Category archive: JNCIE-ENT exam topics

Configuring BFD for ISIS and OSPF

In this post I show you how to configure BFD liveness detection for your IGP. Again I use the topology from my post on IGP loop prevention:

Redistribution between ISIS/OSPF

BFD is a very lightweight protocol (small header, simple states) for detecting forwarding failures between two neighbors, either directly connected (single-hop) or several hops apart (multi-hop). BFD control packets are carried in UDP (single-hop uses port 3784, multi-hop uses 4784), as are BFD echo packets (port 3785). It is specified in RFC 5880 and RFC 5881.

BFD operates after session establishment. That means once your adjacency has come up and the routers have started exchanging hello packets, BFD additionally starts sending its own periodic packets.

There are two modes of BFD:

  • Async mode – each side sends periodic hello packets; if x consecutive packets are not received, the session is taken down
  • Demand mode – hello packets are only sent when needed; if x consecutive packets are not received, the session is taken down

Additionally, BFD defines an Echo function: the receiver simply loops the received Echo packets back. It was designed for slow systems, where only one side (the router) implements BFD and the slow system (host or CE) just loops the packet back without having to look at it. As far as I know Junos currently has no support for the BFD Echo function, so we do not need to consider it here.

Usually you will implement BFD async mode with subsecond intervals. You configure BFD at the interface level (sometimes at the session level, e.g. BGP, targeted LDP, …) with the packet interval in milliseconds and a multiplier.

Example configuration of R2 with interval 100ms and multiplier 3:

admin@router> 
admin@router> show configuration logical-systems R2 protocols | display set
 set logical-systems R2 protocols isis export export-OSPF-to-ISIS
 set logical-systems R2 protocols isis interface fe-0/2/3.50 bfd-liveness-detection minimum-interval 100
 set logical-systems R2 protocols isis interface fe-0/2/3.50 bfd-liveness-detection multiplier 3
 set logical-systems R2 protocols isis interface fe-0/2/3.50 level 1 disable
 set logical-systems R2 protocols isis interface lo0.2 passive
 set logical-systems R2 protocols ospf export export-ISIS-to-OSPF
 set logical-systems R2 protocols ospf area 0.0.0.0 interface lo0.2 passive
 set logical-systems R2 protocols ospf area 0.0.0.0 interface fe-0/2/3.53 bfd-liveness-detection minimum-interval 100
 set logical-systems R2 protocols ospf area 0.0.0.0 interface fe-0/2/3.53 bfd-liveness-detection multiplier 3

You can check the BFD state with the command "show bfd session <detail|extensive>":

admin@router> show bfd session logical-system R2 extensive
 Detect Transmit
 Address State Interface Time Interval Multiplier
 10.0.1.13 Up fe-0/2/3.53 0.300 0.100 3
 Client OSPF realm ospf-v2 Area 0.0.0.0, TX interval 0.100, RX interval 0.100
 Session up time 00:31:39
 Local diagnostic None, remote diagnostic None
 Remote state Up, version 1
 Logical system 5, routing table index 29
 Min async interval 0.100, min slow interval 1.000
 Adaptive async TX interval 0.100, RX interval 0.100
 Local min TX interval 0.100, minimum RX interval 0.100, multiplier 3
 Remote min TX interval 0.100, min RX interval 0.100, multiplier 3
 Local discriminator 5, remote discriminator 6
 Echo mode disabled/inactive

 Detect Transmit
 Address State Interface Time Interval Multiplier
 10.0.1.1 Up fe-0/2/3.50 0.300 0.100 3
 Client ISIS L2, TX interval 0.100, RX interval 0.100
 Session up time 00:31:39
 Local diagnostic None, remote diagnostic NbrSignal
 Remote state Up, version 1
 Logical system 5, routing table index 29
 Min async interval 0.100, min slow interval 1.000
 Adaptive async TX interval 0.100, RX interval 0.100
 Local min TX interval 0.100, minimum RX interval 0.100, multiplier 3
 Remote min TX interval 0.100, min RX interval 0.100, multiplier 3
 Local discriminator 8, remote discriminator 2
 Echo mode disabled/inactive

  2 sessions, 2 clients
 Cumulative transmit rate 20.0 pps, cumulative receive rate 20.0 pps
admin@router>

If more consecutive BFD packets are lost than the configured multiplier allows, the BFD session goes down and immediately takes your IGP adjacency down with it. This leads to faster failure detection and usually faster convergence.

Most single-hop BFD sessions run distributed on your FPC/MPC with the help of PPM (periodic packet management). That means you can use very low intervals (maybe 3x15ms). But there are limits on the number of such short-interval sessions, so call JTAC and ask about the limits if you plan to run a large number of sessions. BFD multi-hop sessions currently only run on the RE, so you should never use intervals faster than 300ms for them.

Hint 1: Don’t forget to allow BFD control packets in your firewall filter!

Hint 2: If you clear your BFD session or deactivate the configuration, BFD signals an "Admin Down" state in its control (hello) packets. This can lead to different results in convergence tests. If you really want to prove that BFD works, you should pull the cable or add a firewall filter.
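To make the numbers in the "show bfd session" output and the two hints concrete, here is an added example (not code from this post and not Junos code) that encodes and validates a BFD control packet as laid out in RFC 5880 section 4.1, applies the receive-side checks of section 6.8.6, and computes the asynchronous-mode detection time of section 6.8.4. The session values (discriminators 5/6, 100 ms intervals, multiplier 3) are taken from the output above; the packets themselves are constructed here, and the state handling is my reading of the RFC, not a copy of the Junos implementation.

```python
"""BFD control packet (RFC 5880 section 4.1): encode, receive-side validation
(6.8.6), state handling on reception, and the asynchronous-mode detection time
(6.8.4). Added example for this post, not Junos code; the session values are
taken from the 'show bfd session' output above, the packets are constructed."""
import struct
from dataclasses import dataclass

BFD_PORT_SINGLE_HOP, BFD_PORT_MULTI_HOP, BFD_PORT_ECHO = 3784, 4784, 3785
ADMIN_DOWN, DOWN, INIT, UP = 0, 1, 2, 3
STATES = {ADMIN_DOWN: "AdminDown", DOWN: "Down", INIT: "Init", UP: "Up"}
DIAG_NONE, DIAG_DETECT_EXPIRED, DIAG_NBR_SIGNAL, DIAG_ADMIN_DOWN = 0, 1, 3, 7
DIAGS = {0: "None", 1: "Control Detection Time Expired", 2: "Echo Function Failed",
         3: "Neighbor Signaled Session Down", 4: "Forwarding Plane Reset", 5: "Path Down",
         6: "Concatenated Path Down", 7: "Administratively Down",
         8: "Reverse Concatenated Path Down"}
HDR = struct.Struct("!BBBBIIIII")  # mandatory 24-byte section, no authentication


@dataclass
class BfdControl:
    state: int
    diag: int = DIAG_NONE
    detect_mult: int = 3
    my_discr: int = 0
    your_discr: int = 0
    desired_min_tx_us: int = 100_000     # intervals are microseconds on the wire
    required_min_rx_us: int = 100_000
    required_min_echo_rx_us: int = 0     # 0: Echo function not supported
    poll: bool = False
    final: bool = False
    demand: bool = False                 # D bit: demand mode (async mode when clear)
    version: int = 1

    def encode(self) -> bytes:
        b0 = (self.version << 5) | self.diag                          # Vers(3) | Diag(5)
        b1 = (self.state << 6) | (self.poll << 5) | (self.final << 4) | (self.demand << 1)
        return HDR.pack(b0, b1, self.detect_mult, HDR.size, self.my_discr, self.your_discr,
                        self.desired_min_tx_us, self.required_min_rx_us,
                        self.required_min_echo_rx_us)


def decode(data: bytes) -> BfdControl:
    """Parse and validate per RFC 5880 6.8.6; an invalid packet is discarded (ValueError)
    before it can touch session state, which is what keeps stray or spoofed junk harmless."""
    if len(data) < HDR.size:
        raise ValueError("short packet")
    b0, b1, mult, length, my_d, your_d, tx, rx, echo = HDR.unpack_from(data)
    version, diag, state = b0 >> 5, b0 & 0x1F, b1 >> 6
    auth, multipoint = bool(b1 & 0x04), bool(b1 & 0x01)
    if version != 1:
        raise ValueError("version must be 1")
    if length < (26 if auth else 24) or length > len(data):
        raise ValueError("bad length")
    if mult == 0:
        raise ValueError("Detect Mult must be nonzero")
    if multipoint:
        raise ValueError("Multipoint bit must be zero")
    if my_d == 0:
        raise ValueError("My Discriminator must be nonzero")
    if your_d == 0 and state not in (DOWN, ADMIN_DOWN):
        raise ValueError("Your Discriminator zero while state is " + STATES[state])
    return BfdControl(state, diag, mult, my_d, your_d, tx, rx, echo,
                      bool(b1 & 0x20), bool(b1 & 0x10), bool(b1 & 0x02), version)


def detection_time_s(local_required_min_rx_us: int, remote: BfdControl) -> float:
    """Async mode, RFC 5880 6.8.4: remote Detect Mult times the interval the remote
    actually transmits at, i.e. max(our Required Min RX, its Desired Min TX)."""
    return remote.detect_mult * max(local_required_min_rx_us, remote.desired_min_tx_us) / 1_000_000


def on_receive(local_state: int, local_diag: int, remote: BfdControl) -> tuple:
    """Session state transitions on a valid received packet (RFC 5880 6.8.6)."""
    if remote.state == ADMIN_DOWN:
        # The peer is clearing or deactivating its session (Hint 2): we go Down with
        # diag 3 (NbrSignal), not diag 1, so this is a signalled teardown, not a failure.
        return (DOWN, DIAG_NBR_SIGNAL) if local_state != DOWN else (local_state, local_diag)
    if local_state == DOWN and remote.state == DOWN:
        return INIT, local_diag
    if local_state == DOWN and remote.state == INIT:
        return UP, local_diag
    if local_state == INIT and remote.state in (INIT, UP):
        return UP, local_diag
    if local_state == UP and remote.state == DOWN:
        return DOWN, DIAG_NBR_SIGNAL
    return local_state, local_diag


def on_detection_timeout(local_state: int, local_diag: int) -> tuple:
    """Detect Mult consecutive packets missed: the session goes Down with diag 1 and
    the IGP client tears its adjacency down immediately."""
    return (DOWN, DIAG_DETECT_EXPIRED) if local_state in (INIT, UP) else (local_state, local_diag)


def demo() -> tuple:
    # constructed from the R2 <-> OSPF neighbor session above: discriminators 5/6, 100 ms x3
    peer_up = decode(BfdControl(UP, my_discr=6, your_discr=5).encode())
    detect = detection_time_s(100_000, peer_up)            # 0.3 s: 'Detect Time 0.300'
    state, diag = on_receive(UP, DIAG_NONE, peer_up)       # stays Up
    peer_admin = decode(BfdControl(ADMIN_DOWN, DIAG_ADMIN_DOWN, my_discr=6, your_discr=5).encode())
    state, diag = on_receive(state, diag, peer_admin)      # Down / NbrSignal, as in the output
    t_state, t_diag = on_detection_timeout(UP, DIAG_NONE)  # Down / detection time expired
    return detect, STATES[state], DIAGS[diag], DIAGS[t_diag]
```

The two paths in demo() are the point of Hint 2: a cleared or deactivated session arrives at the neighbor as Admin Down and ends with diagnostic "Neighbor Signaled Session Down" (the NbrSignal you see in the output above), while a real forwarding failure is only ever reported as "Control Detection Time Expired" after multiplier × interval, 300 ms here, has passed without a packet.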

I hope that gave you a short overview of the BFD protocol and its functions.

Ping to multiple IPs permanently with RPM

In your exam you should always check the connectivity to all your devices after configuration changes, just to make sure everything is working as expected. You can use RPM services to send pings continuously to the routers in your network. If a ping fails you can see it with an operational mode command or in your /var/log/messages.

Example configuration:

services {
    rpm {
        probe R1 {
            test ping-R1 {
                probe-type icmp-ping;
                target address 10.0.1.1;
                test-interval 30;
                thresholds {
                    successive-loss 1;
                }
            }
        }
        probe R2 {
            test ping-R2 {
                probe-type icmp-ping;
                target address 10.0.1.2;
                test-interval 30;
                thresholds {
                    successive-loss 1;
                }
            }
        }
    }
}

Now your router sends an ICMP echo request (probe-type) to your destinations (target address) every 30 seconds (test-interval).

To monitor the operation and even see failures you can use the following commands:

  • show services rpm history-results
  • show services rpm probe-results
  • look in /var/log/messages for PING_TEST_FAILED
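Since the failures end up in /var/log/messages, a small watcher over that file is handy during a lab session. The following is an added example, not code from this post and not a Junos tool: it parses RPM result lines and reports which probes are currently failing. PING_TEST_FAILED and PING_TEST_COMPLETED are the Junos system log message names; the exact argument layout in the constructed sample lines (pingCtlOwnerIndex and pingCtlTestName, the names from the RPM MIB) is an assumption, so adapt LINE_RE to what your router actually logs.

```python
"""Watch /var/log/messages for RPM probe results and report which probes are
currently failing. Added example for this post, not Junos code. The sample lines
are constructed: PING_TEST_FAILED / PING_TEST_COMPLETED are the Junos message
names, the argument layout (pingCtlOwnerIndex / pingCtlTestName, as in the RPM
MIB) is assumed here rather than copied from a real router."""
import re

SAMPLE_MESSAGES = """\
Jan  5 10:00:00 router rmopd[1234]: PING_TEST_COMPLETED: pingCtlOwnerIndex = R1, pingCtlTestName = ping-R1
Jan  5 10:00:30 router rmopd[1234]: PING_TEST_FAILED: pingCtlOwnerIndex = R2, pingCtlTestName = ping-R2
Jan  5 10:01:00 router rmopd[1234]: PING_TEST_COMPLETED: pingCtlOwnerIndex = R2, pingCtlTestName = ping-R2
Jan  5 10:01:30 router rmopd[1234]: PING_TEST_FAILED: pingCtlOwnerIndex = R2, pingCtlTestName = ping-R2
Jan  5 10:02:00 router sshd[999]: unrelated line that the parser must ignore
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ rmopd\[\d+\]: "
    r"(?P<event>PING_TEST_FAILED|PING_TEST_COMPLETED): "
    r"pingCtlOwnerIndex = (?P<owner>[^,]+), pingCtlTestName = (?P<test>\S+)$")


def probe_status(log_text: str) -> dict:
    """Map 'owner/test' (probe name / test name from the config) to its latest state."""
    status = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # not an RPM result line
        key = f"{m['owner']}/{m['test']}"
        entry = status.setdefault(key, {"state": "ok", "since": m["ts"], "failures": 0})
        if m["event"] == "PING_TEST_FAILED":
            entry["failures"] += 1                     # successive-loss threshold was hit
            if entry["state"] != "FAILED":
                entry["state"], entry["since"] = "FAILED", m["ts"]
        elif entry["state"] != "ok":
            entry["state"], entry["since"] = "ok", m["ts"]   # probe recovered
    return status


def failing_probes(log_text: str) -> list:
    """Names of probes whose most recent result was a failure, e.g. after a config change."""
    return sorted(k for k, v in probe_status(log_text).items() if v["state"] == "FAILED")


if __name__ == "__main__":
    for name, info in probe_status(SAMPLE_MESSAGES).items():
        print(f"{name:12s} {info['state']:6s} since {info['since']}  failures={info['failures']}")
```

Run it against a copy of /var/log/messages (or pipe "show log messages" into it) right after a commit: anything listed by failing_probes() is a target you broke with that change, and the "failures" counter tells you whether it was a single lost probe or the target has been unreachable for a while.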

When you get an MTU mismatch in OSPF…

…you will always see the adjacency stuck in ExStart/Exchange.

OSPF doesn't check the configured MTU of an interface in the hello packets. But it must make sure that the OSPF database exchange works completely, so the MTU is carried in the Database Description (DBD) packets. If the MTU doesn't match (RFC 2328 section 10.6), the routers never start exchanging Link-State Advertisements (LSAs).

The reason:
OSPF itself doesn't define fragmentation, but every OSPF router must be able to split multiple LSAs across several packets (see RFC 2328 Appendix A.1). The size of these packets is determined by the MTU of your outgoing interface: to avoid fragmentation, your router always builds packets small enough to fit into the MTU. But if your packets are bigger than your neighbor can receive, they get lost and your neighbor never gets your database.

Here is an example of an MTU mismatch between R1 and R2.

MTU Mismatch between R1 and R2

We see that both routers are stuck in ExStart:

admin@router> show ospf neighbor logical-system R1
Address Interface State ID Pri Dead
10.0.1.2 fe-0/2/2.50 ExStart 10.0.2.2 128 36

admin@router> show ospf neighbor logical-system R2
Address Interface State ID Pri Dead
10.0.1.1 fe-0/2/3.50 ExStart 10.0.2.1 128 35

The "show ospf interface" command gives us some hints:

admin@router> show ospf interface detail logical-system R1
Interface State Area DR ID BDR ID Nbrs
fe-0/2/2.50 BDR 0.0.0.0 10.0.2.2 10.0.2.1 1
 Type: LAN, Address: 10.0.1.1, Mask: 255.255.255.252, MTU: 1200, Cost: 1
 DR addr: 10.0.1.2, BDR addr: 10.0.1.1, Priority: 128
 Adj count: 0
 Hello: 10, Dead: 40, ReXmit: 5, Not Stub
 Auth type: None
 Protection type: None
 Topology default (ID 0) -> Cost: 1

admin@router> show ospf interface detail logical-system R2
Interface State Area DR ID BDR ID Nbrs
fe-0/2/3.50 DR 0.0.0.0 10.0.2.2 10.0.2.1 1
 Type: LAN, Address: 10.0.1.2, Mask: 255.255.255.252, MTU: 1500, Cost: 1
 DR addr: 10.0.1.2, BDR addr: 10.0.1.1, Priority: 128
 Adj count: 0
 Hello: 10, Dead: 40, ReXmit: 5, Not Stub
 Auth type: None
 Protection type: None
 Topology default (ID 0) -> Cost: 1
fe-0/2/3.53 Down 0.0.0.0 0.0.0.0 0.0.0

And we can see it with tcpdump in the DBD packets, but not in the Hello packets:

admin@router> monitor traffic interface fe-0/2/3.50 no-resolve detail
Address resolution is OFF.
Listening on fe-0/2/3.50, capture size 1514 bytes

13:03:15.100618 In IP (tos 0xc0, ttl 1, id 23483, offset 0, flags [none], proto: OSPF (89), length: 68) 10.0.1.1 > 224.0.0.5: OSPFv2, Hello, length 48 Router-ID 10.0.2.1, Backbone Area, Authentication Type: none (0) Options [External] Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.252, Priority 128 Designated Router 10.0.1.2, Backup Designated Router 10.0.1.1 Neighbor List: 10.0.2.2

13:03:18.269589 Out IP (tos 0xc0, ttl 1, id 23514, offset 0, flags [none], proto: OSPF (89), length: 68) 10.0.1.2 > 224.0.0.5: OSPFv2, Hello, length 48 Router-ID 10.0.2.2, Backbone Area, Authentication Type: none (0) Options [External] Hello Timer 10s, Dead Timer 40s, Mask 255.255.255.252, Priority 128 Designated Router 10.0.1.2, Backup Designated Router 10.0.1.1 Neighbor List: 10.0.2.1

13:03:18.301879 Out IP (tos 0xc0, ttl 1, id 23517, offset 0, flags [none], proto: OSPF (89), length: 52) 10.0.1.2 > 10.0.1.1: OSPFv2, Database Description, length 32 Router-ID 10.0.2.2, Backbone Area, Authentication Type: none (0) Options [External, Opaque], DD Flags [Init, More, Master], MTU: 1500, Sequence: 0x0a01e9de

13:03:18.623449 In IP (tos 0xc0, ttl 1, id 23520, offset 0, flags [none], proto: OSPF (89), length: 52) 10.0.1.1 > 10.0.1.2: OSPFv2, Database Description, length 32 Router-ID 10.0.2.1, Backbone Area, Authentication Type: none (0) Options [External, Opaque], DD Flags [Init, More, Master], MTU: 1200, Sequence: 0x0a01cae3
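To show what the receiver does with the two DBD packets in the capture, here is an added example (not code from this post and not Junos code) that builds OSPFv2 Database Description packets with the Router IDs, MTUs, flags and sequence numbers from the tcpdump output above, applies the RFC 2328 section 10.6 Interface MTU check on reception, and packs LSAs into Link State Update packets that fit the outgoing MTU as Appendix A.1 requires. The packets are constructed here, and the RFC check is applied as written in the RFC, so it is asymmetric: the side with the smaller MTU discards the neighbor's DBD, and the exchange never completes.

```python
"""OSPFv2 Database Description (DBD) packet build/receive with the RFC 2328
section 10.6 Interface-MTU check, and the Appendix A.1 LSA-into-packets split.
Added example for this post, not Junos code; the values are taken from the
tcpdump output above, the packets themselves are constructed here."""
import ipaddress
import struct

OSPF_HDR = struct.Struct("!BBHIIHHQ")  # version, type, length, router ID, area ID, checksum, AuType, auth
DBD_BODY = struct.Struct("!HBBI")      # Interface MTU, Options, flags, DD sequence (Hello has no MTU field)
TYPE_DBD = 2
FLAG_I, FLAG_M, FLAG_MS = 0x04, 0x02, 0x01   # Init, More, Master
OPT_E, OPT_O = 0x02, 0x40                     # External, Opaque: 'Options [External, Opaque]' above


def ip2int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def inet_checksum(data: bytes) -> int:
    """Standard 16-bit one's-complement checksum; with AuType 0 it excludes the auth field."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_dbd(router_id: str, area_id: str, if_mtu: int, flags: int, seq: int,
              options: int = OPT_E | OPT_O) -> bytes:
    body = DBD_BODY.pack(if_mtu, options, flags, seq)
    length = OSPF_HDR.size + len(body)     # 32 bytes, as in 'Database Description, length 32'
    fields = [2, TYPE_DBD, length, ip2int(router_id), ip2int(area_id), 0, 0, 0]
    fields[5] = inet_checksum(OSPF_HDR.pack(*fields)[:16] + body)
    return OSPF_HDR.pack(*fields) + body


def receive_dbd(local_if_mtu: int, packet: bytes) -> dict:
    """Receive-side handling of a null-authentication DBD on an interface with local_if_mtu."""
    ver, ptype, length, rid, _area, _csum, autype, _auth = OSPF_HDR.unpack_from(packet)
    if ver != 2 or ptype != TYPE_DBD or length != len(packet) or autype != 0:
        raise ValueError("not a null-auth OSPFv2 DBD packet")
    if inet_checksum(packet[:16] + packet[24:]) != 0:
        raise ValueError("bad OSPF checksum")
    if_mtu, _options, flags, seq = DBD_BODY.unpack_from(packet, OSPF_HDR.size)
    return {
        "router_id": str(ipaddress.IPv4Address(rid)),
        "mtu": if_mtu,
        "seq": seq,
        "flags": [n for n, b in (("Init", FLAG_I), ("More", FLAG_M), ("Master", FLAG_MS)) if flags & b],
        # RFC 2328 10.6: an Interface MTU larger than we can accept without fragmentation
        # means the DBD is rejected, and the neighbor state machine stays in ExStart.
        "accepted": if_mtu <= local_if_mtu,
    }


def split_into_updates(if_mtu: int, lsa_sizes: list) -> list:
    """RFC 2328 A.1: group LSAs into Link State Update packets that fit the outgoing
    interface MTU (IP header 20 + OSPF header 24 + '# LSAs' field 4 bytes of overhead).
    A single LSA larger than the room cannot be split by OSPF and gets a packet of its own."""
    room = if_mtu - 20 - 24 - 4
    packets, current, used = [], [], 0
    for size in lsa_sizes:
        if current and used + size > room:
            packets.append(current)
            current, used = [], 0
        current.append(size)
        used += size
    packets.append(current)
    return packets


def demo() -> tuple:
    # R2 (MTU 1500, master) -> R1 (MTU 1200) and R1 -> R2, as captured above
    from_r2 = build_dbd("10.0.2.2", "0.0.0.0", 1500, FLAG_I | FLAG_M | FLAG_MS, 0x0A01E9DE)
    from_r1 = build_dbd("10.0.2.1", "0.0.0.0", 1200, FLAG_I | FLAG_M | FLAG_MS, 0x0A01CAE3)
    return receive_dbd(1200, from_r2)["accepted"], receive_dbd(1500, from_r1)["accepted"]
```

demo() returns (False, True): R1 with its 1200-byte MTU drops R2's DBD announcing 1500, while R2 would accept R1's. Either way no acknowledged exchange ever happens, which is exactly the ExStart you see in "show ospf neighbor" on both sides; the split_into_updates() function shows why the check exists, since the sender sizes its LS Update packets to its own MTU and a neighbor with a smaller one would never receive them whole.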

Book list for JNCIE-ENT

Must read!

I would suggest the following books for your preparation towards JNCIE-ENT.

Freely available:

Must buy:

What else?

I didn't read any workbook from iNET Zero/Proteus or Twine, so I can't suggest them. But maybe you have some experience with them, so leave a comment! Do you know more good sources of information for JNCIE-ENT?