Browsed by
Category: Cisco

Data Center: Nexus vPC Technology

Data Center: Nexus vPC Technology

Hi Cisco friends! I had a great question from a customer today regarding failure scenarios and vPC. On the surface, I thought this is an easy one. However, when I really gave it deep thought it really depends on the type of failure. Was the failure on the peer-link, peer keepalive, vPC member port, or the worst case dual active/double failure?

Let’s go through some of the failure examples.

vPC Member Port Failure
If one vPC member port goes down – for instance, if a link from a NIC goes down – the member is removed from the PortChannel without bringing down the vPC entirely. Conversely, the switch on which the remaining port is located will allow frames to be sent from the peer link to the vPC orphan port. The Layer 2 forwarding table for the switch that detected the failure is also updated to point the MAC addresses that were associated with the vPC port to the peer link.

vPC Complete Dual-Active Failure (Double Failure)
If both the peer link and the peer-keepalive link are disconnected, the Cisco Nexus switch does not bring down the vPC, because each Cisco Nexus switch cannot discriminate between a vPC device reload and a combined peer-link and peer-keepalive-link failure.

The main problem with a dual-active scenario is the lack of synchronization between the vPC peers over the peer link. This behavior causes IGMP snooping to malfunction, which in turn causes multicast traffic to drop. As described previously, a vPC topology intrinsically protects against loops in dual-active scenarios. Each vPC peer, upon losing peer-link connectivity, starts forwarding BPDUs on vPC member ports. With the peer-switch feature, both vPC peers send BPDUs with the same bridge ID to help ensure that the downstream device does not detect a spanning-tree misconfiguration. When the peer link and the peer-keepalive link are simultaneously lost, both vPC peers become operational primary.

vPC Peer-Link Failure
To prevent problems caused by dual-active devices, vPC shuts down vPC member ports on the secondary switch when the peer link is lost but the peer keepalive is still present.

When the peer link fails, the vPC peers verify their reachability over the peer-keepalive link, and if they can
communicate they take the following actions:

● The operational secondary vPC peer (which may not match the configured secondary because vPC is
nonpreemptive) brings down the vPC member ports, including the vPC member ports located on the fabric
extenders in the case of a Cisco Nexus 5000 Series design with fabric extenders in straight-through mode.

● The secondary vPC peer brings down the vPC VLAN SVIs: that is, all SVIs for the VLANs that happen to be configured on the vPC peer link, whether or not they are used on a vPC member port.

Note: To keep the SVI interface up when a peer link fails, use the command dual-active exclude interface-vlan.

At the time of this writing, if the peer link is lost first, the vPC secondary shuts down the vPC member ports. If this failure is followed by a vPC peer-keepalive failure, the vPC secondary keeps the interfaces shut down. This behavior may change in the future with the introduction of the autorecovery feature, which will allow the secondary device to bring up the vPC ports as a result of this sequence of events.

vPC Peer-Keepalive Failure

If connectivity of the peer-keepalive link is lost but peer-link connectivity is not changed, nothing happens; both vPC peers continue to synchronize MAC address tables, IGMP entries, and so on. The peer-keepalive link is mostly used when the peer link is lost, and the vPC peers use the peer keepalive to resolve the failure and determine which device should shut down the vPC member ports.

 Best Practices: 

Define a vPC domain (should match between peers, MUST NOT MATCH BETWEEN 7K and 5K in Double-Sided vPC) This Step is Required! “(config>vpc>domain)#vpc domain <id>
Define Role Priority: Lower Priority wins Primary Role, try and match your STP root bridge with the primary role. If using “peer-switch” the STP root will be the same on both peers. “(config>vpc>domain)# role priority <xxx>”

If roles shift (they are not preemptive) you would need to change the operational primary after a failure to a value of 36767 and shut/no shut the peerlink to restore the originally configured primary. 

If the Peer Switch is also preforming L3 switching the “peer-gateway” command is recommended.

The “vpc peer-gateway” allows HSRP routers to accept frames destined for their vPC peers.  This feature extends the virtual MAC address functionality to the paired router’s MAC address.  The feature is needed when certain storage/load balancing vendors break RFC rules by ignoring the ARP reply by an HSRP active router and reply directly to the host. Without this enabled packets could traverse the peer link and end up being dropped.

Enable vPC AutoRecovery
“(config-vpc-domain)# auto-recovery”

Beginning with Cisco NX-OS Release 5.2(1), you can configure the Cisco Nexus 7000 Series device to restore vPC services when its peer fails to come online by using the auto-recovery command. You must save this setting in the startup configuration. On reload, if the peer link is down and three consecutive peer-keepalive messages are lost, the secondary device assumes the primary STP role and the primary LACP role. The software reinitializes the vPCs, bringing up its local ports. Because there are no peers, the consistency check is bypassed for the local vPC ports. The device elects itself to be STP primary regardless of its role priority and also acts as the master for LACP port roles.

ARP SYNC
The ARP table sync feature overcomes the delay involved in ARP table restoration that can be triggered when one of the switches in the vPC domain goes offline and comes back online and also when there are peer-link port channel flaps. Enabling ARP on a vPC domain improves convergence times for unicast traffic.

To enable Address Resolution Protocol (ARP) synchronization between the virtual port channel (vPC) peers, use the ip arp synchronizecomand. To disable ARP synchronization, use the no form of this command.

(config-vpc-domain)# ip arp synchronize

Content Source:
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9670/design_guide_c07-625857.pdf
http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/command/reference/vpc/n5k-vpc_cmds_i.html#wp1316724

Cisco: Algo Boost Nexus 3548 Preview/Unbox

Cisco: Algo Boost Nexus 3548 Preview/Unbox

I got something very cool last week. It came overnight from my good friend Frank in NY. What we have here is a very special privilege folks. It’s a prototype of the Nexus 3548 ultra low latency switch using our custom ASIC called Algo Boost/Monticello. Instead of killing you with all the details I decided to create a video of the un-boxing and special features walkthrough. Enjoy!

https://www.youtube.com/user/4g1vn/featured

 

 

Private VLANs (PVLANs)

Private VLANs (PVLANs)

I recently had one of my customers asked about private VLANs and the benefits/use cases. I thought this was a good opportunity to refresh my knowledge of PVLANs because it was a weak area of mine during my last CCIE lab.

What are Private VLANs?

The main objective with PVLANs is conserving IP space, but still allowing L2 separation for security purposes. Typically, VLAN design calls for a single IP subnet for each VLAN. Here we are able to create multiple (secondary VLAN/s) VLANs for isolation, but conserve space by using a single subnet for all the secondary VLANs.

 

Terminology:
Primary VLAN: These are promiscious ports that can send and recieve frames with any other port Type (P-Port,C-Port,I-Port).
Secondary VLAN or VLANs:

  • Isolated: Any switch ports associated with an Isolated VLAN can reach the primary VLAN, but not any other Secondary VLAN. In addition, hosts associated with the same Isolated VLAN cannot reach each other. Only one Isolated VLAN is allowed in one Private VLAN domain.
  • Community: Any switch ports associated with a common community VLAN can communicate with each other and with the primary VLAN but not with any other secondary VLAN. There can be multiple distinct community VLANs within one Private VLAN domain.

Port Types: Promiscuous, Community, Isolated (easy way to remember this is PCI).

What is the use case?
Service Providers with multi-tenant buildings- HSRP Routers, switch, and multiple SMB customers sharing the same public IP space.
Hotel Internet Access- It would be undesired for the guests to see each other.
DMZ- Instead of creating multiple DMZ’s you could isolated the hosts within a DMZ from each other.
Cloud/Co-location Facilities- You want to use the same subnet but restrict traffic between customers/services.

Are there any vulnerabilities or exploits?
Here is the deal, I’ll be the first to say while by design this is not possible. I have found with network/data security to NEVER say NEVER. That being said. I-Ports are not allowed to send frames/IP packets to any other destination other than the P-Port (uplink). So, even if the D-MAC address, or  VLAN ID is changed, it will only flow to the P-port.

KEEP THIS SIMPLE FACT IN MIND. ALL PROTECTION IS AT L2 for PVLANs.
For more infomration on what I’m talking about, take a look at this link describing “Private VLAN attack”.
*** “Local-Proxy-arp” would have to be enabled on the router for the same subnet, “Proxy-Arp” for different subnets. ***
For the best protection make sure you leverage ACL’s to block unnecessary L3 communications between hosts.  

Summary:
If a SP was going to use a separate VLAN ID for every customer we would be limited to 4000+ customers and that would really waste IP space if we were assigning separate subnet to each VLAN like best practice dictates. With PVLANs the broadcast domain of a single VLAN is split into sub-domains (I-ports and C-Ports). What does all this mean? Well for one you block L2 frames (CDP/STP/etc..) from the isolated hosts and are able to scale multi-tenant solutions while conserving IP space.

“If the private VLAN feature is properly deployed, it can be used at
Layer 2 to segregate individual users or groups of users from each
other: this segregation allows a network designer to more effectively
constrain Layer 2 forwarding so as to, for instance, block or contain
unwanted inter-device communication like port scans or Address
Resolution Protocol (ARP) poisoning attacks.” – RFC5517

My Test Configuration:
Private VLANs can ONLY be configured in VTP TRANSPARENT or VTPv3 mode.

VLAN 500 (Primary VLAN P-Port)
VLAN 501 (Secondary VLAN I-Ports)
VLAN 502 (Secondary VLAN C-Ports)
FA0/1 is the promiscuous port with the router attached. 

sw1#sh vlan private-vlan

Primary Secondary Type Ports
——- ——— —————– ——————————————
500 501 isolated Fa0/1, Fa0/31, Fa0/32
500 502 community Fa0/1, Fa0/33, Fa0/34, Fa0/35

sw1#ip routing

vlan 500
private-vlan primary
private-vlan association 501-502
!
vlan 501
private-vlan isolated
!
vlan 502
private-vlan community

interface FastEthernet0/1
switchport private-vlan mapping 500 501-502
switchport mode private-vlan promiscuous

interface FastEthernet0/31
switchport private-vlan host-association 500 501
switchport mode private-vlan host
!
interface FastEthernet0/32
switchport private-vlan host-association 500 501
switchport mode private-vlan host
!
interface FastEthernet0/33
switchport private-vlan host-association 500 502
switchport mode private-vlan host
!
interface FastEthernet0/34
switchport private-vlan host-association 500 502
switchport mode private-vlan host
!
interface FastEthernet0/35
switchport private-vlan host-association 500 502
switchport mode private-vlan host

interface Vlan500
ip address 10.1.1.1 255.255.255.0
private-vlan mapping 501,502 (optional if the SVI is the gateway)

end 

Verify port mapping with “sh vlan private”
Verify isolation with a ping to 255.255.255.255 from each router/host.

References:
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml 
http://en.wikipedia.org/wiki/Private_VLAN
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_52_se/configuration/guide/swpvlan.html
http://tools.ietf.org/html/rfc5517 

 

Cisco: Nexus 2000 (FEX) Configurations

Cisco: Nexus 2000 (FEX) Configurations

It’s been way too long since I posted on my blog. Well, I have been studying for the CCIE Data Center lab and wanted to pass on some very critical information on fabric extender (FEX) configurations. One of the most common questions that our Cisco friends ask me is “Why do I need to create a port channel for the FEX-Fabric links?”. Well let’s dive into the WHY, and then explore the HOW.

Let’s first start with a foundation on what FEX is and how it works. FEX is a highly scalable, low latency data center access layer solution. What makes it so awesome? The fact that is managed as a line card vs. a separate ToR/EoR/MoR switch. Take your Nexus 7000 (core) or 5000 (agg/access) and they play the role of the “PARENT” switch. The FEX 2000 is essentially a remote line card to the parent switch. The FEX supports 1/10G and FCoE for consolidated I/O.

Nexus 2000 Comparison:

2248-TP (E) : This is the most common FEX, 48 ports of 100/1000 BASE-T host interfaces and 4 x 10G (SFP+) fabric uplinks. The (E) varient has additional shared buffer (32MB) locally vs. using what’s on the parent switch.

2224-TP: Same as above just 24 host ports instead of 48.

2148T: First generation FEX. The host interface can only operate at 1G. Not recommended any longer, go with the 2248-TP instead.

2232PP:  This is our de-facto 10G FEX. It has 32 x 1/10G and FCoE host interfaces (SFP+) and 8 fabric uplinks (SFP+). This switch also supports DCB.

2232TM: There is also a 10G BASE-T varient of the above FEX. THIS ONE DOES NOT SUPPORT FCoE, but does support DCB. 

OK, now that that is out of the way, let’s get back to the question at hand. How do I configure the connectivity to the parent switch?

I’ll get stright to the point. Use EtherChannel for the fabric uplink interfaces.

So, what are my options anyways?

Static Pinning and EtherChannel are your two options.

Why do we like EtherChannel fabric interfaces anyways?

Well the bottom line is that with Static Pinning you do not have automatic failover capability. Sure it’s deterministic, but if one of those fabric links goes down, so do the associated host interfaces. Let’s say your using two links and set the ‘pinning max-links 2’, half of the FEX host interfaces are mapped to one fabric uplink and the other half of the host ports is mapped to the other fabric uplink. Let’s look at a visual representation of static pinning.

The major issue with this configuration is that if the fabric uplink goes down, so do the ports associated to that interface. There is NO failover. This is WHY we want to use EtherChannel instead of static pinning.

Now let’s talk about the other (preferred) solution. EtherChannel is 110% the way to go. Let’s look at the visual representation.


As you can see from this diagram, we are load balancing the host interfaces (HIF) across all the fabric uplinks. Here is a note from the Cisco Configuration Guide.

Note

A fabric interface that fails in the EtherChannel will not trigger a change to the host interfaces. Traffic is automatically redistributed across the remaining links in the EtherChannel fabric interface.

When you configure the Fabric Extender to use an EtherChannel fabric interface connection to its parent switch, the switch load balances the traffic from the hosts that are connected to the host interface ports by using the following load-balancing criteria to select the link:

  • For a Layer 2 frame, the switch uses the source and destination MAC addresses.
  • For a Layer 3 frame, the switch uses the source and destination MAC addresses and the source and destination IP addresses.
    And finally the configuration (HOW) for all this awesomeness.

    1) ENABLE FEX GLOBALLY:
    N5K(config)# feature fex
    2) Configure the member interfaces for FEX connectivity:
    N5K(config)# interface e1/1, e1/2
    N5K(config-if)# switchport mode fex-fabric
    N5K(config-if)# fex associate 100
    N5K(config-if)# channel-group 100
    3) Create the EtherChannel Interface: This probably is done already based on the previous command, but it doesn’t hurt to make sure.
    N5K(config)# interface po100
    N5K(config-if)# switchport mode fex-fabric
    N5K(config-if)# fex associate 100
    4) Create the FEX:
    N5K(config)# fex 100
    N5K(config-fex)# description FEX_100<<PO100>>
    N5K(config-fex)# pinning max-links 1 (This must 1 for an EtherChannel configuration, if you change this to any other number you cannot use EC and your using static pinning instead)
    FOUR EASY STEPS!!!!
    Here are some good troubleshooting commands.
    sh fex”
    sh fex detail” – This command will show the HIF to Fabric Uplink Mappings and the version of code running on the FEX.
    sh interface fex-fabric”  – This command will display all the FEX units attached to the parent switch.
    sh inventory fex xxx” Display the inventory information about a specific FEX.
    show diagnostic result fex 100″ – Display diagnostic test results for a specific FEX.

NOTE: Nexus 7000 (Parent) FEX

If your trying to use FEX on the N7K be certain to issue the following commands or FEX WILL NOT BE ENABLED.

In the DEFAULT VDC issue this command “install feature-set fex
Now switch to the VDC that you want to enable FEX on and issue this command “feature-set fex

Your all set now.

Cisco.com Configuration Guide for Nexus 2000:
http://tinyurl.com/36uojrv

CCIE: Blueprint Practice Configs – IP Services

CCIE: Blueprint Practice Configs – IP Services

IP Services

ARP:

ARP is the process of resolving unknown L2 (MAC) information FROM known L3 (IP) information. Inverse ARP is learning unknown L3 (IP) information from known L2 (DLCI) information. 

Proxy ARP, as defined in RFC 1027, was implemented to enable devices that are separated into physical network segments connected by a router in the same IP network or subnetwork to resolve the IP-to-MAC addresses. When devices are not in the same data link layer network but in the same IP network, they try to transmit data to each other as if they are on the local network. However, the router that separates the devices will not send a broadcast message because routers do not pass hardware-layer broadcasts. The addresses cannot be resolved.

Proxy ARP is enabled by default so the “proxy router” that resides between the local networks will respond with its MAC address as if it is the router to which the broadcast is addressed. When the sending device receives the MAC address of the proxy router, it sends the datagram to the proxy router that in turns sends the datagram to the designated device.

Proxy ARP is invoked by the following conditions:

  • The target IP address is not on the same physical network (LAN) on which the request is received.
  • The networking device has one or more routes to the target IP address.
  • All of the routes to the target IP address go through interfaces other than the one on which the request is received.

When proxy ARP is disabled, a device will respond to ARP requests received on its interface only if the target IP address is the same as its IP address, or the target IP address in the ARP request has a statically configured ARP alias.

Sample Proxy ARP Configuration:

interface fa0/0
ip proxy-arp (no ip proxy-arp to disable)
ip local-proxy-arp

The local proxy ARP feature allows the Multilayer Switching Feature Card (MSFC) to respond to ARP requests for IP addresses within a subnet where normally no routing is required. With the local proxy ARP feature enabled, the MSFC responds to all ARP requests for IP addresses within the subnet and forwards all traffic between hosts in the subnet. Use this feature only on subnets where hosts are intentionally prevented (isolated/pVLAN) from communicating directly to the switch on which they are connected.

Before the local proxy ARP feature can be used, the IP proxy ARP feature must be enabled. The IP proxy ARP feature is enabled by default.

Internet Control Message Protocol (ICMP) redirects are disabled on interfaces where the local proxy ARP feature is enabled.

HSRP:

Preemption is recommend for deterministic behavior.
Use groups that relate to VLAN ID or IP addressing scheme.
HSRP vV1: Virtual MAC address is 0000:0c07:ac XX where XX = the group ID.
For example group 146 would be 0000:0c07:ac92
HEX to DEC 142 = 92 or Binary 1001 0010

HSRP version 2 is designed to address the following issues relative to HSRP version 1:

Previously, millisecond timer values are not advertised or learned. HSRP version 2 advertises and learns millisecond timer values. This change ensures stability of the HSRP groups in all cases.

Group numbers are restricted to the range from 0 to 255. HSRP version 2 expands the group number range from 0 to 4095.

HSRP version 2 provides improved management and troubleshooting. With HSRP version 1, there is no method to identify from HSRP active hello messages which physical router sent the message because the source MAC address is the HSRP virtual MAC address. The HSRP version 2 packet format includes a 6-byte identifier field that is used to uniquely identify the sender of the message. Typically, this field is populated with the interface MAC address.

The multicast address 224.0.0.2 is used to send HSRP hello messages. This address can conflict with Cisco Group Management Protocol (CGMP) leave processing.

Version 1 is the default version of HSRP.

HSRP version 2 permits an expanded group number range, 0 to 4095, and consequently uses a new MAC address range 0000.0C9F.F000 to 0000.0C9F.FFFF. The increased group number range does not imply that an interface can, or should, support that many HSRP groups. The expanded group number range was changed to allow the group number to match the VLAN number on subinterfaces.

 

 

 

 

 

 

CCIE: R&S Lab Attempt and Next Steps

CCIE: R&S Lab Attempt and Next Steps

So, it’s been over a week since my last lab attempt and I have had plenty of time to reflect.

I will say that I underestimated the troubleshooting section considerably. My advise is when you hit a difficult question, do not linger on it, move on and try to come back if you have time. It’s hard to assess which tickets are the challenging ones without a little investigation. I will say that if you cannot solve the ticket within 10-15 minutes… MOVE ON. Next the configuration section was challenging, but very very passable. This is the CCIE lab after all, should we expect anything less that a formidable challenge?

I’m bummed out, but now it’s time to hit my study material and work on areas that need attention such as PfR, 802.1s, IPv6, ZBF, IPS, 802.1x, WCCP, EEM, and LAN QoS.

I’m going to try things a little different. I have used INE, CCBOOTCAMP, and Narbik materials in the past. This time I’m using two things. The Blueprint, and Cisco documentation. I’m going to work my way through (bottom up) the blueprint and after I’ve completed go back to my INE Mock Labs and see the results. My plan is to so engrain the theory and configs into my head, that I don’t need to worry about accessing the reference material when I take my next lab. I would highly recommend the vendors workbooks (INE’s worked the best for me) as the starting point, but I need to try something a little different and the Cisco documentation goes into much more detail.

 

Cisco: Jabber Video for TelePresence

Cisco: Jabber Video for TelePresence

Experience telepresence with your family/friends/coworkers. Try our free Jabber Video client today. HD video camera recommended.

https://www.ciscojabbervideo.com/home

http://www.cisco.com/en/US/prod/collateral/ps7060/ps11303/ps11310/ps11328/data_sheet_c78-628609.html

Jabber Video system requirements

Windows

Windows 7, Vista, or XP (SP 2 or newer), with:
• OpenGL 1.2 or newer
• For 720p HD calls, Intel Core2Duo @ 1.2 GHz or better
• For VGA calls, Intel Atom @ 1.6 GHz or better

Webcam (built-in or external; you’ll need an HD webcam for the other side to see you in HD)

Broadband Internet connection with a recommended bandwidth of 768 kbps upstream and downstream. A 720p HD call will require approximately 1.2 Mbps upstream and downstream.

Mac

Apple Intel x86 processor computer, running OS X 10.6 (Snow Leopard) or newer, with:
• For 720p HD calls, Intel Core2Duo @ 1.2 GHz or better
• For optimal performance, we recommend Intel Core2Duo @ 2 GHz, with 2MB L2 cache per core

Webcam (built-in or external; you’ll need an HD webcam for the other side to see you in HD)

Broadband Internet connection with a recommended bandwidth of 768 kbps upstream and downstream. A 720p HD call will require approximately 1.2 Mbps upstream and downstream.

 

 

 

 

 

 

CCIE: Multicast

CCIE: Multicast

Preface: To clear old entries in the multicast table, use “clear ip mroute *”. This command usually will allow changes to be sync:ed, but not always. In the worst case scenario, you may have to reload the device. Modifications to a working multicast environment is not recommended if you cannot interrupt traffic forwarding. Be sure to schedule maintenance window in a REAL production environment. 

PIM: Signaling protocol that uses the unicast routing table to preform RPF checks.

Dense mode: Flood to all multicast enabled interfaces and downstream routers prune back. Interface is excluded from the OIL for the pruned group. This results in excessive flooding as the state expires in 3 minutes by default and then flooding out that interface will resume. This is a plug & play method, but is not scaleable. State Refresh is enabled by default to send control messages (60 seconds) and keep interfaces pruned if necessary.

RPF Failure: This is one of the most common issues in a multicast routing domain. Unicast shortest paths not matching the multicast distribution tree is a common example. Simple fix would be a static mroute.”ip mroute 0.0.0.0 0.0.0.0 x.x.x.x (correct RPF interface).

Be very careful of static routes in a multicast environment as they change the local routers perception of shortest path.

In the output of “sh ip mroute” look for an S,G entry that has an incoming (towards the source) interface of NULL. This is an indication that the multicast path is different from the unicast route table entry for the source.

“debug ip mpacket”
enable process switching on the multicast interface
“no ip mroute-cache”

PIM Assert Message vs. PIM DR:
This is something that took me sometime to fully understand. On a multi-access (LAN) network, one router may win the assert process, while another may become the IGMP querier (PIM DR or IGMP Querier v2). The winner of the Assert is the one responsible for forwarding multicast one the LAN and the IGMP querier is responsible for managing the IGMp process and sending IGMP query messages on the LAN.

IGMP v1 had not querier, so it required a PIM-DR. 

Auto-RP:

interface loopback 0
ip pim sparse-dense-mode (required dense mode SPT for 224.0.1.40 and 224.0.1.39), make sure to use “no ip pim dm-fallback” in a live network. You could also define static RP for the Auto-RP groups with “override” option. The best option for Auto-RP is SM with auto-rp listener.

ip pim send-rp-announce loopback 0 scope 12 (cRP)
ip pim send-rp-discovery loopback 0 scope 12  (Mapping Agent) selects best RP for group range

Negative ACL: “DENY” will cause group to fall back to dense mode. Effectively, a single cRP could announce a deny any and cause all groups to be treated as dense. The reason being is in the order process negative/deny are first.

Filter Auto-RP Messages with TTL Scoping (low number for boundary threshold) or “ip multicast boundary”. Multicast boundary filters at control plane (PIM/IGMP/Auto-RP) and data plane (multicast route state). WIth IOS 12.3(17)T and higher the in/out keywords are possible. In affects control and Out affects the data plane.

Bootstrap Router (BSR): 

Standards based for PIMv2, does not use any dense mode groups like Auto-RP.

Configure candidate RP with “ip pim rp-candidate interface | group-list | interval | priority ”
Configure BSR (MAPPING) with ” ip pim bsr-candidate interface | hash | priority|

Filtering BSR: Filter RP info with “ip pim bsr-border” on the edge of the multicast domain.

Stub Multicast (IGMP Helper):

Head-end/Hub runs sparse mode pim. Remote/stub uses dense mode. Remote router acts as a “dumb” packet forwarder.

R1: Stub/Remote

int fa0/0
ip pim dense-mode
ip igmp helper-address 10.0.0.5

int ser 0/0/0
ip pim dense-mode
ip add 10.0.0.1 255.255.255.0

R5: Hub
int ser 0/0/0
ip pim sparse-mode
ip add 10.0.0.5
ip pim neighbor-filter 7

access-list 7 deny 10.0.0.3
access-list 7 permit any

SW1: Client side
int fa 0/1
ip pim dense-mode
ip pim neighbor-filter 8 (disallows R1 and SW1 to become PIM neighbor)

access-list 8 deny any

IGMP Timers:

Reports are sent ASYNC, so some might be missed by the router. On a shared segment, one IGMP querier is elected designated and send membership queries to hosts. Lowest IP address win election. This is confusing because the DR is elected by highest IP. 60 seconds is the default query time and the timeout is 2x that value (120). IGMP v1 has no leave group message and introduces leave latency.

“ip igmp querier-timeout”

MTRACE: Trace from the leaf to the root. mtrace 150.17.10.10 (leaf) 239.1.1.1 (group) output will trace back to the root (RP). Preform on the RP.