Routing Issues
In this video, we're going to discuss routing issues that you may come across in your networks, including multicast flooding, asymmetrical routing, and missing routes.
Multicast flooding
If you remember, multicast networks operate by sending out group communications that are addressed to a group of destination computers simultaneously. For this to work, the multicast message is sent to a single multicast address, and then the message can be distributed to the entire group. This is great most of the time, but sometimes things can malfunction and a multicast flood can occur.
Now, multicast flooding happens when no specific host is associated with the multicast MAC address inside the CAM table of the switch. When this occurs, multicast traffic is going to be flooded throughout the entire local area network or VLAN, creating unnecessary traffic and wasting network resources.
To prevent this issue, you need to configure your switch to block unknown multicast packets. Now, for the exam, you don't need to know the specific commands for blocking multicast traffic on a switch, but you do need to know that blocking it will solve this type of multicast flood issue.
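To make the forwarding decision concrete, here is a small model of the switch behaviour described above. It is an added example, not code from the video or the course material; the switch, the VLAN port list and the joined groups are all constructed, and "block unknown multicast" is modelled as a single boolean rather than any vendor's actual command. The IPv4-to-Ethernet multicast mapping (01:00:5e followed by the low 23 bits of the group address) is the standard one, so the same model applies to any IPv4 group.

```python
import ipaddress
from typing import Dict, Set, Tuple


def ipv4_multicast_mac(group: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC: 01:00:5e + low 23 bits."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF  # the 24th bit of the group address is dropped
    return "01:00:5e:%02x:%02x:%02x" % (
        (low23 >> 16) & 0x7F, (low23 >> 8) & 0xFF, low23 & 0xFF)


class Switch:
    """Minimal model of a switch's multicast forwarding decision (constructed)."""

    def __init__(self, vlan_ports: Dict[int, Set[int]], block_unknown_multicast: bool = False):
        self.vlan_ports = vlan_ports
        self.block_unknown_multicast = block_unknown_multicast
        # CAM table for multicast: (vlan, group MAC) -> ports that joined the group.
        self.cam: Dict[Tuple[int, str], Set[int]] = {}

    def learn_join(self, vlan: int, group: str, port: int) -> None:
        """Record that a host on `port` joined `group` (what IGMP snooping would learn)."""
        self.cam.setdefault((vlan, ipv4_multicast_mac(group)), set()).add(port)

    def forward(self, vlan: int, dst_mac: str, ingress_port: int) -> Set[int]:
        """Return the egress ports for a multicast frame.

        Known group MAC -> only the member ports.
        Unknown group MAC -> flood the whole VLAN, unless blocking is configured.
        """
        members = self.cam.get((vlan, dst_mac))
        if members:
            return members - {ingress_port}
        if self.block_unknown_multicast:
            return set()  # dropped: no flood
        return self.vlan_ports[vlan] - {ingress_port}  # the multicast flood


if __name__ == "__main__":
    ports = {10: {1, 2, 3, 4, 5, 6, 7, 8}}  # constructed: 8 access ports in VLAN 10
    mac = ipv4_multicast_mac("239.1.2.3")
    flooding = Switch(ports)
    print("unknown group, no block:", sorted(flooding.forward(10, mac, 1)))
    flooding.learn_join(10, "239.1.2.3", 5)
    flooding.learn_join(10, "239.1.2.3", 7)
    print("known group:", sorted(flooding.forward(10, mac, 1)))
    blocking = Switch(ports, block_unknown_multicast=True)
    print("unknown group, blocked:", sorted(blocking.forward(10, mac, 1)))
```

Run it and you see the three cases from the text side by side: the unknown group floods to every other port in the VLAN, a group with CAM entries reaches only its members, and the blocking configuration turns the flood into a drop.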
Asymmetrical routing
Asymmetrical routing occurs when network packets leave via one path and then return via a different path. This can occur when traffic is flowing across two different layer two bridge pair interfaces on a router or a firewall, or when flows cross different routers or firewalls in a high availability cluster. Now, if you're using load balancing together with a protocol like HSRP, asymmetric routing can occur, and it's something you need to think about.
This is a problem if you're using security devices and network appliances to perform deep packet inspection, or if you're using a stateful firewall, because these devices need to see all the packets associated with a given packet flow; otherwise, issues happen.
Now, while modern routers will attempt to forward every packet in a flow to a consistent next hop, this only applies in one direction of the forwarding. Our routers make no attempt to direct return traffic back to the originating router, because they only want to ensure the fastest and most efficient delivery of those packets. This behavior presents problems for our firewall and security appliance clusters, which don't support asymmetric routing, because all of the cluster nodes provide a path to the same networks.
So routers forwarding packets to networks through the cluster can choose any of the cluster nodes as their next hop. This causes asymmetric routing, where the flow of packets in one direction goes out through a different node than the one the return traffic comes back through. Because of this difference in packet flow, network traffic can be dropped by one or both of the firewalls in the cluster, because they aren't seeing all the traffic from the packet flow.
So how do we solve this problem? (Refer to the figure on page 239.)
Well, the solution is to adjust the placement of your firewalls and your internal routing so that the traffic flows in both directions through the same firewall, even if the incoming traffic is entering the network through a different router than the one that handled the matching outgoing traffic. Essentially, we need to put our firewalls closer to the systems they are protecting instead of at the edge of the network, and this will avoid asymmetric routing problems.
Remember, asymmetric routing doesn't necessarily cause any routing issues, but it does cause issues with dropped packet flows, because our security devices like firewalls and unified threat management systems need to be able to see the entire flow. So you need to consider the design of your network architecture to prevent this issue from occurring. If you don't, then packet flow drops are going to occur and your clients can experience intermittent network connectivity.
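Before redesigning firewall placement, it helps to confirm that the intermittent drops really are asymmetric flows. The following is an added example, not part of the video: it reads constructed flow-log lines of the form `<node> <src>:<port> -> <dst>:<port> <proto>` from two hypothetical cluster members, fw1 and fw2, builds a direction-independent key for each five-tuple, and reports the flows whose forward and return directions were seen on different nodes. The log format is invented for the example; a real cluster's flow export would need its own parser, but the pairing logic is the same.

```python
from collections import defaultdict
from typing import Dict, Set, Tuple

# Constructed flow log: one line per observed direction, with the cluster
# node that saw it. Not captured from any real firewall.
FLOW_LOG = """\
fw1 10.0.1.25:51234 -> 203.0.113.10:443 tcp
fw1 10.0.1.25:51235 -> 203.0.113.10:443 tcp
fw2 203.0.113.10:443 -> 10.0.1.25:51234 tcp
fw1 203.0.113.10:443 -> 10.0.1.25:51235 tcp
fw2 10.0.1.40:40000 -> 198.51.100.7:53 udp
fw2 198.51.100.7:53 -> 10.0.1.40:40000 udp
"""

Endpoint = Tuple[str, int]
FlowKey = Tuple[Endpoint, Endpoint, str]


def parse_flow(line: str) -> Tuple[str, Tuple[str, int, str, int, str]]:
    """Split 'node src:port -> dst:port proto' into (node, five-tuple)."""
    node, src, _arrow, dst, proto = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return node, (sip, int(sport), dip, int(dport), proto)


def flow_key(five_tuple: Tuple[str, int, str, int, str]) -> FlowKey:
    """Direction-independent key: order the endpoints so both directions collide."""
    sip, sport, dip, dport, proto = five_tuple
    a, b = (sip, sport), (dip, dport)
    return (min(a, b), max(a, b), proto)


def find_asymmetric_flows(log_text: str) -> Dict[FlowKey, Tuple[Set[str], Set[str]]]:
    """Return {flow: (nodes that saw direction A, nodes that saw direction B)}
    for every flow whose two directions were handled by different nodes."""
    seen: Dict[FlowKey, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        node, ft = parse_flow(line)
        key = flow_key(ft)
        # Direction A is the one whose source is the lower-sorting endpoint.
        direction = "a" if (ft[0], ft[1]) == key[0] else "b"
        seen[key][direction].add(node)

    asymmetric = {}
    for key, dirs in seen.items():
        if "a" in dirs and "b" in dirs and dirs["a"] != dirs["b"]:
            asymmetric[key] = (dirs["a"], dirs["b"])
    return asymmetric


if __name__ == "__main__":
    for (ep1, ep2, proto), (nodes_a, nodes_b) in find_asymmetric_flows(FLOW_LOG).items():
        print(f"{proto} {ep1[0]}:{ep1[1]} <-> {ep2[0]}:{ep2[1]} "
              f"outbound on {sorted(nodes_a)}, return on {sorted(nodes_b)}")
```

In the constructed log only the first TCP session is asymmetric: its outbound packets hit fw1 and the return packets hit fw2, which is exactly the flow a stateful firewall on either node would drop. Flows seen in only one direction are deliberately not reported, since a missing reverse record is just as likely to be a connection that never got a reply.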
Missing routes
Now, missing routes occur when a router cannot reach a destination because there's a missing route inside the routing table. These missing routes can occur for lots of different reasons, depending on what routing protocol is being used to share that routing information. Now, missing routes are commonly found as an issue when network administrators are using static routes and manually adding them to the routing tables. If the administrator mistypes a route or the command, the proper route will not get added to the routing table, and this causes problems.
So if you suspect you're missing a route, you should enter the show ip route command from the command line interface of your switch, and that'll display the routes available to it. Now, if you're working on a Windows client or server, you can enter the route print command to see the routing table for your system.
If you're using dynamic routing protocols like OSPF or BGP, there may also be issues where the routers are not properly establishing their neighbor states, and this can cause the routers to not reach convergence across their routing tables. To troubleshoot this kind of issue, you need to verify that the dynamic routing protocol is enabled on both routers and that the two routers can communicate with each other.
To verify this, you should run the ping command from one router to the destination router and validate that connectivity exists. If you identify that a route is missing, you can statically add that route from the command line, or you can work with a network administrator or network engineer to troubleshoot the underlying dynamic routing protocols that are being used by these routers.
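Reading a long routing table by eye is where mistyped static routes hide, so here is an added example (not from the video) that does the check programmatically: it parses a constructed table laid out like Cisco IOS show ip route output, performs the same longest-prefix-match lookup the router's forwarding plane does, and lists which of a set of destinations have no matching route. The table contents, next hops and interface names are all invented for the example, and the regexes only cover the line shapes shown in it.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample in the layout of IOS "show ip route"; not from a real device.
SHOW_IP_ROUTE = """\
Codes: L - local, C - connected, S - static, O - OSPF, B - BGP, * - candidate default
Gateway of last resort is not set

C        10.0.1.0/24 is directly connected, GigabitEthernet0/0
L        10.0.1.1/32 is directly connected, GigabitEthernet0/0
S        10.0.2.0/24 [1/0] via 10.0.1.2
O        172.16.0.0/16 [110/20] via 10.0.1.3, 00:12:44, GigabitEthernet0/1
O        172.16.5.0/24 [110/30] via 10.0.1.4, 00:12:44, GigabitEthernet0/1
"""

PREFIX_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\b")
VIA_RE = re.compile(r"\bvia (\d{1,3}(?:\.\d{1,3}){3})")
IFACE_RE = re.compile(r"directly connected, (\S+)")

# (prefix, route code, next hop address or directly-connected interface)
Route = Tuple[ipaddress.IPv4Network, str, str]


def parse_show_ip_route(text: str) -> List[Route]:
    """Extract one Route per table line; header lines carry no prefix and are skipped."""
    routes: List[Route] = []
    for line in text.splitlines():
        if line.startswith(("Codes", "Gateway")):
            continue
        m = PREFIX_RE.search(line)
        if not m:
            continue
        code = line.split()[0]
        prefix = ipaddress.IPv4Network(m.group(1), strict=False)
        via = VIA_RE.search(line)
        iface = IFACE_RE.search(line)
        next_hop = via.group(1) if via else (iface.group(1) if iface else "?")
        routes.append((prefix, code, next_hop))
    return routes


def lookup(routes: Iterable[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match: the most specific route containing dst, or None."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for route in routes:
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def find_missing_routes(routes: List[Route], destinations: Iterable[str]) -> Dict[str, Optional[Route]]:
    """Map each destination to its matching route, or None when the table has no route."""
    return {dst: lookup(routes, dst) for dst in destinations}


if __name__ == "__main__":
    table = parse_show_ip_route(SHOW_IP_ROUTE)
    checks = ["10.0.2.7", "172.16.5.9", "172.16.9.1", "8.8.8.8"]  # constructed targets
    for dst, route in find_missing_routes(table, checks).items():
        if route is None:
            print(f"{dst}: MISSING ROUTE (no prefix matches, no gateway of last resort)")
        else:
            print(f"{dst}: via {route[2]} ({route[1]} {route[0]})")
```

Because the constructed table has no default route ("Gateway of last resort is not set"), 8.8.8.8 is reported as missing, while 172.16.5.9 correctly prefers the /24 over the covering /16. Adding a default or a more specific static route to the sample and re-running shows how the longest-prefix match changes the answer, which is the same reasoning you apply when deciding whether the fix is a static route or a dynamic protocol problem.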