In this video, we're going to discuss routing issues that you may come across in your networks, including multicast flooding, asymmetrical routing, and missing routes. Now, first we're going to talk about multicast flooding. If you remember, multicast networks operate by sending out group communications that are addressed to a group of destination computers simultaneously. For this to work, the multicast message is sent to a single multicast address, and then the message can be distributed to the entire group. This is great most of the time, but sometimes things can malfunction and a multicast flood can occur. Now, multicast flooding happens when no specific host is associated with the multicast MAC address inside the CAM table of the switch. When this occurs, multicast traffic is going to be flooded throughout the entire local area network or VLAN, creating unnecessary traffic and wasting network resources. To prevent this issue, you need to configure your switch to block unknown multicast packets.
Now, for the exam, you don't need to know the specific commands on how to block multicast traffic on a switch, but you do need to know that blocking it will solve this type of multicast flood issue. Next, we have asymmetrical routing. Asymmetrical routing occurs when network packets leave via one path and they return via a different path. This can occur when traffic is flowing across two different layer two bridge pair interfaces on a router or a firewall, or when there are flows across different routers or firewalls in a high availability cluster. Now, if you're using load balancing and using a protocol like HSRP, asymmetric routing can occur, and it's something you need to think about. This is a problem if you're using security devices and network appliances to perform deep packet inspection, or you're using a stateful firewall, because these devices need to see all the packets associated with a given packet flow; otherwise, issues happen. Now, while modern routers will attempt to forward packets to a consistent next hop for each packet in the flow, this only applies in one direction when they do their forwarding.
Routers will make no attempt to direct return traffic to the originating router, because they only want to ensure the fastest and most efficient delivery of those packets. Now, this behavior presents problems for our firewalls and our security appliance clusters, because they don't support asymmetric routing, and because the set of cluster nodes all provide a path to the same networks. So routers forwarding packets to networks through the cluster can choose any of the cluster nodes as their next hop, and this causes asymmetric routing to occur: the flow's packets in one direction go out a different node than the one the return path comes back through. Because of this difference in packet flow, network traffic can be dropped by one or both of the firewalls in the cluster, because they aren't seeing all the traffic from the packet flow. So how do we solve this problem?
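The dropped return traffic described above, as an added simulation that is not part of the video: two cluster nodes each keep their own connection state, so when the client's SYN goes out through one node and the server's reply comes back through the other, the second node has no matching flow and drops it. The hosts, addresses and node names are constructed for this example.

```python
"""Added simulation (not from the video): why a stateful firewall cluster
drops return traffic under asymmetric routing. All hosts, addresses and
the two-node cluster are constructed for this example."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True for the first packet of a TCP connection


@dataclass
class StatefulFirewall:
    """One cluster node. It allows a non-SYN packet only when it has
    already recorded that flow from its first (SYN) packet."""
    name: str
    state: set = field(default_factory=set)

    def inspect(self, pkt: Packet) -> bool:
        forward = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        if pkt.syn:
            self.state.add(forward)  # create connection state for this flow
            return True
        # a non-SYN packet must match an existing flow in either direction
        return forward in self.state or reverse in self.state


def run_flow(outbound_node: StatefulFirewall, return_node: StatefulFirewall) -> dict:
    """Send the client's SYN through outbound_node and the server's SYN/ACK
    through return_node, and report what each node decided."""
    syn = Packet("10.1.1.10", "203.0.113.5", 40000, 443, syn=True)
    synack = Packet("203.0.113.5", "10.1.1.10", 443, 40000)
    return {
        "outbound_allowed": outbound_node.inspect(syn),
        "return_allowed": return_node.inspect(synack),
    }


def asymmetric_case() -> dict:
    """Return path goes through the other cluster node: reply is dropped."""
    fw_a, fw_b = StatefulFirewall("fw-a"), StatefulFirewall("fw-b")
    return run_flow(fw_a, fw_b)


def symmetric_case() -> dict:
    """Both directions pass the same node: reply matches state and is allowed."""
    fw_a = StatefulFirewall("fw-a")
    return run_flow(fw_a, fw_a)


if __name__ == "__main__":
    print("asymmetric:", asymmetric_case())
    print("symmetric: ", symmetric_case())
```

The second node's state table is empty because it never saw the outbound SYN, which is exactly the "not seeing all the traffic from the packet flow" condition; no amount of tuning on the node itself fixes that, only routing both directions through the same node does.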
Well, the solution to this is to adjust the placement of your firewalls and internal routing so that the traffic will flow in both directions to the same firewall, even if the incoming traffic is entering the network through a different router than the router that handled the matching outgoing traffic. Essentially, we need to put all of our firewalls closer to the systems they're protecting instead of at the edge of the network, and this will avoid asymmetric routing problems. Remember, asymmetric routing doesn't necessarily cause any routing issues, but it does cause issues with dropped packet flows, because our security devices like firewalls and unified threat management systems need to be able to see the entire flow. So you need to consider the design of your network architecture to prevent this issue from occurring. If you don't, then packet flow drops are going to occur and your clients can experience intermittent network connectivity. Finally, we need to talk about missing routes.
Now, missing routes occur when a router cannot reach a destination because there's a missing route inside the routing table. These missing routes can occur for lots of different reasons, depending on what routing protocol is being used to share that routing information. Now, missing routes are commonly found as an issue when network administrators are using static routes and manually adding them to the routing tables. If the administrator mistypes a route or the command, the proper route will not get added to the routing table, and this causes problems. So if you suspect you're missing a route, you should enter the show ip route command from the command line interface of your switch, and that'll display the routes available to it. Now, if you're working on a Windows client or server, you can enter the route print command to see the routing table for your system. If you're using dynamic routing protocols like OSPF or BGP, there may also be issues where the routers are not properly establishing their neighbor states, and this can cause the routers to not reach convergence across their routing tables.
To troubleshoot this kind of issue, you need to verify the dynamic routing protocol is enabled and that the two routers can communicate with each other. To verify this, you should run the ping command from one router to the destination router and validate that connectivity exists. If you identify that a route is missing, you can statically add that route from the command line, or you can work with a network administrator or network engineer to troubleshoot the underlying dynamic routing protocols that are being used by these routers.
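The missing-route and mistyped-static-route situation from the last section, as an added example that is not part of the video: a small longest-prefix-match routing table, a check for destinations with no matching route, and a mistyped static route that still leaves the destination unreachable until the correct prefix is added. The prefixes, next hops and destinations are constructed for this example.

```python
"""Added example (not from the video): a minimal routing-table lookup that
shows what a missing route looks like and how adding the correct static
route fixes it. Table entries and addresses are constructed."""
import ipaddress
from typing import List, Optional


class RoutingTable:
    def __init__(self) -> None:
        self.routes = []  # list of (network, next_hop) tuples

    def add_static(self, prefix: str, next_hop: str) -> None:
        """Roughly what a manually added static route does on a router."""
        self.routes.append((ipaddress.ip_network(prefix, strict=False), next_hop))

    def lookup(self, destination: str) -> Optional[str]:
        """Longest-prefix match: the most specific matching route wins.
        None means this router has no route to the destination."""
        dst = ipaddress.ip_address(destination)
        best = None
        for net, next_hop in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best[1] if best else None

    def missing_destinations(self, destinations: List[str]) -> List[str]:
        """Destinations that would be dropped for lack of a route."""
        return [d for d in destinations if self.lookup(d) is None]


def build_table() -> RoutingTable:
    rt = RoutingTable()
    rt.add_static("10.1.0.0/16", "10.0.0.1")
    rt.add_static("10.1.5.0/24", "10.0.0.2")      # more specific, wins over the /16
    rt.add_static("192.168.20.0/24", "10.0.0.3")
    return rt


def demo():
    """A mistyped static route (wrong third octet) does not help the
    destination; the corrected prefix does."""
    rt = build_table()
    targets = ["10.1.5.9", "10.1.7.1", "192.168.20.4", "172.16.3.3"]
    rt.add_static("172.16.30.0/24", "10.0.0.4")  # mistyped: meant 172.16.3.0/24
    still_missing = rt.missing_destinations(targets)
    rt.add_static("172.16.3.0/24", "10.0.0.4")   # corrected static route
    fixed = rt.missing_destinations(targets)
    return still_missing, fixed


if __name__ == "__main__":
    print(demo())
```

Comparing the output of show ip route (or route print on Windows) against the destinations that users report as unreachable is the manual version of missing_destinations: any destination with no matching prefix, and no default route to fall back on, is where the missing route is.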