1
00:00:08,380 --> 00:00:13,140
 So in the previous video, we looked at
 how to configure a router to advertise

2
00:00:13,140 --> 00:00:18,140
 its capability of being a candidate
 RP and send out these RP-announce

3
00:00:18,140 --> 00:00:22,540
 messages. But those messages don't
 do any good unless there's another

4
00:00:22,540 --> 00:00:25,740
 router playing the role of the mapping
 agent who can collect all of them.

5
00:00:25,740 --> 00:00:29,840
 And then from all the messages he gets,
 elect which RP is going to be

6
00:00:29,840 --> 00:00:32,260
 the RP for any particular group.

7
00:00:32,260 --> 00:00:34,840
 So now we're going to talk about
 that, the mapping agent.

8
00:00:34,840 --> 00:00:40,300
 So they collect those RP-announce messages
 and elect an RP for each group.

9
00:00:40,300 --> 00:00:43,380
 And it's just simply whoever
 has the highest IP address.

10
00:00:43,380 --> 00:00:44,480
 That's the winner.

11
00:00:44,480 --> 00:00:51,680
 You may remember that back when I configured
 my command for the RP candidate,

12
00:00:51,680 --> 00:00:56,460
 if I make this a little bit bigger
 here, nothing in here for priority.

13
00:00:56,460 --> 00:00:57,720
 So there's no priority.

14
00:00:57,720 --> 00:01:01,940
 It's simply highest IP address is
 the winner for any given group.

15
00:01:01,940 --> 00:01:10,020
 So the mapping agent will then, after
 it elects each RP for a given group

16
00:01:10,020 --> 00:01:15,280
 as the winner, it will put those into
 an RP discovery message and send

17
00:01:15,280 --> 00:01:20,900
 those out to the address
 of 224.0.1.40.

18
00:01:20,900 --> 00:01:23,080
 Also encapsulated in UDP.

19
00:01:23,080 --> 00:01:27,480
 And notice all PIM routers automatically
 listen to this group.

20
00:01:27,480 --> 00:01:29,960
 So you may have noticed if you're watching
 my labs in all the previous

21
00:01:29,960 --> 00:01:34,340
 videos on PIM sparse mode, that as
 soon as I configured sparse mode on

22
00:01:34,340 --> 00:01:39,220
 any interface, and I enabled multicast
 routing globally automatically

23
00:01:39,220 --> 00:01:45,480
 without doing anything, every router
 started listening to 224.0.1.40.

24
00:01:45,480 --> 00:01:50,780
 So Cisco routers by default are listening
 for RP discovery messages without

25
00:01:50,780 --> 00:01:52,400
 you doing anything.

26
00:01:52,400 --> 00:02:00,020
 And just like the RP announce messages,
 these are sent out as dense mode.

27
00:02:00,020 --> 00:02:02,500
 They're flooded via dense mode.

28
00:02:02,500 --> 00:02:04,460
 So here's actually the body.

29
00:02:04,460 --> 00:02:10,480
 Here's actually a sniffer trace of
 what the RP discover message looks

30
00:02:10,480 --> 00:02:19,240
 like. They show up as
 RP mapping messages.

31
00:02:19,240 --> 00:02:23,840
 And they'll say in here, they'll
 say, okay, here's the RPs.

32
00:02:23,840 --> 00:02:29,400
 And notice this looks pretty much almost
 identical to the RP announce

33
00:02:29,400 --> 00:02:31,660
 message that we just saw.

34
00:02:31,660 --> 00:02:35,940
 It's a different packet type, RP mapping,
 but the body of it is pretty

35
00:02:35,940 --> 00:02:40,020
 much the same. It's listing, you know,
 who's the RP, what group, and is

36
00:02:40,020 --> 00:02:44,780
 that group a positive
 or a negative prefix?

37
00:02:44,780 --> 00:02:49,880
 But whereas there might be six or seven
 potential RPs out there all wanting

38
00:02:49,880 --> 00:02:51,900
 to be the RP for 224.0.

39
00:02:51,900 --> 00:02:55,000
 Everything, only one of
 them will be the winner.

40
00:02:55,000 --> 00:02:58,980
 And only the winner will be
 in this message right here.

41
00:02:58,980 --> 00:03:02,300
 And this is what routers are listening
 for to select which RP they're

42
00:03:02,300 --> 00:03:10,440
 going to use. So to configure routers,
 the mapping agent is the ip pim

43
00:03:10,440 --> 00:03:15,220
 send-rp-discovery command.

44
00:03:15,220 --> 00:03:20,200
 And how do we verify on the router that
 is the mapping agent that he knows

45
00:03:20,200 --> 00:03:21,880
 that he's supposed to do that?

46
00:03:21,880 --> 00:03:24,900
 Well, show ip pim rp mapping.

47
00:03:24,900 --> 00:03:30,420
 And it'll actually say this system
 is an RP mapping agent.

48
00:03:30,420 --> 00:03:37,380
 Now another sort of gotcha or thing
 to be aware of is that while there

49
00:03:37,380 --> 00:03:42,920
 is an election of which router can
 be a rendezvous point for any given

50
00:03:42,920 --> 00:03:47,420
 group, there is no such election
 when it comes to mapping agents.

51
00:03:47,420 --> 00:03:51,700
 So you might think, okay, well, I'm
 actually going to configure two or

52
00:03:51,700 --> 00:03:54,680
 three routers in my company
 as mapping agents.

53
00:03:54,680 --> 00:03:59,480
 So if one fails, all the other routers
 out there can listen to the other

54
00:03:59,480 --> 00:04:02,420
 one. You can do that,
 but be aware of this.

55
00:04:02,420 --> 00:04:05,880
 Every router that's configured as a mapping
 agent is going to be sending out

56
00:04:05,880 --> 00:04:09,460
 these RP discover messages.

57
00:04:09,460 --> 00:04:15,080
 And so for that reason, the mapping agents
 have to be configured identically.

58
00:04:15,080 --> 00:04:20,100
 And every mapping agent has to be able
 to receive these RP announce messages

59
00:04:20,100 --> 00:04:26,460
 from every RP. Because what could happen
 is, you know, imagine for a second

60
00:04:26,460 --> 00:04:28,480
 that you've got two
 mapping agents here.

61
00:04:28,480 --> 00:04:32,500
 And there's two different
 RPs, okay, RP A and RP B.

62
00:04:32,500 --> 00:04:35,160
 And they're both announcing their candidacy
 for the exact same group.

63
00:04:35,160 --> 00:04:38,260
 They're both saying, I want
 to be the RP for everything.

64
00:04:38,260 --> 00:04:39,840
 Okay, let's say that.

65
00:04:39,840 --> 00:04:45,220
 So ideally, both of those RPs would be
 learned by the first mapping agent.

66
00:04:45,220 --> 00:04:47,840
 Both of those RPs would be learned
 by the second mapping agent.

67
00:04:47,840 --> 00:04:51,560
 So when those mapping agents send out
 their messages, they look identical.

68
00:04:51,560 --> 00:04:54,740
 They've got the same elected
 RPs inside of them.

69
00:04:54,740 --> 00:04:56,400
 But what happens if they don't?

70
00:04:56,400 --> 00:05:01,080
 What happens if mapping agent number
 one, for some reason can't hear this

71
00:05:01,080 --> 00:05:04,740
 RP over here? There's some sort of
 filter or access list or something

72
00:05:04,740 --> 00:05:07,520
 and he's not getting that
 RP announce message.

73
00:05:07,520 --> 00:05:11,460
 And just the opposite of mapping agent
 number two, he can't hear that

74
00:05:11,460 --> 00:05:15,820
 RP. So now you've got mapping agents
 that we now in our network, as a

75
00:05:15,820 --> 00:05:20,640
 router, as a normal router, I'm getting
 two RP discovery messages from

76
00:05:20,640 --> 00:05:24,060
 two different mapping agents, which
 normally would not be a problem.

77
00:05:24,060 --> 00:05:25,500
 But here's my issue.

78
00:05:25,500 --> 00:05:31,680
 As one comes in, it says, oh, here,
 you should use the RP of 1.1.1.1.

79
00:05:31,680 --> 00:05:33,780
 He should be your
 RP for everything.

80
00:05:33,780 --> 00:05:37,380
 So I say, okay, and I start registering
 with him or I start sending my

81
00:05:37,380 --> 00:05:41,920
 joins to him. And then a split second
 later, I get another discovery message

82
00:05:41,920 --> 00:05:46,820
 that says, oh, you should use router
 2.2.2 as your RP for everything.

83
00:05:46,820 --> 00:05:48,060
 Well, now what's going to happen?

84
00:05:48,060 --> 00:05:50,180
 I'm going to start flip-flopping
 between them.

85
00:05:50,180 --> 00:05:54,020
 I'm going to be tearing down trees,
 sending joins up other trees, and

86
00:05:54,020 --> 00:05:56,880
 it's going to totally mess
 with my multicast.

87
00:05:56,880 --> 00:05:59,900
 So that's why if you have two or more
 mapping agents, the information

88
00:05:59,900 --> 00:06:04,660
 they're containing inside their discover
 packets has to be identical.

89
00:06:04,660 --> 00:06:11,620
 Otherwise, you could get really weird
 behavior within your network.

90
00:06:11,620 --> 00:06:19,660
 Now, in the PIM sparse mode section,
 I talked about how one potential

91
00:06:19,660 --> 00:06:25,940
 threat to a network could be that the
 rendezvous point will accept incoming

92
00:06:25,940 --> 00:06:28,220
 register messages from anybody.

93
00:06:28,220 --> 00:06:30,360
 He doesn't discriminate.

94
00:06:30,360 --> 00:06:34,600
 And I showed you a command where I could
 say, okay, only these authorized

95
00:06:34,600 --> 00:06:40,800
 routers are actually allowed to
 send the RP register messages.

96
00:06:40,800 --> 00:06:43,060
 Well, something similar
 could happen here.

97
00:06:43,060 --> 00:06:48,560
 There's nothing by default to prevent
 somebody from inserting a rogue

98
00:06:48,560 --> 00:06:55,320
 router into the network, configuring
 it as a candidate RP, configuring

99
00:06:55,320 --> 00:06:58,840
 it with a really high IP address, like
 what happens if they configure

100
00:06:58,840 --> 00:07:03,780
 a loopback address with the highest
 unicast address possible?

101
00:07:03,780 --> 00:07:08,480
 223.255.255.254.

102
00:07:08,480 --> 00:07:11,620
 The address just beneath
 the class D range.

103
00:07:11,620 --> 00:07:16,140
 Well, that rogue router will probably
 be elected as the RP over anything

104
00:07:16,140 --> 00:07:20,360
 else. And so now everybody will be pointing
 the traffic to him and that

105
00:07:20,360 --> 00:07:22,080
 could really screw
 up your multicast.

106
00:07:22,080 --> 00:07:27,400
 So we need to have some way of saying,
 okay, mapping agent, you're only

107
00:07:27,400 --> 00:07:32,700
 allowed to receive incoming RP announce
 messages from certain authorized

108
00:07:32,700 --> 00:07:37,100
 candidate RPs. And that's what we're
 looking at right here when we talk

109
00:07:37,100 --> 00:07:39,600
 about auto RP filters.

110
00:07:39,600 --> 00:07:44,880
 So you can configure the mapping
 agent in one of several ways.

111
00:07:44,880 --> 00:07:50,480
 You can do only from certain authorized
 RPs or you could say, hey, look,

112
00:07:50,480 --> 00:07:54,180
 anybody can send their RP announcement
 to me, but I'm only listening for

113
00:07:54,180 --> 00:07:57,140
 certain groups. I'm only going to tell
 the rest of the world about certain

114
00:07:57,140 --> 00:08:00,240
 groups or you could do both.

115
00:08:00,240 --> 00:08:04,280
 And here's the way you would
 do this on the mapping agent.

116
00:08:04,280 --> 00:08:10,400
 At the global level, you'd say
 ip pim rp-announce-filter.

117
00:08:10,400 --> 00:08:12,520
 rp-list 1 group-list 2.

118
00:08:12,520 --> 00:08:15,720
 So this is referencing two
 different access lists.

119
00:08:15,720 --> 00:08:20,920
 So access list one, which is in red,
 is giving us the list of authorized

120
00:08:20,920 --> 00:08:26,540
 candidate RPs. So there's a router
 out there with the name of 10.0.0.1

121
00:08:26,540 --> 00:08:28,460
 and another one with 10.0.0.2.

122
00:08:28,460 --> 00:08:31,460
 Those are the only ones we're going
 to listen to when they send in an

123
00:08:31,460 --> 00:08:35,460
 RP announce. So if there's any other router
 out there announcing its capability

124
00:08:35,460 --> 00:08:39,740
 of being an RP, the mapping agent
 will not listen to that guy.

125
00:08:39,740 --> 00:08:46,160
 And as far as these two routers are
 concerned, in this particular case,

126
00:08:46,160 --> 00:08:49,800
 we're saying, okay, we will allow those
 two routers to announce their

127
00:08:49,800 --> 00:08:53,040
 candidacy for any class D.

128
00:08:53,040 --> 00:08:56,580
 I could have limited that
 down to a certain range.

129
00:08:56,580 --> 00:09:01,500
 So that's how you would use that command
 to filter out and protect yourself

130
00:09:01,500 --> 00:09:05,480
 against potential attacks.

131
00:09:05,480 --> 00:09:11,400
 So let's go ahead and configure
 this and see how this works.

132
00:09:11,400 --> 00:09:22,480
 So so far, I've got router three who's
 announcing his candidacy to be

133
00:09:22,480 --> 00:09:26,080
 an RP. And I think I configured him
 to announce his candidacy just for

134
00:09:26,080 --> 00:09:33,860
 the 238 group. So now I'm also going
 to configure router four to also

135
00:09:33,860 --> 00:09:35,880
 be an RP candidate.

136
00:09:35,880 --> 00:09:41,500
 And we'll give him the
 exact same group.

137
00:09:41,500 --> 00:09:44,200
 So there's going to be
 some conflict here.

138
00:09:44,200 --> 00:09:59,640
 238.0.0.0. And we'll configure router
 eight as our mapping agent.

139
00:09:59,640 --> 00:10:03,020
 And we'll see which one of these
 guys is elected as the highest.

140
00:10:03,020 --> 00:10:07,140
 Now remember, as part of my command when
 I make these guys the RP candidates,

141
00:10:07,140 --> 00:10:12,100
 I have to specify what interface they're
 going to use as their source

142
00:10:12,100 --> 00:10:17,700
 IP address. So let's say I say, well,
 I actually want router three to

143
00:10:17,700 --> 00:10:19,900
 be the winner. I want
 him to always win.

144
00:10:19,900 --> 00:10:30,500
 So here's what I'm going to do.

145
00:10:30,500 --> 00:10:36,900
 I'll have router four use his serial
 0/1/0 as his source address.

146
00:10:36,900 --> 00:10:40,740
 So router four will be saying
 my name is 2.4.2.4.

147
00:10:40,740 --> 00:10:45,000
 Router three will be saying
 my name is 8.3.8.3.

148
00:10:45,000 --> 00:10:50,540
 And so router three should be elected
 as the winning RP by the mapping

149
00:10:50,540 --> 00:10:55,180
 agent. So on the mapping agent, we'll
 see how he's learned about both

150
00:10:55,180 --> 00:10:59,100
 RPs. We'll see how he's
 elected router three.

151
00:10:59,100 --> 00:11:05,540
 And then when we go to router two, we'll
 see how he should only know about

152
00:11:05,540 --> 00:11:09,500
 router three. He should have no knowledge
 of router four because router

153
00:11:09,500 --> 00:11:11,600
 four is the loser.

154
00:11:11,600 --> 00:11:14,320
 So let's go ahead and
 finish this up here.

155
00:11:14,320 --> 00:11:17,240
 So I've already done router three,
 although I don't think I specified

156
00:11:17,240 --> 00:11:32,840
 that interface as my source.

157
00:11:32,840 --> 00:11:34,860
 Yeah, I've got the wrong
 interface there.

158
00:11:34,860 --> 00:11:38,700
 So let's get rid of that command.

159
00:11:38,700 --> 00:11:43,020
 And let's redo it.

160
00:11:43,020 --> 00:11:47,780
 But with this interface.

161
00:11:47,780 --> 00:11:52,880
 And now we should see, here's
 my previous sniffer trace.

162
00:11:52,880 --> 00:11:56,340
 And we saw it was coming from
 three four three three.

163
00:11:56,340 --> 00:12:00,100
 That was his IP address on
 FastEthernet 0/0.

164
00:12:00,100 --> 00:12:03,680
 Now as soon as I hit enter here, he
 should be sending new announcements

165
00:12:03,680 --> 00:12:06,980
 with a much higher IP address.

166
00:12:06,980 --> 00:12:08,740
 Yep, there it is.

167
00:12:08,740 --> 00:12:20,040
 8.3.8.3. All right, now let's
 go ahead and configure.

168
00:12:20,040 --> 00:12:26,100
 Let's just take the
 same configuration.

169
00:12:26,100 --> 00:12:34,080
 And what I'll do is I'll copy and
 paste most of this into notepad.

170
00:12:34,080 --> 00:12:44,580
 So we can have an identical configuration
 on the other router.

171
00:12:44,580 --> 00:12:47,120
 I'll leave this off.

172
00:12:47,120 --> 00:12:53,420
 And for him, we'll have it
 be serial 0/1/0.

173
00:12:53,420 --> 00:12:57,040
 So that's what we're going
 to put into router four.

174
00:12:57,040 --> 00:13:07,400
 Okay. So now every single minute, we
 should be seeing RP announce

175
00:13:07,400 --> 00:13:17,520
 messages being sent from router
 three and router four.

176
00:13:17,520 --> 00:13:23,740
 See if I can catch both of those.

177
00:13:23,740 --> 00:13:29,660
 Once again, Wireshark is not letting
 me click any of the buttons up here.

178
00:13:29,660 --> 00:13:31,920
 This is probably an issue
 with my laptop.

179
00:13:31,920 --> 00:13:36,000
 Not an issue with Wireshark because
 my laptop has been doing all kinds

180
00:13:36,000 --> 00:13:38,760
 of weird stuff lately.

181
00:13:38,760 --> 00:13:48,780
 Come on. There we go.

182
00:13:48,780 --> 00:13:53,400
 Okay, so we've got one announcement
 we've seen so far from router three.

183
00:13:53,400 --> 00:14:00,840
 And because these announcements are
 flooded, we should see another one

184
00:14:00,840 --> 00:14:07,860
 coming from router four.

185
00:14:07,860 --> 00:14:12,460
 Well, I don't want to waste time looking
 for it, but it should be in there.

186
00:14:12,460 --> 00:14:22,160
 We can do show ip pim autorp.

187
00:14:22,160 --> 00:14:31,300
 And it does verify that auto RP is
 enabled and that he is sending out

188
00:14:31,300 --> 00:14:32,780
 RP announcements.

189
00:14:32,780 --> 00:14:35,680
 So far, he sent out eight of them,
 even though I didn't capture it in

190
00:14:35,680 --> 00:14:36,900
 my sniffer trace.

191
00:14:36,900 --> 00:14:52,840
 Okay, so now let's go over to R8
 and make him the mapping agent.

192
00:14:52,840 --> 00:14:55,040
 Send RP Discovery packets.

193
00:14:55,040 --> 00:14:59,020
 And same thing, I got to select an interface
 for that just for the source

194
00:14:59,020 --> 00:15:03,040
 address. Scope defines the TTL.

195
00:15:03,040 --> 00:15:05,700
 I could change the interval.

196
00:15:05,700 --> 00:15:06,840
 Let's go ahead and do this.

197
00:15:06,840 --> 00:15:10,380
 Let's set the interval because normally
 it's every 60 seconds or if there's

198
00:15:10,380 --> 00:15:14,440
 a change. If the mapping agent suddenly
 hears a new RP announce message

199
00:15:14,440 --> 00:15:18,000
 that he didn't hear before, that will
 trigger him to send out another

200
00:15:18,000 --> 00:15:19,300
 discovery message.

201
00:15:19,300 --> 00:15:21,940
 But otherwise, if everything is nice
 and stable, they'll go out every

202
00:15:21,940 --> 00:15:24,660
 minute. I'm going to have him
 go out every 20 seconds.

203
00:15:24,660 --> 00:15:31,140
 Let's make it every 15 seconds.

204
00:15:31,140 --> 00:15:39,320
 Non-IP or PIM interface ignored
 and accepted command.

205
00:15:39,320 --> 00:15:42,760
 Oh, because he's using, I know
 why, because he's not using.

206
00:15:42,760 --> 00:15:45,140
 FastEthernet 0/0 doesn't
 have PIM or an IP on it.

207
00:15:45,140 --> 00:15:47,500
 He's using sub interfaces.

208
00:15:47,500 --> 00:15:57,260
 So I've got to put this on, let's just
 put on FastEthernet 0/1 as his

209
00:15:57,260 --> 00:16:08,620
 source address. Okay, so I don't know if
 he has collected the RP announcements

210
00:16:08,620 --> 00:16:09,920
 yet. Let's just see.

211
00:16:09,920 --> 00:16:13,520
 show ip pim rp mapping.

212
00:16:13,520 --> 00:16:16,800
 And it looks like he has.

213
00:16:16,800 --> 00:16:23,680
 Okay. So here for group 238, anything
 beginning with 238, he says I received

214
00:16:23,680 --> 00:16:27,760
 an RP announcement from router
 three, which is 8.3.8.3.

215
00:16:27,760 --> 00:16:30,740
 I've also received one
 from router four.

216
00:16:30,740 --> 00:16:35,540
 I have elected router three simply by
 virtue of the fact that he has the

217
00:16:35,540 --> 00:16:37,140
 highest IP address.

218
00:16:37,140 --> 00:16:43,360
 He also says, by the way, router three
 told me that the 239 group needs

219
00:16:43,360 --> 00:16:45,160
 to be flooded in dense mode.

220
00:16:45,160 --> 00:16:47,980
 But there's not going
 to be any RP for that.

221
00:16:47,980 --> 00:16:53,640
 Finally, let's go over to router two
 and see what router two has learned.

222
00:16:53,640 --> 00:16:59,320
 By the way, while I'm here, I
 can do show ip pim autorp.

223
00:16:59,320 --> 00:17:08,060
 And this says, okay, I have actually
 transmitted 15 RP discovery messages.

224
00:17:08,060 --> 00:17:16,240
 And lastly on R2.

225
00:17:16,240 --> 00:17:20,840
 show ip pim rp. Now,
 notice, you say, what?

226
00:17:20,840 --> 00:17:21,500
 He doesn't have an RP.

227
00:17:21,500 --> 00:17:25,780
 Remember, this command, show ip pim
 rp, is really only useful if you have a

228
00:17:25,780 --> 00:17:30,420
 static RP. Then it verifies that
 you statically configured an RP.

229
00:17:30,420 --> 00:17:33,280
 But in this case, we're
 not doing static RP.

230
00:17:33,280 --> 00:17:36,100
 We're listening to
 auto RP messages.

231
00:17:36,100 --> 00:17:40,140
 show ip pim rp mapping.

232
00:17:40,140 --> 00:17:45,340
 And right here. So we can see he has
 now learned about the elected RP

233
00:17:45,340 --> 00:17:50,720
 of 8.3. He has no knowledge
 of router four.

234
00:17:50,720 --> 00:17:53,520
 Because router four
 was not elected.

235
00:17:53,520 --> 00:17:55,420
 All he knows about
 is the elected one.

236
00:17:55,420 --> 00:17:59,040
 And he has also learned that if he
 ever gets any multicast packets for

237
00:17:59,040 --> 00:18:01,980
 239, there is no RP for that.

238
00:18:01,980 --> 00:18:05,580
 That has to be flooded
 via dense mode.

239
00:18:05,580 --> 00:18:14,020
 So in our next video, I'm going to
 conclude this section on auto RP by

240
00:18:14,020 --> 00:18:16,980
 talking about something called
 an RP of last resort.

241
00:18:16,980 --> 00:18:18,840
 Otherwise known as a sink RP.

242
00:18:18,840 --> 00:18:22,300
 What that is and why you
 might need to have one.
