Choosing the Right Interior Routing Protocol

Transcription

1 Expert Reference Series of White Papers Choosing the Right Interior Routing Protocol COURSES

2 Choosing the Right Interior Routing Protocol Denise Donohue, Global Knowledge Instructor, CCIE #9566 Introduction Choosing an IP routing protocol is an important step. The right protocol can make your routing operate efficiently, and the wrong one can make your life difficult. Each protocol has its own pros and cons, and works better in some situations than others. In this paper, we explore the strengths and weakness of RIP, EIGRP, OSPF, and IS-IS, and discuss when it is appropriate to use each. We will evaluate each protocol in terms of five criteria: Convergence speed Ease of use Network topology required Vendor support IPv6 support This paper also provides configuration tasks and commands for Cisco routers. It includes tips for each protocol, as well as suggestions on designing your network to maximize the efficiency of each protocol. This paper assumes the reader is already familiar with interior routing protocols. It contains a short description of each protocol, but does not go in depth on each of its features or possible configuration commands. A list of good reference material is at the end of the paper, for those wishing more information on a particular protocol. Routing Information Protocol (RIP) RIP was one of the first IP routing protocols. It is simple to understand and simple to configure. RIP version 1 sends its advertisements as broadcasts; RIP version 2 sends them as multicasts. Both versions advertise their entire routing table every 30 seconds. For both versions, the metric is hop count with each router counting as a hop. A network with a metric of 16 hops is considered unreachable, which limits the diameter of a RIP routing domain. Convergence Speed RIP is notoriously slow to converge. It is a distance vector protocol, which means that each router advertises only the path it itself is using to reach a particular network. When there is a change in the network topology, each router recalculates its routing table before announcing the change to its neighbors. If a network has gone down, the router must query its neighbors for an alternate path to the network, and wait for them to respond. Additionally, RIP employs timers such as the hold-down timer to lessen the chance of a routing loop. These timers, however, also lengthen the amount of time that incorrect information might be propagated through the network. Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 2

3 Ease of Use RIP is an easy protocol to use. All that is required is to enable RIP and configure a network statement for the router interfaces that will be running RIP. RIP version 1 is a classful routing protocol, and thus all links within the RIP domain must use the same subnet mask. RIP version 2 is classless, and thus supports variable-length subnet masking (VLSM). With either version of RIP, the network statement lists only the classful network. Network Topology The best place to use RIP is in a small network with links of about the same bandwidth since its metric does not account for differences in bandwidth. The more stable the network, the better RIP performs. RIPv1 is best used on links with only RIP devices, since its advertisements are sent as broadcasts. If it were used on a LAN link with hosts as well as a neighbor router on the link, the hosts would be interrupted every 30 seconds by RIP broadcasts. This is not a problem with RIPv2, since it sends its advertisements to the multicast address of Only devices listening for that multicast address would be affected. When using RIPv1, the same subnet mask must be used on every subnet of a classful network. There must be no discontiguous subnets. RIPv2 can handle networks with VLSM, since you can disable auto-summarization. Vendor Support Since RIP is such a well-known protocol, it is very widely supported. All Cisco routers support it, as well as firewalls, Microsoft Windows operating systems, and Unix-based operating systems. Some networks must run RIP in order to support a Unix computer. If that is the case in your network, consider sectioning off that part of the network, confining the RIP portion of the network to as few devices as possible. Run a more sophisticated protocol in the rest of the network, and redistribute the RIP routes into it. If possible, inject only a default route into the RIP area. IPv6 Support There is a version of RIP that supports IPv6, called RIPng (RFC 2080). It is available beginning in Cisco IOS version 12.2(8)T9. Tasks and Tips On a Cisco router, enable RIP under the global configuration mode and then list the classful networks for the interfaces where you want to run RIP. For instance, suppose you have the network shown in the drawing below. Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 3

4 Router B has three interfaces. Two are in the classful network , and one is in the classful network Suppose you want Routers A, B, and C to all exchange RIP information. The configuration on Router B would then be: (config)#router rip (config-router)#network (config-router)#network The default configuration sends RIPv1 advertisements and listens for both version 1 and version 2 advertisements. The version can be configured under the router configuration mode, for the entire RIP process, or in interface configuration mode, for just that interface. In the previous example, suppose you want to run RIP version 2 in general, but version 1 on the interface connecting to Router C (you can choose which version to both send and receive): (config)#router rip (config-router)#version 2 (config-router)#interface s1/0 (config-if)#ip rip send version 1 (config-if)#ip rip receive version 1 You may not want all interfaces with IP addresses in the classful network to be running RIP; in that case, you can use the passive-interface <interface> command. Making an interface passive for RIP stops the router from sending advertisements out that interface. It will still listen to RIP advertisements coming in that interface, however, and will still advertise the network assigned to that interface. A variation of this is the command passive-interface default. This makes all interfaces encompassed in the network statement passive for RIP. You can then enable RIP on a specific interface with no passive-interface <interface>. In the drawing above, the LAN interface has no other routers on it, only hosts. It would make sense to make that interface passive for RIP. The commands to accomplish that are: Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 4

5 (config)#router rip (config-router)#passive-interface fa0/0 Another option with RIPv2 is to make an interface passive, then add a neighbor statement listing the IP address of the router on the other end of a link. RIP will then send its updates as a unicast out that interface, to that neighbor. If you wanted to do this for Router A, for example, use the following commands: (config-router)#passive-interface s1/1 (config-router)#neighbor RIP will automatically summarize up to the classful network when advertising routes out an interface belonging to a different classful network. For instance, in our example network, Router B would not advertise the two subnets and to Router A. It would instead summarize and advertise only network Similarly, Router B would summarize the subnet and advertise to Router C. You can disable this functionality in RIPv2 with the following command: (config-router)#no auto-summary Turning off auto-summarization causes RIP to advertise every subnet to its neighbors. This isn t necessarily a good thing it makes the routing tables and route advertisements larger. RIPv2 allows you to manually configure summarization at the interface level. The command looks like this: (config-if)#summary-address rip <network> <subnet_mask> When using RIP in only a portion of your network, it is good practice to redistribute the RIP routes into your primary (core) protocol, and represent the core networks with either a default or static routes in the RIP portion of the network. To configure RIP to advertise a default route to its neighbors, first configure a static default route pointing to a neighbor core router. Then tell RIP to generate default information to its peers: (config)#ip route <neighbor_ip_address> (config)#router rip (config-router)#default-information originate RIP Summary Convergence Speed Slow Ease of Use Easy to understand and use Network Topology No special topology required Vendor Support Widely supported by many vendors IPv6 Support Supported When to Use Small, homogenous, stable network. When hosts require its use Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 5

6 Open Shortest Path First (OSPF) OSPF is an open standard link-state protocol, described in several RFCs. It calculates its best path using the Shortest Path First algorithm originated by Edgars Djikstra. OSPF s metric is cost. On Cisco routers, cost is based on bandwidth the default value is 108 divided by interface bandwidth. OSPF adds the cost of each link along the path to the destination network. The SPF algorithm uses this metric to build a tree containing the shortest (least-cost) path to each network. Running the SPF algorithm is very CPU intensive, which could be a liability in an unstable network. Advertisements are sent as multicasts, and once a router has converged, only triggered updates are sent. Convergence Speed OSPF is one of the fastest-converging protocols. When an OSPF router learns about a change in network topology, it forwards the information to its neighbors before recalculating its routing information. This helps speed up convergence. Each router maintains a link-state database containing information about all networks in the OSPF routing domain. If a network goes down, there is no need for a router to query its neighbors it already knows any alternate paths to that network. Once a router has updated its neighbors, it reruns the SPF algorithm and submits the resulting routes to the routing table. Ease of Use A basic OSPF configuration is fairly easy to configure. However, one of the protocol s strengths is the ability to customize it to better fit your network needs. An OSPF configuration can get very complex if you take advantage of its many features. On the plus side, many network engineers are knowledgeable and skilled in the protocol, since it is so widely used. Network Topology OSPF requires a two-level hierarchy. There is a backbone area called Area 0, and all traffic between areas transits Area 0. It fits well in hub-and-spoke networks, where you have a welldefined backbone with groups of networks branching out from it. The need for this type of topology is often the most challenging part of implementing OSPF in an existing network. Area 0 should have the most redundancy and the most bandwidth, as it is a transit area. All the other areas are required to have at least one router with at least one interface in Area 0. OSPF provides virtual links as a way around this requirement as a temporary measure while transitioning the network to fit the OSPF model. IP addressing should follow the network topology to allow for summarization of routes. For the most efficient operation, assign your IP subnets so that each area s routes are able to be summarized into as few advertisements as possible. Without summarization, information about all routes is sent to every router in the OSPF domain. When any link goes down, all routers then have to receive that information and rerun the SPF algorithm. OSPF only allows summarization at the ABRs (area border router) and ASBRs (autonomous system boundary router). In a pure hub-and-spoke network, you may be able to designate areas as stub or totally stubby areas. This helps make OSPF operation even more efficient, as it limits the information routers in the stub areas must maintain. Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 6

7 Vendor Support OSPF is a standards-based protocol. It is supported by most routers, many firewalls, and some versions of Windows. Thus, it is good for use in a multi-vendor environment. IPv6 Support Support for IPv6 is built into OSPF version 3. Cisco routers include OSPFv3 beginning in IOS 12.2(15)T9. Tasks and Tips On a Cisco router, enable OSPF under the global configuration mode. You must specify a process number this number is local to the router. Then enable OSPF on interfaces and assign those interfaces to areas using the network statement. The network statement requires a wildcard mask after the prefix information. This allows you to either specify a range of interfaces to be included in the OSPF process or limit it to one particular IP address. The network statements are read from the top down, so more specific statements should be configured first. The following examples are based on this diagram: In this example, the requirement is to enable OSPF area 0 between Router A and Router B, and OSPF area 10 between Router B and Router C. On Router B, we specify interface S1/1 by its exact IP address and include interfaces Fa0/0 and S1/0 in one network statement: (config)#router ospf 1 (config-router)#network area 0 (config-router)#network area 10 Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 7

8 This configuration makes Router B an area border router, as it belongs to both area 0 and area 10. This is a basic OSPF configuration; some additional changes can make OSPF more eff i c i e n t. Recall that all OSPF routers within an area must have an identical link state database. With a basic configuration, all network information would be flooded throughout the entire OSPF routing domain. This can create a very large OSPF database, using a significant amount of memory. When there is a topology change, all routers would be involved in convergence. This adversely impacts router CPU and network bandwidth. Additionally, as a general rule, the more routers involved in convergence, the slower the convergence time. Some tuning of OSPF can make it more efficient in terms of router and network resource use. It would make sense to make area 10 totally stubby Router C would then have only intraarea routes and a default route pointing to Router B. There is no need to send OSPF hellos out interface Fa0/0, so make it a passive interface. Additionally, if all subnets of /16 are in area 10, we could summarize the routes advertised into area 0. (config-router)#area 10 stub no-summary (config-router)#passive-interface fa0/0 (config-router)#area 10 range With these simple changes, a topology change in area 10 does not affect Router A at all, as long as the summary route is still valid. Similarly, a topology change in area 0 does not affect Router C at all. Router B is still affected by topology changes in both areas, since Area Border Routers keep the complete database for each area they border. A good design consideration is to have several ABRs each bordering a few areas, rather than a few ABRs each bordering many areas. When designing an OSPF network, it is common to wonder how many routers and networks to put in one area, and how many areas to have. There is no single good answer to these questions, as they depend on many factors. For example, networks with good summarization can accommodate more routers per area, networks with many stub areas can accommodate more areas, and routers with fast CPUs and high memory can hold more information in their databases. The main thing is to understand OSPF and work with it, rather than trying to challenge it. A well-designed OSPF network can converge quickly (in under a second) and operate eff i c i e n t- ly. For instance, consider the following network (some links have been omitted for simplicity): Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 8

9 One possible design would be to put the Core routers in Area 0, along with the connected interfaces of the Distribution routers. The two Distribution routers on the left, and their connected Access routers, would comprise one area. The two Distribution routers on the right, along with their connected Access routers, would comprise another area. Summarization could be done only on the Distribution routers. As a result, the Distribution and Access-layer routers could have about 1,030 routes in their routing tables. Also, at least six routers are involved in convergence when there is a topology change. (Perhaps more, if there are other routers in the Access-layer cloud.) Contrast this with the same network, in the EIGRP section. Another option would be to extend Area 0 to include the links between the Distribution and Access-layer routers. Then each Access-layer router would be its own OSPF area, could summarize its subnets to a 16-bit mask (e.g., /16), and could be a stub area. This would minimize the number of routes per router, and the number of routers involved in convergence in each area, but it also means that the Access routers are part of the core area. Hopefully, this helps you see that network design is a serious consideration with OSPF. In this time of such high security concerns, I would be lax not to mention authentication. OSPF can do both clear text and MD5 authentication between routers. This is a good feature to use to prevent an attacker from hijacking your routing and injecting false routes. As long as you re using authentication, you might as well use MD5, as it is more secure. Commands to enable this are given both under the OSPF routing process and under the interface configuration mode. As an example, if we wished to use authentication in area 0, using asecret1 as the password, we would configure Router B as follows: Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 9

10 (config)#router ospf 1 (config-router)#area 0 authentication message-digest (config-router)#interface s1/1 (config-if)#ip ospf message-digest-key 1 md5 asecret1 One last thing to plan in OSPF is the router ID. Each OSPF router is identified in the database by an IP address. Router ID can be statically configured under the OSPF process, or dynamically chosen by the router. If it is not statically configured, then the router chooses the highest loopback interface IP address, if any loopbacks are present. If not, then the router chooses the highest IP address of an active interface. Duplicate router IDs can cause a problem in the network and break your routing. The safest way to ensure that each router has a unique router ID is to first create a loopback interface on each router with the IP address you wish to use as that r o u t e r s ID. Next, statically configure that IP address to be the router ID under the OSPF process. Then the router ID will be unique, it will not change, and you can ping it when troubleshooting. OSPF Summary Convergence Speed Fast Ease of Use More complex than RIP or EIGRP Network Topology Requires a two-level hierarchy with backbone are. Scales to very large networks in a hierarchical network Vendor Support Widely supported by many vendors IPv6 Support Supported in OSPF v3 When to Use In a (possibly multi-vendor) network with a two-level hierarchy, and IP addressing design that allows summarization Enhanced Interior Gateway Protocol (EIGRP) EIGRP is a Cisco proprietary distance-vector routing protocol. It was created to be used with basically any media and network topology, to converge quickly, and to use network resources efficiently. It uses an algorithm called DUAL Diffusing Update Algorithm to calculate a loopfree path to each network. It really shines in networks with more than two levels of hierarchy, because you can summarize at any router s interface. EIGRP s metric is based on the lowest bandwidth on the path to a network, and the sum of the interface delays along the path to that network. Convergence Speed In a properly designed network, EIGRP converges very quickly. For every destination network, it will attempt to identify a backup route. Then, if the primary route goes down, the router immediately inserts the backup route into the table. No recalculation or querying of neighbors is necessary. The catch to this is that an alternative path to each network must exist. Additionally, EIGRP must be able to insure that the alternative path is loop-free. It does this by comparing the metric (or distance) advertised by each neighbor, for each network, to the metric of its best route to that network. Any neighbor with an advertised distance less than the best distance can be used as a backup next hop. Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 10

11 If EIGRP does not have a backup route for a network, then it must query its neighbors for an alternate path. If they don t have the route, then they query their neighbors, and so on. This takes time, and slows convergence, as EIGRP cannot chose a new path to the network until all its neighbors have answered. We will discuss ways to improve this situation later in the paper. Ease of Use EIGRP is very easy to use. It is simple to implement, and does not require any specific network topology. It will adapt itself to any type of link. There are not as many ways you can customize it as with OSPF, so even a complex EIGRP configuration is not very difficult. Network Topology Although EIGRP does not impose any requirements as far as network topology, it operates most efficiently in a hierarchical environment. It is really good in a network with multiple levels of hierarchy. Since you can summarize at any interface, you can have multiple levels of summarization in that type of network. This does three things: it reduces the amount of update traffic, it reduces the length of routing tables, and it sets boundaries for queries. Bounding queries is an important consideration with EIGRP. When a router loses the path to a network and doesn t have a backup path, then it must query all its neighbors. If those routers had the network in their routing tables and don t have a backup path either, then they must in turn query their neighbors. This progresses throughout the network. No router can answer its neighbor s query until it has gotten an answer back to all of its queries. For instance, consider the following diagram (some links have been omitted for simplification): Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 11

12 Using just a default EIGRP configuration, every router has a route for every subnet, about 2,063 routes. A topology change in any of the Access-layer subnets would cause queries to be sent throughout the entire network, assuming that no backup route exists. This uses bandwidth and router resources, and may cause a route never to converge. However, since this network has a well-designed addressing scheme, we can greatly improve EIGRP s efficiency. EIGRP supports summarization at an interface; thus, you can have multiple levels of summarization. In the above example, each Access layer router shown could summarize its networks to a 16-bit mask (e.g., /16) and each Distribution layer router could summarize these routes to a 14-bit mask (e.g., /14). Each Core router would then have just two routes, with two paths to each, in its routing table representing all the Access layer subnets. They would also have their own five links, and the links between the Distribution routers, for a total of nine routes. Each Distribution router would have the summaries from its four Access routers, plus the subnets from the Core (if it doesn t summarize) and the one from the other Distribution routers, for a total of eleven routes. Each Access router would have its 255 subnets, the summaries from the other Access routers in its side of the network (assume the links to the Distribution routers are included in those summaries), the link between its Distribution routers, the Core subnets, and the summary from the other side of the network. This gives a total of 265 routes for each Access router. After summarization, suppose subnet /24 goes down. The Access-layer router sends a query to its Distribution-layer neighbors. They never have /16 in their routing tables, but they never had a route to /24. So they reply to the query with a network unreachable message, and do not propagate the query. A total of three routers have been involved in convergence. This speeds up convergence and saves resources for the other routers in the network. Another way to bound queries is to designate a router as an EIGRP stub router. Queries are not sent to stub routers. Remember that EIGRP will select a backup route (called a feasible successor) if possible. It is a good idea to design the network so that there are backup routes, as much as possible. Then there are no queries sent out all out the new route is simply installed in the routing table. EIGRP also adapts itself to various types of network links. It sends hello messages less frequently on slower links. It also paces its packets so that it will not overwhelm a link EIGRP limits itself to using half of the bandwidth configured on an interface. This bandwidth percent is also configurable. Vendor Support EIGRP is a Cisco-proprietary routing protocol, so all routers in the EIGRP portion of your network must be Cisco. IPv6 Support As of this writing, EIGRP support for IPv6 is still being developed. Tasks and Tips Enable EIGRP routing under the global configuration mode. You must specify an autonomous Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 12

13 system number; this number must match on all routers that exchange routing information. The network statement enables EIGRP on any interface that falls within the specified range, and also tells EIGRP to advertise that interface. The network statement has an optional wildcard mask that, like the OSPF wildcard mask, allows you more precise control over the interfaces running EIGRP. Using the same example network as with the other protocols, the commands on Router B might look like this: (config)#router eigrp 44 (config-router)#network (config-router)#network One wrinkle of EIGRP is that, by default, it will automatically summarize routes at the classful boundary just like RIP and IGRP. Thus, Router B would advertise only network /8 to Router A. You can turn this feature off, however, and manually configure summarization at a point of your choosing. For instance, if all subnets of are behind Router B, we could summarize them in Router B s advertisements to Router A. (config)#router eigrp 44 (config-router)#no auto-summary (config-router)#interface s1/1 (config-if)ip summary-address eigrp Since neither Routers A nor C are transit routers, it would not make sense for Router B to query them if it lost a route. We can designate them as stub routers. The command is given under the router configuration mode. Once the command is issued, the stub router sends a message to its EIGRP neighbors, telling them it is a stub. They will mark it as a stub in their neighbor database and not send it any queries. By default, a stub will advertise only its connected routes, static routes, and summary routes, although you can configure it to behave differently. To configure an EIGRP stub router: Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 13

14 (config)#router eigrp 44 (config-router)#eigrp stub One other option you may want to add to your EIGRP configuration is authentication. When you enable authentication, each EIGRP packet carries an MD5 keyed digest. Configuring this takes several steps, but would be worth it if it prevented unauthorized or false route information from being propagated throughout your network. You must configure one or more key chains, and then one or more keys under each chain. Each key can be given a specific lifetime, for more security. The router uses the first valid key it finds. Next you must enable authentication under each interface, and tell the router which key chain to use. To configure a key chain named MyNet, with a key #1 of ReallySecure, and enable it under interface s1/1, the commands would look like this: (config)#key chain MyNet (config-keychain)#key 1 (config-keychain-key)#key-string ReallySecure (config-keychain-key)#exit (config)#interface s1/1 (config-if)#ip authentication mode eigrp 44 md5 (config-if)#ip authentication key-chain eigrp 44 MyNet Of course, authentication must be configured on routers on both ends of a link, using the same authentication information. It is a good idea to build redundancy, and thus backup paths, into your EIGRP network. In some networks this takes the form of parallel links between pairs of routers. Currently, EIGRP will form a separate neighbor adjacency and send separate messages over each link, even though they all connect to the same neighbor. Future versions of EIGRP will peer based on router ID, rather than per link, cutting down on resource use when you have parallel links. Router ID is dynamically selected in the same way as with OSPF and BGP the highest loopback IP address, or the highest IP address of an interface active when EIGRP was initiated. EIGRP Summary Convergence Speed Fast. Extremely fast with a feasible successor Ease of Use Fairly easy to use. Not as complex a configuration as OSPF Network Topology No topology requirement. Good in a network with multiple levels on hierarchy. Scales to very large networks, if network is properly designed. Vendor Support Cisco proprietary IPv6 Support Under development When to Use In an all-cisco network, or portion of network, with IP addressing is designed for summarization Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 14

15 Intermediate System Intermediate System (IS-IS) IS-IS is a routing protocol created by the ISO and is based on OSI protocols, not on IP. However, there is a version of IS-IS adapted to carry IP route information, called Integrated IS-IS. This is the version we discuss here. IS-IS uses CLNS and CLNP to establish adjacencies and distribute reachability information IP prefix information is just carried in route updates as if it were end-system information. IS-IS gets its name because it calls a router an Intermediate System. Thus, the protocol defines communication from an Intermediate System to another Intermediate System. IS-IS is a link-state protocol and, like OSPF, divides the network into areas. All inter-area communication goes through the backbone, but the backbone is not a discrete area. An IS-IS backbone is merely an unbroken string of routers doing Level 2 (inter-area) routing. These routers can belong to any area. This makes IS-IS network design much more flexible than OSPF, and makes it more useful in a geographically dispersed network. The metric for IS-IS is cost, but Cisco assigns a cost value of 10 to every interface. Convergence Speed Since it is a link-state protocol, IS-IS converges very quickly. Several factors make it more efficient than OSPF. A change in the IP network topology does not necessarily cause routers to have to reconverge. The SPF algorithm is run on CLNS information. If an IP link goes up or down, that information is sent to other routers, but IS-IS needs to recalculate its SPF information only if the link change affects an adjacency. Another way IS-IS is more efficient involves the roles of Level 1 (L1), Level 2 (L2), and Level 1/Level 2 (L1/2) routers. L1/2 routers (routers doing both inter- and intra-area routing) automatically send just a default route to any L1 neighbors in their area. L1 (intra-area only) routers thus know only the links within their own area, and default routes from their L1/2 routers. Therefore, they need to converge only if the topology changes within their own area. Similarly, L2 routers maintain a database of only routes outside their area, which limits when they need to converge. Finally, one IS-IS update packet can carry information about many IP subnets. (Contrast this with OSPF, which sends a separate Type 3 LSA per prefix.) Thus, IS-IS updates use link bandwidth more efficiently. Ease of Use Using IS-IS involves learning some new terms and concepts. The configuration tasks are different from native IP routing protocols. Configuring it is not difficult, however, once you understand how it works. The main problem is that fewer companies use IS-IS than use OSPF, and thus fewer network engineers know how to support it. IS-IS configurations tend to be less complex than OSPF, mostly because there are fewer changes you can make to the protocol s operation. Network Topology IS-IS is a link-state protocol and thus divides the network into a two-level hierarchy using area. Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 15

16 All inter-area communication is done through the backbone. However, backbone design is much more flexible with IS-IS than with OSPF. The IS-IS backbone is simply a continuous chain of routers doing either L2 or L1/2 routing. IS-IS really shines in a very large network it provides not only fast convergence but is very stable even with frequent IP topology changes. It is typically used in networks with sites worldwide, such as large ISPs. The following diagram shows a network where IS-IS would fit well. Sites are far-flung, there are several routers and hosts at each site, and there is no particular core area. Network design is still important with IS-IS; in fact, the CLNS part of the protocol requires an additional amount of planning. Areas must be planned out. With IS-IS, an entire router is within an area and area borders are on the link between areas. Each router has its own ISO address (called its NET ) which specifies the area number and the system ID. These addresses must be planned. You must decide which type of intermediate system each router will be: L1, L2, or L1/2. Additionally, you must plan the IP addressing scheme. IS-IS is a classless protocol, thus you can use VLSM. It is also capable of summarizing IP addresses. You would typically want to plan your IP addressing so that you are able to summarize at area borders. This reduces the amount of information your neighbor routers must store in their routing tables, and also the amount of information your router must send in its updates. One other issue that must be addressed is the type of links in the network. IS-IS will work properly only over two types of links: point-to-point (such as a T1) and multi-access broadcast (such as ethernet.) When using IS-IS over multi-access networks such as frame relay and ATM, be sure to use point-to-point sub-interfaces. The alternative to this is a full mesh of PVCs, but it will break IS-IS if one of them goes down, so do not use this alternative. Vendor Support IS-IS was created by the ISO and is specified in ISO documents, but Integrated IS-IS is out- Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 16

17 lined in RFCs. Many router manufacturers support it, including Cisco. You are not likely to find support for it on firewalls and servers, however. IPv6 Support IP reachability information is carried in Type/Length/Value (TLV) fields in an IS-IS PDU. These fields were modified to carry IPv4 information; enabling them to carry IPv6 information is just another modification. Switching from IPv4 to IPv6 does not require an entire rewrite of the protocol. Thus, IS-IS is ideally positioned to support IPv6, and indeed does support it on Cisco routers. Tasks and Tips Because configuring IS-IS requires more planning than an all-ip network, let s look at a case study. Illustrated below is the same network shown in the OSPF and EIGRP sections, with some redundancy removed for simplification: Some of the IP addressing is already done. But where would you divide the network into areas? What will you name the areas? What numbering scheme will you use to identify each router s system ID? What type of IS-IS router would each one be? It is beyond the scope of this paper to explore all the design options, but let s suppose you decide to create the following areas: Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 17

18 Routers D, H, I Area DDDD Routers E, J, K Area EEEE Routers F, L, M Area FFFF Routers G, N, O Area 0006 Routers A, B, C Area ABC The Access routers, H and I, J and K, L and M, and N and O will be L1 routers. They will form adjacencies with each other and with the L1/1 router in their area. The Distribution routers, D, E, F, and G will be L1/2 routers. They need to form adjacencies with the L1 routers in their area, and also with routers in other areas. The Core routers, A, B, and C can be just L2 routers, as they will only form adjacencies with each other and with routers in other areas. The areas and backbone would then look like this drawing. The thicker lines are the ISIS backbone. Taking Area DDDD as an example, let s look at the configuration tasks. The first task is to configure IP addresses on the interfaces as usual. Once that is done, you can configure IS-IS routing. As an easy system ID scheme, we will number each router then use a combination of the area ID and that number as its system ID. On Router D, the configuration would be: (config)#router isis (config-router)#net dddd.0000.dddd (config-router)#interface s0/0 (config-if)#ip router isis <continue with other interfaces> Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 18

19 Cisco routers are L1/2 by default, and that is what we want Router D to be, so we don t need to specify it. On Routers H and I, we would need to add the following command under the IS- IS router configuration mode: (config-router)#is-type level-1 These commands will start IS-IS running on each of the routers. There are some things you probably want to do, however, to make your routing more efficient and secure. The first thing is to adjust the metrics on each interface. IS-IS uses a metric of 10 for every interface, no matter what the speed. You may want to give higher speed links a lower metric. It s important to use the same metric assignments through your entire network. The command is given at interface configuration mode: (config-if) isis metric <number> You should also adjust the circuit types of the interfaces on the L1/2 routers. By default, they will be sending both types of hellos out to every IS-IS interface. However, they will only establish a L1 adjacency with the L1 routers, and L2 adjacencies with the L2 routers and the L1/2 routers in other areas. It s inefficient to send unnecessary hellos. You can correct this by specifying a circuit type at the interface configuration mode: (config-if)isis circuit-type [level-1 level-1-2 level-2-only] Summarizing is done on routers bordering other areas, under the IS-IS configuration mode. The command is similar to those in other protocols. If Router D were summarizing its two subnets, the command would be: (config-router)#summary-address One last option you should consider is authentication. With IS-IS, passwords can be configured either at an interface, for an entire area, or for the entire IS-IS routing domain. Passwords configured at an interface are carried in IS-IS hello packets and thus authenticate the establishment of adjacencies. The area password is carried in all L1 messages and authenticates the exchange of intra-area routing information. The domain-wide password is carried in L2 messages and thus authenticates the exchange of inter-area routing information. Multiple types of passwords can be used on a router. However, you should understand that these passwords are sent as clear text and so provide only limited security. Use the following commands to configure IS-IS authentication: (config-if)isis password <password> [level-1 level-2] (config-if)#router isis (config-router)#area-password <password> (config-router)#domain-password <password> Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 19

20 IS-IS Summary Convergence Speed Fast. Uses fewer router and network resources than OSPF Ease of Use Harder because engineers must learn CLNS configuration as well as IP. Not as many things to tune as OSPF Network Topology Uses areas, but backbone is link of routers. Scales to very large networks Vendor Support OSI protocol extended for use with IP. Supported by large router manufacturers IPv6 Support Supports IPv6 When to Use In a large, spread-out network with no centralized core Learn More Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge courses: INTRO Introduction to Cisco Networking Technologies ICND Interconnecting Cisco Network Devices CCNA Boot Camp BCRAN Building Cisco Remote Access Network BSCI Building Scalable Cisco Internetworks CIT Cisco Internetwork Troubleshooting MPLS Implementing Cisco MPLS For more information or to register, visit or call COURSES to speak with a sales representative. Our courses and enhanced, hands-on labs offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 700 courses, delivered through Classrooms, e-learning, and On-site sessions, to meet your IT and management training needs. About the Author Denise Donohue, CCIE #9566, is an instructor for Global Knowledge. She teaches the Cisco CCNA and CCNP courses, as well as BGP and QoS. She is the course director for the Cisco BSCI and BGP courses. Denise co-authored Cisco's BSCI course and the Cisco Press book, CCNP Flash Cards and Exam Practice Pack. Before coming to Global Knowledge, she was a network consultant. Denise has her CCIE certification in Routing and Switching. For Further Reading Routing TCP/IP, Jeff Doyle, Cisco Press Advance IP Network Design, Alvaro Retana, Don Slice, Russ White, Cisco Press Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 20

21 EIGRP for IP, Alvaro Retana, Russ White, Don Slice, Addison-Wesley OSPF: Anatomy of a Routing Protocol, John T. Moy, Addison-Wesley Cisco OSPF Command and Configuration Handbook, William Parkhurst, Cisco Press Interconnections, Radia Perlman, Addison-Wesley Copyright 2005 Global Knowledge Network, Inc. All rights reserved. Page 21