When neighbors are not adjacent, normal Cisco Service Advertisement Framework (SAF) peering mechanisms cannot be used to exchange SAF information over the networking cloud. The neighbors are often multiple hops away, and separated by dark nets (routers not running SAF).
To support this type of network, SAF provides the neighbor command, which allows remote neighbors to be configured and sessions established through unicast packet transmission. However, as the number of forwarders needing to exchange SAF information over the networking cloud increases, unicast SAF neighbor definitions may become cumbersome to manage. Each neighbor must be manually configured, resulting in increased operational costs.
To better accommodate deployment of these topologies, ease configuration management, and reduce operational costs, the Dynamic Neighbors feature provides support for the dynamic discovery of remote unicast and multicast neighbors (referred to as "remote neighbors"). Remote neighbor support allows Cisco SAF peering to one or more remote neighbors, which may not be known at the time the device is configured, thus reducing configuration management.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Before configuring SAF dynamic neighbors, ensure that when using:
Within a service family, the following restrictions apply:
When neighbors are not adjacent, normal Cisco SAF peering mechanisms cannot be used to exchange SAF information over the networking cloud. The neighbors are often multiple hops away, and separated by dark nets (devices not running SAF).
To support this type of network, SAF provides the neighbor command, which allows remote neighbors to be configured and sessions established through unicast packet transmission. However, as the number of Forwarders needing to exchange SAF information over the networking cloud increases, unicast SAF neighbor definitions may become cumbersome to manage. Each neighbor must be manually configured, resulting in increased operational costs.
To better accommodate deployment of these topologies, ease configuration management, and reduce operational costs, the Dynamic Neighbors feature provides support for the dynamic discovery of remote unicast and multicast neighbors (referred to as "remote neighbors"). Remote neighbor support allows Cisco SAF peering to one or more remote neighbors, which may not be known at the time the device is configured, thus reducing configuration management.
When using remote unicast-listen or remote multicast-group neighbor configurations, SAF neighbor IP addresses are not predefined, and neighbors may be many hops away. A device with this configuration could peer with any device that sends a valid HELLO packet. For security, this openness calls for policy controls that limit peering to valid devices and cap the number of neighbors to limit resource consumption. These controls are provided by the following manually configured parameters, which take effect immediately.
The optional allow-list keyword, available in the remote-neighbors command, enables you to use an access list (access control list) to specify the remote IP addresses from which Cisco SAF neighbor connections may be accepted. If you do not use the allow-list keyword, then all IP addresses (permit any) will be accepted.
The access control list (ACL) defines a range of IPv4 or IPv6 addresses with the following conditions:
The optional max-neighbors keyword, available in the remote-neighbors command, enables you to specify a maximum number of remote neighbors that Cisco SAF can create using the remote neighbor configurations. When the maximum number of remote neighbors has been created for a configuration, Cisco SAF rejects all subsequent connection attempts for that configuration. This option helps to protect against denial-of-service attacks that try to overwhelm device resources by creating many remote neighbors.
The max-neighbors configuration option has the following conditions:
When the allow-list or max-neighbors configurations are changed, any existing remote Cisco SAF sessions that are no longer allowed by the new configuration will be removed automatically and immediately. Pre-existing neighbors that are still allowed by the new configuration will not be affected.
The following terms are used when describing neighbor types:
For configurations in which multiple remote neighbors peer with a single hub (point-to-point), the hub can be configured for remote unicast-listen peering using the remote-neighbors command to allow the remote neighbors to peer with the hub without having to manually configure the remote neighbor IP addresses on the hub.
When configured with this command, the hub device:
Multicast can be used to provide an efficient transport between multiple Cisco SAF neighbors. A single multicast-group address can be used for multiple Cisco SAF neighbors to exchange information within the same multicast group. To configure multipoint-to-multipoint configurations, use the multicast-group keyword available in the remote-neighbors command.
When configured with this command, the device:
Static neighbors configured with the neighbor ip-address or the neighbor ip-address remote commands take precedence over the remote neighbors that are created as a result of the remote-neighbors command. If the remote IP address of an incoming unicast Cisco SAF connection matches both a static neighbor and the remote unicast-listen neighbor access list, the static neighbor is used and no remote unicast-listen neighbor is created. If you configure a new static neighbor while a remote neighbor for the same remote IP address already exists, Cisco SAF automatically removes the remote unicast-listen neighbor.
Remote unicast-listen neighbors take precedence over remote multicast-group neighbors. If Cisco SAF is receiving both unicast and multicast HELLOs from the same remote IP address targeted at the same local interface, the neighbor will be treated as unicast (unicast-listen) rather than multicast (multicast-group) for packet exchange.
To configure Cisco SAF dynamic neighbors, use the following commands:
The following examples show how to configure both devices involved in the neighbor relationship.
This example uses the unicast-listen keyword to configure remote neighbors to accept inbound connections from IP addresses that match the access list myNeighborList.
Device1(config)# interface Loopback1
Device1(config-if)# ip address 10.1.1.1 255.255.255.255
Device1(config-if)# exit
Device1(config)# ip access-list standard myNeighborList
Device1(config-std-nacl)# permit 10.0.0.0 0.255.255.255
Device1(config-std-nacl)# exit
Device1(config)# router eigrp virtual-name
Device1(config-router)# service-family ipv4 autonomous-system 4453
Device1(config-router-sf)# remote-neighbors source Loopback1 unicast-listen allow-list myNeighborList

Device2(config)# interface Loopback2
Device2(config-if)# ip address 10.2.2.2 255.255.255.255
Device2(config-if)# exit
Device2(config)# router eigrp virtual-name
Device2(config-router)# service-family ipv4 autonomous-system 4453
Device2(config-router-sf)# neighbor 10.1.1.1 Loopback2 remote 20
This example uses the multicast-group keyword to use IP multicast to discover remote neighbors and form remote neighbor relationships. It also specifies 30 as the maximum number of inbound connections from remote neighbors that a member of the multicast group may accept.
Device1(config)# interface Loopback1
Device1(config-if)# ip address 10.1.1.1 255.255.255.255
Device1(config-if)# ip pim sparse-mode
Device1(config-if)# exit
Device1(config)# router eigrp virtual-name
Device1(config-router)# service-family ipv4 autonomous-system 4453
Device1(config-router-sf)# remote-neighbors source Loopback1 multicast-group 224.44.56.1 max-neighbors 30

Device2(config)# interface Loopback2
Device2(config-if)# ip address 10.2.2.2 255.255.255.255
Device2(config-if)# ip pim sparse-mode
Device2(config-if)# exit
Device2(config)# router eigrp virtual-name
Device2(config-router)# service-family ipv4 autonomous-system 4453
Device2(config-router-sf)# remote-neighbors source Loopback2 multicast-group 224.44.56.1 max-neighbors 30
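An added example, not part of the Cisco documentation: a small Python audit that scans a configuration for remote-neighbors statements and reports those that lack the allow-list or max-neighbors policy described earlier, or whose allow-list permits any. The configuration excerpt, the ACL name openList, the Loopback3 statement and the function names are constructed for illustration.

```python
import re
# Constructed configuration excerpt for the parser only (not from a real device).
SAMPLE_CONFIG = """\
ip access-list standard myNeighborList
 permit 10.0.0.0 0.255.255.255
ip access-list standard openList
 permit any
router eigrp virtual-name
 service-family ipv4 autonomous-system 4453
  remote-neighbors source Loopback1 unicast-listen allow-list myNeighborList
  remote-neighbors source Loopback2 multicast-group 224.44.56.1 max-neighbors 30
  remote-neighbors source Loopback3 unicast-listen allow-list openList max-neighbors 10
"""

def parse_acls(config):
    """Map each standard named ACL to its entries (each a list of words)."""
    acls, current = {}, None
    for line in config.splitlines():
        header = re.match(r"ip access-list standard (\S+)", line)
        if header:
            current = acls.setdefault(header.group(1), [])
        elif current is not None and line.startswith(" "):
            current.append(line.split())
        else:
            current = None  # left the ACL block
    return acls

def permits_any(entries):  # 'permit any' or an all-ones wildcard mask
    return any(e[:1] == ["permit"] and e[-1] in ("any", "255.255.255.255") for e in entries)

def audit_remote_neighbors(config):
    """Return (statement, findings) for every remote-neighbors line."""
    acls, results = parse_acls(config), []
    for words in (line.split() for line in config.splitlines()):
        if words[:1] != ["remote-neighbors"]:
            continue
        findings = []
        if "allow-list" in words:
            name = (words[words.index("allow-list") + 1:] or ["<missing>"])[0]
            if name not in acls:
                findings.append(f"allow-list {name} is not defined in this config")
            elif permits_any(acls[name]):
                findings.append(f"allow-list {name} permits any source")
        else:
            findings.append("no allow-list: all source addresses are accepted")
        if "max-neighbors" not in words:
            findings.append("no max-neighbors: no configured cap on remote neighbors")
        results.append((" ".join(words), findings))
    return results
```

Calling audit_remote_neighbors(SAMPLE_CONFIG) returns one entry per remote-neighbors statement; an empty findings list means both policy keywords are present and the allow-list is restrictive.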
The detail option of the show neighbor command shows how each neighbor was configured. If the neighbor is:
Configured as remote multicast-group, it is listed as a group neighbor (multicast-group <ip addr>).
For example:
Device# show eigrp ipv4 neighbor detail
EIGRP-SFv4 VR(test) Service-Family Neighbors for AS(100)
H   Address        Interface    Hold  Uptime    SRTT   RTO   Q    Seq
                                (sec)           (ms)         Cnt  Num
1   10.1.2.1       Lo0          12    00:02:20  3      100   0    3
    Static neighbor
    Version 8.0/4.0, Retrans: 0, Retries: 0
    Topology-ids from peer - 0
1   1.1.2.1        Lo0          12    00:02:20  3      100   0    3
    Remote Static neighbor (static multihop)
    Version 8.0/4.0, Retrans: 0, Retries: 0
    Topology-ids from peer - 0
1   10.1.1.4       Lo0          12    00:02:01  3      100   0    1
    Remote neighbor (unicast-listen)
    Version 8.0/4.0, Retrans: 0, Retries: 0
    Topology-ids from peer - 0
1   10.1.1.5       Lo0          14    00:04:07  1552   5000  0    3
    Group neighbor (multicast-group 224.1.1.1)
    Version 8.0/4.0, Retrans: 0, Retries: 0
    Topology-ids from peer - 0
0   3.1.2.3        Et1/0        12    00:02:20  1999   5000  0    1
    Version 8.0/4.0, Retrans: 0, Retries: 0
    Topology-ids from peer - 0
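An added example, not Cisco code: a Python parser for neighbor detail output of the form shown above. It records each neighbor's type line and lists dynamically created neighbors (unicast-listen or multicast-group) whose address falls outside an approved set of networks. The sample output is constructed from the example above and is IPv4 only; the function names and the approved-network list are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample modelled on the neighbor detail output above (IPv4 only).
SAMPLE_OUTPUT = """\
H   Address        Interface    Hold  Uptime    SRTT   RTO   Q    Seq
1   10.1.2.1       Lo0          12    00:02:20  3      100   0    3
    Static neighbor
    Version 8.0/4.0, Retrans: 0, Retries: 0
1   10.1.1.4       Lo0          12    00:02:01  3      100   0    1
    Remote neighbor (unicast-listen)
1   10.1.1.5       Lo0          14    00:04:07  1552   5000  0    3
    Group neighbor (multicast-group 224.1.1.1)
0   3.1.2.3        Et1/0        12    00:02:20  1999   5000  0    1
    Version 8.0/4.0, Retrans: 0, Retries: 0
"""

ENTRY = re.compile(r"^\s*\d+\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+\d+\s")
KIND = re.compile(r"^\s*((?:Remote Static|Static|Remote|Group) neighbor)(?: \((.+)\))?\s*$")

def parse_neighbors(output):
    """Return one dict per neighbor: address, interface, kind, detail."""
    neighbors = []
    for line in output.splitlines():
        entry = ENTRY.match(line)
        if entry:
            neighbors.append({"address": entry.group(1), "interface": entry.group(2),
                              "kind": None, "detail": None})  # kind stays None if no type line
            continue
        kind = KIND.match(line)
        if kind and neighbors:
            neighbors[-1]["kind"], neighbors[-1]["detail"] = kind.groups()
    return neighbors

def unexpected_dynamic(neighbors, approved_networks):
    """Addresses of dynamically created neighbors outside the approved networks."""
    approved = [ipaddress.ip_network(n) for n in approved_networks]
    flagged = []
    for n in neighbors:
        dynamic = n["kind"] in ("Remote neighbor", "Group neighbor")
        addr = ipaddress.ip_address(n["address"])
        if dynamic and not any(addr in net for net in approved):
            flagged.append(n["address"])
    return flagged
```

Statically configured neighbors and entries without a type line are never flagged; only neighbors created through the remote-neighbors command are compared against the approved list.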
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1 | Feature Information for Dynamic Neighbors |