Tag Archives: Routing

Routing Basics: Administrative Distance in action

[ “The distance is nothing; it is only the first step that is difficult.” – Mme Du Deffand ]

In a previous article, Quick Review of IP Routing, we presented the complementary concepts of building the routing table (related to the control plane) and using the table to forward packets (data plane). The current post focuses on the influence of the Administrative Distance (AD) parameter on selecting a route (a control plane task) that will be added to the routing table.

There are multiple routing protocols and each of them uses different units to evaluate how distant a certain destination is. For example, the EIGRP cost employs a combination of delay and bandwidth, whereas OSPF bases its calculations solely on bandwidth. RIP, a protocol from the early days of internetworking, selects routes based on a very limited criterion called hop count.

A little reflection on the topic will show that it is not adequate to directly compare routes from different protocols. To somehow take into account the nature of each protocol and to produce a measure of how trustworthy they are, the Administrative Distance concept was introduced. For instance, the default point of view of a Cisco router is to consider EIGRP better than OSPF, which in turn takes precedence over RIP.

Some important aspects to keep in mind to better understand the Administrative Distance:

  • AD is only taken into account by a router to compare two equal length network prefixes available to a certain destination. Prefixes of distinct lengths are not comparable. For example, a router that knows the prefix 10.10.10.128/25 via OSPF and 10.10.10.0/24 via EIGRP will install both… (why ?)
  • AD is evaluated before any metric information. While AD establishes a comparison between routing protocols, the metric value (or cost) is used to contrast the routes of a certain protocol. This is emphasized by the fact that the AD is the first number inside the brackets that follow the prefix (Figure 1).

In the scenario of Figure 1, the CENTRAL router initially has an OSPF route (through R1) to 192.168.30.0/24. Figure 2, in turn, illustrates what happens when a second route to the same destination becomes known to CENTRAL.

Figure 1: Initial Situation - Route known via OSPF

Figure 2 depicts a situation in which a new router (R2) has started advertising an alternate path to 192.168.30.0/24, originally reachable via OSPF. Upon receipt of this alternate route, the CENTRAL router detects the lower AD value (90 for EIGRP internal versus 110 for OSPF) and the original route is replaced. The information about this new route is also visible in the figure.

Figure 2: Route with lower Admin Distance becomes available

** Notes:

  • It is important not to confuse the activities of installing the routes in the routing table and using them to forward packets. If you have two routes installed, 10.10.10.0/24 and 10.10.10.128/25, the most specific one (for a given destination) will be used. A packet destined to 10.10.10.200/32, for example, will be forwarded using the second route, whereas a packet bound to 10.10.10.100 will use the first. (Can you explain why ?)
  • EIGRP was designed to support a composite metric that includes delay, bandwidth, reliability, load and MTU but, by default, uses only the first two. The EIGRP metric is deemed more precise because it refers to the minimum bandwidth and to the sum of delays along the path from the router to the destination.
  • As a reference, the default values for the Administrative Distance parameter for the main types of routes are presented in the following table:

    Type of Route            (Default) Administrative Distance
    Connected (C)                            0
    Static (S)                               1
    eBGP (B)                                20
    EIGRP (D)                               90
    OSPF (O)                               110
    IS-IS (i)                              115
    RIP (R)                                120
    EIGRP External (D EX)                  170
    iBGP (B)                               200
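As an added example (not code from the original post), the following Python simulation applies the install rules described above: routes compete only for an identical prefix, AD is compared first, and the metric is compared only within a single protocol. The AD values come from the table; the OSPF and EIGRP metrics and the next-hop names are constructed, since Figures 1 and 2 are not reproduced here.

```python
import ipaddress
from dataclasses import dataclass

# Default Cisco administrative distances from the table above (lower = more trusted).
DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90, "ospf": 110,
              "isis": 115, "rip": 120, "eigrp_external": 170, "ibgp": 200}
@dataclass(frozen=True)
class Route:
    prefix: str        # e.g. "192.168.30.0/24"
    protocol: str      # key into DEFAULT_AD
    metric: int        # cost as computed by the protocol itself
    next_hop: str

class Rib:
    def __init__(self):
        self.table: dict[ipaddress.IPv4Network, list[Route]] = {}  # exact prefix as key

    def offer(self, route: Route) -> str:
        # Install rules: AD first, then metric (metric only compared within one protocol).
        key = ipaddress.ip_network(route.prefix)    # rejects prefixes with host bits set
        installed = self.table.get(key)
        if not installed:                           # no competitor for this exact prefix
            self.table[key] = [route]
            return "installed"
        best = installed[0]
        ad_new, ad_best = DEFAULT_AD[route.protocol], DEFAULT_AD[best.protocol]
        if ad_new < ad_best:                        # more trusted source wins outright
            self.table[key] = [route]
            return "replaced"
        if ad_new == ad_best and route.protocol == best.protocol:
            if route.metric < best.metric:          # same protocol: lower cost wins
                self.table[key] = [route]
                return "replaced"
            if route.metric == best.metric:         # equal cost: both kept (load sharing)
                installed.append(route)
                return "added"
        return "rejected"

    def protocols_for(self, prefix: str) -> list[str]:
        return [r.protocol for r in self.table.get(ipaddress.ip_network(prefix), [])]

def replay() -> dict:
    """Figures 1/2 plus the /25-vs-/24 case; metrics are constructed (figures not on page)."""
    rib = Rib()
    rib.offer(Route("192.168.30.0/24", "ospf", 20, "R1"))               # Figure 1
    verdict = rib.offer(Route("192.168.30.0/24", "eigrp", 30720, "R2"))  # Figure 2: 90 < 110
    rib.offer(Route("10.10.10.128/25", "ospf", 20, "R1"))    # different prefix lengths:
    rib.offer(Route("10.10.10.0/24", "eigrp", 30720, "R2"))  # no competition, both stay
    prefixes = ("192.168.30.0/24", "10.10.10.128/25", "10.10.10.0/24")
    return {"fig2": verdict, **{p: rib.protocols_for(p) for p in prefixes}}
```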

 


Filed under English, Routing

Quick Review of IP Routing

IP routing is concerned with the choice of a path over which the IP datagrams, destined to a given host, are sent. And it is important to emphasize the word destination here. Even though there may exist advanced techniques that rely on attributes such as the source address, the classic definition of routing considers the destination address as the sole criterion for path selection.

The main tasks pertaining to the routing process are listed in the following:

  1. Gathering routing information: either manually (static routing) or with the use of dynamic routing protocols.
  2. Installing entries in the routing table: before installing a path in the routing table, two comparisons are performed by a Cisco router: if two equal length network prefixes are available to a destination, the router prefers the one with the lowest Administrative Distance (AD). For two equal length prefixes that have the same AD value, the one with the lowest cost (from the perspective of the routing protocol in place) is chosen.
  3. Searching for the longest prefix match: when a packet arrives at the incoming interface, its destination IP address is extracted and compared with each entry available in the routing table. The comparison that results in the longest bitwise match for the network mask will be selected. (The last possibility of finding a match is to use a Default Route, if one is available).
  4. Forwarding the packet on the outgoing interface: when a match happens in step 3, it points to an entry in the routing table that has an associated outgoing interface. This last step includes the construction of the appropriate L2 header for this interface.

To simplify matters, I normally divide the IP routing process in two parts: building the routing table (control plane) and using the table to forward packets (data plane).

The figure below depicts a scenario in which the host 172.16.16.16 is using the routing services provided by the “blue” router to forward packets to the destination with address 192.168.1.200. After consulting its routing table, the router concludes that the intended host is reachable via its Ethernet1 interface (using R1 as the next hop).

Overview of IP Routing

** Notes:

  • The simplest routing case happens when the incoming and outgoing interfaces are directly connected to the same router. In this type of situation steps 1 and 2 are not necessary.
  • When two routes to a given destination point to the same outgoing interface and have equal values for AD and cost, they are both installed in the routing table. In such a situation, load sharing takes place.
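Steps 3 and 4 above, as an added example that is not part of the original post: a longest-prefix-match lookup over a constructed routing table, with a default route as the match of last resort and one prefix holding two equal routes to show load sharing. The prefixes reuse the 10.10.10.0/24 and 10.10.10.128/25 pair from the previous post; the next-hop names are assumptions.

```python
import ipaddress
from typing import Optional

# Constructed routing table: prefix -> next hops. Two next hops for one prefix means
# both routes had equal AD and cost, so both were installed (load sharing).
ROUTING_TABLE = {
    "10.10.10.0/24":   ["R1"],
    "10.10.10.128/25": ["R2"],
    "192.168.1.0/24":  ["R1", "R3"],   # equal-cost pair
    "0.0.0.0/0":       ["ISP"],        # default route, the match of last resort
}

def lookup(destination: str, table: dict = ROUTING_TABLE) -> Optional[tuple[str, list[str]]]:
    """Step 3: longest prefix match; returns (matching prefix, next hops) or None."""
    dst = ipaddress.ip_address(destination)
    best_net, best_hops = None, None
    for prefix, hops in table.items():
        net = ipaddress.ip_network(prefix)
        # Every entry containing the address is a candidate; keep the longest mask.
        # The /0 default contains everything, so it wins only when nothing else matches.
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hops = net, hops
    return (str(best_net), best_hops) if best_net is not None else None

def choose_next_hop(destination: str, flow_id: int,
                    table: dict = ROUTING_TABLE) -> Optional[str]:
    """Step 4: with several equal routes, keep one flow on one path (constructed hashing)."""
    match = lookup(destination, table)
    if match is None:
        return None                       # no route, not even a default: packet is dropped
    _prefix, hops = match
    return hops[flow_id % len(hops)]
```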


Filed under English, Routing

Quick Review of Firewall Connectivity options: Routed Mode and Transparent Mode

Before they can start enforcing access control policies between domains of trust, firewalls need to be inserted in the network topology. The two basic firewall connectivity options, Routed Mode and Transparent Mode, are briefly examined below:

  • Routed Mode: in such an arrangement, the firewall works as a Layer 3 element (much like a router) from the perspective of hosts connecting to it. Each of its interfaces is assigned to a different logical subnet and the packets are conditionally routed between them. In the reference scenario, the inside interface has the IP address 192.168.2.2, whereas the outside uses the address 172.20.20.2. Considering that the hosts are interconnected by the firewall, machines on the inside need to configure the address 192.168.2.2 as their L3 gateway in order to reach outside destinations.
  • Transparent Mode: the firewall acts as a conditional (transparent) bridge, forwarding frames between interfaces using Layer 2 information. In this case, the two interfaces represented in the figure are connected to the same L3 subnet and the inside hosts use the external router (192.168.1.1) as their gateway to reach outside destinations. The great motivation for this connectivity model relates to the fact that the firewall can be inserted in the network without impacting the existing IP addressing scheme (which may be quite convenient in various situations).

    Contrasting firewall connectivity options: routed-mode and transparent-mode

A technical term may not sound so intuitive the first time you hear it. For example, during a presentation, a customer once told me that he did not understand why “his transparent firewall was blocking everything”. “After all, it was supposed to be transparent…”

I just registered this situation to emphasize one key point: the term “transparent” relates to “transparent bridging” (the basic bridging technology for Ethernet interfaces). It is used with connectivity in mind and does not imply less security.

Actually, as we will see in other posts, the construction of firewall policies is basically the same for transparent and routed modes.

** Notes:

  • Transparent mode is often called bridge mode. (Why ?)
  • A transparent firewall is sometimes referred to as a stealth firewall (because it is not used as an L3 gateway).
  • A transparent firewall is very interesting to add filtering capabilities between elements that require L3 adjacency. This is the case for two neighbor routers running an Interior Gateway Protocol (IGP) such as OSPF or EIGRP.
  • Another common use of a transparent firewall is in a multicast routing scenario. The firewall just bridges the multicast packets and does not participate in multicast routing.

** Topics for Study:

  • Do a quick review of transparent bridging technology
  • What is a Bridged Virtual Interface (BVI) ?


Filed under English, Firewalls, Security