Chapter 5. IP Routing

Network devices use a routing decision to identify which interface and gateway should be used to forward packets for a specific destination. To make this decision, they use dynamic routing protocols or static entries configured on such devices. This chapter covers the different routing capabilities of Cisco ASA. Cisco ASA supports the following routing mechanisms and protocols:

• Static routes

• Routing Information Protocol (RIP)

• Open Shortest Path First (OSPF)

• Enhanced Interior Gateway Routing Protocol (EIGRP)

This chapter also covers the Cisco ASA IP multicast routing capabilities.

Configuring Static Routes

Deployment and configuration of static routes is appropriate when the Cisco ASAs cannot dynamically build a route to a specific destination. This may be because the device to which the Cisco ASA is forwarding the packets might not support any dynamic routing protocols. Another example when static routes are appropriate is when the network topology is small and uncomplicated. Static routes are easy to configure. However, they do not scale well in large environments. Dynamic routing protocols, such as RIP, OSPF or EIGRP, must be considered if the network is fairly large and complex.

It is strongly recommended that you have a complete understanding of your network topology before configuring routing in your Cisco ASA. A best practice is to have a network topology diagram on hand to refer to when configuring your Cisco ASA.

Figure 5-1 shows a simple static route topology that includes a Cisco ASA with two interfaces configured (outside and inside).

Figure 5-1 Basic IP Routing Configuration Using Static Routes

The goal in this example is to configure a static default route for the Cisco ASA to be able to forward packets to the Internet through the Internet router. Additionally, the Cisco ASA must be configured with a static route on the inside interface to be able to reach the 10.10.2.0/24 network.

To complete these tasks with the Cisco Adaptive Security Device Manager (ASDM), complete the following steps:

Step 1. Launch ASDM and login to the Cisco ASA.

Step 2. Navigate to Configuration > Device Setup > Routing > Static Routes.

Step 3. Click on Add.

Step 4. The dialog box illustrated in Figure 5-2 is shown. First add a default route to the Internet Router (209.165.201.2), as shown in Figure 5-2.

Figure 5-2 Adding a Default Route in ASDM

Step 5. Select the outside interface under the Interface field.

Step 6. Enter 0.0.0.0 in the IP Address field.

Step 7. Enter 0.0.0.0 in the Netmask field.

Step 8. The IP address of the Internet Router is 209.165.201.2. Enter 209.165.201.2 in the Gateway IP field.

Step 9. Leave all other options with their default values and Click Ok.

Step 10. Add a static route so the Cisco ASA can reach the 10.10.2.0/24 network. To do this, navigate to Configuration > Device Setup > Routing Static Routes and click on Add to add a new static route, as shown on Figure 5-3.

Figure 5-3 Adding a Static Route in ASDM

Step 11. Select the inside interface under the Interface field.

Step 12. Enter 10.10.2.0 in the IP Address field.

Step 13. Enter 255.255.255.0 in the Netmask field.

Step 14. The IP address of the inside router is 10.10.1.2. Enter 10.10.1.2 in the Gateway IP field.

Step 15. Leave all other options with their default values and click OK.

Step 16. Click Apply to apply the changes to the configuration.

Step 17. Click Save to save the configuration on the Cisco ASA.

Alternatively, you can use the command-line interface (CLI) route command to add a static route. The following example shows how the default route is added on the Cisco ASA:

route outside 0.0.0.0 0.0.0.0 209.165.201.2 1

You configure static routes by using the route command, as shown in the following syntax:

route interface network netmask gateway metric [tunneled]

Table 5-1 details the options available within the route command.

Table 5-1 route Command Options

A new feature was added in Cisco ASA software version 7.2(1) to allow for monitoring of the availability of a static route and installing a backup route if the primary route should fail. The following section provides more details about the tracking option.

Static Route Monitoring

Initially, there was no mechanism for determining whether a route was “up” or “down” on the Cisco ASA. Static routes stayed in the routing table even if the next hop gateway became unavailable, and they were removed from the routing table only if the corresponding interface went down. The ability to track the availability of a static route and installing a backup route was added in Cisco ASA software version 7.2(1).

The security appliance does this by associating a static route with a monitoring target that you define. It uses ICMP echo requests to monitor the target. If an echo reply is not received within a specified time period, the object is considered down and the associated route is removed from the routing table. A previously configured backup route is used in place of the removed route.

The network topology illustrated in Figure 5-4 shows a Cisco ASA configured with three interfaces (inside, outside, and DMZ). The goal in this example is to configure the route monitoring feature to track the default route to the Internet service provider (ISP) number 1 connection. If the connection to ISP number 1 fails, the Cisco ASA should use the connection to ISP number 2 in the DMZ interface.

Figure 5-4 Route Monitoring Example

In ASDM, configure route monitoring as follows:

Step 1. Navigate to Configuration > Device Setup > Routing > Static Routes. Click on Add to add a new static route or Edit to edit an existing route.

Step 2. The dialog box illustrated in Figure 5-5 is displayed. In this example, the default route is edited. To enable route monitoring, select the Tracked option, as shown in Figure 5-5.

Figure 5-5 Configuring Route Monitoring in ASDM

Step 3. The Track ID is a unique identifier for the route tracking process. The number 1 is entered in this example.

Step 4. The Track IP Address defines the target host being tracked. Usually, the IP address of the next-hop gateway for the route is defined here; however, this could be any host in the network off the interface where this route is configured. In this example, an upstream IP address residing in ISP 1 network (209.165.201.2) is entered.

Step 5. The SLA ID is a unique identifier for the SLA monitoring process. The SLA process is used to monitor the availability of the IP address defined under the Track IP Address option. This allows the Cisco ASA to use a pre-configured backup route. In this example the value entered is 123.

Step 6. The Target Interface is the interface where the selected host resides. In this example the outside interface is selected.

(Optional) You can customize several optional monitoring options. To customize these options click the Monitor Options button. The Route Monitoring Options dialog box shown in Figure 5-6 is displayed.

Figure 5-6 Route Monitoring Options in ASDM

Step 7. You can specify how often the Cisco ASA should check that the tracking target is reachable by using the Frequency field. The default value of 60 seconds is used in this example; however, you can configure this value from 1 to 604,800 seconds.

Step 8. The Threshold field enables you to specify a lifetime (in milliseconds) for this route. The default value is used in this example (5000 milliseconds).

Step 9. The Timeout field enables you to specify the amount of time the Cisco ASA waits for a response from the tracked host. The default value is used in this example (5000 milliseconds); however, valid values are from 0 to 604,800,000 milliseconds.

Step 10. The Cisco ASA uses Internet Control Message Protocol (ICMP) echo request packets to verify that the tracked host is alive. The Data Size field specifies the size of data payload to use in such ICMP echo request packets. The default value of 28 bytes is used in this example; however, the value can be any number from 0 to 16384.

Step 11. The ToS field enables you to specify a value for the type of service (ToS) byte in the IP header of the echo request. The default value of 0 is used in this example; however, you can specify any number from 0 to 255.

Step 12. You can specify the number of ICMP echo requests to be sent for each test by using the Number of Packets field. The default value is used in this example (1 packet); however, this can be any number from 1 to 100. Be aware that specifying several packets per test may have a direct impact on network performance.

Step 13. Click OK on the Route Monitoring Options dialog box.

Step 14. Click OK on the Edit Static Route box.

Step 15. The dialog box shown in Figure 5-7 is displayed. This is an informational message that reminds the administrator that the primary route is set up for tracking. Subsequently, you should define another route (the backup route) with the same parameters, but with a higher metric value on the interface chosen as the backup interface (in this case, the DMZ interface).

Figure 5-7 Route Monitoring Alert Message

Example 5-1 shows the CLI commands sent to the Cisco ASA from ASDM.

Example 5-1 Static Routing Commands Sent by ASDM

Displaying the Routing Table

To display the Cisco ASA’s routing table in ASDM, navigate to Monitoring > Routing > Routes. Alternatively, in the CLI you can use the show route command in the Cisco ASA’s routing table and verify the configuration. Example 5-2 shows the output of the show route command after the previously mentioned static route statements have been configured.

Example 5-2 Displaying the Routing Table via the CLI

The letter S by each route statement indicates that it is a statically configured route entry. The letter C indicates that it is a directly connected route. The first number in the brackets is the administrative distance of the information source; the second number is the metric for the route. Administrative distance is the feature used by routing devices to select the best path when there are two or more different routes to the same destination from two different routing protocols.

The show route command can be used with an interface name to display only the routes going out of the specified interface.

Static routes do not provide a scalable solution for medium and large networks. To achieve better scalability use dynamic routing protocols. The Cisco ASA supports RIP, OSPF, and EIGRP. The following sections discuss these dynamic routing protocols in more detail.

RIP

RIP is a fairly old Interior Gateway Protocol (IGP), but it is still deployed in many networks. It is typically used in small and homogeneous networks. RIP is a distance-vector routing protocol, and it is defined in RFC 1058, “Routing Information Protocol.” Its second version is defined in RFC 2453, “RIP Version 2.”

RIP uses broadcast or multicast packets—depending on the version—to communicate with its neighbors and exchange routing information. It uses the hop-count methodology to calculate its metric. Hop count is the number of routing devices that the packets forwarded by a router or a Cisco ASA (in this case) will traverse. RIP has a limit of 15 hops. A route to a network that is directly connected to the Cisco ASA has a metric of 0. A route with a metric reaching or exceeding 16 is considered unreachable. Two versions of the RIP routing protocol are available (Cisco ASA supports both versions):

• RIP version 1 (RIPv1)—Does not support classless interdomain routing (CIDR) and variable-length subnet masks (VLSMs). VLSMs enable routing protocols to define different subnet masks for the same major network. For example, 10.0.0.0 is a Class A network. Its mask is 255.0.0.0. VLSM makes it possible to divide this network into smaller segments (i.e., 10.1.1.0/24, 10.1.2.0/24, etc.). Because RIPv1 does not support VLSM, no subnet mask information is present in its routing updates. RIP uses various techniques, such as holddowns, count-to-infinity, split horizon, and poison reverse, to prevent loops.

• RIP version 2 (RIPv2)—Supports CIDR and VLSMs. RIPv2 also converges faster than its predecessor. It also supports peer or neighbor authentication (plain-text or MD5 authentication), which provides additional security. RIPv2 uses multicast for communication between peers, in contrast to RIPv1, which uses broadcast.

Configuring RIP

The configuration of the Cisco ASA is simple, but somewhat limited. Figure 5-8 illustrates the first example topology.

Figure 5-8 Basic RIP Configuration

In the example shown in Figure 5-8, the Cisco ASA is connected to a router (R1) running RIPv2. This router is learning routes from two other routers (R2 and R3). Subsequently, routes to all these networks are being advertised by the router connected to the Cisco ASA. The Cisco ASA is also injecting a default route to the inside router.

To configure RIP using ASDM, complete the following steps:

Step 1. Navigate to Configuration > Device Setup > Routing > RIP > Setup and click Enable RIP routing, as shown in Figure 5-9. When you enable RIP, it is enabled on all interfaces. When you select this check box, the other fields on this page are also available.

Figure 5-9 Enabling RIP in ASDM

Step 2. To enable automatic route summarization, click on Enable RIP Routing. This option is enabled by default when you enable RIP in ASDM.

Step 3. To specify the RIP version used by the Cisco ASA, check Enable RIP Version then select Version 1 or Version 2. In this example, RIP version 2 is used. This setting can be also configured on a per-interface basis in the ASDM Interface configuration section.

Step 4. In this example, the Cisco ASA should generate a route advertisement, so the internal routers use the Cisco ASA as their default gateway. Check the Enable Default Information Originate check box to generate a default route into the RIP routing process.

Step 5. Define the network(s) for the RIP routing process under the IP Network to Add section. The network number specified must not contain any subnet information. There is no limit to the number of networks you can add to the RIP configuration. RIP routing updates are sent and received through only those interfaces on the networks you define in this section. In this example the 10.10.1.0 network is used.

Step 6. You can configure the Cisco ASA to listen for RIP routing broadcasts globally on all interfaces and use that information to populate the routing tables, but to not broadcast routing updates with the Global Passive option under the Passive Interfaces section. In this example, only the inside interface is selected as a passive RIP interface, using the options under the Passive Interfaces table.

Step 7. Click Apply to apply the configuration changes in ASDM.

Step 8. Click Save to send the configuration to the Cisco ASA.

Example 5-3 shows the CLI commands configured in the Cisco ASA by ASDM.

Example 5-3 RIP CLI commands

The rip command enables RIP on the Cisco ASA. The networks specified for the RIP routing process are defined by the network command. Note that in this example the ASA has configured 10.10.1.0; however, the Cisco ASA CLI automatically summarizes this network to 10.0.0.0.

With the passive-interface command, the Cisco ASA interface listens for RIP routing packets and uses that information to update its routing table, but it does not advertise any routing updates through the specified interface.

The desired result is for the Cisco ASA to learn the internal routes and advertise default route information. To do this, the default-information originate command is used. The version command specifies what RIP version is used. RIP version 2 is used in this example.

Example 5-4 shows the output of the show route command after learning the routes from R1.

Example 5-4 Output of the show route Command After Learning RIP Routes

RIP Authentication

RIPv1 does not support authentication. Cisco ASA supports two modes of RIPv2 authentication: plain-text authentication and Message Digest 5 (MD5) authentication.

RIP authentication using MD5 is added in Figure 5-10.

Figure 5-10 MD5 RIP Authentication Example

To enable RIP authentication using MD5, complete the following steps:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > RIP > Interface.

Step 2. Select the interface where RIP is enabled and click on Edit, as shown in Figure 5-11. In this example, the inside interface is used.

Figure 5-11 Enabling MD5 RIP Authentication in ASDM

Step 3. The Edit RIP Interface Entry dialog box is shown, as illustrated in Figure 5-11.

Step 4. (Optional) Check the Override Global Send Version check box to select the RIP version sent by the interface. In this example, RIP version 2 is used. You can disable this option to restore the global setting.

Step 5. Check the Enable Authentication check box to enable RIP authentication.

Step 6. Enter the key to be used for RIP authentication under the Key field. In this example the key supersecretkey is used. This key can contain up to 16 characters.

Step 7. Enter the Key ID used by the RIP authentication process. In this example the key ID value of 1 is used. The valid values are from 0 to 255.

Step 8. Under the Authentication Mode select MD5.

Step 9. Click Apply to apply the configuration changes in ASDM.

Step 10. Click Save to save the configuration on the Cisco ASA.

Example 5-5 shows the commands sent by ASDM to the Cisco ASA.

Example 5-5 Output of the show route Command After Learning RIP Routes

RIP Route Filtering

The Cisco ASA can be configured to prevent other routers on the local network from learning specific RIP routes. Similarly, it can be configured to filter routes from other routing devices in the network. Figure 5-12 illustrates the topology used for the next example. The goal in this example is to configure the Cisco ASA to filter the route for the 10.10.4.0/24 network from the RIP neighbor router (R1).

Figure 5-12 Filtering RIP Routes

To configure the Cisco ASA to filter the route for the 10.10.4.0/24 network from R1, complete the following steps:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > RIP > Filter Rules.

Step 2. Click on Add to create a new filter rule.

Step 3. The dialog box shown in Figure 5-13 is displayed.

Figure 5-13 RIP Filtering Rules in ASDM

Step 4. Select in under the Direction field to filter incoming RIP updates from another routing device (in this case R1). To prevent other routing devices from learning one or more RIP routes, you can suppress routes from being advertised in routing updates by selecting out in the Direction field. However, in this example the goal is to filter incoming routes from R1.

Step 5. Select the interface where the routes will be filtered. In this example R1 resides in the inside interface.

Step 6. Click on Add to add the filter rule. The Network Rule dialog box shown in Figure 5-14 is displayed.

Figure 5-14 Network Rule Dialog Box

Step 7. Select Deny under the Action field to deny a specific network or IP address.

Step 8. The goal is to filter the incoming route advertisement for the 10.10.4.0/24 network. Enter 10.10.4.0 under the IP Address field, as shown in Figure 5-14.

Step 9. The 10.10.4.0 is a 24 bit network. Enter 255.255.255.0 in the Netmask field, as shown in Figure 5-14.

Step 10. Click OK to add the new rule in the Network Rule dialog box.

Step 11. Click OK to add the new filter in the Add Filter Rules dialog box.

Step 12. Click Apply to apply the configuration changes in ASDM and add them to the Cisco ASA’s running-configuration.

Step 13. Click Save to save the configuration in the Cisco ASA.

Example 5-6 shows the CLI commands configured in the Cisco ASA by ASDM when creating these RIP filtering rules.

Example 5-6 CLI Commands for Filtering Incoming RIP Routes

Example 5-7 shows the Cisco ASA routing table, using the show route command, after the filter configured in the previous example has been applied.

Example 5-7 Routing Table After Application of Route Filtering Rules

As you see in Example 5-7, the route to the 10.10.4.0/24 network is no longer shown.

Configuring RIP Redistribution

The Cisco ASA can be configured to redistribute routes from other routing processes into RIP. Complete the following steps to configure RIP redistribution using ASDM.

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > RIP > Redistribution.

Step 2. Select the routing protocol being redistributed into the RIP routing process under the Protocol section. You can select from the following protocols:

• Static—Used to redistribute static routes.

• Connected—Used to redistribute directly connected networks.

• OSPF—Used to redistribute routes learned by a specific OSPF routing process.

• EIGRP—Used to redistribute routes learned by a specific EIGRP routing process.

Step 3. Enter the metric type and value under the Metric section. This is the RIP metric being applied to the redistributed routes. The metric in this example is set to the number 10.

Step 4. (Optional) You can configure route maps to specify with more granularity which routes from the specified routing process are redistributed into RIP.

Step 5. Click OK on the Add Redistribution dialog box.

Step 6. Click Apply to apply the configuration changes in ASDM and add them to the Cisco ASA’s running-configuration.

Step 7. Click on Save to save the configuration in the Cisco ASA.

Alternatively, you can configure RIP redistribution with the redistribute RIP subcommand. The following example shows the options for the redistribute command.

Troubleshooting RIP

This section includes several commands and techniques that you can use while troubleshooting different issues that may arise throughout your deployment of RIP. A number of scenarios are provided to exemplify these troubleshooting techniques.

Scenario 1: RIP Version Mismatch

Using the same network topology illustrated in Figure 5-12, the internal router was intentionally configured with the incorrect RIP version. The Cisco ASA was configured with RIP version 2 on the inside interface (as previously shown) and the internal router was configured with RIP version 1. The output of the show route command does not display any routes learned via RIP. Example 5-7 shows the output of this command.

Example 5-8 Output of show route Command Missing RIP Routes

The debug command debug rip events is used as a troubleshooting tool for this problem, as demonstrated in Example 5-9.

Example 5-9 Output of debug rip events Showing Incorrect RIP Version During Negotiation

In the highlighted line, the Cisco ASA displays an error message indicating that the router (10.10.1.2) is sending the incorrect RIP version (v1). The solution to this problem is to configure RIP version 2 on the internal router. Example 5-10 shows the output of the debug rip events messages when the correct information is received from the inside router.

Example 5-10 Output of debug rip events Showing Correct RIP Version During Negotiation

Notice that the Cisco ASA receives a RIP version 2 (v2) update from the router (10.10.1.2) on the inside interface. Additionally, the routes learned are also displayed.

Scenario 2: RIP Authentication Mismatch

The topology shown in Figure 5-12 is also used in this example. The internal router and the Cisco ASA were configured to perform RIP authentication using MD5. The MD5 password was configured incorrectly in the inside router (R1). Example 5-11 shows the output of debug rip events on the Cisco ASA, which shows that there is a problem with MD5 authentication.

Example 5-11 Output of debug rip events Showing Invalid Authentication During Negotiation

This message also appears if the incorrect authentication method or mode is selected.

Scenario 3: Multicast or Broadcast Packets Blocked

RIPv1 uses broadcast packets and RIPv2 uses multicast packets. If broadcast or multicast packets (respectively) are blocked, the Cisco ASA will never be able to successfully establish a RIP neighbor relationship with its peers. The debug rip events command is also useful to troubleshoot this problem. Example 5-12 shows the output of debug rip events while RIPv2 multicast packets were being blocked.

Example 5-12 Output of debug rip events While Multicast Packets Are Being Dropped or Blocked

As you can see from this example, the Cisco ASA is sending the RIPv2 packets to the address 224.0.0.9 without receiving anything back from its peers. You will also see this behavior when RIP is not enabled on any other routing device on that segment.

OSPF

The OSPF routing protocol was drafted by the IGP Working Group of the Internet Engineering Task Force (IETF). It was developed because RIP was not able to scale for large, heterogeneous networks. The OSPF specification is defined in RFC 2328, “OSPF Version 2.” It is based on the Shortest Path First (SPF) algorithm (usually referred to as the Dijkstra algorithm after its author).

OSPF is a link-state routing protocol. It sends information about attached interfaces, metrics used, and other variables to its peers or neighbors. This information is called link-state advertisements (LSAs). They are sent to all the peers within a specific hierarchical area.

OSPF operates in hierarchies of separate autonomous systems. These autonomous systems can be divided into groups of contiguous networks called areas. Routers that are part of more than one area are referred to as Area Border Routers (ABRs). Figure 5-15 illustrates an example of this concept.

Figure 5-15 Areas in OSPF

As shown in Figure 5-15, more than one OSPF area can be joined together by an ABR. On the other hand, an OSPF backbone, OSPF area 0, must be present to propagate routing information to all other areas. The Cisco ASA can be configured to act as an ABR. It then can provide not only connectivity, but also security while performing type 3 LSA filtering. Type 3 LSAs refer to summary links and are sent by ABRs to advertise destinations outside an area. The OSPF ABR type 3 LSA filtering feature gives the user improved control of route distribution between OSPF areas. This feature also provides the capability of hiding the private networks by using Network Address Translation (NAT) without advertising them.

Figure 5-16 provides an example of how the Cisco ASA can be configured as an ABR and provide LSA type 3 filtering.

Figure 5-16 Cisco ASA LSA Type 3 Filtering

The following section provides different sample configurations explaining all the OSPF features supported by Cisco ASA.

Configuring OSPF

Cisco ASA supports several OSPF features and capabilities. The following summarizes the Cisco ASA OSPF support:

• Intra-area, inter-area, and external (Type 1 and Type 2) routes

• Support to act as a designated router (DR)

• Support to act as a backup designated router (BDR)

• Support to act as an ABR

• Support to act as an ASBR, with route redistribution between OSPF processes including OSPF, static, and connected routes

• Virtual links

• OSPF authentication (both clear-text and MD5 authentication)

• Stub areas and not-so-stubby areas (NSSAs)

• LSA flooding

• ABR type 3 LSA filtering

• OSPF neighbor command and dynamic routing over VPN

• Load balancing between a maximum of three peers on a single interface, using equal-cost multipath (ECMP) routes

The following sections provide configuration examples for most of these features.

Enabling OSPF

The topology illustrated in Figure 5-17 is used in this example. It includes a Cisco ASA connected to a router named R1 on its inside interface. This router is also connected to two other routers (R2 and R3).

Figure 5-17 Basic OSPF Configuration

In this first example, the Cisco ASA, R1, R2, and R3 are all configured in area 0.

To initially configure OSPF, perform these tasks:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > OSPF > Setup.

Step 2. The Cisco ASA supports up to only two OSPF process instances on its configuration. Each OSPF process has its own associated areas and networks. To enable an OSPF process select Enable this OSPF Process for one of the two available processes as shown in Figure 5-18. In this example the OSPF Process 1 is used.

Figure 5-18 Enabling an OSPF Process

Step 3. Under the OSPF Process ID field enter a unique numeric identifier for the respective OSPF process. In this example the process ID is the number 1. The Cisco ASA uses this process ID internally and does not need to match the OSPF process ID on any other routing device. You can select any value from 1 to 65535.

Step 4. (Optional) You can click on the Advanced button to configure additional OSPF parameters such as the Router ID, Adjacency Changes, Administrative Route Distances, Timers, and Default Information Originate settings. The Edit OSPF Process Advanced Properties dialog box shown in Figure 5-19 is displayed. Figure 5-19 shows the default options. In this example, the default values are configured for simplicity.

Figure 5-19 OSPF Process Advanced Properties

Step 5. Configure the area properties and area network for the OSPF process by navigating to the Area/Networks tab.

Step 6. Click Add to add the specific networks. The screen is shown in Figure 5-20.

Figure 5-20 Enabling an OSPF Process

Step 7. Select the OSPF Process you want to edit. In this example, the OSPF process 1 is used.

Step 8. Enter the area ID in the Area ID field. In this example Area 0 is used; however, area values range from 0 to 4294967295. You can also enter the area ID using an IP address.

Step 9. There are three different area types:

• Normal makes the area a standard OSPF area. This is the default option when an area is initially created and the one used in this example.

• Stub makes the area a stub area. Stub areas stop AS External LSAs (type 5 LSAs) from being flooded into the stub area. When you create a stub area, the Summary check box is available. You can prevent summary LSAs (type 3 and 4) from being flooded into the area by not selecting the Summary check box.

• NSSA makes the area a not-so-stubby area. NSSA areas accept type 7 LSAs. As with stub area configuration, you can uncheck the Summary check box to stop summary LSAs from being flooded into the area. Route redistribution can also be disabled if you don’t select the Redistribute check box and do enable Default Information Originate.

The Default Information Originate option enables the Cisco ASA to generate a type 7 default into the NSSA. This option is disabled by default. You can also specify the OSPF metric value for the default route (in the range from 0 to 16777214). The default value is 1. The Metric Type option is used to specify the OSPF metric type for the default route. You can select the number 1 for type 1; or 2 for type 2. If Default Information Originate is configured the default value is 2.

Step 10. Define the networks in the area by entering the IP address and Mask of the networks under the Area Networks section. In this example the 10.10.1.0/24 network is added.

Step 11. Click on the Add button to add the network defined in the Enter IP Address and Netmask sections to the area. These networks appear in the Area Networks table.

Example 5-13 shows the CLI commands generated by ASDM and sent to the Cisco ASA.

Example 5-13 Basic CLI OSPF Configuration

The router ospf command is used to enable OSPF and define the OSPF process. The number 1 is used as an identification parameter for the OSPF routing process. The network command specifies the interfaces that will run OSPF. Furthermore, it specifies the area to be associated with that interface. You can use the network address or the address of the interface where you want to enable OSPF.

Example 5-14 shows the output of the show route inside command after OSPF was configured in the Cisco ASA.

Example 5-14 Output of show route inside Command After Basic OSPF Configuration

The show ospf command can be used to display the general information about the OSPF routing processes. Example 5-15 shows the output of the show ospf command in the Cisco ASA.

Example 5-15 Output of show ospf Command After Basic OSPF Configuration

The highlighted lines in Example 5-15 show the OSPF process information and show that area 0 is associated to this process and active in only one interface (the inside interface in this case).

OSPF Virtual Links

All areas must talk to area 0 (the backbone area). It’s likely that this will not always be possible. However, in OSPF, virtual links can be configured to connect an area through a non-backbone area. They can also be used to connect two parts of a segmented backbone through non-backbone areas.

Figure 5-21 illustrates the topology of the network used in the following example. The Cisco ASA is configured with a virtual link to a router located on a DMZ interface.

Figure 5-21 Virtual Link Example

To configure a virtual link on the Cisco ASA, complete the following steps:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > OSPF > Virtual Link.

Step 2. Click Add to add a new virtual link.

Step 3. The dialog box shown in Figure 5-22 is displayed.

Figure 5-22 Configuring Virtual Links in ASDM

Step 4. Select the OSPF Process associated with the virtual link. In this example, the OSPF process 1 is selected.

Step 5. Select the area shared by the neighbor OSPF devices, under the Area ID pull-down menu. Please note that NSSA or Stub areas cannot be associated with a virtual link. In this example, area 1 is selected.

Step 6. Enter the router ID of the virtual link neighbor under the Peer Router ID field. The virtual link peer is the router with the ID of 10.10.5.1 (DMZ-R2).

At first, the virtual link is down because the Cisco ASA does not know how to reach the router labeled DMZ-R2. All the LSAs in area 1 need to be flooded, and the shortest path first (SPF) algorithm must run within area 1 for the Cisco ASA to successfully reach DMZ-R2 through area 1. In this example, area 1 is the transit area. After the Cisco ASA reaches DMZ-R2, the router and the Cisco ASA try to form an adjacency across the virtual link. After the Cisco ASA and the DMZ-R2 router become adjacent on the virtual link, DMZ-R2 becomes an ABR because it now has a link in area 0. Consequently, a summary LSA for the networks in area 0 and area 1 is created.

Example 5-16 shows the CLI command sent by ASDM to the Cisco ASA to create the virtual link to the DMZ-R2 router.

Example 5-16 OSPF Virtual Link CLI Configuration

The highlighted line in Example 5-16 shows how the area 1 virtual-link command is used to create the virtual link to 10.10.5.1.

The show ospf virtual-links command can be used to display statistical information about an OSPF virtual link. The output of the show ospf virtual-links is included in Example 5-17.

Example 5-17 Output of the show ospf virtual-links Command

The highlighted lines in Example 5-17 show that the virtual link to the DMZ-R2 router (10.10.5.1) is up.

Configuring OSPF Authentication

Cisco ASA supports both plain-text and MD5 OSPF authentication. MD5 authentication is recommended because it is more secure than plain-text authentication. When configuring authentication, an entire area must be configured with the same type of authentication. For example, if area 1 is configured for MD5 authentication, all devices running OSPF must run MD5 authentication. Figure 5-23 includes an example of a Cisco ASA performing MD5 authentication on its inside interface. All routers and the Cisco ASA reside in area 0, and they must use the same authentication type and shared secret (password) to learn routes from each other.

Figure 5-23 OSPF MD5 Authentication Example

Complete the following steps to configure OSPF MD5 authentication using ASDM:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > OSPF > Setup.

Step 2. Click on the Area / Networks tab and select the OSPF Process where MD5 authentication is to be enabled. In this example, OSPF process 1 is selected.

Step 3. Click on Edit to edit the OSPF process settings. The dialog box shown in Figure 5-24 is displayed.

Figure 5-24 Configuring OSPF MD5 Authentication in ASDM

Step 4. Select MD5 under the Authentication section.

Step 5. Click OK.

Step 6. Click Apply to apply the OSPF process changes.

Step 7. Navigate to Configuration > Device Setup > Routing > OSPF > Interface.

Step 8. Select the interface where OSPF MD5 authentication is to be enabled and click Edit. In this example, OSPF MD5 authentication is enabled in the inside interface.

Step 9. The dialog box shown in Figure 5-25 is displayed. Click on MD5 authentication under the Authentication section.

Figure 5-25 OSPF Interface Authentication Settings

Step 10. Enter the MD5 Key ID under the MD5 IDs and Keys section. The MD5 Key ID is numerical identifier. This identifier can be any number from 1 to 255. The number 1 is used in this example.

Step 11. Enter the MD5 Key, which is the shared secret used by the Cisco ASA and the OSPF peer. This is an alphanumeric character string of up to 16 bytes. The key supersecret is used in this example.

Step 12. Click on Add to add the MD5 Key ID and MD5 Key settings.

Step 13. Click OK.

Step 14. Click Apply to apply the configuration changes.

Step 15. Click Save to save the configuration in the Cisco ASA.

Example 5-18 shows the CLI commands sent by ASDM to the Cisco ASA to enable OSPF MD5 authentication.

Example 5-18 OSPF MD5 Authentication CLI Commands

OSPF virtual links can also be authenticated with MD5 or plain-text authentication. The following steps show how to enable MD5 authentication in the virtual link configuration previously discussed:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > OSPF > Virtual Link.

Step 2. Select the virtual link that was previously configured and click on Edit.

Step 3. Click on Advanced to configure the advanced OSPF virtual link properties. The dialog box shown in Figure 5-26 is displayed.

Figure 5-26 Virtual Link Authentication

Step 4. Select MD5 authentication under the Authentication section.

Step 5. Enter the MD5 Key ID and MD5 Key under the MD5 IDs and Keys section. In this example, the MD5 Key ID is the number 1 and the MD5 Key is supersecret.

Step 6. Click Add to add the MD5 Key ID and the MD5 Key to the table on the right.

Step 7. Click OK on the Advanced OSPF Virtual Link Properties dialog box.

Step 8. Click OK on the Edit OSPF Virtual Link dialog box.

Step 9. Click Apply to apply the configuration changes in ASDM and add them to the Cisco ASA’s running-configuration.

Step 10. Click on Save to save the configuration in the Cisco ASA.

Example 5-19 shows the CLI commands sent by ASDM to the Cisco ASA to enable OSPF Virtual Link MD5 authentication.

Example 5-19 OSPF Virtual Link MD5 Authentication CLI Commands

The first highlighted line in Example 5-19 shows how MD5 (message-digest) authentication is enabled in the virtual link to 10.10.5.1. The second highlighted line shows how the MD5 key ID 1 is added with the message-digest-key keyword, as well as the MD5 key (supersecret) with the md5 keyword.

Configuring OSPF Redistribution

The Cisco ASA can be configured to act as an ASBR. It can perform route redistribution between different OSPF processes, static routes, or directly connected subnets. Complete the following steps to configure OSPF redistribution using ASDM.

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > OSPF > Redistribution.

Step 2. Click on Add to add an OSPF redistribution Entry. The dialog box shown in Figure 5-27 is displayed.

Figure 5-27 OSPF Redistribution Entry

Step 3. Select the OSPF process where redistribution will be configured. OSPF Process 1 is used in this example.

Step 4. Select the protocol to be redistributed under the Protocol section. This example shows how to redistribute all the static routes into OSPF.

Step 5. Enter the metric that is used for the redistribute routes under the Metric Value field. This column is blank for redistribution entries if the default metric is used. In this example, the metric value entered is 10.

Step 6. Select the metric type under the Metric Type pull-down menu. One (1) specifies that the route is a Type 1 external route; the number (2) specifies that the metric is a Type 2 external route. Type 2 routes are selected in this example.

Step 7. (Optional) You can configure a 32-bit decimal tag under the Tag Value field. This is an identifier used on each external route. This value is not used by the Cisco ASA itself; however, it may be used by other routing devices to communicate information between ASBRs. You can configure this tag with any value from 0 to 4294967295.

Step 8. (Optional) You can configure route maps to specify with more granularity which routes from the specified routing process are redistributed into RIP.

Step 9. Click OK on the Add OSPF Redistribution Entry dialog box.

Step 10. Click Apply to apply the configuration changes.

Step 11. Click on Save to save the configuration in the Cisco ASA.

Example 5-20 shows the CLI commands sent by ASDM to the Cisco ASA to enable OSPF Virtual Link MD5 authentication.

Example 5-20 OSPF Virtual Link MD5 Authentication CLI Commands

Static routes are redistributed into OSPF as shown in the highlighted line. The redistribute static command is used to enable OSPF redistribution for static routes. In this example, the static routes are redistributed with a metric value of 10.

Stub Areas and NSSAs

An ASBR advertises external routes throughout the OSPF autonomous system. However, in some situations, there is no need to advertise external routes into an area to reduce the size of the OSPF database. A stub area is an area that does not allow the advertisements of external routes. In stub areas, a default summary route is injected along with information about networks that belong to other areas within the same OSPF network.

To use ASDM to configure an area as a stub area, complete the following steps:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > OSPF > Setup.

Step 2. Select the Area / Networks tab.

Step 3. Click on Add to add an area or Edit to edit an area.

Step 4. Under the Area Type section select Stub.

Step 5. Click OK.

Step 6. Click Apply to apply the configuration changes.

Step 7. Click on Save to save the configuration in the Cisco ASA.

Alternatively, you can use the CLI stub option with the area OSPF subcommand to configure this feature in the Cisco ASA. The following is the command syntax:

area area-id stub [no-summary]

If an area is configured as a stub, all the routers within the area must also be configured as stub routers. Otherwise, the neighbor relationship will not be established.

The OSPF NSSA feature is defined in RFC 3101 as “The OSPF Not-So-Stubby Area (NSSA) Option.” Redistribution of routes into an NSSA generates a special type of LSA known as LSA type 7. This type only exists in NSSAs.

To use ASDM to configure an area as an NSSA, complete the following steps:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > OSPF > Setup.

Step 2. Select the Area / Networks tab.

Step 3. Click on Add to add an area or Edit to edit an area.

Step 4. Under the Area Type section select NSSA.

Step 5. Click OK.

Step 6. Click Apply to apply the configuration changes.

Step 7. Click on Save to save the configuration in the Cisco ASA.

In the CLI, you can use the nssa option with the area OSPF subcommand to configure this feature in the Cisco ASA. The following is the command syntax:

OSPF Type 3 LSA Filtering

The Cisco ASA supports OSPF Type 3 LSA filtering. Follow these steps to use ASDM to configure OSPF Type 3 LSA filtering:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > OSPF > Filtering.

Step 2. Click on Add to add OSPF filtering rules. The dialog box shown in Figure 5-28 is displayed.

Figure 5-28 OSPF Filtering Entry

Step 3. Select the OSPF Process to be associated with the filter entry; in this example the OSPF process 1 is selected.

Step 4. Select the Area ID to be associated with the filter entry. In this example, area 0 is selected.

Step 5. Enter the network address and subnet mask bit to be filtered in the Filtered Network field. In this example the network 10.10.6.0/24 is filtered.

Step 6. Select the direction on how the filter is applied, using the Traffic Direction pull-down menu. The Inbound direction is used in this example; with this configuration the Cisco ASA filter entry applies to LSAs coming into area 0.

Step 7. Enter the sequence number to be used for the filter entry under the Sequence # field. In this example, the sequence number used is the number 1. This sequence number is used if multiple filters are configured on the Cisco ASA; the filter with the lowest sequence number is applied first.

The Cisco ASA begins the search at the top of the prefix list. After a match or deny occurs, the Cisco ASA does not need to go through the rest of the prefix list.

Step 8. Select the Action to be applied to this filter. In this example, the deny action is selected to deny any route advertisements for the 10.10.6.0/24 network.

Step 9. (Optional) You can specify the minimum prefix length to be matched with an OSPF filter in the Lower Range field. In this example, this field is left blank.

Step 10. (Optional) You can specify the maximum prefix length to be matched with an OSPF filter in the Upper Range field. In this example, this field is left blank.

Step 11. Click OK.

Step 12. Click Apply to apply the configuration changes.

Step 13. Click on Save to save the configuration in the Cisco ASA.

To filter Type 3 LSAs in the Cisco ASA via the CLI, use the prefix-list command. After it is configured, the Cisco ASA can control which prefixes are sent from one area to another. The syntax of the prefix-list command is as follows:

Table 5-2 lists all the options of the prefix-list command.

Table 5-2 prefix-list Command Options

OSPF neighbor Command and Dynamic Routing over VPN

OSPF Hello messages are sent over multicast by default. However, IPSec does not support multicast over a VPN tunnel. Consequently, OSPF adjacency using multicast cannot be established over IPSec VPN tunnels. Cisco ASA provides a solution to this problem by supporting the configuration of statically defined neighbors. When you configure a statically defined neighbor, the Cisco ASA communicates with its peers using unicast packets. This enables the OSPF messages to be successfully encrypted and sent over the VPN tunnel.

The OSPF neighbors can be defined only on nonbroadcast media. Because the underlying physical media is Ethernet (broadcast), the media type must be changed to nonbroadcast under the interface configuration. This would override the default physical broadcast media type.

To configure a static OSPF neighbor using ASDM, complete the following steps:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > OSPF > Static Neighbor.

Step 2. Click on Add to add a new neighbor.

Step 3. Select the OSPF Process to be used for this entry.

Step 4. Enter the neighbor IP address under the Neighbor field.

Step 5. Select the interface where the neighbor resides in the Interface pull-down menu.

Step 6. Click OK.

Step 7. Click Apply to apply the configuration changes.

Step 8. Click on Save to save the configuration in the Cisco ASA.

Alternatively, you can use the neighbor command to specify an OSPF neighbor.

Example 5-21 demonstrates how to use the neighbor command for an IPSec peer located at 209.165.201.2.

Example 5-21 OSPF Static Neighbors

Notice the warning message in Example 5-21. The command does not take effect until the network type is changed to nonbroadcast under the interface. Use the ospf network point-to-point non-broadcast interface command to accomplish this. Example 5-22 demonstrates this command.

Example 5-22 Changing the Default Physical Media Type to Nonbroadcast

Additionally, OSPF expects neighbors to belong to the same subnet. The subnet requirement is overlooked for point-to-point links. Because the IPSec site-to-site VPN tunnels are considered a point-to-point connection, the previous command provides the solution to this problem. Only one neighbor can be configured on a point-to-point link.

On IPSec site-to-site and remote-access VPN configurations, you can optionally use reverse route injection (RRI). RRI is a feature on the Cisco ASA that provides a solution for topologies that require encrypted traffic to be diverted to the Cisco ASA and all other traffic to be sent to a separate router. In other words, RRI eliminates the need to manually define static routes on internal routers or hosts to be able to send traffic to remote site-to-site connections or remote-access VPN connections. RRI is not required if the Cisco ASA is used as the default gateway and all traffic passes through it to get into and out of the network.

There are several advantages to running OSPF over an IPSec VPN tunnel instead of using RRI. One of the major advantages is that when RRI is used, the routes to the remote networks or hosts are always advertised to the internal network, regardless of whether or not the VPN tunnel is operational. When using OSPF over an IPSec site-to-site tunnel, the routes to the remote networks or hosts are advertised only if the VPN tunnel is operational.

Troubleshooting OSPF

This section includes many mechanisms and techniques that are used to troubleshoot OSPF problems, such as several show and debug commands.

Useful Troubleshooting Commands

A commonly used command is show ospf [process-id]. It displays general information about OSPF routing-process IDs. The process-ID option displays information for a specific OSPF routing process. Example 5-23 shows the output of this command.

Example 5-23 Output of the show ospf [process-id] Command

As demonstrated in Example 5-23, the show ospf command gives you details about the OSPF configuration, LSA information, OSPF router ID, and number of areas configured in the Cisco ASA.

To display OSPF-related interface information, use the show ospf interface command. Example 5-24 includes the output of this command for the inside interface.

Example 5-24 Output of the show ospf interface Command

The output of the show ospf interface command shows not only information about the OSPF communication on that specific interface, but also other information, such as the network type, cost, designated router information, and so on.

To display OSPF neighbor information, use the show ospf neighbor command. The following is the command syntax:

show ospf neighbor [interface-name] [neighbor-id] [detail]

To show neighbor information on a per-interface basis, use the interface-name argument. Use the neighbor-id option to display information about a specific neighbor, and use the detail option to display detailed neighbor information. The interface-name and neighbor-id options are mutually exclusive. Example 5-25 shows the output of the show ospf neighbor command.

Example 5-25 Output of the show ospf neighbor Command

When OSPF adjacency is formed, the Cisco ASA goes through several state changes before it becomes fully adjacent with its neighbor. The information that these states represent is crucial when troubleshooting OSPF problems in the Cisco ASA. These states are as follows:

• Down—The first OSPF neighbor state. It means that no Hello packets have been received from this neighbor, but Hello packets can still be sent to the neighbor in this state.

• Attempt—Only valid for manually configured neighbors in a non-broadcast multi-access (NBMA) environment. In Attempt state, the Cisco ASA sends unicast Hello packets every poll interval to the neighbor, if it has not received any Hello packets within the dead interval.

• Init—Specifies that the Cisco ASA has received a Hello packet from its neighbor, but the receiving router’s ID was not included in the Hello packet. When the Cisco ASA or any router running OSPF receives a Hello packet from a neighbor, the neighbor’s router ID is received in the Hello packet..

• 2Way—Designates that bidirectional communication has been established between the Cisco ASA and its neighbor.

• Exstart—The Cisco ASA is exchanging information to select who will be the DR and BDR (master-slave relationship) and chooses the initial sequence number for adjacency formation. The device with the higher router ID becomes the master and starts the exchange and, as such, is the only device that can increment the sequence number.

• Exchange—Indicates the exchange of database descriptor (DBD) packets. Database descriptors contain LSA headers only and describe the contents of the entire link-state database used to determine whether new or more current link-state information is available.

• Loading—The Cisco ASA is doing the actual exchange of link-state information with its neighbor.

• Full—The Cisco ASA and its neighbor are fully adjacent with each other. All the router and network LSAs are exchanged and the routing databases are fully synchronized.

Example 5-26 shows the output of the show ospf neighbor command with the detail option. The neighbor in this example is a router with IP address 192.168.10.2. In this example, you can see that the OSPF state is Full and that there were six state changes. Additionally, you can see that the neighbor has been up for 26 minutes and 21 seconds.

Example 5-26 Output of the show ospf neighbor detail Command

Use the show ospf database command to display information related to the Cisco ASA OSPF database. The command displays information about the different OSPF LSAs. It displays detailed information about the neighbor router and the state of the neighbor relationship. Example 5-27 shows the output of the show ospf database command.

Example 5-27 Output of the show ospf database Command

As demonstrated in Example 5-27, several external routes are learned from router 192.168.10.2. The 192.168.10.2 neighbor is advertising two routes for networks 192.168.20.0/24 and 192.168.13.0/24. Example 5-28 shows the output of the show route command for this example. The O by the route statement indicates that the route is learned via OSPF, and the E2 indicates that it is an external type 2 route.

Example 5-28 Output of the show route Command

Table 5-3 lists some of the common reasons why OSPF neighbors have problems forming an adjacency and suggests the show commands that you can use to troubleshoot the problem.

Table 5-3 OSPF Common Problems and Useful show Commands

The debug ospf command is extremely useful for troubleshooting OSPF problems. However, turn on debug commands only if any of the show commands discussed cannot help you solve the problem. Table 5-4 lists all the options of the debug ospf command.

Table 5-4 debug ospf Options

Example 5-29 shows the output of the debug ospf events command during a new adjacency. The first highlighted line shows that a two-way communication has been started to the router 192.168.10.2 on the inside interface and the state is 2WAY. The second highlighted line shows that non-broadcast (NBR) negotiation has been completed and the Cisco ASA is classified as the slave. The third and fourth highlighted lines indicate that the exchange has been completed and that the state is now FULL.

Example 5-29 Output of the debug ospf events Command

Mismatched Areas

Example 5-30 shows the output of the debug ospf events command during an OSPF transaction where the Cisco ASA was configured with area 0 and the adjacent router was configured with area 1. Consequently, the mismatch area message is displayed in the debug output.

Example 5-30 Mismatched OSPF Areas

OSPF Authentication Mismatch

In the next example, the Cisco ASA was configured to perform OSPF authentication. OSPF authentication was not enabled on the neighbor router. Example 5-31 shows the output of the debug ospf event command.

Example 5-31 Mismatched OSPF Authentication Parameters

Troubleshooting Virtual Link Problems

To display parameters and the current state of OSPF virtual links configured in the Cisco ASA, use the show ospf virtual-links command. Example 5-32 shows the output of the show ospf virtual-links command while the state of the virtual link to router 192.168.10.2 is down.

Example 5-32 Output of the show ospf virtual-links Command During a Configuration Mismatch in the Neighbor Router

The problem is a configuration error on the Cisco ASA’s neighbor router. The administrator notices, by looking at the running configuration with the show running-config command, that the router does not have the Cisco ASA’s IP address in its configuration.

EIGRP

EIGRP is an enhanced version of the Interior Gateway Protocol (IGRP), which is a distance vector routing protocol. The distance vector routing technology defines that each router does not need to know all the router/link relationships for the entire network because each router advertises destinations with a corresponding distance. Each router, hearing the information, adjusts the distance and propagates it to neighboring routers. The same distance vector technology found in IGRP is also used in EIGRP. However, one of the major differences is the enhanced convergence properties and operating efficiency.

EIGRP uses the Diffusing Update Algorithm (DUAL). This algorithm is used to calculate route options while maintaining loop-freedom at every instant.

EIGRP has four basic components:

• Neighbor Discovery/Recovery—This is the process that routers use to dynamically learn of other routing devices within the adjacent network, and when they become unreachable or inoperative.

• Reliable Transport Protocol—Guarantees the ordered delivery of EIGRP packets to all neighbors.

• DUAL Finite State Machine—This is what does all route computations. It tracks all routes advertised by all neighbors. The distance information, known as a metric, is used to calculate the best (loop free) path.

• Protocol Dependent Modules—Responsible for network layer, protocol-specific requirements (i.e., packet encapsulation).

Configuring EIGRP

The following sections cover the configuration of EIGRP in the Cisco ASA.

Enabling EIGRP

The first step is to configure basic EIGRP on the Cisco ASA. The topology illustrated in Figure 5-29 is used for the following examples. The goal is to configure the Cisco ASA to learn routes from the inside router (R1) via EIGRP.

Figure 5-29 EIGRP Example Topology

Complete the following steps to enable EIGRP in the Cisco ASA using ASDM:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > EIGRP > Setup. The screen shown in Figure 5-30 is displayed.

Figure 5-30 Enabling EIGRP

Step 2. To enable EIGRP, select Enable this EIGRP Process under the EIGRP Process section.

Step 3. Enter the EIGRP autonomous system (AS) number under the EIGRP Process field. The number 10 is used in this example. This number must match in all EIGRP neighbors. The AS number can be any value from 1 to 65535.

Step 4. (Optional) You can click on the Advanced button to configure EIGRP advanced properties, such as automatic route summarization, router ID, metric parameters, stub configuration, administrative distance, and others. The Edit EIGRP Process Advanced Properties dialog box shown in Figure 5-31 is displayed. In this example, automatic summarization is disabled; all other default values are used.

Figure 5-31 EIGRP Process Advanced Properties

Step 5. Click OK.

Step 6. Navigate to the Networks tab to configure the networks for the EIGRP process.

Step 7. Click on Add to add the EIGRP networks. The dialog box displayed in Figure 5-32.

Figure 5-32 Adding Networks to the EIGRP Process

Step 8. In this example, the inside network 10.10.1.0 with netmask 255.255.255.0 is used.

Step 9. Click OK.

Step 10. Click Apply to apply the configuration changes.

Step 11. Click on Save to save the configuration in the Cisco ASA.

Alternatively, you can use the CLI to configure EIGRP. Example 5-33 shows the CLI commands sent by ASDM to the Cisco ASA.

Example 5-33 Enabling EIGRP via the CLI

Use the router eigrp 10 command to enable EIGRP, using the AS number 10. The no auto-summary command disables automatic route summarization. The network command is used to configure all networks for the EIGRP process.

Example 5-34 shows the output of the show route inside command after the EIGRP routes have been learned from R1.

Example 5-34 Output of show route inside Command Showing EIGRP Routes

In this example, three routes are learned for the internal networks via R1 (10.10.1.2). The letter D indicates that these routes are learned via EIGRP.

Configuring Route Filtering for EIGRP

The Cisco ASA supports EIGRP route filtering. You can filter routes learned via EIGRP or prevent specific routes from being advertised to EIGRP neighbors. The goal in the following example is to configure the Cisco ASA to filter the route to the network 10.10.4.0/24 learned from R1. To achieve this goal complete the following steps:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > EIGRP > Filter Rules.

Step 2. Click on Add to add a filter rule. The dialog box shown in Figure 5-33 is displayed.

Figure 5-33 Adding EIGRP Filter Rules

Step 3. Select the respective EIGRP AS from the pull-down menu. In this example, the EIGRP AS number 10 is used.

Step 4. Select the direction on how the filter is to be applied. In this example, the filter is applied inbound (in).

Step 5. Select the interface where the filter is to be applied. In this example, the inside interface is selected.

Step 6. Click on Add to enter the routes/networks to be allowed or denied. In this example, the action is set to deny incoming route advertisements for the 10.10.4.0/24 network.

Step 7. Click OK.

Step 8. Click Apply to apply the configuration changes.

Step 9. Click on Save to save the configuration in the Cisco ASA.

Example 5-35 shows the CLI commands sent by ASDM to the Cisco ASA for EIGRP route filtering.

Example 5-35 Configuring EIGRP Route Filtering via the CLI

In Example 5-35, a standard ACL (eigrpACL_FR) is configured to deny the 10.10.4.0 network. This ACL is then applied inbound to the distribute-list command in the inside interface.

EIGRP Authentication

The Cisco ASA supports EIGRP authentication using MD5 hashing. Complete the following steps to enable EIGRP MD5 authentication:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > EIGRP > Interface.

Step 2. Select the interface where EIGRP MD5 authentication is to be enabled and click on Edit. The Edit EIGRP Interface Entry dialog box shown in Figure 5-34 is displayed.

Figure 5-34 Edit EIGRP Interface Entry Dialog Box

Step 3. Under the Authentication section, select Enable MD5 Authentication.

Step 4. Enter the key (password) to be used under the Key field. The key supersecret is used in this example.

Step 5. Enter the key identifier under the Key ID field. The Key ID 1 is used in this example.

Step 6. Click OK.

Step 7. Click Apply to apply the configuration changes.

Step 8. Click on Save to save the configuration in the Cisco ASA.

Example 5-36 shows the CLI commands sent by ASDM to the Cisco ASA to enable EIGRP MD5 authentication.

Example 5-36 Configuring EIGRP MD5 Authentication Using the CLI

EIGRP authentication is enabled under the inside interface (GigabitEthernet0/1). The first highlighted line defines the key supersecret and key ID 1 for the EIGRP AS number 10. The second highlighted line enables MD5 authentication. The authentication key is removed and labeled as <removed> when you view the configuration, using the show running-config or show configuration commands.

Defining Static EIGRP Neighbors

The Cisco ASA supports statically defined EIGRP neighbors. Typically, EIGRP neighbors are dynamically discovered; however, on point-to-point, non-broadcast networks, you must statically define the neighbors.

Configure a static neighbor in the Cisco ASA by completing the following steps:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > EIGRP > Static Neighbor.

Step 2. Click on Add to add a new EIGRP static neighbor.

Step 3. Enter the EIGRP neighbor IP address in the Add EIGRP Neighbor Entry dialog box.

Step 4. Click OK.

Step 5. Click Apply to apply the configuration changes.

Step 6. Click on Save to save the configuration in the Cisco ASA.

Alternatively, in the CLI you can use the neighbor command, as shown in Example 5-37.

Example 5-37 Configuring a Static EIGRP Neighbor

In Example 5-37 the neighbor 10.10.1.2 is statically defined.

Route Summarization in EIGRP

The Cisco ASA supports EIGRP route summarization. This is used to manually define summary addresses if you want to create summary addresses that do not occur at a network number boundary. In other words, if any specific routes are in the routing table, EIGRP advertises the summary address out the specified interface with a metric equal to the minimum of all the more specific routes.

EIGRP route summarization is configured on the Cisco ASA when automatic route summarization is disabled. Summary addresses are configured in the Cisco ASA on a per-interface basis.

Complete the following steps to create a summary address:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > EIGRP > Summary Address.

Step 2. Click on Add to add a summary address entry. The dialog box shown in Figure 5-35 is displayed.

Figure 5-35 Add EIGRP Summary Address Entry Dialog Box

Step 3. Select the EIGRP AS where summarization is applied. The EIGRP AS used in this example is 10.

Step 4. Enter the IP Address and the Netmask of the summary address. In this example, the 10.10.0.0 network address and 255.255.0.0 netmask are used. Subsequently, the 10.10.1.0/24, 10.10.2.0/24, 10.10.3.0/24, and 10.10.4.0/24 networks will be summarized as 10.10.0.0/16.

Step 5. Enter the Administrative distance used for this summary address. In this example, the administrative distance used is 10. The default is 5.

Step 6. Click OK.

Step 7. Click Apply to apply the configuration changes.

Step 8. Click on Save to save the configuration in the Cisco ASA.

Alternatively, you can use the summary-address interface subcommand to configure summarization under a specific interface. Example 5-38 shows the CLI commands sent by ASDM to the Cisco ASA.

Example 5-38 Configuring an EIGRP Summary Address

In this example, the summary-address interface subcommand defines the summary address 10.10.0.0 with netmask 255.255.0.0 applied to the EIGRP AS number 10. The administrative distance is set to 10 at the end of the command.

Split Horizon

The Cisco ASA supports split horizon. Split horizon is enabled on all interfaces by default. When you configure split horizon, EIGRP update and query packets are not sent for destinations for which the specified interface is the next hop. This is used to minimize the potential of routing loops.

In some cases, for instance in nonbroadcast networks, split horizon may not be necessary and may need to be disabled. You can disable split horizon with ASDM by completing the following steps:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > EIGRP > Interface.

Step 2. Select the respective interface and click on Edit.

Step 3. The Edit EIGRP Interface Entry dialog box is displayed. This dialog box was illustrated earlier in Figure 5-34. Uncheck the Enable box in the Split Horizon field.

Step 4. Click OK.

Step 5. Click Apply to apply the configuration changes.

Step 6. Click on Save to save the configuration in the Cisco ASA.

Alternatively, you can use the no split-horizon eigrp <as number> interface subcommand to disable split horizon on a specific interface.

Route Redistribution in EIGRP

As with RIP and OSPF, in EIGRP you can redistribute routes from other routing protocols. To configure route redistribution in ASDM, complete the following steps:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > EIGRP > Redistribution.

Step 2. Click on Add to add an EIGRP redistribution entry. The dialog box shown in Figure 5-36 is displayed.

Figure 5-36 Add EIGRP Redistribution Entry Dialog Box

Step 3. Select the AS number where route redistribution will be applied. In this example, the EIGRP AS number 10 is selected.

Step 4. Select the Protocol to be redistributed into EIGRP. In this example, static routes are redistributed into EIGRP. The Static option is selected.

Step 5. You can configure several optional metrics and OSPF redistribution parameters. In this example, the defaults are used. However, the following are all the supported advanced options:

• Bandwidth—Used to specify the EIGRP bandwidth metric in Kilobits per second.

• Delay—Used to specify the EIGRP delay metric, in 10-microsecond units.

• Reliability—Used to specify the EIGRP reliability metric.

• Loading—Used to specify the EIGRP loading bandwidth metric.

• MTU—Used to specify the minimum MTU of the path.

• Route Map—Used to granularly define which routes are redistributed into the EIGRP.

You can also (optionally) specify which OSPF routes are redistributed into the EIGRP routing process by selecting any of the following options under the Optional OSPF Redistribution section:

• Match Internal—Used for internal OSPF routes.

• Match External 1—Used to match external type 1 routes.

• Match External 2—Used to match external type 2 routes.

• Match NSSA-External 1—Used to match NSSA external type 1 routes.

• Match NSSA-External 2—Used to match NSSA external type 2 routes.

Step 6. Click OK.

Step 7. Click Apply to apply the configuration changes.

Step 8. Click on Save to save the configuration in the Cisco ASA.

Example 5-39 includes the commands sent by ASDM to the Cisco ASA.

Example 5-39 Redistributing Static Routes into EIGRP

In this example, the redistribute static command is used to redistribute static routes into the EIGRP process.

You can use the redistribute connected command to redistribute connected routes into the EIGRP routing process, as shown below:

To redistribute routes from an OSPF routing process into the EIGRP routing process, use the redistribute ospf command as follows:

To redistribute routes from a RIP routing process into the EIGRP routing process, use the redistribute rip command as follows:

Controlling Default Information

When EIGRP is enabled, default routes are sent and accepted in the Cisco ASA by default, which is a configurable behavior. To configure a set of rules for controlling the sending and receiving of default route information in EIGRP updates, complete the following steps:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > EIGRP > Default Information.

Step 2. You can have one in and one out rule for each EIGRP routing process. However, only one process is currently supported. In this example, the goal is to deny any default route to be learned by the EIGRP process. Select the direction of the filter rule that reads in and click on Edit. The Edit Default Information dialog box is displayed.

Step 3. Select the EIGRP process.

Step 4. Make sure that the Direction is set to in.

Step 5. Click on Add to add the new rule. The Network Rule dialog box is displayed.

Step 6. Select deny from the Action pull down menu.

Step 7. Enter 0.0.0.0 in the IP address field.

Step 8. Enter 0.0.0.0 in the Netmask field.

Step 9. Click OK in the Network Rule dialog box.

Step 10. Click OK in the Add Default Information dialog box.

Step 11. Click OK.

Step 12. Click Apply to apply the configuration changes.

Step 13. Click on Save to save the configuration in the Cisco ASA.

Example 5-40 shows the CLI commands sent by ASDM to the Cisco ASA.

Example 5-40 Default Information Filtering in EIGRP

In Example 5-40 a standard ACL named eigrpACL_DI is configured denying any. Then the default-information router subcommand is used with the in keyword to deny the default routes inbound. The eigrpACL_DI ACL name is entered at the end of the default-information command.

Troubleshooting EIGRP

This section covers detailed information for troubleshooting problems in EIGRP.

Useful Troubleshooting Commands

The show eigrp topology command can be used to display the EIGRP topology in the Cisco ASA. Example 5-41 shows the output of this command.

Example 5-41 Displaying the EIGRP Topology

In Example 5-41, the three routes learned from 10.10.1.2 are displayed.

The show eigrp neighbors command provides the details of current EIGRP neighbors. Example 5-42 shows the output of this command.

Example 5-42 Output of show eigrp neighbors Command

In Example 5-42 the inside router (10.10.1.2) is displayed. You can also see the interface where the neighbor resides (Gi0/1 in this example). You can also see the Hold timer, which is the length of time (in seconds) that the Cisco ASA waits to receive a hello packet from the neighbor routing device before declaring it down.

The Uptime value is the elapsed time since the Cisco ASA first heard from this neighbor. This is displayed in hours:minutes:seconds.

The smooth round-trip time (SRTT) is the number of milliseconds required for an EIGRP packet to be sent to this neighbor and for the Cisco ASA to receive a reply.

Retransmission timeout (RTO) is the amount of time the Cisco ASA waits before resending a hello packet to a neighbor. The Q Cnt is the number of EIGRP packets that are in queue to be sent by the Cisco ASA. The Seq Num is the sequence number of the last EIGRP packet received from the neighbor.

The show eigrp events command displays the EIGRP event log. This output is limited to 500 events. New events are added to the bottom of the output and old events are removed from the top of the output. Example 5-43 shows the output of the show eigrp events command.

Example 5-43 Output of show eigrp events Command

In Example 5-43, updates are sent and received from the neighbor router. In this example the route to the network 10.10.4.0/24 is received and installed in the routing table.

Use the show eigrp interfaces command to display the interfaces where EIGRP is enabled. Example 5-44 shows the output of the show eigrp interfaces command.

Example 5-44 Output of show eigrp interfaces Command

In this example EIGRP is enabled only on the inside interface and it currently has one peer.

Use the show eigrp traffic command to display EIGRP traffic statistics. Example 5-45 shows the output of the show eigrp traffic command.

Example 5-45 Output of show eigrp traffic Command

As shown in Example 5-45, the show eigrp traffic command displays the number of EIGRP packets sent and received in the Cisco ASA. These packets include hellos, updates, queries, replies, acknowledgements, and other statistical information.

The debug eigrp fsm command is one of the most useful debug commands used to troubleshoot EIGRP problems. Example 5-46 shows the output of the debug eigrp fsm command during normal operations.

Example 5-46 Output of debug eigrp fsm Command During Normal Operations

In Example 5-46, the updates are received from the EIGRP neighbor 10.10.1.2 and the routes received are installed on the routing table.

Stability and failure in the EIGRP neighbor relationship are some of the most common issues. The following are some of the reasons why EIGRP neighbors may fail (flap):

• Underlying link flaps.

• Misconfigured hello and hold intervals.

• Loss of hello packets.

• Existence of unidirectional links.

• Route goes stuck-in-active. When a router enters the stuck-in-active state, the neighbors from which the reply was expected are reinitialized, and the router goes active on all routes learned from those neighbors and is able to process all routing updates.

• Provision of insufficient bandwidth for the EIGRP process and improperly set bandwidth statements.

• One-way multicast traffic.

• Routes that are stuck in active.

• Query storms.

• Authentication problems.

The following sections cover different common scenarios encountered while troubleshooting EIGRP issues.

Scenario 1: Link Failures

When an interface goes down, EIGRP takes down the neighbors that are reachable through that interface and flushes all routes learned through that neighbor. The debug eigrp fsm command is very useful while troubleshooting these kinds of problems. In the following example the link between the Cisco ASA and the inside router (10.10.1.2) failed. Example 5-47 shows the output of the debug iegrp fsm when the link went down.

Example 5-47 Output of debug eigrp fsm Command During a Link Failure

In Example 5-47, the Cisco ASA detected that the link was down and removed all the entries for the routes learned from the neighbor (10.10.1.2).

Scenario 2: Misconfigured Hello and Hold Intervals

In the Cisco ASA and Cisco IOS routers, the EIGRP hold interval can be set independently of the hello interval. This is done with the hold-time eigrp interface subcommand. If you set a hold interval smaller than the hello interval, it results in the neighbors flapping continuously. Therefore, it is recommended that the hold time be at least three times the hello interval.

In the following example the hold interval was set to 2 seconds on the neighbor router (10.10.1.2). Example 5-48 shows the output of the debug eigrp fsm while the neighbor relationship between the Cisco ASA and the inside router was flapping continuously.

Example 5-45 Output of debug eigrp fsm Command While Neighbors Are Flapping

The output of Example 5-48 is truncated; however, you can see the neighbor relationship between the Cisco ASA and the inside router flapping continuously. Routes first are learned and then removed.

The output of the show eigrp events command also displays the neighbor relationship flapping. One of the advantages of the show eigrp events is that it includes a timestamp at the beginning of each log entry. Example 5-49 includes the output of the show eigrp events command while the neighbors were flapping.

Example 5-49 Output of show eigrp events Command While Neighbors Are Flapping

The output shown in Example 5-49 is truncated; however, you can see the number of times the neighbor relationship flapped. Note the events in the highlighted lines are repeated within the command output.

Scenario 3: Misconfigured Authentication Parameters

In the following sample scenario, authentication was configured in the Cisco ASA, but it was not configured in the inside router (10.10.1.2). The debug eigrp fsm is not useful for authentication problems. The debug eigrp packets can be used to show the transactions between the Cisco ASA and the inside router. Example 5-50 shows the output of the debug eigrp packets.

Example 5-50 Output of debug eigrp packets Command During EIGRP Authentication Failures

In Example 5-50, you can see the Cisco ASA sending an EIGRP hello packet on the interface GigabitEthernet0/1 and then ignoring a packet received from 10.10.1.2 because it was not an authenticated packet (missing authentication).

IP Multicast

IP multicast provides the capability to transmit information to multiple devices in the network by efficiently utilizing bandwidth. Several video and audio applications use IP multicast as their method of communication. Additionally, some of the routing protocols covered earlier use multicast. These routing protocols include OSPF, EIGRP, and RIP version 2. Many other applications, such as database replication software and emergency alert systems, also use IP multicast.

Traditionally, a multicast device communicates with a group of receivers by using an associated Layer 3 Class D address. The lowest bit of the first byte of the Ethernet multicast destination addresses must be a 1, which allows the device to differentiate between multicast and unicast packets.

Multicast has a mechanism that tells the network about what hosts are members of a specific group. This technique prevents unnecessary flooding. The Internet Group Multicast Protocol (IGMP) is the protocol used to prevent unnecessary flooding. IGMP version 2 is defined in RFC 2236 and IGMP version 3 is defined by RFC 3376. The Cisco ASA can operate in two different multicast modes: IGMP stub mode and PIM sparse mode.

IGMP Stub Mode

To join a specific multicast group, a host sends an IGMP report or join message to the routing device. The routing device sends query messages to discover which devices are still associated to a specific group. The host sends a response to the router query if it wants to continue to be a member of the specific group. If the router does not receive a response, it prunes the group list. This minimizes unnecessary transmissions.

The Cisco ASA can be configured as an IGMP proxy. When configured as an IGMP proxy, the Cisco ASA forwards only IGMP messages from the downstream hosts. Additionally, it can send multicast transmissions from upstream routers. It can also be configured to statically join a multicast group.

PIM Sparse Mode

In IP multicast routing, the network must be able to assemble packet distribution trees that identify a unique forwarding path between the source and each subnet containing members of the multicast group. One of the key objectives in the creation of distribution trees is to allow at least one copy of each packet to be forwarded to each branch of the tree. Several IP multicast protocols exist, but the most commonly used is Protocol Independent Multicast (PIM).

There are two different flavors of PIM routing protocols:

• Dense mode (PIM-DM)—Routers running DM routing protocols are required to forward multicast traffic to each group by assembling distribution trees. They do so by flooding the entire network even if the receivers do not request such updates. Subsequently, they prune all the paths that do not have any receivers. Dense mode is not widely used or recommended.

• Sparse mode (PIM-SM)—The SM protocols require that each router participating in the PIM domain be explicitly configured with a rendezvous point, which controls group membership and is initially the root of the distribution tree. SM IP multicast routing protocols start with an empty distribution tree and add only devices that specifically request to join the distribution.

Cisco ASA supports PIM-SM as the multicast routing protocol. It can use unicast routing information base (RIB) or multicast-capable RIB (MRIB) to route multicast packets. PIM-SM assembles unidirectional shared trees rooted at a rendezvous point (RP) per multicast group. Additionally, it can create shortest-path trees (SPTs) per each source.

Configuring Multicast Routing

This section includes the necessary steps to configure multicast routing with ASDM and the CLI.

Enabling Multicast Routing

The first step to configure IP multicast routing on the Cisco ASA is to enable it. To enable multicast routing using ASDM, navigate to Configuration > Device Setup > Routing > Multicast and check the Enable Multicast Routing check box.

Alternatively, you can enable multicast routing via the CLI by invoking the multicast-routing command in global configuration mode. To disable IP multicast routing, use the no multicast-routing command.

Statically Assigning an IGMP Group

You can configure the Cisco ASA to statically join a specific multicast group. Complete the following steps to statically join a specific multicast group with ASDM.

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > Multicast > IGMP > Join Group.

Step 2. Click on Add to add an IGMP join group.

Step 3. Select the interface where the multicast group address is to be configured.

Step 4. Enter the multicast group address under the Multicast Group Address field. In this example the 239.0.10.1 multicast group address is used.

Step 5. Click OK.

Step 6. Click Apply to apply the configuration changes.

Step 7. Click on Save to save the configuration in the Cisco ASA.

You can also accomplish this via the CLI by using the igmp static-group command in interface configuration mode. Example 5-51 shows how to statically assign an IGMP group in the Cisco ASA.

Example 5-51 Statically Assigning an IGMP Group

In Example 5-51, the statically configured group in interface GigabitEthernet0/1 is 239.0.10.1. The igmp static-group command only adds the interface to the multicast group. This is different from the join-group command. The join-group command adds the configured interface to the outgoing interface list (OIL), also sending an IGMP report for the configured group via such interface.

Limiting IGMP States

The IGMP State Limit feature provides protection against DoS attacks when attackers use IGMP packets. Complete the following steps to configure the IGMP State Limit (group limit) to limit the number of hosts allowed to join the multicast group on a per-interface basis.

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > Multicast > IGMP > Protocol.

Step 2. Select the interface where the group limit will be configured and click Edit.

Step 3. Configure the group limit under the Group Limit field. In this example the limit is set to 100 states.

Step 4. Click OK.

Step 5. Click Apply to apply the configuration changes.

Step 6. Click on Save to save the configuration in the Cisco ASA.

Alternatively, you can use the igmp limit command in interface configuration mode to limit the number of hosts allowed to join the multicast group on a per-interface basis. Example 5-52 shows how to configure this feature.

Example 5-52 Limiting IGMP States

In Example 5-52, the limit is set to 100 hosts. The maximum number of IGMP states allowed on an interface is 500 and it is the default value.

IGMP Query Timeout

In the Cisco ASA, you can configure the timeout period before the Cisco ASA takes over as the multicast query router for the configured interface. The Cisco ASA waits for any query messages to be received on the configured interface. If a query message is not received within the timeout period, the Cisco ASA takes over as the multicast query routing device. You can configure the IGMP query timeout in ASDM by also navigating to Configuration > Device Setup > Routing > Multicast > IGMP > Protocol and editing the interface IGMP parameters.

To do this via the CLI, use the igmp query-timeout command in interface configuration mode. The range is from 60 to 300 seconds. The default is 255 seconds. Example 5-53 shows how to configure this feature with the query timeout value of 100 seconds.

Example 5-53 IGMP Query Timeout

Defining the IGMP Version

Cisco ASA supports IGMP versions 1 and 2. IGMP version 2 is the default. To specify the version you want in ASDM, navigate to Configuration > Device Setup > Routing > Multicast > IGMP > Protocol and edit the interface IGMP parameters. In the CLI use the igmp version interface subcommand. Example 5-54 demonstrates how to specify IGMP version 1 on the GigabitEthernet0/1 interface.

Example 5-54 Defining the IGMP Version

Enabling PIM

Complete the following steps to enable PIM under a specific interface when using ASDM:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > Multicast > PIM > Protocol.

Step 2. Select the interface where PIM is to be enabled and click Edit.

Step 3. Check the Enable PIM option.

Step 4. Click OK.

Step 5. Click Apply to apply the configuration changes.

Step 6. Click on Save to save the configuration in the Cisco ASA.

The same screen in ASDM enables you to configure the PIM designated router (DR) priority, hello interval, and join-prune intervals.

PIM elects a designated router (DR), which is similar to the mechanism in OSPF. Via the CLI you can use the pim dr-priority command in interface configuration mode to set the priority for which a router is elected as the DR. The following is the command syntax:

pim dr-priority value

The priority value can range from 1 to 4,294,967,295, and the default is 1. The highest value is the priority in the DR election process.

The Cisco ASA sends PIM hello messages to the neighbor routers. To configure the frequency of PIM hello messages, use the pim hello-interval command in interface configuration mode. The following is the command syntax:

pim hello-interval seconds

The number of seconds that the router waits before sending a hello message can vary from 1 to 3600 seconds. The default is 30 seconds. Example 5-55 demonstrates all the PIM subcommand options.

Example 5-55 Customizing PIM Values at the Interface Level

In Example 5-55, the PIM hello interval is set to 100 seconds, the DR priority to 5, and the PIM join and prune interval to 120 seconds on interface GigabitEthernet0/1.

Configuring Rendezvous Points

Rendezvous points (RPs) are used as a temporary way to connect a multicast receiver to an existing shared multicast tree. RPs are required only when PIM stub mode is enabled. To configure an RP in ASDM, complete the following steps:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > Multicast > PIM > Rendezvous Points.

Step 2. If your RP is a Cisco IOS router, check the Generate IOS Compatible Register Messages check box.

Step 3. Click Add to add the RP.

Step 4. Enter the IP address of the RP under the Rendezvous Point IP Address field.

Step 5. PIM can be configured in bidirectional mode. When configured in bidirectional mode, if the Cisco ASA receives a multicast packet and has no directly connected members or PIM neighbors present, it sends a Prune message back to the source. You configure bidirectional mode by checking the Use Bi-directional Forwarding check box. If you want the specified multicast groups to operate in sparse mode, you must uncheck this box.

Step 6. If the RP is associated with all multicast groups on the interface, select the Use this RP for All Multicast Groups option. This is the default option and it is the one used in this example. However, you can also specify the multicast groups to be used by the RP. To do this, select the Use this RP for the Multicast Groups as Specified Below option and define the specific groups.

Step 7. Click OK.

Step 8. Click Apply to apply the configuration changes.

Step 9. Click on Save to save the configuration in the Cisco ASA.

If using the CLI, you can use the pim rp-address command to configure the address of a PIM RP for a particular group. Example 5-56 demonstrates how to configure a PIM RP for a particular group.

Example 5-56 Configuring a PIM RP

In Example 5-56, a PIM RP with IP address 10.10.1.2 is configured. The bidir keyword indicates that the specified multicast groups operate in bidirectional mode. If the command is configured without this option, the specified groups operate in PIM sparse mode.

Filtering PIM Neighbors

Specific multicast sources can be filtered when the Cisco ASA is acting as an RP. This can be used as a security mechanism to allow only trusted sources to register with the RP. Complete the following steps to define the multicast sources from which the Cisco ASA will accept PIM register messages:

Step 1. Log in to ASDM and navigate to Configuration > Device Setup > Routing > Multicast > PIM > Neighbor Filter.

Step 2. Click Add to add a filter entry.

Step 3. Select the interface name where the filter is to be applied.

Step 4. Select the action (permit or deny) to be taken. In this example, we allow only the 10.10.1.2 router to register.

Step 5. Enter the IP address of the device(s) to filter. In this example, the 10.10.1.2 address is used.

Step 6. Enter the Netmask of the host or subnet. In this example 255.255.255.255 is used.

Step 7. Click OK.

Step 8. Click Apply to apply the configuration changes.

Step 9. Click on Save to save the configuration in the Cisco ASA.

Example 5-57 shows the commands sent by ASDM to the Cisco ASA.

Example 5-57 Filtering PIM Neighbors

A standard ACL named inside_multicast is configured to define what hosts or networks are to be filtered. In this example, 10.10.1.2 is the only host allowed to register to the Cisco ASA. The ACL is then applied to the pim neighbor-filter interface subcommand, as shown in Example 5-53.

Configuring a Static Multicast Route

You can configure a static multicast route entry with ASDM by navigating to Configuration > Device Setup > Routing > Multicast > MRoute. Alternatively, you can use the mroute CLI command. The following is the command syntax:

mroute src mask [in-interface-name] [dense out-interface-name] [distance]

Table 5-4 lists and explains all the available options for the mroute command.

Table 5-4 mroute Command Options

Troubleshooting IP Multicast Routing

This section includes detailed information on several commands and mechanisms that are useful while troubleshooting IP multicast routing problems in the Cisco ASA.

Useful show Commands

The following show commands help you to monitor and view the current multicast (PIM or IGMP) configuration information:

• show pim df—Shows bidirectional PIM designated forwarder (DF) information

• show pim group-map—Displays PIM group-to-protocol mapping information

• show pim interface—Displays PIM interface information

• show pim join-prune statistic—Shows PIM join/prune information

• show pim neighbor—Displays PIM neighbor information

• show pim range-list—Shows PIM range-list information

• show pim topology—Displays the PIM topology table information

• show pim traffic—Displays PIM traffic counters

• show pim tunnel—Lists information about the PIM tunnel interfaces

• show igmp groups—Displays group membership information

• show igmp interface—Provides interface IGMP information

• show igmp traffic—Displays traffic counters

• show mroute—Displays the contents of the multicast routing table

• show mfib—Displays the details of the multicast forwarding information base (MFIB)

show mroute source-address group-address [summary] [count] [pruned]

To display the active multicast streams, use the show mroute [group] active [kbps] syntax of this command. The active multicast streams whose data rate is greater or equal to the specified value in Kbps are displayed. The default Kbps is 4. The show mroute command (without any additional arguments) can also be used.

• show mroute summary—Displays a summary of the multicast routing table

Useful debug Commands

The following commands are crucial for debugging IP multicast routing problems:

• debug pim—Enables debugging for PIM events

• debug pim neighbor—Enables debugging of PIM neighbor events

• debug pim group group—Enables PIM protocol activity debugging for only the matching group

• debug pim interface interface—Enables debugging of PIM protocol activity for only the specified interface

• debug pim df-election—Enables debugging of PIM DF election exchange messages

• debug mrib route [group]—Enables debugging of MRIB routing activity

• debug mrib client—Enables debugging of MRIB client management activity

• debug mrib io—Enables debugging of MRIB I/O events

• debug mrib table—Enables debugging of MRIB table management activity

Take into consideration the amount of traffic that is passing through the Cisco ASA and other features enabled within your network before enabling any of the previously mentioned debug commands. For example, if the Hot Standby Router Protocol (HSRP) feature is enabled in an upstream router, PIM messages may be dropped and not shown within the previous debug commands.

Summary

This chapter covered the different routing protocols supported by Cisco ASA. Configuration examples included information on how to add a static route and configure dynamic routing protocols such as RIP, OSPF, and EIGRP, using ASDM and the CLI. Detailed sample configurations were provided, as well as tips on how to troubleshoot common problems when deploying these dynamic routing protocols.

Cisco ASA also supports IP multicast routing protocols. IGMP versions 1 and 2 are supported, as well as PIM-SM. PIM-SM allows Cisco ASA to have direct participation in the creation of a multicast tree. This technique enhances the multicast support for IGMP forwarding and provides an alternative to multicast transparent-mode operations. At the end of the chapter, deployment scenarios were added to enhance the level of learning.