Search This Blog

Saturday, November 29, 2014

EIGRP metric calculation direction

EIGRP metric formula:
Metric = 256 * ((10^7 / slowest-bandwidth) + cumulative-delay)

As we all know EIGRP calculate his metric based on least bandwidth and cumulative delay.
The least bandwidth is based on the interface with the lowest bandwidth value in Kbps units, the cumulative delay is the sum of all delay in the path in tens of microsecond units. Both parameters are calculated on a per-link basis.

Delay or bandwidth can be configured differently on both sides of the same link, so which value is chosen for the metric calculation?  How does the router calculate the cumulative delay? Which end bandwidth value counts?

In this post I will try to figure it out…

This is the topology I used for the following example:


I started with delay so I had to change the K values to count only delay when calculating the metric, on all routers:

Rx(config)#router eigrp 100
Rx(config-router)#metric weights 0 0 0 1 0 0

Show R2 loopback:

R2#show interfaces lo1
Loopback1 is up, line protocol is up
  Hardware is Loopback
  Internet address is 192.168.21.1/24
  MTU 1514 bytes, BW 8000000 Kbit/sec, DLY 5000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation LOOPBACK, loopback not set
  Keepalive set (10 sec)
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
<OUTPUT_OMMITED>

The current delay is 5000 microseconds (usec), now let’s look on network 192.168.21.0/24 on R2 EIGRP topology table:

R2#sh ip eigrp topology 192.168.21.0/24
EIGRP-IPv4 Topology Entry for AS(100)/ID(2.2.2.2) for 192.168.21.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 128000
  Descriptor Blocks:
  0.0.0.0 (Loopback1), from Connected, Send flag is 0x0
      Composite metric is (128000/0), route is Internal
      Vector metric:
        Minimum bandwidth is 8000000 Kbit
        Total delay is 5000 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1514
        Hop count is 0
        Originating router is 2.2.2.2

Loopback 1 has delay of 5000usec which is 500 tens of microseconds (remember the delay value is calculated as tens of microseconds!) so the composite metric is 500*256 = 128000
Now the process starts as follow:

R2 sends update message to R4 advertising network 192.168.21.0/24 with delay 5000usec

R4 will add his link delay (toward this network – Fa0/1) to this update message and advertise it to R3 with 5100usec

R3 will add his link delay to this update message and advertise it to R1 with delay of 5200

R1 will add his link delay and install this network in his topology table with delay of 5300usec

R1#show ip eigrp topology 192.168.21.0
EIGRP-IPv4 Topology Entry for AS(100)/ID(1.1.1.1) for 192.168.21.0/24
  State is Passive, Query origin flag is 1, 1 Successor(s), FD is 135680
  Descriptor Blocks:
  10.1.13.3 (FastEthernet0/1), from 10.1.13.3, Send flag is 0x0
      Composite metric is (135680/133120), route is Internal
      Vector metric:
        Minimum bandwidth is 100000 Kbit
        Total delay is 5300 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 3
        Originating router is 2.2.2.2

All routers will also runs DUAL on this update message and install this network in their EIGRP topology and routing tables.



 In the following process every router adds his link delay toward network 192.168.21.0/24, so if we would like to change the delay of the path, between R1 this network, we will have to change it on the downstream interfaces, hence on R1 Fa0/1, R3 Fa0/0, R4 Fa0/1 or R2 Loopback 1.

Changing the interface delay on the upstream interfaces (R3 Fa0/1, R4 Fa0/0 or R2 Fa0/1) won’t change nothing in the perspective of R1 to reach network 192.168.21.0/24.

Now let’s test this issue with bandwidth parameter, first change the K values for matching only bandwidth:

Rx(config)#router eigrp 100
Rx(config-router)#metric weights 0 1 0 0 0 0

And this is the current topology:


All FastEthernet has bandwidth of 100000 (Kbps) while loopback 1 on R2 has 8000000 (Kbps).

First let’s see R1 EIGRP topology table for network 192.168.21.0/24:

R1#sh ip eigrp topology 192.168.21.0/24
EIGRP-IPv4 Topology Entry for AS(100)/ID(1.1.1.1) for 192.168.21.0/24
  State is Passive, Query origin flag is 1, 2 Successor(s), FD is 25600
  Descriptor Blocks:
  10.1.12.2 (FastEthernet0/0), from 10.1.12.2, Send flag is 0x0
      Composite metric is (25600/256), route is Internal
      Vector metric:
        Minimum bandwidth is 100000 Kbit
        Total delay is 5100 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 1
        Originating router is 2.2.2.2
  10.1.13.3 (FastEthernet0/1), from 10.1.13.3, Send flag is 0x0
      Composite metric is (25600/25600), route is Internal
      Vector metric:
        Minimum bandwidth is 100000 Kbit
        Total delay is 5300 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 3
        Originating router is 2.2.2.2

As we can see R1 learns this network from both R2 and R3 with the same equal cost, although the path through R3 is much longer (R1->R3->R4).

Changing the interface bandwidth on R3 Fa0/1 (toward R1) won’t change nothing, R1 will still learns network 192.168.21.0/24 from both R3 and R2 in the same manner:


R1 EIGRP table:

R1#sh ip eigrp topology 192.168.21.0/24
EIGRP-IPv4 Topology Entry for AS(100)/ID(1.1.1.1) for 192.168.21.0/24
  State is Passive, Query origin flag is 1, 2 Successor(s), FD is 25600
  Descriptor Blocks:
  10.1.12.2 (FastEthernet0/0), from 10.1.12.2, Send flag is 0x0
      Composite metric is (25600/256), route is Internal
      Vector metric:
        Minimum bandwidth is 100000 Kbit
        Total delay is 5100 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 1
        Originating router is 2.2.2.2
  10.1.13.3 (FastEthernet0/1), from 10.1.13.3, Send flag is 0x0
      Composite metric is (25600/25600), route is Internal
      Vector metric:
        Minimum bandwidth is 100000 Kbit
        Total delay is 5300 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 3
        Originating router is 2.2.2.2

In order to change the way R1 learns this network, and to prefer the path through R2, we will have to change the upstream interfaces to influence the path, changing R3 Fa0/0 or R4 Fa0/1
 

Configure bandwidth 10000 on R4 Fa0/1, and look again at R1 EIGRP table:

R1#sh ip eigrp topology 192.168.21.0/24
EIGRP-IPv4 Topology Entry for AS(100)/ID(1.1.1.1) for 192.168.21.0/24
  State is Passive, Query origin flag is 1, 2 Successor(s), FD is 25600
  Descriptor Blocks:
  10.1.12.2 (FastEthernet0/0), from 10.1.12.2, Send flag is 0x0
      Composite metric is (25600/256), route is Internal
      Vector metric:
        Minimum bandwidth is 100000 Kbit
        Total delay is 5100 microseconds
        Reliability is 255/255
        Load is 1/255
        Minimum MTU is 1500
        Hop count is 1
        Originating router is 2.2.2.2

And now the path is changed to R2 only.

So to summarize this issue - metric calculation in EIGRP is always from the local router toward the destination.

The cumulative delay is counted on the upstream interfaces only while the least bandwidth is chosen based the least upstream interface, both from the local router to the destination.
Note that when dealing with tunnels and SVI’s (VLAN’s) the calculation is made by using the virtual interface (tunnel or SVI) parameters and not physical one.

Monday, November 24, 2014

Packet capture byte level filter



Here in this post i will explain how to filter capture based on byte level, as an example i will use EIGRP packets.

To filter capture based on EIGRP packets using Wireshark expression filter:

eigrp.opcode == 1

This will display only EIGRP updates, you can change the value to 2 (Request), 3 (Query), 4 (Replay) or 5 (Hello).

Filter capture based on byte offset - 

Choose an EIGRP update packet and mark the opcode field (1):


When you mark the field on the packet detail pane, a field on the packet byte pane is also marked (2), now note that the byte 01 is found on a grey area which represent the EIGRP payload, this payload starts on byte 02, so to capture all EIGRP packets which in the second field there is a byte with value 01 we will use the following string:

eigrp[01:1]==01

Syntax: <PROTOCOL>[<START_FIELD>:<NUMBER_OF_BYTES_TO_COUNT>]<OPERATOR><VALUE>

PROTOCOL - the protocol we are filtering – it can be IP, EIGRP, OSPF, GRE whatever
START_FIELD - indicate the number of the field we are looking on that given protocol
NUMBER_OF_BYTES - number of bytes to count, in my example I used 1 so only one byte after the first byte.
OPERATOR - can be any given one – equal, not, large or less, equal, contain etc.

Here is another example which filters EIGRP packets with a value 002f on the 11th and 12th bytes field:
 
eigrp[10:2]==002f


 This method works on tcpdump and wireshark both on display and capture filters and can be used to capture any given packet with specific byte value.