It is 112 bits long and identifies a unique multicast group in the range specified by the Scope field. The Group ID can be permanently or temporarily assigned, depending on the value of the T flag in the Flags field.
Table 11-1-5 Range and description of IPv6 multicast addresses
Range | Description
FF0x::/32 | Reserved group addresses (see Table 11-1-6).
FF1x::/32 (x is not 1 or 2), FF2x::/32 (x is not 1 or 2) | ASM group addresses that are valid on the entire network.
FF3x::/32 (x is not 1 or 2) | Default SSM group address range. Addresses in this range are valid on the entire network.
Table 11-1-6 Commonly used IPv6 multicast addresses
Range | IPv6 Multicast Addresses | Description
Node/interface-local scope | FF01::1 | All node or interface addresses
Node/interface-local scope | FF01::2 | All router addresses
Link-local scope | FF02::1 | All node addresses
Link-local scope | FF02::2 | All router addresses
Link-local scope | FF02::3 | Unassigned addresses
Link-local scope | FF02::4 | DVMRP routers
Link-local scope | FF02::5 | OSPF IGP routers
Link-local scope | FF02::6 | OSPF IGP DRs
Link-local scope | FF02::7 | ST routers
Link-local scope | FF02::8 | ST hosts
Link-local scope | FF02::9 | RIP routers
Link-local scope | FF02::A | EIGRP routers
Link-local scope | FF02::B | Mobile agents
Link-local scope | FF02::D | All PIM routers
Link-local scope | FF02::E | RSVP encapsulation
Link-local scope | FF02::1:1 | Link name
Link-local scope | FF02::1:2 | All DHCP proxy agents
Link-local scope | FF02::1:FFXX:XXXX | Solicited-node addresses (XX:XXXX indicates the last 24 bits of a node IPv6 address)
Site-local scope | FF05::2 | All router addresses
Site-local scope | FF05::1:3 | All DHCP servers
Site-local scope | FF05::1:4 | All DHCP relay agents
Site-local scope | FF05::1:1000-FF05::1:13FF | Service location
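The IPv4 ranges in Table 11-1-2 and the IPv6 Flags, Scope and range fields in Tables 11-1-3 to 11-1-5 can be checked mechanically, which is useful when auditing a multicast address plan or a filter policy. The following Python is an added example and not code from the Huawei material: it classifies an IPv4 Class D address by range and decodes the 0RPT Flags nibble and the Scope nibble of an IPv6 multicast address, applying the RFC 4291 constraints quoted in Table 11-1-3 (R=1 requires P=1 and T=1; P=1 requires T=1). The category label strings are this example's own choice.

```python
import ipaddress

# IPv4 Class D ranges from Table 11-1-2; the label strings are this example's own.
IPV4_RANGES = [
    (ipaddress.ip_network("224.0.0.0/24"), "permanent"),    # reserved for routing protocols, not forwarded
    (ipaddress.ip_network("232.0.0.0/8"), "SSM"),           # default SSM group range
    (ipaddress.ip_network("239.0.0.0/8"), "admin-scoped"),  # valid only in the local administrative domain
]

# IPv6 Scope nibble values from Table 11-1-4.
IPV6_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
               0x5: "site-local", 0x8: "organization-local", 0xE: "global"}
IPV6_RESERVED_SCOPES = {0x0, 0x3, 0xF}

# Service model implied by the Flags nibble (Table 11-1-5): FF0x reserved, FF1x/FF2x ASM, FF3x SSM.
IPV6_FLAG_MODELS = {0x0: "reserved", 0x1: "ASM", 0x2: "ASM", 0x3: "SSM"}


def classify_ipv4(addr: str) -> str:
    """Return the Table 11-1-2 category of an IPv4 address, or 'not multicast'."""
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:            # first four bits are not 1110
        return "not multicast"
    for net, label in IPV4_RANGES:
        if ip in net:
            return label
    return "ASM"                       # the rest of Class D: ASM groups valid on the entire network


def decode_ipv6(addr: str) -> dict:
    """Split an IPv6 multicast address into its 0RPT flags, scope and 112-bit Group ID."""
    n = int(ipaddress.IPv6Address(addr))
    if (n >> 120) != 0xFF:
        raise ValueError(f"{addr} is not an IPv6 multicast address (does not start with FF)")
    flags = (n >> 116) & 0xF           # 0RPT: reserved bit, R, P, T
    scope = (n >> 112) & 0xF
    r, p, t = bool(flags & 0x4), bool(flags & 0x2), bool(flags & 0x1)
    # Constraints from Table 11-1-3: the high bit must be 0, R=1 needs P=1 and T=1, P=1 needs T=1.
    valid = not (flags & 0x8) and (not r or (p and t)) and (not p or t)
    scope_name = "reserved" if scope in IPV6_RESERVED_SCOPES else IPV6_SCOPES.get(scope, "unassigned")
    return {
        "flags": {"R": r, "P": p, "T": t},
        "permanent": not t,                       # T=0: permanently assigned Group ID
        "scope": scope_name,
        "model": IPV6_FLAG_MODELS.get(flags, "unlisted"),
        "group_id": n & ((1 << 112) - 1),
        "valid": valid,
    }


if __name__ == "__main__":
    for a in ("224.0.0.5", "224.0.1.1", "232.1.1.1", "239.255.0.1", "10.0.0.1"):
        print(f"{a:16} {classify_ipv4(a)}")
    for a in ("FF02::1", "FF05::1:3", "FF3E::8000:1", "FF7E::1", "FF4E::1"):
        print(f"{a:16} {decode_ipv6(a)}")
```

The `valid` field is the check a practitioner wants when a configured group such as FF4E::1 looks plausible but sets R without P: the address violates the flag rules and a router may refuse or misinterpret it.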
IPv4 Multicast MAC Addresses
When unicast IPv4 packets are transmitted on an Ethernet network, the packets use receiver MAC addresses as destination MAC addresses. However, the destination of a multicast data packet is a group whose membership changes, not a specific receiver. Therefore, multicast data packets must use IPv4 multicast MAC addresses on an Ethernet network. IPv4 multicast MAC addresses are link-layer addresses mapped from IPv4 multicast addresses. As defined by the IANA, the leftmost 24 bits of an IPv4 multicast MAC address are 0x01005e, the 25th bit is 0, and the rightmost 23 bits are the same as the rightmost 23 bits of the multicast IPv4 address, as shown in Figure 11-1-6. For example, IP multicast address 224.0.1.1 is mapped to multicast MAC address 01-00-5e-00-01-01.
Figure 11-1-6 Mapping between an IPv4 multicast address and an IPv4 multicast MAC address
The first four bits of an IPv4 multicast address are always 1110 and correspond to the fixed leftmost 25 bits of the multicast MAC address. Of the remaining 28 bits of the IP address, only 23 are copied into the MAC address, so 5 bits of the IP address are lost. As a result, 32 multicast IP addresses are mapped to the same MAC address. For example, IP multicast addresses 224.0.1.1, 224.128.1.1, 225.0.1.1, and 239.128.1.1 are all mapped to multicast MAC address 01-00-5e-00-01-01. These address conflicts must be considered in address assignment.
IPv6 Multicast MAC Addresses
In an IPv6 multicast MAC address, the leftmost 16 bits are 0x3333, and the rightmost 32 bits are mapped from the rightmost 32 bits of the IPv6 multicast address. Figure 11-1-7 shows the mapping between IPv6 multicast address FF01::1111:1 and an IPv6 multicast MAC address.
Figure 11-1-7 Mapping between an IPv6 multicast address and an IPv6 multicast MAC address
As the figure shows, even more IPv6 multicast addresses are mapped to the same multicast MAC address, because only the rightmost 32 bits of the 128-bit address are carried in the MAC address.
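The IPv4 and IPv6 mappings just described, as an added example that is not code from the Huawei material. The functions reproduce the 23-bit and 32-bit copies from Figures 11-1-6 and 11-1-7, and `ipv4_addresses_sharing_mac` enumerates the 32 Class D addresses that collide on one MAC address, which is the check to run before assigning two groups on the same segment (a switch doing Layer 2 forwarding on the MAC address will deliver both groups to a host that asked for only one).

```python
import ipaddress

IPV4_MAC_PREFIX = 0x01005E000000   # 01-00-5e, then one 0 bit, then 23 bits of the IP address
IPV6_MAC_PREFIX = 0x333300000000   # 33-33, then the rightmost 32 bits of the IPv6 address
IPV6_ADDRESSES_PER_MAC = 1 << (128 - 8 - 32)   # every bit except the FF prefix and the copied 32 is lost


def _fmt_mac(mac: int) -> str:
    """Render a 48-bit integer as the dashed lower-case MAC notation used on the page."""
    return "-".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def ipv4_multicast_mac(addr: str) -> str:
    """IPv4 multicast address -> Ethernet MAC: leftmost 25 bits fixed, low 23 bits copied."""
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not a Class D address")
    return _fmt_mac(IPV4_MAC_PREFIX | (int(ip) & 0x7FFFFF))


def ipv4_addresses_sharing_mac(addr: str) -> list:
    """All 32 Class D addresses that map to the same MAC as addr.

    The 5 bits following the fixed 1110 prefix (bits 23..27 of the address) are not
    carried in the MAC address, so every combination of them collides.
    """
    low23 = int(ipaddress.IPv4Address(addr)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (k << 23) | low23)) for k in range(32)]


def ipv6_multicast_mac(addr: str) -> str:
    """IPv6 multicast address -> Ethernet MAC: 33-33 followed by the low 32 bits."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:
        raise ValueError(f"{addr} is not an IPv6 multicast address")
    return _fmt_mac(IPV6_MAC_PREFIX | (int(ip) & 0xFFFFFFFF))


if __name__ == "__main__":
    print(ipv4_multicast_mac("224.0.1.1"))              # the page's example
    print(ipv4_addresses_sharing_mac("224.0.1.1"))      # includes 224.128.1.1, 225.0.1.1, 239.128.1.1
    print(ipv6_multicast_mac("FF01::1111:1"))           # Figure 11-1-7
    print(IPV6_ADDRESSES_PER_MAC.bit_length() - 1, "bits of an IPv6 group address are lost")
```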
11.1.5 Multicast Protocols
In IP multicast transmission, the sender only needs to send data to a specified destination address and does not need to know the locations of receivers. It is the responsibility of network devices to forward data from the sender to the receivers. Routers on the multicast network must collect information about receivers, and forward and replicate multicast packets along correct paths. A set of protocols has been developed to complete these tasks.
Receiver information is collected and managed using the Internet Group Management Protocol (IGMP) or Multicast Listener Discovery (MLD). IGMP applies to IPv4 networks, and MLD applies to IPv6 networks.
Forwarding paths are established for multicast packets by various multicast routing protocols, among which Protocol Independent Multicast (PIM) is the most widely used. PIM is an intra-domain multicast routing protocol. Inter-domain multicast transmission requires the Multicast Source Discovery Protocol (MSDP), and multicast transmission between autonomous systems (ASs) requires the MultiProtocol Border Gateway Protocol (MBGP).
On a small-sized network, all multicast routers are located in the same PIM domain. Figure 11-1-8 shows a multicast network with a single PIM domain.
Figure 11-1-8 Multicast network with a single PIM domain
Table 11-1-7 Protocols used on a multicast network with a single PIM domain
Protocol | Deployment Location | Purpose
IGMP (IPv4), MLD (IPv6) | Hosts and router interfaces connected to hosts | Allow hosts to dynamically join or leave multicast groups. Manage and maintain group memberships on routers and exchange information with upper-layer multicast routing protocols.
PIM Dense Mode (PIM-DM) or PIM Sparse Mode (PIM-SM) | All interfaces on all multicast routers | Provide multicast routing and forwarding, and maintain the multicast routing table based on network topology changes.
IGMP snooping (IPv4), MLD snooping (IPv6) | VLANs on Layer 2 switches between multicast routers and hosts | Listen on IGMP/MLD messages exchanged between routers and hosts to create and maintain a Layer 2 multicast forwarding table. In this manner, multicast data can be forwarded on a Layer 2 network.
A multicast domain can be divided into multiple isolated PIM-SM domains to facilitate management of multicast resources, including multicast groups, multicast sources, and group members. Figure 11-1-9 shows a multicast network spanning multiple PIM-SM domains.
Figure 11-1-9 Multicast network with multiple PIM-SM domains
MSDP must be deployed between the PIM-SM domains to enable them to exchange multicast data. An MSDP peer relationship is established between the PIM-SM domains, and the MSDP peers exchange SA messages to obtain each other's multicast source information. Receiver hosts in one PIM-SM domain can then receive data from a multicast source in another PIM-SM domain. MSDP applies only to IPv4 networks and is useful only in the ASM model.
Within a PIM domain, IGMP manages group memberships, and PIM-SM maintains multicast forwarding routes. PIM forwards multicast data based on the unicast routing table; therefore, multicast forwarding paths are the same as unicast forwarding paths. When a multicast source and its receivers are located in different ASs, a multicast distribution tree needs to be set up between the ASs. In this scenario, MBGP can be used to create a multicast routing table independent of the unicast routing table, and multicast data is then transmitted based on the multicast routing table. Figure 11-1-10 shows a multicast network spanning multiple ASs.
NOTE: For details about MBGP, see "BGP" in Feature Description - IP Routing.
Figure 11-1-10 Multicast network with multiple ASs
11.1.6 Multicast Packet Forwarding
In unicast transmission, the destination address of a packet indicates a specific receiver. Unicast forwarding paths are established based on the destination addresses of packets. Each routing entry records the outbound interface through which a packet can be forwarded to a destination. When a router receives a unicast packet, it searches the routing table based on the destination address to select the optimal path to the destination network segment. Then the router forwards the packet through the outbound interface specified in the matching routing entry.
In multicast transmission, the destination address of a packet indicates a group, not a specific receiver. A multicast source only needs to send information to a specified destination address and does not need to know how many members need to receive the information. Multicast routers must ensure that information from the source is correctly forwarded to group members. The source address of a multicast packet is a unicast address. When a router receives a multicast packet, it checks the unicast route to the source address to determine whether the inbound interface is on the optimal path to the multicast source. This process is the reverse path forwarding (RPF) check. When the packet passes the RPF check, the router copies the packet to multiple outbound interfaces. Therefore, multicast forwarding paths are established based on multicast source addresses in either of the following ways:
Dynamically generated using the RPF check mechanism: Routers perform the RPF check on received multicast packets. When multicast packets pass the RPF check, routers create multicast routing entries and establish distribution paths to downstream routers. For details, see RPF Check.
Manually configured: Static multicast routes are manually configured on routers. Each route specifies outbound interfaces for a multicast source address. Routers forward packets to the specified outbound interfaces and establish distribution paths to downstream routers. For details, see Multicast Static Route.
11.2 IGMP
11.2.1 IGMP Versions
Currently, IGMP has three versions:
IGMPv1 defined in RFC 1112
IGMPv2 defined in RFC 2236
IGMPv3 defined in RFC 3376
IGMPv1 defines the multicast member query and report processes. IGMPv2 extends IGMPv1 by adding the querier election and member leave mechanisms. IGMPv3 adds the function that allows hosts to specify the multicast sources from which they want to or do not want to receive data. The IGMP versions are backward compatible. Therefore, a multicast router running a later IGMP version can identify Membership Report messages sent from hosts running an earlier IGMP version, although the IGMP messages in different versions use different formats. All IGMP versions support the Any-Source Multicast (ASM) model. IGMPv3 can be used independently in the Source-Specific Multicast (SSM) model, whereas IGMPv1 and IGMPv2 must be used with SSM mapping. For details about the ASM and SSM models, see IP Multicast Basics.
11.2.2 IGMPv1 Rationale
IGMPv1 Messages
IGMP messages are encapsulated in IP packets. IGMPv1 defines the following types of messages:
General Query: A querier sends General Query messages to all hosts and routers on the shared network segment to discover which host groups have members on the network segment.
Report: Hosts send Report messages to multicast switches to request to join a multicast group or respond to General Query messages.
How IGMPv1 Works
IGMPv1 uses a query-report mechanism to manage multicast groups. When multicast routers exist on a network segment, one router is elected as the IGMP querier to send Query messages. In the IGMPv1 implementation, a unique Assert winner or designated router (DR) is elected by Protocol Independent Multicast (PIM) to work as the querier. The querier is the only device that sends Host Membership Query messages on the local network segment. For details about Assert and DR election, see PIM.
General query and report
Figure 11-2-1 IGMPv1 general query and report
As shown in Figure 11-2-1, RouterA and RouterB connect to a user network segment with three receivers: HostA, HostB, and HostC. RouterA is the querier on the network segment. HostA and HostB want to receive data sent to multicast group G1, and HostC wants to receive data sent to multicast group G2. The general query and report process is as follows:
1. The IGMP querier (RouterA) sends a General Query message with the destination address 224.0.0.1 (indicating all hosts and routers on the same network segment). The IGMP querier sends General Query messages at intervals. The interval can be configured using a command, and the default interval is 60 seconds.
2. All hosts on the network segment receive the General Query message. Then HostA and HostB start a timer for G1 (Timer-G1), and HostC starts a timer for G2 (Timer-G2). The timer length is a random value between 0 and 10, in seconds.
3. The host whose timer expires first sends a Report message for the multicast group. In this example, Timer-G1 on HostA expires first, and HostA sends a Report message with the destination address G1. When HostB detects the Report message sent by HostA, HostB stops Timer-G1 and does not send any Report message for G1. This listening mechanism reduces the number of Report messages transmitted on the network segment, lowering the load on multicast routers.
4. When Timer-G2 on HostC expires, HostC sends a Report message with the destination address G2 to the network segment.
5. After the routers receive the Report messages, they know that multicast groups G1 and G2 have members on the local network segment. Then the routers use the multicast routing protocol to create (*, G1) and (*, G2) entries, in which * stands for any multicast source. Once the routers receive data sent to G1 and G2, they forward the data to this network segment.
A new member joins a group
Figure 11-2-2 A new member joins a group
As shown in Figure 11-2-2, HostD connects to the network segment. HostD wants to join multicast group G3 but detects no multicast data for G3. In this case, HostD immediately sends a Report message for G3 without waiting for a General Query message. After receiving the Report message, the routers know that a member of G3 has connected to the network segment, and they create a (*, G3) entry. Once the routers receive data sent to G3, they forward the data to this network segment.
A member leaves a group
IGMPv1 does not define a Leave message. After a host leaves a multicast group, it no longer responds to General Query messages. Assume that HostC has left group G2. It does not send Report messages for G2 when receiving General Query messages. Because G2 has no member on this network segment, the routers no longer receive Report messages for G2. After a fixed period (130 seconds), the routers delete the (*, G2) entry.
The routers will not know if HostA leaves G1 because G1 still has a member HostB on the network segment.
11.2.3 Changes in IGMPv2
IGMPv2 Messages
IGMPv2 defines two new types of messages in addition to General Query and Report messages:
Group-Specific Query: A querier sends a Group-Specific Query message to a specified group on the shared network segment to check whether the group has members on the network segment.
Leave: A host sends a Leave message to notify routers on the local network segment that it has left a group.
IGMPv2 adds a new field Max Response Time to General Query messages. The field value controls the response speed of group members and is configurable.
How IGMPv2 Works
Compared with IGMPv1, IGMPv2 adds the querier election and leave mechanisms.
Querier election
IGMPv2 defines an independent querier election mechanism. When multiple multicast routers exist on a shared network segment, the router with the smallest IP address works as the querier.
Figure 11-2-3 Querier election
1. Each IGMPv2 router considers itself a querier when it starts and sends a General Query message to all hosts and routers on the local network segment.
2. When other routers receive a General Query message, they compare the source IP address of the message with their own interface IP addresses. The router with the smallest IP address becomes the querier, and the other routers are non-queriers. As shown in Figure 11-2-3, RouterA becomes the querier because it has a smaller interface address than RouterB.
3. All non-queriers start a timer (Other Querier Present Timer). If non-queriers receive a Query message from the querier before the timer expires, they reset the timer. If non-queriers receive no Query message from the querier when the timer expires, they trigger election of a new querier.
Leave mechanism
Figure 11-2-4 A host leaves a group
As shown in Figure 11-2-4, when HostC wants to leave multicast group G2:
1. HostC sends a Leave message for G2 to all multicast routers on the local network segment. The destination address of the Leave message is 224.0.0.2.
2. When the querier receives the Leave message, it sends Group-Specific Query messages for G2 at intervals to check whether G2 has other members on the network segment. The sending interval and the number of Group-Specific Query messages sent by the querier are configurable. By default, the querier sends a total of two Group-Specific Query messages, at an interval of 1 second. In addition, the querier starts the membership timer (Timer-Membership). The timer length is calculated using the following formula: Timer-Membership = Interval for sending Group-Specific Query messages x Number of messages sent
3. If G2 has no member on the network segment, the routers do not receive any Report message for G2. After Timer-Membership expires, the routers delete the downstream interface connected to the network segment from the (*, G2) entry. Then the routers no longer forward data of G2 to the network segment.
4. If G2 has other members on the network segment, the members send a Report message for G2 within the maximum response time defined in the Group-Specific Query message. The routers continue maintaining membership of G2.
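The two IGMPv2 procedures above (querier election in Figure 11-2-3 and the leave mechanism in Figure 11-2-4) as one added Python model; it is not code from the Huawei material. `run_election` lets every router send a General Query and applies the smallest-address rule, `tick` models the Other Querier Present Timer, and `on_leave` applies the page's default of two Group-Specific Queries one second apart, so Timer-Membership = 1 x 2 = 2 seconds. The 255-second Other Querier Present Interval is an assumption for the simulation (the page does not state this value), and the later Report messages fed to `on_leave` are constructed input standing in for traffic observed on the segment.

```python
import ipaddress

GROUP_QUERY_INTERVAL = 1.0   # seconds between Group-Specific Queries (page default)
GROUP_QUERY_COUNT = 2        # Group-Specific Queries sent per Leave (page default)
ALL_HOSTS = "224.0.0.1"      # General Query destination
ALL_ROUTERS = "224.0.0.2"    # Leave message destination


def membership_timer(interval=GROUP_QUERY_INTERVAL, count=GROUP_QUERY_COUNT):
    """Timer-Membership = Group-Specific Query interval x number of queries sent."""
    return interval * count


class IgmpV2Router:
    """Querier election and leave handling for one router interface on a shared segment."""

    def __init__(self, ip, other_querier_present_interval=255.0):
        # 255 s is an assumed Other Querier Present Interval; the page gives no value for it.
        self.ip = ipaddress.IPv4Address(ip)
        self.oqp_interval = other_querier_present_interval
        self.querier = True              # step 1: every router starts as a querier
        self.oqp_expiry = None           # step 3: Other Querier Present Timer (absolute time)
        self.groups = {}                 # group -> set of hosts that reported membership

    def send_general_query(self):
        """Only the current querier sends General Queries; returns the message or None."""
        if not self.querier:
            return None
        return {"type": "GeneralQuery", "src": str(self.ip), "dst": ALL_HOSTS}

    def on_general_query(self, msg, now):
        """Step 2: a query from a smaller interface address makes this router a non-querier."""
        if ipaddress.IPv4Address(msg["src"]) < self.ip:
            self.querier = False
            self.oqp_expiry = now + self.oqp_interval   # step 3: (re)start the timer

    def tick(self, now):
        """Step 3: if the querier's queries stop, the timer expires and election restarts."""
        if not self.querier and self.oqp_expiry is not None and now >= self.oqp_expiry:
            self.querier = True
            self.oqp_expiry = None

    def on_report(self, group, host):
        self.groups.setdefault(group, set()).add(host)

    def on_leave(self, group, host, leave_time, later_reports):
        """Process a Leave (sent to 224.0.0.2) for `group` from `host`.

        later_reports: (time, host, group) Report messages seen on the segment after the
        Leave (constructed input). Returns (decision, query_times, timer_expiry).
        """
        self.groups.get(group, set()).discard(host)
        if not self.querier:
            return "non-querier: no query sent", [], None
        query_times = [leave_time + i * GROUP_QUERY_INTERVAL for i in range(GROUP_QUERY_COUNT)]
        expiry = leave_time + membership_timer()
        answered = any(g == group and leave_time <= t < expiry for t, _, g in later_reports)
        if answered:
            return "keep", query_times, expiry          # step 4: another member replied
        self.groups.pop(group, None)                    # step 3: drop the downstream interface
        return "prune", query_times, expiry


def run_election(routers, now=0.0):
    """Every router sends a General Query; each router processes the others' queries."""
    for sender in routers:
        msg = sender.send_general_query()
        if msg is None:
            continue
        for r in routers:
            if r is not sender:
                r.on_general_query(msg, now)
    return [str(r.ip) for r in routers if r.querier]


if __name__ == "__main__":
    routers = [IgmpV2Router(ip) for ip in ("10.1.1.3", "10.1.1.1", "10.1.1.2")]
    print("querier:", run_election(routers))             # ['10.1.1.1']
    querier = next(r for r in routers if r.querier)
    querier.on_report("G2", "HostC"); querier.on_report("G2", "HostD")
    print(querier.on_leave("G2", "HostC", 10.0, [(10.5, "HostD", "G2")]))   # keep
    print(querier.on_leave("G2", "HostD", 20.0, []))                        # prune
```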
11.2.4 Changes in IGMPv3
IGMPv3 was developed to support the Source-Specific Multicast (SSM) model. IGMPv3 messages can carry multicast source information so that hosts can receive data sent from a specific source to a specific group.
IGMPv3 Messages
IGMPv3 also defines two types of messages: Query messages and Report messages. Compared with IGMPv2, IGMPv3 has the following changes:
In addition to General Query and Group-Specific Query messages, IGMPv3 defines a new Query message type: Group-and-Source-Specific Query. A querier sends a Group-and-Source-Specific Query message to members of a specific group on the shared network segment, to check whether the group members are interested in data from specific sources. A Group-and-Source-Specific Query message carries one or more multicast source addresses.
A host sends a Report message to notify a multicast router that it wants to join a multicast group and receive data from specified multicast sources. IGMPv3 supports source filtering and defines two filter modes: INCLUDE and EXCLUDE. In IGMPv3, group-source mappings are represented by (G, INCLUDE, (S1, S2...)) or (G, EXCLUDE, (S1, S2...)). A (G, INCLUDE, (S1, S2...)) entry indicates that members of group G receive only data sent from sources S1, S2, and so on. A (G, EXCLUDE, (S1, S2...)) entry indicates that members of group G receive data from all multicast sources except S1, S2, and so on. When mappings between multicast groups and sources change, a multicast router sends an IGMPv3 Report message with Group Record fields to the querier on the network segment. Group Records are classified into six types, as described in Table 11-2-1.
Table 11-2-1 Group Record types in IGMPv3 Report messages
Category | Group Record Type | Description
Current-State Record, sent in response to a Query message to report the current state of the local system. | IS_IN | Indicates that the source filter mode is INCLUDE for a multicast group. That is, members of the group receive only data sent from the specified sources to the group.
Current-State Record | IS_EX | Indicates that the source filter mode is EXCLUDE for a multicast group. That is, members of the group receive data sent from multicast sources except the specified sources to the group.
Filter-Mode-Change Record, sent when the source filter mode for a multicast group changes from INCLUDE to EXCLUDE or from EXCLUDE to INCLUDE. | TO_IN | Indicates that the source filter mode for a multicast group has changed from EXCLUDE to INCLUDE. If the source list is empty, the members have left the multicast group.
Filter-Mode-Change Record | TO_EX | Indicates that the source filter mode for a multicast group has changed from INCLUDE to EXCLUDE.
Source-List-Change Record, sent when the source list of a multicast group changes. | ALLOW | Indicates that members of a multicast group want to receive data from the specified multicast sources in addition to the current sources. If the source filter mode for the multicast group is INCLUDE, the specified sources are added to the source list. If the source filter mode is EXCLUDE, the specified sources are deleted from the source list.
Source-List-Change Record | BLOCK | Indicates that members of a multicast group no longer want to receive data from the specified multicast sources. If the source filter mode for the multicast group is INCLUDE, the specified sources are deleted from the source list. If the source filter mode is EXCLUDE, the specified sources are added to the source list.
An IGMPv3 Report message can carry information about multiple multicast groups, whereas an IGMPv1 or IGMPv2 Report message carries information about only one multicast group. IGMPv3 therefore greatly reduces the number of messages transmitted on a network. IGMPv3 does not define a dedicated Leave message. Group members send Report messages of a specified type to notify multicast routers that they are leaving a multicast group. For example, if a member of group 225.1.1.1 wants to leave the group, it sends a Report message with (225.1.1.1, TO_IN, (0)).
How IGMPv3 Works
Compared with IGMPv2, IGMPv3 allows hosts to select multicast sources.
Joining a specific source and group
IGMPv3 Report messages have the destination address 224.0.0.22, indicating all IGMPv3-capable multicast routers on the same network segment. A Report message contains Group Record fields, allowing hosts to specify the multicast sources from which they want to or do not want to receive data when joining a multicast group. As shown in Figure 11-2-5, two multicast sources S1 and S2 send data to multicast group G. The host only wants to receive data sent from S1 to G.
Figure 11-2-5 Source-and-group-specific multicast data transmission
If IGMPv1 or IGMPv2 is running between the host and its upstream router, the host cannot select multicast sources when it joins group G. The host receives data from both S1 and S2, regardless of whether it requires the data. If IGMPv3 is running between the host and its upstream router, the host can choose to receive only data from S1 using either of the following methods:
Method 1: Send an IGMPv3 Report (G, IS_IN, (S1)), requesting to receive only the data sent from S1 to G.
Method 2: Send an IGMPv3 Report (G, IS_EX, (S2)), notifying the upstream router that it does not want to receive data from S2. Then only data sent from S1 is forwarded to the host.
Group-and-Source-Specific Query
When a querier receives a Report message containing a Filter-Mode-Change Record or Source-List-Change Record (the last four types listed in Table 11-2-1), the querier sends Group-and-Source-Specific Query messages. If a member wants to receive the data from any source in the source list, it sends a Report message. The multicast router updates the source list of the corresponding group according to the received Report messages.
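The Group Record semantics of Table 11-2-1, the two join methods of Figure 11-2-5 and the TO_IN-with-empty-list leave of 225.1.1.1 can be exercised with the following per-group state table. It is an added Python example, not code from the Huawei material, and it simplifies in one way that is stated here as an assumption: it tracks the filter state reported by a single host, whereas a real router merges the states of every host on the segment (RFC 3376 describes that merge). `process` applies one Group Record and returns the sources whose forwarding the change would stop, which is what the querier verifies with a Group-and-Source-Specific Query before pruning them.

```python
INCLUDE, EXCLUDE = "INCLUDE", "EXCLUDE"
CHANGE_RECORDS = {"TO_IN", "TO_EX", "ALLOW", "BLOCK"}   # the four types that trigger Group-and-Source-Specific Queries


class IgmpV3GroupTable:
    """Per-group source filter state as a router sees it from one host's IGMPv3 Reports."""

    def __init__(self):
        self.groups = {}   # group -> [filter mode, set of sources]

    def wants(self, group, source):
        """Would data from `source` to `group` be forwarded to the member?"""
        st = self.groups.get(group)
        if st is None:
            return False
        mode, sources = st
        return source in sources if mode == INCLUDE else source not in sources

    def process(self, group, record_type, sources=()):
        """Apply one Group Record (Table 11-2-1) and return the sources that stop being wanted."""
        sources = set(sources)
        st = self.groups.get(group)
        universe = sources | (st[1] if st else set())            # sources whose fate we can observe
        before = {s for s in universe if self.wants(group, s)}

        if record_type in ("IS_IN", "TO_IN"):
            if sources:
                self.groups[group] = [INCLUDE, sources]
            else:
                self.groups.pop(group, None)                      # TO_IN with an empty list: member left
        elif record_type in ("IS_EX", "TO_EX"):
            self.groups[group] = [EXCLUDE, sources]
        elif record_type == "ALLOW":
            mode, cur = self.groups.setdefault(group, [INCLUDE, set()])
            if mode == INCLUDE:
                cur |= sources                                    # INCLUDE: add to the source list
            else:
                cur -= sources                                    # EXCLUDE: delete from the source list
        elif record_type == "BLOCK":
            if st is None:
                return []                                         # nothing was forwarded for this group
            mode, cur = st
            if mode == INCLUDE:
                cur -= sources                                    # INCLUDE: delete from the source list
                if not cur:
                    del self.groups[group]                        # INCLUDE with no sources: no membership
            else:
                cur |= sources                                    # EXCLUDE: add to the source list
        else:
            raise ValueError(f"unknown Group Record type {record_type}")

        after = {s for s in universe if self.wants(group, s)}
        return sorted(before - after) if record_type in CHANGE_RECORDS else []


if __name__ == "__main__":
    t = IgmpV3GroupTable()
    t.process("G", "IS_IN", {"S1"})                   # Method 1 from Figure 11-2-5
    print(t.wants("G", "S1"), t.wants("G", "S2"))     # True False
    t2 = IgmpV3GroupTable()
    t2.process("G", "IS_EX", {"S2"})                  # Method 2 from Figure 11-2-5
    print(t2.wants("G", "S1"), t2.wants("G", "S2"))   # True False
    print(t.process("G", "BLOCK", {"S1"}))            # ['S1']: querier checks S1 before pruning
    t3 = IgmpV3GroupTable()
    t3.process("225.1.1.1", "IS_EX", set())
    t3.process("225.1.1.1", "TO_IN", ())              # the leave described above
    print("225.1.1.1" in t3.groups)                   # False
```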
11.2.5 IGMP SSM Mapping
Source-Specific Multicast (SSM) requires multicast routers to know the multicast sources that hosts specify when they join a multicast group. A host running IGMPv3 can specify multicast source addresses in IGMPv3 Report messages. Some hosts can run only IGMPv1 or IGMPv2. To enable such hosts to obtain the SSM service, multicast routers need to provide the IGMP SSM mapping function. After static SSM mapping entries are configured on a multicast router, the router can convert (*, G) information in IGMPv1 and IGMPv2 Report messages to (S, G) information to provide the SSM service for the IGMPv1 and IGMPv2 hosts. By default, SSM group addresses range from 232.0.0.0 to 232.255.255.255. For details about SSM group addresses, see PIM-SSM. With SSM mapping entries configured, a multicast router checks the multicast group address G in each received IGMPv1 or IGMPv2 Report message, and processes the message based on the check result:
If G is in the range of Any-Source Multicast (ASM) group addresses, the router provides the ASM service for the host.
If G is in the range of SSM group addresses:
When the router has no SSM mapping entry matching G, it does not provide the SSM service and drops the Report message.
If the router has an SSM mapping entry matching G, it converts (*, G) information in the Report message into (S, G) information and provides the SSM service for the host.
NOTE: IGMP SSM mapping does not apply to IGMPv3 Report messages. To enable hosts running any IGMP version on a network segment to obtain the SSM service, IGMPv3 must run on interfaces of multicast routers on the network segment. As shown in Figure 11-2-6, HostA runs IGMPv3, HostB runs IGMPv2, and HostC runs IGMPv1 on an SSM network. HostB and HostC cannot run IGMPv3. To provide the SSM service for all the hosts on the network segment, IGMP SSM mapping must be configured on the Router.
Figure 11-2-6 SSM mapping
The following table lists the SSM mapping entries configured on the Router.
Table 11-2-2 SSM mapping entries
Multicast Group Address | Multicast Source Address
232.0.0.0/8 | 10.10.1.1
232.1.0.0/16 | 10.10.2.2
232.1.0.0/16 | 10.10.3.3
232.1.1.0/24 | 10.10.4.4
When the Router receives Report messages from HostB and HostC, it checks whether the multicast group addresses in the messages are in the SSM group address range. If so, the Router generates (S, G) entries based on the SSM mappings (see the following table). If a group address is mapped to multiple sources, the Router generates multiple (S, G) entries.
Table 11-2-3 Multicast address
Multicast Group Address in IGMPv1/IGMPv2 Report
NOTE: The Router generates an (S, G) entry as long as a multicast group address matches an SSM mapping entry. Therefore, the Router generates four (S, G) entries for 232.1.1.1, and three (S, G) entries for 232.1.2.2.
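The following added example (written for this page, not Huawei's implementation) applies the check described above to an IGMPv1/IGMPv2 Report: ASM service outside the SSM range, drop when no mapping matches, and one (S, G) entry per matching mapping, using the entries of Table 11-2-2. The routine also generalises to any mapping list passed in.

```python
import ipaddress

# SSM mapping entries from Table 11-2-2, as configured on the Router
SSM_MAPPINGS = [
    ("232.0.0.0/8",  "10.10.1.1"),
    ("232.1.0.0/16", "10.10.2.2"),
    ("232.1.0.0/16", "10.10.3.3"),
    ("232.1.1.0/24", "10.10.4.4"),
]

# Default SSM group address range (232.0.0.0 to 232.255.255.255)
SSM_RANGE = ipaddress.ip_network("232.0.0.0/8")


def process_report(group, igmp_version, mappings=SSM_MAPPINGS):
    """Apply the SSM mapping check to an IGMPv1/IGMPv2 Report for group G.

    Returns (action, entries): action is "asm" (G outside the SSM range),
    "drop" (G in the SSM range but no mapping matches) or "ssm", in which
    case entries lists every (S, G) pair the router generates.
    """
    if igmp_version not in (1, 2):
        # SSM mapping is not applied to IGMPv3 Reports; they carry S themselves
        raise ValueError("SSM mapping applies only to IGMPv1/IGMPv2 Reports")
    g = ipaddress.ip_address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    if g not in SSM_RANGE:
        return ("asm", [])
    # Every matching entry yields its own (S, G); there is no longest-match selection
    entries = [(src, group) for prefix, src in mappings
               if g in ipaddress.ip_network(prefix)]
    if not entries:
        return ("drop", [])
    return ("ssm", entries)


if __name__ == "__main__":
    for grp in ("232.1.1.1", "232.1.2.2", "224.1.1.1"):
        print(grp, process_report(grp, 2))
```

With the table above, 232.1.1.1 yields four (S, G) entries and 232.1.2.2 yields three, matching the NOTE.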
11.3 Layer 2 Multicast
11.3.1 IGMP/MLD Snooping
Principles
IGMP/MLD snooping is a basic Layer 2 multicast function that forwards and controls multicast traffic at Layer 2. IGMP/MLD snooping runs on a Layer 2 device and analyzes IGMP/MLD messages exchanged between a Layer 3 device and hosts to set up and maintain a Layer 2 multicast forwarding table. The Layer 2 device forwards multicast packets based on the Layer 2 multicast forwarding table.
NOTE: IGMP snooping applies to IPv4 multicast networks, while MLD snooping applies to IPv6 multicast networks. The implementation of these two technologies is the same, except that they use different address types and define different protocol packets. The following describes IGMP snooping implementation as an example.
As shown in Figure 11-3-1, after receiving multicast packets from a Layer 3 device Router, Switch at the edge of the access layer forwards the multicast packets to receiver hosts. If Switch does not run IGMP snooping, it broadcasts multicast packets at Layer 2. After IGMP snooping is configured, Switch forwards multicast packets only to specified hosts. With IGMP snooping configured, Switch listens on IGMP messages exchanged between Router and hosts. It analyzes packet information (such as packet type, group address, and receiving interface) to set up and maintain a Layer 2 multicast forwarding table, and forwards multicast packets based on the Layer 2 multicast forwarding table.
Figure 11-3-1 Multicast packet transmission before and after IGMP snooping is configured on a Layer 2 device
Concepts
As shown in Figure 11-3-2, Router connects to the multicast source. IGMP snooping is configured on SwitchA and SwitchB. HostA, HostB, and HostC are receiver hosts.
Figure 11-3-2 IGMP snooping ports
Figure 11-3-2 shows IGMP snooping ports. The following table describes these ports.
Table 11-3-1 IGMP snooping ports
Port Role: Router port (ports marked as blue points on SwitchA and SwitchB)
Function: A router port receives multicast packets from a Layer 3 multicast device such as a designated router (DR) or IGMP querier. NOTE: A router port is a port on a Layer 2 multicast device and connects to an upstream multicast router.
Generation: A dynamic router port is generated by MLD/IGMP snooping. A port becomes a dynamic router port when it receives an IGMP General Query message or PIM Hello message with any source address except 0.0.0.0. The PIM Hello messages are sent from the PIM port on a Layer 3 multicast device to discover and maintain neighbor relationships. A static router port is manually configured.
Port Role: Member port (ports marked as yellow points on SwitchA and SwitchB)
Function: A member port is a member of a multicast group. A Layer 2 multicast device sends multicast data to the receiver hosts through member ports.
Generation: A dynamic member port is generated by MLD/IGMP snooping. A Layer 2 multicast device sets a port as a dynamic member port when the port receives an IGMP Report message. A static member port is manually configured.
The router port and member port are outbound interfaces in Layer 2 multicast forwarding entries. A router port functions as an upstream interface, while a member port functions as a downstream interface. Port information learned through protocol packets is saved as dynamic entries, and port information manually configured is saved as static entries. Besides the outbound interfaces, each entry includes multicast group addresses and VLAN IDs.
Multicast group addresses can be multicast IP addresses or multicast MAC addresses mapped from multicast IP addresses. In MAC address-based forwarding mode, multicast data may be forwarded to hosts that do not require the data, because multiple IP addresses are mapped to the same MAC address. The IP address-based forwarding mode prevents this problem.
The VLAN ID specifies a Layer 2 broadcast domain. After multicast VLAN is configured, the inbound VLAN ID is the multicast VLAN ID, and the outbound VLAN ID is a user VLAN ID. If multicast VLAN is not configured, both the inbound and outbound VLAN IDs are the ID of the VLAN to which a host belongs. For details about multicast VLAN, see Multicast VLAN.
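An added example (not from the original material) of why MAC address-based forwarding can deliver data to hosts that never asked for it: the IPv4-to-MAC mapping keeps only the low 23 bits of the group address under the 01-00-5e prefix, so 32 IPv4 groups share one MAC. The group addresses used are constructed for illustration.

```python
import ipaddress

MAC_PREFIX = (0x01, 0x00, 0x5E)   # IANA OUI for IPv4 multicast frames
LOW23 = 0x7FFFFF                  # only these bits of the group address survive


def multicast_mac(group):
    """Map an IPv4 multicast group to its Ethernet destination MAC."""
    g = ipaddress.ip_address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    low = int(g) & LOW23
    octets = MAC_PREFIX + ((low >> 16) & 0x7F, (low >> 8) & 0xFF, low & 0xFF)
    return "-".join(f"{o:02x}" for o in octets)


def groups_sharing_mac(group):
    """All 32 IPv4 multicast groups whose frames carry the same MAC as `group`.

    The 4-bit 1110 class-D prefix is fixed and the next 5 bits are discarded by
    the mapping, so those 5 bits can take any value without changing the MAC.
    """
    low = int(ipaddress.ip_address(group)) & LOW23
    return [str(ipaddress.ip_address(0xE0000000 | (hi << 23) | low)) for hi in range(32)]


def would_forward(member_group, data_group, mode):
    """Does data for data_group reach a port that joined member_group?

    mode "ip": the entry is keyed by the full group address (no leakage).
    mode "mac": the entry is keyed by the mapped MAC, so colliding groups leak.
    """
    if mode == "ip":
        return member_group == data_group
    if mode == "mac":
        return multicast_mac(member_group) == multicast_mac(data_group)
    raise ValueError(f"unknown forwarding mode {mode!r}")


if __name__ == "__main__":
    print(multicast_mac("224.1.1.1"), multicast_mac("225.1.1.1"))
    print(would_forward("224.1.1.1", "225.1.1.1", "mac"),
          would_forward("224.1.1.1", "225.1.1.1", "ip"))
```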
Implementation
After IGMP snooping is configured, the Layer 2 multicast device processes the received IGMP protocol packets in different ways and sets up Layer 2 multicast forwarding entries.
Table 11-3-2 IGMP message processing by IGMP snooping
IGMP Working Phase: General query
IGMP Message Received on a Layer 2 Device: IGMP General Query message. The IGMP querier periodically sends General Query messages to all hosts and the router (224.0.0.1) on the local network segment, to check which multicast groups have members on the network segment.
Processing Method: A Layer 2 device forwards IGMP General Query messages to all ports excluding the port receiving the messages. The Layer 2 device processes the receiving port as follows:
If the port is included in the router port list, the Layer 2 device resets the aging timer of the router port.
If the port is not in the router port list, the Layer 2 device adds it to the list and starts the aging timer.
NOTE: By default, the Layer 2 device sets the aging time to 180 seconds when the router port receives an IGMP General Query message. You can set the aging time using a command.
IGMP Working Phase: Membership report
IGMP Message Received on a Layer 2 Device: IGMP Report message. Membership Report messages are used in two scenarios:
Upon receiving an IGMP General Query message, a member returns an IGMP Report message.
A member sends an IGMP Report message to the IGMP querier to announce its joining to a multicast group.
Processing Method: A Layer 2 device forwards an IGMP Report message to all router ports in a VLAN. The Layer 2 device obtains the multicast group address from the Report message and performs the following operations on the port receiving the message:
If the multicast group matches no forwarding entry, the Layer 2 device creates a forwarding entry, adds the port to the outbound interface list as a dynamic member port, and starts the aging timer.
If the multicast group matches a forwarding entry but the port is not in the outbound interface list, the Layer 2 device adds the port to the outbound interface list as a dynamic member port, and starts the aging timer.
If the multicast group matches a forwarding entry and the port is in the router port list, the Layer 2 device resets the aging timer.
NOTE: Aging time of a dynamic router port = Robustness variable x General query interval + Maximum response time for General Query messages
IGMP Working Phase: Leave of multicast members
IGMP Message Received on a Layer 2 Device: IGMP Leave message. There are two phases:
1. An IGMPv2/IGMPv3 member sends an IGMP Leave message to notify routers on the local network segment that it has left a multicast group.
2. Upon receiving the IGMP Leave message, the IGMP querier obtains the multicast group address and sends an IGMP Group-Specific/Group-Source-Specific Query message to the multicast group.
Processing Method: The Layer 2 device determines whether the multicast group matches a forwarding entry and whether the port that receives the message is in the outbound interface list.
If no forwarding entry matches the multicast group or the outbound interface list of the matching entry does not contain the receiving port, the Layer 2 device drops the IGMP Leave message.
If the multicast group matches a forwarding entry and the port is in the outbound interface list, the Layer 2 device forwards the IGMP Leave message to all router ports in the VLAN. The following assumes that the port receiving an IGMP Leave message is a dynamic member port. Within the aging time of the member port:
If the port receives IGMP Report messages in response to the IGMP Group-Specific Query message, the Layer 2 device knows that the multicast group has members connected to the port and resets the aging timer.
If the port receives no IGMP Report message in response to the IGMP Group-Specific Query message, no member of the multicast group exists under the interface. Then the Layer 2 device deletes the port from the outbound interface list when the aging time is reached.
IGMP Message Received on a Layer 2 Device: IGMP Group-Specific/Group-Source-Specific Query message
Processing Method: An IGMP Group-Specific/Group-Source-Specific Query message is forwarded to all ports in a VLAN excluding the port receiving the message.
IGMP Message Received on a Layer 2 Device: PIM Hello message
Processing Method: Upon receiving a PIM Hello message, a Layer 2 device forwards the message to all ports excluding the port that receives the Hello message. The Layer 2 device processes the receiving port as follows:
If the port is included in the router port list, the device resets the aging timer of the router port.
If the port is not in the router port list, the device adds it to the list and starts the aging timer.
NOTE: When the Layer 2 device receives a PIM Hello message, it sets the aging time of the router port to the Holdtime value in the Hello message.
If a static router port is configured, the Layer 2 device forwards received IGMP Report and Leave messages to the static router port. If a static member port is configured for a multicast group, the Layer 2 device adds the port to the outbound interface list for the multicast group. After a Layer 2 multicast forwarding table is set up, the Layer 2 device searches the multicast forwarding table for outbound interfaces of multicast data packets according to the VLAN IDs and destination addresses (group addresses) of the packets. If outbound interfaces are found for a packet, the Layer 2 device forwards the packet to all the member ports of the multicast group. If no outbound interface is found, the Layer 2 device drops the packet or broadcasts the packet in the VLAN.
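An added, simplified model of the Table 11-3-2 processing rules and the forwarding lookup above (example code written for this page, not Huawei's implementation). It assumes the IGMP default values robustness 2, query interval 125 s and maximum response time 10 s for the member-port aging formula, uses constructed port names GE0/0/1 to GE0/0/3, and drives time with an explicit clock so aging can be observed.

```python
from dataclasses import dataclass, field

# IGMP default values assumed for the aging formula quoted in Table 11-3-2
ROBUSTNESS, QUERY_INTERVAL, MAX_RESP = 2, 125, 10
ROUTER_PORT_AGING = 180                                      # on General Query, per the page
MEMBER_PORT_AGING = ROBUSTNESS * QUERY_INTERVAL + MAX_RESP   # 260 s with the values above


@dataclass
class SnoopingSwitch:
    """Layer 2 forwarding table of one IGMP snooping switch.

    Time is an explicit clock in seconds (advance it with tick) so that
    router-port and member-port aging can be exercised deterministically.
    Each message handler returns the list of ports the message is relayed to.
    """
    ports: list
    unknown_action: str = "drop"   # data for an unknown group: "drop" or "flood" in the VLAN
    now: int = 0
    router_ports: dict = field(default_factory=dict)   # (vlan, port) -> expiry time
    entries: dict = field(default_factory=dict)        # (vlan, group) -> {member port: expiry}

    def tick(self, seconds):
        """Advance the clock and age out expired router ports and member ports."""
        self.now += seconds
        self.router_ports = {k: t for k, t in self.router_ports.items() if t > self.now}
        for key in list(self.entries):
            self.entries[key] = {p: t for p, t in self.entries[key].items() if t > self.now}
            if not self.entries[key]:          # last member port gone: drop the entry
                del self.entries[key]

    def _all_but(self, ingress):
        return [p for p in self.ports if p != ingress]

    def router_ports_in(self, vlan):
        return sorted(p for (v, p) in self.router_ports if v == vlan)

    def _learn_router_port(self, vlan, port, aging):
        # Adds the port if absent; in both cases the aging timer is (re)started
        self.router_ports[(vlan, port)] = self.now + aging

    def general_query(self, vlan, port):
        self._learn_router_port(vlan, port, ROUTER_PORT_AGING)
        return self._all_but(port)

    def pim_hello(self, vlan, port, holdtime):
        # The router port's aging time is the Holdtime carried in the Hello
        self._learn_router_port(vlan, port, holdtime)
        return self._all_but(port)

    def report(self, vlan, port, group):
        # Create the entry / add the member port / reset its timer, then relay to router ports
        members = self.entries.setdefault((vlan, group), {})
        members[port] = self.now + MEMBER_PORT_AGING
        return self.router_ports_in(vlan)

    def leave(self, vlan, port, group):
        members = self.entries.get((vlan, group), {})
        if port not in members:
            return []                          # no matching entry or port: Leave is dropped
        # The port stays until it ages out unless a Report answers the querier's
        # Group-Specific Query (report() resets the timer in that case)
        return self.router_ports_in(vlan)

    def group_specific_query(self, vlan, port, group):
        return self._all_but(port)

    def forward_data(self, vlan, group):
        """Outbound ports for a data packet, looked up by VLAN ID and group address."""
        members = self.entries.get((vlan, group))
        if members:
            return sorted(members)
        return list(self.ports) if self.unknown_action == "flood" else []
```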
11.3.2 IGMP/MLD Snooping Proxy
Principles
IGMP/MLD snooping proxy can be configured on a Layer 2 device. The Layer 2 device then functions as a host to send IGMP Report messages to the upstream Layer 3 device. This function reduces the number of IGMP Report/MLD Report and IGMP Leave/MLD Done messages sent to the upstream Layer 3 device. A device configured with IGMP/MLD snooping proxy functions as a host for its upstream device and a querier for its downstream hosts.
NOTE: IGMP snooping proxy applies to IPv4 multicast networks, while MLD snooping proxy applies to IPv6 multicast networks. The implementation of these two technologies is the same, except that they use different address types and define different protocol packets. The following uses IGMP snooping proxy implementation as an example.
As shown in Figure 11-3-3, when Switch runs IGMP snooping, it forwards IGMP Query, Report, and Leave messages transparently to the upstream Router. When numerous hosts exist on the network, redundant IGMP messages increase the burden on Router. With IGMP snooping proxy configured, Switch can terminate IGMP Query messages sent from Router and IGMP Report/Leave messages sent from downstream hosts. When receiving these messages, Switch constructs new messages and sends them to Router.
Figure 11-3-3 Networking diagram of IGMP snooping proxy
After IGMP snooping proxy is deployed on the Layer 2 device, the Layer 3 device considers that it interacts with only one user. The Layer 2 device interacts with the upstream device and downstream hosts. The IGMP snooping proxy function conserves bandwidth by reducing IGMP message exchanges. In addition, IGMP snooping proxy functions as a querier to process protocol messages received from downstream hosts and maintain group memberships. This reduces the load of the upstream Layer 3 device.
Implementation
A device that runs IGMP snooping proxy sets up and maintains a Layer 2 multicast forwarding table and sends multicast data to hosts based on the multicast forwarding table. Table 11-3-3 describes how the IGMP snooping proxy device processes IGMP messages.
Table 11-3-3 Received IGMP message processing by IGMP snooping proxy
IGMP Message: IGMP General Query message
Processing Method: The Layer 2 device forwards the message to all ports excluding the port receiving the message. The device generates an IGMP Report message based on the group memberships and sends the IGMP Report message to all router ports.
IGMP Message: IGMP Group-Specific/Group-Source-Specific Query message
Processing Method: If the group specified in the message has member ports in the multicast forwarding table, the Layer 2 device responds with an IGMP Report message to all router ports.
IGMP Message: IGMP Report message
Processing Method:
If the multicast group matches no forwarding entry, the Layer 2 device creates a forwarding entry, adds the message receiving port to the outbound interface list as a dynamic member port, starts the aging timer, and sends an IGMP Report message to all router ports.
If the multicast group matches a forwarding entry and the message receiving port is in the outbound interface list, the device resets the aging timer.
If the multicast group matches a forwarding entry, but the port is not in the outbound interface list, the Layer 2 device adds the port to the list as a dynamic router port, and starts the aging timer.
IGMP Message: IGMP Leave message
Processing Method: The Layer 2 device sends a Group-Specific Query message to the port that receives the IGMP Leave message. The Layer 2 device sends an IGMP Leave message to all router ports only when the last member port is deleted from the forwarding entry.
11.3.3 Layer 2 SSM Mapping
Compared to Any-Source Multicast (ASM), Source-Specific Multicast (SSM) conserves multicast addresses and has higher security. Only IGMPv3 and MLDv2 support SSM. A host running IGMPv3 or MLDv2 can specify multicast source addresses in IGMP Report messages. Some hosts can run only IGMPv1, IGMPv2, or MLDv1. To enable such hosts to obtain the SSM service, multicast routers need to provide the IGMP/MLD SSM mapping function. Layer 2 SSM mapping is used to implement SSM mapping on Layer 2 networks. Currently, only IPv4 multicast networks support Layer 2 SSM mapping, which is implemented based on IGMP snooping. After static SSM mapping entries are configured on a multicast device, the device can convert (*, G) information in IGMPv1 and IGMPv2 Report messages to (S, G) information to provide the SSM service for IGMPv1 and IGMPv2 hosts. S indicates the multicast source, G indicates the multicast group, and the asterisk (*) indicates any multicast source. By default, SSM group addresses range from 232.0.0.0 to 232.255.255.255.
As shown in Figure 11-3-4, HostA runs IGMPv3, HostB runs IGMPv2, and HostC runs IGMPv1 on an SSM network. HostB and HostC cannot run IGMPv3. To provide the SSM service for all the hosts on the network segment, configure IGMP SSM mapping on Switch.
Figure 11-3-4 Networking diagram of Layer 2 SSM mapping
The following table lists the SSM mapping entries configured on Switch.
Table 11-3-4 SSM mapping entries
Multicast Group Address | Multicast Source Address
232.1.1.0/24 | 10.10.1.1
232.1.2.0/24 | 10.10.2.2
232.1.3.0/24 | 10.10.3.3
When Switch receives Report messages from HostB and HostC, it checks whether the multicast group addresses in the messages are within the SSM group address range. If so, Switch generates (S, G) entries based on the SSM mappings, as shown in the following table.
Table 11-3-4 SSM mapping entries
Multicast Group Address in IGMPv1/IGMPv2 Report | Generated Multicast Forwarding Entry
232.1.1.1 (from HostC) | (10.10.1.1, 232.1.1.1)
232.1.2.2 (from HostB) | (10.10.2.2, 232.1.2.2)
When the multicast group address in a Report message is within the SSM group address range, but Switch has no SSM mapping entry matching the multicast group address, it does not provide the SSM service and drops the Report message.
If the multicast group address in a Report message is out of the SSM group address range, Switch provides only the ASM service.
11.3.4 Multicast VLAN
Principles
On a Layer 2 broadcast network, multicast data is broadcast to all hosts. The IGMP snooping function solves this problem. This function, however, takes effect based on a VLAN. If users in different VLANs require the same multicast data, the upstream router still has to send multiple copies of identical multicast data to different VLANs. As shown in Figure 11-3-5, users in VLAN 2 and VLAN 3 need to receive the same multicast data flows. RouterA replicates the multicast data in each VLAN and sends two copies of data to SwitchA. This wastes bandwidth between the router and Layer 2 device and increases the burden on the router. The multicast VLAN function can be configured on the Layer 2 device to implement inter-VLAN multicast replication. As shown in Figure 11-3-5, after the multicast VLAN function is configured on SwitchA, RouterA replicates multicast data in VLAN 4 and sends only one copy to SwitchA. RouterA no longer needs to send several identical multicast data flows downstream. This saves network bandwidth and reduces the burden on the router.
Figure 11-3-5 Multicast data flow processing before and after multicast VLAN is configured
Concepts
Multicast VLAN: VLAN to which a network-side interface belongs. A multicast VLAN is used to aggregate multicast data flows. One multicast VLAN can be bound to multiple user VLANs.
User VLAN: VLAN to which a user-side interface belongs. A user VLAN is used to receive multicast data flows from the multicast VLAN. A user VLAN can be bound only to one multicast VLAN.
Multicast VLAN Extensions
In most cases, the multicast VLAN replicates multicast data and sends identical data to different user VLANs to save bandwidth. Sometimes, a single user VLAN needs to receive multicast data from multiple multicast VLANs. To meet this requirement, the multicast VLAN function is extended as follows:
N-to-N multicast replication
N-to-N multicast replication supplements the traditional 1-to-N multicast replication. In 1-to-N multicast replication, multiple user VLANs can be bound to one multicast VLAN, but a user VLAN can be bound only to one multicast VLAN. As shown in Figure 11-3-6, the user VLAN (UVLAN) needs multicast data from multicast VLANs (MVLANs) MVLAN1 and MVLAN2. The N-to-N multicast replication meets this requirement. The implementation process is as follows:
1. Enable static multicast flow triggering in UVLAN.
2. Configure static multicast flows for Source1 and Source2 in the multicast VLANs.
3. Bind UVLAN to MVLAN1 and MVLAN2.
The implementation requires static multicast flow triggering and 1-to-N multicast replication.
Figure 11-3-6 N-to-N multicast replication
Port-based multicast VLAN
In some cases, multiple Internet service providers (ISPs) provide multicast services on a network, and users in a single user VLAN subscribe to multicast services of different ISPs. N-to-N multicast replication allows users that subscribe to multicast services of one ISP to receive multicast services from other ISPs. To isolate multicast services for users, assign a multicast VLAN to each ISP and bind the multicast VLAN to user VLANs on a specified port. The mapping between the multicast VLAN and a combination of the user port and user VLAN is generated. The user port then forwards multicast data only to the user VLANs bound to the multicast VLAN. As shown in Figure 11-3-7, ISP1 and ISP2 provide multicast services on the network. Host1 and Host2 obtain the multicast services from ISP1, and Host3 and Host4 obtain the multicast services from ISP2. To ensure that multicast data is sent only to hosts that require the data, configure MVLAN1 and MVLAN2 for ISP1 and ISP2 respectively. Bind the access ports of Host1 and Host2 to MVLAN1, and bind the access ports of Host3 and Host4 to MVLAN2. Multicast data provided by ISP1 is sent to Host1 and Host2, and that provided by ISP2 is sent to Host3 and Host4. Only IGMP snooping supports port-based multicast VLAN.
Figure 11-3-7 Port-based multicast VLAN
11.3.5 Layer 2 Multicast CAC
Principles
As the IPTV service develops, the number of channels increases rapidly. If the number of channels demanded by users keeps increasing, aggregation devices will be overloaded, which degrades user experience. If multicast-based network attacks exist, devices on the network may be busy processing attack packets and be unable to respond to valid requests on the network. When providing the IPTV service, ISPs should consider whether their network bandwidth can carry these channels when a large number of channels exist. If the network bandwidth is insufficient, the network must reject the requests to join new channels to ensure service quality for most users. Figure 11-3-8 shows how Layer 2 multicast call admission control (CAC) addresses this problem for the IPTV service. Layer 2 multicast CAC controls user access based on different rules. This technology accurately controls the multicast services to ensure service quality for most users and reduces the impact of multicast-based network attacks.
Figure 11-3-8 Networking diagram of multicast services
Concepts
CAC: provides a series of rules for controlling multicast entry learning, including restrictions on the number of group memberships and the number of multicast groups in a channel. Layer 2 multicast CAC controls multicast services on Layer 2 networks.
Channel: a series of multicast groups. For example, a channel can be regarded as a TV, and TV1 or TV2 indicates a multicast group.
Implementation
If IGMP snooping is configured to provide multicast services, Layer 2 multicast CAC can be used to control the multicast services. Multicast CAC controls the generation of multicast forwarding entries. When the number of existing multicast forwarding entries reaches the configured limit, no more forwarding entries will be generated. This ensures the processing capacity of devices and controls link bandwidth. Layer 2 multicast CAC restricts the following items:
Number of group memberships
This restriction applies to all multicast groups. As shown in Figure 11-3-9, Layer 2 multicast CAC controls the multicast services based on the system, VLAN, port, or a combination of port and VLAN. When the Layer 2 device receives IGMP Report messages from hosts, it generates corresponding entries. The number of group memberships increases by 1 every time a multicast group is created or a member joins a group. If the number of group memberships does not exceed the limit, the device can generate forwarding entries. If the number of group memberships exceeds the limit, no entry is generated. The number of group memberships decreases by 1 every time an entry is deleted because an IGMP Leave message is received or the entry ages out.
Figure 11-3-9 Restriction rules of Layer 2 multicast CAC
Number of multicast groups in a channel
Each channel has a multicast group range. Layer 2 multicast CAC controls the number of multicast groups in a channel. The restriction on the channel is also based on the system, VLAN, port, or a combination of port and VLAN. These restriction rules take effect only for the number of multicast groups in a channel.
11.3.6 Controllable Multicast
Principles
Traditional multicast services are uncontrollable. Users send IGMP/MLD Report messages to join a desired multicast group, and then they can receive multicast packets of the group. After the IPTV service emerges, the uncontrollable multicast services cannot meet carriers' requirements. The IPTV service aims to make profits. Users in multicast groups can watch a program (join a multicast group) only after they pay fees. Users that are not authenticated cannot obtain the IPTV service. Controllable multicast is developed to control the user rights to join a multicast group. When a user sends a request to join a multicast group, a Layer 2 device authenticates the request packet and rejects invalid and unauthorized requests. As shown in Figure 11-3-10, SwitchA configured with the controllable multicast function can control the generation of Layer 2 multicast forwarding entries by intercepting IGMP/MLD Report messages. When SwitchA receives an IGMP/MLD Report message from a user, it obtains the profile based on the VLAN ID of the message.
If the multicast group requested by the user is not in the multicast group list of the profile, the user cannot join the group. SwitchA then drops the IGMP/MLD Report message and does not generate the related forwarding entry. Therefore, the user cannot receive data flows of this multicast group.
If the multicast group is in the multicast group list of the profile, SwitchA checks the mode in which the list is added to the profile. If the list is added to the profile in watch mode, the IGMP/MLD Report message can pass. If the list is added to the profile in preview mode, SwitchA allows the IGMP/MLD Report message to pass and starts a preview timer. When the preview timer times out, SwitchA deletes the forwarding entry of this multicast group and intercepts subsequent IGMP/MLD Report messages of the multicast group. In this manner, the preview function is implemented.
Figure 11-3-10 Usage scenario of controllable multicast
Concepts
As shown in Figure 11-3-11, a Layer 2 device provides the VLAN-based controllable multicast function and controls the user rights to join a multicast group using the multicast group, multicast group list, and multicast profile.
Figure 11-3-11 Hierarchical control mechanism of controllable multicast
Multicast group: a group identified by a multicast address such as 224.1.1.1. A multicast group can be regarded as a channel or program of IPTV.
Multicast group list: a set of multicast groups. A multicast group list can contain multiple multicast groups. For example, in Figure 11-3-11, multicast group list L1 contains groups G1, G2, G3, and G4. A multicast group can be contained in multiple multicast group lists. For example, G3 is contained in L1 and L2.
Multicast profile: a set of multicast group lists, which define user rights to join desired multicast groups. A multicast profile can contain multiple multicast group lists. For example, in Figure 11-3-11, multicast profile P1 contains L1, L2, and LN. A multicast group list can be contained in multiple multicast profiles. For example, L2 is contained in P1 and P2. Multicast group lists in a profile have the attributes such as preview or watch. If a multicast group list is added to a multicast profile in watch mode, users bound to the multicast profile can watch all multicast groups in the list. If a multicast group list is added to a multicast profile in preview mode, users bound to the multicast profile can only preview all multicast groups in the list.
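An added example (written for this page, not Huawei's code) that puts the two admission checks of 11.3.5 and 11.3.6 in front of entry creation: the per-VLAN profile decides watch, preview or reject, and the Layer 2 CAC membership limits (system, VLAN, port, port plus VLAN) decide whether a new membership may be counted. It assumes a 60-second preview timer, that a watch list takes precedence when a group sits in both a watch and a preview list, and uses the group and list names of Figure 11-3-11 with constructed port names.

```python
from dataclasses import dataclass, field


@dataclass
class Profile:
    """Multicast profile: group lists, each added in watch or preview mode."""
    lists: dict      # list name -> set of multicast groups
    modes: dict      # list name -> "watch" or "preview"

    def mode_for(self, group):
        # A group may appear in several lists (G3 is in L1 and L2 in Figure 11-3-11);
        # assumption: a watch list wins over a preview list for the same group
        modes = {self.modes[name] for name, groups in self.lists.items() if group in groups}
        if "watch" in modes:
            return "watch"
        if "preview" in modes:
            return "preview"
        return None


@dataclass
class AdmissionControl:
    """Controllable multicast (per-VLAN profile) plus Layer 2 multicast CAC
    membership limits, applied to IGMP Reports before an entry is created."""
    vlan_profiles: dict                     # VLAN ID -> Profile bound to that VLAN
    limits: dict                            # scope tuple -> max group memberships
    preview_time: int = 60                  # assumed preview duration in seconds
    now: int = 0
    memberships: set = field(default_factory=set)        # (vlan, port, group)
    preview_expiry: dict = field(default_factory=dict)   # (vlan, port, group) -> time
    blocked: set = field(default_factory=set)            # previews already used up

    @staticmethod
    def _in_scope(scope, membership):
        vlan, port, _ = membership
        kind = scope[0]
        if kind == "system":
            return True
        if kind == "vlan":
            return vlan == scope[1]
        if kind == "port":
            return port == scope[1]
        return (port, vlan) == (scope[1], scope[2])       # ("port-vlan", port, vlan)

    def _cac_reject(self, vlan, port):
        """Return the first scope whose membership limit is already reached, if any."""
        for scope in (("system",), ("vlan", vlan), ("port", port), ("port-vlan", port, vlan)):
            limit = self.limits.get(scope)
            if limit is None:
                continue
            count = sum(1 for m in self.memberships if self._in_scope(scope, m))
            if count >= limit:
                return scope
        return None

    def report(self, vlan, port, group):
        """Admit or reject an IGMP Report; returns 'watch', 'preview' or 'rejected: ...'."""
        key = (vlan, port, group)
        profile = self.vlan_profiles.get(vlan)
        mode = profile.mode_for(group) if profile else None
        if mode is None:
            return "rejected: group not in profile"      # Report dropped, no entry generated
        if mode == "preview" and key in self.blocked:
            return "rejected: preview expired"           # later Reports are intercepted
        if key not in self.memberships:                  # only a new membership counts for CAC
            scope = self._cac_reject(vlan, port)
            if scope is not None:
                return f"rejected: CAC limit reached for {scope}"
            self.memberships.add(key)
            if mode == "preview":
                self.preview_expiry[key] = self.now + self.preview_time
        return mode

    def leave(self, vlan, port, group):
        key = (vlan, port, group)
        self.memberships.discard(key)       # membership count decreases by 1
        self.preview_expiry.pop(key, None)

    def tick(self, seconds):
        """Advance the clock; an expired preview loses its entry and is blocked."""
        self.now += seconds
        for key, expiry in list(self.preview_expiry.items()):
            if expiry <= self.now:
                self.memberships.discard(key)
                del self.preview_expiry[key]
                self.blocked.add(key)
```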
11.4 PIM
11.4.1 Concepts
This section describes PIM-related concepts based on the network shown in Figure 11-4-1.
Figure 11-4-1 PIM network
Multicast Distribution Tree
On a PIM network, a point-to-multipoint (P2MP) multicast forwarding path is established for each multicast group on separate routers. The multicast forwarding path looks like a tree, so it is also called a multicast distribution tree (MDT). Two types of MDTs are available:
Shortest path tree (SPT): uses the multicast source as the root and multicast group members as leaves. SPT applies to both PIM-DM and PIM-SM networks. In Figure 11-4-1, the MDT, RouterE→RouterD→RouterA/RouterB, is an SPT, which uses the source as the root and HostA and HostB as leaves.
Rendezvous point tree (RPT): uses a rendezvous point (RP) as the root and multicast group members as leaves. RPT applies only to PIM-SM networks. For details about RP and RPT, see PIM-SM (ASM Model).
PIM Router
Routers with PIM enabled on interfaces are called PIM routers. During the establishment of an MDT, PIM routers play the following roles:
Leaf router: connects to user hosts, which may not be multicast group members. For example, RouterA, RouterB, and RouterC in Figure 11-4-1 are leaf routers.
First-hop router: directly connects to the multicast source on the multicast forwarding path and is responsible for forwarding multicast data from the multicast source. For example, RouterE in Figure 11-4-1 is the first-hop router.
Last-hop router: directly connects to multicast group members (receivers) on the multicast forwarding path and is responsible for forwarding multicast data to these members. For example, RouterA and RouterB in Figure 11-4-1 are last-hop routers.
Intermediate router: resides between the first-hop router and the last-hop router on the multicast forwarding path. For example, RouterD in Figure 11-4-1 is an intermediate router.
PIM Routing Entry Two types of PIM routing entries are generated using PIM: (S, G) and (*, G); S indicates a specific multicast source, G indicates a specific multicast group, and * indicates any multicast source.
An (S, G) entry is often used to establish an SPT on PIM routers. (S, G) entries apply to PIM-DM and PIM-SM networks.
A (*, G) entry is often used to establish an RPT on PIM routers. (*, G) entries apply only to PIM-SM networks.
A PIM router may have both (S, G) and (*, G) entries. When a PIM router receives a multicast packet with the source address S and the group address G and the packet passes the RPF check, the router forwards the packet according to the following rules:
If the (S, G) entry exists, the router forwards the packet according to the (S, G) entry.
If the (S, G) entry does not exist but the (*, G) entry exists, the router creates an (S, G) entry based on this (*, G) entry, and then forwards the packet according to the (S, G) entry.
PIM routing entries contain the following information to guide multicast packet forwarding:
Multicast source address
Multicast group address
Upstream interface, which receives multicast data on the local router, such as GE3/0/0 in Figure 11-4-1
Downstream interface, which forwards multicast data, such as GE1/0/0 and GE2/0/0 in Figure 11-4-1
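The forwarding rules above (RPF check first, then (S, G) lookup, then derivation of an (S, G) entry from the (*, G) entry), worked through in code. This is an added example written for this material, not Huawei code and not the VRP implementation: it models the unicast routing table as a longest-prefix-match list, and the interface names GE1/0/0, GE2/0/0 and GE3/0/0 from Figure 11-4-1 together with the source 10.1.1.100 and group 225.1.1.1 are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class UnicastRoute:
    prefix: ipaddress.IPv4Network
    out_iface: str            # interface toward the next hop of this route


@dataclass
class PimEntry:
    upstream: Optional[str]   # interface that receives the multicast data
    downstream: Set[str] = field(default_factory=set)  # interfaces that forward it


class PimForwarder:
    """Minimal model of the (S, G) / (*, G) lookup described in the text."""

    def __init__(self, routes: List[UnicastRoute]) -> None:
        # Longest prefix first, so the first matching route is the most specific one.
        self.rib = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)
        self.sg: Dict[Tuple[str, str], PimEntry] = {}
        self.star_g: Dict[str, PimEntry] = {}

    def rpf_interface(self, source: str) -> Optional[str]:
        """RPF interface: the interface the unicast route toward the source points to."""
        addr = ipaddress.IPv4Address(source)
        for route in self.rib:
            if addr in route.prefix:
                return route.out_iface
        return None

    def add_star_g(self, group: str, downstream: Set[str], upstream: Optional[str]) -> None:
        """Install a (*, G) entry (in PIM-SM its upstream interface points toward the RP)."""
        self.star_g[group] = PimEntry(upstream=upstream, downstream=set(downstream))

    def forward(self, source: str, group: str, in_iface: str) -> List[str]:
        """Return the interfaces a packet (S=source, G=group) arriving on in_iface is sent out of.

        An empty list means the packet is dropped: either the RPF check failed or
        neither an (S, G) nor a (*, G) entry exists for it.
        """
        rpf_iface = self.rpf_interface(source)
        if rpf_iface is None or rpf_iface != in_iface:
            return []                       # RPF check failed
        entry = self.sg.get((source, group))
        if entry is None:
            parent = self.star_g.get(group)
            if parent is None:
                return []                   # no matching entry at all
            # Second rule in the text: derive the (S, G) entry from the (*, G) entry.
            # Its upstream interface is the RPF interface toward S, which may differ
            # from the (*, G) upstream interface toward the RP.
            entry = PimEntry(upstream=rpf_iface, downstream=set(parent.downstream))
            entry.downstream.discard(rpf_iface)   # never send back toward the source
            self.sg[(source, group)] = entry
        return sorted(entry.downstream)


if __name__ == "__main__":
    # Constructed sample: source 10.1.1.0/24 reachable via GE3/0/0, everything else via GE0/0/0.
    fwd = PimForwarder([
        UnicastRoute(ipaddress.IPv4Network("10.1.1.0/24"), "GE3/0/0"),
        UnicastRoute(ipaddress.IPv4Network("0.0.0.0/0"), "GE0/0/0"),
    ])
    fwd.add_star_g("225.1.1.1", {"GE1/0/0", "GE2/0/0"}, upstream="GE0/0/0")
    print(fwd.forward("10.1.1.100", "225.1.1.1", "GE3/0/0"))   # forwarded, (S, G) created
    print(fwd.forward("10.1.1.100", "225.1.1.1", "GE1/0/0"))   # RPF failure, dropped
```

The RPF check is what stops a looped or spoofed copy of the stream from being re-forwarded: a packet for 10.1.1.100 that arrives on GE1/0/0 is dropped even though an entry for the group exists, because the unicast route to the source points at GE3/0/0.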
11.4.2 PIM-DM Principles
PIM-DM forwards multicast packets in push mode and is for use on small-scale networks with densely distributed multicast group members. PIM-DM assumes that each network segment has multicast group members. When a multicast source sends multicast packets, PIM-DM floods all PIM routers on the network with the multicast packets and prunes the branches that do not have multicast group members. Through periodic flooding and pruning, PIM-DM creates and maintains a unidirectional loop-free SPT that connects the multicast source and group members. If a new member joins a multicast group on the network segment connected to a leaf router in a pruned branch, the router can initiate the grafting mechanism before the next round of flooding and pruning, so that the pruned branch turns into a forwarding branch. PIM-DM uses the following mechanisms: neighbor discovery, flooding, pruning, grafting, assert, and state refresh. The flooding, pruning, and grafting mechanisms are used to establish an SPT. For details about all six mechanisms, see the sections below.
Neighbor Discovery PIM routers send Hello messages through PIM-enabled interfaces. For example, in a Hello message:
The destination address is 224.0.0.13 and all PIM routers on the same network segment will receive this Hello message.
The source address is the IP address of the interface that sends the Hello message.
The time to live (TTL) value is 1.
Hello messages are used to discover PIM neighbors, adjust various PIM protocol parameters, and maintain neighbor relationships.
Discovering PIM neighbors PIM routers on the same network segment must receive multicast packets with the destination address 224.0.0.13. By exchanging Hello messages, directly connected PIM routers learn neighbor information and establish neighbor relationships. A PIM router can receive other PIM messages to create multicast routing entries only after it establishes neighbor relationships with other PIM routers.
Adjusting PIM protocol parameters A Hello message carries the following PIM protocol parameters:
DR_Priority: indicates the priority used by router interfaces to elect the designated router (DR). The interface with the highest priority becomes the DR.
Holdtime: indicates the period during which a neighbor remains reachable. If a router receives no Hello message from a neighbor within this period, the router considers that the neighbor is unreachable.
LAN_Delay: indicates the prune delay on a shared network segment, that is, how long an upstream router waits after receiving a Prune message before acting on it, so that other downstream routers on the segment have time to override the Prune.
Neighbor-Tracking: indicates the neighbor tracking function. For details about this function, see the configuration guide.
Override-Interval: indicates the maximum additional time a downstream router on the shared network segment has to send a Join message that overrides a Prune message it has seen.
NOTE: The DR_Priority parameter is only used in DR election on PIM-SM networks. For details about DR election, see DR Election.
Maintaining neighbor relationships PIM routers periodically send Hello messages to each other. If a PIM router does not receive a new Hello message from its PIM neighbor within the Holdtime, the router considers the neighbor unreachable and deletes the neighbor from the neighbor list. Changes of PIM neighbors lead to multicast topology changes on the network. If an upstream or downstream neighbor in the MDT is unreachable, multicast routes re-converge and the MDT is re-established.
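The Hello message and its parameters, built and parsed in code. This is an added example for this material, not Huawei code and not the VRP implementation. It assumes the PIM version 2 wire format from RFC 4601 (4-byte header with a 16-bit ones'-complement checksum, followed by type/length/value options: Holdtime is option 1, LAN Prune Delay is option 2 with the T bit in front of the 15-bit LAN_Delay and a 16-bit Override_Interval, DR Priority is option 19, Generation ID is option 20); the text above does not state this encoding. Nothing here puts a packet on the wire; it only produces and validates the bytes. One caveat worth keeping in mind: the Hello carries no authentication field, so whatever DR_Priority and Holdtime a neighbor advertises are taken at face value by the election rules described later.

```python
import secrets
import struct
from dataclasses import dataclass, field
from typing import Optional

PIM_VERSION = 2
PIM_TYPE_HELLO = 0
PIM_ALL_ROUTERS = "224.0.0.13"      # destination of every Hello, TTL 1

OPT_HOLDTIME = 1
OPT_LAN_PRUNE_DELAY = 2
OPT_DR_PRIORITY = 19
OPT_GENERATION_ID = 20


def inet_checksum(data: bytes) -> int:
    """Standard Internet checksum (ones' complement of the ones'-complement sum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Hello:
    holdtime: int = 105                 # seconds; 3.5 times the 30 s Hello interval
    dr_priority: Optional[int] = 1      # None: the DR Priority option is omitted
    lan_delay: int = 500                # milliseconds
    override_interval: int = 2500       # milliseconds
    neighbor_tracking: bool = False     # T bit of the LAN Prune Delay option
    generation_id: int = field(default_factory=lambda: secrets.randbits(32))


def build_hello(h: Hello) -> bytes:
    """Serialize a Hello with a correct checksum."""
    opts = struct.pack("!HHH", OPT_HOLDTIME, 2, h.holdtime)
    lpd = ((1 if h.neighbor_tracking else 0) << 15) | (h.lan_delay & 0x7FFF)
    opts += struct.pack("!HHHH", OPT_LAN_PRUNE_DELAY, 4, lpd, h.override_interval)
    if h.dr_priority is not None:   # a router that omits this forces IP-based DR election
        opts += struct.pack("!HHI", OPT_DR_PRIORITY, 4, h.dr_priority)
    opts += struct.pack("!HHI", OPT_GENERATION_ID, 4, h.generation_id)
    ver_type = (PIM_VERSION << 4) | PIM_TYPE_HELLO
    checksum = inet_checksum(struct.pack("!BBH", ver_type, 0, 0) + opts)
    return struct.pack("!BBH", ver_type, 0, checksum) + opts


def parse_hello(pkt: bytes) -> Hello:
    """Parse and validate a Hello; raise ValueError on anything malformed."""
    if len(pkt) < 4:
        raise ValueError("PIM message shorter than its 4-byte header")
    ver_type, _reserved, _checksum = struct.unpack("!BBH", pkt[:4])
    if ver_type >> 4 != PIM_VERSION:
        raise ValueError(f"unsupported PIM version {ver_type >> 4}")
    if ver_type & 0x0F != PIM_TYPE_HELLO:
        raise ValueError(f"not a Hello (type {ver_type & 0x0F})")
    if inet_checksum(pkt) != 0:     # a valid checksum folds the whole message to zero
        raise ValueError("PIM checksum mismatch")
    h = Hello(dr_priority=None, generation_id=0)   # options present overwrite these
    off = 4
    while off < len(pkt):
        if off + 4 > len(pkt):
            raise ValueError("truncated option header")
        otype, olen = struct.unpack("!HH", pkt[off:off + 4])
        val = pkt[off + 4:off + 4 + olen]
        if len(val) != olen:
            raise ValueError("option value runs past the end of the message")
        if otype == OPT_HOLDTIME and olen == 2:
            h.holdtime = struct.unpack("!H", val)[0]
        elif otype == OPT_LAN_PRUNE_DELAY and olen == 4:
            lpd, h.override_interval = struct.unpack("!HH", val)
            h.neighbor_tracking = bool(lpd >> 15)
            h.lan_delay = lpd & 0x7FFF
        elif otype == OPT_DR_PRIORITY and olen == 4:
            h.dr_priority = struct.unpack("!I", val)[0]
        elif otype == OPT_GENERATION_ID and olen == 4:
            h.generation_id = struct.unpack("!I", val)[0]
        # Unknown option types are skipped, which is what the RFC requires.
        off += 4 + olen
    return h


if __name__ == "__main__":
    pkt = build_hello(Hello(dr_priority=200))   # constructed sample
    print(pkt.hex())
    print(parse_hello(pkt))
```

A Hello whose DR Priority option is absent parses with dr_priority set to None, which is the condition under which the DR election falls back to comparing IP addresses.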
Flooding
On a PIM-DM network, multicast packets from a multicast source are flooded throughout the entire network. When a PIM router receives a multicast packet, the router performs the RPF check on the packet based on the unicast routing table. If the packet passes the RPF check, the router creates an (S, G) entry, in which the downstream interface list contains all the interfaces connected to PIM neighbors other than the interface on which the packet arrived (the upstream interface). The router then forwards subsequent multicast packets through each downstream interface. When the multicast packets reach a leaf router, the leaf router processes the packets as follows:
If the network segment connected to the leaf router has group members, the leaf router adds its interface that is connected to the network segment to the downstream interface list of the (S, G) entry, and forwards subsequent multicast packets to the group members.
If the network segment connected to the leaf router has no group member and the leaf router does not need to forward multicast packets to downstream PIM neighbors, the leaf router initiates the pruning mechanism and stops forwarding.
NOTE: Multicast packets are sometimes flooded to a shared network segment with multiple PIM routers. If the packets pass the RPF check on these PIM routers, multiple copies of the multicast packets are forwarded to this network segment. These PIM routers will need to initiate the assert mechanism.
As shown in Figure 11-4-2, RouterA, RouterB, and RouterC on the PIM-DM network establish PIM neighbor relationships by exchanging Hello messages. HostA joins multicast group G using Internet Group Management Protocol (IGMP), which runs between RouterA and HostA, but HostB does not join any multicast group.
Figure 11-4-2 Flooding diagram
The flooding process is as follows:
1. Multicast source S sends a multicast packet to multicast group G.
2. RouterC receives the multicast packet and performs the RPF check based on the unicast routing table. If the packet passes the RPF check, RouterC creates an (S, G) entry, in which the downstream interface list contains the interfaces connected to RouterA and RouterB. RouterC then forwards subsequent packets to RouterA and RouterB.
3. RouterA receives the multicast packet from RouterC. If the packet passes the RPF check, RouterA creates an (S, G) entry, in which the downstream interface list contains the interface connected to HostA. RouterA then forwards subsequent packets to HostA.
4. RouterB receives the multicast packet from RouterC. Because the downstream network segment has neither group members nor PIM neighbors, RouterB sends a Prune message to RouterC.
Pruning
When a PIM router receives a multicast packet, it performs the RPF check on the packet. If the packet passes the RPF check but the downstream network segment does not need to receive the multicast packet, the PIM router sends a Prune message to its upstream router. After receiving the Prune message, the upstream router deletes the downstream interface from the downstream interface list of the (S, G) entry, so that the interface no longer forwards multicast packets. A leaf router initiates the pruning mechanism, and the Prune message is sent upstream hop by hop along the MDT to prune the network segments that have no group members. A PIM router starts a prune timer for each pruned downstream interface. The interface resumes forwarding multicast packets after the timer expires. Multicast packets are then flooded throughout the entire network again, so that new group members can receive them. A leaf router whose network segment still has no group members initiates the pruning mechanism again when it receives the flooded packets. PIM-DM updates the SPT through this periodic flooding and pruning. After the upstream router's downstream interface toward a leaf router is pruned, one of two mechanisms applies:
Grafting: When new members join a multicast group on the network segment connected to the leaf router and want to receive multicast packets before the prune timer expires, the leaf router initiates the grafting mechanism.
State Refresh: When no member joins a multicast group on the network segment connected to the leaf router and the pruned interface is expected to remain suppressed, the state refresh mechanism, initiated by the first-hop router, refreshes the prune state before the prune timer expires.
As shown in Figure 11-4-3, no group member connects to RouterB, so RouterB sends a Prune message to the upstream router.
Figure 11-4-3 Pruning diagram
The pruning process is as follows:
1. RouterB sends a Prune message to RouterC, instructing RouterC not to forward data to the network segment (HostB) to which RouterB connects.
2. After receiving the Prune message, RouterC stops forwarding data through its downstream interface connecting to RouterB, and deletes this downstream interface from the (S, G) entry. The pruning process for this network segment ends. RouterC sends subsequent multicast packets only to RouterA, which then forwards the packets to connected group members (such as HostA).
Grafting
PIM-DM uses the grafting mechanism to enable new group members on a pruned network segment to rapidly obtain multicast data. IGMP lets a leaf router learn whether new group members have joined a multicast group on the connected network segment. If a leaf router learns that new group members have joined multicast group G, the leaf router sends a Graft message to the upstream router. The message requests the upstream router to resume multicast packet forwarding on the downstream interface and to add the downstream interface to the downstream interface list of the (S, G) entry. The grafting mechanism is initiated by a leaf router and ends when the upstream router resumes forwarding multicast packets to the leaf router. As shown in Figure 11-4-4, RouterC does not send multicast packets to RouterB after the pruning process ends. When HostB joins multicast group G, RouterB initiates the grafting mechanism.
Figure 11-4-4 Grafting diagram
The grafting process is as follows:
1. RouterB sends a Graft message to RouterC. The message requests RouterC to resume multicast packet forwarding on the downstream interface connecting to RouterB.
2. After receiving the Graft message, RouterC resumes multicast packet forwarding on the interface and adds the interface to the downstream interface list of the (S, G) entry. The grafting process for RouterB ends. RouterC sends subsequent multicast packets to RouterB, which then forwards the packets to HostB.
State Refresh
To prevent a pruned interface from resuming multicast packet forwarding after the prune timer expires, the first-hop router, which is nearest to the multicast source, periodically sends a State-Refresh message throughout the entire PIM-DM network. PIM routers receiving the State-Refresh message refresh the prune timers of their pruned interfaces. If no group member joins a multicast group on the network segment connected to a leaf router in a pruned branch, the pruned downstream interface on the upstream router remains suppressed. In Figure 11-4-5, RouterC's interface connected to RouterB is pruned, and no group member joins a multicast group on the network segment connected to RouterB.
Figure 11-4-5 State refresh diagram
The state refresh process is as follows:
1. RouterC initiates the state refresh mechanism and sends a State-Refresh message to RouterA and RouterB.
2. RouterC has a pruned interface and refreshes the prune timer state of this interface. When RouterC starts new flooding and pruning, the pruned interface on RouterC is still prohibited from forwarding multicast packets because no group member connects to RouterB.
Assert
When multicast packets pass the RPF check on multiple PIM routers connected to the same network segment, the assert mechanism ensures that only one of them forwards the multicast packets onto that segment. When a PIM router receives, on a downstream interface of an (S, G) entry, a multicast packet for the same (S, G) that it itself forwards onto that segment, it knows that another router is forwarding there too, and it multicasts an Assert message (destination address 224.0.0.13) to the other PIM routers on the segment. The Assert message carries the sender's unicast route priority and route cost to the multicast source. Each router that receives the Assert message compares its own parameters with those carried in the message. The election rules are as follows:
1. The router whose unicast route to the multicast source has the highest priority (the lowest preference value) wins.
2. If the routes have the same priority, the router with the smallest route cost to the multicast source wins.
3. If the routes have the same priority and the same cost, the router with the highest IP address on the downstream interface wins.
A PIM router performs the following operations based on assert election results:
If a router wins the assert election, its downstream interface becomes the assert winner and is responsible for forwarding multicast packets to the shared network segment.
If a router fails the assert election, its downstream interface becomes the assert loser, is prohibited from forwarding multicast packets to the shared network segment, and is deleted from the downstream interface list of the (S, G) entry.
After the assert election is complete, only one downstream interface forwards onto the shared network segment, so the segment receives only one copy of each multicast packet. Assert losers periodically resume multicast packet forwarding when their assert timers expire, which causes periodic assert elections. As shown in Figure 11-4-6, RouterB and RouterC receive multicast packets from the multicast source through RouterA. The packets pass the RPF check on both RouterB and RouterC, so both routers create (S, G) entries and forward the packets through their downstream interfaces onto the same shared network segment.
Figure 11-4-6 Assert diagram
The assert process is as follows:
1. RouterB and RouterC each receive the multicast packet sent by the other through a downstream interface, but this packet fails the RPF check and is discarded. Then, RouterB and RouterC each send an Assert message to the network segment.
2. RouterB compares its routing information with that carried in the Assert message sent by RouterC, and it wins the assert election because its route cost to the multicast source is lower than that of RouterC. RouterB then continues to forward subsequent multicast packets to the network segment, whereas RouterC discards subsequent multicast packets because these packets fail the RPF check.
3. RouterC compares its routing information with that carried in the Assert message sent by RouterB, and it loses the assert election because its route cost to the multicast source is higher than that of RouterB. RouterC then prohibits its downstream interface from forwarding multicast packets to the network segment and deletes the interface from the downstream interface list of the (S, G) entry.
11.4.3 PIM-SM (ASM Model) Implementation
PIM-Sparse Mode (PIM-SM) forwards multicast packets in pull mode and is for use on large-scale networks with sparsely distributed group members. In Any-Source Multicast (ASM) implementation, devices on the PIM-SM network work as follows:
A Rendezvous Point (RP), an important PIM router, is available to provide services for group members or multicast sources that appear anytime. All PIM routers on the network know the position of the RP.
When a new group member appears on the network (that is, a user host joins a multicast group G through IGMP), the last-hop router sends a Join message to the RP. A (*, G) entry is created hop by hop, and an RPT with the RP as the root is generated.
When an active multicast source appears on the network (that is, the multicast source sends the first multicast packet to a multicast group G), the first-hop router encapsulates the multicast data in a Register message and unicasts the Register message to the RP. The RP then creates an (S, G) entry and registers multicast source information.
PIM-SM uses the following mechanisms in the ASM model: neighbor discovery, DR election, RP discovery, RPT setup, multicast source registration, SPT switchover, pruning, and assert. You can also configure Bootstrap router (BSR) administrative domains to implement fine-grained management within a single PIM-SM domain. For details about all of these mechanisms, see the sections below.
Neighbor Discovery Neighbor discovery in PIM-SM is similar to that in PIM-DM. For details, see Neighbor Discovery.
DR Election
The network segment where a multicast source or group member resides is usually connected to multiple PIM routers. These PIM routers exchange Hello messages to set up PIM neighbor relationships. The Hello messages carry the DR priority and the interface address on the network segment. Each PIM router compares its own information with the information carried in the messages sent by its neighbors, and one router on the segment is elected as the DR (the source DR or the receiver DR, depending on whether a multicast source or group members are attached to the segment). The election rules are as follows:
If all PIM routers on the network segment allow Hello messages to carry DR priorities, the PIM router with the highest DR priority is elected as the DR.
If PIM routers have the same DR priority or at least one PIM router does not allow Hello messages to carry the DR priority, the PIM router with the largest IP address is elected as the DR.
If an existing DR becomes faulty, PIM neighbor relationships time out, and a new DR election is triggered among PIM neighbors. As shown in Figure 11-4-7, there are two types of DRs in the ASM model:
Source DR: DR connected to the multicast source. On the shared network segment connected to the multicast source, the source DR is responsible for sending Register messages to the RP.
Receiver DR: DR connected to group members. On the shared network segment connected to group members, the receiver DR is responsible for sending Join messages to the RP.
Figure 11-4-7 DR election
RP Discovery
An RP is responsible for processing Register messages from the multicast source and Join messages from group members. All PIM routers on the network know the position of the RP. An RP can serve multiple multicast groups simultaneously, but each multicast group can be associated with only one RP. An RP can be configured either statically or dynamically:
Static RP: All the PIM routers on the network are manually configured with the same RP address.
Dynamic RP: Several PIM routers in the PIM domain are configured as Candidate-RPs (C-RPs) and an RP is elected from the candidates. One or more PIM routers are configured as Candidate-BSRs (C-BSRs). The C-BSRs automatically elect a BSR, and this BSR is responsible for collecting and advertising C-RP information. During a BSR election, each C-BSR considers itself the BSR and sends the entire network a BootStrap message that carries its address and priority. Each PIM router compares the Bootstrap messages it receives from the C-BSRs. The BSR is elected based on the result of the comparison:
If the C-BSRs have different priorities, the C-BSR with the highest priority (largest priority value) is elected as the BSR.
If the C-BSRs have the same priority, the C-BSR with the largest IP address is elected as the BSR.
Figure 11-4-8 shows the C-RP election process:
1. C-RPs send Advertisement messages to the BSR. An Advertisement message carries the address of the C-RP, the range of the multicast groups that it serves, and its priority.
2. The BSR collects the information in an RP-Set, encapsulates the RP-Set in a Bootstrap message, and advertises the message to each PIM-SM router on the network.
3. The routers elect an RP for a specific multicast group from the C-RPs whose served group ranges cover that group, based on the RP-Set and the following election rules:
If the C-RPs serve group address ranges with masks of different lengths, the C-RP whose group range has the longest mask (the most specific match for the group) is elected as the RP.
If the masks have the same length, the C-RP with the highest priority is elected. Note that, unlike C-BSR priorities, a smaller C-RP priority value indicates a higher priority.
If the C-RPs have the same priority, a hash algorithm is used, and the C-RP with the largest hash value is elected.
If all the preceding values are the same, the C-RP with the largest IP address is elected as the RP.
4. PIM routers save the relationship between this multicast group and its RP for subsequent multicast operations. These relationships are the same on all PIM routers because they use the same RP-Set and the same election rules.
Figure 11-4-8 Dynamic RP election
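The three elections described in this chapter (the PIM-DM assert election, the DR election, and the C-RP election from an RP-Set), implemented as comparison functions so the tie-break order can be checked against concrete inputs. This is an added example for this material, not Huawei code and not the VRP implementation. It assumes that a smaller unicast route preference value means a higher-priority route, that a smaller C-RP priority value means a higher priority, that the hash used for the C-RP tie-break is the one from RFC 4601 section 4.7.2 with a default hash mask length of 30, and that addresses are IPv4; all addresses, priorities and costs in the sample data are constructed.

```python
import ipaddress
from typing import Iterable, Optional, Tuple


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def elect_dr(neighbors: Iterable[Tuple[str, Optional[int]]]) -> str:
    """DR election on one shared network segment.

    neighbors: (interface address, DR_Priority), with None when that router's Hello
    carried no DR Priority option.  Priority decides only if every router advertised
    one; otherwise the largest IP address wins, as the two rules above state.
    """
    nbrs = list(neighbors)
    if all(prio is not None for _, prio in nbrs):
        return max(nbrs, key=lambda n: (n[1], ip_int(n[0])))[0]
    return max(nbrs, key=lambda n: ip_int(n[0]))[0]


def elect_assert_winner(candidates: Iterable[Tuple[str, int, int]]) -> str:
    """Assert election among routers forwarding the same (S, G) onto one segment.

    candidates: (downstream interface address, unicast route preference, route cost to S).
    A smaller preference value is a higher-priority route, so the comparison is
    (preference, cost) ascending and then interface address descending.
    """
    return min(candidates, key=lambda c: (c[1], c[2], -ip_int(c[0])))[0]


def rp_hash(group: str, crp: str, hash_mask_len: int = 30) -> int:
    """RFC 4601 section 4.7.2 hash, used when C-RPs tie on mask length and priority."""
    mask = (0xFFFFFFFF << (32 - hash_mask_len)) & 0xFFFFFFFF
    g = ip_int(group) & mask
    return (1103515245 * ((1103515245 * g + 12345) ^ ip_int(crp)) + 12345) % (1 << 31)


def elect_rp(group: str, rp_set: Iterable[Tuple[str, str, int]],
             hash_mask_len: int = 30) -> Optional[str]:
    """Pick the RP for `group` from an RP-Set of (C-RP address, served group range, priority)."""
    g = ipaddress.IPv4Address(group)
    matching = [(addr, ipaddress.ip_network(rng), prio)
                for addr, rng, prio in rp_set if g in ipaddress.ip_network(rng)]
    if not matching:
        return None
    longest = max(m[1].prefixlen for m in matching)       # rule 1: longest group mask
    matching = [m for m in matching if m[1].prefixlen == longest]
    best = min(m[2] for m in matching)                     # rule 2: smaller value = higher priority
    matching = [m for m in matching if m[2] == best]
    # rule 3: largest hash value; rule 4: largest C-RP address
    return max(matching, key=lambda m: (rp_hash(group, m[0], hash_mask_len), ip_int(m[0])))[0]


if __name__ == "__main__":
    # Constructed sample data for the three elections.
    print(elect_dr([("10.0.0.1", 1), ("10.0.0.2", 10)]))                 # priority decides
    print(elect_dr([("10.0.0.1", None), ("10.0.0.2", 10), ("10.0.0.9", 1)]))  # falls back to IP
    print(elect_assert_winner([("10.0.0.9", 15, 1), ("10.0.0.3", 10, 100)]))  # preference beats cost
    rp_set = [("1.1.1.1", "224.0.0.0/4", 0), ("2.2.2.2", "225.1.0.0/16", 100)]
    print(elect_rp("225.1.1.1", rp_set))                                  # longest mask wins
```

The DR fallback is the detail most worth noticing: a single router on the segment that omits the DR Priority option (or is a host sending its own Hello) pulls every router back to comparing IP addresses, whatever priorities the others configured.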
RPT Setup
Figure 11-4-9 RPT setup
A PIM-SM RPT is a multicast distribution tree (MDT) that uses an RP as the root and group member routers as leaves. As shown in Figure 11-4-9, when a group member appears on the network (that is, a user host joins a multicast group G through IGMP), the receiver DR sends a Join message toward the RP. A (*, G) entry is created hop by hop, and an RPT with the RP as the root is generated.
Multicast Source Registration
Figure 11-4-10 Multicast source registration
As shown in Figure 11-4-10, a new multicast source on the PIM-SM network must register with the RP so that the RP can forward multicast data to group members. The registration and forwarding process is as follows:
1. The multicast source sends a multicast packet to the source DR.
2. After receiving the multicast packet, the source DR encapsulates the multicast packet in a Register message and unicasts the Register message to the RP.
3. After receiving the Register message, the RP decapsulates it, creates an (S, G) entry, and sends the multicast data to group members along the RPT.
SPT Switchover
A multicast group on a PIM-SM network can be associated with only one RP and sets up only one RPT. Before any switchover, all multicast packets destined for a multicast group are encapsulated in Register messages and sent to the RP. The RP then decapsulates the packets and forwards them along the RPT to multicast group members, so every multicast packet passes through the RP. If the volume of multicast traffic increases dramatically, the RP becomes heavily burdened, and the Register encapsulation adds overhead on both the source DR and the RP. To resolve this problem, PIM-SM allows the RP or the receiver DR to trigger an SPT switchover.
SPT switchover triggered by the RP
After receiving a Register message from the source DR, the RP decapsulates the Register message and forwards the multicast packets along the RPT to group members. The RP also sends a Join message hop by hop toward the source DR to set up an SPT from the source to the RP. After the SPT is set up, the multicast packets reach the RP directly along the SPT, and the RP sends a Register-Stop message to the source DR so that the source DR stops encapsulating packets in Register messages. After the switchover, the source DR and the RP no longer need to encapsulate or decapsulate packets.
SPT switchover triggered by the receiver DR
Figure 11-4-11 SPT switchover triggered by the receiver DR
As shown in Figure 11-4-11, the receiver DR periodically checks the forwarding rate of multicast packets. When the receiver DR finds that the forwarding rate is higher than a configured threshold, it triggers an SPT switchover:
1. The receiver DR sends a Join message hop by hop toward the source DR. An (S, G) entry is created on each hop, and an SPT from the source DR to the receiver DR is set up.
2. After the SPT is set up, the receiver DR sends a Prune message hop by hop along the RPT toward the RP. Each router on this path, up to and including the RP, deletes the downstream interface toward the receiver DR from its (S, G) entry. After the prune is complete, the RP no longer forwards this source's multicast packets along the RPT to the receiver DR.
3. Because the SPT does not pass through the RP, the RP, once it has no other receivers for the source, sends a Prune message hop by hop along the SPT toward the source DR. The source DR deletes the downstream interface toward the RP from its (S, G) entry. After the prune is complete, the source DR no longer forwards multicast packets along the SPT to the RP.
NOTE: By default, no threshold for the multicast packet forwarding rate is configured on the device. Therefore, an SPT switchover is triggered upon the receiving of the first multicast packet from the multicast source, instead of threshold crossing.
Assert The Assert mechanism in PIM-SM is similar to that in PIM-DM. For details, see "PIM-DM Assert".
BSR Administrative Domain To provide fine-grained network management, a PIM-SM network has both a global domain and multiple BSR administrative domains. This reduces the workload on individual BSRs and allows provisioning of special services to users in a specific domain by using private group addresses. Each BSR administrative domain maintains only one BSR that serves multicast groups within a specific group address range. The global domain maintains a BSR that serves multicast groups not served by an administrative domain. This section describes the relationship between BSR administrative domains and the global domain in terms of domain space, group address ranges, and multicast functions.
Domain space
Figure 11-4-12 Relationship between BSR administrative domains and the global domain in terms of domain space
As shown in Figure 11-4-12, BSR administrative domains contain different PIM routers. A PIM router belongs to only one BSR administrative domain. BSR administrative domains are independent of and isolated from each other. Each BSR administrative domain manages the multicast groups within a specific group address range. Multicast packets within this range can be transmitted only within this administrative domain and cannot cross its border. The global domain contains all PIM routers on the PIM-SM network. A multicast packet that does not belong to any BSR administrative domain can be transmitted throughout the entire PIM network.
Group address range
Figure 11-4-13 Relationship between BSR administrative domains and the global domain in terms of group address ranges
Each BSR administrative domain provides services for multicast groups within a specific group address range. The group address ranges served by different BSR administrative domains can overlap. As shown in Figure 11-4-13, the group address range of BSR1 overlaps that of BSR3. The address of a multicast group that a BSR administrative domain serves is used as a private group address and is valid only in its BSR administrative domain. The global domain serves all multicast groups that do not belong to any BSR administrative domain. As shown in Figure 11-4-13, the group address range of the global domain is G − G1 − G2, that is, the group addresses in G that fall in neither G1 nor G2.
Multicast function As shown in Figure 11-4-13, the global domain and each BSR administrative domain have their respective C-RP and BSR devices. These devices function only in the domain where they reside. Each domain holds independent BSR and RP elections. Each BSR administrative domain has a border. Multicast messages from this domain, such as C-RP Advertisement messages or BSR BootStrap messages, can be transmitted only within the domain where they originate. Multicast messages from the global domain can be transmitted throughout the entire global domain and traverse any BSR administrative domain.
11.4.4 PIM-SM (SSM Model) Implementation
The SSM model uses IGMPv3/MLDv2 and PIM-SM technology. There is no need to maintain an RP, set up an RPT, or register a multicast source. An SPT can be built directly between the source and group members. In the SSM model, user hosts know the positions of multicast sources in advance of requesting multicast services. When user hosts join multicast groups, they can specify the sources from which they want to receive data. After receiving requests from user hosts, the receiver DR directly sends Join messages toward the source DR. The Join message is then transmitted upstream hop by hop to set up an SPT between the source and group members. In the SSM model, PIM-SM uses the following mechanisms: neighbor discovery, DR election, and SPT setup. For details about all three mechanisms, see the sections below.
Neighbor Discovery Neighbor discovery in PIM-SM is similar to that in PIM-DM. For details, see "PIM DM Neighbor Discovery".
DR Election DR election in PIM-SM (SSM model) is the same as that in PIM-SM (ASM model). For details, see "PIM-SM DR Election".
SPT Setup
1. Using IGMPv3/MLDv2, RouterD and RouterE learn that the packets from the user hosts carry the same multicast group address but request multicast data from different source addresses. They send Join messages toward the sources hop by hop.
2. PIM routers create (S1, G) and (S2, G) entries based on the Join messages and set up SPTs from S1 to HostA and from S2 to HostB.
3. After the SPTs are set up, the sources forward multicast packets along the SPTs to the group members.
Comparisons of PIM Protocols
PIM has three implementations: PIM-DM, PIM-SM (ASM model), and PIM-SM (SSM model). Table 11-4-1 compares these PIM implementations.
Table 11-4-1 Comparisons between PIM implementations
Protocol: PIM-DM
Full name: Protocol Independent Multicast-Dense Mode
Model: ASM model
Usage scenario: Small-scale LANs where multicast group members are distributed densely
Implementation: Using the flood-prune mechanism, PIM-DM creates and maintains a unidirectional and loop-free SPT connecting a multicast source and group members.
Protocol: PIM-SM
Full name: Protocol Independent Multicast-Sparse Mode
Model: ASM model
Usage scenario: Large-scale networks where multicast group members are distributed sparsely
Implementation: An MDT is set up when receivers join a multicast group. PIM-SM needs to maintain an RP, set up an RPT, and register a multicast source.
Protocol: PIM-SM
Full name: Protocol Independent Multicast-Sparse Mode
Model: SSM model
Usage scenario: Scenarios where user hosts know the exact positions of multicast sources in advance and can specify the sources from which they want to receive data before they join multicast groups
Implementation: PIM-SSM does not need to maintain an RP, set up an RPT, or register a multicast source.
11.4.5 PIM BFD
A network device must detect a communications fault between adjacent devices quickly so that the upper layer protocol can rectify the fault and prevent a service interruption. Bidirectional Forwarding Detection (BFD) provides uniform, millisecond-level detection for all media and protocol layers. Two systems set up a BFD session and periodically send BFD control packets along the path between them. If one system does not receive BFD control packets within a specified period, the system considers that a fault has occurred on the path.
Implementation
If the current DR or Assert winner on the shared network segment is faulty in a multicast scenario, other PIM neighbors start a new DR election or Assert election after the neighbor relationship or the Assert timer times out. Consequently, multicast data transmission is interrupted. The interruption period, usually in seconds, is at least as long as the timeout interval of the neighbor relationship or the Assert timer. Because PIM BFD detects the link status on a shared network segment within milliseconds, it responds quickly to PIM neighbor faults. If an interface enabled with PIM BFD does not receive BFD control packets from the DR or Assert winner within the detection interval, it considers that the DR or Assert winner is faulty. BFD fast notifies the RM of the session status and the RM then notifies the PIM module. The PIM module triggers a new DR election or Assert election without waiting for the neighbor relationship or the Assert timer to expire. PIM BFD reduces the time services are interrupted and makes data transmission more reliable.
NOTE: PIM BFD can be used only on a PIM-SM network.
Figure 11-4-15 PIM BFD
Figure 11-4-15 shows a shared network segment connected to user hosts. Downstream Interface1 on RouterB and downstream Interface2 on RouterC establish a PIM BFD session and send BFD control packets to detect link status. RouterB functions as the DR and its downstream interface Interface1 is responsible for forwarding multicast data. If Interface1 becomes faulty, BFD fast notifies the RM of the session status and the RM then notifies the PIM module. The PIM module then triggers a new DR election. RouterC quickly begins functioning as the new DR and its downstream interface Interface2 forwards multicast data to the receivers.
11.4.6 PIM GR
Graceful Restart (GR) is a type of master/slave switchover protocol on the control plane. Protocol Independent Multicast (PIM) GR ensures multicast non-stop forwarding (NSF) during a master/slave switchover. PIM GR supports PIM-Sparse Mode (PIM-SM) and PIM-Source Specific Multicast (PIM-SSM) but does not support PIM-Dense Mode (PIM-DM).
Implementation
Multicast GR is based on unicast GR. PIM GR ensures multicast NSF when a master/slave switchover occurs on a device that has PIM-SM or PIM-SSM enabled and dual main control boards configured. The PIM protocol of the new main control board learns Join messages from downstream neighbors or Report messages from Internet Group Management Protocol (IGMP) hosts and performs the following operations:
Recalculates PIM multicast routing entries.
Maintains the Join status of upstream neighbors.
Updates multicast routing entries of the forwarding plane.
After a master/slave switchover, PIM routing entries on the main control board are quickly restored, and multicast forwarding entries are updated. This shortens multicast traffic interruption during a master/slave switchover. PIM GR is for use on PIM-SM networks. On a PIM-SM network, PIM GR on a PIM router ensures multicast NSF during a master/slave switchover. PIM GR can also be used for an in-service software upgrade (ISSU). PIM GR ensures that main control boards and interface boards can forward multicast traffic during ISSUs. The example in Figure 11-4-16 uses RouterA to show the PIM GR process.
Figure 11-4-16 PIM GR
PIM GR involves three phases: GR_START, GR_SYNC, and GR_END.
GR_START
1. After RouterA performs a master/slave switchover, the PIM protocol starts the GR timer, and PIM GR enters the GR_START phase. Unicast GR begins at the same time.
2. The PIM protocol sends Hello messages carrying new Generation IDs to all interfaces enabled with PIM-SM.
3. When RouterB and RouterD, reverse path forwarding (RPF) neighbors of RouterA, discover that the Generation ID of RouterA has changed, they send new Join-Prune messages to RouterA.
4. If dynamic RPs are used and the neighbors receive Hello messages with the changed Generation ID, the neighbors send a BSR message to RouterA to restore BSR information and RP information on RouterA.
5. After RouterA receives a Join-Prune message from RouterD or RouterB, it creates a PIM routing entry in an empty inbound interface table to record the Join status of RouterD or RouterB. During this period, the entries in the forwarding module remain unchanged and forwarding of multicast traffic continues.
GR_SYNC
After unicast GR is complete, PIM GR enters the GR_SYNC phase. The PIM protocol builds a multicast distribution tree (MDT) based on unicast routing information, restores the inbound interface of the PIM routing entry, and updates the Join queue to the source or the Rendezvous Point (RP). The PIM protocol then instructs the multicast forwarding module to update the forwarding table.
GR_END
After the GR timer expires, the PIM protocol enters the GR_END phase and notifies the multicast forwarding module. The multicast forwarding module then ages the forwarding entries that were not updated during GR.
11.5 Multicast Route Management
11.5.1 Multicast Routing and Forwarding
Devices that play different roles on a multicast network maintain different multicast tables, including the IGMP/MLD group table, IGMP/MLD routing table, multicast protocol routing table, multicast routing table, and multicast forwarding table. This section uses an IPv4 network as an example to describe the functions of these tables in multicast routing and forwarding.
IGMP Group and Routing Tables
A multicast router creates an IGMP group entry when receiving an IGMP Report message (IGMP Join) that a host sends to join a group. The router maintains group memberships in IGMP group entries and instructs a multicast routing protocol, usually the Protocol Independent Multicast (PIM) protocol, to create matching (*, G) entries. The router maintains an IGMP group entry for each interface as long as the interfaces have IGMP enabled and have received IGMP Join messages. The following is an example of a group entry on an interface:

display igmp group
Interface group report information of VPN-Instance: public net
 GigabitEthernet1/0/0 (10.1.6.2):
  Total 1 IGMP Group reported
   Group Address   Last Reporter   Uptime     Expires
   225.1.1.2       10.1.6.10       00:02:04   00:01:17
Table 11-5-1 explains the fields in an IGMP group entry.

Table 11-5-1 Description of fields in an IGMP group entry
Field           Description
Group Address   Address of a group that an interface has joined.
Last Reporter   IP address of the last user that sent an IGMP Join message to the group.
Uptime          Time that elapsed since the group was created.
Expires         Time before the group will be aged out.
An IGMP routing table is also maintained by the IGMP protocol. An interface is included in an IGMP routing entry only when PIM is not enabled on the interface. IGMP routing entries provide downstream interfaces to extend multicast routing entries. The following is an example of an IGMP routing entry:

display igmp routing-table
Routing table of VPN-Instance: public net
 Total 1 entry

 00001. (*, 225.1.1.1)
       List of 1 downstream interface
         GigabitEthernet1/0/0 (20.20.20.1),
         Protocol: IGMP

Table 11-5-2 explains the fields in an IGMP routing entry.

Table 11-5-2 Description of fields in an IGMP routing entry
Field                           Description
00001. (*, 225.1.1.1)           Entry number 00001, in the (*, G) format.
List of 1 downstream interface  List of downstream interfaces in a routing entry.
Protocol: IGMP                  Type of the protocol that generates the downstream interfaces.
According to the preceding information, the protocol type of the downstream interface is IGMP, indicating that PIM is not enabled on the interface. If PIM is enabled on an interface, the routing entries of the interface are maintained by PIM.
Multicast Protocol Routing Table
Multicast routing protocols maintain their own routing tables to guide multicast routing and forwarding. PIM is the most widely used multicast routing protocol. The following is an example of a PIM routing table:

display pim routing-table
VPN-Instance: public net
 Total 0 (*, G) entry; 1 (S, G) entry

 (172.168.0.12, 227.0.0.1)
     RP: 2.2.2.2
     Protocol: pim-sm, Flag: SPT LOC ACT
     UpTime: 02:54:43
     Upstream interface: GigabitEthernet1/0/0
         Upstream neighbor: NULL
         RPF prime neighbor: NULL
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet2/0/0
             Protocol: pim-sm, UpTime: 02:54:43, Expires: 00:02:47

Table 11-5-3 explains the fields in a PIM routing entry.

Table 11-5-3 Description of fields in a PIM routing entry
Field                                     Description
(172.168.0.12, 227.0.0.1)                 (S, G) entry.
RP: 2.2.2.2                               RP IP address, which is displayed only when the protocol type is PIM-SM.
Protocol: pim-sm                          Protocol type. The first Protocol field in an entry indicates the protocol that generates the entry, and the second Protocol field indicates the protocol that generates the downstream interfaces.
UpTime: 02:54:43                          Life time. The first UpTime field in an entry indicates how long the entry has existed, and the second UpTime field indicates how long a downstream interface has existed.
Flag: SPT LOC ACT                         Flag of a PIM routing entry.
Upstream interface: GigabitEthernet1/0/0  Upstream interface.
Upstream neighbor: NULL                   Upstream neighbor. NULL indicates that no upstream neighbor is available.
RPF prime neighbor: NULL                  RPF neighbor. NULL indicates that no RPF neighbor is available.
Downstream interface(s) information:      Information about downstream interfaces.
Expires: 00:02:47                         Aging time of a downstream interface.
For details about PIM routing entries, see Concepts in the PIM feature description.
Multicast Routing Table
A multicast routing table is generated and maintained by the multicast route management module of a router. If a router supports multiple multicast protocols, its multicast routing table contains the optimal routes selected from routing tables of these protocols. PIM Dense Mode (DM) and PIM Sparse Mode (SM) cannot run simultaneously on a router. In unicast routing, routing tables of various routing protocols such as Open Shortest Path First (OSPF), Routing Information Protocol (RIP), and Border Gateway Protocol (BGP) constitute an IP routing table. Similarly, routing tables of different multicast protocols constitute a multicast table. Routers deliver multicast routing entries to their multicast forwarding tables to guide multicast data forwarding. The following is an example of a multicast routing table:

display multicast routing-table
Multicast routing table of VPN-Instance: public net
 Total 1 entry

 00001. (172.168.0.2, 227.0.0.1)
       Uptime: 00:00:28
       Upstream Interface: GigabitEthernet1/0/0
       List of 2 downstream interfaces
           1: GigabitEthernet2/0/0
           2: GigabitEthernet3/0/0

Table 11-5-4 explains the fields in a multicast routing entry.

Table 11-5-4 Description of fields in a multicast routing entry
Field                                     Description
00001. (172.168.0.2, 227.0.0.1)           Entry number 00001, in the (S, G) format.
UpTime: 02:54:43                          Time that elapsed since the multicast routing entry was updated.
Upstream Interface: GigabitEthernet1/0/0  Upstream interface.
Multicast Forwarding Table
A multicast forwarding table, usually called a multicast forwarding information base (MFIB), is created and maintained by the route management module of a router according to multicast routing information. Routers forward multicast data according to their MFIBs. You can use the display multicast forwarding-table command to view entries in an MFIB. An MFIB has the same functions as a unicast FIB. The following is an example of an MFIB.

display multicast forwarding-table
Multicast Forwarding Table of VPN-Instance: public net
 Total 1 entry, 1 matched
            Activetime: 00:23:15
      Matched 38264 packets(1071392 bytes), Wrong If 0 packets
      Forwarded 38264 packets(1071392 bytes)

Table 11-5-5 explains the fields in a multicast forwarding entry.

Table 11-5-5 Description of fields in a multicast forwarding entry
Field                                     Description
00001. (172.168.0.2, 227.0.0.1)           Entry number 00001, in the (S, G) format.
Flags: 0x0:0                              Flag of the multicast forwarding entry.
MID: 0                                    Unique identifier of the multicast forwarding entry in the MFIB, which is used to rapidly search the multicast forwarding table.
UpTime: 02:54:43                          How long the multicast forwarding entry has existed.
Timeout in: 00:03:26                      How soon the multicast forwarding entry will time out.
Incoming interface: GigabitEthernet1/0/0  Inbound interface in the multicast forwarding entry.
List of 1 outgoing interfaces:            List of outbound interfaces.
Activetime: 00:23:15                      How long an outbound interface has existed.
Matched 38264 packets(1071392 bytes)      Number of packets that match the multicast forwarding entry.
Wrong If 0 packets                        Number of packets that arrive on the incorrect inbound interfaces.
Forwarded 38264 packets(1071392 bytes)    Number of forwarded packets.
The preceding information shows that multicast data is actually forwarded according to the MFIB. Each multicast forwarding entry records statistics about packets that are forwarded according to the entry.
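Because each MFIB entry carries its own counters, the "Wrong If" field is the quickest place to see whether packets for an (S, G) pair are arriving on an interface other than the RPF interface (a sign of a stale entry, an asymmetric unicast path or traffic injected from an unexpected segment). The following parser is an added example and not Huawei code: it reads the output of display multicast forwarding-table into structured entries and lists the ones with a non-zero "Wrong If" count. The sample output in SAMPLE_MFIB is constructed from the field names in Table 11-5-5 (the line layout, the second entry and its counter values are assumptions, not a real capture), so the regular expressions match on field names rather than on exact indentation.

```python
"""Parse 'display multicast forwarding-table' output and flag RPF failures.
Added example (not Huawei code); SAMPLE_MFIB is constructed, not captured."""
import re
from dataclasses import dataclass, field

# Constructed sample built from the fields listed in Table 11-5-5.
SAMPLE_MFIB = """\
Multicast Forwarding Table of VPN-Instance: public net
 Total 2 entries, 2 matched

 00001. (172.168.0.2, 227.0.0.1)
      MID: 0, Flags: 0x0:0
      UpTime: 02:54:43, Timeout in: 00:03:26
      Incoming interface: GigabitEthernet1/0/0
      List of 1 outgoing interfaces:
        1: GigabitEthernet2/0/0
            Activetime: 00:23:15
      Matched 38264 packets(1071392 bytes), Wrong If 0 packets
      Forwarded 38264 packets(1071392 bytes)

 00002. (172.168.0.3, 227.0.0.2)
      MID: 1, Flags: 0x0:0
      UpTime: 00:10:05, Timeout in: 00:03:10
      Incoming interface: GigabitEthernet1/0/0
      List of 2 outgoing interfaces:
        1: GigabitEthernet2/0/0
            Activetime: 00:10:05
        2: GigabitEthernet3/0/0
            Activetime: 00:09:40
      Matched 500 packets(14000 bytes), Wrong If 120 packets
      Forwarded 380 packets(10640 bytes)
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\.\s+\((\S+),\s*(\S+)\)\s*$")
IN_IF_RE = re.compile(r"^\s*Incoming interface:\s*(\S+)")
OUT_IF_RE = re.compile(r"^\s*\d+:\s+(\S+)\s*$")
MATCHED_RE = re.compile(r"Matched (\d+) packets\((\d+) bytes\), Wrong If (\d+) packets")
FORWARDED_RE = re.compile(r"Forwarded (\d+) packets\((\d+) bytes\)")


@dataclass
class MfibEntry:
    index: int
    source: str
    group: str
    incoming: str = ""
    outgoing: list = field(default_factory=list)
    matched: int = 0
    wrong_if: int = 0
    forwarded: int = 0


def parse_mfib(text):
    """Return one MfibEntry per (S, G) entry found in the command output."""
    entries, cur = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cur = MfibEntry(int(m.group(1)), m.group(2), m.group(3))
            entries.append(cur)
            continue
        if cur is None:
            continue  # header lines before the first entry
        if (m := IN_IF_RE.match(line)):
            cur.incoming = m.group(1)
        elif (m := OUT_IF_RE.match(line)):
            cur.outgoing.append(m.group(1))
        elif (m := MATCHED_RE.search(line)):
            cur.matched, cur.wrong_if = int(m.group(1)), int(m.group(3))
        elif (m := FORWARDED_RE.search(line)):
            cur.forwarded = int(m.group(1))
    return entries


def rpf_failures(entries):
    """Entries that received packets on an interface other than the RPF interface."""
    return [e for e in entries if e.wrong_if > 0]


if __name__ == "__main__":
    for e in rpf_failures(parse_mfib(SAMPLE_MFIB)):
        print(f"({e.source}, {e.group}) in {e.incoming}: "
              f"{e.wrong_if} of {e.matched} matched packets failed the RPF check")
```

Running the same parser over output collected periodically and diffing the wrong_if counter between runs turns the static field into a trend, which is more useful than a single snapshot because the counter only grows while an entry exists.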
11.5.2 RPF Check
RPF Check Basics
In unicast routing and forwarding, unicast packets are transmitted along a point-to-point path. Routers only need to know the destination address of a packet to find the outbound interface. In multicast routing and forwarding, routers cannot know the location of a receiver because the destination address of a multicast packet identifies a group of receivers. However, routers can know the source of a multicast packet according to the source address, and they ensure correct forwarding paths for multicast packets by checking source addresses of the packets. When a router receives a multicast packet, it searches the unicast routing table for the route to the source address of the packet. After finding the route, the router checks whether the outbound interface of the route is the same as the inbound interface of the multicast packet. If they are the same, the router considers that the multicast packet is received from a correct interface. This process is called an RPF check, which ensures correct forwarding paths for multicast packets. The correct interface is called an RPF interface.
Process of an RPF Check
In addition to unicast routes, RPF checks can also be performed using Multiprotocol Border Gateway Protocol (MBGP) routes and multicast static routes. If a router has all these routes, it performs an RPF check as follows after receiving a multicast packet:
1. The router selects an optimal route from each of the unicast routing table, MBGP routing table, and multicast static routing table according to the source address of the multicast packet. The outbound interfaces of the unicast route and MBGP route are RPF interfaces, and the next hops of the routes are the RPF neighbors. The RPF interface and RPF neighbor of the multicast static route have been specified when the route is manually configured.
2. The router selects a route from the three routes as the RPF route according to the following rules:
If the longest match rule is configured, the router selects the route with the longest mask. If the routes have the same mask length, the router selects the one with the highest preference. If the routes have the same preference, the router selects a route in an order of multicast static route, MBGP route, and unicast route.
If the longest match rule is not configured, the router selects the route with the highest preference. If the routes have the same preference, the router selects a route in an order of multicast static route, MBGP route, and unicast route.
3. The router compares the inbound interface of the packet with the RPF interface of the selected RPF route. If the inbound interface is the same as the RPF interface, the router considers that the packet has arrived on the correct path from the source and forwards the packet to downstream interfaces. If the inbound interface is different from the RPF interface, the packet fails the RPF check. The router considers that the packet is received from an incorrect interface and drops the packet.
As shown in Figure 11-5-1, a multicast stream sent from the source 152.10.2.2 arrives at interface S1 of the router. The router checks the routing table and finds that the multicast stream from this source should arrive at interface S0. Therefore, the RPF check fails and the multicast stream is dropped by the router.
Figure 11-5-1 RPF check fails
As shown in Figure 11-5-2, a multicast stream sent from the source 152.10.2.2 arrives at interface S0 of the router. The router checks the routing table and finds that the RPF interface is also S0. The RPF check succeeds, and the multicast stream is correctly forwarded.
Figure 11-5-2 RPF check succeeds
RPF Check in Multicast Data Forwarding
Multicast routing protocols determine the upstream and downstream neighbors and create multicast routing entries according to existing unicast routes, MBGP routes, and multicast static routes. The RPF check mechanism enables multicast data streams to be transmitted along the multicast distribution tree and prevents loops on forwarding paths. If a router searches the unicast routing table to perform an RPF check on every multicast data packet received, many system resources are consumed. To save system resources, a router first searches for the matching (S, G) entry after receiving a data packet sent from a source S to a group G.
If no matching (S, G) entry is found, the router performs an RPF check to find the RPF interface for the packet. The router then creates a multicast route with the RPF interface as the upstream interface and delivers the route to the multicast forwarding table. If the RPF check succeeds, the inbound interface of the packet is the RPF interface, and the router forwards the packet to all the downstream interfaces in the forwarding entry. If the RPF check fails, the packet has arrived along an incorrect path, and the router drops the packet.
If a matching (S, G) entry is found and the inbound interface of the packet is the same as the upstream interface in the entry, the router forwards the packet to all the downstream interfaces specified in the entry.
If a matching (S, G) entry is found but the inbound interface of the packet is different from the upstream interface in the entry, the router performs an RPF check on the packet. The router processes the packet according to the RPF check as follows:
If the RPF interface is the same as the upstream interface in the entry, the (S, G) entry is correct and the packet has arrived along an incorrect path. The router drops the packet.
If the RPF interface is different from the upstream interface in the entry, the (S, G) entry is outdated, and the router changes the upstream interface in the entry to the RPF interface. The router then compares the RPF interface with the inbound interface of the packet. If the inbound interface is the RPF interface, the router forwards the packet to all the downstream interfaces specified in the (S, G) entry. If the inbound interface is not the RPF interface, the router drops the packet.
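The route selection of "Process of an RPF Check" and the (S, G) cache logic just described fit together in a small simulation. The following is an added example, not Huawei code: select_rpf_route implements steps 1 and 2 (longest prefix within each table, then either the longest-match rule or the preference rule, with the multicast static, MBGP, unicast tie-break), and MulticastForwarder.receive implements the three cases above on top of an (S, G) table. Assumptions not on the page: route preference is modelled as a number where a smaller value is the more preferred route (the VRP convention), the downstream interface list is handed in by the caller in place of what PIM or IGMP would have learned, a packet whose source has no RPF route at all is dropped, and the addresses and interface names S0/S1 are constructed to match Figures 11-5-1 and 11-5-2.

```python
"""RPF route selection and RPF-checked (S, G) forwarding, as a simulation.
Added example, not Huawei code. Sample routes below are constructed."""
import ipaddress
from dataclasses import dataclass

# Tie-break order among tables when preference (and mask length) are equal.
TABLE_ORDER = {"static": 0, "mbgp": 1, "unicast": 2}


@dataclass(frozen=True)
class Route:
    prefix: str          # destination prefix, e.g. "152.10.0.0/16"
    rpf_interface: str   # outbound interface (static: configured RPF interface)
    rpf_neighbor: str    # next hop (static: configured RPF neighbor)
    preference: int      # smaller value = more preferred (VRP convention, assumed)
    table: str           # "static", "mbgp" or "unicast"


def _plen(route):
    return ipaddress.ip_network(route.prefix).prefixlen


def best_in_table(routes, source):
    """Step 1: the optimal (longest-prefix) route to the source within one table."""
    src = ipaddress.ip_address(source)
    matches = [r for r in routes if src in ipaddress.ip_network(r.prefix)]
    return max(matches, key=_plen) if matches else None


def select_rpf_route(tables, source, longest_match=False):
    """Step 2: choose the RPF route among the per-table candidates."""
    cands = [best_in_table(rs, source) for rs in tables.values()]
    cands = [r for r in cands if r is not None]
    if not cands:
        return None
    if longest_match:   # longest mask, then preference, then table order
        key = lambda r: (-_plen(r), r.preference, TABLE_ORDER[r.table])
    else:               # preference, then table order
        key = lambda r: (r.preference, TABLE_ORDER[r.table])
    return min(cands, key=key)


@dataclass
class SGEntry:
    upstream: str        # RPF interface recorded when the entry was built
    downstream: list     # outbound interfaces


class MulticastForwarder:
    """Applies the (S, G) lookup and RPF rules of this section to packets."""

    def __init__(self, tables, longest_match=False):
        self.tables = tables            # {"static": [...], "mbgp": [...], "unicast": [...]}
        self.longest_match = longest_match
        self.sg = {}                    # (S, G) -> SGEntry

    def rpf_interface(self, source):
        route = select_rpf_route(self.tables, source, self.longest_match)
        return route.rpf_interface if route else None

    def receive(self, source, group, in_if, downstream=()):
        """Return the outbound interfaces for one packet; [] means dropped.
        `downstream` stands in for the interfaces PIM/IGMP would have learned."""
        key = (source, group)
        entry = self.sg.get(key)
        if entry is None:
            # Case 1: no entry. RPF check, create the entry with the RPF interface
            # as upstream, forward only if the packet came in on that interface.
            rpf_if = self.rpf_interface(source)
            if rpf_if is None:
                return []               # no RPF route at all (assumed: drop)
            entry = self.sg[key] = SGEntry(rpf_if, list(downstream))
            return list(entry.downstream) if in_if == rpf_if else []
        if in_if == entry.upstream:
            # Case 2: entry matches the inbound interface, no routing lookup needed.
            return list(entry.downstream)
        # Case 3: inbound interface differs from the recorded upstream interface.
        rpf_if = self.rpf_interface(source)
        if rpf_if == entry.upstream:
            return []                   # entry is correct, packet took a wrong path
        entry.upstream = rpf_if         # entry is outdated: refresh the upstream
        return list(entry.downstream) if in_if == rpf_if else []
```

The third case is the one worth remembering operationally: a routing change does not by itself rewrite existing (S, G) entries, so the first packet arriving on the new path is what triggers the refresh, and until then packets on the old path are still accepted.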
11.5.3 Multicast Static Route
RPF checks can be performed using multicast static routes. Multicast static routes can be used to change RPF routes and connect RPF routes.
Changing RPF Routes
You can change RPF routes on a network by configuring multicast static routes. Then multicast data can be transmitted along a different path than unicast data. As shown in Figure 11-5-3, RouterA is the RPF neighbor of RouterC towards the multicast source (Source). Multicast packets sent from Source are transmitted along the path Source-> RouterA-> RouterC. If you configure a multicast static route on RouterC and specify RouterB as the RPF neighbor, the transmission path of multicast packets sent from Source changes to Source-> RouterA-> RouterB-> RouterC. Then the multicast path diverges from the unicast path.
Figure 11-5-3 Configure a multicast static route to change the RPF route
Connecting RPF Routes
When unicast routes on a multicast network are incomplete, multicast packets cannot be forwarded due to lack of an RPF route. You can configure multicast static routes on the network to generate new RPF routes. Then multicast routers can create new multicast forwarding entries to guide multicast data forwarding. As shown in Figure 11-5-4, Domain1 and Domain2 are routing domains (RIP and OSPF domains for example). The domains have no unicast route to each other, so the receivers in Domain2 cannot receive data from the multicast source in Domain1. To enable the receivers to receive data from the multicast source, configure multicast static routes on RouterC and RouterD in Domain2. On RouterC, specify RouterB as the RPF neighbor. On RouterD, specify RouterC as the RPF neighbor.
Figure 11-5-4 Configure multicast static routes to connect RPF routes
NOTE: Multicast static routes are local to the router where they are configured and are not advertised or redistributed to any other router.
11.5.4 Multicast Load Splitting
Load splitting and load balancing are different. Load splitting provides a way to distribute data streams destined for the same destination to multiple equal-cost paths, which may not result in a balanced traffic load on the paths. Load balancing is a special form of load splitting and distributes even data traffic loads on multiple equal-cost paths.
Implementation
By default, a router selects an RPF route from multiple equal-cost optimal routes to forward multicast packets according to the following RPF check policy:
If the equal-cost routes are in the same routing table, for example, unicast routing table, multicast static routing table, or MBGP routing table, the router selects the route with the largest next-hop address as the RPF route.
If the equal-cost routes are in different routing tables, the router selects the route with the highest preference. If the routes have the same preference, the router selects the route with the longest mask length. If the routes have the same preference and mask length, the router uses an algorithm to select a route as the RPF route.
In all cases, the router selects only one route as the RPF route.
Multicast load splitting enables a router to distribute multicast traffic to multiple equal-cost routes, instead of selecting only one route according to the RPF check policy. As shown in Figure 11-5-5, the multicast source (Source) sends multicast streams to group G. RouterA and RouterD run an Interior Gateway Protocol (IGP), OSPF for example, to implement IP interworking. Two equal-cost paths are available: RouterA-> RouterB-> RouterD and RouterA-> RouterC-> RouterD. According to the default RPF check policy, the multicast streams are forwarded through interface Int0 of RouterA because interface Int0 has a larger IP address than interface Int1. After multicast load splitting is configured on RouterA, RouterA does not select forwarding paths by comparing the next-hop IP addresses. Multicast streams are forwarded through both equal-cost paths.
Figure 11-5-5 Multicast forwarding without and with multicast load splitting
Multicast Load Splitting Modes
Various methods are available to load split (*, G) and (S, G) data streams in different scenarios, as described below.
Load splitting based on group addresses
As shown in Figure 11-5-6, the source sends data streams to different multicast groups (G1 to G10). Router7, Router6, and Router5 each have two equal-cost paths towards the source. These routers use route selection algorithms to select an optimal route for data sent to each group. In this load splitting mode, streams transmitted on different paths are sent to different groups.
Figure 11-5-6 Load splitting based on group addresses
Load splitting based on source addresses
As shown in Figure 11-5-7, different sources (S1 to S10) send data streams to the same group. Router7, Router6, and Router5 each have two equal-cost paths towards the sources. These routers use route selection algorithms to select an optimal path for data from each source. In this load splitting mode, streams transmitted on different paths are sent from different sources.
Figure 11-5-7 Load splitting based on source addresses
Load splitting based on source and group addresses
As shown in Figure 11-5-8, different sources (S1 to S10) send data streams to different groups (G1 to G10). Router7, Router6, and Router5 each have two equal-cost paths towards the sources. These routers use route selection algorithms to select an optimal path for each (S, G) stream. In this load splitting mode, streams transmitted on different paths have different source and group addresses.
Figure 11-5-8 Load splitting based on source and group addresses
Other load splitting methods
Figure 11-5-9 Other load splitting methods
Stable-preferred load splitting
As shown in Figure 11-5-9, when route flapping occurs on a multicast network, frequent changes of multicast traffic distribution on equal-cost paths will worsen route flapping. Stable-preferred load splitting can be configured to solve the problem. When route flapping occurs, a router with stable-preferred load splitting adjusts traffic distribution on equal-cost paths until route flapping ends. When the network topology becomes stable, the router evenly distributes (S, G) streams from the same source to the equal-cost paths.
Balance-preferred load splitting
As shown in Figure 11-5-9, balance-preferred load splitting enables routers to adjust traffic distribution among equal-cost paths immediately when route flapping occurs on a multicast network. When the network topology becomes stable, the router evenly distributes (S, G) streams from the same source to the equal-cost paths.
Unbalanced load splitting
As shown in Figure 11-5-9, unbalanced load splitting is a supplement to stable-preferred and balance-preferred load splitting and does not change the behaviors of the two load splitting modes. In unbalanced load splitting mode, (S, G) streams are distributed to equal-cost paths in proportion to the weights of the paths. As transmission paths on a network have different capabilities, you may need to manually adjust loads on some paths. In this case, you can configure load splitting weights on upstream interfaces of a router to implement unbalanced load splitting. A larger weight on an upstream interface allows the corresponding path to transmit more (*, G) and (S, G) streams.
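The difference between the default RPF policy in 11.5.4 (one route, the largest next-hop address) and the group, source, and source-and-group splitting modes, plus the effect of interface weights, is easiest to see when the same set of streams is pushed through each policy. The following is an added example and not Huawei code. The page does not say which "route selection algorithm" maps a stream to a path, so the hash-to-weighted-bucket step here is an assumed stand-in whose only promises are the ones the text makes: the choice is a deterministic function of the group, the source, or the (S, G) pair, and a larger weight on an upstream interface attracts more streams. The paths, addresses and streams are constructed.

```python
"""Default RPF choice over equal-cost routes versus multicast load splitting.
Added example, not Huawei code. The hash-based mapping is an assumption."""
import hashlib
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Path:
    interface: str   # upstream interface of this equal-cost route
    next_hop: str    # next-hop address of the route


def default_rpf_path(paths):
    """Default policy for equal-cost routes from one table: largest next hop wins."""
    return max(paths, key=lambda p: int(ip_address(p.next_hop)))


def split_key(source, group, mode):
    """The part of the stream identity that the chosen splitting mode looks at."""
    if mode == "group":
        return group
    if mode == "source":
        return source
    if mode == "source-group":
        return f"{source},{group}"
    raise ValueError(f"unknown load splitting mode: {mode}")


def load_split_path(paths, source, group, mode, weights=None):
    """Pick one equal-cost path for a stream. Deterministic, so a given stream
    always stays on the same path. `weights` (interface -> int) gives
    unbalanced splitting; an interface without a weight counts as 1."""
    weights = weights or {}
    buckets = [(p, weights.get(p.interface, 1)) for p in paths]
    total = sum(w for _, w in buckets)
    if total <= 0:
        raise ValueError("all equal-cost paths carry weight 0")
    digest = hashlib.sha256(split_key(source, group, mode).encode()).digest()
    slot = int.from_bytes(digest[:8], "big") % total
    for path, weight in buckets:
        if slot < weight:
            return path
        slot -= weight
    raise AssertionError("slot must fall inside one bucket")


def distribute(paths, streams, mode, weights=None):
    """Count how many (S, G) streams each upstream interface carries."""
    counts = Counter({p.interface: 0 for p in paths})
    for source, group in streams:
        counts[load_split_path(paths, source, group, mode, weights).interface] += 1
    return dict(counts)


if __name__ == "__main__":
    # Constructed topology after Figure 11-5-5: two equal-cost paths on RouterA.
    paths = [Path("Int0", "10.1.1.2"), Path("Int1", "10.1.1.1")]
    streams = [(f"10.0.0.{i}", f"225.1.1.{j}") for i in range(1, 11) for j in range(1, 11)]
    print("default RPF choice:", default_rpf_path(paths).interface)
    for mode in ("group", "source", "source-group"):
        print(mode, distribute(paths, streams, mode))
    print("weights 3:1", distribute(paths, streams, "source-group", {"Int0": 3, "Int1": 1}))
```

Whatever the real selection algorithm, the invariants checked here are the ones to verify on a device: in group mode every (S, G) with the same G takes the same path, in source mode every stream from the same S does, and a zero weight removes an interface from the split entirely.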
11.5.5 MPing/MTrace
Introduction to MPing/MTrace
As the Internet develops, more and more data, voice, and video service information is exchanged on the network and multicast services are rapidly developing. This brings the requirement for management of multicast networks. Multicast ping/tracert (MPing/MTrace) has been developed to provide users with multicast service detection and fault diagnosis functions.
MPing: a tool for detecting multicast services. MPing sends ICMP Echo Request messages to trigger the setup of the multicast forwarding tree and detect members of reserved multicast groups on the network.
NOTE: Reserved multicast group: The reserved multicast group addresses range from 224.0.0.0 to 224.0.0.255. For example, 224.0.0.5 is reserved for the OSPF multicast group; 224.0.0.13 is reserved for the PIMv2 multicast group.
MTrace: a tool for tracing multicast forwarding paths. MTrace traces the path from a receiver to a multicast source along the multicast forwarding tree.
MPing
MPing uses standard ICMP messages to detect the connectivity of a multicast path. MPing constructs an ICMP Echo Request message with the encapsulated destination address being a multicast address (either a multicast address for the reserved multicast group or a common multicast group address).
If the encapsulated destination address of an ICMP Echo Request message is the address of a reserved multicast group, the querier must specify the outbound interface of the message. Upon receiving such an ICMP Echo Request message, the member of the reserved multicast group responds with an ICMP Echo Reply packet. Therefore, you can ping the address of the reserved multicast group to detect the members in the reserved multicast group.
If the encapsulated destination address of an ICMP Echo Request message is the address of a common multicast group, the querier cannot specify the outbound interface of the message. The ICMP Echo Request message, as limited multicast traffic, is forwarded on the multicast network, which triggers the setup of multicast routing entries. The querier collects statistics on received ICMP Echo Reply packets from the destination host and calculates the TTL and response time from the multicast source to the member of a multicast group.
MTrace
MTrace complies with the protocol draft draft-fenner-traceroute-ipm-01.txt defined by the Internet Engineering Task Force (IETF). This draft describes a mechanism to trace the path along which multicast data is forwarded from the multicast source to the designated receiver.
Figure 11-5-10 Networking diagram of MTrace
MTrace takes effect only on a network where a multicast protocol (such as the PIM-SM protocol) is enabled and the multicast distribution tree is established. MTrace detects the multicast forwarding path by sending query messages. Query messages are classified into IGMP Tracert Query message, IGMP Tracert Request message, and IGMP Tracert Response message. MTrace works as follows:
1. The querier sends an IGMP Tracert Query message to the last-hop device connected to the destination host.
2. After receiving the IGMP Tracert Query message, the last-hop device adds a response data block containing information about the interface that receives the IGMP Tracert Query message, and sends an IGMP Tracert Request message to the previous-hop device.
3. Devices of each hop add a response data block to the IGMP Tracert Request message and send the message upstream.
4. When the first-hop device connected to the multicast source receives the IGMP Tracert Request message, it adds a response data block and sends the IGMP Tracert Response message to the querier.
5. The querier parses the IGMP Tracert Response message and obtains information about the forwarding path from the multicast source to the destination host.
6. If the IGMP Tracert Request message cannot reach the first-hop device because of some errors, the IGMP Tracert Response message is directly sent to the querier. The querier then parses the data block information for locating and monitoring the faulty node.
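The six steps above describe one exchange that walks the distribution tree hop by hop, so a short simulation of the three message types makes the two outcomes concrete: a complete trace that the querier reads back source-to-destination, and the truncated response of step 6 whose last block identifies the hop at which the request could go no further. This is an added example, not Huawei code and not an implementation of the draft's packet format. The device chain (RouterA as first hop, RouterC as last hop), the interface names and the reachable flag used to inject the fault are constructed for the illustration.

```python
"""Simulation of the MTrace Query / Request / Response exchange.
Added example, not Huawei code. The device chain below is constructed."""
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    in_interface: str               # interface on which the request arrives
    upstream: "Device | None" = None  # previous hop toward the multicast source
    first_hop: bool = False         # directly connected to the multicast source
    reachable: bool = True          # constructed fault: False = request cannot reach it


@dataclass
class TraceMessage:
    kind: str                       # "Query", "Request" or "Response"
    blocks: list = field(default_factory=list)  # (device, interface) response data blocks


def run_mtrace(last_hop):
    """Drive one trace from the last-hop device toward the source.
    Returns the Response the querier receives and whether the trace was complete."""
    msg = TraceMessage("Query")                     # step 1: querier -> last hop
    dev = last_hop
    while True:
        # steps 2 and 3: each hop appends a response data block describing the
        # interface that received the message and forwards it upstream
        msg = TraceMessage("Request", msg.blocks + [(dev.name, dev.in_interface)])
        if dev.first_hop:
            # step 4: the first-hop device answers the querier directly
            return TraceMessage("Response", msg.blocks), True
        nxt = dev.upstream
        if nxt is None or not nxt.reachable:
            # step 6: the request cannot reach the first hop; the response is
            # sent to the querier now, ending at the hop that could not continue
            return TraceMessage("Response", msg.blocks), False
        dev = nxt


def path_from_response(resp):
    """Step 5: the querier reads the blocks in source-to-destination order."""
    return [name for name, _ in reversed(resp.blocks)]


def faulty_node(resp):
    """For an incomplete trace, the last device that added a block is the one
    whose upstream could not be reached."""
    return resp.blocks[-1][0] if resp.blocks else None


if __name__ == "__main__":
    first = Device("RouterA", "GigabitEthernet1/0/0", first_hop=True)
    middle = Device("RouterB", "GigabitEthernet1/0/0", upstream=first)
    last = Device("RouterC", "GigabitEthernet1/0/0", upstream=middle)
    resp, complete = run_mtrace(last)
    print(complete, path_from_response(resp))
    first.reachable = False
    resp, complete = run_mtrace(last)
    print(complete, path_from_response(resp), "stopped at", faulty_node(resp))
```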
11.5.6 Multicast in BGP/MPLS IP VPN
Applicable Scenario
Figure 11-5-11 shows the typical BGP/MPLS IP VPN networking. Multicast in BGP/MPLS IP VPN allows private multicast traffic to be forwarded over the BGP/MPLS IP VPN: VPN users at each site receive multicast data only from users of the same VPN. PEs at the public network edge support multiple instances, and multicast traffic in different VPN instances is isolated.
Figure 11-5-11 Typical networking of BGP/MPLS IP VPN
Implementation
Figure 11-5-12 Using the GRE tunnel to transmit private multicast traffic
As shown in Figure 11-5-12, private multicast traffic is transmitted over a GRE tunnel deployed between the PEs. To deploy multicast in a BGP/MPLS IP VPN network, create a tunnel interface on each PE and bind both the tunnel interface and the interface connecting the PE to the CE to the same VPN instance. The private routing protocol process on the PE advertises the network segments of the tunnel interface and of the PE-CE interface. When multicast packets reach the PE, the next hop in the VPN instance routing table is the tunnel interface: the PE adds a GRE header to the multicast packets and sends them to the remote PE over the GRE tunnel, and the remote PE decapsulates them. When configuring multicast in a BGP/MPLS IP VPN network, note the following points:
There must be a reachable route between the source address and destination address of the tunnel interface. The tunnel interface can use the loopback interface address as the source address. The loopback interface binds to the same VPN instance as the tunnel interface. In addition, there must be a reachable route between the loopback interface and the source address of the peer tunnel interface.
IP addresses of tunnel interfaces at both ends of the GRE tunnel must be located on the same network segment.
Interfaces in a VPN instance, including tunnel interfaces, must run the same PIM mode. PIM does not need to be configured on the source interface of the tunnel interface.
All the PEs bound to the same VPN instance must establish a GRE tunnel.
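The four notes above are easy to violate silently, so a pre-deployment check is useful. The following Python is an added example and not Huawei code: it models only the parts of a PE's configuration the notes refer to (the interfaces bound to the VPN instance with their PIM mode, the GRE tunnel interface with its source and destination, and the VPN instance routing table) and reports which note a configuration violates. PE names, interface names, addresses and the sample state are constructed.

```python
"""Checks for the four multicast-in-VPN deployment notes (added example)."""
from ipaddress import ip_address, ip_interface, ip_network
from typing import Dict, List, Optional


class Pe:
    def __init__(self, name: str, vpn: str) -> None:
        self.name = name
        self.vpn = vpn
        self.pim: Dict[str, Optional[str]] = {}   # bound interface -> "sm", "dm" or None
        self.tunnel: Optional[dict] = None
        self.vpn_routes: List[str] = []            # prefixes in the VPN instance routing table

    def bind(self, iface: str, pim: Optional[str] = None) -> "Pe":
        self.pim[iface] = pim
        return self

    def gre_tunnel(self, iface: str, address: str, source_iface: str,
                   source: str, destination: str, pim: str = "sm") -> "Pe":
        self.tunnel = {"iface": iface, "address": ip_interface(address),
                       "source_iface": source_iface, "source": ip_address(source),
                       "destination": ip_address(destination)}
        self.pim[iface] = pim          # the tunnel interface is bound to the instance too
        return self

    def route(self, *prefixes: str) -> "Pe":
        self.vpn_routes.extend(prefixes)
        return self

    def has_route(self, addr) -> bool:
        return any(addr in ip_network(p) for p in self.vpn_routes)


def check_mvpn(pes: List[Pe]) -> List[str]:
    problems: List[str] = []
    for pe in pes:
        if pe.tunnel is None:                      # note 4: every PE needs a tunnel
            problems.append(f"{pe.name}: no GRE tunnel bound to VPN instance {pe.vpn}")
            continue
        t = pe.tunnel
        if not pe.has_route(t["destination"]):     # note 1: tunnel destination reachable
            problems.append(f"{pe.name}: no VPN route to tunnel destination {t['destination']}")
        # note 3: every bound interface runs one PIM mode; the tunnel source interface is exempt
        modes = {m for i, m in pe.pim.items() if i != t["source_iface"]}
        if len(modes) != 1 or None in modes:
            problems.append(f"{pe.name}: interfaces in VPN instance {pe.vpn} do not all run one PIM mode")
    with_tunnel = [pe for pe in pes if pe.tunnel is not None]
    for a in with_tunnel:                          # note 2: tunnel addresses on one segment
        for b in with_tunnel:
            if (a.tunnel["destination"] == b.tunnel["source"]
                    and a.tunnel["address"].network != b.tunnel["address"].network):
                problems.append(f"{a.name}->{b.name}: tunnel interface addresses are not on one network segment")
    return problems


def sample_pes() -> List[Pe]:
    """A correct two-PE deployment (all values constructed)."""
    pe1 = (Pe("PE1", "vpna").bind("GigabitEthernet1/0/0", "sm").bind("LoopBack1")
           .gre_tunnel("Tunnel0/0/0", "10.0.0.1/24", "LoopBack1", "1.1.1.1", "2.2.2.2")
           .route("10.0.0.0/24", "2.2.2.2/32", "192.168.10.0/24"))
    pe2 = (Pe("PE2", "vpna").bind("GigabitEthernet1/0/0", "sm").bind("LoopBack1")
           .gre_tunnel("Tunnel0/0/0", "10.0.0.2/24", "LoopBack1", "2.2.2.2", "1.1.1.1")
           .route("10.0.0.0/24", "1.1.1.1/32", "192.168.20.0/24"))
    return [pe1, pe2]
```

The loopback used as tunnel source is bound to the instance without a PIM mode and is skipped by the mode check, which is exactly the exemption the third note grants.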
11.6 Configuration Examples
11.6.1 Example for Adding an Interface to a Multicast Group Statically
Networking Requirements
As shown in Figure 11-6-1, video on demand (VoD) users receive video streams in multicast mode. User hosts are located on two network segments, N1 and N2. The receiver HostA is located on N1, and the receivers HostC and HostD are located on N2. HostA needs to receive data of multicast group 225.1.1.1 for a long time, while HostC and HostD have no such requirement.
Figure 11-6-1 Networking diagram for basic IGMP configuration
Configuration Roadmap
To meet the preceding requirements, statically add the interface connected to the network segment of HostA to multicast group 225.1.1.1. The configuration roadmap is as follows:
1. Configure a unicast routing protocol to implement IP interworking. Configure IP addresses for interfaces and configure a unicast routing protocol on each Router. Multicast routing protocols depend on unicast routing protocols.
2. Configure basic multicast functions to enable multicast data to be forwarded on the network. Enable PIM-SM and configure an RP on each Router. Enable IGMP on the interface connected to the receiver network segment.
3. Enable HostA to receive data of multicast group 225.1.1.1 for a long time. On RouterA, statically add the interface connected to the network segment of HostA to multicast group 225.1.1.1.
Procedure
1. Configure IP addresses for interfaces and configure a unicast routing protocol on each Router. Configure an IP address and mask for each interface according to Figure 11-6-1. Configure OSPF on each Router to ensure IP connectivity between them and enable them to dynamically update routing information. The detailed configurations are not mentioned here. For details, see Configuration Files.
2. Enable PIM-SM and configure an RP.
# Enable multicast functions on RouterA and enable PIM-SM on GE1/0/0 and GE2/0/0. The configurations of RouterB, RouterC and RouterD are similar to the configuration of RouterA, and are not mentioned here. For details, see Configuration Files.
[RouterA] multicast routing-enable
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] pim sm
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] pim sm
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] pim
[RouterA-pim] static-rp 192.168.4.1
[RouterA-pim] quit
3. Enable IGMP on the interface connected to user hosts.
# Enable IGMP on GE1/0/0 of RouterA. The configurations of RouterB, RouterC and RouterD are similar to the configuration of RouterA, and are not mentioned here. For details, see Configuration Files.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] igmp enable
[RouterA-GigabitEthernet1/0/0] quit
4. Add GE1/0/0 of RouterA to multicast group 225.1.1.1 so that the user hosts connected to GE1/0/0 receive stable multicast data sent to multicast group 225.1.1.1.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] igmp static-group 225.1.1.1
5. Verify the configuration.
# Run the display igmp interface command to check the IGMP configuration and running status on each router interface. The IGMP command output on GE1/0/0 of RouterB is as follows:
display igmp interface gigabitethernet 1/0/0
Interface information of VPN-Instance: public net
GigabitEthernet1/0/0(10.110.2.1):
IGMP is enabled
Current IGMP version is 2
IGMP state: up
IGMP group policy: none
IGMP limit:
Value of query interval for IGMP (negotiated):
Value of query interval for IGMP (configured): 60 s
Value of other querier timeout for IGMP: 0 s
Value of maximum query response time for IGMP: 10 s
Querier for IGMP: 10.110.2.1 (this router)
Total 2 IGMP Groups reported
# Run the display pim routing-table command on RouterA to check whether GE1/0/0 has been statically added to multicast group 225.1.1.1. If a (*, 225.1.1.1) entry exists on RouterA, its downstream interface is GigabitEthernet1/0/0, and the protocol type is static, GigabitEthernet1/0/0 has been statically added to multicast group 225.1.1.1. The command output is as follows:
display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 0 (S, G) entry
(*, 225.1.1.1)
RP: 192.168.4.1
Protocol: pim-sm, Flag: WC
UpTime: 00:12:17
Upstream interface: GigabitEthernet2/0/0
Upstream neighbor: 192.168.1.1
RPF prime neighbor: 192.168.1.1
Downstream interface(s) information:
Total number of downstreams: 1
1: GigabitEthernet1/0/0
Protocol: static, UpTime: 00:12:17, Expires: -
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 10.110.1.1 255.255.255.0
 pim sm
 igmp enable
 igmp static-group 225.1.1.1
#
interface GigabitEthernet2/0/0
 ip address 192.168.1.1 255.255.255.0
 pim sm
#
ospf 1
 area 0.0.0.0
  network 10.110.1.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
#
pim
 static-rp 192.168.4.1
#
return
Configuration file of RouterB
#
sysname RouterB
#
multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 10.110.2.1 255.255.255.0
 pim sm
 igmp enable
#
interface GigabitEthernet2/0/0
 ip address 192.168.2.1 255.255.255.0
 pim sm
#
ospf 1
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 192.168.2.2 255.255.255.0
 pim sm
#
interface GigabitEthernet3/0/0
 ip address 192.168.3.2 255.255.255.0
 pim sm
#
interface GigabitEthernet/0/0
 ip address 192.168.4.1 255.255.255.0
 pim sm
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
  network 192.168.4.0 0.0.0.255
#
pim
 static-rp 192.168.4.1
#
return
11.6.2 Example for Configuring Basic IGMP Functions
Networking Requirements
As shown in Figure 11-6-2, video on demand (VoD) users receive video streams in multicast mode. User hosts are located on two network segments, N1 and N2. The receivers HostA and HostC are located on the two network segments respectively. On this network, multicast groups 225.1.1.1 to 225.1.1.5 are used to receive video streams. HostA subscribes only to the program of group 225.1.1.1, and HostC can receive all the programs.
Figure 11-6-2 Networking diagram for basic IGMP configuration
Configuration Roadmap
To meet the preceding requirements, configure basic IGMP functions and limit the range of multicast groups on the interface connected to the network segment of HostA. The configuration roadmap is as follows:
1. Configure a unicast routing protocol to implement IP interworking. Configure IP addresses for interfaces and configure a unicast routing protocol on each Router. Multicast routing protocols depend on unicast routing protocols.
2. Configure basic multicast functions to enable multicast data to be forwarded on the network. Enable PIM-SM and configure an RP on each Router. Enable IGMP on the interface connected to the receiver network segment.
3. Control the multicast data that HostA can receive. Configure an ACL on the interface of RouterA connected to the network segment of HostA to filter the multicast groups HostA can join.
Procedure
1. Configure IP addresses for interfaces and configure a unicast routing protocol on each Router. Configure an IP address and mask for each interface according to Figure 11-6-2. Configure OSPF on each Router to ensure IP connectivity between them and enable them to dynamically update routing information. The configuration details are not mentioned here.
2. Enable multicast routing on RouterA and enable PIM-SM on all interfaces.
# Enable multicast routing on RouterA, enable PIM-SM on all interfaces, and configure GE1/0/0 of RouterD as the static RP. The configurations of RouterB, RouterC and RouterD are similar to the configuration of RouterA, and are not mentioned here.
[RouterA] multicast routing-enable
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] pim sm
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] pim sm
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] pim
[RouterA-pim] static-rp 192.168.4.2
[RouterA-pim] quit
3. On RouterA, RouterB, and RouterC, enable IGMP on the interfaces connected to the receiver network segments.
# Enable IGMP on GE1/0/0 of RouterA. The configurations of RouterB and RouterC are similar to the configuration of RouterA, and are not mentioned here.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] igmp enable
[RouterA-GigabitEthernet1/0/0] quit
4. Allow GE1/0/0 of RouterA to join multicast group 225.1.1.1 only.
# On RouterA, create an ACL with a rule that permits only multicast group 225.1.1.1, and apply the ACL to GE1/0/0 as the IGMP group policy.
[RouterA] acl number 2001
[RouterA-acl-basic-2001] rule permit source 225.1.1.1 0
[RouterA-acl-basic-2001] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] igmp group-policy 2001
[RouterA-GigabitEthernet1/0/0] quit
5. Verify the configuration.
# Run the display igmp interface command to check the IGMP configuration and running status on each interface. The IGMP command output on GE1/0/0 of RouterA is as follows:
display igmp interface gigabitethernet 1/0/0
Interface information of VPN-Instance: public net
gigabitethernet1/0/0(10.110.1.1):
IGMP is enabled
Current IGMP version is 2
IGMP state: up
IGMP group policy: 2001
IGMP limit:
Value of query interval for IGMP (negotiated):
Value of query interval for IGMP (configured): 60 s
Value of other querier timeout for IGMP: 0 s
Value of maximum query response time for IGMP: 10 s
Querier for IGMP: 10.110.1.1 (this router)
Total 1 IGMP Group reported
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
multicast routing-enable
#
acl number 2001
 rule 5 permit source 225.1.1.1 0
#
interface GigabitEthernet1/0/0
 ip address 10.110.1.1 255.255.255.0
 pim sm
 igmp enable
 igmp group-policy 2001
#
interface GigabitEthernet2/0/0
 ip address 192.168.1.1 255.255.255.0
 pim sm
#
ospf 1
 area 0.0.0.0
  network 10.110.1.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
#
pim
 static-rp 192.168.4.2
#
return
Configuration file of RouterB
#
sysname RouterB
#
multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 10.110.2.1 255.255.255.0
 pim sm
 igmp enable
#
interface GigabitEthernet2/0/0
 ip address 192.168.2.1 255.255.255.0
 pim sm
#
ospf 1
 area 0.0.0.0
  network 10.110.2.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
pim
 static-rp 192.168.4.2
#
return
Configuration file of RouterC
#
sysname RouterC
#
multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 10.110.2.2 255.255.255.0
 pim sm
 igmp enable
#
interface GigabitEthernet2/0/0
 ip address 192.168.3.1 255.255.255.0
 pim sm
#
ospf 1
 area 0.0.0.0
  network 10.110.2.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
#
pim
 static-rp 192.168.4.2
#
return
Configuration file of RouterD
#
sysname RouterD
#
multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 192.168.4.2 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 192.168.1.2 255.255.255.0
 pim sm
#
interface GigabitEthernet3/0/0
 ip address 192.168.2.2 255.255.255.0
 pim sm
#
interface GigabitEthernet4/0/0
 ip address 192.168.3.2 255.255.255.0
 pim sm
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
  network 192.168.4.0 0.0.0.255
#
pim
 static-rp 192.168.4.2
#
return
11.6.3 Example for Configuring IGMP SSM Mapping
Networking Requirements
On the multicast network shown in Figure 11-6-3, PIM-SM is run and SSM mode is configured to provide multicast services. The Router interface connected to the receiver network segment runs IGMPv3, whereas the receiver runs IGMPv2 and cannot be upgraded to IGMPv3. Therefore, the receiver cannot specify the multicast source from which it wants to receive data when joining a multicast group. The range of SSM group addresses on the network is 232.1.1.0/24. Source 1, Source 2, and Source 3 all send multicast data to the multicast groups in this range. Configure the receiver to receive multicast data only from Source 1 and Source 3.
Figure 11-6-3 Networking diagram for the SSM mapping configuration
Device    Interface    IP Address          Device    Interface    IP Address
RouterA   GE1/0/0      10.10.1.2/24        RouterC   GE1/0/0      10.10.3.2/24
          GE2/0/0      192.168.1.1/24                GE2/0/0      192.168.3.1/24
          GE3/0/0      192.168.2.2/24                GE3/0/0      192.168.4.2/24
RouterB   GE1/0/0      10.10.2.2/24        RouterD   GE1/0/0      10.10.4.2/24
          GE2/0/0      192.168.1.2/24                GE2/0/0      192.168.3.2/24
          GE3/0/0      192.168.2.1/24                GE3/0/0      192.168.4.1/24
Configuration Roadmap
To meet the preceding requirements, configure basic multicast functions on the Routers, and then configure SSM mapping on RouterD. The configuration roadmap is as follows:
1. Configure a unicast routing protocol to implement IP interworking. Configure IP addresses for interfaces and configure a unicast routing protocol on each Router. Multicast routing protocols depend on unicast routing protocols.
2. Configure basic multicast functions to enable multicast data to be forwarded on the network. Enable PIM-SM and configure an RP on each Router. Enable IGMP on the interface connected to the receiver network segment.
3. Configure SSM mapping to enable the receiver to select multicast sources. Enable SSM mapping on the interface of RouterD connected to the receiver network segment, and configure SSM mapping rules on RouterD.
Procedure
1. Configure IP addresses for interfaces and configure a unicast routing protocol on each Router. Configure an IP address and mask for each interface according to Figure 11-6-3. Configure OSPF on each Router to ensure IP connectivity between them and enable them to dynamically update routing information. The detailed configurations are not mentioned here. For details, see Configuration Files.
2. Enable IP multicast routing on each Router, and enable PIM-SM and IGMP on interfaces.
# Enable IP multicast routing on RouterD and enable PIM-SM on its interfaces. Enable IGMP on GE1/0/0 and set the IGMP version to IGMPv3.
[RouterD] multicast routing-enable
[RouterD] interface gigabitethernet 1/0/0
[RouterD-GigabitEthernet1/0/0] pim sm
[RouterD-GigabitEthernet1/0/0] igmp enable
[RouterD-GigabitEthernet1/0/0] igmp version 3
[RouterD-GigabitEthernet1/0/0] quit
[RouterD] interface gigabitethernet 2/0/0
[RouterD-GigabitEthernet2/0/0] pim sm
[RouterD-GigabitEthernet2/0/0] quit
[RouterD] interface gigabitethernet 3/0/0
[RouterD-GigabitEthernet3/0/0] pim sm
[RouterD-GigabitEthernet3/0/0] quit
# Enable IP multicast routing on RouterA and enable PIM-SM on the interfaces of RouterA. The configurations of RouterB and RouterC are similar to the configuration of RouterA, and are not mentioned here.
[RouterA] multicast routing-enable
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] pim sm
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] pim sm
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] pim sm
[RouterA-GigabitEthernet3/0/0] quit
# Configure GE3/0/0 as the C-BSR and C-RP on RouterD.
[RouterD] pim
[RouterD-pim] c-bsr gigabitethernet 3/0/0
[RouterD-pim] c-rp gigabitethernet 3/0/0
[RouterD-pim] quit
3. Enable SSM mapping on the interface connected to the receiver network segment.
# Enable SSM mapping on GE1/0/0 of RouterD.
[RouterD] interface gigabitethernet 1/0/0
[RouterD-GigabitEthernet1/0/0] igmp ssm-mapping enable
[RouterD-GigabitEthernet1/0/0] quit
4. Configure the range of SSM group addresses on all Routers.
# Set the range of SSM group addresses to 232.1.1.0/24 on RouterA. The configurations of RouterB, RouterC, and RouterD are similar to the configuration of RouterA, and are not mentioned here.
[RouterA] acl number 2000
[RouterA-acl-basic-2000] rule permit source 232.1.1.0 0.0.0.255
[RouterA-acl-basic-2000] quit
[RouterA] pim
[RouterA-pim] ssm-policy 2000
[RouterA-pim] quit
5. Configure SSM mapping rules on RouterD.
# Map the multicast groups in the range of 232.1.1.0/24 to Source 1 and Source 3.
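Both the igmp group-policy of 11.6.2 and the SSM mapping of this example decide what happens to a host's Report by matching the group against a basic ACL. The following Python is an added illustration of that decision logic and not Huawei VRP code: it models a basic ACL matched with a wildcard mask (bits set to 1 are ignored), a group policy that accepts a membership only if the ACL permits the group, and SSM mapping that turns an IGMPv2 (*, G) Report into (S, G) state for groups inside the ssm-policy range. It assumes rules are tried in order, that a group matching no rule is denied, and that an SSM-range group with no mapping rule creates no state. The addresses of Source 1 and Source 3 are not given on the page and are constructed here.

```python
"""Model of IGMP group-policy filtering and SSM mapping (added example)."""
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple


class BasicAcl:
    """Ordered (action, address, wildcard) rules, Huawei basic-ACL style."""

    def __init__(self, number: int) -> None:
        self.number = number
        self.rules: List[Tuple[str, int, int]] = []

    def rule(self, action: str, source: str, wildcard: str) -> "BasicAcl":
        # "0.0.0.0" is the dotted form of the wildcard written as 0 on the page
        self.rules.append((action, int(IPv4Address(source)), int(IPv4Address(wildcard))))
        return self

    def permits(self, addr: str) -> bool:
        a = int(IPv4Address(addr))
        for action, src, wild in self.rules:
            if (a & ~wild) == (src & ~wild):   # first matching rule decides
                return action == "permit"
        return False                           # assumption: no match means deny


def apply_group_policy(acl: Optional[BasicAcl], reported: List[str]) -> List[str]:
    """Groups an interface accepts from host Report messages (igmp group-policy)."""
    if acl is None:
        return list(reported)                  # no policy: every group is accepted
    return [g for g in reported if acl.permits(g)]


Entry = Tuple[Optional[str], str]              # (source, or None for (*, G); group)


class SsmMapping:
    """SSM mapping on a receiver-facing interface whose hosts only speak IGMPv2."""

    def __init__(self, ssm_policy: BasicAcl) -> None:
        self.ssm_policy = ssm_policy                   # pim ssm-policy: the SSM group range
        self.rules: List[Tuple[BasicAcl, str]] = []   # (group ACL, source address)

    def map_groups(self, group_acl: BasicAcl, source: str) -> "SsmMapping":
        self.rules.append((group_acl, source))
        return self

    def join(self, group: str) -> Set[Entry]:
        """State created for an IGMPv2 (*, G) Report received on the interface."""
        if not self.ssm_policy.permits(group):
            return {(None, group)}             # ASM group: ordinary (*, G) towards the RP
        sources = {src for acl, src in self.rules if acl.permits(group)}
        return {(src, group) for src in sources}   # empty set: no mapping, no state
```

With the mapping in place a receiver that can only send (*, 232.1.1.5) still produces (S, G) joins for exactly the two configured sources, while Source 2's traffic is never requested; a group outside 232.1.1.0/24 falls back to normal ASM behaviour.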
11.6.4 Example for Configuring IGMP Limit
Networking Requirements
When many users are watching multiple video programs, the programs occupy high bandwidth. As a result, device performance degrades and the multicast data received by users becomes unstable. Multicast services are deployed on the network shown in Figure 11-6-4. HostA, connected to RouterA, subscribes to the program of group 225.1.1.3 for a long time. The IGMP limit function can be configured on RouterA, RouterB and RouterC to limit the number of multicast groups that users can join, so that network resources are used more efficiently. When the number of multicast groups that hosts have joined reaches the limit, hosts cannot subscribe to new programs. This ensures that users can watch high-quality programs.
Figure 11-6-4 Networking diagram for IGMP limit configuration
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a unicast routing protocol to implement IP interworking. Configure IP addresses for interfaces and configure a unicast routing protocol on each Router. Multicast routing protocols depend on unicast routing protocols.
2. Configure basic multicast functions to enable multicast data to be forwarded on the network. Enable PIM-SM and configure an RP on each Router. Enable IGMP on the interface connected to the receiver network segment.
3. Configure HostA to steadily receive multicast data of multicast group 225.1.1.3 for a long time. On RouterA, statically add the interface connected to the network segment of HostA to multicast group 225.1.1.3.
4. Limit the number of IGMP group memberships on the Routers to control the programs that multicast users can subscribe to.
Procedure
1. Configure IP addresses for interfaces and configure a unicast routing protocol on each Router. Configure an IP address and mask for each interface according to Figure 11-6-4. Configure OSPF on each Router to ensure IP connectivity between them and enable them to dynamically update routing information. The configuration details are not mentioned here.
2. Enable multicast routing on RouterA and enable PIM-SM on all interfaces.
# Enable multicast routing on RouterA, enable PIM-SM on all interfaces, and configure GE4/0/0 of RouterD as the static RP. The configurations of RouterB, RouterC and RouterD are similar to the configuration of RouterA, and are not mentioned here.
[RouterA] multicast routing-enable
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] pim sm
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] pim sm
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] pim
[RouterA-pim] static-rp 192.168.4.1
[RouterA-pim] quit
3. On RouterA, RouterB, and RouterC, enable IGMP on the interfaces connected to the receiver network segments.
# Enable IGMP on GE1/0/0 of RouterA. The configurations of RouterB and RouterC are similar to the configuration of RouterA, and are not mentioned here.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] igmp enable
[RouterA-GigabitEthernet1/0/0] quit
4. Set the maximum number of IGMP group memberships on the last-hop router.
# Set the maximum number of IGMP group memberships on RouterA to 50.
[RouterA] igmp global limit 50
# Set the maximum number of IGMP group memberships in the public network instance to 40.
[RouterA] igmp
[RouterA-igmp] limit 40
[RouterA-igmp] quit
# Set the maximum number of IGMP group memberships on GE1/0/0 to 30.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] igmp limit 30
[RouterA-GigabitEthernet1/0/0] quit
The configurations of RouterB and RouterC are similar to the configuration of RouterA, and are not mentioned here.
5. Verify the configuration.
# Run the display igmp interface command to check the IGMP configuration and running status on router interfaces. The IGMP command output on GE1/0/0 of RouterA is as follows:
display igmp interface gigabitethernet 1/0/0
Interface information of VPN-Instance: public net
GigabitEthernet1/0/0(10.110.1.1):
IGMP is enabled
Current IGMP version is 2
IGMP state: up
IGMP group policy: none
IGMP limit: 30
Value of query interval for IGMP (negotiated):
Value of query interval for IGMP (configured): 60 s
Value of other querier timeout for IGMP: 0 s
Value of maximum query response time for IGMP: 10 s
Querier for IGMP: 10.110.1.1 (this router)
The output shows that a maximum of 30 IGMP group memberships can be created on GE1/0/0 of RouterA.
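Step 4 configures three limits at once (device-wide, per instance, per interface), and the display output only shows the interface value. The following Python is an added example, not Huawei VRP code, of how the three levels interact when Reports arrive. It assumes the limits compose as the commands suggest: a new membership is accepted only while the interface count (igmp limit), the instance count (limit in the IGMP view) and the device-wide count (igmp global limit) are all below their configured maximums, and a repeated Report for an existing membership never counts again. Instance names, interfaces, groups and the Report sequence are constructed.

```python
"""Model of the three-level IGMP membership limit of 11.6.4 (added example)."""
from collections import defaultdict
from typing import Dict, Optional, Set, Tuple

Membership = Tuple[str, str, str]      # (VPN instance, interface, group)


class IgmpLimiter:
    def __init__(self, global_limit: Optional[int] = None) -> None:
        self.global_limit = global_limit                  # igmp global limit
        self.instance_limit: Dict[str, int] = {}          # limit (IGMP view)
        self.iface_limit: Dict[str, int] = {}             # igmp limit (interface view)
        self.memberships: Set[Membership] = set()
        self.rejected: Dict[str, int] = defaultdict(int)  # which level refused, for monitoring

    def set_instance_limit(self, instance: str, n: int) -> None:
        self.instance_limit[instance] = n

    def set_iface_limit(self, iface: str, n: int) -> None:
        self.iface_limit[iface] = n

    def count(self, instance: Optional[str] = None, iface: Optional[str] = None) -> int:
        """Current memberships, optionally restricted to one instance or interface."""
        return sum(1 for inst, ifc, _ in self.memberships
                   if (instance is None or inst == instance)
                   and (iface is None or ifc == iface))

    def report(self, instance: str, iface: str, group: str) -> bool:
        """Handle an IGMP Report; True if the membership exists afterwards."""
        key: Membership = (instance, iface, group)
        if key in self.memberships:
            return True                                   # refresh, not a new membership
        checks = (
            ("interface", self.iface_limit.get(iface), self.count(iface=iface)),
            ("instance", self.instance_limit.get(instance), self.count(instance=instance)),
            ("global", self.global_limit, self.count()),
        )
        for level, limit, current in checks:
            if limit is not None and current >= limit:
                self.rejected[level] += 1                 # the most restrictive level wins
                return False
        self.memberships.add(key)
        return True

    def leave(self, instance: str, iface: str, group: str) -> None:
        """Handle an IGMP Leave (or membership timeout): frees one slot at every level."""
        self.memberships.discard((instance, iface, group))
```

The rejected counters make it easy to see which limit is actually biting on a busy router: with the values from step 4, a single interface saturates at 30 while the instance still has room, and only interfaces without their own limit can push the instance up to 40.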
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
igmp global limit 50
multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 10.110.1.1 24
 pim sm
 igmp enable
 igmp limit 30
#
interface GigabitEthernet2/0/0
 ip address 192.168.1.1 24
 pim sm
#
ospf 1
 area 0.0.0.0
Configuration file of RouterB
#
sysname RouterB
#
igmp global limit 50
multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 10.110.2.1 24
 pim sm
 igmp enable
 igmp limit 30
#
interface GigabitEthernet2/0/0
 ip address 192.168.2.1 24
 pim sm
#
ospf 1
 area 0.0.0.0
  network 10.110.2.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
igmp
 limit 40
#
pim
 static-rp 192.168.4.1
#
return
Configuration file of RouterC
#
sysname RouterC
#
igmp global limit 50
multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 10.110.2.2 24
 pim sm
 igmp enable
 igmp limit 30
#
interface GigabitEthernet2/0/0
 ip address 192.168.3.1 24
 pim sm
#
ospf 1
 area 0.0.0.0
  network 10.110.2.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
#
igmp
 limit 40
#
pim
 static-rp 192.168.4.1
#
return
Configuration file of RouterD
#
sysname RouterD
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 24
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 192.168.2.2 24
 pim sm
#
interface GigabitEthernet3/0/0
 ip address 192.168.3.2 24
#
interface GigabitEthernet4/0/0
 ip address 192.168.4.1 24
 pim sm
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
  network 192.168.4.0 0.0.0.255
#
pim
 static-rp 192.168.4.1
#
return
11.6.5 Example for Configuring IGMP Proxy
Networking Requirements
When a large number of users watch the same channel at the same time or frequently change channels, the access device has to allocate a large amount of bandwidth to process the service requests. As a result, the access device is heavily loaded and cannot guarantee stable transmission of multicast traffic. To resolve this problem, configure IGMP proxy on a Layer 3 device between RouterA and the hosts. The Layer 3 device acts as a proxy for the hosts, sending Report and Leave messages upstream, and as a proxy for the access device, sending Query messages downstream, thereby reducing the load on the access device and improving the user experience of multicast services. On the network shown in Figure 11-6-5, RouterA is the access device. RouterB is a Layer 3 device between the access device and the hosts (Receiver 1 and Receiver 2) and should be enabled with IGMP proxy. For RouterB to proactively send Report and Leave messages, set the robustness variable to 3 and the source lifetime to 300s.
Figure 11-6-5 Networking diagram for configuring IGMP proxy
Configuration Roadmap
Configure IGMP proxy on RouterB to reduce the load that processing protocol packets places on the upstream PIM router (RouterA). The configuration roadmap is as follows:
1. Enable multicast routing on all Routers that provide multicast services. (Multicast routing is a prerequisite for enabling IGMP.)
2. Enable IGMP on the Router interfaces connected to hosts.
3. Enable IGMP proxy on the Router interface GE1/0/0 connected to the access device.
4. Configure a backup IGMP proxy interface GE4/0/0 on the Router.
5. Configure a source lifetime in the IGMP view of the IGMP proxy-capable Router.
Procedure
1. Configure an IP address for each interface. The configuration details are omitted.
2. Enable the multicast function on the devices and configure IGMP on the interfaces connected to hosts.
# Enable the multicast function on RouterA, enable IGMP on GE 1/0/0 and GE 2/0/0, and set the IGMP version to 3.
[RouterA] multicast routing-enable
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] igmp enable
[RouterA-GigabitEthernet1/0/0] igmp version 3
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] igmp enable
[RouterA-GigabitEthernet2/0/0] igmp version 3
[RouterA-GigabitEthernet2/0/0] quit
# Enable the multicast function on RouterB, enable IGMP on GE 2/0/0 and GE 3/0/0, and set the IGMP version to 3.
[RouterB] multicast routing-enable
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] igmp enable
[RouterB-GigabitEthernet2/0/0] igmp version 3
[RouterB-GigabitEthernet2/0/0] quit
[RouterB] interface gigabitethernet 3/0/0
[RouterB-GigabitEthernet3/0/0] igmp enable
[RouterB-GigabitEthernet3/0/0] igmp version 3
[RouterB-GigabitEthernet3/0/0] quit
3. Enable IGMP proxy on an interface of RouterB.
# Enable IGMP proxy on GE 1/0/0 of RouterB and set the IGMP robustness variable to 3.
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] igmp proxy
[RouterB-GigabitEthernet1/0/0] igmp version 3
[RouterB-GigabitEthernet1/0/0] igmp robust-count 3
[RouterB-GigabitEthernet1/0/0] quit
4. Configure a backup IGMP proxy interface on the Router.
# Configure GE 4/0/0 of RouterB as a backup IGMP proxy interface.
[RouterB] interface gigabitethernet 4/0/0
[RouterB-GigabitEthernet4/0/0] igmp proxy backup
[RouterB-GigabitEthernet4/0/0] igmp version 3
[RouterB-GigabitEthernet4/0/0] quit
5. Configure a source lifetime in the IGMP view of the IGMP proxy-capable Router.
# Configure a source lifetime in the IGMP view of RouterB.
[RouterB] igmp
[RouterB-igmp] proxy source-lifetime 300
[RouterB-igmp] quit
6. Verify the IGMP proxy configuration.
# Run the display igmp proxy interface command to check the IGMP proxy interfaces on the Router.
[RouterB] display igmp proxy interface
Interface information of VPN-Instance: public net
GigabitEthernet1/0/0(192.168.1.2):
IGMP proxy is enabled
Current IGMP proxy version (negotiated) is 3
Current IGMP proxy version (configured) is 3
IGMP proxy state: up
Value of query interval for IGMP (negotiated): 60 s
Value of query interval for IGMP (configured): 60 s
Value of querier present timeout for IGMPv1: off
Value of querier present timeout for IGMPv2: off
Value of querier present timeout for IGMPv3: off
General query response expiry: off
Querier for IGMP:
Robustness (negotiated): 3
Robustness (configured): 3
Require-router-alert: disabled
Send-router-alert: enabled
GigabitEthernet4/0/0(192.168.4.2):
IGMP proxy backup is enabled
Current IGMP proxy version (negotiated) is 3
Current IGMP proxy version (configured) is 3
IGMP proxy state: up
Value of query interval for IGMP (negotiated): 60 s
Value of query interval for IGMP (configured): 60 s
Value of querier present timeout for IGMPv1: off
Value of querier present timeout for IGMPv2: off
Value of querier present timeout for IGMPv3: off
General query response expiry: off
Querier for IGMP:
Robustness (negotiated): 2
Robustness (configured): 2
Require-router-alert: disabled
Send-router-alert: enabled
The command output shows that IGMP proxy is enabled on GE 1/0/0, and GE 4/0/0 functions as a backup for GE 1/0/0.
# Run the display igmp proxy group command to check IGMP proxy groups on the Router.
[RouterB] display igmp proxy group
Interface group report information of VPN-Instance: public net
GigabitEthernet1/0/0(192.168.1.2):
Total 1 IGMP proxy Group
Group Address    Filter mode
232.0.0.1        include
The preceding command output shows that GE 1/0/0 has information about multicast group 232.0.0.1 and that the filter mode of the group is include, which indicates that Receiver1 has joined multicast group 232.0.0.1.
# Run the display igmp proxy routing-table command to check the IGMP proxy routing table on the Router. Receiver1 sends a (1.1.1.1, 232.1.1.1) Report message.
[RouterB] display igmp proxy routing-table
Routing table of VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry
(1.1.1.1, 232.1.1.1)
Flag: JOIN, UpTime: 01:38:45
Upstream interface: GigabitEthernet1/0/0
Downstream interface(s) information:
Total number of downstreams: 1
1: GigabitEthernet2/0/0
Protocol: static, UpTime: 01:38:45
The preceding command output shows that the IGMP proxy routing table of RouterB has the (1.1.1.1, 232.1.1.1) entry, which indicates that Receiver1 has joined multicast group 232.1.1.1, to which the multicast source 1.1.1.1 sends data.
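The proxy routing table shown above is the merge point between what the hosts report downstream and what the proxy interface reports upstream. The following Python is an added example, not Huawei VRP code, of that merge: the proxy collects (S, G) and (*, G) memberships reported on its downstream IGMP interfaces, keeps one entry per (S, G) with the list of downstream interfaces, and the upstream proxy interface reports only the merged set, so RouterA sees one membership however many hosts asked for it. As an assumption about the source lifetime of step 5, an entry whose downstream interfaces have not been refreshed within that lifetime (300 s in the example) is aged out. Interface names, sources, groups and timestamps are constructed.

```python
"""Model of IGMP proxy membership aggregation and ageing (added example)."""
from typing import Dict, List, Optional, Set, Tuple

Entry = Tuple[Optional[str], str]   # (source, or None for (*, G); group)


class IgmpProxy:
    def __init__(self, upstream: str, source_lifetime: int = 300) -> None:
        self.upstream = upstream                  # the igmp proxy interface
        self.source_lifetime = source_lifetime    # igmp proxy source-lifetime (seconds)
        # entry -> {downstream interface -> time of its last Report}
        self.table: Dict[Entry, Dict[str, int]] = {}

    def report(self, iface: str, group: str, source: Optional[str], now: int) -> None:
        """A host on a downstream interface reported (S, G) or (*, G)."""
        self.table.setdefault((source, group), {})[iface] = now

    def leave(self, iface: str, group: str, source: Optional[str]) -> None:
        """The last host on a downstream interface left; drop the entry when no downstream remains."""
        downs = self.table.get((source, group))
        if downs is not None:
            downs.pop(iface, None)
            if not downs:
                del self.table[(source, group)]

    def age(self, now: int) -> List[Entry]:
        """Expire downstreams not refreshed within source_lifetime; return entries removed."""
        expired: List[Entry] = []
        for entry, downs in list(self.table.items()):
            for iface, last in list(downs.items()):
                if now - last > self.source_lifetime:
                    del downs[iface]
            if not downs:
                del self.table[entry]
                expired.append(entry)
        return expired

    def upstream_report(self) -> Set[Entry]:
        """What the proxy interface reports upstream: one entry per (S, G), whatever the host count."""
        return set(self.table)

    def routing_table(self) -> Dict[Entry, List[str]]:
        """The equivalent of display igmp proxy routing-table: entry -> downstream interfaces."""
        return {entry: sorted(downs) for entry, downs in self.table.items()}
```

Ageing is what stops a host that silently disappears from keeping an (S, G) alive upstream forever: a missed Report cycle longer than the source lifetime removes the downstream, and the proxy withdraws the entry from its upstream Report once no downstream is left.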
 ip address 192.168.1.1 255.255.255.0
 igmp enable
 igmp version 3
#
interface GigabitEthernet2/0/0
 ip address 192.168.4.1 255.255.255.0
 igmp enable
 igmp version 3
#
return
Configuration file of RouterB
#
 sysname RouterB
#
 multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 255.255.255.0
 igmp version 3
 igmp robust-count 3
 igmp proxy
#
interface GigabitEthernet2/0/0
 ip address 192.168.2.1 255.255.255.0
 igmp enable
 igmp version 3
#
interface GigabitEthernet3/0/0
 ip address 192.168.3.1 255.255.255.0
 igmp enable
 igmp version 3
#
interface GigabitEthernet4/0/0
 ip address 192.168.4.2 255.255.255.0
 igmp version 3
 igmp proxy backup
#
 igmp proxy source-lifetime 300
#
return
11.6.6 Example for Configuring IGMP Snooping
Networking Requirements
As shown in Figure 11-6-6, RouterA connects to user hosts through the Layer 2 device RouterB, and RouterA runs IGMPv2. The multicast source sends data to multicast groups 225.1.1.1 to 225.1.1.5. There are three receivers on the network, HostA, HostB, and HostC, and they only want to receive data of multicast groups 225.1.1.1 to 225.1.1.3.
Figure 11-6-6 Networking diagram for IGMP snooping configuration
Configuration Roadmap
To meet the preceding requirements, configure basic IGMP snooping functions and a multicast group policy on the Layer 2 RouterB. The configuration roadmap is as follows:
1. On RouterB, create a VLAN and add interfaces to the VLAN.
2. Enable IGMP snooping globally and in the VLAN.
3. Configure a multicast group policy and apply this policy to the VLAN.
Procedure
1. Create a VLAN and add interfaces to the VLAN.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] vlan 10
[RouterB-vlan10] quit
[RouterB] interface ethernet 2/0/1
[RouterB-Ethernet2/0/1] port hybrid pvid vlan 10
[RouterB-Ethernet2/0/1] port hybrid untagged vlan 10
[RouterB-Ethernet2/0/1] quit
[RouterB] interface ethernet 2/0/2
[RouterB-Ethernet2/0/2] port hybrid pvid vlan 10
[RouterB-Ethernet2/0/2] port hybrid untagged vlan 10
[RouterB-Ethernet2/0/2] quit
[RouterB] interface ethernet 2/0/3
[RouterB-Ethernet2/0/3] port hybrid pvid vlan 10
[RouterB-Ethernet2/0/3] port hybrid untagged vlan 10
[RouterB-Ethernet2/0/3] quit
3. Configure a multicast group policy and apply this policy.
# Configure a multicast group policy.
[RouterB] acl 2000
[RouterB-acl-basic-2000] rule deny source 225.1.1.4 0
[RouterB-acl-basic-2000] rule deny source 225.1.1.5 0
[RouterB-acl-basic-2000] quit
# Apply the multicast group policy in VLAN 10.
[RouterB] vlan 10
[RouterB-vlan10] igmp-snooping group-policy 2000
[RouterB-vlan10] quit
4. Verify the configuration.
# Check the interface information on RouterB.
display igmp-snooping port-info vlan 10
-----------------------------------------------------------------------
(Source, Group)                 Port                  Flag: S:Static
-----------------------------------------------------------------------
2 port(s)
-----------------------------------------------------------------------
The command output shows that multicast groups 225.1.1.1 to 225.1.1.3 have dynamically generated member ports Eth2/0/1 and Eth2/0/2 on RouterB.
# Check the Layer 2 multicast forwarding table on RouterB.
display l2-multicast forwarding-table vlan 10
VLAN ID : 10, Forwarding Mode : IP
-----------------------------------------------------------------------
(Source, Group)
Total Group(s) : 3
-----------------------------------------------------------------------
The command output shows that the forwarding table contains only the multicast groups 225.1.1.1 to 225.1.1.3. Data for multicast groups 225.1.1.4 and 225.1.1.5 is not forwarded to the hosts.
Configuration Files
Configuration file of RouterB
#
 sysname RouterB
#
vlan batch 10
#
igmp-snooping enable
#
acl number 2000
 rule 5 deny source 225.1.1.4 0
 rule 10 deny source 225.1.1.5 0
#
vlan 10
 igmp-snooping enable
 igmp-snooping group-policy 2000
#
interface Ethernet2/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
interface Ethernet2/0/2
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
interface Ethernet2/0/3
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
return
11.6.7 Example for Configuring Layer 2 Multicast through Static Interfaces
Networking Requirements
As shown in Figure 11-6-7, RouterA connects to user hosts through the Layer 2 device RouterB, and RouterA runs IGMPv2. There are four receivers on the network: HostA, HostB, HostC, and HostD. HostA and HostB expect to receive data of multicast groups 225.1.1.1 to 225.1.1.3 for a long time. HostC and HostD expect to receive data of multicast groups 225.1.1.4 to 225.1.1.5.
Figure 11-6-7 Networking diagram for Layer 2 multicast configuration through static interfaces
Configuration Roadmap
To meet the preceding requirements, configure a static router port and static member ports of IGMP snooping on the Layer 2 RouterB. The configuration roadmap is as follows:
1. On RouterB, create a VLAN and add interfaces to the VLAN.
2. Enable IGMP snooping globally and in the VLAN.
3. Configure a static router port.
4. Configure static member ports.
Procedure
1. Create a VLAN and add interfaces to the VLAN.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] vlan 10
[RouterB-vlan10] quit
[RouterB] interface ethernet 2/0/1
[RouterB-Ethernet2/0/1] port hybrid pvid vlan 10
[RouterB-Ethernet2/0/1] port hybrid untagged vlan 10
[RouterB-Ethernet2/0/1] quit
[RouterB] interface ethernet 2/0/2
[RouterB-Ethernet2/0/2] port hybrid pvid vlan 10
[RouterB-Ethernet2/0/2] port hybrid untagged vlan 10
[RouterB-Ethernet2/0/2] quit
[RouterB] interface ethernet 2/0/3
[RouterB-Ethernet2/0/3] port hybrid pvid vlan 10
[RouterB-Ethernet2/0/3] port hybrid untagged vlan 10
[RouterB-Ethernet2/0/3] quit
The command output shows that Eth2/0/3 has been configured as a static router port.
# Check the member port information on RouterB.
display igmp-snooping port-info vlan 10
-----------------------------------------------------------------------
(Source, Group)                 Port                  Flag: S:Static
-----------------------------------------------------------------------
The command output shows that multicast groups 225.1.1.1 to 225.1.1.3 have the static member port Eth2/0/1 on RouterB, and multicast groups 225.1.1.4 to 225.1.1.5 have the static member port Eth2/0/2 on RouterB.
# Check the Layer 2 multicast forwarding table on RouterB.
display l2-multicast forwarding-table vlan 10
VLAN ID : 10, Forwarding Mode : IP
--------------------------------------------------------------------------
(Source, Group)
Total Group(s) : 5
--------------------------------------------------------------------------
The command output shows that multicast groups 225.1.1.1 to 225.1.1.5 have forwarding entries on RouterB.
Configuration Files
Configuration file of RouterB
#
 sysname RouterB
#
vlan batch 10
#
igmp-snooping enable
#
vlan 10
 igmp-snooping enable
#
interface Ethernet2/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
 l2-multicast static-group group-address 225.1.1.1 to 225.1.1.3 vlan 10
#
interface Ethernet2/0/2
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
 l2-multicast static-group group-address 225.1.1.4 to 225.1.1.5 vlan 10
#
interface Ethernet2/0/3
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
 igmp-snooping static-router-port vlan 10
#
return
11.6.8 Example for Configuring an IGMP Snooping Querier
Networking Requirements
As shown in Figure 11-6-8, on a pure Layer 2 network, multicast sources Source1 and Source2 send multicast data to multicast groups 224.1.1.1 and 225.1.1.1. HostA and HostC expect to receive data of multicast group 224.1.1.1 for a long time, while HostB and HostD expect to receive data of multicast group 225.1.1.1 for a long time. All the hosts run IGMPv2.
Figure 11-6-8 Networking diagram for IGMP snooping querier configuration
Configuration Roadmap
To meet the preceding requirements, enable IGMP snooping on the four Routers and configure an IGMP snooping querier. Enable all the Routers to discard unknown multicast packets to prevent the Routers from broadcasting multicast data in the VLAN when there are no Layer 2 multicast forwarding entries on the Routers. The configuration roadmap is as follows:
1. On all the Routers, create a VLAN and add interfaces to the VLAN according to Figure 11-6-8.
2. Enable IGMP snooping globally and in the VLAN on all the Routers.
3. Configure RouterA as an IGMP snooping querier.
4. Enable all the Routers to discard unknown multicast packets.
Procedure
1. On all the Routers, create a VLAN and add interfaces to the VLAN.
# Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan 10
[RouterA-vlan10] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port hybrid pvid vlan 10
[RouterA-Ethernet2/0/1] port hybrid untagged vlan 10
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] port hybrid pvid vlan 10
[RouterA-Ethernet2/0/2] port hybrid untagged vlan 10
[RouterA-Ethernet2/0/2] quit
[RouterA] interface ethernet 2/0/3
[RouterA-Ethernet2/0/3] port hybrid pvid vlan 10
[RouterA-Ethernet2/0/3] port hybrid untagged vlan 10
[RouterA-Ethernet2/0/3] quit
# The configurations of RouterB, RouterC and RouterD are similar to the configuration of RouterA, and are not mentioned here.
2. Enable IGMP snooping globally and in the VLAN on all the Routers.
# Configure RouterA.
[RouterA] igmp-snooping enable
[RouterA] vlan 10
[RouterA-vlan10] igmp-snooping enable
[RouterA-vlan10] quit
# The configurations of RouterB, RouterC and RouterD are similar to the configuration of RouterA, and are not mentioned here.
3. Configure RouterA as an IGMP snooping querier.
[RouterA] vlan 10
4. Enable all the Routers to discard unknown multicast packets.
# Configure RouterA.
[RouterA] vlan 10
[RouterA-vlan10] multicast drop-unknown
[RouterA-vlan10] quit
# The configurations of RouterB, RouterC and RouterD are similar to the configuration of RouterA, and are not mentioned here.
5. Verify the configuration.
# When the IGMP snooping querier begins to work, all the Routers except the IGMP snooping querier receive IGMP General Query messages. Run the display igmp-snooping statistics vlan 10 command on RouterB to view IGMP message statistics. The command output is as follows:
display igmp-snooping statistics vlan 10
IGMP Snooping Packets Counter Statistics for VLAN 10
  Recv V1 Report                       0
  Recv V2 Report                      32
  Recv V3 Report                       0
  Recv V1 Query                        0
  Recv V2 Query                       30
  Recv V3 Query                        0
  Recv Leave                           0
  Recv Pim Hello                       0
  Send Query (S=0)                     0
  Send Query (S!=0)                    -
  Proxy Send General Query
  Proxy Send Group-Specific Query
11.6.9 Example for Configuring Multicast SSM Mapping
Networking Requirements
As shown in Figure 11-6-9, RouterA connects to user hosts through a Layer 2 device RouterB. RouterA runs IGMPv3 and uses the ASM mode and SSM mode to provide multicast services. User hosts HostA, HostB, and HostC on the network run IGMPv2 and do not support IGMPv3. The multicast sources Source1 and Source2 send multicast data to the multicast group 225.1.1.1, but the user hosts want to receive only the multicast data sent from Source1.
Figure 11-6-9 Networking diagram for the SSM mapping configuration
Configuration Roadmap
To meet the preceding requirements, configure SSM mapping on RouterB. The configuration roadmap is as follows:
1. On RouterB, create a VLAN and add interfaces to the VLAN.
2. Enable IGMP snooping globally and in the VLAN.
3. Configure an IGMP snooping SSM policy to add the multicast address of the ASM mode to the SSM group address range.
4. Configure SSM mapping to allow the users to receive only multicast data sent from the specified source.
Procedure
1. Create a VLAN and add interfaces to the VLAN.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] vlan 10
[RouterB-vlan10] quit
[RouterB] interface ethernet 2/0/1
[RouterB-Ethernet2/0/1] port hybrid pvid vlan 10
[RouterB-Ethernet2/0/1] port hybrid untagged vlan 10
[RouterB-Ethernet2/0/1] quit
[RouterB] interface ethernet 2/0/3
[RouterB-Ethernet2/0/3] port hybrid pvid vlan 10
[RouterB-Ethernet2/0/3] port hybrid untagged vlan 10
[RouterB-Ethernet2/0/3] quit
2. Configure an IGMP snooping SSM policy.
# Create an ACL, and configure a rule that allows hosts to receive data of multicast group 225.1.1.1.
[RouterB] acl number 2008
[RouterB-acl-basic-2008] rule 5 permit source 225.1.1.1 0
[RouterB-acl-basic-2008] quit
# Apply the SSM mapping policy in the VLAN and treat the multicast group 225.1.1.1 as a member of the SSM groups.
[RouterB] vlan 10
[RouterB-vlan10] igmp-snooping ssm-policy 2008
4. Enable SSM mapping.
# Configure RouterB to run IGMPv3, enable SSM mapping, and configure a mapping between the multicast group 225.1.1.1 and the source IP address 10.10.1.1.
[RouterB-vlan10] igmp-snooping version 3
[RouterB-vlan10] igmp-snooping ssm-mapping enable
[RouterB-vlan10] igmp-snooping ssm-mapping 225.1.1.1 32 10.10.1.1
[RouterB-vlan10] quit
5. Verify the configuration.
# Check the IGMP snooping configuration in the VLAN.
display igmp-snooping vlan configuration
IGMP Snooping Configuration for VLAN 10
 igmp-snooping enable
 igmp-snooping version 3
 igmp-snooping ssm-mapping enable
 igmp-snooping ssm-policy 2008
 igmp-snooping ssm-mapping 225.1.1.1 255.255.255.255 10.10.1.1
An SSM mapping policy has been configured in VLAN 10.
# Check the Layer 2 multicast forwarding table.
display l2-multicast forwarding-table vlan 10
VLAN ID : 10, Forwarding Mode : IP
---------------------------------------------------------------------------
(Source, Group)
Total Group(s) : 1
---------------------------------------------------------------------------
The command output shows that a mapping entry (10.10.1.1, 225.1.1.1) has been generated on RouterB. The mapping entry indicates that the data is sent by Source1.
#
interface Ethernet2/0/1
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
interface Ethernet2/0/3
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
return
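The group policy of 11.6.6 and the SSM mapping of 11.6.9 both decide which entries the Layer 2 multicast forwarding table gets. The following Python model is an added example, not Huawei code: it parses the two VLAN configurations from this page and derives the forwarding table from a list of IGMPv2 reports. The filtering behaviour (a group no deny rule matches is forwarded; ssm-mapping rewrites (*, G) to (S, G) for groups in the SSM range) is inferred from the command outputs shown above, and the port names and reports are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed from the RouterB configuration file in 11.6.6 (group policy)
SNOOPING_CONFIG = """\
#
acl number 2000
 rule 5 deny source 225.1.1.4 0
 rule 10 deny source 225.1.1.5 0
#
vlan 10
 igmp-snooping enable
 igmp-snooping group-policy 2000
#
"""

# Constructed from the VLAN configuration displayed in 11.6.9 (SSM mapping)
SSM_CONFIG = """\
#
acl number 2008
 rule 5 permit source 225.1.1.1 0
#
vlan 10
 igmp-snooping enable
 igmp-snooping version 3
 igmp-snooping ssm-mapping enable
 igmp-snooping ssm-policy 2008
 igmp-snooping ssm-mapping 225.1.1.1 255.255.255.255 10.10.1.1
#
"""

RULE_RE = re.compile(r"rule(?:\s+\d+)?\s+(permit|deny)\s+source\s+(\S+)\s+(\S+)")


def parse_config(config, vlan_id):
    """One pass over the VRP text: basic ACL rules keyed by ACL number, plus the
    igmp-snooping settings found in the 'vlan <vlan_id>' stanza."""
    acls = {}
    vlan = {"group_policy": None, "ssm_policy": None, "ssm_mapping": False, "mappings": []}
    acl, in_vlan = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":  # stanza separator
            acl, in_vlan = None, False
        elif m := re.match(r"acl(?: number)?\s+(\d+)$", line):
            acl = acls.setdefault(int(m.group(1)), [])
        elif re.match(rf"vlan\s+{vlan_id}$", line):
            in_vlan = True
        elif acl is not None and (m := RULE_RE.match(line)):
            action, addr, wildcard = m.groups()
            # A VRP wildcard ('0' or '0.0.0.255') is an inverted mask: its bit length gives the prefix
            wild = int(ipaddress.IPv4Address(wildcard if "." in wildcard else "0.0.0.0"))
            acl.append((action, ipaddress.ip_network(f"{addr}/{32 - wild.bit_length()}", strict=False)))
        elif in_vlan and (m := re.match(r"igmp-snooping (group-policy|ssm-policy) (\d+)", line)):
            vlan[m.group(1).replace("-", "_")] = int(m.group(2))
        elif in_vlan and line == "igmp-snooping ssm-mapping enable":
            vlan["ssm_mapping"] = True
        elif in_vlan and (m := re.match(r"igmp-snooping ssm-mapping (\S+) (\S+) (\S+)", line)):
            group, mask, source = m.groups()
            vlan["mappings"].append((ipaddress.ip_network(f"{group}/{mask}", strict=False), source))
    return acls, vlan


def acl_action(rules, group):
    """First matching rule wins; None when no rule matches."""
    for action, net in rules:
        if group in net:
            return action
    return None


def build_forwarding_table(config, vlan_id, reports):
    """reports: (port, group) pairs from IGMPv2 Membership Reports seen in the VLAN.
    Returns {(source, group): {ports}} in the shape of 'display l2-multicast
    forwarding-table'. Assumed, as the 11.6.6 output implies: a group that no
    deny rule of the group-policy ACL matches is forwarded."""
    acls, vlan = parse_config(config, vlan_id)
    table = defaultdict(set)
    for port, group_str in reports:
        group = ipaddress.ip_address(group_str)
        if acl_action(acls.get(vlan["group_policy"], []), group) == "deny":
            continue  # group-policy: no entry is created, so hosts never receive the group
        # SSM range is 232.0.0.0/8 by default, extended by the groups the ssm-policy permits
        in_ssm = group in ipaddress.ip_network("232.0.0.0/8") or \
            acl_action(acls.get(vlan["ssm_policy"], []), group) == "permit"
        source = "*"
        if vlan["ssm_mapping"] and in_ssm:
            # ssm-mapping rewrites the host's (*, G) report into an (S, G) entry
            source = next((src for net, src in vlan["mappings"] if group in net), "*")
        table[(source, str(group))].add(port)
    return dict(table)


if __name__ == "__main__":
    reports = [(p, f"225.1.1.{i}") for p in ("Eth2/0/1", "Eth2/0/2") for i in range(1, 6)]
    for (s, g), ports in sorted(build_forwarding_table(SNOOPING_CONFIG, 10, reports).items()):
        print(f"({s}, {g}) -> {sorted(ports)}")
    print(build_forwarding_table(SSM_CONFIG, 10, [("Eth2/0/1", "225.1.1.1")]))
```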
11.6.10 Example for Configuring Basic PIM-DM Functions
Networking Requirements
Figure 11-6-10 shows a small-scale network with densely distributed users. HostA and HostB need to receive VoD streams from Source.
Figure 11-6-10 Configuring basic PIM-DM functions
Table for Figure 11-6-10: Router, Interface and IP Address, listed for RouterA, RouterB, RouterC, RouterD, and RouterE.
Configuration Roadmap
Since users are densely distributed on the network, PIM-DM can be deployed to provide multicast services for the user hosts. After PIM-DM is configured, all user hosts in a multicast group can receive the VoD streams sent from the multicast source to the group.
1. Configure IP addresses for interfaces and configure a unicast routing protocol on each router. PIM is an intra-domain multicast routing protocol that depends on a unicast routing protocol. The multicast routing protocol can work normally only when the unicast routing protocol works normally.
2. Enable multicast routing on all the routers providing multicast services. Multicast routing is the prerequisite for PIM-DM configuration.
3. Enable PIM-DM on all router interfaces. Other PIM-DM functions can be configured only after PIM-DM is enabled.
4. Enable IGMP on the interfaces connected to user network segments. IGMP maintains group memberships; the leaf routers maintain their group memberships using IGMP.
NOTE: If PIM-DM and IGMP need to be enabled on the same user-side interface, enable PIM-DM and then IGMP.
Procedure
1. Configure IP addresses for interfaces and configure a unicast routing protocol on the routers.
# Configure IP addresses and masks for router interfaces. Configure OSPF on the routers to implement IP interworking between the routers and enable the routers to dynamically update routes. (The configurations of the other routers are similar to the configuration of RouterA.)
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.5.1 24
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 10.110.1.1 24
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] ip address 192.168.1.1 24
[RouterA-GigabitEthernet3/0/0] quit
[RouterA] ospf 100
[RouterA-ospf-100] area 0
[RouterA-ospf-100-area-0.0.0.0] network 192.168.5.0 0.0.0.255
[RouterA-ospf-100-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterA-ospf-100-area-0.0.0.0] network 10.110.1.0 0.0.0.255
2. Enable multicast routing on all the routers and enable PIM-DM on all interfaces.
# Enable multicast routing on all the routers and enable PIM-DM on all interfaces. (The configurations of the other routers are similar to the configuration of RouterA.)
[RouterA] multicast routing-enable
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] pim dm
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] pim dm
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] pim dm
[RouterA-GigabitEthernet3/0/0] quit
3. Enable IGMP on the interfaces connected to user hosts.
# Enable IGMP on the user-side interface of RouterA. (The configurations of RouterB and RouterC are similar to the configuration of RouterA.)
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] igmp enable
4. Verify the configuration.
# Run the display pim interface command to check the PIM configuration and running status on router interfaces. The following is the command output on RouterC, indicating that PIM is running on the interfaces.
display pim interface
 VPN-Instance: public net
 Interface   State  NbrCnt  HelloInt  DR-Pri  DR-Address
 GE2/0/0     up     0       30        1       10.110.2.2 (local)
 GE1/0/0     up     1       30        1       192.168.3.1 (local)
# Run the display pim routing-table command to check the PIM routing tables on the routers. The PIM routing tables show that the multicast source 10.110.3.100/24 sends data to the group 225.1.1.1/24, and that HostA and HostB have joined the group 225.1.1.1/24. The PIM routing tables of the routers are as follows:
[RouterA] display pim routing-table
 VPN-Instance: public net
 Total 0 (*, G) entry; 1 (S, G) entry

 (10.110.3.100, 225.1.1.1)
     Protocol: pim-dm, Flag: ACT
     UpTime: 00:00:29
     Upstream interface: GigabitEthernet1/0/0
         Upstream neighbor: 192.168.1.2
         RPF prime neighbor: 192.168.1.2
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet2/0/0
             Protocol: pim-dm, UpTime: 00:00:29, Expires: -
[RouterB] display pim routing-table
 VPN-Instance: public net
 Total 0 (*, G) entry; 1 (S, G) entry

 (10.110.3.100, 225.1.1.1)
     Protocol: pim-dm, Flag: ACT
     UpTime: 00:00:29
     Upstream interface: GigabitEthernet1/0/0
         Upstream neighbor: 192.168.2.2
         RPF prime neighbor: 192.168.2.2
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet1/0/0
             Protocol: pim-dm, UpTime: 00:00:30, Expires: -
[RouterD] display pim routing-table
 VPN-Instance: public net
 Total 0 (*, G) entry; 1 (S, G) entry

 (10.110.3.100, 225.1.1.1)
     Protocol: pim-dm, Flag: ACT
     UpTime: 00:00:29
     Upstream interface: GigabitEthernet4/0/0
         Upstream neighbor: 10.110.3.100
         RPF prime neighbor: 10.110.3.100
     Downstream interface(s) information:
     Total number of downstreams: 2
         1: GigabitEthernet3/0/0
         2: GigabitEthernet1/0/0
             Protocol: pim-dm, UpTime: 00:00:29, Expires: -
[RouterE] display pim routing-table
 VPN-Instance: public net
 Total 0 (*, G) entry; 1 (S, G) entry

 (10.110.3.100, 225.1.1.1)
     Protocol: pim-dm, Flag: ACT
     UpTime: 00:01:22
     Upstream interface: GigabitEthernet4/0/0
         Upstream neighbor: 192.168.4.1
         RPF prime neighbor: 192.168.4.1
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet1/0/0
             Protocol: pim-dm, UpTime: 00:01:22, Expires: -
[RouterC] display pim routing-table
 VPN-Instance: public net
 Total 0 (*, G) entry; 1 (S, G) entry

 (10.110.3.100, 225.1.1.1)
     Protocol: pim-dm, Flag: ACT
     UpTime: 00:01:25
     Upstream interface: GigabitEthernet2/0/0
         Upstream neighbor: 192.168.3.2
         RPF prime neighbor: 192.168.3.2
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet1/0/0
             Protocol: igmp, UpTime: 00:01:25, Expires: -
11.6.11 Example for Configuring a PIM-SM (ASM Model) Network
Networking Requirements
As shown in Figure 11-6-11, the network is connected to the Internet. Configure the PIM-SM protocol on the routers to enable them to provide ASM services for user hosts on the network. Then all the hosts in a multicast group can receive Voice on Demand (VoD) streams sent from any source to this group.
Figure 11-6-11 Networking diagram for configuring a PIM-SM (ASM model) network
Configuration Roadmap
1. Configure an IP address for each interface on the routers and a unicast routing protocol. PIM is an intra-domain multicast routing protocol that depends on a unicast routing protocol. The multicast routing protocol can work normally only after the unicast routing protocol works normally.
2. Enable the multicast function on all routers providing multicast services. Before configuring other PIM-SM functions, you must enable the multicast function.
3. Enable PIM-SM on all interfaces of the routers. After PIM-SM is enabled, you can configure other PIM-SM functions.
4. Enable IGMP on the interfaces connected to user hosts. A receiver joins or leaves a multicast group by sending IGMP messages. The leaf routers maintain group memberships using IGMP.
NOTE: If PIM-SM and IGMP need to be enabled on the same user-side interface, enable PIM-SM first and then IGMP.
5. Configure the interface connected to hosts as PIM silent to prevent malicious hosts from simulating PIM Hello messages. In this manner, the security of the PIM-SM domain is ensured.
NOTE: If the user network segment is connected to multiple routers, such as RouterB and RouterC in this example, do not enable PIM silent on the interfaces that connect these routers to user hosts.
6. Configure the RP. The RP is the forwarding core of the PIM-SM network. It is recommended that you configure the RP on a router that carries more multicast flows, for example, RouterE in Figure 11-6-11.
7. Set the BSR boundary on the interface connected to the Internet. Bootstrap messages cannot pass through the BSR boundary, so the BSR serves only this PIM-SM domain. In this manner, multicast services can be controlled effectively.
Procedure
1. Configure an IP address for each interface and configure the unicast routing protocol.
# Configure an IP address and mask for each interface according to Figure 11-6-11. Configure OSPF on each router to ensure IP connectivity between them, and enable them to dynamically update routing information. The configurations of RouterB, RouterC, RouterD, and RouterE are similar to the configuration of RouterA, and are not provided here.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.5.1 24
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
2. Enable multicast routing on all routers and PIM-SM on all interfaces.
# Enable multicast routing on all routers and enable PIM-SM on all interfaces. The configurations of RouterB, RouterC, RouterD, and RouterE are similar to the configuration of RouterA, and are not mentioned here.
[RouterA] multicast routing-enable
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] pim sm
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] pim sm
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] pim sm
[RouterA-GigabitEthernet3/0/0] quit
3. Enable IGMP on the interface connected to user hosts.
# Enable IGMP on the interface that connects RouterA to user hosts. The configurations of RouterB and RouterC are similar to the configuration of RouterA, and are not mentioned here.
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] igmp enable
4. Enable PIM silent on the interface of RouterA.
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] pim silent
5. Configure the RP.
NOTE: The RP can be configured in two modes: static RP and dynamic RP. A static RP can be configured together with a dynamic RP, or you can configure only one of them. When both are configured, you can adjust parameters to specify the preferred RP. This example shows how to configure a static RP and a dynamic RP together, with the dynamic RP as the preferred RP and the static RP as the standby RP.
# Configure a dynamic RP. Configure one or more routers in the PIM-SM domain as the C-RP and C-BSR. In this example, RouterE is configured as both the C-RP and C-BSR. Set the service range of the RP and specify the locations of the C-BSR and C-RP on RouterE.
[RouterE] acl number 2008
[RouterE-acl-basic-2008] rule permit source 225.1.1.0 0.0.0.255
[RouterE-acl-basic-2008] quit
[RouterE] pim
[RouterE-pim] c-bsr gigabitethernet 4/0/0
[RouterE-pim] c-rp gigabitethernet 4/0/0 group-policy 2008
# Configure a static RP. Specify the static RP address on all routers. The configuration of RouterA is used as an example. The configurations of RouterB, RouterC, RouterD, and RouterE are similar to the configuration of RouterA, and are not mentioned here.
NOTE: If you add preferred after static-rp X.X.X.X, the static RP is selected as the RP in the PIM-SM domain.
[RouterA] pim
[RouterA-pim] static-rp 192.168.2.2
6. Configure the BSR boundary on the interface connecting RouterD to the Internet.
[RouterD] interface gigabitethernet 2/0/0
[RouterD-GigabitEthernet2/0/0] pim bsr-boundary
[RouterD-GigabitEthernet2/0/0] quit
7. Verify the configuration.
# Run the display pim interface command to view the configuration and running status of PIM on the interfaces. The PIM configuration on RouterC is as follows:
display pim interface
 VPN-Instance: public net
 Interface   State  NbrCnt  HelloInt  DR-Pri  DR-Address
 GE1/0/0     up     0       30        1       10.110.2.2 (local)
 GE2/0/0     up     1       30        1       192.168.3.1 (local)
# Run the display pim bsr-info command to view information about BSR election on routers. For example, BSR information on RouterA and RouterE is as follows (C-BSR information is also displayed on RouterE):
display pim bsr-info
 VPN-Instance: public net
 Elected AdminScoped BSR Count: 0
 Elected BSR Address: 192.168.4.2
   Priority: 0
   Hash mask length: 30
   State: Accept Preferred
   Scope: Not scoped
   Uptime: 01:40:40
   Expires: 00:01:42
   C-RP Count: 1
display pim bsr-info
 VPN-Instance: public net
 Elected AdminScoped BSR Count: 0
 Elected BSR Address: 192.168.4.2
   Priority: 0
   Mask length: 30
   State: Elected
   Scope: Not scoped
   Uptime: 00:00:18
   Next BSR message scheduled at: 00:01:42
   C-RP Count: 1
 Candidate AdminScoped BSR Count: 0
 Candidate BSR Address is: 192.168.4.2
   Priority: 0
   Hash mask length: 30
   State: Elected
   Scope: Not scoped
   Wait to be BSR: 0
# Run the display pim rp-info command on routers to check RP information. RP information on RouterA is as follows:
display pim rp-info
 VPN-Instance: public net
 PIM-SM BSR RP Number: 1
   Group/MaskLen: 225.1.1.0/24
     RP: 192.168.4.2
     Priority: 0
     Uptime: 00:45:13
     Expires: 00:02:17
 PIM SM static RP Number: 1
   Static RP: 192.168.2.2
# Run the display pim routing-table command to view the PIM multicast routing table on the routers. The multicast source 10.110.3.100/24 sends messages to the multicast group 225.1.1.1/24. HostA and HostB join the multicast group 225.1.1.1/24. Take RouterA and RouterB as an example. The command output is as follows:
NOTE: By default, when the receiver's DR receives the first multicast packet, it triggers an SPT switchover and creates a new (S, G) entry. The (S, G) entry displayed on the router is the (S, G) entry created after the SPT switchover completes.
[RouterA] display pim routing-table
 VPN-Instance: public net
 Total 1 (*, G) entry; 1 (S, G) entry

 (*, 225.1.1.1)
     RP: 192.168.4.2
     Protocol: pim-sm, Flag: WC
     UpTime: 00:13:46
     Upstream interface: GigabitEthernet3/0/0,
         Upstream neighbor: 192.168.5.2
         RPF prime neighbor: 192.168.5.2
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet2/0/0
             Protocol: igmp, UpTime: 00:13:46, Expires: -

 (10.110.3.100, 225.1.1.1)
     RP: 192.168.4.2
     Protocol: pim-sm, Flag: SPT ACT
     UpTime: 00:00:42
     Upstream interface: GigabitEthernet1/0/0
         Upstream neighbor: 192.168.1.2
         RPF prime neighbor: 192.168.1.2
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet2/0/0
             Protocol: pim-sm, UpTime: 00:00:42, Expires: -
[RouterB] display pim routing-table
 VPN-Instance: public net
 Total 1 (*, G) entry; 1 (S, G) entry

 (*, 225.1.1.1)
     RP: 192.168.4.2
     Protocol: pim-sm, Flag: WC
     UpTime: 00:10:12
     Upstream interface: GigabitEthernet1/0/0,
         Upstream neighbor: 192.168.2.2
         RPF prime neighbor: 192.168.2.2
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet2/0/0
             Protocol: igmp, UpTime: 00:10:12, Expires: -

 (10.110.3.100, 225.1.1.1)
     RP: 192.168.4.2
     Protocol: pim-sm, Flag: SPT ACT
     UpTime: 00:00:42
     Upstream interface: GigabitEthernet1/0/0
         Upstream neighbor: 192.168.2.2
         RPF prime neighbor: 192.168.2.2
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet2/0/0
             Protocol: pim-sm, UpTime: 00:00:30, Expires: -
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
 multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 192.168.5.1 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 10.110.1.1 255.255.255.0
 pim silent
 pim sm
 igmp enable
#
interface GigabitEthernet3/0/0
 ip address 192.168.1.1 255.255.255.0
 pim sm
#
ospf 1
 area 0.0.0.0
  network 10.110.1.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
  network 192.168.5.0 0.0.0.255
#
pim
 static-rp 192.168.2.2
#
return
Configuration file of RouterB
#
 sysname RouterB
#
 multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 192.168.2.1 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 10.110.2.1 255.255.255.0
 pim sm
 igmp enable
#
ospf 1
 area 0.0.0.0
  network 10.110.2.0 0.0.0.255
Configuration file of RouterC
#
 sysname RouterC
#
 multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 10.110.2.2 255.255.255.0
 pim sm
 igmp enable
#
interface GigabitEthernet2/0/0
 ip address 192.168.3.1 255.255.255.0
 pim sm
#
ospf 1
 area 0.0.0.0
  network 10.110.2.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
#
pim
 static-rp 192.168.2.2
#
return
Configuration file of RouterD
#
 sysname RouterD
#
 multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 10.110.3.1 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 10.110.4.1 255.255.255.0
 pim sm
 pim bsr-boundary
#
interface GigabitEthernet3/0/0
 ip address 192.168.1.2 255.255.255.0
 pim sm
#
interface GigabitEthernet4/0/0
 ip address 192.168.4.1 255.255.255.0
 pim sm
#
ospf 1
 area 0.0.0.0
  network 10.110.3.0 0.0.0.255
  network 10.110.4.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
  network 192.168.4.0 0.0.0.255
#
pim
 static-rp 192.168.2.2
#
return
Configuration file of RouterE
#
 sysname RouterE
#
 multicast routing-enable
#
acl number 2008
 rule 5 permit source 225.1.1.0 0.0.0.255
#
interface GigabitEthernet1/0/0
 ip address 192.168.5.2 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 192.168.3.2 255.255.255.0
 pim sm
#
interface GigabitEthernet3/0/0
 ip address 192.168.2.2 255.255.255.0
 pim sm
#
interface GigabitEthernet4/0/0
 ip address 192.168.4.2 255.255.255.0
 pim sm
#
ospf 1
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
  network 192.168.4.0 0.0.0.255
  network 192.168.5.0 0.0.0.255
#
pim
 c-bsr GigabitEthernet4/0/0
 c-rp GigabitEthernet4/0/0 group-policy 2008
 static-rp 192.168.2.2
#
return
11.6.12 Example for Configuring SPT Switchover in PIM-SM Domain
Networking Requirements
Receivers can receive the VoD information in multicast mode. The entire PIM network adopts a single BSR administrative domain. By default, the RP and the DR on the receiver side perform the SPT switchover as soon as they receive the first multicast data packet, searching for an optimal path to receive the multicast data from the source. If the SPT switchover should instead occur only after the traffic rate reaches a threshold, you need to configure the SPT switchover threshold. As shown in Figure 11-6-12, you need to configure the routers properly, so that HostA on the leaf network can receive multicast data through the RP (GE1/0/0 of RouterA). When the transmission rate of multicast data packets reaches 1024 kbit/s, the SPT switchover is performed. After the SPT switchover, the path through which HostA receives multicast packets is Source-RouterB-RouterC-HostA.
Figure 11-6-12 Networking diagram for performing SPT switchover in PIM-SM domain
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IP address for each interface on routers and a unicast routing protocol.
2. Enable the multicast function on all routers, enable PIM-SM on all interfaces, and enable IGMP on the interface connected to user hosts.
3. Configure the same static RP on each router.
4. Configure the SPT switchover on RouterC.
Procedure
1. Configure an IP address for each interface on routers and a unicast routing protocol.
# Configure an IP address and mask for each interface according to Figure 11-6-12. Configure OSPF on RouterA, RouterB, and RouterC to ensure IP connectivity between them, and enable them to dynamically update routing information. The configurations of RouterA and RouterB are similar to the configuration of RouterC, and are not mentioned here.
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ip address 192.168.1.2 24
[RouterC-GigabitEthernet1/0/0] quit
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] ip address 10.110.2.1 24
2. Enable the multicast function on all routers, enable PIM-SM on all interfaces, and enable IGMP on the interface connected to user hosts.
# Enable the multicast function on all routers, PIM-SM on all interfaces, and IGMP on the interface that connects RouterC to the leaf network. The configurations of RouterA and RouterB are similar to the configuration of RouterC, and are not mentioned here.
[RouterC] multicast routing-enable
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] pim sm
[RouterC-GigabitEthernet1/0/0] quit
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] pim sm
[RouterC-GigabitEthernet2/0/0] igmp enable
[RouterC-GigabitEthernet2/0/0] quit
[RouterC] interface gigabitethernet 3/0/0
[RouterC-GigabitEthernet3/0/0] pim sm
[RouterC-GigabitEthernet3/0/0] quit
3. Configure a static RP.
# Configure a static RP on RouterA, RouterB, and RouterC. The configurations of RouterB and RouterC are similar to the configuration of RouterA, and are not mentioned here.
[RouterA] pim
[RouterA-pim] static-rp 192.168.1.1
4. Configure the threshold for an SPT switchover.
# Configure RouterC to perform an SPT switchover when the transmission rate of multicast packets reaches 1024 kbit/s.
[RouterC] pim
[RouterC-pim] spt-switch-threshold 1024
[RouterC-pim] quit
5. Verify the configuration.
# The multicast source begins to send data to the multicast group, and HostA can receive the data from the source. When the rate is smaller than 1024 kbit/s, run the display pim routing-table command to view the PIM multicast routing table on RouterC. You can find that the upstream neighbor is RouterA. The command output is as follows:
display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 1 (S, G) entry

(*, 225.1.1.1)
    RP: 192.168.1.1
    Protocol: pim-sm, Flag: WC
    UpTime: 00:13:46
    Upstream interface: GigabitEthernet1/0/0
        Upstream neighbor: 192.168.1.1
        RPF prime neighbor: 192.168.1.1
    Downstream interface(s) information:
    Total number of downstreams: 1
        1: GigabitEthernet2/0/0
            Protocol: igmp, UpTime: 00:13:46, Expires: -

(10.110.5.100, 225.1.1.1)
    RP: 192.168.1.1
    Protocol: pim-sm, Flag: ACT
    UpTime: 00:00:42
    Upstream interface: GigabitEthernet1/0/0
        Upstream neighbor: 192.168.1.1
        RPF prime neighbor: 192.168.1.1
    Downstream interface(s) information:
    Total number of downstreams: 1
        1: GigabitEthernet2/0/0
            Protocol: pim-sm, UpTime: 00:00:42, Expires: -
# When the rate is higher than 1024 kbit/s, run the display pim routing-table command to view the PIM multicast routing table on RouterC. You can find that the upstream neighbor is RouterB. The command output is as follows:
display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 1 (S, G) entry

(*, 225.1.1.1)
    RP: 192.168.1.1
    Protocol: pim-sm, Flag: WC
    UpTime: 00:13:46
    Upstream interface: GigabitEthernet3/0/0,
        Upstream neighbor: 192.168.2.1
        RPF prime neighbor: 192.168.2.1
    Downstream interface(s) information:
    Total number of downstreams: 1
        1: GigabitEthernet2/0/0,
            Protocol: igmp, UpTime: 00:13:46, Expires: -

(10.110.5.100, 225.1.1.1)
    RP: 192.168.1.1
    Protocol: pim-sm, Flag: RPT SPT ACT
    UpTime: 00:00:42
    Upstream interface: GigabitEthernet3/0/0
        Upstream neighbor: 192.168.2.1
        RPF prime neighbor: 192.168.2.1
    Downstream interface(s) information:
    Total number of downstreams: 1
        1: GigabitEthernet2/0/0
            Protocol: pim-sm, UpTime: 00:00:42, Expires: -
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
 multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.1 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 192.168.3.1 255.255.255.0
 pim sm
Configuration file of RouterB
#
 sysname RouterB
#
 multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 192.168.2.1 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 192.168.3.2 255.255.255.0
 pim sm
#
interface GigabitEthernet3/0/0
 ip address 10.110.5.1 255.255.255.0
 pim sm
#
pim
 static-rp 192.168.1.1
#
ospf 1
 area 0.0.0.0
  network 10.110.5.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
#
return
Configuration file of RouterC
#
 sysname RouterC
#
 multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 10.110.2.1 255.255.255.0
 pim sm
 igmp enable
#
interface GigabitEthernet3/0/0
 ip address 192.168.2.2 255.255.255.0
 pim sm
#
pim
 spt-switch-threshold 1024
 static-rp 192.168.1.1
#
ospf 1
 area 0.0.0.0
  network 10.110.2.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
return
11.6.13 Example for Configuring a PIM-SM (SSM Model) Network
Networking Requirements As shown in Figure 11-6-13, configure the PIM-SM protocol on routers to enable them to provide SSM services for user hosts on the network. Then hosts in a multicast group can receive Voice on Demand (VoD) streams sent from specified sources to this group.
Figure 11-6-13 Networking diagram for configuring a PIM-SM (SSM model) network
Table: Router / Interface and IP Address for RouterA, RouterB, RouterC, RouterD, RouterE, and RouterF (the table contents were not extracted; the interface addresses can be read from the configuration files at the end of this example).
Configuration Roadmap
1. Configure an IP address for each interface on routers and a unicast routing protocol. PIM is an intra-domain multicast routing protocol that depends on a unicast routing protocol; the multicast routing protocol can work only after the unicast routing protocol works normally.
2. Enable the multicast function on all routers providing multicast services. Before configuring other PIM-SM functions, you must enable the multicast function.
3. Enable PIM-SM on all interfaces of the routers. After PIM-SM is enabled, you can configure other PIM-SM functions.
4. Enable IGMP on interfaces that connect routers to user hosts, and set the IGMP version to IGMPv3. A receiver joins or leaves a multicast group by sending IGMP messages, and the leaf routers maintain group membership using IGMP. IGMPv3 is required because an SSM receiver must report the source as well as the group it wants.
NOTE: If PIM-SM and IGMP both need to be enabled on the interface that connects to user hosts, enable PIM-SM first, and then enable IGMP.
5. Configure the interface connected to hosts to be PIM silent, so that a malicious host cannot establish a PIM neighbor relationship with the router by forging PIM Hello messages (and, for example, win the DR election on that segment). In this manner, the security of the PIM-SM domain is ensured.
NOTE: If the user network segment is connected to multiple routers, such as RouterB and RouterC in this example, do not enable PIM silent on the interfaces that connect those routers to user hosts, because they need each other's Hello messages to form a neighbor relationship and elect a DR.
6. Configure the SSM group address range on each router, so that the routers in the PIM-SM domain provide SSM service only for multicast groups in that range. In this manner, multicast can be controlled effectively.
NOTE: The SSM group address range configured on each router must be the same.
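The DR election that roadmap item 5 protects, as an added example (Python, written for this page; it is not code from the HCIE material or from Huawei). It models the PIM-SM election rule of RFC 4601, highest DR priority wins and the highest IP address breaks ties, and shows what a host forging Hello messages gains on an interface without pim silent versus one with it. Router addresses reuse Figure 11-6-13; the rogue host address 10.110.1.200 and its DR priority of 100 are constructed. The model assumes every Hello carries the DR Priority option.

```python
"""PIM DR election on a shared segment, with and without `pim silent`.

Added example, not code from the HCIE material. Election rule modelled:
highest DR priority wins, highest IP address breaks ties (RFC 4601,
assuming all Hellos carry the DR Priority option). Router addresses come
from Figure 11-6-13; the rogue host and its priority are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict


@dataclass(frozen=True)
class Hello:
    """The two Hello fields that decide the election."""
    src: str
    dr_priority: int = 1          # DR Priority option; PIM default is 1


@dataclass
class PimInterface:
    address: str
    dr_priority: int = 1
    silent: bool = False          # `pim silent`: send no Hellos, accept none
    neighbors: Dict[str, int] = field(default_factory=dict)

    def receive_hello(self, hello: Hello) -> bool:
        """Learn a PIM neighbor from a Hello, unless the port is silent."""
        if self.silent:
            return False          # dropped: no neighbor state is created
        self.neighbors[hello.src] = hello.dr_priority
        return True

    def elect_dr(self) -> str:
        """Highest DR priority wins; the highest IP address breaks ties."""
        candidates = [(self.address, self.dr_priority)] + list(self.neighbors.items())
        return max(candidates,
                   key=lambda c: (c[1], int(ipaddress.IPv4Address(c[0]))))[0]


def host_segment(silent: bool) -> str:
    """RouterA GE3/0/0 (10.110.1.1) facing a rogue host that forges Hellos."""
    ge3 = PimInterface("10.110.1.1", silent=silent)
    rogue = Hello("10.110.1.200", dr_priority=100)   # constructed attacker
    ge3.receive_hello(rogue)
    return ge3.elect_dr()


def shared_segment() -> str:
    """RouterB (10.110.2.1) and RouterC (10.110.2.2) both serve 10.110.2.0/24."""
    router_c = PimInterface("10.110.2.2")           # must NOT be silent here
    router_c.receive_hello(Hello("10.110.2.1"))     # RouterB, default priority
    return router_c.elect_dr()


if __name__ == "__main__":
    print("open interface, rogue present :", host_segment(silent=False))
    print("pim silent, rogue present     :", host_segment(silent=True))
    print("RouterB/RouterC segment DR    :", shared_segment())
```

Without pim silent the forged Hello makes the rogue host the DR, that is, the node the segment relies on to send Joins toward the RP and to register local sources; with pim silent the Hello is never turned into neighbor state and RouterA stays DR. On the RouterB/RouterC segment the election must run, and RouterC wins on the higher address, which agrees with the DR-Address 10.110.2.2 (local) that display pim interface reports on RouterC in the verification step.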
Procedure
1. Configure an IP address for each interface and configure the unicast routing protocol.
# Configure an IP address and mask for each interface according to Figure 11-6-13. Configure OSPF on each router to ensure IP connectivity between them, and enable them to dynamically update routing information. The configuration details are not provided here. The configurations of RouterB, RouterC, RouterD, RouterE, and RouterF are similar to the configuration of RouterA, and are not mentioned.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.5.1 24
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
2. Enable multicast routing on all routers and PIM-SM on all interfaces.
# Enable multicast routing on all routers and enable PIM-SM on all interfaces. The configurations of RouterB, RouterC, RouterD, RouterE, and RouterF are similar to the configuration of RouterA, and are not mentioned here.
[RouterA] multicast routing-enable
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] pim sm
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] pim sm
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] pim sm
[RouterA-GigabitEthernet3/0/0] quit
3. Enable IGMP on the router interface connected to user hosts, and set the IGMP version to IGMPv3.
# Enable IGMP on the interface that connects RouterA to user hosts. The configurations of RouterB and RouterC are similar to the configuration of RouterA, and are not mentioned here.
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] igmp enable
[RouterA-GigabitEthernet3/0/0] igmp version 3
4. Enable PIM silent on the interface of RouterA.
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] pim silent
5. Configure the SSM group address range.
# Configure the SSM group address range to 232.1.1.0/24 on all routers. The configurations of RouterB, RouterC, RouterD, RouterE, and RouterF are similar to those of RouterA, and the detailed configurations are not mentioned here.
[RouterA] acl number 2000
[RouterA-acl-basic-2000] rule permit source 232.1.1.0 0.0.0.255
[RouterA-acl-basic-2000] quit
[RouterA] pim
[RouterA-pim] ssm-policy 2000
6. Verify the configuration.
# Run the display pim interface command to view the configuration and running status of PIM on the interface. The PIM configuration on RouterC is as follows:
display pim interface
VPN-Instance: public net
Interface   State   NbrCnt   HelloInt   DR-Pri   DR-Address
GE1/0/0     up      0        30         1        10.110.2.2 (local)
GE2/0/0     up      1        30         1        192.168.3.1 (local)
# Run the display pim routing-table command to view the PIM multicast routing table on the routers. HostA needs to receive data sent from sources 10.110.3.100 and 10.110.4.100 to group 232.1.1.1. HostB needs to receive data sent only from source 10.110.3.100 to group 232.1.1.1. The command output is as follows:
[RouterA] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 2 (S, G) entry

(10.110.3.100, 232.1.1.1)
    Protocol: pim-ssm, Flag: SPT ACT
    UpTime: 00:13:46
    Upstream interface: GigabitEthernet2/0/0,
        Upstream neighbor: 192.168.5.2
        RPF prime neighbor: 192.168.5.2
    Downstream interface(s) information:
    Total number of downstreams: 1
        1: GigabitEthernet3/0/0
            Protocol: igmp, UpTime: 00:13:46, Expires: -

        RPF prime neighbor: 10.110.4.100
    Downstream interface(s) information:
    Total number of downstreams: 1
        1: GigabitEthernet2/0/0
            Protocol: pim-ssm, UpTime: 00:15:28, Expires: 00:05:21
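How the ssm-policy ACL configured in step 5 decides which joins are served as SSM, as an added example (Python, written for this page; not code from the HCIE material or from Huawei). It parses basic ACL rules of the form used by acl 2000 (rule N permit|deny source ADDRESS WILDCARD), matches a group address in rule-number order with the implicit deny at the end, and classifies a join the way a PIM-SM router with an SSM policy treats it: source-specific joins inside the range build an (S, G) tree toward the source with no RP involvement, (*, G) joins inside the range are dropped, and everything outside the range falls back to ASM. The ACL text is the page's; the join requests are constructed.

```python
"""Evaluate a `pim ssm-policy` ACL the way a PIM-SM router applies it.

Added example, not code from the HCIE material. Parses Huawei-style basic
ACL rules ("rule N permit|deny source A.B.C.D WILDCARD"), matches a group
against them in rule-number order with an implicit deny, and classifies a
join. ACL_2000 is the page's ACL; the joins in the test are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

ACL_2000 = """\
acl number 2000
 rule 5 permit source 232.1.1.0 0.0.0.255
"""

Rule = Tuple[int, str, int, int]   # (number, action, address, wildcard)


def parse_basic_acl(text: str) -> List[Rule]:
    """Collect 'rule N permit|deny source ADDR WILDCARD' lines, sorted by N."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0] == "rule" and parts[3] == "source":
            number, action = int(parts[1]), parts[2]
            addr = int(ipaddress.IPv4Address(parts[4]))
            wildcard = int(ipaddress.IPv4Address(parts[5]))
            rules.append((number, action, addr, wildcard))
    return sorted(rules)            # evaluated in ascending rule-number order


def acl_permits(rules: List[Rule], address: str) -> bool:
    """First matching rule decides; no match means the implicit deny."""
    value = int(ipaddress.IPv4Address(address))
    for _, action, addr, wildcard in rules:
        care = 0xFFFFFFFF ^ wildcard        # wildcard bit 1 = "do not care"
        if value & care == addr & care:
            return action == "permit"
    return False


def classify_join(rules: List[Rule], group: str, source: Optional[str]) -> str:
    """How a router with `ssm-policy` treats an (S,G) or (*,G) join."""
    if not ipaddress.IPv4Address(group).is_multicast:
        return "invalid"
    if acl_permits(rules, group):
        # SSM range: only source-specific joins are valid. The (S,G) tree is
        # built straight toward S, so no RP and no Register exchange occur.
        return "ssm" if source else "dropped"
    return "asm"   # outside the SSM range: (*,G) toward the RP as in PIM-SM


if __name__ == "__main__":
    rules = parse_basic_acl(ACL_2000)
    for group, source in [("232.1.1.1", "10.110.3.100"), ("232.1.1.1", None),
                          ("232.2.2.2", "10.110.3.100"), ("225.1.1.1", None)]:
        print(f"({source or '*'}, {group}) -> {classify_join(rules, group, source)}")
```

Two practical checks follow from the model: a group such as 232.2.2.2 is inside the IANA SSM block but outside acl 2000, so with this policy the routers treat it as ASM and need an RP for it, which is why the NOTE requires the same range on every router; and a deny rule with a lower number than the permit wins for the addresses it covers, so rule numbering, not the order the rules were typed, determines the result.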
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
 multicast routing-enable
#
acl number 2000
 rule 5 permit source 232.1.1.0 0.0.0.255
#
interface GigabitEthernet1/0/0
 ip address 192.168.5.1 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 192.168.1.1 255.255.255.0
 pim sm
#
interface GigabitEthernet3/0/0
 ip address 10.110.1.1 255.255.255.0
 pim silent
 pim sm
 igmp enable
 igmp version 3
#
ospf 1
 area 0.0.0.0
  network 10.110.1.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
  network 192.168.5.0 0.0.0.255
#
pim
 ssm-policy 2000
#
return
Configuration file of RouterB
#
 sysname RouterB
#
 multicast routing-enable
#
acl number 2000
 rule 5 permit source 232.1.1.0 0.0.0.255
#
interface GigabitEthernet1/0/0
 ip address 192.168.2.1 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 10.110.2.1 255.255.255.0
 pim sm
 igmp enable
 igmp version 3
#
ospf 1
 area 0.0.0.0
  network 10.110.2.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
pim
 ssm-policy 2000
#
return
Configuration file of RouterC
#
 sysname RouterC
#
 multicast routing-enable
#
acl number 2000
 rule 5 permit source 232.1.1.0 0.0.0.255
#
interface GigabitEthernet1/0/0
 ip address 10.110.2.2 255.255.255.0
 pim sm
 igmp enable
 igmp version 3
#
interface GigabitEthernet2/0/0
 ip address 192.168.3.1 255.255.255.0
 pim sm
#
ospf 1
 area 0.0.0.0
  network 10.110.2.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
#
pim
 ssm-policy 2000
#
return
Configuration file of RouterD
#
 sysname RouterD
#
 multicast routing-enable
#
acl number 2000
 rule 5 permit source 232.1.1.0 0.0.0.255
#
interface GigabitEthernet1/0/0
 ip address 10.110.3.1 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 192.168.4.1 255.255.255.0
 pim sm
#
ospf 1
Configuration file of RouterE
#
 sysname RouterE
#
 multicast routing-enable
#
acl number 2000
 rule 5 permit source 232.1.1.0 0.0.0.255
#
interface GigabitEthernet1/0/0
 ip address 192.168.5.2 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 192.168.3.2 255.255.255.0
 pim sm
#
interface GigabitEthernet3/0/0
 ip address 192.168.2.2 255.255.255.0
 pim sm
#
interface GigabitEthernet4/0/0
 ip address 192.168.4.2 255.255.255.0
 pim sm
#
ospf 1
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
  network 192.168.4.0 0.0.0.255
  network 192.168.5.0 0.0.0.255
#
pim
 ssm-policy 2000
#
return
Configuration file of RouterF
#
 sysname RouterF
#
 multicast routing-enable
#
acl number 2000
 rule 5 permit source 232.1.1.0 0.0.0.255
#
interface GigabitEthernet1/0/0
 ip address 10.110.4.1 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 192.168.1.2 255.255.255.0
 pim sm
#
ospf 1
 area 0.0.0.0
  network 10.110.4.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
#
pim
 ssm-policy 2000
#
return
11.6.14 Example for Configuring PIM for Anycast RP
Networking Requirements
In a traditional PIM-SM domain, all multicast groups map to a single RP. When the network is overloaded or traffic concentrates on the RP, the RP may be overburdened; if the RP fails, routes converge slowly and multicast data is forwarded over non-optimal paths. Configuring Anycast RP in a single PIM-SM domain addresses this problem: several RPs share one RP address, and unicast routing automatically selects the closest RP for each source and receiver. This relieves the load on a single RP, provides RP backup, and optimizes multicast forwarding paths.
As shown in Figure 11-6-14, there are multiple receivers in the PIM-SM domain, and Receiver2 wants to receive multicast data from Source. You need to configure Anycast RP peering between RouterC and RouterD, so that Receiver2 sends its Join message to the closest RP, RouterD. After RouterA receives multicast data from Source, it encapsulates the data in a Register message and sends it to RouterC. On receiving the Register message, RouterC forwards it to its Anycast RP peer RouterD, and Receiver2 can receive the multicast data from Source.
Figure 11-6-14 Networking diagram for configuring PIM for Anycast RP
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces of each router, and configure OSPF to implement IP interworking.
2. Enable the multicast function and enable PIM-SM on each interface.
3. Enable IGMP on the interfaces that connect routers to hosts.
4. Configure loopback 0 on RouterC and RouterD as the C-BSR and C-RP.
5. Configure loopback 0 (1.1.1.1) on RouterC and RouterD as the Anycast RP address.
6. Configure the addresses of loopback 1 on RouterC (2.2.2.2) and RouterD (3.3.3.3) as the local addresses of the Anycast RPs.
7. Set up an Anycast RP peer relationship between RouterC and RouterD.
Procedure
1. Configure an IP address for each interface and configure the unicast routing protocol.
# Configure an IP address and mask for each interface according to Figure 11-6-14. Configure OSPF on each router to ensure IP connectivity between them, and enable them to dynamically update routing information. The configurations of RouterB, RouterC, and RouterD are similar to the configuration of RouterA, and are not mentioned.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 10.110.1.1 24
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ip address 192.168.1.1 24
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.110.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
2. Enable multicast routing on all routers and PIM-SM on all interfaces.
# Enable multicast routing on all routers and enable PIM-SM on all interfaces. The configurations of RouterB, RouterC, and RouterD are similar to the configuration of RouterA, and are not mentioned here.
# Configure RouterA.
[RouterA] multicast routing-enable
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] pim sm
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] pim sm
[RouterA-GigabitEthernet2/0/0] quit
3. Enable IGMP on the interfaces that connect the router to hosts.
# Enable IGMP on the interfaces that connect RouterC and RouterD to hosts.
# Configure RouterC.
[RouterC] interface gigabitethernet 3/0/0
[RouterC-GigabitEthernet3/0/0] igmp enable
[RouterC-GigabitEthernet3/0/0] quit
# Configure RouterD.
[RouterD] interface gigabitethernet 2/0/0
[RouterD-GigabitEthernet2/0/0] igmp enable
[RouterD-GigabitEthernet2/0/0] quit
4. Configure loopback 0 on RouterC and RouterD as the C-BSR and C-RP.
# Configure RouterC.
[RouterC] pim
[RouterC-pim] c-bsr loopback 0
[RouterC-pim] c-rp loopback 0
[RouterC-pim] quit
# Configure RouterD.
[RouterD] pim
[RouterD-pim] c-bsr loopback 0
[RouterD-pim] c-rp loopback 0
[RouterD-pim] quit
5. Configure loopback 0 (1.1.1.1) on RouterC and RouterD as the Anycast RP address.
6. Configure the addresses of loopback 1 on RouterC (2.2.2.2) and RouterD (3.3.3.3) as the local addresses of the Anycast RPs.
# Configure RouterC.
[RouterC] pim
[RouterC-pim] anycast-rp 1.1.1.1
[RouterC-pim-anycast-rp-1.1.1.1] local-address 2.2.2.2
[RouterC-pim-anycast-rp-1.1.1.1] quit
[RouterC-pim] quit
# Configure RouterD.
[RouterD] pim
[RouterD-pim] anycast-rp 1.1.1.1
[RouterD-pim-anycast-rp-1.1.1.1] local-address 3.3.3.3
[RouterD-pim-anycast-rp-1.1.1.1] quit
[RouterD-pim] quit
7. Set up an Anycast RP peer relationship between RouterC and RouterD.
# Configure RouterC.
[RouterC] pim
[RouterC-pim] anycast-rp 1.1.1.1
[RouterC-pim-anycast-rp-1.1.1.1] peer 3.3.3.3
[RouterC-pim-anycast-rp-1.1.1.1] quit
[RouterC-pim] quit
# Configure RouterD.
[RouterD] pim
[RouterD-pim] anycast-rp 1.1.1.1
[RouterD-pim-anycast-rp-1.1.1.1] peer 2.2.2.2
[RouterD-pim-anycast-rp-1.1.1.1] quit
[RouterD-pim] quit
8.
Verify the configuration.
# Run the display pim rp-info command on RouterC and RouterD to check RP information.
[RouterC] display pim rp-info
VPN-Instance: public net
PIM-SM BSR RP Number:1
Group/MaskLen: 224.0.0.0/4
    RP: 1.1.1.1 (local)
    Priority: 0
    Uptime: 00:45:19
    Expires: 00:02:11
[RouterD] display pim rp-info
VPN-Instance: public net
PIM-SM BSR RP Number:1
Group/MaskLen: 224.0.0.0/4
    RP: 1.1.1.1 (local)
    Priority: 0
    Uptime: 02:27:56
    Expires: 00:01:39
The command output shows that RouterC and RouterD both serve as the RP 1.1.1.1 and forward the Register message from the multicast source to each other.
# Run the display pim routing-table command to check PIM entries on each router. Source (10.110.1.2) in the PIM-SM domain sends multicast data to multicast group G (226.1.1.1). Receiver2 joins G and receives the multicast data sent to G. Source is registered to RouterC and Receiver2 sends a Join message to RouterD.
[RouterC] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entries

(10.110.1.2, 226.1.1.1)
    RP: 1.1.1.1 (local)
    Protocol: pim-sm, Flag: 2MSDP ACT
    UpTime: 00:00:38
    Upstream interface: Register
        Upstream neighbor: NULL
        RPF prime neighbor: NULL
    Downstream interface(s) information: None
[RouterD] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 1 (S, G) entries

(*, 226.1.1.1)
    RP: 1.1.1.1 (local)
    Protocol: pim-sm, Flag: WC
    UpTime: 00:01:25
    Upstream interface: Register
        Upstream neighbor: NULL
        RPF prime neighbor: NULL
    Downstream interface(s) information:
    Total number of downstreams: 1
        1: GigabitEthernet2/0/0
            Protocol: igmp, UpTime: 00:01:25, Expires: -

(10.110.1.2, 226.1.1.1)
    RP: 1.1.1.1 (local)
    Protocol: pim-sm, Flag: 2MSDP SWT ACT
    UpTime: 00:00:02
    Upstream interface: Register
        Upstream neighbor: NULL
        RPF prime neighbor: NULL
    Downstream interface(s) information:
    Total number of downstreams: 1
        1: GigabitEthernet2/0/0
            Protocol: pim-sm, UpTime: 00:00:02, Expires: -
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
 multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 10.110.1.1 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 192.168.1.1 255.255.255.0
 pim sm
#
ospf 1
 area 0.0.0.0
  network 10.110.1.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
#
return
Configuration file of RouterB
#
 sysname RouterB
#
 multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 192.168.2.1 255.255.255.0
 pim sm
#
ospf 1
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255
#
return
Configuration file of RouterC
#
 sysname RouterC
#
 multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 192.168.3.1 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 192.168.1.2 255.255.255.0
 pim sm
#
interface GigabitEthernet3/0/0
 ip address 10.110.2.1 255.255.255.0
 pim sm
 igmp enable
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
 pim sm
#
interface LoopBack1
 ip address 2.2.2.2 255.255.255.255
Configuration file of RouterD
#
 sysname RouterD
#
 multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 192.168.2.2 255.255.255.0
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 10.110.3.1 255.255.255.0
 pim sm
 igmp enable
#
interface GigabitEthernet3/0/0
 ip address 192.168.3.2 255.255.255.0
 pim sm
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
 pim sm
#
interface LoopBack1
 ip address 3.3.3.3 255.255.255.0
 pim sm
#
ospf 1
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
  network 10.110.3.0 0.0.0.255
  network 3.3.3.3 0.0.0.0
  network 1.1.1.1 0.0.0.0
#
pim
 c-bsr LoopBack0
 c-rp LoopBack0
 anycast-rp 1.1.1.1
  local-address 3.3.3.3
  peer 2.2.2.2
#
return
11.6.15 Example for Configuring a Multicast Static Route to Change the RPF Route
Networking Requirements As shown in Figure 11-6-15, RouterA, RouterB, and RouterC run OSPF to implement IP interworking, and router interfaces use PIM-DM to provide multicast services. Data sent from the multicast source (Source) is forwarded to the receiver host (Receiver) through RouterA and RouterB. The link between RouterA and RouterB transmits unicast and multicast services simultaneously. To reduce the loads on this link, multicast data needs to be transmitted along the path RouterA→RouterC→RouterB.
Figure 11-6-15 Configuring a static route to change the RPF route
Table: Router / Interface and IP Address for RouterA, RouterB, and RouterC (the table contents were not extracted; the interface addresses can be read from the procedure and the configuration files below).
Configuration Roadmap
The RPF interface used to receive multicast data can be changed by configuring a multicast static route. After the RPF route is changed, multicast and unicast services are transmitted over different links, so the load on a single link is reduced. The configuration roadmap is as follows:
1. Configure IP addresses for interfaces and configure a unicast routing protocol (OSPF in this example) on each router. Multicast routing protocols depend on unicast routing protocols.
2. Enable multicast routing on all routers, PIM-DM on all interfaces, and IGMP on the interface connected to the network segment of the receiver host. After these basic multicast functions are configured, the routers can establish a multicast distribution tree using default parameter settings. Then multicast data can be forwarded to Receiver along the multicast distribution tree.
3. Configure a multicast RPF static route on RouterB and specify RouterC as the RPF neighbor.
Procedure
1. Configure IP addresses for interfaces and configure OSPF on each router.
# Configure IP addresses and masks for interfaces on the routers. (The configurations of the other routers are similar to the configuration of RouterB.)
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 9.1.1.2 24
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ip address 13.1.1.1 24
[RouterB-GigabitEthernet2/0/0] quit
[RouterB] interface gigabitethernet 3/0/0
[RouterB-GigabitEthernet3/0/0] ip address 7.1.1.1 24
[RouterB-GigabitEthernet3/0/0] quit
# Configure OSPF on the routers. (The configurations of the other routers are similar to the configuration of RouterB.)
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 7.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 9.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 13.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
2. Enable multicast routing on the routers and enable PIM-DM on all interfaces.
# Enable multicast routing on all the routers and enable PIM-DM on all interfaces. Enable IGMP on the interface connected to the network segment of the receiver host. (The PIM-DM configurations on the other routers are similar to the PIM-DM configuration on RouterB.)
[RouterB] multicast routing-enable
[RouterB] interface gigabitethernet1/0/0
[RouterB-GigabitEthernet1/0/0] pim dm
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet2/0/0
[RouterB-GigabitEthernet2/0/0] pim dm
[RouterB-GigabitEthernet2/0/0] quit
[RouterB] interface gigabitethernet3/0/0
[RouterB-GigabitEthernet3/0/0] pim dm
[RouterB-GigabitEthernet3/0/0] igmp enable
[RouterB-GigabitEthernet3/0/0] quit
# Run the display multicast rpf-info command on RouterB to check the RPF route to Source. The following command output shows that the RPF route is originated from a unicast routing protocol, and the RPF neighbor is RouterA.
[RouterB] display multicast rpf-info 8.1.1.2
VPN-Instance: public net
RPF information about source 8.1.1.2:
    RPF interface: GigabitEthernet1/0/0, RPF neighbor: 9.1.1.1
    Referenced route/mask: 8.1.1.0/24
    Referenced route type: unicast
    Route selection rule: preference-preferred
    Load splitting rule: disable
3. Configure a multicast static route.
# Configure a multicast RPF static route to Source on RouterB, and configure RouterC as the RPF neighbor.
[RouterB] ip rpf-route-static 8.1.1.0 255.255.255.0 13.1.1.2
4. Verify the configuration.
# Run the display multicast rpf-info command on RouterB to check the RPF route to Source. The following information is displayed, indicating that the unicast RPF route has been replaced by the multicast static route and the RPF neighbor has changed to RouterC.
[RouterB] display multicast rpf-info 8.1.1.2
VPN-Instance: public net
RPF information about source 8.1.1.2:
    RPF interface: GigabitEthernet2/0/0, RPF neighbor: 13.1.1.2
 ip address 9.1.1.2 255.255.255.0
 pim dm
#
interface GigabitEthernet2/0/0
 ip address 13.1.1.1 255.255.255.0
 pim dm
#
interface GigabitEthernet3/0/0
 ip address 7.1.1.1 255.255.255.0
 pim dm
 igmp enable
#
ospf 1
 area 0.0.0.0
  network 7.1.1.0 0.0.0.255
  network 9.1.1.0 0.0.0.255
  network 13.1.1.0 0.0.0.255
#
ip rpf-route-static 8.1.1.0 24 13.1.1.2
#
return
Configuration file of RouterC
#
 sysname RouterC
#
 multicast routing-enable
#
interface GigabitEthernet2/0/0
 ip address 13.1.1.2 255.255.255.0
 pim dm
#
interface GigabitEthernet3/0/0
 ip address 12.1.1.2 255.255.255.0
 pim dm
#
ospf 1
 area 0.0.0.0
  network 12.1.1.0 0.0.0.255
  network 13.1.1.0 0.0.0.255
#
return
11.6.16 Example for Configuring Multicast Static Routes to Connect RPF Routes
Networking Requirements As shown in Figure 11-6-16, RouterB and RouterC run OSPF to implement IP interworking, but they have no unicast route to RouterA. Router interfaces need to run PIM-DM to provide multicast services. The receiver host (Receiver) can receive data from Source1. Now Receiver needs to receive data from Source2.
Figure 11-6-16 Configuring multicast static routes to connect RPF routes
[Figure 11-6-16 table: Router / Interface and IP Address, with rows for RouterA, RouterB, and RouterC. The per-interface addresses are the ones used in the Procedure and Configuration Files below.]
Configuration Roadmap
An RPF route to Source2 can be established on the path RouterC→RouterB→RouterA by configuring multicast static routes on RouterB and RouterC. The configuration roadmap is as follows:
1. Configure IP addresses for interfaces of the routers. Configure OSPF on RouterB and RouterC but not on RouterA, so that RouterB and RouterC have no unicast route to RouterA.
2. Enable multicast routing on all routers, PIM-DM on all interfaces, and IGMP on the interface connected to the network segment of the receiver host. After these basic multicast functions are configured, the routers can establish a multicast distribution tree using default parameter settings. Multicast data is then forwarded to Receiver along the multicast distribution tree.
3. Configure multicast static routes to Source2 on RouterB and RouterC.
Procedure
1. Configure IP addresses for interfaces and configure OSPF on each router.
# Configure IP addresses and masks for interfaces on the routers. (The configurations of the other routers are similar to the configuration of RouterB.)
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 10.1.2.2 24
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ip address 10.1.3.1 24
[RouterB-GigabitEthernet2/0/0] quit
[RouterB] interface gigabitethernet 3/0/0
[RouterB-GigabitEthernet3/0/0] ip address 10.1.4.1 24
[RouterB-GigabitEthernet3/0/0] quit
# Configure OSPF on RouterB and RouterC. (The configuration of RouterC is similar to the configuration of RouterB.)
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
2. Enable multicast routing on the routers and enable PIM-DM on all interfaces.
# Enable multicast routing on all routers, PIM-DM on all interfaces, and IGMP on the interface connected to the network segment of the receiver host.
# Configure RouterA.
[RouterA] multicast routing-enable
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] pim dm
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 3/0/0
[RouterA-GigabitEthernet3/0/0] pim dm
[RouterA-GigabitEthernet3/0/0] quit
# Configure RouterB.
[RouterB] multicast routing-enable
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] pim dm
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] pim dm
[RouterB-GigabitEthernet2/0/0] quit
[RouterB] interface gigabitethernet 3/0/0
[RouterB-GigabitEthernet3/0/0] pim dm
[RouterB-GigabitEthernet3/0/0] quit
# Configure RouterC.
[RouterC] multicast routing-enable
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] pim dm
[RouterC-GigabitEthernet1/0/0] quit
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] pim dm
[RouterC-GigabitEthernet2/0/0] igmp enable
[RouterC-GigabitEthernet2/0/0] quit
# Source1 (10.1.3.2/24) and Source2 (10.1.5.2/24) send multicast data to group G (225.1.1.1). After Receiver joins group G, it receives the multicast data sent by Source1 but cannot receive the multicast data sent by Source2.
# Run the display multicast rpf-info 10.1.5.2 command on RouterB and RouterC. No information is displayed, indicating that the routers have no RPF route to Source2.
3. Configure multicast static routes.
# Configure a multicast RPF static route to Source2 on RouterB, and configure RouterA as the RPF neighbor.
[RouterB] ip rpf-route-static 10.1.5.0 255.255.255.0 10.1.4.2
# Configure a multicast RPF static route to Source2 on RouterC, and configure RouterB as the RPF neighbor.
[RouterC] ip rpf-route-static 10.1.5.0 255.255.255.0 10.1.2.2
4. Verify the configuration.
# Run the display multicast rpf-info 10.1.5.2 command on RouterB and RouterC to check the RPF route to Source2. The following information is displayed:
[RouterB] display multicast rpf-info 10.1.5.2
 VPN-Instance: public net
 RPF information about source 10.1.5.2:
     RPF interface: GigabitEthernet3/0/0, RPF neighbor: 10.1.4.2
     Referenced route/mask: 10.1.5.0/24
     Referenced route type: mstatic
     Route selection rule: preference-preferred
     Load splitting rule: disable
[RouterC] display multicast rpf-info 10.1.5.2
 VPN-Instance: public net
 RPF information about source 10.1.5.2:
     RPF interface: GigabitEthernet1/0/0, RPF neighbor: 10.1.2.2
     Referenced route/mask: 10.1.5.0/24
     Referenced route type: mstatic
     Route selection rule: preference-preferred
     Load splitting rule: disable
# Run the display pim routing-table command on RouterC to check the PIM routing table. RouterC has multicast entries for Source2, indicating that Receiver can receive multicast data from Source2.
[RouterC] display pim routing-table
 VPN-Instance: public net
 Total 1 (*, G) entry; 2 (S, G) entries
 (*, 225.1.1.1)
     Protocol: pim-dm, Flag: WC
     UpTime: 03:54:19
     Upstream interface: NULL
         Upstream neighbor: NULL
         RPF prime neighbor: NULL
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet2/0/0
             Protocol: igmp, UpTime: 01:38:19, Expires: never
 (10.1.3.2, 225.1.1.1)
     Protocol: pim-dm, Flag: ACT
     UpTime: 00:00:44
     Upstream interface: GigabitEthernet1/0/0
         Upstream neighbor: 10.1.2.2
         RPF prime neighbor: 10.1.2.2
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet2/0/0
             Protocol: pim-dm, UpTime: 00:00:44, Expires: never
 (10.1.5.2, 225.1.1.1)
     Protocol: pim-dm, Flag: ACT
     UpTime: 00:00:44
     Upstream interface: GigabitEthernet1/0/0
         Upstream neighbor: 10.1.2.2
         RPF prime neighbor: 10.1.2.2
     Downstream interface(s) information:
     Total number of downstreams: 1
         1: GigabitEthernet2/0/0
             Protocol: pim-dm, UpTime: 00:00:44, Expires: never
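The RPF decision in the two examples above (11.6.15, where a multicast static route on RouterB overrides the OSPF route towards Source, and 11.6.16, where RouterB has no route at all to Source2 until a static route is added) can be modelled in a few lines. The Python below is an added illustration, not Huawei VRP code. The route entries are constructed from the examples' addresses; the preference values (1 for a multicast static route, 10 for OSPF) and the preference-preferred tie-break between the two tables are assumptions used only to show the mechanism.

```python
# Added illustration of the multicast RPF check, not Huawei VRP code.
# Route entries are constructed from the examples' addresses; preference
# values and the preference-preferred tie-break are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str          # RPF neighbor if this route is selected
    interface: str         # RPF interface if this route is selected
    kind: str              # "unicast" or "mstatic" (multicast static route)
    preference: int        # lower value wins (assumed: mstatic 1, OSPF 10)


def _longest_match(routes: List[Route], source: str, kind: str) -> Optional[Route]:
    """Longest-prefix match against one table (unicast or multicast static)."""
    src = ipaddress.IPv4Address(source)
    candidates = [r for r in routes if r.kind == kind and src in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def rpf_route(routes: List[Route], source: str) -> Optional[Route]:
    """Best route per table, then the table whose route has the lower
    (better) preference supplies the RPF interface and neighbor."""
    best = [r for r in (_longest_match(routes, source, k) for k in ("mstatic", "unicast")) if r]
    return min(best, key=lambda r: r.preference, default=None)


def rpf_check(routes: List[Route], source: str, arrival_interface: str) -> bool:
    """A multicast packet passes only if it arrives on the RPF interface;
    with no RPF route at all it is dropped, which is the 11.6.16 symptom."""
    chosen = rpf_route(routes, source)
    return chosen is not None and chosen.interface == arrival_interface


def mstatic(prefix: str, next_hop: str, interface: str) -> Route:
    return Route(ipaddress.ip_network(prefix), next_hop, interface, "mstatic", 1)


def ospf(prefix: str, next_hop: str, interface: str) -> Route:
    return Route(ipaddress.ip_network(prefix), next_hop, interface, "unicast", 10)


# Constructed tables. 11.6.15: RouterB learns 8.1.1.0/24 via RouterA (9.1.1.1)
# through OSPF; the multicast static route points at RouterC (13.1.1.2).
ROUTERB_11_6_15 = [ospf("8.1.1.0/24", "9.1.1.1", "GigabitEthernet1/0/0")]
ROUTERB_11_6_15_STATIC = ROUTERB_11_6_15 + [mstatic("8.1.1.0/24", "13.1.1.2", "GigabitEthernet2/0/0")]

# 11.6.16: RouterB only has OSPF routes learned from RouterC (directly
# connected routes omitted) and nothing for Source2 (10.1.5.0/24) until the
# multicast static route via RouterA (10.1.4.2) is added.
ROUTERB_11_6_16 = [ospf("10.1.1.0/24", "10.1.2.1", "GigabitEthernet1/0/0")]
ROUTERB_11_6_16_STATIC = ROUTERB_11_6_16 + [mstatic("10.1.5.0/24", "10.1.4.2", "GigabitEthernet3/0/0")]


def describe(routes: List[Route], source: str) -> str:
    """One-line summary in the spirit of 'display multicast rpf-info'."""
    r = rpf_route(routes, source)
    if r is None:
        return f"no RPF route to {source}"
    return (f"RPF interface: {r.interface}, RPF neighbor: {r.next_hop}, "
            f"route {r.prefix} type {r.kind}")


if __name__ == "__main__":
    for name, table, src in (("11.6.15 before", ROUTERB_11_6_15, "8.1.1.2"),
                             ("11.6.15 after", ROUTERB_11_6_15_STATIC, "8.1.1.2"),
                             ("11.6.16 before", ROUTERB_11_6_16, "10.1.5.2"),
                             ("11.6.16 after", ROUTERB_11_6_16_STATIC, "10.1.5.2")):
        print(name, "->", describe(table, src))
```

Two things the model makes visible. First, a multicast static route changes only the RPF check; it never alters unicast forwarding, which is why 11.6.15 can send multicast via RouterC while unicast to 8.1.1.0/24 still goes via RouterA. Second, the RPF check is the mechanism that stops a router from accepting multicast from an interface it should not trust, so a multicast static route pointing at the wrong neighbor both opens that interface to traffic for the covered prefix and causes the legitimate path to fail the check and be dropped.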
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 10.1.5.1 255.255.255.0
 pim dm
#
interface GigabitEthernet3/0/0
 ip address 10.1.4.2 255.255.255.0
 pim dm
#
return
Configuration file of RouterB
#
 sysname RouterB
#
multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 10.1.2.2 255.255.255.0
 pim dm
#
interface GigabitEthernet2/0/0
 ip address 10.1.3.1 255.255.255.0
 pim dm
#
interface GigabitEthernet3/0/0
 ip address 10.1.4.1 255.255.255.0
 pim dm
#
ospf 1
 area 0.0.0.0
Configuration file of RouterC
#
 sysname RouterC
#
multicast routing-enable
#
interface GigabitEthernet1/0/0
 ip address 10.1.2.1 255.255.255.0
 pim dm
#
interface GigabitEthernet2/0/0
 ip address 10.1.1.1 255.255.255.0
 pim dm
 igmp enable
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 10.1.2.0 0.0.0.255
#
ip rpf-route-static 10.1.5.0 24 10.1.2.2
#
11.6.17 Example for Configuring Multicast Load Splitting
Networking Requirements
As shown in Figure 11-6-17, RouterE connects to HostA and has three equal-cost routes to the multicast source (Source). Under the default RPF check policy, RouterE selects only one of the equal-cost routes to transmit multicast data. When the multicast traffic rate is high, that one path may become congested and degrade the quality of multicast services. To ensure the quality of multicast services, configure multicast load splitting so that multicast data is transmitted over multiple equal-cost routes.
Figure 11-6-17 Networking diagram of multicast load splitting
[Figure 11-6-17 table: Router / Interface and IP Address, with rows for RouterA, RouterB, RouterC, RouterD, and RouterE. The per-interface addresses are the ones used in the Procedure and Configuration Files below.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for the interfaces on each router.
2. Configure a unicast routing protocol (IS-IS in this example) to implement interworking among all the routers and ensure that route costs are the same.
3. Enable multicast routing on all the routers, enable PIM-SM on all interfaces, and configure Loopback0 of RouterA as a C-BSR and C-RP.
4. On RouterE, configure stable-preferred multicast load splitting to ensure stable transmission of multicast services.
5. On RouterE, configure static multicast groups on the interface connected to HostA, because HostA needs to receive data of these groups for a long time.
6. On RouterE, configure different multicast load splitting weights for the interfaces connected to the upstream routers to implement unbalanced load splitting, because HostA needs to receive multicast data of new groups.
Procedure
1. Configure IP addresses for the interfaces on the routers.
# Configure IP addresses and masks for interfaces on the routers. (The configurations of the other routers are similar to the configuration of RouterA.)
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 10.110.1.2 24
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] ip address 192.168.1.1 24
[RouterA-GigabitEthernet2/0/1] quit
[RouterA] interface gigabitethernet 2/0/2
[RouterA-GigabitEthernet2/0/2] ip address 192.168.2.1 24
[RouterA-GigabitEthernet2/0/2] quit
[RouterA] interface gigabitethernet 2/0/3
[RouterA-GigabitEthernet2/0/3] ip address 192.168.3.1 24
[RouterA-GigabitEthernet2/0/3] quit
[RouterA] interface loopback0
[RouterA-LoopBack0] ip address 1.1.1.1 32
[RouterA-LoopBack0] quit
2. Configure IS-IS to implement interworking among all the routers and ensure that route costs are the same.
# Configure RouterA. (The configurations of the other routers are similar to the configuration of RouterA.)
[RouterA] isis
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
3. Enable multicast routing on all the routers and enable PIM-SM on all interfaces.
# Configure RouterA. (The configurations of the other routers are similar to the configuration of RouterA.)
[RouterA] multicast routing-enable
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] pim sm
[RouterA-GigabitEthernet1/0/0] quit
[RouterA] interface gigabitethernet 2/0/1
[RouterA-GigabitEthernet2/0/1] pim sm
[RouterA-GigabitEthernet2/0/1] quit
[RouterA] interface gigabitethernet 2/0/2
[RouterA-GigabitEthernet2/0/2] pim sm
[RouterA-GigabitEthernet2/0/2] quit
[RouterA] interface gigabitethernet 2/0/3
[RouterA-GigabitEthernet2/0/3] pim sm
[RouterA-GigabitEthernet2/0/3] quit
[RouterA] interface loopback 0
[RouterA-LoopBack0] pim sm
[RouterA-LoopBack0] quit
4. Configure a C-RP on RouterA.
# Configure Loopback0 of RouterA as a C-BSR and C-RP.
[RouterA] pim
6. Configure static multicast groups on the interface of RouterE connected to HostA.
# Configure static multicast groups 225.1.1.1 to 225.1.1.3 on GE2/0/0.
[RouterE] interface gigabitethernet2/0/0
[RouterE-GigabitEthernet2/0/0] igmp static-group 225.1.1.1 inc-step-mask 32 number 3
[RouterE-GigabitEthernet2/0/0] quit
7. Verify the configuration of stable-preferred multicast load splitting.
# Source (10.110.1.1/24) sends multicast data to multicast groups 225.1.1.1 to 225.1.1.3. HostA can receive multicast data from Source. Check brief information about the PIM routing table on RouterE.
display pim routing-table brief
 VPN-Instance: public net
 Total 3 (*, G) entries; 3 (S, G) entries
 00001.(*, 225.1.1.1)
     Upstream interface:GE1/0/3
     Number of downstream:1
 00002.(10.110.1.1, 225.1.1.1)
     Upstream interface:GE1/0/3
     Number of downstream:1
 00003.(*, 225.1.1.2)
     Upstream interface:GE1/0/2
     Number of downstream:1
 00004.(10.110.1.1, 225.1.1.2)
     Upstream interface:GE1/0/2
     Number of downstream:1
 00005.(*, 225.1.1.3)
     Upstream interface:GE1/0/1
     Number of downstream:1
 00006.(10.110.1.1, 225.1.1.3)
     Upstream interface:GE1/0/1
     Number of downstream:1
(*, G) and (S, G) entries are evenly distributed on the three equal-cost routes. The upstream interfaces of the routes are GE1/0/1, GE1/0/2, GE1/0/3 respectively.
NOTE: The load splitting algorithm processes (*, G) and (S, G) entries separately using the same rule.
8. Set different multicast load splitting weights for upstream interfaces of RouterE to implement uneven multicast load splitting.
# Set the multicast load splitting weight of GE1/0/1 to 3.
[RouterE] interface gigabitethernet 1/0/1
[RouterE-GigabitEthernet1/0/1] multicast load-splitting weight 3
[RouterE-GigabitEthernet1/0/1] quit
# Set the multicast load splitting weight of GE1/0/2 to 2.
[RouterE] interface gigabitethernet 1/0/2
[RouterE-GigabitEthernet1/0/2] multicast load-splitting weight 2
[RouterE-GigabitEthernet1/0/2] quit
9. Configure new static multicast groups on the interface of RouterE connected to HostA.
# Configure static multicast groups 225.1.1.4 to 225.1.1.6 on GE2/0/0.
[RouterE] interface gigabitethernet 2/0/0
[RouterE-GigabitEthernet2/0/0] igmp static-group 225.1.1.4 inc-step-mask 32 number 3
[RouterE-GigabitEthernet2/0/0] quit
10. Verify the configuration of uneven multicast load splitting.
# Source (10.110.1.1/24) sends multicast data to multicast groups 225.1.1.1 to 225.1.1.6. HostA can receive multicast data from Source. Check brief information about the PIM routing table on RouterE.
display pim routing-table brief
 VPN-Instance: public net
 Total 9 (*, G) entries; 9 (S, G) entries
 00001.(*, 225.1.1.1)
     Upstream interface:GE1/0/3
     Number of downstream:1
 00002.(10.110.1.1, 225.1.1.1)
     Upstream interface:GE1/0/3
     Number of downstream:1
 00003.(*, 225.1.1.2)
     Upstream interface:GE1/0/2
     Number of downstream:1
 00004.(10.110.1.1, 225.1.1.2)
     Upstream interface:GE1/0/2
     Number of downstream:1
 00005.(*, 225.1.1.3)
     Upstream interface:GE1/0/1
     Number of downstream:1
 00006.(10.110.1.1, 225.1.1.3)
     Upstream interface:GE1/0/1
     Number of downstream:1
 00007.(*, 225.1.1.4)
     Upstream interface:GE1/0/1
     Number of downstream:1
 00008.(10.110.1.1, 225.1.1.4)
     Upstream interface:GE1/0/1
     Number of downstream:1
 00009.(*, 225.1.1.5)
     Upstream interface:GE1/0/1
     Number of downstream:1
 00010.(10.110.1.1, 225.1.1.5)
     Upstream interface:GE1/0/1
     Number of downstream:1
 00011.(*, 225.1.1.6)
     Upstream interface:GE1/0/1
     Number of downstream:1
 00012.(10.110.1.1, 225.1.1.6)
     Upstream interface:GE1/0/2
     Number of downstream:1
 00013.(*, 225.1.1.7)
     Upstream interface:GE1/0/1
     Number of downstream:1
 00014.(10.110.1.1, 225.1.1.7)
     Upstream interface:GE1/0/1
     Number of downstream:1
 00015.(*, 225.1.1.8)
     Upstream interface:GE1/0/1
     Number of downstream:1
 00016.(10.110.1.1, 225.1.1.8)
     Upstream interface:GE1/0/2
     Number of downstream:1
 00017.(*, 225.1.1.9)
     Upstream interface:GE1/0/1
     Number of downstream:1
 00018.(10.110.1.1, 225.1.1.9)
     Upstream interface:GE1/0/1
     Number of downstream:1
The upstream interfaces of the existing (*, G) and (S, G) entries remain unchanged. GE1/0/1 has a larger multicast load splitting weight (3) than GE1/0/2 (2), so more of the new (*, G) and (S, G) entries are distributed to the route with GE1/0/1 as the upstream interface. The weight of GE1/0/3 is 1 (the default), smaller than the weights of GE1/0/1 and GE1/0/2, so the route with GE1/0/3 as the upstream interface receives no new entries.
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
multicast routing-enable
#
isis 1
 network-entity 10.0000.0000.0001.00
#
interface GigabitEthernet1/0/0
 ip address 10.110.1.2 255.255.255.0
 isis enable 1
 pim sm
#
interface GigabitEthernet2/0/1
 ip address 192.168.1.1 255.255.255.0
 isis enable 1
 pim sm
#
interface GigabitEthernet2/0/2
 ip address 192.168.2.1 255.255.255.0
 isis enable 1
 pim sm
#
interface GigabitEthernet2/0/3
 ip address 192.168.3.1 255.255.255.0
 isis enable 1
 pim sm
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
 isis enable 1
 pim sm
#
pim
 c-bsr LoopBack0
 c-rp LoopBack0
#
return
Configuration file of RouterB
#
 sysname RouterB
#
multicast routing-enable
#
isis 1
 network-entity 10.0000.0000.0002.00
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 255.255.255.0
 isis enable 1
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 192.168.4.1 255.255.255.0
 isis enable 1
 pim sm
#
return
Configuration file of RouterC
#
 sysname RouterC
#
multicast routing-enable
#
isis 1
 network-entity 10.0000.0000.0003.00
#
interface GigabitEthernet1/0/0
 ip address 192.168.2.2 255.255.255.0
 isis enable 1
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 192.168.5.1 255.255.255.0
 isis enable 1
 pim sm
#
return
Configuration file of RouterD
#
 sysname RouterD
#
multicast routing-enable
#
isis 1
 network-entity 10.0000.0000.0004.00
#
interface GigabitEthernet1/0/0
 ip address 192.168.3.2 255.255.255.0
 isis enable 1
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 192.168.6.1 255.255.255.0
 isis enable 1
 pim sm
#
return
Configuration file of RouterE
#
 sysname RouterE
#
multicast routing-enable
multicast load-splitting stable-preferred
#
isis 1
 network-entity 10.0000.0000.0005.00
#
interface GigabitEthernet1/0/1
 ip address 192.168.4.2 255.255.255.0
 isis enable 1
 pim sm
 multicast load-splitting weight 3
#
interface GigabitEthernet1/0/2
 ip address 192.168.5.2 255.255.255.0
 isis enable 1
 pim sm
 multicast load-splitting weight 2
#
interface GigabitEthernet1/0/3
 ip address 192.168.6.2 255.255.255.0
 isis enable 1
 pim sm
#
interface GigabitEthernet2/0/0
 ip address 10.110.2.2 255.255.255.0
 isis enable 1
 pim sm
 igmp static-group 225.1.1.1 inc-step-mask 0.0.0.1 number 3
 igmp static-group 225.1.1.4 inc-step-mask 0.0.0.1 number 3
#
return
Chapter 12 IPv6
12.1 IPv6 Addresses
12.1.1 IPv6 Address Formats
An IPv6 address is 128 bits long. It is written as eight groups of four hexadecimal digits (0 to 9, A to F), with the groups separated by colons (:). For example, 2031:0000:130F:0000:0000:09C0:876A:130B is a valid IPv6 address. This is the preferred format. For convenience, IPv6 also defines a compressed format. The following uses the IPv6 address 2031:0000:130F:0000:0000:09C0:876A:130B as an example to describe the compressed format:
Any zeros at the beginning of a group can be omitted. Then the given example becomes 2031:0:130F:0:0:9C0:876A:130B.
A double colon (::) can be used in an IPv6 address when two or more consecutive groups contain all zeros. Then the given example can be written as 2031:0:130F::9C0:876A:130B.
NOTE: An IPv6 address can contain only one double colon (::). Otherwise, a computer cannot determine the number of zeros in a group when restoring the compressed address to the original 128-bit address.
12.1.2 IPv6 Address Structure An IPv6 address has two parts:
Network prefix: corresponds to the network ID of an IPv4 address. It is of n bits.
Interface identifier (interface ID): corresponds to the host ID of an IPv4 address. It is of 128-n bits.
NOTE: If the first 3 bits of an IPv6 unicast address are not 000, the interface ID must be 64 bits long. If the first 3 bits are 000, there is no such limitation.
The interface ID can be manually configured, generated by the system software, or derived in IEEE 64-bit Extended Unique Identifier (EUI-64) format. Deriving it in EUI-64 format is the most common method: the EUI-64 procedure converts the interface MAC address into an IPv6 interface ID. As shown in Figure 12-1-1, a 48-bit MAC address consists of a 24-bit vendor identifier (expressed by c) followed by a 24-bit extension identifier (expressed by m). The seventh bit from the left of the first octet is the universal/local (U/L) bit: it is 0 for a universally administered (globally unique) MAC address and 1 for a locally administered one. During conversion, EUI-64 inserts FFFE between the vendor identifier and the extension identifier, and the modified EUI-64 format used by IPv6 (RFC 4291) inverts the U/L bit, so that a value of 1 in the resulting interface ID indicates that it was derived from a globally unique MAC address.
Figure 12-1-1 EUI-64 format
For example, if the MAC address is 00-0E-0C-82-C4-D4, the interface ID after conversion is 020E:0CFF:FE82:C4D4. Converting MAC addresses into interface IDs reduces the configuration workload: with stateless address autoconfiguration, a node only needs an IPv6 network prefix to form a complete address. The drawback is that the mapping is reversible. The MAC address can be read directly out of the interface ID, and because the interface ID stays the same under every prefix, the host can be correlated across the networks it visits. For this reason hosts commonly use temporary addresses (RFC 4941) or stable but opaque interface IDs (RFC 7217) instead of EUI-64.
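The conversion described above, together with its inverse, as an added example (this is illustration code written for this page, not code from the training material or from any Huawei product). It uses only the Python standard library; the MAC address and the 2001:db8:1::/64 prefix are the ones from the text and a documentation prefix, nothing else is assumed.

```python
# Added example, not from the training material: modified EUI-64 interface
# IDs (RFC 4291 Appendix A) and the reverse mapping that exposes the MAC.
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface ID: split the MAC in half, insert FF FE,
    and invert the U/L bit (0x02 in the first octet)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def iid_to_text(iid: bytes) -> str:
    """Render the 8-byte interface ID as four hex groups."""
    return ":".join(f"{iid[i]:02x}{iid[i + 1]:02x}" for i in range(0, 8, 2))


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/10, 54 zero bits, then the EUI-64 interface ID."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + mac_to_modified_eui64(mac))


def address_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """What stateless autoconfiguration forms from a /64 prefix and the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_modified_eui64(mac))


def mac_from_address(address) -> str:
    """Inverse mapping: recover the MAC when the interface ID is EUI-64 shaped
    (FF FE in the middle); return None for any other interface ID."""
    iid = bytearray(ipaddress.IPv6Address(address).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "00-0E-0C-82-C4-D4"
    print(iid_to_text(mac_to_modified_eui64(mac)))   # 020e:0cff:fe82:c4d4
    print(link_local_from_mac(mac))                   # fe80::20e:cff:fe82:c4d4
    global_addr = address_from_prefix("2001:db8:1::/64", mac)
    print(global_addr, "->", mac_from_address(global_addr))
```

mac_from_address is the privacy problem in one function: anyone who sees the address (a web server log, a DNS query, a mail header) recovers the hardware address and can recognise the same host under any other prefix, which is why the FF FE pattern is a useful indicator when reviewing whether a fleet still uses EUI-64 addresses.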
12.1.3 IPv6 Address Types
IPv6 addresses are classified into unicast, anycast, and multicast addresses. Compared with IPv4, IPv6 has no broadcast address: multicast (for example, the all-nodes group FF02::1) takes over the functions that broadcast served in IPv4, and a new address type, the anycast address, is introduced.
IPv6 Unicast Address An IPv6 unicast address identifies an interface. Each interface belongs to a node. Therefore, the IPv6 unicast address of any interface on a node can identify the node. Packets sent to an IPv6 unicast address are delivered to the interface identified by the unicast address. IPv6 defines multiple unicast addresses, including unspecified address, loopback address, global unicast address, link-local address, and unique local address.
Unspecified address An IPv6 unspecified address is 0:0:0:0:0:0:0:0/128 or ::/128, indicating that an interface or a node does not have an IP address. It can be used as the source IP address of some packets, such as Neighbor Solicitation (NS) message in duplicate address detection. Routers do not forward the packets with the source IP address as an unspecified address.
Loopback address
An IPv6 loopback address is 0:0:0:0:0:0:0:1/128 or ::1/128. Like the IPv4 loopback address 127.0.0.1, it is used when a node needs to send IPv6 packets to itself, and it is normally the address of the node's loopback interface. The loopback address cannot be used as the source or destination IP address of packets that need to be forwarded; a packet received on a physical interface with ::1 as its destination must be dropped.
Global unicast address An IPv6 global unicast address is an IPv6 address with a global unicast prefix, which is similar to an IPv4 public address. IPv6 global unicast addresses support route prefix summarization, helping limit the number of global routing entries. A global unicast address consists of a global routing prefix, subnet ID, and interface ID, as shown in Figure 12-1-2.
Figure 12-1-2 Global unicast address format
Global routing prefix: is assigned by a service provider to an organization. A global routing prefix is at least 48 bits long. Currently, the first 3 bits of all assigned global routing prefixes are 001 (2000::/3).
Subnet ID: is used by an organization to build subnets within its site, similar to an IPv4 subnet number. The global routing prefix and subnet ID together occupy at most 64 bits.
Interface ID: identifies a device (host).
Link-local address Link-local addresses are used only in communication between nodes on the same local link. A link-local address uses a link-local prefix FE80::/10 as the first 10 bits (1111111010 in binary) and an interface ID as the last 64 bits. When IPv6 runs on a node, each interface of the node is automatically assigned a link-local address that consists of a fixed prefix and an interface ID in EUI-64 format. This mechanism enables two IPv6 nodes on the same link to communicate without any configuration. Therefore, link-local addresses are widely used in neighbor discovery and stateless address configuration. Routers do not forward IPv6 packets with the link-local address as a source or destination address to devices on different links. Figure 12-1-3 shows the link-local address format.
Figure 12-1-3 Link-local address format
Unique local address Unique local addresses are used only within a site. Site-local addresses are deprecated in RFC 3879 and replaced by unique local addresses in RFC 4193. Unique local addresses are similar to IPv4 private addresses. Any organization that does not obtain a global unicast address from a service provider can use a unique local address. Unique local addresses are routable only within a local network but not the Internet. Figure 12-1-4 shows the unique local address format.
Figure 12-1-4 Unique local address format
Prefix: is fixed as FC00::/7.
L: is set to 1 if the prefix is locally assigned (giving FD00::/8). The value 0 is reserved for future use.
Global ID: a 40-bit pseudo-randomly generated identifier that makes the prefix globally unique with high probability (for details, see RFC 4193).
Subnet ID: identifies a subnet within the site.
Interface ID: identifies an interface.
A unique local address has the following characteristics:
Has a globally unique prefix. The prefix is pseudo-randomly allocated and has a high probability of uniqueness.
Allows private connections between sites without creating address conflicts.
Has a well-known prefix (FC00::/7) that allows for easy route filtering at site boundaries.
Does not conflict with any other addresses if it is leaked outside of the site through routing.
Functions as a global unicast address to applications.
Is independent of the Internet Service Provider (ISP).
IPv6 Multicast Address Like an IPv4 multicast address, an IPv6 multicast address identifies a group of interfaces, which usually belong to different nodes. A node may belong to any number of multicast groups. Packets sent to an IPv6 multicast address are delivered to all the interfaces identified by the multicast address. An IPv6 multicast address is composed of a prefix, flag, scope, and group ID (global ID):
Prefix: is fixed as FF00::/8 (1111 1111).
Flag: is 4 bits long. The high-order 3 bits are reserved and must be set to 0s. The last bit 0 indicates a permanently-assigned (well-known) multicast address allocated by the Internet Assigned Numbers Authority (IANA). The last bit 1 indicates a non-permanently-assigned (transient) multicast address.
Scope: is 4 bits long. It limits the scope where multicast data flows are sent on the network. Figure 12-1-5 shows the field values and meanings.
Group ID (global ID): is 112 bits long. It identifies a multicast group. RFC 2373 does not define all the 112 bits as a group ID but recommends using the low-order 32 bits as the group ID and setting all the remaining 80 bits to 0s. In this case, each multicast group ID maps to a unique Ethernet multicast MAC address (for details, see RFC 2464).
Figure 12-1-5 shows the IPv6 multicast address format.
Figure 12-1-5 IPv6 multicast address format
Solicited-node multicast address
A solicited-node multicast address is generated from an IPv6 unicast or anycast address of a node. When a node is assigned an IPv6 unicast or anycast address, the corresponding solicited-node multicast address is generated and the node joins that multicast group. Each unicast or anycast address therefore has a corresponding solicited-node multicast address, which is used in neighbor discovery and duplicate address detection.
IPv6 does not support broadcast addresses or Address Resolution Protocol (ARP). In IPv6, Neighbor Solicitation (NS) packets are used to resolve IP addresses to MAC addresses. When a node needs to resolve an IPv6 address to a MAC address, it sends an NS packet in which the destination IP address is the solicited-node multicast address corresponding to the IPv6 address. The solicited-node multicast address consists of the prefix FF02::1:FF00:0/104 and the last 24 bits of the corresponding unicast address.
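How the solicited-node address and the Ethernet multicast MAC are derived, and how the flag and scope fields of a multicast address are read, as an added example (illustration code written for this page, not from the training material). It assumes only the Python standard library and the RFC 4291 and RFC 2464 layouts; the link-local address used in the demonstration is the EUI-64 address of MAC 00-0E-0C-82-C4-D4 from the previous section.

```python
# Added example, not from the training material: derive the solicited-node
# multicast address and Ethernet multicast MAC for a unicast address, and
# decode the flag and scope fields of any IPv6 multicast address.
import ipaddress

# Scope values from RFC 4291 section 2.7 (other values are reserved or unassigned).
SCOPE_NAMES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
               0x5: "site-local", 0x8: "organization-local", 0xE: "global"}
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node(address: str) -> ipaddress.IPv6Address:
    """FF02::1:FF00:0/104 followed by the low-order 24 bits of the address."""
    low24 = ipaddress.IPv6Address(address).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low24)


def is_solicited_node(address: str) -> bool:
    return ipaddress.IPv6Address(address) in SOLICITED_NODE_PREFIX


def multicast_mac(address: str) -> str:
    """RFC 2464: 33-33 followed by the low-order 32 bits of the group address."""
    packed = ipaddress.IPv6Address(address).packed
    if packed[0] != 0xFF:
        raise ValueError(f"{address} is not a multicast address")
    return ":".join(f"{b:02x}" for b in b"\x33\x33" + packed[-4:])


def describe_multicast(address: str) -> dict:
    """Split FF | flags (4 bits) | scope (4 bits) | group ID (112 bits)."""
    packed = ipaddress.IPv6Address(address).packed
    if packed[0] != 0xFF:
        raise ValueError(f"{address} is not a multicast address")
    flags, scope = packed[1] >> 4, packed[1] & 0x0F
    return {
        "transient": bool(flags & 0x1),   # T flag: 0 well-known (IANA), 1 transient
        "scope": SCOPE_NAMES.get(scope, f"reserved/unassigned ({scope:#x})"),
        "group_id": int.from_bytes(packed[2:], "big"),
        "mac": multicast_mac(address),
    }


if __name__ == "__main__":
    unicast = "fe80::20e:cff:fe82:c4d4"   # link-local derived from 00-0E-0C-82-C4-D4
    group = solicited_node(unicast)
    print(unicast, "->", group, describe_multicast(str(group)))
```

Two addresses that share their low 24 bits map to the same solicited-node group, so an NS for a global address and one for the link-local address of the same interface land in the same group; that is by design, and it is also why a host filtering on the Ethernet multicast MAC 33:33:ff:xx:xx:xx still has to check the full target address inside the NS.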
IPv6 Anycast Address
An anycast address identifies a group of network interfaces, which usually belong to different nodes. Packets sent to an anycast address are delivered to the nearest interface identified by the anycast address, as determined by the routing protocols. Anycast addresses provide redundancy and load balancing when multiple hosts or nodes offer the same service. In practice, a unicast address becomes an anycast address by being assigned to more than one interface. When a unicast address is assigned to multiple hosts or nodes, the sender cannot tell which device will receive a packet addressed to the anycast address if there are multiple routes to it; this depends on the routing protocols running on the network. Anycast addresses are used in stateless applications, such as the Domain Name System (DNS). IPv6 anycast addresses are allocated from the unicast address space. Anycast addresses are also used in mobile IPv6, and the anycast prefix 2002:c058:6301:: is used for IPv6-to-IPv4 (6to4) relay.
NOTE: RFC 3513 and RFC 4291 state that IPv6 anycast addresses are assigned only to routers, not hosts, and that an anycast address must not be used as the source address of an IPv6 packet. RFC 7094 later relaxed both restrictions, but the rules above are the ones this material follows.
Subnet-router anycast address A subnet-router anycast address is predefined in RFC 3513. Packets sent to a subnet-router anycast address are delivered to the nearest router on the subnet identified by the anycast address, depending on the routing protocols. All routers must support subnet-router anycast addresses. A subnet-router anycast address is used when a node needs to communicate with any of the routers on the subnet identified by the anycast address. For example, a mobile node needs to communicate with one of the mobile agents on the home subnet. In a subnet-router anycast address, the n-bit subnet prefix identifies a subnet and the remaining bits are padded with 0s. Figure 12-1-6 shows the subnet-router anycast address format.
Figure 12-1-6 Subnet-router anycast address format
12.2 IPv6 Packet Format
An IPv6 packet has three parts: an IPv6 basic header, zero or more IPv6 extension headers, and an upper-layer protocol data unit (PDU). An upper-layer PDU consists of the upper-layer protocol header and its payload, such as an ICMPv6 packet, a TCP packet, or a UDP packet.
12.2.1 IPv6 Basic Header An IPv6 basic header is fixed as 40 bytes long and has eight fields. Each IPv6 packet must have an IPv6 basic header. The IPv6 basic header provides basic packet forwarding information and will be parsed by all routers on the forwarding path. Figure 12-2-1 shows the IPv6 basic header.
Figure 12-2-1 IPv6 basic header An IPv6 basic header contains the following fields:
Version: is 4 bits long. In IPv6, the Version field value is 6.
Traffic Class: is 8 bits long. It indicates the class or priority of an IPv6 packet. The Traffic Class field is similar to the TOS field in an IPv4 packet and is mainly used in QoS control.
Flow Label: is 20 bits long. This field is added in IPv6 to differentiate traffic. A flow label and source IP address identify a data flow. Intermediate network devices can effectively differentiate data flows based on this field.
Payload Length: is 16 bits long, which indicates the length of the IPv6 payload. The payload is the rest of the IPv6 packet following this basic header, including the extension headers and upper-layer PDU. This field can express a payload of at most 65535 bytes. If the payload length exceeds 65535 bytes, the field is set to 0 and the payload length is expressed by the Jumbo Payload option in the Hop-by-Hop Options header.
Next Header: is 8 bits long. This field identifies the type of the first extension header that follows the IPv6 basic header or the protocol type in the upper-layer PDU.
Hop Limit: is 8 bits long. This field is similar to the Time to Live field in an IPv4 packet, defining the maximum number of hops that an IP packet can pass through. The field value is decremented by 1 by each device that forwards the IP packet. When the field value becomes 0, the packet is discarded.
Source Address: is 128 bits long, which indicates the address of the packet originator.
Destination Address: is 128 bits long, which indicates the address of the packet recipient.
Compared with the IPv4 packet header, the IPv6 packet header does not carry the IHL, identifier, flag, fragment offset, header checksum, option, and padding fields but carries the flow label field. This simplifies IPv6 packet processing and improves processing efficiency. To support various options without changing the existing packet format, the extension header mechanism is added to the IPv6 packet header. This improves IPv6 flexibility. The following describes IPv6 extension headers.
12.2.2 IPv6 Extension Header
An IPv4 packet header has an optional field (Options), which includes security, timestamp, and record route options. The variable length of the Options field makes the IPv4 packet header length range from 20 bytes to 60 bytes. When routers forward IPv4 packets with the Options field, many resources need to be used. Therefore, these IPv4 packets are rarely used in practice. To improve packet processing efficiency, IPv6 uses extension headers to replace the Options field in the IPv4 header. Extension headers are placed between the IPv6 basic header and upper-layer PDU. An IPv6 packet may carry zero, one, or more extension headers. The sender of a packet adds one or more extension headers to the packet only when the sender requests other routers or the destination router to perform special handling. Unlike IPv4, IPv6 has variable-length extension headers, which are not limited to 40 bytes. This facilitates further extension. To improve extension header processing efficiency and transport protocol performance, IPv6 requires that the extension header length be an integer multiple of 8 bytes.
When multiple extension headers are used, the Next Header field of an extension header indicates the type of the next header following this extension header. As shown in Figure 12-2-2, the Next Header field in the IPv6 basic header indicates the type of the first extension header, and the Next Header field in the first extension header indicates the type of the next extension header. If the next extension header does not exist, the Next Header field indicates the upper-layer protocol type. Figure 12-2-2 shows the IPv6 extension header format.
Figure 12-2-2 IPv6 extension header format
An IPv6 extension header contains the following fields:
Next Header: is 8 bits long. It is similar to the Next Header field in the IPv6 basic header, indicating the type of the next extension header (if existing) or the upper-layer protocol type.
Extension Header Len: is 8 bits long, which indicates the extension header length excluding the Next Header field.
Extension Header Data: is of variable length. It includes a series of options and the padding field.
RFC 2460 defines six IPv6 extension headers: Hop-by-Hop Options header, Destination Options header, Routing header, Fragment header, Authentication header, and Encapsulating Security Payload header. Table 12-2-1 lists them.
Table 12-2-1 IPv6 extension headers (Header Type | Next Header Field Value | Description)
Hop-by-Hop Options header | 0 | This header carries information that must be examined by every node along the delivery path of a packet. This header is used in the following applications: jumbo payload (the payload length exceeds 65535 bytes); prompting routers to check this option before the routers forward packets; Resource Reservation Protocol (RSVP).
Destination Options header | 60 | This header carries information that needs to be examined only by the destination node of a packet. Currently, this header is used in mobile IPv6.
Routing header | 43 | Similar to the Loose Source and Record Route option in IPv4, this header is used by an IPv6 source node to specify the intermediate nodes that a packet must pass through on the way to the destination of the packet.
Fragment header | 44 | Like IPv4 packets, IPv6 packets to be forwarded cannot exceed the MTU. When the packet length exceeds the MTU, the packet needs to be fragmented. In IPv6, the Fragment header is used by an IPv6 source node to send a packet larger than the MTU.
Authentication header | 51 | This header is used in IPSec to provide data origin authentication, data integrity check, and packet anti-replay. It also protects some fields in the IPv6 basic header.
Encapsulating Security Payload header | 50 | Similar to the Authentication header, this header is used in IPSec to provide data origin authentication, data integrity check, packet anti-replay, and IPv6 packet encryption.
12.2.3 Conventions on IPv6 Extension Headers
When more than one extension header is used in the same packet, the headers must be listed in the following order:
IPv6 basic header
Hop-by-Hop Options header
Destination Options header
Routing header
Fragment header
Authentication header
Encapsulating Security Payload header
Destination Options header (for options to be processed only by the final destination of the packet)
Upper-layer header
Intermediate routers determine whether to process extension headers according to the Next Header field value in the IPv6 basic header. Not all extension headers need to be examined and processed by intermediate routers. Each extension header can only occur once in an IPv6 packet, except for the Destination Options header. The Destination Options header may occur at most twice (once before a Routing header and once before the upper-layer header).
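The basic header fields of 12.2.1, the Next Header chain of 12.2.2 and the ordering rules of 12.2.3 can be exercised with a small parser. The following is an added example written for this page, not code from the HCIE material or from Huawei; the sample packet is constructed inline and the per-header length rules (Hop-by-Hop, Destination Options and Routing in 8-byte units not counting the first 8 bytes, Fragment fixed at 8 bytes, AH in 4-byte units minus 2, ESP opaque) follow RFC 2460 and RFC 4302 rather than anything stated on this page. Walking the chain before trusting the upper-layer protocol is exactly the check a filtering device must make, because the "real" transport header may sit several extension headers deep.

```python
import struct
import ipaddress

# Next Header values: extension headers from Table 12-2-1, plus common upper layers.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
TCP, UDP, ICMPV6 = 6, 17, 58
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}
NAMES = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment", 50: "ESP",
         51: "AH", 60: "Destination Options", 6: "TCP", 17: "UDP", 58: "ICMPv6"}

# Required order from section 12.2.3. Destination Options may appear twice:
# once before the Routing header and once just before the upper-layer header.
ORDER = [HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, ESP, DEST_OPTS]


def parse_basic_header(pkt):
    """Return the eight fields of the fixed 40-byte IPv6 basic header."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 basic header")
    vtf, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet (version %d)" % (vtf >> 28))
    return {
        "version": vtf >> 28,
        "traffic_class": (vtf >> 20) & 0xFF,
        "flow_label": vtf & 0xFFFFF,
        "payload_length": plen,          # 0 means "see the Jumbo Payload option"
        "next_header": nh,
        "hop_limit": hlim,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }


def check_order(chain):
    """Enforce 12.2.3: each header at most once (Destination Options at most
    twice) and in the prescribed order. Returns True or raises ValueError."""
    pos = 0
    for h in chain:
        while pos < len(ORDER) and ORDER[pos] != h:
            pos += 1
        if pos == len(ORDER):
            raise ValueError("%s header repeated or out of order" % NAMES[h])
        pos += 1
    return True


def chain_is_valid(chain):
    try:
        return check_order(chain)
    except ValueError:
        return False


def walk_extension_headers(pkt):
    """Follow the Next Header chain from the basic header.

    Returns (extension header types in order, upper-layer protocol, offset of
    the upper-layer PDU). Raises ValueError on truncation or ordering violations.
    ESP carries no plaintext Next Header, so the walk stops there.
    """
    hdr = parse_basic_header(pkt)
    nh, off, chain = hdr["next_header"], 40, []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated %s header" % NAMES[nh])
        chain.append(nh)
        if nh == ESP:
            check_order(chain)
            return chain, ESP, off
        next_nh, ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            length = 8                      # fixed size, second byte is reserved
        elif nh == AH:
            length = (ext_len + 2) * 4      # Payload Len in 32-bit words minus 2
        else:
            length = (ext_len + 1) * 8      # Hdr Ext Len in 8-byte units, first 8 excluded
        nh, off = next_nh, off + length
    if off > len(pkt):
        raise ValueError("extension header runs past end of packet")
    check_order(chain)
    return chain, nh, off


def build_sample_packet():
    """Constructed sample (not captured traffic): basic header, a Hop-by-Hop header
    holding one PadN option, a Fragment header, then an ICMPv6 Echo Request whose
    checksum is left at zero because only header walking is demonstrated here."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    icmp = struct.pack("!BBHHH", 128, 0, 0, 1, 1)                 # Echo Request
    frag = struct.pack("!BBHI", ICMPV6, 0, 0, 0x12345678)         # next=58, offset 0, M=0
    hbh = struct.pack("!BB", FRAGMENT, 0) + b"\x01\x04" + b"\x00" * 4   # next=44, PadN(4)
    payload = hbh + frag + icmp
    basic = struct.pack("!IHBB", (6 << 28) | 0xABCDE, len(payload), HOP_BY_HOP, 64)
    return basic + src + dst + payload


if __name__ == "__main__":
    pkt = build_sample_packet()
    chain, upper, off = walk_extension_headers(pkt)
    print([NAMES[h] for h in chain], "->", NAMES[upper], "at offset", off)
```

For the constructed packet the walk yields Hop-by-Hop then Fragment, with ICMPv6 starting at byte 56; feeding a chain such as Routing followed by Hop-by-Hop to check_order raises, which is how a parser should react rather than silently accepting a malformed chain.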
12.3 ICMPv6
The Internet Control Message Protocol version 6 (ICMPv6) is one of the basic IPv6 protocols. In IPv4, ICMP reports IP packet forwarding information and errors to the source node. ICMP defines certain messages such as Destination Unreachable, Packet Too Big, Time Exceeded, and Echo Request or Echo Reply to facilitate fault diagnosis and information management. In addition to the common functions provided by ICMPv4, ICMPv6 provides mechanisms such as Neighbor Discovery (ND), stateless address configuration including duplicate address detection, and Path Maximum Transmission Unit (PMTU) discovery. The protocol number of ICMPv6, namely the value of the Next Header field in an IPv6 packet, is 58. Figure 12-3-1 shows the ICMPv6 packet format.
Figure 12-3-1 Format of an ICMPv6 packet
Each field is described as follows:
Type: specifies the message type. Values 0 to 127 indicate the error message type, and values 128 to 255 indicate the informational message type.
Code: indicates a specific message type.
Checksum: indicates the checksum of an ICMPv6 packet.
12.3.1 Classification of ICMPv6 Error Messages
Error messages report errors generated during IPv6 packet forwarding. ICMPv6 error messages are classified into the following four types:
Destination Unreachable message During IPv6 packet forwarding, if an IPv6 node detects that the destination address of a packet is unreachable, it sends an ICMPv6 Destination Unreachable message to the source node. Information about the causes for the error message is carried in the message. In an ICMPv6 Destination Unreachable message, the value of the Type field is 1. Based on different causes, the value of the Code field can be:
Code=0: No route to the destination device.
Code=1: Communication with the destination device is administratively prohibited.
Code=2: Not assigned.
Code=3: Destination IP address is unreachable.
Code=4: Destination port is unreachable.
Packet Too Big message During IPv6 packet forwarding, if an IPv6 node detects that the size of a packet exceeds the link MTU of the outbound interface, it sends an ICMPv6 Packet Too Big message to the source node. The link MTU of the outbound interface is carried in the message. PMTU discovery is implemented based on Packet Too Big messages. In a Packet Too Big message, the value of the Type field is 2 and the value of the Code field is 0.
Time Exceeded message During the transmission of IPv6 packets, when a router receives a packet with the hop limit being 0 or a router reduces the hop limit to 0, it sends an ICMPv6 Time Exceeded message to the source node. During the processing of a packet to be fragmented and reassembled, an ICMPv6 Time Exceeded message is also generated when the reassembly time is longer than the specified period. In a Time Exceeded message, the value of the Type field is 3. Based on different causes, the value of the Code field can be:
Code=0: Hop limit exceeded in packet transmission.
Code=1: Fragment reassembly timeout.
Parameter Problem message When a destination node receives an IPv6 packet, it checks the validity of the packet. If an error is detected, it sends an ICMPv6 Parameter Problem message to the source node.
In a Parameter Problem message, the value of the Type field is 4. Based on different causes, the value of the Code field can be:
Code=0: A field in the IPv6 basic header or extension header is incorrect.
Code=1: The Next Header field in the IPv6 basic header or extension header cannot be identified.
Code=2: Unknown options exist in the extension header.
12.3.2 Classification of ICMPv6 Information Messages
ICMPv6 information messages provide the diagnosis and additional host functions such as Multicast Listener Discovery (MLD) and ND. Common ICMPv6 information messages include Ping messages that consist of Echo Request and Echo Reply messages.
Echo Request messages: Echo Request messages are sent to destination nodes. After receiving an Echo Request message, the destination node responds with an Echo Reply message. In an Echo Request message, the value of the Type field is 128 and the value of the Code field is 0.
Echo Reply messages: After receiving an Echo Request message, the destination node responds with an Echo Reply message. In an Echo Reply message, the value of the Type field is 129 and the value of the Code field is 0.
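The Type/Code values of 12.3.1 and 12.3.2 are easy to table, but the part that trips up hand-written tooling is the checksum: unlike ICMPv4, the ICMPv6 checksum covers an IPv6 pseudo-header (source and destination addresses, upper-layer length, and Next Header 58), so the same message is only valid between the addresses it was built for. The following is an added example written for this page, not code from the HCIE material or from Huawei; the pseudo-header layout is taken from RFC 2460 section 8.1 and the sample addresses are constructed link-local values.

```python
import struct
import ipaddress

ICMPV6 = 58   # Next Header value identifying ICMPv6

# Type/Code values from 12.3.1 (errors, Type 0..127) and 12.3.2 / 12.4 (informational, 128..255)
ERROR_TYPES = {
    1: ("Destination Unreachable", {0: "no route to destination", 1: "administratively prohibited",
                                    3: "address unreachable", 4: "port unreachable"}),
    2: ("Packet Too Big", {0: ""}),
    3: ("Time Exceeded", {0: "hop limit exceeded in transit", 1: "fragment reassembly time exceeded"}),
    4: ("Parameter Problem", {0: "erroneous header field", 1: "unrecognized Next Header",
                              2: "unrecognized option"}),
}
INFO_TYPES = {128: "Echo Request", 129: "Echo Reply", 133: "Router Solicitation",
              134: "Router Advertisement", 135: "Neighbor Solicitation",
              136: "Neighbor Advertisement", 137: "Redirect"}


def ones_complement_sum(data):
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src, dst, upper_len):
    """IPv6 pseudo-header: src, dst, 32-bit upper-layer length, three zero bytes, Next Header."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I", upper_len) + b"\x00\x00\x00" + bytes([ICMPV6]))


def icmpv6_checksum(src, dst, msg):
    """Checksum over pseudo-header plus the ICMPv6 message (checksum field zeroed)."""
    return (~ones_complement_sum(pseudo_header(src, dst, len(msg)) + msg)) & 0xFFFF


def build_echo_request(src, dst, ident, seq, data=b""):
    """Echo Request: Type 128, Code 0, then identifier and sequence number."""
    msg = struct.pack("!BBHHH", 128, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def verify_checksum(src, dst, msg):
    """Recompute with the checksum field zeroed and compare with the carried value.
    Both addresses are part of the computation, so a message replayed between
    other addresses fails verification."""
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]
    return icmpv6_checksum(src, dst, zeroed) == struct.unpack("!H", msg[2:4])[0]


def classify(msg):
    """(category, name, detail) from the Type and Code bytes."""
    mtype, code = msg[0], msg[1]
    if mtype < 128:
        name, codes = ERROR_TYPES.get(mtype, ("unknown error", {}))
        return "error", name, codes.get(code, "code %d" % code)
    return "informational", INFO_TYPES.get(mtype, "unknown informational"), ""


def packet_too_big_mtu(msg):
    """Packet Too Big (Type 2) carries the outbound link MTU in its second 32-bit word."""
    if msg[0] != 2:
        raise ValueError("not a Packet Too Big message")
    return struct.unpack("!I", msg[4:8])[0]


if __name__ == "__main__":
    req = build_echo_request("fe80::1", "fe80::2", 1, 1)
    print(req.hex(), verify_checksum("fe80::1", "fe80::2", req), classify(req))
    ptb = struct.pack("!BBHI", 2, 0, 0, 1400)
    print(classify(ptb), packet_too_big_mtu(ptb))
```

Worked by hand for the Echo Request from fe80::1 to fe80::2 with identifier 1 and sequence 1: the pseudo-header words sum with the message words to 0x27d47, which folds to 0x7d49, giving a checksum of 0x82b6. Verifying the same bytes against fe80::3 as destination fails, which is the property a host relies on when it discards ICMPv6 errors that do not match the addresses of the packet they claim to report on.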
12.4 Neighbor Discovery
The Neighbor Discovery Protocol (NDP) is one important IPv6 basic protocol. It is an enhancement of the Address Resolution Protocol (ARP) and Internet Control Message Protocol (ICMP) router discovery. In addition to address resolution, NDP also provides the following functions: neighbor tracking, duplicate address detection, router discovery, and redirection.
12.4.1 Address Resolution
In IPv4, a host needs to obtain the link-layer address of the destination host through ARP for communication. Similar to IPv4, IPv6 NDP resolves the IP address to obtain the link-layer address. ARP packets are encapsulated in Ethernet frames with the Ethernet type value 0x0806; ARP is defined as a protocol that runs between Layer 2 and Layer 3. ND is implemented through ICMPv6 packets: the Ethernet type value for IPv6 is 0x86dd, and the Next Header value 58 in the IPv6 header indicates that the packets are ICMPv6 packets. NDP packets are encapsulated in ICMPv6 packets. Therefore, NDP is taken as a Layer 3 protocol. Layer 3 address resolution brings the following advantages:
Layer 3 address resolution enables Layer 2 devices to use the same address resolution protocol.
Layer 3 security mechanisms such as IPSec are used to prevent address resolution attacks.
Request packets are sent in multicast mode, reducing performance requirements on Layer 2 networks.
Neighbor Solicitation (NS) packets and Neighbor Advertisement (NA) packets are used during address resolution.
In an NS packet, the value of the Type field is 135 and the value of the Code field is 0. An NS packet is similar to the ARP Request packet in IPv4.
In an NA packet, the value of the Type field is 136 and the value of the Code field is 0. An NA packet is similar to the ARP Reply packet in IPv4.
Figure 12-4-1 shows the process of address resolution.
Figure 12-4-1 IPv6 address resolution
Host A needs to resolve the link-layer address of Host B before sending packets to Host B. Therefore, Host A sends an NS message on the network. In the NS message, the source IP address is the IPv6 address of Host A, and the destination IP address is the solicited-node multicast address of Host B. The target address to be resolved is the IPv6 address of Host B. This indicates that Host A wants to know the link-layer address of Host B. The Options field in the NS message carries the link-layer address of Host A. After receiving the NS message, Host B replies with an NA message. In the NA message, the source address is the IPv6 address of Host B, and the destination address is the IPv6 address of Host A (the NA message is sent to Host A in unicast mode using the link-layer address of Host A). The Options field carries the link-layer address of Host B. This is the whole address resolution process.
12.4.2 Neighbor Tracking
Communication with neighboring devices will be interrupted because of various reasons such as hardware fault and hot swapping of interface cards. If the destination address of a neighboring device becomes invalid, communication cannot be restored. If the path fails, communication can be restored. Therefore, nodes need to maintain the neighbor table to monitor the status of each neighboring device. A neighbor state can transit from one to another.
Five neighbor states are defined in RFC 2461: Incomplete, Reachable, Stale, Delay, and Probe. Figure 12-4-2 shows the transition of neighbor states.
Figure 12-4-2 Neighbor state transition
The following example describes the neighbor state changes of node A during the first communication with node B.
1. Node A sends an NS message and generates a cache entry. The neighbor state of node A is Incomplete.
2. If node B replies with an NA message, the neighbor state of node A changes from Incomplete to Reachable; otherwise, the neighbor state changes from Incomplete to Empty after a certain period of time. Node A deletes this entry.
3. After the neighbor reachable time times out, the neighbor state changes from Reachable to Stale, indicating that whether the neighbor is reachable is unknown.
4. If node A in the Reachable state receives a non-NA Request message from node B, and the link-layer address of node B carried in the message is different from that learned by node A, the neighbor state of node A immediately goes to Stale.
5. If node A in the Stale state sends data to node B, the state of node A changes from Stale to Delay. Node A sends an NS Request message.
6. After a certain period of time, the neighbor state changes from Delay to Probe. During this time, if node A receives an NA Reply message, the neighbor state of node A changes to Reachable.
7. Node A in the Probe state sends unicast NS messages at the configured interval for several times. If node A receives a Reply message, the neighbor state of node A changes from Probe to Reachable; otherwise, the state changes to Empty. Node A deletes this entry.
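The seven transitions above form a small state machine, and writing it out makes clear which events change the cached link-layer address (only an NA, or a differing address in a non-NA message) and which merely age the entry. The following is an added example written for this page, not code from the HCIE material or from Huawei; timer expiries are delivered as explicit method calls so the transitions can be exercised offline, the probe count of three is an assumed configuration value, and the MAC address is a constructed sample.

```python
EMPTY, INCOMPLETE, REACHABLE, STALE, DELAY, PROBE = (
    "Empty", "Incomplete", "Reachable", "Stale", "Delay", "Probe")


class NeighborEntry:
    """Neighbor cache entry kept by node A for one neighbor (node B)."""

    def __init__(self, ip, max_probes=3):
        self.ip = ip
        self.lladdr = None          # link-layer address learned from B
        self.state = EMPTY
        self.probes_sent = 0
        self.max_probes = max_probes
        self.sent = []              # NS messages "sent", for inspection

    def send_data(self):
        """Steps 1 and 5: A has a packet for B."""
        if self.state == EMPTY:
            self.state = INCOMPLETE
            self.sent.append("NS multicast")     # to B's solicited-node group
        elif self.state == STALE:
            self.state = DELAY
            self.sent.append("NS unicast")
        return self.state

    def receive_na(self, lladdr):
        """Steps 2, 6 and 7: a solicited NA from B confirms reachability."""
        if self.state in (INCOMPLETE, DELAY, PROBE):
            self.lladdr = lladdr
            self.state = REACHABLE
            self.probes_sent = 0
        return self.state

    def receive_other(self, lladdr):
        """Step 4: a non-NA message from B whose link-layer address differs
        from the cached one puts the entry straight into Stale."""
        if self.state == REACHABLE and lladdr != self.lladdr:
            self.lladdr = lladdr
            self.state = STALE
        return self.state

    def timer_expired(self):
        """Steps 2, 3, 6 and 7: the timer of the current state ran out."""
        if self.state == INCOMPLETE:
            self.state = EMPTY                 # no NA arrived: entry deleted
        elif self.state == REACHABLE:
            self.state = STALE                 # reachable time elapsed
        elif self.state == DELAY:
            self.state = PROBE
            self.probes_sent = 1
            self.sent.append("NS unicast")
        elif self.state == PROBE:
            if self.probes_sent < self.max_probes:
                self.probes_sent += 1
                self.sent.append("NS unicast")
            else:
                self.state = EMPTY             # probes exhausted: entry deleted
        return self.state


def first_contact_trace(b_answers=True):
    """States node A passes through during its first exchange with node B."""
    e = NeighborEntry("2001:db8::2")
    trace = [e.send_data()]
    if b_answers:
        trace.append(e.receive_na("00:00:5e:00:53:0b"))
        trace.append(e.timer_expired())      # reachable time expires -> Stale
        trace.append(e.send_data())          # new data -> Delay, unicast NS
        trace.append(e.timer_expired())      # no NA within the delay -> Probe
        while e.state == PROBE:
            trace.append(e.timer_expired())  # probes until exhausted
    else:
        trace.append(e.timer_expired())      # no NA at all -> entry removed
    return trace


if __name__ == "__main__":
    print(first_contact_trace(True))
    print(first_contact_trace(False))
```

With a neighbor that answers once and then goes silent the trace runs Incomplete, Reachable, Stale, Delay, Probe (three probes), Empty; with no answer at all it is Incomplete, Empty. Note that a message from B carrying a different link-layer address does not make the entry Reachable but Stale, so the new address is used only after it has been confirmed by a probe.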
12.4.3 Duplicate Address Detection
Before an IPv6 unicast address is assigned to an interface, duplicate address detection (DAD) is performed to check whether the address is used by another node. DAD is required if IP addresses are configured automatically. An IPv6 unicast address that is assigned to an interface but has not been verified by DAD is called a tentative address. An interface cannot use the tentative address for unicast communication but will join two multicast groups: the all-nodes multicast group and the solicited-node multicast group.
IPv6 DAD is similar to IPv4 gratuitous (free) ARP. A node sends, to the solicited-node multicast group, an NS message whose target address is the tentative address. If the node receives an NA message in reply, the tentative address is being used by another node, and this node will not use the tentative address for communication. Figure 12-4-3 shows the DAD working principle.
Figure 12-4-3 DAD example
An IPv6 address 2000::1 is assigned to Host A as a tentative IPv6 address. To check the validity of 2000::1, Host A sends an NS message to the solicited-node multicast group to which 2000::1 belongs. The NS message contains the requested address 2000::1. Since 2000::1 has not yet been assigned, the source address of the NS message is the unspecified address. After receiving the NS message, Host B processes the message in one of the following ways:
If 2000::1 is one tentative address of Host B, Host B will not use this address as an interface address and not send the NA message.
If 2000::1 is being used on Host B, Host B sends an NA message to the Solicited-node multicast group to which 2000::1 belongs. The NA message carries IP address 2000::1. Host A receives the message, finding that the tentative address is being used. Then, Host A abandons the address.
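The address resolution exchange of 12.4.1 and the DAD exchange above share one mechanism: the NS is sent to the solicited-node multicast group derived from the target address, and the receiving host decides from its own address state whether to answer. The following is an added example written for this page, not code from the HCIE material or from Huawei; it models NS and NA messages as dictionaries rather than wire bytes, derives the solicited-node group per RFC 4291 (ff02::1:ff plus the low 24 bits of the target), follows the text in having the DAD reply go to the solicited-node group, and uses constructed host names, addresses and MAC addresses.

```python
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")
UNSPECIFIED = ipaddress.IPv6Address("::")
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX with XX:XXXX = low 24 bits of the unicast address (RFC 4291)."""
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | (int(ipaddress.IPv6Address(addr)) & 0xFFFFFF))


def build_ns(src, target, src_lladdr=None):
    """NS (Type 135). A DAD probe uses '::' as source and carries no link-layer option."""
    msg = {"type": 135, "code": 0, "src": ipaddress.IPv6Address(src),
           "dst": solicited_node_multicast(target), "target": ipaddress.IPv6Address(target)}
    if src_lladdr:
        msg["src_lladdr"] = src_lladdr
    return msg


class Host:
    def __init__(self, name, lladdr):
        self.name, self.lladdr = name, lladdr
        self.assigned, self.tentative = set(), set()
        self.groups = {ALL_NODES}           # multicast groups the interface listens to

    def start_dad(self, addr):
        """Mark addr tentative, join its solicited-node group, return the DAD NS."""
        a = ipaddress.IPv6Address(addr)
        self.tentative.add(a)
        self.groups.add(solicited_node_multicast(a))
        return build_ns("::", a)

    def finish_dad(self, addr):
        """No NA arrived within the DAD window: the address becomes usable."""
        a = ipaddress.IPv6Address(addr)
        if a not in self.tentative:
            return False
        self.tentative.discard(a)
        self.assigned.add(a)
        return True

    def handle_ns(self, ns):
        """Rules of 12.4.1 and 12.4.3; returns an NA dict or None."""
        if ns["dst"] not in self.groups:
            return None                       # not one of our solicited-node groups
        target = ns["target"]
        if target in self.tentative:
            self.tentative.discard(target)    # both hosts probing it: give it up silently
            return None
        if target not in self.assigned:
            return None
        # DAD probe (unspecified source): answer to the solicited-node group, as in
        # the text; ordinary resolution: unicast NA back to the requester.
        dst = ns["dst"] if ns["src"] == UNSPECIFIED else ns["src"]
        return {"type": 136, "code": 0, "src": target, "dst": dst,
                "target": target, "target_lladdr": self.lladdr}

    def handle_na(self, na):
        """Returns False when the NA proves a tentative address is already in use."""
        if na["target"] in self.tentative:
            self.tentative.discard(na["target"])
            return False
        return True


def dad_scenario(in_use_on_b):
    """Figure 12-4-3: Host A tries 2000::1; Host B may already hold it."""
    a, b = Host("A", "00:00:5e:00:53:0a"), Host("B", "00:00:5e:00:53:0b")
    if in_use_on_b:
        b.start_dad("2000::1")
        b.finish_dad("2000::1")
    na = b.handle_ns(a.start_dad("2000::1"))
    if na is not None and not a.handle_na(na):
        return "abandoned"
    a.finish_dad("2000::1")
    return "assigned"


def resolution_scenario():
    """Figure 12-4-1: Host A resolves Host B's link-layer address."""
    a, b = Host("A", "00:00:5e:00:53:0a"), Host("B", "00:00:5e:00:53:0b")
    for host, addr in ((a, "2000::1"), (b, "2000::2")):
        host.start_dad(addr)
        host.finish_dad(addr)
    na = b.handle_ns(build_ns("2000::1", "2000::2", a.lladdr))
    return str(na["dst"]), na["target_lladdr"]
```

Because the DAD probe has an unspecified source, any node on the link can answer it, and a node that answers every probe prevents its neighbours from ever configuring an address; this is why a host that sees an unexpected number of DAD failures should log them rather than retry silently.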
12.4.4 Router Discovery
Router discovery is used to locate a neighboring router and learn the address prefix and configuration parameters for address autoconfiguration. IPv6 supports stateless address autoconfiguration: hosts obtain IPv6 prefixes and automatically generate interface IDs. Router discovery is the basis for IPv6 address autoconfiguration and is implemented through the following two messages:
Router Advertisement (RA) message: Each router periodically sends multicast RA messages that carry network prefixes and identifiers on the network to declare its existence to Layer 2 hosts and routers. An RA message has a value of 134 in the Type field.
Router Solicitation (RS) message: After being connected to the network, a host immediately sends an RS message to obtain network prefixes. Routers on the network reply with an RA message. An RS message has a value of 133 in the Type field.
Figure 12-4-4 shows the router discovery function.
Figure 12-4-4 Router discovery example
12.4.5 Address Autoconfiguration
IPv4 uses DHCP to automatically configure IP addresses and default gateways. This simplifies network management. The length of an IPv6 address is increased to 128 bits. Multiple terminal nodes require the function of automatic configuration. IPv6 allows both stateful and stateless address autoconfiguration. Stateless autoconfiguration enables hosts to automatically generate link-local addresses. Based on the prefixes in the RA message, hosts automatically configure global unicast addresses and obtain other information. The process of IPv6 stateless autoconfiguration is as follows:
1. A host automatically configures the link-local address based on the interface ID.
2. The host sends an NS message for duplicate address detection.
3. If an address conflict occurs, the host stops address autoconfiguration. Then addresses need to be configured manually.
4. If addresses do not conflict, the link-local address takes effect. The host is connected to the network and can communicate with the local node.
5. The host sends an RS message or receives the RA messages that routers periodically send.
6. The host obtains the IPv6 address based on the prefixes carried in the RA message and the configured interface ID specified by EUI-64.
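Steps 1 to 6 above can be carried through for a concrete interface. The following is an added example written for this page, not code from the HCIE material or from Huawei; the interface ID is the modified EUI-64 of RFC 4291 (ff:fe inserted into the middle of the 48-bit MAC and the universal/local bit flipped), the MAC address and the RA prefix are constructed sample values, and the DAD outcome is supplied by a caller-provided callback so the conflict path of step 3 can be exercised without a network.

```python
import ipaddress


def eui64_interface_id(mac):
    """48-bit MAC -> 64-bit modified EUI-64: insert ff:fe in the middle, flip the U/L bit."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:6]
    return int.from_bytes(eui, "big")


def link_local_address(mac):
    """Step 1: fe80::/64 plus the interface ID."""
    return ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac))


def global_address(prefix, mac):
    """Step 6: an RA prefix (which must be /64 for EUI-64) plus the interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def autoconfigure(mac, ra_prefixes, dad_in_use):
    """Steps 1-6 of 12.4.5. dad_in_use(addr) returns True when another node
    answered the DAD NS for addr (steps 2-4). Returns (link_local, globals);
    link_local is None when DAD fails for it, in which case autoconfiguration
    stops and the address must be configured manually (step 3)."""
    ll = link_local_address(mac)
    if dad_in_use(ll):
        return None, []
    configured = []
    for prefix in ra_prefixes:              # step 5: prefixes learned from RA messages
        g = global_address(prefix, mac)
        if not dad_in_use(g):               # each new address is also checked by DAD
            configured.append(g)
    return ll, configured


if __name__ == "__main__":
    mac = "00:00:5e:00:53:01"
    print(link_local_address(mac), autoconfigure(mac, ["2001:db8:1::/64"], lambda a: False))
```

For MAC 00:00:5e:00:53:01 the interface ID is 0200:5eff:fe00:5301, so the link-local address is fe80::200:5eff:fe00:5301 and the global address under prefix 2001:db8:1::/64 is 2001:db8:1:0:200:5eff:fe00:5301. Since the MAC is recoverable from an EUI-64 address, hosts that care about tracking use randomized interface IDs instead; the prefix handling shown here is the same either way.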
12.4.6 Default Router Priority and Route Information Discovery
If multiple routers exist on the network where hosts reside, hosts need to select forwarding routers based on the destination address of the packet. In such a case, routers advertise default router priorities and route information, which allows hosts to select the optimal forwarding router based on the packet destination address. The default router priority and route information fields are defined in an RA message. These two fields enable hosts to select the optimal forwarding router. After receiving an RA message that contains route information, hosts update their routing tables. When sending packets to other devices, hosts check the route in the routing table and select the optimal route. When receiving an RA message that carries default router priorities, hosts update their default router lists. When sending packets to other devices, hosts check the router list to select the router with the highest priority to forward packets. If the selected router does not work, hosts select the next router in descending order of priority.
12.4.7 Redirection
To choose an optimal gateway router, the gateway router sends a Redirection message to notify the sender that packets can be sent from another gateway router. A Redirection message is contained in an ICMPv6 message. A Redirection message has the value of 137 in the Type field and carries a better next hop address and the destination address of packets that need to be redirected. Figure 12-4-5 shows the process of redirecting packets.
Figure 12-4-5 Packet redirection example
Host A needs to communicate with Host B. By default, packets sent from Host A to Host B are sent through RouterA. After receiving packets from Host A, RouterA finds that sending packets to RouterB is much better. RouterA sends a Redirection message to Host A to notify Host A that RouterB is a better next hop address. The destination address of Host B is carried in the Redirection message. After receiving the Redirection message, Host A adds a host route to the default routing table. Packets sent to Host B will be directly sent to RouterB. A router sends a Redirection message in the following situations:
The destination address of the packet is not a multicast address.
Packets are not forwarded to the router through the route.
After route calculation, the outbound interface of the next hop is the interface that receives the packets.
The router finds that a better next hop IP address of the packet is on the same network segment as the source IP address of the packet.
After checking the source address of the packet, the router finds a neighboring device in the neighbor entries that uses this address as the global unicast address or the link-local unicast address.
12.5 Path MTU
In IPv4, a packet needs to be fragmented if it is oversized. When the transit device receives from a source node a packet whose size exceeds the maximum transmission unit (MTU) of its outbound interface, the transit device fragments the packet before forwarding it to the destination node. In IPv6, however, packets are fragmented on the source node to reduce the pressure on the transit device. When an interface on the transit device receives a packet whose size exceeds the MTU, the transit device discards the packet and sends an ICMPv6 Packet Too Big message to the source node. The ICMPv6 Packet Too Big message contains the MTU value of the outbound interface. The source node fragments the packet based on the MTU and sends the packet again. This increases traffic overhead. The Path MTU Discovery (PMTUD) protocol dynamically discovers the MTU value of each link on the transmission path, reducing excessive traffic overhead. PMTUD is implemented through ICMPv6 Packet Too Big messages. A source node first uses the MTU of its outbound interface as the PMTU and sends a probe packet. If a smaller MTU exists on the transmission path, the transit device sends a Packet Too Big message to the source node. The Packet Too Big message contains the MTU value of the outbound interface on the transit device. After receiving the message, the source node changes the PMTU value to the received MTU value and sends packets based on the new MTU. This process is repeated until packets are sent to the destination address. Then the source node obtains the PMTU of the destination address.
NOTE: The switch supports the MTU setting on a VLANIF interface. Then packets sent by the protocol stack are fragmented based on the configured MTU. However, the hardware chip does not support the MTU setting, and the default MTU is 12K.
Figure 12-5-1 shows the process of PMTU discovery.
Figure 12-5-1 PMTU discovery
Packets are transmitted through four links. The MTU values of the four links are 1500, 1500, 1400, and 1300 bytes respectively. Before sending a packet, the source node fragments the packet based on PMTU 1500. When the packet is sent to the outbound interface with MTU 1400, the router returns a Packet Too Big message that carries MTU 1400. After receiving the message, the source node fragments the packet based on MTU 1400 and sends the fragmented packet again. When the packet is sent to the outbound interface with MTU 1300, the router returns another Packet Too Big message that carries MTU 1300. The source node receives the message and fragments the packet based on MTU 1300. In this way, the source node sends the packet to the destination address and discovers the PMTU of the transmission path.
NOTE: IPv6 allows a minimum MTU of 1280 bytes. Therefore, the PMTU must be greater than 1280 bytes. PMTU of 1500 bytes is recommended.
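The walk through Figure 12-5-1 and the 1280-byte floor of the note can be simulated directly. The following is an added example written for this page, not code from the HCIE material or from Huawei; the path is a constructed list of the four link MTUs from the text, and the host-side checks on a received Packet Too Big value (reject anything below 1280, reject anything that would not shrink the current PMTU) are the defensive behaviour a host applies because such messages are unauthenticated and any on-path node can send one.

```python
IPV6_MIN_MTU = 1280          # every IPv6 link must carry at least this much
IPV6_HDR, FRAG_HDR = 40, 8   # basic header and Fragment header sizes


def forward(packet_size, link_mtus):
    """Walk the path; return None on delivery, or the MTU of the first link the
    packet does not fit (the value the Packet Too Big message would carry)."""
    for mtu in link_mtus:
        if packet_size > mtu:
            return mtu
    return None


def apply_packet_too_big(current_pmtu, advertised_mtu):
    """Host-side sanity checks before trusting a Packet Too Big message: ignore
    values below the IPv6 minimum and values that would not shrink the PMTU."""
    if advertised_mtu < IPV6_MIN_MTU or advertised_mtu >= current_pmtu:
        return current_pmtu
    return advertised_mtu


def discover_pmtu(link_mtus, max_rounds=16):
    """Start from the outbound interface MTU and shrink on each Packet Too Big.
    Returns (pmtu, [MTU values received in Packet Too Big messages])."""
    pmtu, received = link_mtus[0], []
    for _ in range(max_rounds):
        ptb = forward(pmtu, link_mtus)
        if ptb is None:
            return pmtu, received             # probe reached the destination
        received.append(ptb)
        new_pmtu = apply_packet_too_big(pmtu, ptb)
        if new_pmtu == pmtu:
            raise ValueError("unusable Packet Too Big value %d" % ptb)
        pmtu = new_pmtu
    raise RuntimeError("PMTU discovery did not converge")


def fragment_count(payload_len, pmtu):
    """Fragments the source sends for payload_len bytes of upper-layer data: every
    fragment carries the 40-byte basic header, the 8-byte Fragment header and a
    chunk that is a multiple of 8 bytes (except the last one)."""
    per_fragment = (pmtu - IPV6_HDR - FRAG_HDR) // 8 * 8
    return -(-payload_len // per_fragment)     # ceiling division


if __name__ == "__main__":
    path = [1500, 1500, 1400, 1300]            # link MTUs from Figure 12-5-1
    pmtu, ptbs = discover_pmtu(path)
    print("PMTU", pmtu, "after Packet Too Big values", ptbs)
    print("4000-byte payload needs", fragment_count(4000, pmtu), "fragments")
```

On the four-link path the source receives Packet Too Big messages carrying 1400 and then 1300 and settles on a PMTU of 1300; a message advertising 1000 would be ignored, since a link that small is not a valid IPv6 link and honouring it would only shrink every packet the host sends.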
12.6 Dual Protocol Stack
Dual protocol stack is a technology used for the transition from the IPv4 network to the IPv6 network. Nodes on a dual stack network support both IPv4 and IPv6 protocol stacks. A source node and a destination node use the same protocol stack. Network devices select the protocol stack with which to process and forward packets based on the protocol type of the packets. You can implement a dual protocol stack on a single device or on a dual stack backbone network. On the dual stack backbone network, all devices must support both IPv4 and IPv6 protocol stacks. Interfaces connecting to the dual stack network must be configured with both IPv4 and IPv6 addresses. Figure 12-6-1 shows the structures of a single protocol stack and a dual protocol stack.
Figure 12-6-1 Dual protocol stack
A dual protocol stack has the following advantages:
Supported by multiple link protocols. Multiple link protocols, such as Ethernet, support dual protocol stacks. In Figure 12-6-1, the link protocol is Ethernet. In an Ethernet frame, if the value of the Protocol ID field is 0x0800, the network layer receives IPv4 packets. If the value of the Protocol ID field is 0x86DD, the network layer receives IPv6 packets.
Supported by multiple applications. Multiple applications, such as the DNS, FTP, and Telnet, support dual protocol stacks. The upper layer applications, such as the DNS, can use TCP or UDP as the transport layer protocol. However, they prefer the IPv6 protocol stack rather than the IPv4 protocol stack as the network layer protocol.
Figure 12-6-2 shows a typical application of the dual IPv4/IPv6 protocol stack.
Figure 12-6-2 Networking diagram for applying a dual protocol stack
As shown in Figure 12-6-2, an application that supports the dual protocol stack requests the IP address corresponding to the domain name www.example.com from the DNS server. The host sends a DNS request packet to the DNS server, requesting the IP address corresponding to the domain name www.example.com. The DNS server responds with the requested IP address. The IP address can be 10.1.1.1 or 3ffe:yyyy::1. If the host sends an A query, it requests the IPv4 address from the DNS server. If the host sends an AAAA query, it requests the IPv6 address from the DNS server.
The router in the figure supports the dual protocol stack. The router uses the IPv4 protocol stack to connect the host to the network server with the IPv4 address 10.1.1.1, and uses the IPv6 protocol stack to connect the host to the network server with the IPv6 address 3ffe:yyyy::1.
12.7 IPv6 over IPv4 Tunnel
Tunneling is an encapsulation technology: packets of one network layer protocol are encapsulated as packets of another network layer protocol for transmission. A tunnel is a virtual point-to-point (P2P) connection. It provides a path through which encapsulated packets are transmitted. Datagrams are encapsulated at one end and then decapsulated at the other end of the tunnel. Tunnel technology refers to the process by which datagrams are encapsulated, transmitted, and decapsulated. It is of great importance for the transition from IPv4 to IPv6. Exhaustion of IPv4 addresses brings an urgent demand for transition to IPv6. As IPv6 is not compatible with IPv4, you need to replace devices on the original IPv4 network. Replacing a large number of devices on the IPv4 network costs a lot and causes service interruption on the current network. Therefore, transition from IPv4 networks to IPv6 networks must be performed step by step. During the early transition, a large number of IPv4 networks have been deployed, whereas IPv6 networks are isolated sites around the world. You can create tunnels on the IPv4 networks to connect the isolated IPv6 sites. These tunnels are called IPv6 over IPv4 tunnels. Figure 12-7-1 shows how to apply the IPv6 over IPv4 tunnel.
Figure 12-7-1 Networking diagram for applying the IPv6 over IPv4 tunnel
1. On the border router, the dual IPv4/IPv6 protocol stack is enabled, and an IPv6 over IPv4 tunnel is configured.
2. After the border router receives a packet from the IPv6 network, the router appends an IPv4 header to the IPv6 packet to encapsulate the IPv6 packet as an IPv4 packet if the destination address of the IPv6 packet is not the router and the outbound interface of the next hop is the tunnel interface.
3. On the IPv4 network, the encapsulated packet is transmitted to the remote border router.
4. The remote border router decapsulates the packet, removes the IPv4 header, and sends the decapsulated IPv6 packet to the IPv6 network.
A tunnel is established when its start and end points are determined. You must manually configure an IPv4 address at the start point of an IPv6 over IPv4 tunnel. The IPv4 address at the end point of the tunnel can be determined manually or automatically. Based on the mode in which the end point IPv4 address is obtained, IPv6 over IPv4 tunnels are classified into manual tunnels and automatic tunnels.
Manual tunnel: If a tunnel is created manually, a border router cannot automatically obtain an IPv4 address at the end point. You must manually configure an end point IPv4 address before packets can be transmitted to the remote border router.
Automatic tunnel: If a tunnel is created automatically, a border router can automatically obtain an IPv4 address at the end point. The addresses of two interfaces on both ends of the tunnel are IPv6 addresses with IPv4 addresses embedded. The border router extracts IPv4 addresses from destination IPv6 addresses.
12.7.1 Manual Tunnel
Based on the encapsulation modes of IPv6 packets, manual tunnels are classified into IPv6 over IPv4 manual tunnels and IPv6 over IPv4 Generic Routing Encapsulation (GRE) tunnels.
12.7.2 IPv6 over IPv4 Manual Tunnel
The border router uses the received IPv6 packet as the payload and encapsulates it as an IPv4 packet. You must manually specify the source and destination addresses of a manual tunnel. A manual tunnel is a P2P connection. It can be created between two border routers to connect IPv6 sites that are isolated by an IPv4 network, or between a border router and a host to enable the host to access an IPv6 network. Hosts and border routers on both ends of a manual tunnel must support the IPv4/IPv6 dual protocol stack; other devices only need to support a single protocol stack. If you create multiple IPv6 over IPv4 manual tunnels between one border router and multiple hosts, the configuration workload is heavy. Therefore, an IPv6 over IPv4 manual tunnel is commonly created between two border routers to connect IPv6 networks. Figure 12-7-2 shows the encapsulation format of an IPv6 over IPv4 packet.
Figure 12-7-2 Encapsulation format of an IPv6 over IPv4 packet
The forwarding mechanism of an IPv6 over IPv4 manual tunnel is as follows: After a border router receives a packet from the IPv6 network, it looks up the destination address of the IPv6 packet in the routing and forwarding table. If the packet is to be forwarded from the virtual tunnel interface, the router encapsulates the packet using the source and destination IPv4 addresses configured on that interface. The IPv6 packet is encapsulated as an IPv4 packet and processed by the IPv4 protocol stack. The encapsulated packet is forwarded through the IPv4 network to the remote end of the tunnel. After the border router on the remote end of the tunnel receives the encapsulated packet, it decapsulates the packet and processes it using the IPv6 protocol stack.
12.7.3 IPv6 over IPv4 GRE Tunnel
An IPv6 over IPv4 GRE tunnel uses the standard GRE tunnel technology to provide P2P connections. You must manually specify addresses for both ends of the tunnel. Any type of protocol packet that GRE supports can be encapsulated and transmitted through a GRE tunnel. The protocols include IPv4, IPv6, Open Systems Interconnection (OSI), and Multiprotocol Label Switching (MPLS). Figure 12-7-3 shows the encapsulation and transmission process on an IPv6 over IPv4 GRE tunnel.
Figure 12-7-3 IPv6 over IPv4 GRE tunnel
The forwarding mechanism of an IPv6 over IPv4 GRE tunnel is the same as that of an IPv6 over IPv4 manual tunnel. For details, see the Feature Description - VPN.
12.7.4 Automatic Tunnel
You only need to configure the start point of an automatic tunnel, and the device automatically obtains the end point of the tunnel. The tunnel interface uses a special form of IPv6 address with an IPv4 address embedded. The device obtains the IPv4 address from the destination IPv6 address and uses the IPv4 address as the end point address of the tunnel. Based on the encapsulation modes of IPv6 packets, automatic tunnels are classified into IPv4-compatible IPv6 automatic tunnels, IPv6-to-IPv4 tunnels, and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnels.
IPv4-compatible IPv6 Automatic Tunnel
For an IPv4-compatible IPv6 automatic tunnel, the destination address contained in an IPv6 packet is an IPv4-compatible IPv6 address. The first 96 bits of an IPv4-compatible IPv6 address are all 0s and the last 32 bits are the IPv4 address. Figure 12-7-4 shows the format of an IPv4-compatible IPv6 address.
Figure 12-7-4 IPv4-compatible IPv6 address
Figure 12-7-5 shows the forwarding mechanism of an IPv4-compatible IPv6 automatic tunnel.
Figure 12-7-5 Forwarding mechanism of an IPv4-compatible IPv6 automatic tunnel
After receiving an IPv6 packet, RouterA searches the routing table for the destination address ::2.1.1.1 and finds that the next hop is a virtual tunnel interface. Because the tunnel configured on RouterA is an IPv4-compatible IPv6 automatic tunnel, RouterA encapsulates the IPv6 packet as an IPv4 packet. The source address of the encapsulating IPv4 header is the start point address of the tunnel, 1.1.1.1, and the destination address is 2.1.1.1, the last 32 bits of the IPv4-compatible IPv6 address. RouterA sends the packet through the tunnel interface, and the packet is forwarded over the IPv4 network to the destination address 2.1.1.1 (RouterB). RouterB receives the packet, extracts the IPv6 packet, and processes it using the IPv6 protocol stack. RouterB returns packets to RouterA in the same way.
NOTE: If the IPv4 address contained in an IPv4-compatible IPv6 address is a broadcast address, multicast address, network broadcast address, subnet broadcast address of an outbound interface, address of all 0s, or loopback address, the IPv6 packet will be discarded. To deploy an IPv4-compatible IPv6 tunnel, each host must have a valid IP address, and hosts that communicate with each other must support dual protocol stacks and IPv4-compatible IPv6 tunnels. Therefore, it is unsuitable for large-scale networks. Currently, the IPv4-compatible IPv6 tunnel has been replaced by the IPv6-to-IPv4 tunnel.
IPv6-to-IPv4 Tunnel
An IPv6-to-IPv4 tunnel also uses an IPv4 address that is embedded in an IPv6 address. Unlike IPv4-compatible IPv6 tunnels, IPv6-to-IPv4 tunnels can be created between two routers, between a router and a host, and between two hosts. An IPv6-to-IPv4 address uses the IPv4 address as the network ID. Figure 12-7-6 shows the format of an IPv6-to-IPv4 address.
Figure 12-7-6 Format of an IPv6-to-IPv4 address
FP: format prefix of a global unicast address. The value is 001.
TLA ID: top level aggregation identifier. The value is 0x0002.
SLA ID: site level aggregation identifier.
An IPv6-to-IPv4 address is expressed in the format 2002::/16. An IPv6-to-IPv4 network is expressed as 2002:IPv4 address::/48. An IPv6-to-IPv4 address has a 64-bit prefix composed of the 48-bit 2002:IPv4 address and the 16-bit SLA ID. The 2002:IPv4 address part, in the format 2002:a.b.c.d, is determined by the IPv4 address allocated to the router, and the SLA ID is defined by the user. Figure 12-7-7 shows the encapsulation and forwarding process of the IPv6-to-IPv4 tunnel. It is the same as that of the IPv4-compatible IPv6 automatic tunnel and is therefore not repeated here.
Figure 12-7-7 Example of an IPv6-to-IPv4 tunnel (1)
One IPv4 address can be used as the source address of only one IPv6-to-IPv4 tunnel. When a border router is connected to multiple IPv6-to-IPv4 networks that use the same IPv4 address as the source address of the tunnel, the IPv6-to-IPv4 networks share a tunnel and are identified by the SLA ID in the IPv6-to-IPv4 address. Figure 12-7-8 shows the case.
Figure 12-7-8 Example of an IPv6-to-IPv4 tunnel (2)
As IPv6 networks advance, IPv6 hosts need to communicate with IPv4 hosts through IPv6-to-IPv4 networks. This can be implemented by deploying IPv6-to-IPv4 relays. When the destination address of an IPv6 packet forwarded through an IPv6-to-IPv4 tunnel is not an IPv6-to-IPv4 address, but the next hop address is an IPv6-to-IPv4 address, the next hop router is an IPv6-to-IPv4 relay. The device obtains the destination IPv4 address from the next hop IPv6-to-IPv4 address. Figure 12-7-9 shows an IPv6-to-IPv4 relay.
Figure 12-7-9 IPv6-to-IPv4 relay
When hosts on IPv6-to-IPv4 network 2 want to communicate with hosts on the IPv6 network, configure the next hop address as the IPv6-to-IPv4 address of the IPv6-to-IPv4 relay on the border router. The IPv6-to-IPv4 address matches the source address of the IPv6-to-IPv4 tunnel. Packets sent from IPv6-to-IPv4 network 2 to the IPv6 network are sent to the IPv6-to-IPv4 relay router according to the routing table. The IPv6-to-IPv4 relay router then forwards the packets to the pure IPv6 network. When hosts on the IPv6 network send packets to IPv6-to-IPv4 network 2, the IPv6-to-IPv4 relay router appends IPv4 headers to the packets and forwards the packets to the destination addresses (IPv6-to-IPv4 addresses).
ISATAP Tunnel
ISATAP is another automatic tunnel technology. The ISATAP tunnel uses a special format of IPv6 address with an IPv4 address embedded. Different from the IPv6-to-IPv4 address, which uses the IPv4 address as the network prefix, the ISATAP address uses the IPv4 address as the interface ID. Figure 12-7-10 shows the format of the interface ID of an ISATAP address.
Figure 12-7-10 Format of the interface ID of an ISATAP address
If the embedded IPv4 address is globally unique, the "u" bit is set to 1; otherwise, the "u" bit is set to 0. "g" is the individual/group bit. An ISATAP address contains an interface ID and can be a global unicast address, link-local address, ULA address, or multicast address. The device obtains the first 64 bits of an ISATAP address by sending Request packets to the ISATAP router. Devices on both ends of the ISATAP tunnel run the Neighbor Discovery (ND) protocol. The ISATAP tunnel treats the IPv4 network as a non-broadcast multiple access (NBMA) network. ISATAP allows IPv6 networks to be deployed within existing IPv4 networks. The deployment is simple and networks can be easily expanded. Therefore, ISATAP is suitable for the transition of local sites. ISATAP supports local routing within IPv6 sites, global IPv6 routing domains, and automatic IPv6 tunnels. ISATAP can be used together with NAT to allow the use of an IPv4 address that is not globally unique within the site. Typically, an ISATAP tunnel is used within the site and does not require a globally unique embedded IPv4 address. Figure 12-7-11 shows a typical application of the ISATAP tunnel.
Figure 12-7-11 Typical application of the ISATAP tunnel
As shown in Figure 12-7-11, Host B and Host C are located on an IPv4 network. They both support dual protocol stacks and have private IPv4 addresses. Perform the following operations to enable the ISATAP function on Host B and Host C:
1. Configure an ISATAP tunnel interface to generate an interface ID based on the IPv4 address.
2. Encapsulate a link-local IPv6 address based on the interface ID. When a host obtains the link-local IPv6 address, it can access the IPv6 network on the local link.
3. The host automatically obtains a global unicast IPv6 address and ULA address.
4. The host obtains an IPv4 address from the next hop IPv6 address as the destination address, and forwards packets through the tunnel interface to communicate with another IPv6 host. When the destination host is located on the same site as the source host, the next hop address is the address of the source host. When the destination host is not located on the local site, the next hop address is the address of the ISATAP router.
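The three automatic tunnel types above (IPv4-compatible, IPv6-to-IPv4 and ISATAP) all derive the tunnel end point from bits of the IPv6 address, and the NOTE on IPv4-compatible addresses lists embedded IPv4 values that cause the packet to be discarded. The following added example (not code from the Huawei material) implements that derivation and the discard check with Python's standard ipaddress module; the addresses and the interface subnet list passed to tunnel_endpoint are constructed inputs for illustration.

```python
"""Derive the IPv4 tunnel end point embedded in automatic-tunnel IPv6 addresses
and apply the discard rules a border router applies before encapsulating.

Formats handled (as described in the section above):
  IPv4-compatible  ::a.b.c.d             first 96 bits zero, IPv4 in the last 32
  IPv6-to-IPv4     2002:a.b.c.d::/48     IPv4 in bits 16-47 after the 2002 prefix
  ISATAP           ...:0000:5EFE:a.b.c.d interface ID, u bit (0x0200) set if global
"""
import ipaddress
from typing import Iterable, Optional, Tuple

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
ISATAP_IID_HIGH = 0x00005EFE     # upper 32 bits of an ISATAP interface ID (u bit clear)
ISATAP_U_BIT = 0x02000000        # "u" bit: set when the embedded IPv4 address is globally unique


def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Return the IPv4 address embedded in addr, or None if it embeds none."""
    v6 = ipaddress.IPv6Address(addr)
    if v6.is_unspecified or v6.is_loopback:
        return None                                   # :: and ::1 are not tunnel end points
    raw = int(v6)
    if (raw >> 32) == 0:                              # IPv4-compatible: top 96 bits all 0
        return ipaddress.IPv4Address(raw & 0xFFFFFFFF)
    if v6 in SIX_TO_FOUR:                             # IPv6-to-IPv4: IPv4 follows 2002
        return ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)
    iid = raw & 0xFFFFFFFFFFFFFFFF                    # low 64 bits = interface ID
    if ((iid >> 32) & (0xFFFFFFFF ^ ISATAP_U_BIT)) == ISATAP_IID_HIGH:   # ignore u bit
        return ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    return None


def tunnel_endpoint(addr: str,
                    interface_nets: Iterable[str] = ()) -> Optional[ipaddress.IPv4Address]:
    """End point the router would use, or None when the NOTE says to discard the
    packet: embedded IPv4 is all 0s, limited broadcast, multicast, loopback, or the
    broadcast address of an outbound interface subnet (interface_nets, assumed input)."""
    v4 = embedded_ipv4(addr)
    if v4 is None:
        return None
    n = int(v4)
    if n == 0 or n == 0xFFFFFFFF or v4.is_multicast or v4.is_loopback:
        return None
    for net in interface_nets:
        if v4 == ipaddress.IPv4Network(net, strict=False).broadcast_address:
            return None
    return v4


def encapsulation_addresses(tunnel_source: str, ipv6_dst: str,
                            interface_nets: Iterable[str] = ()) -> Optional[Tuple[str, str]]:
    """Outer IPv4 (source, destination) pair for an IPv6 packet entering an automatic
    tunnel whose start point is tunnel_source, as RouterA does in Figure 12-7-5."""
    dst = tunnel_endpoint(ipv6_dst, interface_nets)
    if dst is None:
        return None
    return (str(ipaddress.IPv4Address(tunnel_source)), str(dst))


if __name__ == "__main__":
    # RouterA in Figure 12-7-5: tunnel start point 1.1.1.1, IPv6 destination ::2.1.1.1
    print(encapsulation_addresses("1.1.1.1", "::2.1.1.1"))   # ('1.1.1.1', '2.1.1.1')
    print(embedded_ipv4("2002:c000:204::1"))                  # 192.0.2.4 (IPv6-to-IPv4)
    print(embedded_ipv4("fe80::5efe:192.0.2.10"))             # 192.0.2.10 (ISATAP, private)
    print(tunnel_endpoint("::224.0.0.9"))                     # None (multicast, discarded)
```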
12.7.5 6PE
IPv6 Provider Edge (6PE) is a transition technology from the IPv4 to the IPv6 network. With 6PE routers, Independent Service Providers (ISPs) can provide access services for the isolated IPv6 networks of users over the existing IPv4 backbone network. The 6PE router labels IPv6 routing information and floods the information onto the ISP's IPv4 backbone network through Internal Border Gateway Protocol (IBGP) sessions. The IPv6 packets are labeled before flowing into tunnels on the backbone network. The tunnels can be GRE tunnels or MPLS LSPs. To allow IPv6 packets to be exchanged across an IPv4/MPLS network over MPLS LSPs, only the PE routers need to be upgraded. Therefore, using the 6PE technology as an IPv6 transition mechanism is a cost-effective solution for ISPs. Figure 12-7-12 shows the typical 6PE networking diagram.
Figure 12-7-12 Typical 6PE networking diagram
12.8
IPv4 over IPv6 Tunnel
During the later transition from IPv4 networks to IPv6 networks, a large number of IPv6 networks are deployed. IPv4 networks, however, are isolated sites around the world. You can create tunnels on the IPv6 networks to connect the isolated IPv4 sites so that they can access other IPv4 networks through the IPv6 public network. Figure 12-8-1 shows how to apply the IPv4 over IPv6 tunnel.
Figure 12-8-1 Networking diagram for applying the IPv4 over IPv6 tunnel
1. On the border router, the IPv4/IPv6 dual protocol stack is enabled and the IPv4 over IPv6 tunnel is configured.
2. After the border router receives a packet not destined for the router from the IPv4 network, the router appends an IPv6 header to the IPv4 packet and encapsulates the IPv4 packet as an IPv6 packet.
3. On the IPv6 network, the encapsulated packet is transmitted to the remote border router.
4. The remote border router decapsulates the packet, removes the IPv6 header, and sends the decapsulated IPv4 packet to the IPv4 network.
12.9
RIPng
12.9.1 RIPng Features
In addition to IPv4 networks, RIP is also applicable to IPv6 networks to provide accurate route information for IPv6 packets. The IETF has defined RIP next generation (RIPng) based on RIP for IPv6 networks. RIPng is an important protocol for IPv6 networks.
12.9.2 Comparison between RIPng and RIP
RIPng made the following modifications to RIP:
RIPng uses UDP port 521 to send and receive routing information.
RIPng uses the destination addresses with 128-bit prefixes (mask length).
RIPng uses 128-bit IPv6 addresses as next hop addresses.
RIPng uses a link-local address in FE80::/10 as the source address to send RIPng Update packets.
RIPng periodically sends routing information in multicast mode and uses FF02::9 as multicast address.
A RIPng packet consists of a header and multiple route table entries (RTEs). In a RIPng packet, the maximum number of RTEs depends on the MTU on the interface.
12.10
OSPFv3
12.10.1 Principle of OSPFv3
Running on IPv6, OSPFv3 (defined in RFC 2740) is an independent routing protocol whose functions are enhanced on the basis of OSPFv2.
OSPFv3 and OSPFv2 are the same in respect of the working principles of the Hello message, state machine, link-state database (LSDB), flooding, and route calculation.
OSPFv3 divides an Autonomous System (AS) into one or more logical areas and advertises routes through LSAs.
OSPFv3 keeps routing information consistent by exchanging OSPFv3 packets between routers within an OSPFv3 area.
OSPFv3 packets are encapsulated into IPv6 packets, which can be transmitted in unicast or multicast mode.
Formats of OSPFv3 Packets
Table 12-10-1 Formats of OSPFv3 packets
Hello message: Hello messages are sent regularly to discover and maintain OSPFv3 neighbor relationships.
Database Description (DD) packet: A DD packet contains the summary of the local LSDB. It is exchanged between two OSPFv3 routers to update the LSDBs.
Link State Request (LSR) packet: LSR packets are sent to the neighbor to request the required LSAs. An OSPFv3 router sends LSR packets to its neighbor only after they exchange DD packets.
Link State Update (LSU) packet: The LSU packet is used to transmit the required LSAs to the neighbor.
Link State Acknowledgment (LSAck) packet: The LSAck packet is used to acknowledge received LSA packets.
LSA Type
Table 12-10-2 LSA type
Router-LSA (Type1): Generated by a router for each area to which an OSPFv3 interface belongs, the router LSA describes the status and costs of the router's links and is advertised in the area to which the OSPFv3 interface belongs.
Network-LSA (Type2): Generated by a designated router (DR), the network LSA describes the link status and is broadcast in the area that the DR belongs to.
Inter-Area-Prefix-LSA (Type3): Generated on the area border router (ABR), an inter-area prefix LSA describes the route of a certain network segment within the local area and is used to inform other areas of the route.
Inter-Area-Router-LSA (Type4): Generated on the ABR, an inter-area router LSA describes the route to the autonomous system boundary router (ASBR) and is advertised to all related areas except the area that the ASBR belongs to.
AS-external-LSA (Type5): Generated on the ASBR, the AS-external LSA describes the route to a destination outside the AS and is advertised to all areas except the stub area and NSSA area.
NSSA-LSA (Type7): Describes routes to a destination outside the AS. It is generated by an ASBR and advertised in NSSAs only.
Link-LSA (Type8): Each router generates a link LSA for each link. A link LSA describes the link-local address and IPv6 address prefix associated with the link and the link option set in the network LSA. It is transmitted only on the link.
Intra-Area-Prefix-LSA (Type9): Each router or DR generates one or more intra-area prefix LSAs and transmits them in the local area. An LSA generated on a router describes the IPv6 address prefix associated with the router LSA. An LSA generated on a DR describes the IPv6 address prefix associated with the network LSA.
Router Type
Figure 12-10-1 Router type
Table 4-10-3 Router types and descriptions
Internal router: All interfaces on an internal router belong to the same OSPFv3 area.
Area border router (ABR): An ABR can belong to two or more areas, but one of the areas must be the backbone area. An ABR is used to connect the backbone area and the non-backbone areas. It can be physically or logically connected to the backbone area.
Backbone router: At least one interface on a backbone router belongs to the backbone area. All ABRs and internal routers in Area 0, therefore, are backbone routers.
AS boundary router (ASBR): A router that exchanges routing information with other ASs is called an ASBR. An ASBR is not necessarily located on the boundary of an AS. It can be an internal router or an ABR.
OSPFv3 Route Type
Inter-area routes and intra-area routes describe the network structure of an AS. External routes describe how to select a route to a destination outside the AS. OSPFv3 classifies imported AS external routes into Type 1 routes and Type 2 routes. Table 12-10-4 lists route types in descending order of priority.
Table 12-10-4 Types of OSPFv3 routes
Intra Area: Intra-area routes
Inter Area: Inter-area routes
Type1 external routes: Because of the high reliability of Type 1 external routes, the calculated cost of these external routes is comparable to that of AS internal routes and can be compared with the cost of OSPFv3 internal routes. That is, the cost of a Type1 external route equals the cost of the route from the router to the corresponding ASBR plus the cost of the route from the ASBR to the destination address.
Type2 external routes: Because of the low reliability of Type2 external routes, the cost of the route from the ASBR to a destination outside the AS is considered far greater than the cost of any internal path to an ASBR. Therefore, OSPFv3 only takes the cost of the route from the ASBR to the destination outside the AS into account when calculating route costs. That is, the cost of a Type2 external route equals the cost of the route from the ASBR to the destination of the route.
Area Type
Table 12-10-5 Types of OSPFv3 areas
Totally stub area: A totally stub area allows only the Type3 default routes advertised by the ABR, and disallows routes from outside the AS and inter-area routes.
Stub area: A stub area allows inter-area routes, which is different from a totally stub area.
NSSA: An NSSA imports routes from outside the AS, which is different from a stub area. An ASBR advertises Type7 LSAs in the local area. These Type 7 LSAs are translated into Type 5 LSAs on an ABR and are then flooded in the entire OSPFv3 AS.
Network Types Supported by OSPFv3
OSPFv3 classifies networks into the following types according to link layer protocols.
Table 12-10-6 Types of OSPFv3 networks
Broadcast: If the link layer protocol is Ethernet or FDDI, OSPFv3 defaults the network type to broadcast. In this type of network, the following situations occur:
Hello messages, LSU packets, and LSAck packets are transmitted in multicast mode (FF02::5 is the reserved IPv6 multicast address of OSPFv3 routers; FF02::6 is the reserved IPv6 multicast address of the OSPFv3 DR or BDR).
DD packets and LSR packets are transmitted in unicast mode.
Non-broadcast Multiple Access (NBMA): If the link layer protocol is frame relay, ATM, or X.25, OSPFv3 defaults the network type to NBMA. In this type of network, protocol packets such as Hello messages, DD packets, LSR packets, LSU packets, and LSAck packets are transmitted in unicast mode.
Point-to-Multipoint (P2MP): Regardless of the link layer protocol, OSPFv3 does not default the network type to P2MP. A P2MP network must be forcibly changed from another network type. The common practice is to change a non-fully connected NBMA network to a P2MP network. In this type of network, the following situations occur:
Hello messages are transmitted in multicast mode with the multicast address FF02::5.
Other protocol packets, including DD packets, LSR packets, LSU packets, and LSAck packets, are transmitted in unicast mode.
Point-to-point (P2P): If the link layer protocol is PPP, HDLC, or LAPB, OSPFv3 defaults the network type to P2P. In this type of network, the protocol packets, including Hello messages, DD packets, LSR packets, LSU packets, and LSAck packets, are transmitted to the multicast address FF02::5.
Stub Area
A stub area is a special area in which the ABRs do not flood the received external routes. In stub areas, the size of the routing tables of the routers and the amount of routing information transmitted are reduced. Configuring a stub area is optional. Not all areas can be configured as stub areas. Usually, a stub area is a non-backbone area with only one ABR and is located at the AS boundary. To ensure the reachability of destinations outside the AS, the ABR in the stub area generates a default route and advertises it to the non-ABR routers in the stub area. Note the following when configuring a stub area:
The backbone area cannot be configured as a stub area.
If an area needs to be configured as a stub area, all the routers in this area must be configured with the stub command.
An ASBR cannot exist in a stub area. That is, external routes are not flooded in the stub area.
A virtual link cannot pass through the stub area.
OSPFv3 Route Summarization
Route summarization reduces the amount of routing information and thus the size of routing tables, which improves the performance of routers.
The procedure for OSPFv3 route summarization is as follows:
Route summarization on an ABR: An ABR can summarize routes with the same prefix into one route and advertise the summarized route to other areas. When sending routing information to other areas, an ABR generates Type 3 LSAs based on IPv6 prefixes. If consecutive IPv6 prefixes exist in an area and route summarization is enabled on the ABR of the area, the IPv6 prefixes can be summarized into one prefix. If there are multiple LSAs that have the same prefix, the ABR summarizes these LSAs and advertises only one summarized LSA. The ABR does not advertise any specific LSAs.
Route summarization on an ASBR: An ASBR can summarize imported routes with the same prefix into one route and then advertise the summarized route to other areas. After route summarization is enabled, an ASBR summarizes imported Type 5 LSAs within the summarized address range. After route summarization, the ASBR does not generate a separate Type 5 LSA for each specific prefix within the configured range. Instead, the ASBR generates a Type 5 LSA only for the summarized prefix. In an NSSA, an ASBR summarizes multiple imported Type 7 LSAs within the summarized address range into one Type 7 LSA.
OSPFv3 Virtual Link
A virtual link refers to a logical channel established between two ABRs through a non-backbone area.
A virtual link must be set up on both ends of the link; otherwise, it does not take effect.
The transit area is the non-backbone area that provides the internal route between the two ends of the virtual link.
In actual applications, the physical connectivity between non-backbone areas and the backbone area cannot be ensured owing to various limitations. To solve this problem, you can configure OSPFv3 virtual links. The virtual link is similar to a point-to-point connection between two ABRs. Similar to physical interfaces, the interfaces on the virtual link can be configured with parameters such as the hello interval.
Figure 12-10-2 OSPFv3 virtual link
As shown in Figure 12-10-2, OSPFv3 packets transmitted between two ABRs are only forwarded by the OSPFv3 devices that reside between the two ABRs. The OSPFv3 devices detect that they are not the destinations of the packets, so they forward the packets as common IP packets.
12.10.2 Comparison between OSPFv3 and OSPFv2
OSPFv3 and OSPFv2 are the same in the following aspects:
Network type and interface type
Interface state machine and neighbor state machine
LSDB
Flooding mechanism
Five types of packets, including Hello, DD, LSR, LSU, and LSAck packets
Route calculation
OSPFv3 and OSPFv2 are different in the following aspects:
OSPFv3 is based on links rather than network segments. OSPFv3 runs on IPv6, which is based on links rather than network segments. Therefore, you do not need to configure OSPFv3 interfaces in the same network segment; it is only required that the interfaces enabled with OSPFv3 are on the same link. In addition, the interfaces can set up OSPFv3 sessions without IPv6 global addresses.
OSPFv3 does not depend on IP addresses. This separates topology calculation from IP addresses. That is, OSPFv3 can calculate the OSPFv3 topology without knowing IPv6 global addresses, which are needed only on virtual link interfaces for packet forwarding.
OSPFv3 packets and LSA format change.
OSPFv3 packets do not contain IP addresses.
OSPFv3 router LSAs and network LSAs do not contain IP addresses, which are advertised by link LSAs and intra-area prefix LSAs.
In OSPFv3, Router IDs, area IDs, and LSA link state IDs no longer indicate IP addresses, but the IPv4 address format is still reserved.
Neighbors are identified by Router IDs instead of IP addresses in broadcast, NBMA, or P2MP networks.
Information about the flooding scope is added in LSAs of OSPFv3. The flooding scope is carried in the LSA Type field of OSPFv3 LSAs. Thus, OSPFv3 routers can process LSAs of unidentified types, which makes the processing more flexible.
OSPFv3 can store or flood unidentified LSAs, whereas OSPFv2 simply discards unidentified LSAs.
OSPFv3 floods LSAs within an OSPF area or on a link. The U flag bit in the LSA Type field tells a router how to handle an LSA of an unidentified type: when the bit is set, the LSA is stored and flooded according to its encoded flooding scope; when it is clear, the LSA is treated as having link-local flooding scope.
For example, RouterA and RouterB can identify LSAs of a certain type. They are connected through RouterC, which cannot identify this type of LSA. When RouterA floods an LSA of this type, RouterC can still flood the received LSA to RouterB although it does not identify the LSA. RouterB then processes the LSA. If OSPFv2 were run, RouterC would discard the unidentified LSA so that the LSA could not reach RouterB.
OSPFv3 supports multi-process on a link. Only one OSPF process can be configured on a physical interface. In OSPFv3, one physical interface can be configured with multiple processes that are identified by different instance IDs. That is, multiple OSPFv3 instances can run on one physical link. They establish neighbor relationships with the other end of the link and transmit packets to the other end without interfering with each other. Thus, the resources of a link can be shared among OSPFv3 instances that simulate multiple OSPFv3 routers, which improves the utilization of limited router resources.
OSPFv3 uses IPv6 link-local addresses. IPv6 implements neighbor discovery and automatic configuration based on link-local addresses. Routers running IPv6 do not forward IPv6 packets whose destination address is a link-local address; such packets can only be exchanged on the same link. Unicast link-local addresses are taken from FE80::/10. As a routing protocol running on IPv6, OSPFv3 also uses link-local addresses to maintain neighbor relationships and update LSDBs. Except for virtual link interfaces, all OSPFv3 interfaces use link-local addresses as the source address and as the next hop address when transmitting OSPFv3 packets. The advantages are as follows:
The OSPFv3 can calculate the topology without knowing the global IPv6 addresses so that topology calculation is not based on IP addresses.
The packets flooded on a link are not transmitted to other links, which prevents unnecessary flooding and saves bandwidth.
OSPFv3 packets do not contain authentication fields. OSPFv3 directly adopts IPv6 authentication and security measures. Thus, OSPFv3 does not need to perform authentication. It only focuses on the processing of packets.
OSPFv3 supports two new LSAs.
Link LSA: A router floods a link LSA on the link where it resides to advertise its link-local address and the configured global IPv6 address.
Intra-area prefix LSA: A router advertises an intra-area prefix LSA in the local OSPF area to inform the other routers in the area or on the network, which can be a broadcast network or an NBMA network, of its IPv6 global address.
OSPFv3 identifies neighbors based on router IDs only. On broadcast, NBMA, and P2MP networks, OSPFv2 identifies neighbors based on IPv4 addresses of interfaces. OSPFv3 identifies neighbors based on router IDs only. Thus, even if global IPv6 addresses are not configured or they are configured in different network segments, OSPFv3 can still establish and maintain neighbor relationships so that topology calculation is not based on IP addresses.
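The flooding-scope and U bit behaviour described above lives in the 16-bit LS Type field of every OSPFv3 LSA. The following added example (not code from the Huawei material) decodes that field using the RFC 5340 layout (bit 15 = U, bits 14-13 = S2 S1 scope, bits 12-0 = function code) and works through the RouterA/RouterC/RouterB case, contrasting it with OSPFv2's discard behaviour; the set of "known" function codes given to RouterC is a constructed input.

```python
"""Decode the OSPFv3 LS Type field and decide how a router handles an LSA
whose function code it does not recognise (U bit semantics, RFC 5340 A.4.2.1)."""
from dataclasses import dataclass
from typing import Optional, Set

# Function codes from Table 12-10-2 (full LS Type values: 0x2001, 0x2002, 0x2003,
# 0x2004, 0x4005, 0x2007, 0x0008, 0x2009).
FUNCTION_CODES = {
    1: "Router-LSA", 2: "Network-LSA", 3: "Inter-Area-Prefix-LSA",
    4: "Inter-Area-Router-LSA", 5: "AS-External-LSA", 7: "NSSA-LSA",
    8: "Link-LSA", 9: "Intra-Area-Prefix-LSA",
}
SCOPES = {0: "link-local", 1: "area", 2: "AS", 3: "reserved"}   # S2 S1 encoding


@dataclass(frozen=True)
class LSType:
    u_bit: bool           # how to treat the LSA when the function code is unknown
    scope: str            # flooding scope encoded in S2 S1
    function_code: int
    name: Optional[str]   # None when the function code is not in FUNCTION_CODES


def decode_ls_type(value: int) -> LSType:
    """Split a 16-bit LS Type value such as 0x2001 (Router-LSA) into its fields."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("LS Type is a 16-bit field")
    code = value & 0x1FFF
    return LSType(u_bit=bool(value & 0x8000),
                  scope=SCOPES[(value >> 13) & 0x3],
                  function_code=code,
                  name=FUNCTION_CODES.get(code))


def handle_lsa(value: int, known_codes: Set[int], ospf_version: int = 3) -> str:
    """Action a router takes on a received LSA with the given LS Type.

    Returns 'flood:<scope>' (store and flood with that scope), 'store:link-local'
    (kept, not re-flooded beyond the link) or 'discard'.  OSPFv2 has no U bit and
    drops unidentified types; OSPFv3 floods an unidentified type with its encoded
    scope when U=1 and treats it as link-local scope when U=0.
    """
    t = decode_ls_type(value)
    if t.function_code not in known_codes:
        if ospf_version == 2:
            return "discard"
        if not t.u_bit:
            return "store:link-local"
    if t.scope == "link-local":
        return "store:link-local"
    return f"flood:{t.scope}"


def reaches_router_b(value: int, transit_known_codes: Set[int], ospf_version: int = 3) -> bool:
    """RouterA floods an LSA through RouterC (which knows transit_known_codes) to
    RouterB; True when RouterC's handling lets the LSA reach RouterB."""
    return handle_lsa(value, transit_known_codes, ospf_version).startswith("flood:")


if __name__ == "__main__":
    known = set(FUNCTION_CODES)
    for ls_type in (0x2001, 0x4005, 0x0008, 0x2011, 0xA011):
        t = decode_ls_type(ls_type)
        print(f"0x{ls_type:04X} U={int(t.u_bit)} scope={t.scope:<10} "
              f"code={t.function_code:<3} {t.name or '(unknown)':<22} "
              f"v3:{handle_lsa(ls_type, known):<17} v2:{handle_lsa(ls_type, known, 2)}")
```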
12.11 MP-BGP
12.11.1 MP-BGP
Traditional BGP-4 manages only IPv4 routing information. Inter-AS transmission of other network layer protocol packets (such as IPv6 and multicast packets) is limited. To support multiple network layer protocols, Multiprotocol BGP (MP-BGP) is defined in RFC 4760 as an extension to BGP-4. MP-BGP uses extended attributes and address families to support IPv6, multicast, and VPN without changing the existing BGP packet forwarding and routing mechanism. MP-BGP is called BGP4+ on IPv6 unicast networks and multicast BGP (MBGP) on IPv4 multicast networks. MP-BGP establishes separate topologies for IPv6 unicast networks and IPv4 multicast networks, and stores IPv6 unicast and IPv4 multicast routing information in different routing tables. This keeps the routing information of IPv6 unicast networks and IPv4 multicast networks separate, and allows routes of different networks to be maintained using different routing policies.
Extended Attributes
In BGP, an Update message carries three IPv4-related attributes: NLRI, Next_Hop, and Aggregator. To support multiple network layer protocols, BGP requires the NLRI and Next_Hop attributes to carry information about those protocols. Therefore, MP-BGP introduces the following new optional non-transitive attributes:
MP_REACH_NLRI: indicates the multiprotocol reachable NLRI. It is used to advertise reachable routes and next hop information.
MP_UNREACH_NLRI: indicates the multiprotocol unreachable NLRI. It is used to withdraw unreachable routes.
Address Families
MP-BGP uses address families to differentiate network layer protocols. For the values of address families, see RFC 3232 (Assigned Numbers). Currently, devices support the following address family views:
BGP-IPv4 unicast address family view
BGP-IPv4 multicast address family view
BGP-VPN instance IPv4 address family view
BGP-VPNv4 address family view
BGP-IPv6 unicast address family view
BGP-VPN instance IPv6 address family view
BGP-VPNv6 address family view
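As an added example that is not part of the Huawei material, the following Python decodes the two attributes described above, MP_REACH_NLRI and MP_UNREACH_NLRI, from their on-the-wire layout in RFC 4760 and maps the AFI/SAFI pair to the address-family names listed here. The sample attribute bytes are constructed for this example, and the SAFI value 128 used for the VPNv4/VPNv6 families is taken from RFC 4364, not from this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

AFI_IPV4, AFI_IPV6 = 1, 2
SAFI_UNICAST, SAFI_MULTICAST, SAFI_MPLS_VPN = 1, 2, 128

# AFI/SAFI pairs behind the address-family views listed above
# (SAFI 128 = MPLS-labeled VPN address, RFC 4364; not on the original page).
FAMILY_NAMES = {
    (AFI_IPV4, SAFI_UNICAST): "BGP-IPv4 unicast",
    (AFI_IPV4, SAFI_MULTICAST): "BGP-IPv4 multicast",
    (AFI_IPV4, SAFI_MPLS_VPN): "BGP-VPNv4",
    (AFI_IPV6, SAFI_UNICAST): "BGP-IPv6 unicast",
    (AFI_IPV6, SAFI_MPLS_VPN): "BGP-VPNv6",
}


@dataclass
class MpReach:
    afi: int
    safi: int
    next_hops: List[str]  # one address, or global + link-local for IPv6 (RFC 2545)
    prefixes: List[str]


def family_name(afi: int, safi: int) -> str:
    return FAMILY_NAMES.get((afi, safi), f"unknown AFI {afi}/SAFI {safi}")


def _addr_width(afi: int) -> int:
    if afi == AFI_IPV4:
        return 4
    if afi == AFI_IPV6:
        return 16
    raise ValueError(f"unsupported AFI {afi}")


def _decode_prefixes(afi: int, data: bytes) -> List[str]:
    """Decode NLRI entries: 1 octet prefix length in bits, then ceil(len/8) octets of prefix."""
    width = _addr_width(afi)
    net_cls = ipaddress.IPv4Network if afi == AFI_IPV4 else ipaddress.IPv6Network
    out, i = [], 0
    while i < len(data):
        plen = data[i]
        nbytes = (plen + 7) // 8
        i += 1
        if plen > width * 8 or i + nbytes > len(data):
            raise ValueError("truncated or oversized NLRI entry")
        padded = data[i:i + nbytes] + bytes(width - nbytes)
        i += nbytes
        # strict=True (the default) rejects entries with bits set beyond the prefix length.
        out.append(str(net_cls((padded, plen))))
    return out


def parse_mp_reach_nlri(attr: bytes) -> MpReach:
    """Parse an MP_REACH_NLRI attribute value (RFC 4760 section 3):
    AFI(2) | SAFI(1) | next-hop length(1) | next hop(s) | reserved(1) | NLRI..."""
    if len(attr) < 5:
        raise ValueError("MP_REACH_NLRI shorter than its fixed fields")
    afi = int.from_bytes(attr[0:2], "big")
    safi = attr[2]
    nh_len = attr[3]
    width = _addr_width(afi)
    addr_cls = ipaddress.IPv4Address if afi == AFI_IPV4 else ipaddress.IPv6Address
    if nh_len == 0 or nh_len % width or 4 + nh_len + 1 > len(attr):
        raise ValueError("next-hop length inconsistent with AFI or attribute length")
    nh_raw = attr[4:4 + nh_len]
    hops = [str(addr_cls(nh_raw[k:k + width])) for k in range(0, nh_len, width)]
    # Skip the one reserved octet that follows the next hop(s), then decode the NLRI list.
    return MpReach(afi, safi, hops, _decode_prefixes(afi, attr[5 + nh_len:]))


def parse_mp_unreach_nlri(attr: bytes) -> Tuple[int, int, List[str]]:
    """Parse an MP_UNREACH_NLRI attribute value (RFC 4760 section 4): AFI(2) | SAFI(1) | withdrawn NLRI..."""
    if len(attr) < 3:
        raise ValueError("MP_UNREACH_NLRI shorter than its fixed fields")
    afi = int.from_bytes(attr[0:2], "big")
    return afi, attr[2], _decode_prefixes(afi, attr[3:])


def is_well_formed_reach(attr: bytes) -> bool:
    """True when the attribute parses; a receiver should treat a malformed one as an error."""
    try:
        parse_mp_reach_nlri(attr)
        return True
    except ValueError:
        return False


# Constructed BGP4+ sample: IPv6 unicast, next hops 2001:db8::1 (global) and fe80::1
# (link-local), advertising 2001:db8:1::/48 and 3001::/64.
SAMPLE_REACH = (
    b"\x00\x02" + b"\x01" + b"\x20"
    + ipaddress.IPv6Address("2001:db8::1").packed
    + ipaddress.IPv6Address("fe80::1").packed
    + b"\x00"
    + b"\x30" + bytes.fromhex("20010db80001")
    + b"\x40" + bytes.fromhex("3001000000000000")
)
# Constructed withdrawal of 3001::/64 from the IPv6 unicast family.
SAMPLE_UNREACH = b"\x00\x02\x01" + b"\x40" + bytes.fromhex("3001000000000000")

if __name__ == "__main__":
    reach = parse_mp_reach_nlri(SAMPLE_REACH)
    print(family_name(reach.afi, reach.safi), reach.next_hops, reach.prefixes)
    print(parse_mp_unreach_nlri(SAMPLE_UNREACH))
```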
12.12 Examples for Configuring IPv6
12.12.1 Example for Configuring Basic IPv6 Functions
Networking Requirements
As shown in Figure 12-12-1, RouterA and RouterB are connected using GE1/0/0. RouterA and RouterB need to establish a neighbor relationship, and RouterB can obtain an IPv6 address using the neighbor discovery function.
Figure 12-12-1 Networking diagram for configuring basic IPv6 functions
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the IPv6 forwarding function on RouterA and configure an IPv6 address for RouterA so that RouterA can forward IPv6 packets.
2. Configure RouterA to send RA packets and allow GE1/0/0 of RouterB to automatically configure an IPv6 address based on the route prefix carried in the received RA packets.
Procedure
1. Configure RouterA.
# Configure an IPv6 address for GE1/0/0 of RouterA.
system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 address 3001::1/64
[RouterA-GigabitEthernet1/0/0] quit
# Configure the neighbor discovery function on RouterA.
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo ipv6 nd ra halt
[RouterA-GigabitEthernet1/0/0] quit
2. Configure RouterB.
# Configure GE1/0/0 of RouterB to automatically generate an IPv6 address through stateless autoconfiguration.
system-view
[Huawei] sysname RouterB
[RouterB] ipv6
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ipv6 enable
[RouterB-GigabitEthernet1/0/0] ipv6 address auto link-local
[RouterB-GigabitEthernet1/0/0] ipv6 address auto global
[RouterB-GigabitEthernet1/0/0] quit
3. Verify the configuration.
If the preceding configurations are successful, you can view the configured global unicast addresses. The interface status and the IPv6 protocol status are Up. You can also check the neighbors of the interfaces.
# Check interface information on RouterA.
display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::A19:A6FF:FECD:A897
Global unicast address(es):
3000::1, subnet is 3000::/64
Joined group address(es):
FF02::1:2
FF02::1:FF00:1
FF02::2
FF02::1
FF02::1:FFCD:A897
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
ND router advertisements hop-limit 64
ND default router preference medium
Hosts use stateless autoconfig for addresses
# Check interface information on RouterB.
display ipv6 interface gigabitethernet 1/0/0
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2D6F:0:7AF3:1
Global unicast address(es):
3001::15B:E0EA:3524:E791 subnet is 3001::/64 [SLAAC 2012-07-19 17:30:55 2592000S]
Joined group address(es):
FF02::1:FF00:2
FF02::1:FFF3:1
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# Check neighbor information on GE1/0/0 of RouterA.
display ipv6 neighbors gigabitethernet 1/0/0
Secure FLAG : UN-SECURE
---------------------------------------------------------
Total: 1  Dynamic: 1  Static: 0
Configuration Files
Configuration file of RouterA
#
 sysname RouterA
#
 ipv6
#
interface GigabitEthernet1/0/0
 ipv6 enable
 ipv6 address 3001::1/64
 undo ipv6 nd ra halt
#
return
Configuration file of RouterB
#
 sysname RouterB
#
 ipv6
#
interface GigabitEthernet1/0/0
 ipv6 enable
 ipv6 address auto link-local
 ipv6 address auto global
#
return
12.12.2 Example for Configuring a Manual IPv6 over IPv4 Tunnel
Networking Requirements
As shown in Figure 12-12-2, two IPv6 networks connect to RouterB on an IPv4 backbone network through RouterA and RouterC respectively. Hosts on the two IPv6 networks are required to communicate through the IPv4 backbone network.
Figure 12-12-2 Networking diagram for configuring a manual IPv6 over IPv4 tunnel
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for physical interfaces so that devices can communicate on the IPv4 backbone network.
2. Configure IPv6 addresses, source interfaces, and destination addresses for tunnel interfaces so that devices can communicate with hosts on the two IPv6 networks.
3. Set the tunnel protocol to IPv6-IPv4 so that hosts on the two IPv6 networks can communicate through the IPv4 backbone network.
Procedure
1. Configure RouterA.
# Configure an IP address for an interface.
system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ip address 192.168.50.2 255.255.255.0
[RouterA-GigabitEthernet1/0/0] quit
# Set the tunnel protocol to IPv6-IPv4.
[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] tunnel-protocol ipv6-ipv4
# Configure an IPv6 address, a source interface, and a destination address for the tunnel interface.
[RouterA-Tunnel0/0/1] ipv6 enable
[RouterA-Tunnel0/0/1] ipv6 address 3001::1/64
[RouterA-Tunnel0/0/1] source gigabitethernet 1/0/0
[RouterA-Tunnel0/0/1] destination 192.168.51.2
[RouterA-Tunnel0/0/1] quit
# Configure a static route.
[RouterA] ip route-static 192.168.51.2 255.255.255.0 192.168.50.1
2. Configure RouterB.
# Configure IP addresses for interfaces.
system-view
[Huawei] sysname RouterB
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ip address 192.168.50.1 255.255.255.0
[RouterB-GigabitEthernet1/0/0] quit
[RouterB] interface gigabitethernet 2/0/0
[RouterB-GigabitEthernet2/0/0] ip address 192.168.51.1 255.255.255.0
[RouterB-GigabitEthernet2/0/0] quit
3. Configure RouterC.
# Configure an IP address for an interface.
system-view
[Huawei] sysname RouterC
[RouterC] ipv6
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ip address 192.168.51.2 255.255.255.0
[RouterC-GigabitEthernet1/0/0] quit
# Set the tunnel protocol to IPv6-IPv4.
[RouterC] interface tunnel 0/0/1
[RouterC-Tunnel0/0/1] tunnel-protocol ipv6-ipv4
# Configure an IPv6 address, a source interface, and a destination address for the tunnel interface.
[RouterC-Tunnel0/0/1] ipv6 enable
[RouterC-Tunnel0/0/1] ipv6 address 3001::2/64
[RouterC-Tunnel0/0/1] source gigabitethernet 1/0/0
[RouterC-Tunnel0/0/1] destination 192.168.50.2
[RouterC-Tunnel0/0/1] quit
# Configure a static route.
[RouterC] ip route-static 192.168.50.2 255.255.255.0 192.168.51.1
4. Verify the configuration.
# Ping the IPv4 address of GE1/0/0 on RouterA from RouterC. RouterC can receive a Reply packet from RouterA.
[RouterC] ping 192.168.50.2
PING 192.168.50.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.50.2: bytes=56 Sequence=1 ttl=255 time=84 ms
Reply from 192.168.50.2: bytes=56 Sequence=2 ttl=255 time=27 ms
Reply from 192.168.50.2: bytes=56 Sequence=3 ttl=255 time=25 ms
Reply from 192.168.50.2: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 192.168.50.2: bytes=56 Sequence=5 ttl=255 time=24 ms
--- 192.168.50.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/32/84 ms
# Ping the IPv6 address of Tunnel0/0/1 on RouterA from RouterC. RouterC can receive a Reply packet from RouterA.
[RouterC] ping ipv6 3001::1
PING 3001::1 : 56 data bytes, press CTRL_C to break
Reply from 3001::1 bytes=56 Sequence=1 hop limit=64 time = 28 ms
Reply from 3001::1 bytes=56 Sequence=2 hop limit=64 time = 27 ms
Reply from 3001::1 bytes=56 Sequence=3 hop limit=64 time = 26 ms
Reply from 3001::1 bytes=56 Sequence=4 hop limit=64 time = 27 ms
Reply from 3001::1
bytes=56 Sequence=5 hop limit=64 time = 26 ms
--- 3001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 26/26/28 ms
12.12.3 Example for Configuring an IPv6 over IPv4 GRE Tunnel
Networking Requirements
As shown in Figure 12-12-3, two IPv6 networks connect to RouterB on an IPv4 backbone network through RouterA and RouterC respectively. An IPv6 over IPv4 GRE tunnel needs to be set up between RouterA and RouterC so that hosts on the two IPv6 networks can communicate.
Figure 12-12-3 Networking diagram for configuring an IPv6 over IPv4 GRE tunnel
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for physical interfaces so that devices can communicate on the IPv4 backbone network.
2. Configure IPv6 addresses, source interfaces, and destination addresses for tunnel interfaces so that devices can communicate with hosts on the two IPv6 networks.
3. Set the tunnel protocol to GRE so that hosts on the two IPv6 networks can communicate through the IPv4 backbone network.
Procedure
1. Configure RouterA.
# Configure an IP address for an interface.
system-view
[Huawei] sysname RouterA
[RouterA] ipv6
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ip address 192.168.50.2 255.255.255.0
[RouterA-Pos1/0/0] quit
# Set the tunnel protocol to GRE.
[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] tunnel-protocol gre
# Configure an IPv6 address, a source interface, and a destination address for the tunnel interface.
[RouterA-Tunnel0/0/1] ipv6 enable
[RouterA-Tunnel0/0/1] ipv6 address 3001::1 64
[RouterA-Tunnel0/0/1] source pos 1/0/0
[RouterA-Tunnel0/0/1] destination 192.168.51.2
[RouterA-Tunnel0/0/1] quit
# Configure a static route.
[RouterA] ip route-static 192.168.51.2 255.255.255.0 192.168.50.1
2. Configure RouterB.
# Configure IP addresses for interfaces.
system-view
[Huawei] sysname RouterB
Configure RouterC.
# Configure an IP address for an interface.
system-view
[Huawei] sysname RouterC
[RouterC] ipv6
[RouterC] interface pos 1/0/0
[RouterC-Pos1/0/0] ip address 192.168.51.2 255.255.255.0
[RouterC-Pos1/0/0] quit
# Set the tunnel protocol to GRE.
[RouterC] interface tunnel 0/0/1
[RouterC-Tunnel0/0/1] tunnel-protocol gre
# Configure an IPv6 address, a source interface, and a destination address for the tunnel interface.
[RouterC-Tunnel0/0/1] ipv6 enable
[RouterC-Tunnel0/0/1] ipv6 address 3001::2 64
[RouterC-Tunnel0/0/1] source pos 1/0/0
[RouterC-Tunnel0/0/1] destination 192.168.50.2
[RouterC-Tunnel0/0/1] quit
# Configure a static route.
[RouterC] ip route-static 192.168.50.2 255.255.255.0 192.168.51.1
4. Verify the configuration.
# Ping the IPv4 address of Pos 1/0/0 on RouterA from RouterC. RouterC can receive a Reply packet from RouterA.
[RouterC] ping 192.168.50.2
PING 192.168.50.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.50.2: bytes=56 Sequence=1 ttl=255 time=84 ms
Reply from 192.168.50.2: bytes=56 Sequence=2 ttl=255 time=27 ms
Reply from 192.168.50.2: bytes=56 Sequence=3 ttl=255 time=25 ms
Reply from 192.168.50.2: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 192.168.50.2: bytes=56 Sequence=5 ttl=255 time=24 ms
--- 192.168.50.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/32/84 ms
# Ping the IPv6 address of Tunnel0/0/1 on RouterA from RouterC. RouterC can receive a Reply packet from RouterA.
[RouterC] ping ipv6 3001::1
PING 3001::1 : 56 data bytes, press CTRL_C to break
Reply from 3001::1 bytes=56 Sequence=1 hop limit=64 time = 28 ms
Reply from 3001::1 bytes=56 Sequence=2 hop limit=64 time = 27 ms
Reply from 3001::1 bytes=56 Sequence=3 hop limit=64 time = 26 ms
Reply from 3001::1 bytes=56 Sequence=4 hop limit=64 time = 27 ms
Reply from 3001::1 bytes=56 Sequence=5 hop limit=64 time = 26 ms
--- 3001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 26/26/28 ms
 ip route-static 192.168.50.0 255.255.255.0 192.168.51.1
#
return
12.12.4 Example for Configuring an Automatic IPv6 over IPv4 Tunnel
Networking Requirements
As shown in Figure 12-12-4, two IPv6 networks connect to an IPv4 backbone network through RouterA and RouterB respectively. An automatic IPv6 over IPv4 tunnel needs to be set up between RouterA and RouterB so that devices on the two IPv6 networks can communicate.
Figure 12-12-4 Networking diagram for configuring an automatic IPv6 over IPv4 tunnel
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for physical interfaces so that devices can communicate on the IPv4 backbone network.
2. Configure IPv6 addresses and source interfaces for tunnel interfaces so that devices can communicate with hosts on the two IPv6 networks.
3. Set the tunnel protocol to automatic so that hosts on the two IPv6 networks can communicate through the IPv4 network.
Verify the configuration.
# View the IPv6 status of Tunnel0/0/1 on RouterA. You can see that the tunnel status is Up.
[RouterA] display ipv6 interface tunnel 0/0/1
Tunnel0/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::201:101
Global unicast address(es):
::2.1.1.1, subnet is ::/96
Joined group address(es):
FF02::1:FF01:101
FF02::2
FF02::1
MTU is 1500 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# Ping the IPv4-compatible IPv6 address of the peer device from RouterA. The IPv6 address is pinged successfully.
[RouterA] ping ipv6 ::2.1.1.2
PING ::2.1.1.2 : 56 data bytes, press CTRL_C to break
Reply from ::2.1.1.2 bytes=56 Sequence=1 hop limit=64 time = 30 ms
Reply from ::2.1.1.2 bytes=56 Sequence=2 hop limit=64 time = 40 ms
Reply from ::2.1.1.2 bytes=56 Sequence=3 hop limit=64 time = 50 ms
Reply from ::2.1.1.2 bytes=56 Sequence=4 hop limit=64 time = 1 ms
Reply from ::2.1.1.2 bytes=56 Sequence=5 hop limit=64 time = 50 ms
--- ::2.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/34/50 ms
Networking Requirements
As shown in Figure 12-12-5, the IPv6 network-side interface of 6to4 router RouterA connects to a 6to4 network. RouterB is a 6to4 relay agent and connects to the IPv6 Internet (2001::/64). RouterA and RouterB are connected through an IPv4 backbone network. A 6to4 tunnel needs to be set up between RouterA and RouterB so that hosts on the 6to4 network and the IPv6 network can communicate.
Figure 12-12-5 Networking diagram for configuring 6to4 relay
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IPv4/IPv6 dual stack on routers so that they can access the IPv4 network and the IPv6 network.
2. Configure a 6to4 tunnel on routers to connect IPv6 networks through the IPv4 backbone network.
3. Configure a static route between RouterA and RouterB so that they can communicate through the IPv4 backbone network.
Verify the configuration.
# Ping the IPv6 address of GE2/0/0 on RouterB from RouterA. The IPv6 address is pinged successfully.
[RouterA] ping ipv6 2001::1
PING 2001::1 : 56 data bytes, press CTRL_C to break
Reply from 2001::1 bytes=56 Sequence=1 hop limit=64 time = 29 ms
Reply from 2001::1 bytes=56 Sequence=2 hop limit=64 time = 5 ms
Reply from 2001::1 bytes=56 Sequence=3 hop limit=64 time = 5 ms
Reply from 2001::1 bytes=56 Sequence=4 hop limit=64 time = 5 ms
Reply from 2001::1 bytes=56 Sequence=5 hop limit=64 time = 26 ms
--- 2001::1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/14/29 ms
Networking Requirements
As shown in Figure 12-12-6, an IPv6 host on the IPv4 network runs Windows XP. The IPv6 host needs to be connected to the IPv6 network through a border router. The IPv6 host and the border router support ISATAP. An ISATAP tunnel needs to be set up between the IPv6 host and the border router.
Figure 12-12-6 Networking diagram for configuring an ISATAP tunnel
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IPv4/IPv6 dual stack on the router so that the router can communicate with devices on the IPv4 network and the IPv6 network.
2. Configure an ISATAP tunnel on the router so that IPv6 hosts on the IPv4 network can communicate with IPv6 hosts on the IPv6 network.
3. Configure a static route.
Procedure
1. Configure the ISATAP router.
# Enable the IPv4/IPv6 dual stack and configure an IP address for each interface.
system-view
[Huawei] sysname Router
[Router] ipv6
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] ipv6 enable
[Router-GigabitEthernet1/0/0] ipv6 address 3001::1/64
[Router-GigabitEthernet1/0/0] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] ip address 2.1.1.1 255.0.0.0
[Router-GigabitEthernet2/0/0] quit
# Configure an ISATAP tunnel.
[Router] interface tunnel 0/0/2
[Router-Tunnel0/0/2] tunnel-protocol ipv6-ipv4 isatap
[Router-Tunnel0/0/2] ipv6 enable
[Router-Tunnel0/0/2] ipv6 address 2001::/64 eui-64
[Router-Tunnel0/0/2] source gigabitethernet 2/0/0
[Router-Tunnel0/0/2] undo ipv6 nd ra halt
[Router-Tunnel0/0/2] quit
2. Configure the ISATAP host.
The ISATAP host configuration depends on the operating system.
When the ISATAP host runs the Windows XP operating system, perform the following operations:
# Configure the IPv6 protocol.
C:\> ipv6 install
# Run the following command to add a static route to the border router. The number of the pseudo interface on the host is 2. You can run the ipv6 if command to check which interface corresponds to the Automatic Tunneling Pseudo-Interface.
C:\> ipv6 rlu 2 2.1.1.1
# Check ISATAP interface information on the host.
C:\>ipv6 if
Interface 2: Automatic Tunneling Pseudo-Interface
  Guid {48FCE3FC-EC30-E50E-F1A7-71172AEEE3AE}
  does not use Neighbor Discovery
  uses Router Discovery
  routing preference 1
  EUI-64 embedded IPv4 address: 2.1.1.2
  router link-layer address: 2.1.1.1
    preferred global 2001::5efe:2.1.1.2, life 29d23h59m50s/6d23h59m50s (public)
    preferred link-local fe80::5efe:2.1.1.2, life infinite
  link MTU 1280 (true link MTU 65515)
  current hop limit 64
  reachable time 16500ms (base 30000ms)
  retransmission interval 1000ms
  DAD transmits 0
  default site prefix length 48
The preceding information shows that the host obtains the prefix 2001::/64 and generates the address 2001::5efe:2.1.1.2, router discovery has been enabled, and the ISATAP tunnel has been set up successfully.
When the ISATAP host runs the Windows 7 operating system, perform the following operations:
# Run the following command to add a static route to the border router. IPv6 is installed by default in the Windows 7 operating system.
C:\> netsh interface ipv6 isatap set router 2.1.1.1
C:\> netsh interface ipv6 isatap set router 2.1.1.1 enabled
# Check ISATAP interface information on the host.
C:\>ipconfig/all
Tunnel adapter Automatic Tunneling Pseudo-Interface isatap.{895CA398-8C4F-4332-9558-642844FCB01B}:
   Connection-specific DNS Suffix . . . . . . . :
   Description . . . . . . . . . . . . . . . : Microsoft ISATAP Adapter #5
   Physical Address. . . . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   Dhcp Enabled . . . . . . . . . . . : No
   Automatic configuration. . . . . . . . . . : YES
   IP Address . . . . . . . . . . . . : 2001::200:5efe:2.1.1.2
   IP Address. . . . . . . . : fe80::200:5efe:2.1.1.2%30
   Default Gateway. . . . . . . . . . . . . : fe80::5efe:2.1.1.1%30
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip . . . . . . . : Disabled
The preceding information shows that the host obtains the prefix 2001::/64 and generates the address 2001::200:5efe:2.1.1.2, and the ISATAP tunnel has been set up successfully.
3. Configure the IPv6 host.
# Configure a static route to the border router tunnel on the IPv6 host so that PCs on the two different networks can communicate through the ISATAP tunnel.
C:\> ipv6 rtu 2001::/64 6/3001::1
4. Verify the configuration.
# View the IPv6 status of Tunnel0/0/2 on the ISATAP router. You can see that the tunnel status is Up.
[Router] display ipv6 interface Tunnel 0/0/2
Tunnel0/0/2 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::5EFE:201:101
Global unicast address(es):
2001::5EFE:201:101, subnet is 2001::/64
Joined group address(es):
FF02::1:FF01:101
FF02::2
FF02::1
MTU is 1500 bytes
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses
# Ping the global unicast address of the tunnel interface on the ISATAP host running the Windows XP operating system from the ISATAP router.
[Router] ping ipv6 2001::5efe:2.1.1.2
PING 2001::5efe:2.1.1.2 : 56 data bytes, press CTRL_C to break
Reply from 2001::5EFE:201:102 bytes=56 Sequence=1 hop limit=64 time = 4 ms
Reply from 2001::5EFE:201:102 bytes=56 Sequence=2 hop limit=64 time = 3 ms
Reply from 2001::5EFE:201:102 bytes=56 Sequence=3 hop limit=64 time = 2 ms
Reply from 2001::5EFE:201:102 bytes=56 Sequence=4 hop limit=64 time = 2 ms
Reply from 2001::5EFE:201:102 bytes=56 Sequence=5 hop limit=64 time = 2 ms
--- 2001::5efe:2.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/4 ms
# Ping the global unicast address of the ISATAP router from the ISATAP host running the Windows XP operating system.
C:\> ping6 2001::5efe:2.1.1.1
Pinging 2001::5efe:2.1.1.1 from 2001::5efe:2.1.1.2 with 32 bytes of data:
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms
Ping statistics for 2001::5efe:2.1.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms
# Ping the IPv6 host from the ISATAP host running the Windows XP operating system. They can ping each other.
C:\> ping6 3001::2
Pinging 3001::2 with 32 bytes of data:
Reply from 3001::2: time<1ms
Reply from 3001::2: time<1ms
Reply from 3001::2: time<1ms
Reply from 3001::2: time<1ms
Ping statistics for 3001::2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Configuration Files
Configuration file of the ISATAP router
#
 sysname ISATAP
#
 ipv6
#
interface GigabitEthernet1/0/0
 ipv6 enable
 ipv6 address 3001::1/64
#
interface GigabitEthernet2/0/0
 ip address 2.1.1.1 255.0.0.0
#
interface Tunnel0/0/2
 ipv6 enable
 ipv6 address 2001::/64 eui-64
 undo ipv6 nd ra halt
 tunnel-protocol ipv6-ipv4 isatap
 source GigabitEthernet2/0/0
#
return
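The automatic tunnel, 6to4 and ISATAP examples above all rely on IPv6 addresses that embed the IPv4 tunnel endpoint: the IPv4-compatible ::2.1.1.x addresses of the automatic tunnel, the 2002::/16 prefix of 6to4, and the 5EFE interface identifiers that the Windows XP host, the Windows 7 host and the router derive for ISATAP. As an added example that is not part of the Huawei material, the following Python recognises those three address forms, recovers the embedded IPv4 endpoint (what an operator matches against backbone addresses when filtering or auditing tunneled traffic), and rebuilds the ISATAP and 6to4 addresses from their inputs; the page's own values are reused as test inputs and the helper names are my own.

```python
import ipaddress
from typing import Optional, Tuple

# ISATAP interface identifier (RFC 5214): the upper 32 bits of the IID are 0000:5EFE, or
# 0200:5EFE when the embedded IPv4 address is globally unique (u/g bit set). The second form is
# what the Windows 7 host on this page generates (2001::200:5efe:2.1.1.2).
ISATAP_IID_PRIVATE = 0x00005EFE
ISATAP_IID_PUBLIC = 0x02005EFE


def classify_tunnel_address(text: str) -> Tuple[str, Optional[str]]:
    """Return (kind, embedded_ipv4) for an IPv6 address.

    kind is "6to4", "isatap", "ipv4-compatible" or "native"; embedded_ipv4 is the IPv4
    tunnel endpoint carried inside the address (the real destination of the encapsulating
    IPv4 packet on the backbone), or None for a native address.
    """
    addr = ipaddress.IPv6Address(text)
    raw = addr.packed
    # 6to4 (RFC 3056): 2002:WWXX:YYZZ::/48, the 6to4 router's IPv4 address sits in bits 16-47.
    if raw[0:2] == b"\x20\x02":
        return "6to4", str(ipaddress.IPv4Address(raw[2:6]))
    # ISATAP: any /64 prefix, IID = [0|2]00:5EFE:w.x.y.z (also matches fe80::5efe:w.x.y.z).
    if int.from_bytes(raw[8:12], "big") in (ISATAP_IID_PRIVATE, ISATAP_IID_PUBLIC):
        return "isatap", str(ipaddress.IPv4Address(raw[12:16]))
    # IPv4-compatible (::w.x.y.z, deprecated by RFC 4291): the automatic tunnel on this page
    # uses ::2.1.1.1 and ::2.1.1.2. The unspecified address :: and loopback ::1 are excluded.
    if raw[0:12] == bytes(12) and int(addr) > 1:
        return "ipv4-compatible", str(ipaddress.IPv4Address(raw[12:16]))
    return "native", None


def isatap_address(prefix: str, ipv4: str, public: bool = False) -> str:
    """Build the ISATAP address a host derives from an advertised /64 prefix and its IPv4 address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addresses are formed from a /64 prefix")
    iid_high = ISATAP_IID_PUBLIC if public else ISATAP_IID_PRIVATE
    iid = (iid_high << 32) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def sixtofour_prefix(ipv4: str) -> str:
    """Return the 2002::/48 site prefix a 6to4 router derives from its public IPv4 address."""
    site = (0x2002 << 112) | (int(ipaddress.IPv4Address(ipv4)) << 80)
    return str(ipaddress.IPv6Network((site, 48)))


if __name__ == "__main__":
    # Addresses taken from the verification output of the examples above.
    for sample in ("::2.1.1.2", "2001::5efe:2.1.1.2", "2001::200:5efe:2.1.1.2",
                   "FE80::5EFE:201:101", "2002:201:101::1", "3001::1"):
        print(sample, "->", classify_tunnel_address(sample))
    print(isatap_address("2001::/64", "2.1.1.2"), isatap_address("2001::/64", "2.1.1.2", True))
    print(sixtofour_prefix("2.1.1.1"))
```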
12.12.7 Example for Configuring an IPv4 over IPv6 Tunnel
Networking Requirements
As shown in Figure 12-12-7, two IPv4 networks are connected to an IPv6 network through RT1 and RT5. Border devices RT2 and RT4 on the IPv6 network support the IPv4/IPv6 dual stack. An IPv4 over IPv6 tunnel needs to be set up between RT2 and RT4 so that the physically isolated IPv4 networks can communicate.
Figure 12-12-7 Networking diagram for configuring an IPv4 over IPv6 tunnel
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IPv4 over IPv6 tunnel on the border devices at both ends of the IPv6 network.
2. Use a dynamic routing protocol to configure a route for the tunnel interface to forward packets.
Configuration Procedures
1. Configure an IPv6 address for the physical interface and enable IPv6 capability for IS-IS on the IPv6 network to implement IP connectivity of the IPv6 network.
# Configure RT2.
system-view
[Huawei] sysname RT2
[RT2] ipv6
[RT2] interface pos 2/0/0
Configure a tunnel interface.
# Create a tunnel interface, and configure an IPv4 address, a source IPv6 address (or source interface), and a destination IPv6 address for the tunnel interface.
# Configure RT2.
system-view
[RT2] interface tunnel 0/0/2
[RT2-Tunnel0/0/2] tunnel-protocol ipv4-ipv6
[RT2-Tunnel0/0/2] ip address 10.1.1.1 30
[RT2-Tunnel0/0/2] source pos 2/0/0
[RT2-Tunnel0/0/2] destination 2002::2
# Configure RT4.
system-view
[RT4] interface tunnel 0/0/1
[RT4-Tunnel0/0/1] tunnel-protocol ipv4-ipv6
[RT4-Tunnel0/0/1] ip address 10.1.1.2 30
[RT4-Tunnel0/0/1] source pos 1/0/0
[RT4-Tunnel0/0/1] destination 2001::1
4. Use a dynamic routing protocol to configure a route for the tunnel interface to forward packets.
# Configure RT2.
system-view
[RT2] ospf 1
[RT2-ospf-1] area 0
[RT2-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3
[RT2-ospf-1-area-0.0.0.0] quit
[RT2-ospf-1] quit
# Configure RT4.
system-view
[RT4] ospf 1
[RT4-ospf-1] area 0
Verify the configuration.
After the preceding configurations are complete, check the tunnel interface status on RT2 and RT4. You can see that the protocol status of the tunnel interface is Up.
[RT2] display interface tunnel 0/0/2
Tunnel0/0/2 current state : UP
Line protocol current state : UP
Last line protocol up time: 2010-06-22, 19:33:19
Description : HUAWEI, AR Series, Tunnel0/0/2 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 10.1.1.1/30
Encapsulation is TUNNEL6, loopback not set
Tunnel protocol/transport (IPv6 or IPV4) over IPv6
Tunnel Source 2001::1 (Pos2/0/0)
Tunnel Destination 2002::2
Tunnel Encapsulation limit 4
Tunnel Traffic class not set
Tunnel Flow label not set
Tunnel Hop limit 64
Current system time: 2012-09-05 10:28:33
300 seconds input rate 0 bits/sec, 0 packets/sec
300 seconds output rate 0 bits/sec, 0 packets/sec
102 seconds input rate 0 bits/sec, 0 packets/sec
102 seconds output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error
Input bandwidth utilization : -
Output bandwidth utilization : -
Check the IPv4 routing table on RT2 and RT4. You can see that the outbound interface of the route to the remote IPv4 network is a tunnel interface.
[RT2] display ip routing-table
Routing Tables: Public
         Destinations : 9        Routes : 9
Destination/Mask    Proto   Pre  Cost      NextHop         Interface
1.1.1.1/32          Direct  0    0         127.0.0.1       InLoopBack0
10.1.1.0/30         Direct  0    0         10.1.1.1        Tunnel0/0/2
10.1.1.1/32         Direct  0    0         127.0.0.1       Tunnel2/0/0
10.1.2.0/30         Direct  0    0         10.1.2.1        Pos1/0/0
10.1.2.1/32         Direct  0    0         127.0.0.1       Pos1/0/0
10.1.2.2/32         Direct  0    0         10.1.2.2        Pos1/0/0
10.1.3.0/24         OSPF    10   2         10.1.1.2        Tunnel0/0/2
127.0.0.0/8         Direct  0    0         127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0         127.0.0.1       InLoopBack0
RT1 and RT5 can ping each other.
Configuration Files
Configuration file of RT1
#
 sysname RT1
#
interface Pos1/0/0
 link-protocol ppp
 ip address 10.1.2.2 255.255.255.252
#
ospf 1
 area 0.0.0.0
  network 10.1.2.0 0.0.0.3
#
return
Configuration file of RT5
#
 sysname RT5
#
interface Pos1/0/0
 link-protocol ppp
 ip address 10.1.3.2 255.255.255.252
#
ospf 1
 area 0.0.0.0
  network 10.1.3.0 0.0.0.3
#
return
12.12.8 Example for Configuring Basic RIPng Functions
Networking Requirements
As shown in Figure 12-12-8, three routers (RouterA, RouterB, and RouterC) reside on a small IPv6 network. RouterA, RouterB, and RouterC must communicate with each other.
Figure 12-12-8 Networking diagram of configuring basic RIPng functions
Configuration Roadmap
The configuration roadmap is as follows:
1. Assign IP addresses to interfaces to ensure network reachability.
2. Enable RIPng on routers to implement network interconnection.
Procedure
1. Assign an IPv6 address to each interface.
# Configure RouterA.
[RouterA] ipv6
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 address 2::1 64
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ipv6 enable
[RouterA-GigabitEthernet2/0/0] ipv6 address 1::1 64
The configurations of RouterB and RouterC are similar to the configuration of RouterA and are not mentioned here.
2.
A - Aging, G - Garbage-collect
---------------------------------------------------------------
 Peer FE80::200:5EFF:FE04:B602 on GigabitEthernet1/0/0
  Dest 3::/64,
   via FE80::200:5EFF:FE04:B602, cost 1, tag 0, RA, 10 Sec
# Check the RIPng routing table of RouterB.
[RouterB] display ripng 1 route
Route Flags: R - RIPng
A - Aging, G - Garbage-collect
---------------------------------------------------------------
 Peer FE80::A19:A6FF:FECE:7D4C on GigabitEthernet1/0/0
  Dest 1::/64,
   via FE80::A19:A6FF:FECE:7D4C, cost 1, tag 0, RA, 25 Sec
# Check the RIPng routing table of RouterC.
[RouterC] display ripng 1 route
Route Flags: R - RIPng
A - Aging, G - Garbage-collect
---------------------------------------------------------------
 Peer FE80::2E0:FCFF:FE01:9 on GigabitEthernet1/0/0
  Dest 1::/64,
   via FE80::2E0:FCFF:FE01:9, cost
Networking Requirements
As shown in Figure 12-12-9, all routers run OSPFv3. The autonomous system is divided into three areas. RouterB and RouterC serve as ABRs and forward the inter-area routes. Area 2 must be configured so that fewer LSAs are advertised into it, without affecting route reachability.
Figure 12-12-9 Networking diagram of configuring OSPFv3 areas
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable basic OSPFv3 functions on each router.
2. Configure Area 2 as a stub area to decrease the LSAs advertised to this area, without affecting route reachability.
Procedure
1. Assign an IPv6 address for each interface. The details are not mentioned here.
[RouterD-ospfv3-1] router-id 4.4.4.4
[RouterD-ospfv3-1] quit
[RouterD] interface gigabitethernet 1/0/0
[RouterD-GigabitEthernet1/0/0] ospfv3 1 area 2
[RouterD-GigabitEthernet1/0/0] quit
# Display the OSPFv3 neighbors of RouterB.
[RouterB] display ospfv3 peer
OSPFv3 Process (1)
OSPFv3 Area (0.0.0.1)
 Neighbor ID     Pri   State      Dead Time   Interface   Instance ID
 1.1.1.1         1     Full/ -    00:00:34    GE2/0/0     0
OSPFv3 Area (0.0.0.0)
 Neighbor ID     Pri   State      Dead Time   Interface   Instance ID
 3.3.3.3         1     Full/ -    00:00:32    GE1/0/0     0
# Display the OSPFv3 neighbors of RouterC.
[RouterC] display ospfv3 peer
OSPFv3 Process (1)
OSPFv3 Area (0.0.0.0)
 Neighbor ID     Pri   State      Dead Time   Interface   Instance ID
 2.2.2.2         1     Full/ -    00:00:37    GE1/0/0     0
OSPFv3 Area (0.0.0.2)
 Neighbor ID     Pri   State      Dead Time   Interface   Instance ID
 4.4.4.4         1     Full/ -    00:00:33    GE2/0/0     0
# Display the OSPFv3 routing table of RouterD.
[RouterD] display ospfv3 routing
Codes : E2 - Type 2 External, E1 - Type 1 External, IA - Inter-Area,
        N - NSSA, U - Uninstalled
OSPFv3 Process (1)
 Destination        Metric   Next-hop
 IA 1000::/64       2        via FE80::1572:0:5EF4:1, GigabitEthernet1/0/0
 IA 1001::/64       3        via FE80::1572:0:5EF4:1, GigabitEthernet1/0/0
    1002::/64       1        directly-connected, GigabitEthernet1/0/0
 IA 2000::/64       4        via FE80::1572:0:5EF4:1, GigabitEthernet1/0/0
3. Configure stub areas.
# Configure the stub area on RouterD.
[RouterD] ospfv3
[RouterD-ospfv3-1] area 2
[RouterD-ospfv3-1-area-0.0.0.2] stub
[RouterD-ospfv3-1-area-0.0.0.2] quit
# Configure the stub area on RouterC, and set the cost of the default route advertised into the stub area to 10.
[RouterC] ospfv3
[RouterC-ospfv3-1] area 2
[RouterC-ospfv3-1-area-0.0.0.2] stub
[RouterC-ospfv3-1-area-0.0.0.2] default-cost 10
[RouterC-ospfv3-1-area-0.0.0.2] quit
# Display the OSPFv3 routing table of RouterD. A new default route now appears in the routing table. Its cost is the sum of the cost of the directly connected route and the configured default cost.
[RouterD] display ospfv3 routing
Codes : E2 - Type 2 External, E1 - Type 1 External, IA - Inter-Area,
        N - NSSA, U - Uninstalled
OSPFv3 Process (1)
 Destination        Metric   Next-hop
 IA ::/0            11       via FE80::1572:0:5EF4:1, GigabitEthernet1/0/0
 IA 1000::/64       2        via FE80::1572:0:5EF4:1, GigabitEthernet1/0/0
 IA 1001::/64       3        via FE80::1572:0:5EF4:1, GigabitEthernet1/0/0
    1002::/64       1        directly-connected, GigabitEthernet1/0/0
 IA 2000::/64       4        via FE80::1572:0:5EF4:1, GigabitEthernet1/0/0
4. Configure totally stub areas.
# On RouterC, configure Area 2 as a totally stub area.
[RouterC] ospfv3
[RouterC-ospfv3-1] area 2
[RouterC-ospfv3-1-area-0.0.0.2] stub no-summary
[RouterC-ospfv3-1-area-0.0.0.2] quit
5. Verify the configuration.
# Display the OSPFv3 routing table of RouterD. The number of entries in the routing table decreases: the other non-directly connected routes are suppressed, and only the default route is retained.
[RouterD] display ospfv3 routing
Codes : E2 - Type 2 External, E1 - Type 1 External, IA - Inter-Area,
        N - NSSA, U - Uninstalled
OSPFv3 Process (1)
 Destination        Metric   Next-hop
12.12.10 Example for Configuring Basic BGP4+ Functions
Networking Requirements
As shown in Figure 12-12-10, there are two ASs: 65008 and 65009. RouterA belongs to AS 65008; RouterB and RouterC belong to AS 65009. A routing protocol is required to exchange routing information between the two ASs.
Figure 12-12-10 Networking diagram of configuring BGP4+ route reflection
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the IBGP connection between RouterB and RouterC.
2. Configure the EBGP connection between RouterA and RouterB.
Procedure
1. Assign an IPv6 address for each interface. The details are not mentioned here.
[RouterA-bgp-af-ipv6] network 8:: 64
# Configure RouterB.
[RouterB] bgp 65009
[RouterB-bgp] peer 10::2 as-number 65008
[RouterB-bgp] ipv6-family unicast
[RouterB-bgp-af-ipv6] peer 10::2 enable
[RouterB-bgp-af-ipv6] network 10:: 64
# Check the connection status of the BGP4+ peers.
[RouterB] display bgp ipv6 peer
 BGP local router ID : 2.2.2.2
 Local AS number : 65009
 Total number of peers : 2                 Peers in established state : 2
  Peer      V   AS      MsgRcvd   MsgSent   OutQ   Up/Down     State         PrefRcv
  9:1::2    4   65009   10        14        0      00:07:10    Established   1
  10::2     4   65008   6         6         0      00:02:17    Established   2
The output shows that RouterB has set up BGP4+ connections with the other routers.
# Display the routing table of RouterA.
[RouterA] display bgp ipv6 routing-table
 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, > - best, d - damped, h - history,
               i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete
 Total Number of Routes: 4
 *> Network  : 8::                                      PrefixLen : 64
    NextHop  : ::                                       LocPrf    :
    MED      : 0                                        PrefVal   : 0
    Label    :
    Path/Ogn : i
 *> Network  : 9:1::                                    PrefixLen : 64
    NextHop  : 10::1                                    LocPrf    :
    MED      : 0                                        PrefVal   : 0
    Label    :
    Path/Ogn : 65009 i
 *> Network  : 10::                                     PrefixLen : 64
    NextHop  : ::                                       LocPrf    :
    MED      : 0                                        PrefVal   : 0
    Label    :
    Path/Ogn : i
    NextHop  : 10::1                                    LocPrf    :
    MED      : 0                                        PrefVal   : 0
    Label    :
    Path/Ogn : 65009 i
The routing table shows that RouterA has learned the route from AS 65009. AS 65008 and AS 65009 can exchange their routing information.
MPLS Network Structure
On a typical MPLS network, shown in Figure 13-1-1, all routers function as label switching routers (LSRs) that exchange labels and forward packets. These LSRs form an MPLS domain. LSRs that reside at the edge of the MPLS domain and connect to other networks are called label edge routers (LERs). LSRs within an MPLS domain are core LSRs.
Figure 13-1-1 MPLS network structure
On IP networks, packets are forwarded based on IP addresses; in MPLS domains, packets are forwarded based on labels. When receiving IP packets from the connected IP network, an LER tags the packets with labels and forwards the labeled packets to a core LSR. When receiving labeled packets from the core LSR, the LER removes the labels and forwards the packets to the IP network. Core LSRs forward packets based only on labels.
LSPs are determined by different protocols and are established before packet forwarding. IP packets are transmitted through the specified label switched paths (LSPs) on an MPLS network. As shown in Figure 13-1-2, an LSP is a unidirectional path whose direction is the same as that of the data flow. The nodes on an LSP are the ingress, transit, and egress nodes. The number of transit nodes on an LSP varies (none, one, or multiple), but an LSP has exactly one ingress node and one egress node.
To an LSR, all LSRs that send MPLS packets to it are upstream LSRs, and all next-hop LSRs that receive MPLS packets from it are downstream LSRs. As shown in Figure 13-1-2, for the data flow destined for 192.168.1.0/24, the ingress node is upstream of the transit node, and the transit node is downstream of the ingress node. Similarly, the transit node is upstream of the egress node, and the egress node is downstream of the transit node.
Figure 13-1-2 Upstream and downstream LSRs
MPLS Architecture
The MPLS architecture consists of a control plane and a forwarding plane. Figure 13-1-3 shows the MPLS architecture.
Figure 13-1-3 MPLS architecture
The control plane is connectionless; it generates and maintains routing information and labels. On the control plane, the IP routing protocol module transmits routing information and generates a routing information base (RIB), and the label distribution protocol module exchanges labels and establishes LSPs.
The forwarding plane, also called the data plane, is connection-oriented and forwards both ordinary IP packets and labeled MPLS packets. It consists of the IP forwarding information base (FIB) module and the label forwarding information base (LFIB) module. When receiving ordinary IP packets, the forwarding plane forwards them based on the IP FIB or the LFIB as required. When receiving labeled packets, it forwards them based on the LFIB. If the destination is on an IP network, the data plane removes the labels and forwards the packets based on the IP FIB.
13.1.2 MPLS Label
Forwarding Equivalence Class
A forwarding equivalence class (FEC) is a class-based forwarding concept: packets that are forwarded in the same way are grouped into one class based on destination address and mask. Packets in the same FEC are forwarded in the same way on an MPLS network. A FEC can be defined based on destination IP address and mask. For example, during IP forwarding, packets with the same destination, as determined by the longest match algorithm, belong to the same FEC.
Label
A label is a short identifier that is 4 bytes long and has only local significance. It uniquely identifies the FEC to which a packet belongs. In some cases, such as load balancing, a FEC can be mapped to multiple incoming labels. Each label, however, represents only one FEC on a device. Figure 13-1-4 shows the encapsulation structure of the label.
Figure 13-1-4 Structure of an MPLS label
A label contains the following fields:
Label: indicates the value field of a label. The length is 20 bits.
Exp: indicates the bits used for extension. The length is 3 bits. Generally, this field is used for the class of service (CoS) that serves in a manner similar to Ethernet 802.1p.
S: identifies the bottom of a label stack. The length is 1 bit. MPLS supports multiple labels, namely, the label nesting. When the S field is 1, the label is at the bottom of the label stack.
TTL: indicates the time to live. The length is 8 bits. This field is the same as the TTL in IP packets.
Labels are encapsulated between the data link layer and the network layer. Labels can be supported by all data link layer protocols. Figure 13-1-5 shows the position of the label in a packet.
Figure 13-1-5 Position of a label in a packet
Label Space The label space is the value range of the label. The following describes the label space classification:
0 to 15: indicates special labels. For details about special labels, see Table 13-1-1.
Table 13-1-1 Special labels
Label Value: 0
Label: IPv4 Explicit NULL Label
Description: The label must be popped out, and the packets must be forwarded based on IPv4. If the egress node allocates a label whose value is 0 to the LSR at the penultimate hop, the LSR at the penultimate hop pushes label 0 to the top of the label stack and forwards the packet to the egress node. When the egress node recognizes that the value of the label carried in the packet is 0, the egress node pops it out. The label 0 is valid only at the bottom of the label stack.
Label Value: 1
Label: Router Alert Label
Description: A label that is only valid when it is not at the bottom of a label stack. The label is similar to the Router Alert Option field in IP packets. After receiving such a label, the node sends it to a local software module for further processing. Packet forwarding is determined by the next-layer label. If the packet needs to be forwarded further, the node pushes the Router Alert Label to the top of the label stack again.
Label Value: 2
Label: IPv6 Explicit NULL Label
Description: The label must be popped out, and the packets must be forwarded based on IPv6. If the egress node allocates a label with the value of 2 to the LSR at the penultimate hop, the LSR pushes label 2 to the top of the label stack and forwards the packet to the egress node. When the egress node recognizes that the value of the label carried in the packet is 2, the egress node immediately pops it out. The label 2 is valid only at the bottom of the label stack.
Label Value: 3
Label: Implicit NULL Label
Description: When the label with the value of 3 is swapped on an LSR at the penultimate hop, the LSR pops the label out and forwards the packet to the egress node. Upon receiving the packet, the egress node forwards the IP or VPN packet.
Label Value: 4 to 13
Label: Reserved
Description: None.
Label Value: 14
Label: OAM Router Alert Label
Description: A label for operation, administration and maintenance (OAM) packets over an MPLS network. MPLS OAM sends OAM packets to monitor LSPs and notify faults. OAM packets are transparent on transit nodes and the penultimate LSR.
Label Value: 15
Label: Reserved
Description: None.
16 to 1023: indicates the label space shared by static LSPs and static constraint-based routed LSPs (CR-LSPs).
1024 or above: indicates the label space for dynamic signaling protocols, such as Label Distribution Protocol (LDP), Resource Reservation Protocol-Traffic Engineering (RSVP-TE), and Multiprotocol Extensions for BGP (MP-BGP).
Label Stack A label stack is a set of arranged labels. An MPLS packet can carry multiple labels at the same time. The label next to the Layer 2 header is called the top label or the outer label. The label next to the Layer 3 header is called the bottom label or inner label. Theoretically, MPLS labels can be nested without any limit.
Figure 13-1-6 Label stack
The label stack organizes labels according to the Last-In, First-Out rule. Labels are processed from the top of the stack.
Label Operations Information about basic label operations is a part of the label forwarding table. The operations are described as follows:
Push: When an IP packet enters an MPLS domain, the ingress node adds a new label to the packet between the Layer 2 header and the IP header. Alternatively, an LSR adds a new label to the top of the label stack, namely, the label nesting.
Swap: When a packet is transferred within the MPLS domain, a local node swaps the label at the top of the label stack in the MPLS packet for the label allocated by the next hop according to the label forwarding table.
Pop: When a packet leaves the MPLS domain, the label is popped out of the MPLS packet. Alternatively, the top label of the label stack is popped out at the penultimate hop on an MPLS network to decrease the number of labels in the stack. The label is of no use at the last hop of an MPLS domain, so the penultimate hop popping (PHP) feature applies: on the penultimate node, the label is popped out of the packet to reduce the size of the packet forwarded to the last hop. The last hop then directly forwards the IP packet, or forwards the packet by using the second label. PHP is configured on the egress node. An egress node supporting PHP allocates the label with the value of 3 to the penultimate hop.
13.1.3 Establishing LSPs
Procedure for Establishing LSPs
Usually, MPLS allocates labels to packets and establishes an LSP through which MPLS forwards the packets. The downstream LSR allocates labels and advertises them to the upstream LSR. As shown in Figure 13-1-7, the downstream LSR identifies the FEC based on the destination address, allocates a label to that FEC, and records the mapping between the label and the FEC. The downstream LSR then encapsulates the mapping in a message and sends it to the upstream LSR. In this way a label forwarding table and an LSP are established.
Figure 13-1-7 Establishment of an LSP
LSPs are classified into the following types:
Static LSP: set up by the administrator.
Dynamic LSP: set up using the routing protocols and label distribution protocols.
Establishing Static LSPs
You can manually allocate labels to set up static LSPs. The value of the outgoing label of the upstream node is equal to the value of the incoming label of the downstream node. The status of a static LSP is meaningful only on the local node, which cannot detect the state of the entire LSP. A static LSP is set up without label distribution protocols or the exchange of control packets. Static LSPs consume few resources and are recommended for small-scale networks with a simple and stable topology. A static LSP cannot adapt to changes in the network topology; it must instead be reconfigured by an administrator.
Establishing Dynamic LSPs
Dynamic LSPs are established using label distribution protocols. As the control protocol or signaling protocol for MPLS, a label distribution protocol defines FECs, distributes labels, and establishes and maintains LSPs. The following label distribution protocols apply to an MPLS network.
LDP
LDP is defined to distribute labels and is used to dynamically establish LSPs. An LSR can use LDP to map routing information on the network layer to the LSP on the data link layer. For details about LDP, see MPLS LDP.
RSVP-TE
RSVP-TE is an extension to RSVP and is used to establish or delete constraint-based LSPs. For details about RSVP-TE, see MPLS TE.
MP-BGP
MP-BGP is an extension to BGP and allocates labels to MPLS VPN routes and inter-AS VPN routes. For details about MP-BGP, see Feature Description - IP Routing.
13.1.4 MPLS Forwarding
MPLS Forwarding Principle
An LSP that supports PHP is used in the following example to describe how MPLS packets are forwarded.
Figure 13-1-8 MPLS label distribution and packet forwarding
As shown in Figure 13-1-8, an LSP whose FEC is identified by the destination address 4.4.4.2/24 is set up on an MPLS network. MPLS packets are forwarded as follows:
1. The ingress node receives an IP packet destined for 4.4.4.2. The ingress node adds Label Z to the packet and forwards it.
2. The transit node receives the labeled packet and swaps labels by popping Label Z out and pushing Label Y onto the packet.
3. The transit node at the penultimate hop receives the packet with Label Y. It pops Label Y out because the outgoing label value allocated by the egress is 3, and then forwards the packet to the egress node as an IP packet.
4. The egress node receives the IP packet and forwards it to 4.4.4.2/24.
Process of MPLS Packet Forwarding
NHLFE
The next hop label forwarding entry (NHLFE) guides MPLS packet forwarding.
An NHLFE contains the following information:
Tunnel ID
Outbound interface
Next hop
Outgoing label
Label operation
FTN
FTN is short for FEC-to-NHLFE. The FTN indicates the mapping between a FEC and a set of NHLFEs. FTN details can be obtained by searching for the tunnel ID values that are not 0x0 in a FIB. The FTN is available on the ingress only.
ILM
The incoming label map (ILM) indicates the mapping between an incoming label and a set of NHLFEs. The ILM contains the following information:
Tunnel ID
Incoming label
Inbound interface
Label operation
The ILM on a transit node can bind the labels to NHLFEs. The function of an ILM table is similar to the FIB that is searched according to destination IP addresses. Therefore, you can obtain all label forwarding information by searching an ILM table.
Tunnel ID
To provide a uniform tunnel interface to upper-layer applications such as VPN and route management, the system automatically allocates an ID to each tunnel, referred to as the tunnel ID. The tunnel ID is 32 bits long and is valid only on the local end.
When an IP packet enters an MPLS domain, the ingress node searches the FIB to check whether the tunnel ID corresponding to the destination IP address is 0x0.
If the tunnel ID is 0x0, the packet is forwarded along the IP link.
If the tunnel ID is not 0x0, the packet is forwarded along an LSP.
Figure 13-1-9 Process of MPLS packet forwarding
MPLS packets are forwarded as follows on the nodes along an LSP:
The ingress node searches the FIB and NHLFE tables.
The transit node searches the ILM and NHLFE tables.
The egress node searches the ILM table or RIB.
During MPLS forwarding, FIB entries, ILM entries, and NHLFEs are associated with each other through the tunnel ID.
Forwarding on the ingress node
The ingress node forwards MPLS packets as follows:
1. Searches the FIB and finds the tunnel ID corresponding to the destination IP address.
2. Finds the NHLFE corresponding to the tunnel ID in the FIB and associates the FIB entry with the NHLFE entry.
3. Checks the NHLFE for the outbound interface, next hop, outgoing label, and label operation type. The label operation type is Push.
4. Pushes the obtained label onto the IP packet, processes the EXP field according to the QoS policy and the TTL field, and sends the encapsulated MPLS packet to the next hop.
Forwarding on the transit node
The transit node forwards received MPLS packets as follows:
1. Looks up the ILM table with the incoming MPLS label and finds the tunnel ID.
2. Finds the NHLFE corresponding to the tunnel ID in the ILM table.
3. Checks the NHLFE for the outbound interface, next hop, outgoing label, and label operation type.
4. Processes the MPLS packet according to the outgoing label value obtained from the NHLFE:
If the label value is equal to or greater than 16, the new label replaces the label in the MPLS packet. At the same time, the EXP field and TTL field are processed. The MPLS packet with the new label is forwarded to the next hop.
If the label value is 3, the label is popped out of the MPLS packet. At the same time, the EXP field and TTL field are processed. The packet is then forwarded through IP routes, or according to its next-layer label.
Forwarding on the egress node
When the egress node receives IP packets, it checks the FIB and performs IP forwarding.
When the egress node receives MPLS packets, it checks the ILM table for the label operation type. At the same time, the egress node processes the EXP field and TTL field.
When the S field in the label is equal to 1, the label is the stack's bottom label and the packet is directly forwarded through IP routes.
When the S field in the label is equal to 0, a next-layer label exists and the packet is forwarded according to the next layer label.
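The table lookups described for the ingress, transit and egress nodes (FIB with tunnel ID, ILM, NHLFE) and the push/swap/pop operations of Figure 13-1-8 can be run end to end with a small simulator. The following Python block is an added example, not code from the Huawei material or from any Huawei device: each node holds the tables the text names, `forward()` applies the decision rules of the "Forwarding on the ingress/transit/egress node" sections, and `figure_13_1_8()` builds the four-node LSP from that figure. The label values Z=1026 and Y=1025, the tunnel IDs, the interface names and the next-hop names are all constructed; the explicit NULL labels 0 and 2 are not modeled.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IMPLICIT_NULL = 3   # label 3: the egress asks the penultimate hop to pop (PHP)
NO_TUNNEL = 0x0     # tunnel ID 0x0 in a FIB entry means ordinary IP forwarding


@dataclass
class NHLFE:
    out_if: str
    next_hop: str
    out_label: Optional[int] = None   # None: the egress pops and has no outgoing label


@dataclass
class LSR:
    name: str
    fib: dict = field(default_factory=dict)    # prefix -> tunnel ID (ingress / IP hops)
    ilm: dict = field(default_factory=dict)    # incoming label -> tunnel ID (transit/egress)
    nhlfe: dict = field(default_factory=dict)  # tunnel ID -> NHLFE
    rib: dict = field(default_factory=dict)    # prefix -> IP next hop (egress / IP hops)


def longest_match(table, dst):
    """Longest-prefix match of dst against a {prefix: value} table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, value in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


def forward(lsr, dst, labels):
    """Process one packet on one LSR. labels is the stack, top label first.
    Returns (operation, next hop, label stack after this node)."""
    if not labels:
        # Plain IP packet: the FIB lookup yields a tunnel ID; 0x0 means IP forwarding,
        # anything else selects an NHLFE whose operation is Push.
        tunnel_id = longest_match(lsr.fib, dst)
        if tunnel_id == NO_TUNNEL:
            return "ip-forward", longest_match(lsr.rib, dst), []
        entry = lsr.nhlfe[tunnel_id]
        return "push", entry.next_hop, [entry.out_label]
    top, rest = labels[0], labels[1:]
    if top not in lsr.ilm:
        # A label this node never allocated: drop rather than guess a path for it.
        raise LookupError(f"{lsr.name}: no ILM entry for incoming label {top}")
    entry = lsr.nhlfe[lsr.ilm[top]]
    if entry.out_label is not None and entry.out_label >= 16:
        return "swap", entry.next_hop, [entry.out_label] + rest
    if entry.out_label == IMPLICIT_NULL:
        return "php-pop", entry.next_hop, rest            # penultimate hop popping
    if rest:                                             # S=0: forward by the next label
        return "pop", entry.next_hop, rest
    return "pop-ip", longest_match(lsr.rib, dst), rest   # S=1: bottom reached, IP lookup


def run_lsp(nodes, dst):
    """Send one packet for dst through the listed nodes; return each hop's decision."""
    labels, trace = [], []
    for node in nodes:
        op, next_hop, labels = forward(node, dst, labels)
        trace.append((node.name, op, list(labels)))
    return trace


def figure_13_1_8():
    """The LSP of Figure 13-1-8 with constructed label values Z and Y (>= 1024, dynamic range)."""
    Z, Y = 1026, 1025
    ingress = LSR("Ingress", fib={"4.4.4.0/24": 1},
                  nhlfe={1: NHLFE("GE1/0/0", "Transit", Z)})
    transit = LSR("Transit", ilm={Z: 2},
                  nhlfe={2: NHLFE("GE1/0/0", "Penultimate", Y)})
    penultimate = LSR("Penultimate", ilm={Y: 3},
                      nhlfe={3: NHLFE("GE1/0/0", "Egress", IMPLICIT_NULL)})
    egress = LSR("Egress", fib={"4.4.4.0/24": NO_TUNNEL},
                 rib={"4.4.4.0/24": "directly-connected"})
    return run_lsp([ingress, transit, penultimate, egress], "4.4.4.2")


if __name__ == "__main__":
    for hop in figure_13_1_8():
        print(hop)
```

The trace shows the four operations of the figure in order: push on the ingress, swap on the transit node, pop on the penultimate hop because its NHLFE carries label 3, and a plain FIB lookup on the egress, which never sees a label. A label with no ILM entry raises instead of being forwarded, which is the behaviour an operator wants from a transit node that receives a label it did not allocate.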
13.1.5 MPLS TTL Processing
This section describes how MPLS processes the TTL and responds to TTL timeout.
MPLS TTL Processing Modes
The TTL field in an MPLS label is 8 bits long. The TTL field is the same as that in an IP packet header. MPLS processes the TTL to prevent loops and implement traceroute. RFC 3443 defines two modes to process the TTL in MPLS packets: Uniform mode and Pipe mode. By default, MPLS processes the TTL in Uniform mode.
Uniform mode
When IP packets enter an MPLS network, the ingress node decreases the IP TTL by one and copies it to the MPLS TTL field. The TTL field in MPLS packets is processed in standard mode. The egress node decreases the MPLS TTL by one and maps it to the IP TTL field. Figure 13-1-10 shows how the TTL field is processed on the transmission path.
Figure 13-1-10 TTL processing in Uniform mode
Pipe mode
As shown in Figure 13-1-11, the ingress node decreases the IP TTL by one and keeps the MPLS TTL constant. The TTL field in MPLS packets is processed in standard mode. The egress node decreases the IP TTL by one. In Pipe mode, the IP TTL decreases only by one on the ingress node and by one on the egress node when packets travel across an MPLS network.
Figure 13-1-11 TTL processing in Pipe mode
In MPLS VPN applications, the MPLS backbone network needs to be hidden to ensure network security. Pipe mode is recommended for private network packets.
TTL Timeout Responding
On an MPLS network, an LSR receives labeled MPLS packets. The LSR generates an ICMP TTL-expired message when the TTL of an MPLS packet times out. The LSR returns the TTL-expired message to the sender in one of the following ways:
If the LSR has a reachable route to the sender, it directly sends the TTL-expired message to the sender through the IP route.
If the LSR has no reachable route to the sender, it forwards the TTL-expired message along the LSP. The egress node forwards the TTL-expired message to the sender.
In most cases, the received MPLS packet contains only one label and the LSR responds to the sender with the TTL-expired message using the first method. If the MPLS packet contains multiple labels, the LSR uses the second method. The MPLS VPN packets may contain only one label when they arrive at an autonomous system boundary router (ASBR) on the MPLS VPN, a superstratum PE (SPE) device in HoVPN networking, or a PE device in the VPN nesting networking. These devices have no IP routes to the sender, so they use the second method to reply to the TTL-expired messages.
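The difference between Uniform and Pipe mode is easiest to see as numbers. The following Python block is an added example, not code from the Huawei material: it walks one IP packet through an ingress node, a configurable number of transit nodes and an egress node, applying the TTL rules given above for each mode, and raises where an LSR would generate an ICMP TTL-expired message. The constant label TTL of 255 written by the ingress in Pipe mode is a constructed value (the text only says the MPLS TTL is kept constant), and `ttl_expired_reply_path()` encodes the two reply methods of the "TTL Timeout Responding" section.

```python
PIPE_LABEL_TTL = 255   # constructed: the constant MPLS TTL the ingress writes in Pipe mode


def cross_mpls_domain(ip_ttl, transit_hops, mode):
    """Carry one IP packet across ingress -> transit_hops transit nodes -> egress.
    Returns (IP TTL after the egress, list of MPLS TTL values seen on the wire).
    Raises TimeoutError where an LSR would generate an ICMP TTL-expired message."""
    if mode not in ("uniform", "pipe"):
        raise ValueError(f"unknown TTL mode {mode!r}")
    # Ingress: the IP TTL is decremented by one in both modes. Uniform copies it into
    # the label; Pipe writes a constant, so the backbone hop count never reaches the IP TTL.
    ip_ttl -= 1
    if ip_ttl == 0:
        raise TimeoutError("TTL expired at ingress")
    mpls_ttl = ip_ttl if mode == "uniform" else PIPE_LABEL_TTL
    seen = [mpls_ttl]
    # Transit nodes: standard label TTL processing (decrement, expire at zero).
    for hop in range(1, transit_hops + 1):
        mpls_ttl -= 1
        if mpls_ttl == 0:
            raise TimeoutError(f"TTL expired at transit hop {hop}")
        seen.append(mpls_ttl)
    # Egress: Uniform decrements the label TTL and maps it back into the IP header;
    # Pipe ignores the label TTL and decrements the IP TTL once more.
    if mode == "uniform":
        mpls_ttl -= 1
        if mpls_ttl == 0:
            raise TimeoutError("TTL expired at egress")
        ip_ttl = mpls_ttl
    else:
        ip_ttl -= 1
        if ip_ttl == 0:
            raise TimeoutError("TTL expired at egress")
    return ip_ttl, seen


def hops_visible_to_sender(initial_ttl, transit_hops, mode):
    """IP TTL consumed across the MPLS network: the number of hops a traceroute run
    from outside the domain can count. Pipe mode always yields 2 (ingress + egress)."""
    ip_ttl_out, _ = cross_mpls_domain(initial_ttl, transit_hops, mode)
    return initial_ttl - ip_ttl_out


def ttl_expired_reply_path(has_ip_route_to_sender):
    """Which of the two reply methods of 'TTL Timeout Responding' an LSR uses."""
    return "direct via IP route" if has_ip_route_to_sender else "along the LSP to the egress"


if __name__ == "__main__":
    for mode in ("uniform", "pipe"):
        print(mode, cross_mpls_domain(64, 2, mode), "hops visible:",
              hops_visible_to_sender(64, 5, mode))
    try:
        cross_mpls_domain(3, 3, "uniform")
    except TimeoutError as err:
        print("uniform, TTL 3:", err)
    print("pipe, TTL 3:", cross_mpls_domain(3, 3, "pipe"))
```

With an initial TTL of 3 and three transit nodes, Uniform mode expires inside the backbone and reveals a transit LSR to the sender, while Pipe mode delivers the packet with IP TTL 1 and the backbone stays invisible; that is the property the text relies on when it recommends Pipe mode for private network packets.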
13.1.6 MPLS QoS Implementation
MPLS QoS, an important part of QoS service deployment, implements QoS in MPLS networking using the Differentiated Services (DiffServ) model. MPLS QoS differentiates data flows based on the EXP field value, which ensures low delay and a low packet loss ratio for voice and video streams and increases network resource efficiency.
MPLS DiffServ
In the DiffServ model, network edge nodes map a service to a service class based on its QoS requirements and use the DS field (ToS field) in IP packets to identify the service. Nodes on the backbone network apply preset policies to the service based on the DS field to ensure service quality. The service classification and label mechanism of DiffServ are similar to label distribution in MPLS. MPLS DiffServ combines DS distribution with MPLS label distribution: the EXP field in the MPLS packet header carries the DiffServ per-hop behavior (PHB), and an LSR must consider the MPLS EXP value when determining the forwarding policy. MPLS DiffServ provides the following plans for determining PHBs:
E-LSP: an LSP whose PHB is determined by the EXP field. E-LSP applies to a network with fewer than eight PHBs. In this plan, a differentiated services code point (DSCP) is mapped to a specified EXP value that identifies a PHB. Packets are forwarded based on labels, while the EXP field determines the scheduling type and drop priority at each hop. An LSP transmits a maximum of eight PHB flows, which are differentiated by the EXP field in the MPLS packet header. The EXP value can be set by the ISP or mapped from the DSCP value in the packet. In this plan, PHB information does not need to be carried by signaling protocols, label efficiency is high, and label state is easy to maintain.
L-LSP: an LSP whose PHB is determined by both the label and the EXP field. L-LSP applies to a network with any number of PHBs. During packet forwarding, the label of a packet determines the forwarding path and scheduling type, while the EXP field determines the drop priority of the packet. Labels differentiate service flows, so multiple service flows can be transmitted over one LSP. This plan requires more labels and therefore occupies a large number of system resources.
NOTE: Currently, only the E-LSP plan is supported.
MPLS DiffServ Modes
An MPLS network provides tunnels for services. MPLS L3VPN supports three DiffServ modes: pipe, short pipe, and uniform.
Pipe: The EXP field value that the ingress node adds to the MPLS label of packets is specified by the user. If the EXP field value of the packet is changed on the MPLS network, the change is valid only on the MPLS network. The egress node selects the PHB according to the EXP field value of the packet. When the packet leaves the MPLS network, the previous DSCP value becomes effective again.
Short pipe: The EXP field value that the ingress node adds to the MPLS label of packets is specified by the user. If the EXP field value of the packet is changed on the MPLS network, the change is valid only on the MPLS network. The egress node selects the PHB according to the DSCP field value of the packet. When the packet leaves the MPLS network, the previous DSCP value becomes effective again.
Uniform: The priorities of packets on the IP network and the MPLS network are uniformly defined, so the priorities of the packets on the two networks are globally valid. At the ingress node, each packet is assigned a label and the lower 3 bits in the DSCP field are mapped to the EXP field. A change in the value of the EXP field on the MPLS network determines the PHB used when the packet leaves the MPLS network. The egress node maps the EXP field to the DSCP field.
On an L2VPN, the MPLS label is in the outer layer of an encapsulated packet. Therefore, the 802.1p field of VLAN packets needs to be mapped to the EXP field.
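The three L3VPN DiffServ modes differ only in where the EXP value comes from at the ingress and in which field the egress uses to pick the PHB and what DSCP the packet leaves with. The following Python block is an added example, not code from the Huawei material or any Huawei QoS implementation: it applies the ingress and egress rules stated above for pipe, short pipe and uniform mode to one packet, with an optional EXP re-marking in the core to show which modes let that change survive past the egress. The DSCP-to-EXP mapping follows the page's statement that the lower 3 bits of the DSCP are mapped to EXP in uniform mode; the PHB names (`PHB-0` to `PHB-7`) are placeholders for whatever the device's QoS policy binds to each class, and all sample values are constructed.

```python
def phb_for(cls):
    """Placeholder PHB name for a 3-bit class value; a real device maps this to its
    configured scheduling and drop behaviour."""
    return f"PHB-{cls & 0x7}"


def ingress_exp(dscp, mode, user_exp=None):
    """EXP value the ingress PE writes into the MPLS label."""
    if mode in ("pipe", "short pipe"):
        if user_exp is None:
            raise ValueError(f"{mode} mode needs a user-specified EXP value")
        return user_exp & 0x7                # value chosen by the operator
    if mode == "uniform":
        return dscp & 0x7                    # lower 3 bits of DSCP, as the page states
    raise ValueError(f"unknown DiffServ mode {mode!r}")


def egress_result(orig_dscp, exp_on_arrival, mode):
    """(PHB selected by the egress PE, DSCP carried when the packet leaves the MPLS network)."""
    if mode == "pipe":
        # PHB from EXP; the original DSCP becomes effective again on the way out.
        return phb_for(exp_on_arrival), orig_dscp
    if mode == "short pipe":
        # PHB from the packet's own DSCP; EXP changes in the core have no effect here.
        return phb_for(orig_dscp), orig_dscp
    if mode == "uniform":
        # EXP is globally valid: the egress maps it back into the DSCP field.
        new_dscp = (orig_dscp & 0x38) | (exp_on_arrival & 0x7)
        return phb_for(exp_on_arrival), new_dscp
    raise ValueError(f"unknown DiffServ mode {mode!r}")


def l3vpn_path(orig_dscp, mode, user_exp=None, remark_exp=None):
    """End to end: the ingress marks EXP, an LSR in the core may re-mark it (remark_exp),
    then the egress chooses the PHB and the outgoing DSCP."""
    exp = ingress_exp(orig_dscp, mode, user_exp)
    if remark_exp is not None:
        exp = remark_exp & 0x7
    phb, dscp_out = egress_result(orig_dscp, exp, mode)
    return {"exp_in_core": exp, "phb_at_egress": phb, "dscp_out": dscp_out}


if __name__ == "__main__":
    # Constructed packet with DSCP 46, re-marked to EXP 0 somewhere in the core.
    for mode in ("pipe", "short pipe", "uniform"):
        print(mode, l3vpn_path(46, mode, user_exp=5, remark_exp=0))
```

The run shows the practical consequence: in uniform mode a re-marking inside the MPLS network changes the DSCP the customer receives, whereas in pipe and short pipe mode the customer's DSCP is untouched and the change only affects treatment inside the backbone (and, in pipe mode, the PHB chosen at the egress).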
13.1.7 MPLS Ping/Tracert
Introduction to MPLS Ping/Tracert
On an MPLS network, the control plane used to set up an LSP cannot detect failures in data forwarding along the LSP. This makes network maintenance difficult. The MPLS ping and tracert mechanisms detect LSP errors and locate faulty nodes. MPLS ping is used to check network connectivity and host reachability. MPLS tracert is used to check network connectivity and host reachability and to locate network faults. Similar to IP ping and tracert, MPLS ping and tracert use MPLS echo request packets and MPLS echo reply packets to check LSP availability. MPLS echo request and echo reply packets are both encapsulated in User Datagram Protocol (UDP) packets. The UDP port number of the MPLS echo request packet is 3503, which can be identified only by MPLS-enabled devices. An MPLS echo request packet carries the FEC information to be checked and is sent along the same LSP as other packets with the same FEC; in this way, the connectivity of the LSP is checked. MPLS echo request packets are forwarded to the destination using MPLS, while MPLS echo reply packets are forwarded back to the source using IP. Routers set the destination address in the IP header of MPLS echo request packets to 127.0.0.1/8 (the local loopback address) and the TTL value to 1. In this way, MPLS echo request packets cannot be forwarded by IP when the LSP fails, so the failure of the LSP can be detected.
MPLS Ping
Figure 13-1-12 MPLS network
As shown in Figure 13-1-12, RouterA establishes an LSP to RouterD. RouterA performs MPLS ping on the LSP by performing the following steps:
1. RouterA checks whether the LSP exists. (On a TE tunnel, the router checks whether the tunnel interface exists and the CR-LSP has been established.) If the LSP does not exist, an error message is displayed and the MPLS ping stops. If the LSP exists, RouterA performs the following operations.
2. RouterA creates an MPLS echo request packet and adds 4.4.4.4 to the destination FEC stack in the packet. In the IP header of the MPLS echo request packet, the destination address is 127.0.0.1/8 and the TTL value is 1. RouterA searches for the corresponding LSP, adds the LSP label to the MPLS echo request packet, and sends the packet to RouterB.
3. Transit nodes RouterB and RouterC forward the MPLS echo request packet based on MPLS. If MPLS forwarding on a transit node fails, the transit node returns an MPLS echo reply packet carrying the error code to RouterA.
4. If no fault exists along the MPLS forwarding path, the MPLS echo request packet reaches the LSP egress node RouterD. RouterD returns a correct MPLS echo reply packet after verifying that the destination IP address 4.4.4.4 is the loopback interface address. MPLS ping is complete.
MPLS Tracert
As shown in Figure 13-1-12, RouterA performs MPLS tracert on RouterD (4.4.4.4/32) by performing the following steps:
1. RouterA checks whether an LSP to RouterD exists. (On a TE tunnel, the router checks whether the tunnel interface exists and the CR-LSP has been established.) If the LSP does not exist, an error message is displayed and the tracert stops. If the LSP exists, RouterA performs the following operations.
2. RouterA creates an MPLS echo request packet and adds 4.4.4.4 to the destination FEC stack in the packet. In the IP header of the MPLS echo request packet, the destination address is 127.0.0.1/8. RouterA then adds the LSP label to the packet, sets the TTL value to 1, and sends the packet to RouterB. The MPLS echo request packet contains a downstream mapping TLV that carries the downstream information about the LSP at the current node, such as the next-hop address and the outgoing label.
3. Upon receiving the MPLS echo request packet, RouterB decreases the TTL by one and finds that the TTL has expired. RouterB then checks whether the LSP exists and whether the next-hop address and outgoing label in the downstream mapping TLV of the packet are correct. If so, RouterB returns a correct MPLS echo reply packet that carries the downstream mapping TLV of RouterB. If not, RouterB returns an MPLS echo reply packet indicating the error.
4. After receiving the correct MPLS echo reply packet, RouterA resends an MPLS echo request packet that is encapsulated in the same way as in step 2, but with the TTL value set to 2. The downstream mapping TLV of this MPLS echo request packet is copied from the MPLS echo reply packet. RouterB performs common MPLS forwarding on this MPLS echo request packet. When the TTL expires on RouterC, RouterC processes the MPLS echo request packet and returns an MPLS echo reply packet in the same way as in step 3.
5. After receiving a correct MPLS echo reply packet, RouterA repeats step 4, sets the TTL value to 3, copies the downstream mapping TLV from the MPLS echo reply packet, and sends the MPLS echo request packet. RouterB and RouterC perform common MPLS forwarding on this MPLS echo request packet. Upon receiving the MPLS echo request packet, RouterD repeats step 3 and verifies that the destination IP address 4.4.4.4 is the loopback interface address. RouterD returns an MPLS echo reply packet that does not carry the downstream mapping TLV. MPLS tracert is complete.
When routers return MPLS echo reply packets carrying the downstream mapping TLV, RouterA obtains information about each node along the LSP.
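The ping and tracert procedures above, as an added example that is not part of the original material: a Python model of the four-router LSP of Figure 13-1-12 in which each node decrements the TTL, the node where it expires validates the downstream mapping TLV copied from the previous reply, and the egress checks that the FEC is its own loopback address. Router names, labels and LFIB entries are constructed sample values, and a transit node with a missing LFIB entry shows how tracert localizes the faulty node.

```python
# Constructed model of the MPLS ping/tracert procedure of Figure 13-1-12 (added example, not
# Huawei code). LFIB maps node -> {incoming label: (next hop, outgoing label)}; the ingress
# entry keyed None is the label it pushes. Labels and next hops are made-up sample values.
LOOPBACK = {"RouterD": "4.4.4.4"}            # the egress owns the FEC's loopback address
LFIB = {
    "RouterA": {None: ("RouterB", 1025)},    # ingress: push 1025 toward RouterB
    "RouterB": {1025: ("RouterC", 1026)},    # transit: swap 1025 -> 1026
    "RouterC": {1026: ("RouterD", 3)},       # penultimate hop: implicit null (3) toward egress
    "RouterD": {},
}

def reply_from(node, label, fec, dsmap_tlv, lfib):
    """Echo reply of the node where processing stops (tracert step 3, ping step 4)."""
    if LOOPBACK.get(node) == fec:            # egress: FEC is its loopback; reply carries no DSMAP
        return {"node": node, "ok": True, "dsmap": None}
    # transit node: the DSMAP copied from the previous reply must name this node and the label
    # it received, and the node must have an LSP entry for that label; otherwise: error reply
    ok = dsmap_tlv == (node, label) and label in lfib[node]
    return {"node": node, "ok": ok, "dsmap": lfib[node].get(label) if ok else None}

def send_echo_request(ingress, fec, ttl, dsmap_tlv, lfib):
    """Forward one echo request along the LSP and return the reply of the node that answers."""
    node, label = lfib[ingress][None]        # step 2: ingress pushes the LSP label, sends to next hop
    while True:
        ttl -= 1                             # each receiving node decrements the TTL
        if ttl == 0 or LOOPBACK.get(node) == fec:
            return reply_from(node, label, fec, dsmap_tlv, lfib)
        entry = lfib[node].get(label)
        if entry is None:                    # MPLS forwarding fails here: error reply to the ingress
            return {"node": node, "ok": False, "dsmap": None}
        node, label = entry                  # common MPLS forwarding: swap the label, go to next hop

def mpls_ping(ingress, fec, lfib):
    """Ping: one request whose label TTL does not expire; success means the egress answered."""
    return send_echo_request(ingress, fec, 255, None, lfib) if lfib[ingress].get(None) else None

def mpls_tracert(ingress, fec, lfib, max_hops=8):
    """Tracert (steps 1-5): raise the TTL by one per round, copying the DSMAP from the last reply."""
    if lfib[ingress].get(None) is None:
        return []                            # step 1: no LSP to the FEC, tracert stops
    dsmap_tlv, trace = lfib[ingress][None], []
    for ttl in range(1, max_hops + 1):
        reply = send_echo_request(ingress, fec, ttl, dsmap_tlv, lfib)
        trace.append((reply["node"], reply["ok"]))
        if not reply["ok"] or reply["dsmap"] is None:
            break                            # error reply locates the fault; no DSMAP: egress reached
        dsmap_tlv = reply["dsmap"]
    return trace
```

Running mpls_tracert against a copy of LFIB whose RouterC entry is removed returns a successful hop for RouterB followed by an error hop for RouterC, which is exactly the fault localization the procedure describes.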
13.2
MPLS LDP
13.2.1 Basic Concepts
LDP Adjacency
When an LSR receives a Hello message from a peer, an LDP peer may exist. An LDP adjacency can be created to maintain the presence of the peer. There are two types of LDP adjacencies:
Local adjacency: The adjacency is discovered by exchanging Link Hello messages.
Remote adjacency: The adjacency is discovered by exchanging Target Hello messages.
LDP Peers
LDP peers are two LSRs that use LDP to set up an LDP session and then exchange label messages. LDP peers learn labels from each other over the LDP session between them.
LDP Session
LSRs in an LDP session exchange messages such as label mapping messages and label release messages. LDP sessions are classified into the following types:
Local LDP session: The LDP session is set up between local adjacencies. The two LSRs setting up the local LDP session are directly connected.
Remote LDP session: The LDP session is set up between remote adjacencies. The two LSRs setting up the remote LDP session can be either directly or indirectly connected.
NOTE: LDP maintains the presence of peers using adjacencies. The type of a peer depends on the type of its adjacencies. A pair of peers can be maintained by multiple adjacencies. If a pair of peers is maintained by both local and remote adjacencies, the peers support coexistence of the local and remote adjacencies. An LDP session can only be established if such pairs of peers exist. A local and a remote LDP session can be set up simultaneously. The principle is that a local and a remote LDP adjacency can be connected to the same peer, so that the peer is maintained by both the local and the remote LDP adjacency. As shown in Figure 13-2-1, when the local LDP adjacency is deleted because the link to which the adjacency is connected fails, the peer's type may change without affecting its presence or status. (The peer type is determined by the adjacency type. The types of adjacencies include local, remote, and coexistent local and remote.) When the link becomes faulty or recovers from a fault, the peer type may change, and the type of the session associated with the peer changes accordingly. However, the session is not deleted and does not go Down; it remains Up.
Figure 13-2-1 Networking diagram for a coexistent local and remote LDP session
A coexistent local and remote LDP session is typically applied to L2VPN. As shown in Figure 13-2-1, L2VPN services are transmitted between PE1 and PE2. When the directly connected link between PE1 and PE2 fails and then recovers, the processing is as follows:
1. MPLS LDP is enabled on the directly connected PE1 and PE2, and a local LDP session is set up between them. PE1 and PE2 are also configured as each other's remote peer, and a remote LDP session is set up between them. Local and remote adjacencies therefore exist between PE1 and PE2, and from then on both local and remote LDP sessions exist between PE1 and PE2. L2VPN signaling messages are transmitted through the coexistent local and remote LDP session.
2. When the physical link between PE1 and PE2 goes Down, the local LDP adjacency also goes Down. The route between PE1 and PE2 is still reachable through the P device, so the remote LDP adjacency remains Up. The session changes to a remote session and therefore remains Up. The L2VPN does not detect a change in session status and therefore does not delete the session. This saves the L2VPN from having to tear down and re-establish services, and shortens the service interruption time.
3. When the fault is rectified, the link between PE1 and PE2 and the local LDP adjacency go Up again. The session changes back to a coexistent local and remote LDP session and remains Up. Again, the L2VPN does not detect a change in session status and therefore does not delete the session, which shortens the service interruption time.
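The three-step link flap above, as an added example that is not part of the original material: a Python model in which a peer's type is derived from the set of adjacencies maintaining it and the session is deleted only when the last adjacency disappears, so a coexistent peer keeps the same Up session through the flap while a peer maintained by a local adjacency alone loses its session. Peer names, adjacency kinds and session ids are constructed values.

```python
import itertools

# Constructed model of LDP peers maintained by adjacencies (added example, not Huawei code).
# The peer type follows the set of adjacencies maintaining it, and the session is deleted
# only when the last adjacency is gone. Session ids are invented to show whether a session survived.
_session_ids = itertools.count(1)

class LdpPeer:
    def __init__(self, name):
        self.name, self.adjacencies, self.session, self.history = name, set(), None, []

    @property
    def peer_type(self):
        if self.adjacencies == {"local", "remote"}:
            return "coexistent local and remote"
        return next(iter(self.adjacencies), None)

    def _record(self):
        self.history.append((self.peer_type, self.session["state"] if self.session else "Down"))

    def adjacency_up(self, kind):
        """Link Hello exchanged -> 'local' adjacency; Target Hello exchanged -> 'remote' adjacency."""
        self.adjacencies.add(kind)
        if self.session is None:                 # first adjacency to this peer: set up a session
            self.session = {"id": next(_session_ids), "state": "Up"}
        self._record()                           # a further adjacency only changes the peer type

    def adjacency_down(self, kind):
        self.adjacencies.discard(kind)
        if not self.adjacencies:                 # no adjacency left: peer and session are deleted
            self.session = None
        self._record()                           # otherwise the type changes and the session stays Up

def setup_coexistent(name):
    """Step 1: LDP on the direct link plus a configured remote peer -> local and remote adjacencies."""
    peer = LdpPeer(name)
    peer.adjacency_up("local")
    peer.adjacency_up("remote")
    return peer

def link_flap(peer):
    """Steps 2 and 3: the direct link fails (local adjacency lost) and then recovers."""
    peer.adjacency_down("local")
    peer.adjacency_up("local")
    return [t for t, _ in peer.history], [s for _, s in peer.history]
```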
Types of LDP Messages
LDP messages are classified into the following types:
Discovery message: used to notify and maintain the existence of an LSR on a network.
Session message: used to establish, maintain, and terminate sessions between LDP peers.
Advertisement message: used to create, modify, and delete label mappings for FECs.
Notification message: used to provide advisory and error information.
To ensure the reliability of message transmission, LDP uses the TCP transport for Session, Advertisement, and Notification messages. LDP uses the UDP transport only for transmitting the Discovery message.
Label space
A label space is a range of labels allocated between LDP peers. Label spaces are categorized as follows:
Per-platform label space: An entire LSR uses one label space. Currently, the per-platform label space is the most commonly used.
Per-interface label space: Each interface of an LSR is assigned a label space.
LDP identifier
An LDP identifier identifies the label space used by a specified LSR. An LDP identifier is 6 bytes in the format :