Exchange – Database Availability Group – FSW on DC

I needed to use a DC as File Share Witness for my LAB and in one small environment. Microsoft doesn't recommend that, but if you have only a limited number of servers, you don't have a choice.

Theory:

(Just the basics; the full article can be found on MS TechNet.)

  • FSW must be configured every time you create a Database Availability Group for Exchange 2010 and Exchange 2013 (if you do not specify it, Exchange will configure the FSW on the first CAS server without the Mailbox role installed). Besides the other parameters, you should specify the WitnessServer and WitnessDirectory parameters:
    New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer CAS1 -WitnessDirectory D:\DAG1_FSW
  • FSW is used to maintain quorum (node majority for the DAG application) when there is an even number of nodes in the DAG
  • FSW is only actively used when there is an even number of servers in the DAG. Either you have configured an even number of servers by design, or you have configured an odd number of servers by design and one of them is broken. Otherwise the witness directory on the witness server is empty
  • An alternate FSW must also be configured if you enable Datacenter Activation Coordination:
    Set-DatabaseAvailabilityGroup <identity> -DatacenterActivationMode DAGOnly -AlternateWitnessServer <FQDN or NetBIOS name of the server> -AlternateWitnessDirectory <Path>
  • More than one DAG can have its FSW on the same server, but the directory must be unique

Solution:

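To configure the FSW on a DC, there are more steps to perform before the FSW itself is configured:

  • Add the domain controller to the Exchange Trusted Subsystem security group
  • Add Exchange Trusted Subsystem to Builtin\Administrators (on a domain controller this is the domain's built-in Administrators group, so members of Exchange Trusted Subsystem gain administrative rights on the domain controllers)
  • Create a directory on the DC and share it with the share name of the DAG
  • Set the sharing permissions so that the virtual account for the DAG has Full Control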
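
A read-only check of the four prerequisites above, run on the domain controller, as an added example that is not part of the original post. It assumes Windows Server 2012 or later (SmbShare module) and the ActiveDirectory module; DC1, DAG1 and D:\DAG1_FSW are placeholder names, New-CheckResult and Test-FswPrerequisite are hypothetical helpers, and the DAG's "virtual account" is taken to be the computer account DAG1$.

```powershell
Import-Module ActiveDirectory

# Placeholder values for illustration (assumptions, not from the original post).
$DcName           = 'DC1'
$DagName          = 'DAG1'
$WitnessDirectory = 'D:\DAG1_FSW'

# Emits one result object per prerequisite.
function New-CheckResult {
    param([string]$Check, [bool]$Ok)
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok } | Select-Object Check, Ok
}

function Test-FswPrerequisite {
    param([string]$DcName, [string]$DagName, [string]$WitnessDirectory)

    # 1. The DC computer account is a member of Exchange Trusted Subsystem.
    $etsMembers = @(Get-ADGroupMember -Identity 'Exchange Trusted Subsystem')
    $dcIsMember = @($etsMembers | Where-Object { $_.SamAccountName -eq ($DcName + '$') }).Count -gt 0
    New-CheckResult 'DC is member of Exchange Trusted Subsystem' $dcIsMember

    # 2. Exchange Trusted Subsystem is a member of Builtin\Administrators
    #    (addressed by its well-known SID so localized group names do not matter).
    $admins = @(Get-ADGroupMember -Identity 'S-1-5-32-544')
    $etsIsAdmin = @($admins | Where-Object { $_.Name -eq 'Exchange Trusted Subsystem' }).Count -gt 0
    New-CheckResult 'Exchange Trusted Subsystem is in Builtin\Administrators' $etsIsAdmin

    # 3. The witness directory exists on this DC.
    $dirOk = Test-Path -Path $WitnessDirectory -PathType Container
    New-CheckResult "Directory $WitnessDirectory exists" $dirOk

    # 4. A share named after the DAG points at the witness directory.
    $share = Get-SmbShare -Name $DagName -ErrorAction SilentlyContinue
    $shareOk = ($share -ne $null) -and
               ($share.Path.TrimEnd('\') -eq $WitnessDirectory.TrimEnd('\'))
    New-CheckResult "Share '$DagName' maps to the witness directory" $shareOk

    # 5. The DAG's computer account (assumed to be <DAG name>$) has Full Control on the share.
    $access = @(Get-SmbShareAccess -Name $DagName -ErrorAction SilentlyContinue | Where-Object {
        $_.AccountName -like ('*\' + $DagName + '$') -and
        "$($_.AccessRight)" -eq 'Full' -and
        "$($_.AccessControlType)" -eq 'Allow'
    })
    New-CheckResult "Share grants Full Control to $DagName`$" ($access.Count -gt 0)
}

Test-FswPrerequisite -DcName $DcName -DagName $DagName -WitnessDirectory $WitnessDirectory |
    Format-Table -AutoSize
```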

FSW_SHARE_CONFIG_DC

If any of these steps is set incorrectly, the DAG cannot access the FSW and the availability of the DAG is limited. Check with:

Get-DatabaseAvailabilityGroup -Status

Result is shown in Picture:

DAG_Status

If this happens to you, fix the incorrectly set steps and re-enable the FSW:

Set-DatabaseAvailabilityGroup <identity> -WitnessServer <FQDN or NetBIOS name of the server>

Exchange 2013 CU1 setup problem – Install-RuleCollection error in Organization preparation step (protected until CU1 is officially out for public)

I have been upgrading my RTM Exchange 2013 to CU1. I have 2 multirole servers in a DAG. I started to install CU1 on the node hosting only passive copies of databases. In step 1 of 18, Organization preparation, the GUI setup generated an error, as can be seen in the following picture.

install-rulecollection error

The recommended workaround from Microsoft is to delete the following object from the AD configuration partition using AdsiEdit:

CN=ClassificationDefinitions,CN=Rules,CN=Transport Settings,CN=<Your organization name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>,DC=<com>

The object is also shown in the Picture

install-rulecollection object to delete

After the deletion, setup can be restarted. The object is then re-created and setup can continue.

Exchange 2010 complete certificate request problem

I was renewing the Exchange certificate for my test domain salonovi.cz. I was doing it via the EMC console, but behind the GUI it is done via the certificate request cmdlet. For example, this cmdlet:

New-ExchangeCertificate -Server 'SERVER1' -FriendlyName 'Your Exchange Certificate Name' -GenerateRequest -PrivateKeyExportable $true -KeySize '2048' -SubjectName 'C=Country code,S="Region",L="City",O="Organization name",OU="Department Name",CN=CAS Array hostname' -DomainName 'server1.domain.com','server2.domain.com',...

I am using a certificate from the Startcom certification authority (however, this also happened to me with GeoTrust), because it is free, so I passed the request to the web browser, generated a new certificate, downloaded it and tried to import the certificate into the Exchange environment.

The first import went OK, but I didn't see the pending certificate request being completed.

Second try of import generated an error:

CSR problems

I checked the local certificate store for the computer account and the certificate was there, but it didn't have a private key attached to it.

Solution:

The solution is simple. Run the command below, where "SerialNumber" is the serial number of your certificate:

certutil -repairstore my "SerialNumber"

After running the command certificate with serial number “SerialNumber” will be connected to its private key and pending certificate request will be completed, and you can continue as usual.

Links:

MS KB on support.microsoft.com

 

 

 

PS 2.0 – Remove and compress IIS logs automatically

I created a PS script for removing and compressing IIS log files.

Description

  • Define variables: the log folder $LogPath (basically it could be %SYSTEMROOT%\System32\LogFiles\W3SVC) and the retention periods ($DeletionRetention = -120, $CompressionRetention = -60).
  • The script handles only files whose retention has expired according to the LastWriteTime attribute (e.g. -120 = older than 120 days).
  • It deletes all* files with expired retention ($DeletionRetention) from the log folder. (* Be careful, the folder doesn't have to contain only logs.)
  • It compresses log files with expired retention ($CompressionRetention) into one zip based on the month number from LastWriteTime (IISLogs-Month2-2502132135.zip). The number 2502132135 is the time stamp.
  • The script can simply be scheduled via Windows Task Scheduler if needed (e.g. Trigger: Monthly – last day).

Note

In my script I used the zip functions from David Aiken – Compress Files with Windows PowerShell then package a Windows Vista Sidebar Gadget

Script

# VARIABLES
$LogPath = "D:\IISLogs"
$DeletionRetention = -120      # delete files older than 120 days
$CompressionRetention = -60    # compress logs older than 60 days

# FUNCTIONS
# Creates an empty zip archive (only the end-of-central-directory record).
function New-Zip
{
    param([string]$zipfilename)
    set-content $zipfilename ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
    (dir $zipfilename).IsReadOnly = $false
}

# Adds the piped files to the zip through the Windows Shell COM object.
function Add-Zip
{
    param([string]$zipfilename)

    if(-not (test-path($zipfilename)))
    {
        set-content $zipfilename ("PK" + [char]5 + [char]6 + ("$([char]0)" * 18))
        (dir $zipfilename).IsReadOnly = $false
    }

    $shellApplication = new-object -com shell.application
    $zipPackage = $shellApplication.NameSpace($zipfilename)

    foreach($file in $input)
    {
        $zipPackage.CopyHere($file.FullName)
        Start-sleep -milliseconds 500   # CopyHere is asynchronous, give it time
    }
}

# Lists the items stored in the zip.
function Get-Zip
{
    param([string]$zipfilename)
    if(test-path($zipfilename))
    {
        $shellApplication = new-object -com shell.application
        $zipPackage = $shellApplication.NameSpace($zipfilename)
        $zipPackage.Items() | Select Path
    }
}

# MAIN SCRIPT
# Files only; subfolders are left alone.
$Items = get-childitem $LogPath | ? {-not $_.PSIsContainer}

# Delete every file (not only logs) older than the deletion retention.
$DeleteLogs = $Items | ? {$_.LastWriteTime -le (Get-Date).adddays($DeletionRetention)}
if($DeleteLogs -ne $null) { $DeleteLogs | %{Remove-Item $_.fullname}}

# Remaining *.log files older than the compression retention, grouped by month.
$Items = get-childitem $LogPath |? {($_.extension -like "*.log") -and ($_.LastWriteTime -le (Get-Date).adddays($CompressionRetention))}

$GroupedItems = $Items | sort LastWriteTime | select @{n='Month';e={$_.LastWriteTime.month}},fullname,length,name | group month

if($GroupedItems -ne $null){
    foreach ($GroupedItem in $GroupedItems){
        $MonthNumber = $GroupedItem.Name
        # ddMMyyHHmm gives the 10-digit stamp from the description (was ddMMyyHHss)
        $Time = Get-Date -Format ddMMyyHHmm
        $ZipPath = "$LogPath\IISLogs-Month$MonthNumber-$Time.zip"
        New-Zip $ZipPath
        $GroupedItem.group | select fullname,length | %{
            Get-Item $_.fullname | Add-Zip $ZipPath
            start-sleep -s ($_.Length/20000000)   # wait longer for bigger files
        }
        # Remove the originals only if every file arrived in the zip.
        # @() makes the count work when the zip holds a single item.
        if(@(Get-Zip $ZipPath).Count -eq $GroupedItem.Count){
            $GroupedItem.group | %{Remove-Item $_.fullname}
        }else{
            Write-Host "`nERROR - Files are not zipped correctly. Deletion process skipped."
            $GroupedItem.group | %{$_.name}
        }
    }
}

Download

IISLog-Removing&Compressing-v1.ps1

https://skydrive.live.com/redir?resid=E3BA57A6A24B6F3C!137

Note

We can remove logs also by command Forfiles (thank you Lukas).

 

 

Exchange 2010 – OABGen skipped users (Event ID: 9325)

I fixed OAB errors (Event ID: 9325) on generation server and I wanted to get OABGen skipped users from Application Event log.

Error

Log Name: Application
Source: MSExchangeSA
Date: 2/19/2013 5:07:36 AM
Event ID: 9325
Task Category: (13)
Level: Error
Keywords: Classic
User: N/A
Computer: s01.contoso.com
Description:
OABGen will skip user entry 'Filip' in address list '\Global Address List' because the SMTP address '' is invalid. 
- \Default Offline Address Book NEW

How to filter skipped users from event log?

Run EMS on the generation server and use the following cmdlets. They update the OAB and distribute it to the CAS servers (do not forget to set the $date variable as well; it is needed in the next step):

$date = get-date

Get-OfflineAddressBook | Update-OfflineAddressBook

Get-ClientAccessServer | Update-FileDistributionService

All errors related to OABGen should be written to the event log. After that you can use the cmdlets below; they find and count all OAB errors ($OABerrors) and extract the names of the skipped users ($OABerrorsUser).

# All MSExchangeSA errors logged since $date was set
$OABerrors = Get-EventLog -LogName Application -EntryType error -Source MSExchangeSA | ?{$_.TimeGenerated -gt $date}  | select Message
Write-Host "Count of OAB errors:" ($OABerrors| Measure-Object).count
# The user name is the text between the first pair of single quotes in the message
$OABerrorsUser = $OABerrors | % {$_.Message.Substring($_.Message.IndexOf(" '")+2,($_.Message.IndexOf("' ")-$_.Message.IndexOf(" '"))-2)}

Solution

Variable $OABerrorsUser could be used for another loop based on your needs of repairs.

Event ID: 9325 basically occurs because the recipient’s primary SMTP address (PrimarySmtpAddress) was changed without updating the Mail attribute (WindowsEmailAddress). If the Mail attribute does not match the primary SMTP address, the recipient will be dropped when the offline address book is generated. Description how to solve this issue is shown here: Using Powershell to Correct 9325 Events in Exchange 2007

The event can also occur for mail-disabled users if the ShowInAddressBook attribute has not been cleared (<not set>). All mail-enabled objects always have this attribute filled in (including users, contacts, groups and public folders). The attribute can be erased via ADSI Edit or the Active Directory Module for Windows PowerShell.

Get-ADuser GlenJohn -Properties showInAddressBook | Set-ADUser -Clear showInAddressBook
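
One way to build the follow-up loop mentioned above, as an added example that is not part of the original post: it parses Event 9325 messages with a regular expression and, for each skipped user, reports which of the two causes described here applies. The sample messages are constructed; ConvertFrom-Oab9325Message and Get-OabSkipReason are hypothetical helper names, and Get-OabSkipReason needs the Exchange Management Shell.

```powershell
# Matches the 9325 description format shown in the event above.
$Oab9325Pattern = "skip user entry '(?<User>.+?)' in address list '(?<List>.+?)' " +
                  "because the SMTP address '(?<Smtp>.*?)' is invalid"

# Turns one event message into an object; emits nothing for other messages.
function ConvertFrom-Oab9325Message {
    param([string]$Message)
    if ($Message -match $Oab9325Pattern) {
        New-Object PSObject -Property @{
            User        = $Matches['User']
            AddressList = $Matches['List']
            SmtpAddress = $Matches['Smtp']
        }
    }
}

# Read-only triage (needs EMS): which cause from the text applies to a skipped user?
function Get-OabSkipReason {
    param([string]$User)
    $found = @(Get-Recipient -Identity $User -ErrorAction SilentlyContinue)
    if ($found.Count -eq 0) {
        return 'Not mail-enabled: check whether showInAddressBook is still set'
    }
    if ($found.Count -gt 1) {
        return 'Name is ambiguous: look the recipient up by a unique identity'
    }
    $mail    = "$($found[0].WindowsEmailAddress)"
    $primary = "$($found[0].PrimarySmtpAddress)"
    if ($mail -ne $primary) {
        return "Mail attribute '$mail' differs from primary SMTP address '$primary'"
    }
    return 'Mail attribute matches primary SMTP address: inspect the recipient manually'
}

# Constructed sample messages in the format of the event shown above.
$sampleMessages = @(
    "OABGen will skip user entry 'Filip' in address list '\Global Address List' because the SMTP address '' is invalid.",
    "OABGen will skip user entry 'Sean O'Neil' in address list '\Global Address List' because the SMTP address 'sean@' is invalid.",
    "Some other MSExchangeSA error that is not a 9325 message."
)
$skipped = $sampleMessages | ForEach-Object { ConvertFrom-Oab9325Message $_ }
$skipped | Format-Table User, AddressList, SmtpAddress -AutoSize

# On the generation server, feed real events instead ($date is set as in the text above):
# $skipped = Get-EventLog -LogName Application -Source MSExchangeSA -EntryType Error -After $date |
#     Where-Object { $_.EventID -eq 9325 } |
#     ForEach-Object { ConvertFrom-Oab9325Message $_.Message }
# $skipped | ForEach-Object { '{0}: {1}' -f $_.User, (Get-OabSkipReason $_.User) }
```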

Notes

Exchange 2010 – Outlook Anywhere – Outlook is unable to connect to the proxy server. (Error Code 10)

I noticed the error message below:

OutlookProxyCert1

---------------------------
Microsoft Outlook
---------------------------
There is a problem with the proxy server's security certificate.
The name on the security certificate is invalid or does not match the name of the target site.

Outlook is unable to connect to the proxy server. (Error Code 10)
---------------------------
OK 
---------------------------

This is definitely related to Outlook Anywhere and the client (Outlook 2013), which wraps remote procedure calls (RPCs) in an HTTP layer. By default this feature is enabled and all Outlook connectivity takes place over it, based on a valid SSL certificate on the CAS server(s). Mailbox servers only require the default self-signed SSL certificate. According to the screenshot above, you need either to have the value "s04.testexch.local" in the certificate on the CAS servers, to switch off the SSL requirement, or to change the value to suit your needs (e.g. you have a certificate with a different value).

EAC

EAC_OutlookAnywhere

EMS

Set-OutlookAnywhere

  • ExternalHostname
  • InternalHostname
  • ExternalClientAuthenticationMethod (Negotiate authentication: enabled by default in Exchange 2013. This is a combination of Windows integrated authentication and Kerberos authentication. If we employ Negotiate authentication, Exchange will authenticate the client using the NTLM authentication type and, if unable to verify authenticity, will challenge the client to authenticate using a username and password.)
  • SSLOffloading (Note: the SSLOffloading parameter specifies whether the Client Access server requires SSL. This value should be set to $true only when an SSL hardware solution is running in front of the Client Access server.)

Testing

Outlook Anywhere can be tested via Test-OutlookConnectivity or Remote Connectivity Analyzer

Solution

In my case I used a cert issued by an internal CA with two subject alternative names, mail.testexch.local and autodiscove.testexch.local. So only the attribute InternalHostname needed to be rewritten on each CAS server.

[PS] C:\>Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostname mail.testexch.local -InternalClientsRequireSsl $true
[PS] C:\>Get-OutlookAnywhere | fl server,name,*hostname,ssl*,*auth*

Server : s03
Name : Rpc (Default Web Site)
ExternalHostname : mail.testexch.com
InternalHostname : mail.testexch.local
SSLOffloading : True
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

Server : s04
Name : Rpc (Default Web Site)
ExternalHostname : mail.testexch2013.com
InternalHostname : mail1.testexch2013.local
SSLOffloading : True
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

EAC_OutlookAnywhere2

Notes

iOS 6.1.2 released! – Exchange problems solved?

Apple claims that iOS 6.1.2 solves the problems with Exchange sync. Good luck with the update: http://support.apple.com/kb/DL1639 and hopefully no more http://ficility.net/2013/02/14/ios-6-1-and-ios-6-1-1-exchange-problems/

Exchange 2013 – Outlook 2013 – The connection to Microsoft Exchange is unavailable.

If Outlook uses the Autodiscover service, you may see the following error (Exchange 2013 + Outlook 2013 in my case):

OutlookMustBeOnline

Outlook error: Microsoft Outlook: The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.

Outlook error: Outlook is unable to connect to the proxy server. (Error Code 10)

The error could be due to:

  1. Firewall issue
  2. DNS failure
  3. Exchange misconfiguration
  4. Client issue
  5. Certificate validation failed

Well, quite a common problem.

Investigation

<?xml version="1.0" encoding="UTF-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Id="3876576560" Time="21:12:30.2927520">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData/>
    </Error>
  </Response>
</Autodiscover>

Error code 600 means the Autodiscover service is accessible and works. The Autodiscover request is corrupted at this point, but that is typical behavior when testing via IE. Very useful articles about Autodiscover are White Paper: Exchange 2007 Autodiscover Service and Troubleshooting Autodiscover (Exchange 2007/2010).

Test-OutlookWebServices | fl
Source : s04.contoso.com
ServiceEndpoint : autodiscover.contoso.com
Scenario : AutoDiscoverOutlookProvider
ScenarioDescription : Autodiscover: Outlook Provider
Result : Failure
Latency : 22
Error : System.Net.WebException: The underlying connection was closed: Could not establish trust
 relationship for the SSL/TLS secure channel. --->
 System.Security.Authentication.AuthenticationException: The remote certificate is invalid
 according to the validation procedure.
…

The validation procedure (in short):

  1. The name used to access the resource needs to match the certificate exactly.
  2. The certificate date must be valid.
  3. The Certificate Authority which issued the certificate must be trusted by the client. (It needs to exist in the Trusted Root Certification Authorities store.)

Solution

I checked the CAS certificate issued by the internal CA and found a missing letter in one SAN name. A new certificate assigned to the IIS service solved the error.
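
The three validation checks above, plus the private-key check from the certificate request post earlier on this page, applied to every CAS as an added example (not part of the original posts). It is read-only and runs in the Exchange Management Shell; Test-NameCovered is a hypothetical helper, and the names that must be covered are taken from Get-OutlookAnywhere and the Autodiscover internal URI.

```powershell
# Returns $true when $HostName is covered by one of the certificate's names.
function Test-NameCovered {
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($name in $CertDomains) {
        if ($name -eq $HostName) { return $true }      # exact match (-eq ignores case)
        if ($name.StartsWith('*.')) {                  # a wildcard covers exactly one label
            $suffix = $name.Substring(1)               # "*.contoso.com" -> ".contoso.com"
            if ($HostName.Length -gt $suffix.Length -and
                $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Constructed illustration with the SAN list as quoted in the Outlook Anywhere post on this page:
Test-NameCovered 'autodiscover.testexch.local' @('mail.testexch.local', 'autodiscove.testexch.local')

$now = Get-Date
foreach ($oa in Get-OutlookAnywhere) {
    $server = "$($oa.Server)"
    $cas    = Get-ClientAccessServer -Identity $server

    # Host names that clients use to reach this CAS; empty values are dropped.
    $needed = @("$($oa.InternalHostname)", "$($oa.ExternalHostname)")
    if ($cas.AutoDiscoverServiceInternalUri) {
        $needed += ([uri]"$($cas.AutoDiscoverServiceInternalUri)").Host
    }
    $needed = @($needed | Where-Object { $_ } | Select-Object -Unique)

    # Only certificates assigned to the IIS service matter for Outlook Anywhere and Autodiscover.
    $iisCerts = @(Get-ExchangeCertificate -Server $server |
        Where-Object { "$($_.Services)" -match 'IIS' })

    foreach ($cert in $iisCerts) {
        $domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
        $missing = @($needed | Where-Object { -not (Test-NameCovered $_ $domains) })
        New-Object PSObject -Property @{
            Server        = $server
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey                                   # pending request completed?
            DateValid     = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
            Status        = "$($cert.Status)"                                     # Exchange's own verdict on the certificate
            MissingNames  = ($missing -join ', ')                                 # names the certificate does not cover
        } | Select-Object Server, Thumbprint, HasPrivateKey, DateValid, Status, MissingNames
    }
}
```

Any row with a non-empty MissingNames, DateValid or HasPrivateKey set to False, or a Status other than Valid points at the certificate to replace or repair.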

Notes

Cisco Labs – Redundant and Resilient networks (16) – Multicast Redundancy IPv6

Introduction

During my university studies I was doing a diploma thesis in the field of redundant and reliable networking. Its purpose was to create LAB examples for students, so they can test First Hop Redundancy Protocols (FHRP), Any Transport over MPLS (AToM) and Border Gateway Protocol (BGP) on the Cisco platform. These tasks were created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its separate post with brief description of the task and schema. Complete task can be downloaded on My Skydrive

ZIP file contains:

  • *.HTML file – complete step by step guide how to perform the task
  • *.PNG – pictures with topology and others
  • *_preconf.txt – file with basic configuration of topology to be able to focus on task goal (IP addresses, interfaces and so on)
  • *_end.txt – file with complete configuration. Once put to the routers, you will get working task
  • *.dia – Topology in free DIA editor
  • *.XML – topology in XML format

To complete the task:

  • Connect your environment according to the topology
  • Open the file *_preconf.txt from the ZIP file with the complete task and configure your environment with the basic settings so you can start with the task.



Multicast redundancy – IPv6

Title: Multicast redundancy – IPv6

Goal:

Configure Protocol Independent Multicast on an IPv6 network.

Configure PIM with the BSR feature. Configure routers RP1 and RP2 as rendezvous point candidates. Configure MA1 and MA2 as BSR candidates.

Test multicast redundancy and functionality.

Required time: 120 minutes

Theoretical background:

Topology:

Multicast-Redundancy-IPv6

Configuration:

 

1) Basic network configuration

IPv6 addresses and the RIP routing process (named RIP) should be configured on each router and PC.

PC1

      PC1#ip -6 addr add 2001:1::1/64 dev eth0
      PC1#ip -6 route add default via 2001:1::2

PC2

      PC2#ip -6 addr add 2001:2::2/64 dev eth0
      PC2#ip -6 route add default via 2001:2::1

Router MA1

      MA1(config)#hostname MA1
      MA1(config)#ipv6 unicast-routing
      MA1(config)#ipv6 router rip RIP
      MA1(config)#interface #MA1:MA1-SW#
      MA1(config-if)#ipv6 address 2001::1/128
      MA1(config-if)#ipv6 rip RIP enable
      MA1(config-if)#no shutdown

Router MA2

      MA2(config)#hostname MA2
      MA2(config)#ipv6 unicast-routing
      MA2(config)#ipv6 router rip RIP
      MA2(config)#interface #MA2:MA2-SW#
      MA2(config-if)#ipv6 address 2001::2/128
      MA2(config-if)#ipv6 rip RIP enable

Router RP1

      RP1(config)#hostname RP1
      RP1(config)#ipv6 unicast-routing
      RP1(config)#ipv6 router rip RIP
      RP1(config)#interface #RP1:RP1-SW#
      RP1(config-if)#ipv6 address 2001::4/128
      RP1(config-if)#ipv6 rip RIP enable

Router RP2

      RP2(config)#hostname RP2
      RP2(config)#ipv6 unicast-routing
      RP2(config)#ipv6 router rip RIP
      RP2(config)#interface #RP2:RP2-SW#
      RP2(config-if)#ipv6 address 2001::6/128
      RP2(config-if)#ipv6 rip RIP enable

Router R1

      R1(config)#hostname R1
      R1(config)#ipv6 unicast-routing
      R1(config)#ipv6 router rip RIP
      R1(config)#interface #R1:R1-SW#
      R1(config-if)#ipv6 address 2001::3/128
      R1(config-if)#ipv6 rip RIP enable
      R1(config)#interface #R1:PC1-R1#
      R1(config-if)#ipv6 address 2001:1::2/64
      R1(config-if)#ipv6 rip RIP enable

Router R2

      R2(config)#hostname R2
      R2(config)#ipv6 unicast-routing
      R2(config)#ipv6 router rip RIP
      R2(config)#interface #R2:R2-SW#
      R2(config-if)#ipv6 address 2001::5/128
      R2(config-if)#ipv6 rip RIP enable
      R2(config)#interface #R2:PC2-R2#
      R2(config-if)#ipv6 address 2001:2::1/64
      R2(config-if)#ipv6 rip RIP enable

Test connectivity between devices using ping6 command.

 

2) Multicast configuration – BSR candidates

Router MA1

      MA1(config)#ipv6 multicast-routing; enable multicast routing on the router
      MA1(config)#ipv6 pim bsr candidate bsr 2001::1 priority 10; set router as BSR candidate with priority 10 (a lower number means lower priority)

Router MA2

      MA2(config)#ipv6 multicast-routing; enable multicast routing on the router
      MA2(config)#ipv6 pim bsr candidate bsr 2001::2 priority 20; set router as BSR candidate with priority 20 (a lower number means lower priority)

3) Multicast configuration – rendezvous points

Router RP1

      RP1(config)#ipv6 multicast-routing; enable multicast routing on the router
      RP1(config)#ipv6 pim bsr candidate rp 2001::4 priority 10; set router as RP candidate with priority 10 (a lower number means higher priority)

Router RP2

      RP2(config)#ipv6 multicast-routing; enable multicast routing on the router
      RP2(config)#ipv6 pim bsr candidate rp 2001::6 priority 20; set router as RP candidate with priority 20 (a lower number means higher priority)

4) Multicast configuration – client routers

Router R1

      R1(config)#ipv6 multicast-routing

Router R2

      R2(config)#ipv6 multicast-routing

Function test:

1) Turn PIM debugging on

      MA1# debug ipv6 pim; turn PIM debugging on to display PIM communication

2) Display PIM information

      MAx# sh ipv6 pim rp mapping; show which router is RP
      RPx# sh ipv6 pim bsr candidate ; display BSR candidates
      MAx# sh ipv6 pim bsr election ; display BSR election
      MAx# show ipv6 pim tunnel ; display tunnels between elected BSR and elected RP

3) Send multicast traffic

      PC1# mcast -6 -s -a FF0E::10 -t 1 -m "This is multicast message"; run mcast application as sender of IPv6 multicast traffic to group address FF0E::10
      PC2# mcast -6 -l -a FF0E::10 ; run mcast application as listener of IPv6 multicast traffic to group address FF0E::10

4) Turn RP2 off to initiate RP1 to be rendezvous point

      RP2(config)#interface #RP2:RP2-SW#
      RP2(config-if)#shutdown
; after the interface shutdown, router RP2 will no longer act as RP; the role will be switched to RP1, which has lower priority

5) Display PIM information

      MAx# sh ipv6 pim rp mapping
      RPx# sh ipv6 pim bsr candidate
      MAx# sh ipv6 pim bsr election
      MAx# show ipv6 pim tunnel

6) Turn MA2 off to use MA1 as BSR router

      MA2(config)#interface #MA2:MA2-SW#
      MA2(config-if)#shutdown
; after the interface shutdown, router MA2 will no longer act as BSR router; the role will be switched to MA1, which has lower priority

7) Display PIM information

      MAx# sh ipv6 pim rp mapping
      RPx# sh ipv6 pim bsr candidate
      MAx# sh ipv6 pim bsr election
      MAx# show ipv6 pim tunnel
 

 

Cisco Labs – Redundant and Resilient networks (15) – Multicast Redundancy IPv4

Introduction

During my university studies I was doing a diploma thesis in the field of redundant and reliable networking. Its purpose was to create LAB examples for students, so they can test First Hop Redundancy Protocols (FHRP), Any Transport over MPLS (AToM) and Border Gateway Protocol (BGP) on the Cisco platform. These tasks were created for Virtlab (a virtual lab with physical Cisco routers); however, the configuration is valid and tested on physical Cisco routers as well.

Each task in the series will have its separate post with brief description of the task and schema. Complete task can be downloaded on My Skydrive

ZIP file contains:

  • *.HTML file – complete step by step guide how to perform the task
  • *.PNG – pictures with topology and others
  • *_preconf.txt – file with basic configuration of topology to be able to focus on task goal (IP addresses, interfaces and so on)
  • *_end.txt – file with complete configuration. Once put to the routers, you will get working task
  • *.dia – Topology in free DIA editor
  • *.XML – topology in XML format

To complete the task:

  • Connect your environment according to the topology
  • Open the file *_preconf.txt from the ZIP file with the complete task and configure your environment with the basic settings so you can start with the task.



Multicast redundancy – IPv4

Title: Multicast redundancy – IPv4

Goal:

  • Configure Protocol Independent Multicast on IPv4 network.
  • Configure MA1 and MA2 as mapping agents. Configure PIM with auto-RP feature. Configure routers RP1 and RP2 as rendezvous point candidates.
  • Test multicast redundancy and functionality.

Required time: 120 minutes

Theoretical background:

Topology:

Multicast-Redundancy-IPv4

Configuration:

 

1) Basic network configuration

IP addresses and OSPF routing area 0 should be configured on each router and PC.

PC1

      
      PC1#ifconfig eth0 192.168.1.2 netmask 255.255.255.0
      PC1#route add default gw 192.168.1.1

PC2

      
      PC2#ifconfig eth0 172.16.0.2 netmask 255.255.255.0
      PC2#route add default gw 172.16.0.1

Router MA1

      MA1(config)#hostname MA1
      MA1(config)#interface #MA1:MA1-SW#
      MA1(config-if)#ip address 10.0.0.1 255.255.255.0
      MA1(config-if)#no shutdown
      MA1(config)#router ospf 1
      MA1(config-router)#network 10.0.0.0 0.0.0.255 area 0

 

Router MA2

      MA2(config)#hostname MA2
      MA2(config)#interface #MA2:MA2-SW#
      MA2(config-if)#ip address 10.0.0.2 255.255.255.0
      MA2(config-if)#no shutdown
      MA2(config)#router ospf 1
      MA2(config-router)#network 10.0.0.0 0.0.0.255 area 0

 

Router RP1

      RP1(config)#hostname RP1
      RP1(config)#interface #RP1:RP1-SW# 
      RP1(config-if)#ip address 10.0.0.4 255.255.255.0
      RP1(config-if)#no shutdown 
      RP1(config)#router ospf 1 
      RP1(config-router)#network 10.0.0.0 0.0.0.255 area 0

 

Router RP2

      RP2(config)#hostname RP2
      RP2(config)#interface #RP2:RP2-SW#
      RP2(config-if)#ip address 10.0.0.6 255.255.255.0
      RP2(config-if)#no shutdown 
      RP2(config)#router ospf 1
      RP2(config-router)#network 10.0.0.0 0.0.0.255 area 0

 

Router R1

      R1(config)#hostname R1
      R1(config)#interface #R1:R1-SW#
      R1(config-if)#ip address 10.0.0.3 255.255.255.0 
      R1(config-if)#no shutdown
      R1(config)#interface #R1:PC1-R1#
      R1(config-if)#ip address 192.168.1.1 255.255.255.0
      R1(config-if)#no shutdown
      R1(config)#router ospf 1
      R1(config-router)#network 10.0.0.0 0.0.0.255 area 0
      R1(config-router)#network 192.168.1.0 0.0.0.255 area 0

 

Router R2

      R2(config)#hostname R2
      R2(config)#interface #R2:R2-SW#
      R2(config-if)#ip address 10.0.0.5 255.255.255.0
      R2(config-if)#no shutdown
      R2(config)#interface #R2:PC2-R2#
      R2(config-if)#ip address 172.16.0.1 255.255.255.0
      R2(config-if)#no shutdown
      R2(config)#router ospf 1
      R2(config-router)#network 10.0.0.0 0.0.0.255 area 0
      R2(config-router)#network 172.16.0.0 0.0.0.255 area 0

 

Test connectivity between devices using ping command.

 

2) Multicast configuration – mapping agents

Router MA1

      MA1(config)#ip multicast-routing; enable multicast routing on the router
      MA1(config)#interface #MA1:MA1-SW#
      MA1(config-if)#ip pim sparse-dense-mode; enable PIM protocol in sparse-dense mode
      MA1(config)#ip pim send-rp-discovery scope 100; set router as Mapping agent, hello messages will be sent with TTL 100

 

Router MA2

      MA2(config)#ip multicast-routing;  enable multicast routing on the router
      MA2(config)#interface #MA2:MA2-SW#
      MA2(config-if)#ip pim sparse-dense-mode; enable PIM protocol in sparse-dense mode
      MA2(config)#ip pim send-rp-discovery scope 100; set router as Mapping agent, hello messages will be sent with TTL 100

 

3) Multicast configuration – rendezvous points

Router RP1

 
      RP1(config)#ip multicast-routing
      RP1(config)#interface #RP1:RP1-SW#
      RP1(config-if)#ip pim sparse-dense-mode; enable PIM protocol in sparse-dense mode
      RP1(config)#ip pim send-rp-announce 10.0.0.4 scope 100; set router to announce itself as RP candidate
      RP1(config)#ip pim send-rp-announce #RP1:RP1-SW# scope 100 interval 20; set router to announce itself as RP candidate on interface #RP1:RP1-SW#, TTL 100, every 20 seconds

 

Router RP2

 
      RP2(config)#ip multicast-routing
      RP2(config)#interface #RP2:RP2-SW#
      RP2(config-if)#ip pim sparse-dense-mode; enable PIM protocol in sparse-dense mode
      RP2(config)#ip pim send-rp-announce 10.0.0.6 scope 100; set router to announce itself as RP candidate
      RP2(config)#ip pim send-rp-announce #RP2:RP2-SW# scope 100 interval 20; set router to announce itself as RP candidate on interface #RP2:RP2-SW#, TTL 100, every 20 seconds

 

4) Multicast configuration – client routers

Router R1

      R1(config)#ip multicast-routing 
      R1(config)#interface #R1:R1-SW#
      R1(config-if)#ip pim sparse-dense-mode
      R1(config)#interface #R1:PC1-R1#
      R1(config-if)#ip pim sparse-dense-mode

 

Router R2

      R2(config)#ip multicast-routing
      R2(config)#interface #R2:R2-SW#
      R2(config-if)#ip pim sparse-dense-mode
      R2(config)#interface #R2:PC2-R2#
      R2(config-if)#ip pim sparse-dense-mode

 

Function test:

1) Turn PIM debugging on

    MA1# debug ip pim; turn PIM debugging on to display PIM communication

 

2) Display PIM information

    MA1# sh ip pim rp mapping; show which router is RP
    MA1# sh ip pim autorp ; display if auto RP is enabled
    MA1# sh ip pim neighbor ; display PIM neighbors

 

3) Send multicast traffic

    PC1# mcast -4 -s -a 239.0.10.10 -m "This is multicast message"; run mcast application as sender of IPv4 multicast traffic to group address 239.0.10.10
    
    PC2# mcast -4 -l -a 239.0.10.10 ; run mcast application as listener of IPv4 multicast traffic to group address 239.0.10.10

 

4) Turn RP2 off to initiate RP1 to be rendezvous point

    RP2(config)#interface #RP2:RP2-SW#
    RP2(config-if)#shutdown
; after the interface shutdown, router RP2 will no longer act as RP; the RP role will be switched to RP1, which has the lower IP address

 

5) Display PIM information

    MA1# sh ip pim rp mapping; show which router is RP
    MA1# sh ip pim autorp ; display if auto RP is enabled
    MA1# sh ip pim neighbor ; display PIM neighbors

 

6) Turn MA2 off to use MA1 as mapping agent

    MA2(config)#interface #MA2:MA2-SW#
    MA2(config-if)#shutdown 
; after the interface shutdown, router MA2 will no longer act as mapping agent; the role will be switched to MA1, which has the lower IP address

 

7) Display PIM information

    MA1# sh ip pim rp mapping; show which router is RP
    MA1# sh ip pim autorp ; display if auto RP is enabled
    MA1# sh ip pim neighbor ; display PIM neighbors