Nortel Secure Router 8000 Series

Configuration - IP Routing Release: 5.3 Document Revision: 01.01

www.nortel.com

NN46240-505 324559-A Rev01

Nortel Secure Router 8000 Series Release: 5.3 Publication: NN46240-505 Document Revision: 01.01 Document status: Standard Document release date: 30 March 2009

Copyright © 2009 Nortel Networks All Rights Reserved.

Printed in Canada, India, and the United States of America

LEGAL NOTICE

While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document are subject to change without notice.

Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks.

All other trademarks are the property of their respective owners.

ATTENTION For information about the safety precautions, read "Safety messages" in this guide. For information about the software license, read "Software license" in this guide.

Nortel Secure Router 8000 Series Configuration - IP Routing

Contents

About this document
1 IP routing overview
1.1 Overview of IP routing and the routing table
1.1.1 Route and route segments
1.1.2 Route selection through the routing table
1.2 Routing protocol overview
1.2.1 Static and dynamic routes
1.2.2 Dynamic routing protocols classification
1.2.3 Routing protocols and route preferences
1.2.4 Load balancing and route backup
1.2.5 Sharing routing information between protocols
1.3 Routing management
1.3.1 Displaying the routing table
1.3.2 Displaying and debugging of the routing management module
2 IP static route configuration
2.1 Introduction
2.1.1 Static routes
2.1.2 Default routes
2.1.3 Attributes and functions of IPv6 static routes
2.2 Configuring IPv4 static routes
2.2.1 Establishing the configuration task
2.2.2 Configuring an IPv4 static route
2.2.3 Configuring the default preference for the IPv4 static route
2.2.4 Checking the configuration
2.3 Configuring IPv6 static routes
2.3.1 Establishing the configuration task
2.3.2 Configuring an IPv6 static route
2.3.3 Checking the configuration
2.4 Configuration examples
2.4.1 Example of configuring IPv4 static routes
2.4.2 Example of configuring IPv6 static routes

Issue 5.3 (30 March 2009) Nortel Networks Inc. i


3 RIP configuration
3.1 Introduction
3.1.1 Overview of RIP
3.1.2 Principles of RIP operation
3.1.3 RIP version
3.1.4 RIP packet formats
3.1.5 Supported RIP features
3.1.6 References
3.2 Configuring basic RIP functions
3.2.1 Establishing the configuration task
3.2.2 Enabling RIP
3.2.3 Enabling RIP on the specified network segment
3.2.4 Configuring the working status of the interface
3.2.5 Configuring the RIP version
3.2.6 Checking the configuration
3.3 Controlling RIP routing information
3.3.1 Establishing the configuration task
3.3.2 Configuring additional metrics of the interface
3.3.3 Configuring RIP route aggregation
3.3.4 Enabling RIP to receive host routes
3.3.5 Configuring RIP to advertise the default routes
3.3.6 Configuring RIP to filter the received routes
3.3.7 Configuring RIP protocol preference
3.3.8 Configuring RIP to import external routes
3.3.9 Checking the configuration
3.4 Adjusting and optimizing RIP networks
3.4.1 Establishing the configuration task
3.4.2 Configuring RIP timers
3.4.3 Configuring the sending interval and the number of sent packets
3.4.4 Configuring Split Horizon and Poison Reverse
3.4.5 Configuring the maximum number of equal-cost routes
3.4.6 Configuring RIP to check the validity of the update packets
3.4.7 Configuring packet authentication of RIP-2
3.4.8 Configuring RIP neighbors
3.4.9 Configuring RIP and MIB binding
3.4.10 Checking the configuration
3.5 Maintaining RIP
3.6 Configuration examples
3.6.1 Example of configuring the RIP Version
3.6.2 Example of configuring RIP to import external routes
4 RIPng configuration


4.1 Overview
4.1.1 RIPng overview
4.1.2 Operation principle
4.1.3 RIPng packet formats
4.1.4 RIPng packet processing
4.1.5 References
4.2 Configuring basic RIPng functions
4.2.1 Establishing the configuration task
4.2.2 Enabling RIPng and entering the RIPng view
4.2.3 Enabling RIPng in the interface view
4.2.4 Checking the configuration
4.3 Controlling RIPng routing information
4.3.1 Establishing the configuration task
4.3.2 Configuring RIPng protocol preference
4.3.3 Configuring additional metrics of the interface
4.3.4 Configuring RIPng route aggregation
4.3.5 Configuring RIPng to advertise the default routes
4.3.6 Configuring RIPng to filter the received routes
4.3.7 Configuring the default cost for external routes imported by RIPng
4.3.8 Configuring RIPng to import external routes
4.3.9 Checking the configuration
4.4 Adjusting and optimizing RIPng networks
4.4.1 Establishing the configuration task
4.4.2 Configuring RIPng timers
4.4.3 Configuring Split Horizon and Poison Reverse
4.4.4 Enabling zero field checks of the RIPng packets
4.4.5 Configuring the maximum number of equal-cost routes
4.4.6 Checking the configuration
4.5 Maintaining RIPng
4.6 Example of configuring RIPng to filter the received routes
5 OSPF configuration
5.1 Overview
5.1.1 Introduction
5.1.2 OSPF concepts
5.1.3 OSPF areas and route aggregation
5.1.4 OSPF network types
5.1.5 OSPF packet format
5.1.6 Supported OSPF features
5.1.7 References
5.2 Configuring basic OSPF functions
5.2.1 Establishing the configuration task


5.2.2 Enabling OSPF and entering the OSPF view
5.2.3 Configuring the network segments included by each area
5.2.4 Checking the configuration
5.3 Configuring OSPF area features
5.3.1 Establishing the configuration task
5.3.2 Configuring OSPF stub areas
5.3.3 Configuring an OSPF NSSA
5.3.4 Configuring OSPF virtual links
5.3.5 Checking the configuration
5.4 Configuring OSPF network types
5.4.1 Establishing the configuration task
5.4.2 Configuring network types of OSPF interfaces
5.4.3 Configuring neighbors for NBMA networks
5.4.4 Configuring DR priorities of OSPF interfaces
5.4.5 Checking the configuration
5.5 Controlling OSPF routing information
5.5.1 Establishing the configuration task
5.5.2 Configuring OSPF route aggregation
5.5.3 Configuring OSPF to filter the received routes
5.5.4 Configuring OSPF to filter ABR Type 3 LSA
5.5.5 Configuring the link cost of OSPF
5.5.6 Configuring the maximum number of equal-cost routes
5.5.7 Configuring the priority for OSPF
5.5.8 Configuring OSPF to import external routes
5.5.9 Checking the configuration
5.6 Adjusting and optimizing OSPF networks
5.6.1 Establishing the configuration task
5.6.2 Configuring OSPF packet timer
5.6.3 Configuring the OSPF retransmission limit
5.6.4 Configuring the delay to transmit LSAs on the interface
5.6.5 Configuring the update and receive interval for LSAs
5.6.6 Configuring the SPF calculation interval
5.6.7 Suppressing the interface from receiving and sending OSPF packets
5.6.8 Configuring a stub router
5.6.9 Configuring the authentication mode for OSPF areas
5.6.10 Configuring the MTU in DD packets
5.6.11 Configuring the maximum number of external LSAs in the LSDB
5.6.12 Configuring RFC 1583 compatible external routing
5.6.13 Configuring the network management of OSPF
5.6.14 Checking the configuration
5.7 Configuring OSPF Graceful Restart
5.7.1 Establishing the configuration task


5.7.2 Enabling OSPF GR
5.7.3 Checking the configuration
5.8 Maintaining OSPF
5.8.1 Resetting OSPF
5.8.2 Clearing OSPF
5.8.3 Debugging OSPF
5.9 Configuration examples
5.9.1 Example of configuring basic OSPF functions
5.9.2 Example of configuring OSPF stub areas
5.9.3 Example of configuring an OSPF NSSA
5.9.4 Example of configuring DR election of OSPF
5.9.5 Example of configuring OSPF virtual links
5.9.6 Example of configuring OSPF load balancing
5.9.7 Example of configuring OSPF GR
6 OSPFv3 configuration
6.1 Overview
6.1.1 OSPFv3 overview
6.1.2 OSPFv3 protocol packets
6.1.3 LSA type
6.1.4 Supported OSPFv3 features
6.1.5 References
6.2 Configuring basic OSPFv3 functions
6.2.1 Establishing the configuration task
6.2.2 Enabling OSPFv3
6.2.3 Enabling OSPFv3 on the interface
6.2.4 Entering OSPFv3 area view
6.2.5 Checking the configuration
6.3 Configuring OSPFv3 area features
6.3.1 Establishing the configuration task
6.3.2 Configuring OSPFv3 stub areas
6.3.3 Configuring OSPFv3 virtual links
6.3.4 Checking the configuration
6.4 Controlling OSPFv3 routing information
6.4.1 Establishing the configuration task
6.4.2 Configuring OSPFv3 route summary
6.4.3 Configuring OSPFv3 to filter the received routes
6.4.4 Configuring the cost of the OSPFv3 interface
6.4.5 Configuring the maximum number of equal-cost routes
6.4.6 Configuring OSPFv3 to import external routes
6.4.7 Checking the configuration
6.5 Adjusting and optimizing OSPFv3 networks


6.5.1 Establishing the configuration task
6.5.2 Configuring the OSPFv3 packet timer
6.5.3 Configuring the LSA transmit delay on the interface
6.5.4 Configuring the SPF timer
6.5.5 Configuring the DR priority of the interface
6.5.6 Ignoring the MTU check on DD packets
6.5.7 Suppressing the interface from sending and receiving OSPFv3 packets
6.5.8 Checking the configuration
6.6 Maintaining OSPFv3
6.7 Configuration examples
6.7.1 Example of configuring OSPFv3 areas
6.7.2 Example of configuring OSPFv3 DR election
6.7.3 Example of configuring OSPFv3 virtual links
7 IS-IS configuration
7.1 Introduction
7.1.1 Basic concepts
7.1.2 IS-IS areas
7.1.3 IS-IS network types
7.1.4 IS-IS PDU formats
7.1.5 IS-IS support for IPv6
7.1.6 Supported IS-IS features
7.1.7 References
7.2 Configuring basic IS-IS functions
7.2.1 Establishing the configuration task
7.2.2 Enabling IS-IS processes
7.2.3 Configuring NET
7.2.4 Configuring the level of a router
7.2.5 Enabling IS-IS on the specified interface
7.2.6 Checking the configuration
7.3 Controlling IS-IS routing information
7.3.1 Establishing the configuration task
7.3.2 Configuring the preference of IS-IS
7.3.3 Configuring the link cost
7.3.4 Configuring IS-IS route aggregation
7.3.5 Configuring IS-IS to generate default routes
7.3.6 Configuring IS-IS to filter the routing information received
7.3.7 Set the state of an IS-IS interface to suppressed
7.3.8 Configuring IS-IS to import external routes
7.3.9 Configuring route leaking
7.3.10 Checking the configuration
7.4 Adjusting and optimizing IS-IS


7.4.1 Establishing the configuration task
7.4.2 Configuring the network type of an interface
7.4.3 Configuring the level of an IS-IS interface
7.4.4 Configuring the DIS priority of the interface
7.4.5 Configuring IS-IS to ignore the check on IP addresses of received hello packets
7.4.6 Configuring IS-IS packet timers
7.4.7 Configuring LSP parameters
7.4.8 Configuring SPF parameters
7.4.9 Enabling LSP fast flooding
7.4.10 Configuring IS-IS dynamic hostname mapping
7.4.11 Configuring IS-IS authentication
7.4.12 Configuring LSDB overload flag bit
7.4.13 Configuring output of the adjacency state
7.4.14 Checking the configuration
7.5 Configuring IS-IS GR
7.5.1 Establishing the configuration task
7.5.2 Enabling IS-IS GR
7.5.3 Configuring parameters for an IS-IS GR session
7.5.4 Checking the configuration
7.6 Configuring BFD for IS-IS
7.6.1 Establishing the configuration task
7.6.2 Configuring BFD one-hop detection
7.6.3 Enabling IS-IS fast sense
7.6.4 Checking the configuration
7.7 Configuring IS-IS IPv6 features
7.7.1 Establishing the configuration task
7.7.2 Enabling IPv6 on IS-IS processes
7.7.3 Enabling IPv6 on IS-IS interfaces
7.7.4 Configuring IPv6 route features of IS-IS
7.7.5 Checking the configuration
7.8 Maintaining IS-IS
7.8.1 Resetting the IS-IS data structure
7.8.2 Resetting a specific IS-IS peer
7.8.3 Debugging IS-IS
7.9 Configuration examples
7.9.1 Example of configuring basic IS-IS functions
7.9.2 Example of configuring IS-IS in an NBMA network
7.9.3 Example of configuring route convergence
7.9.4 Example of configuring the DIS election of IS-IS
7.9.5 Example of configuring IS-IS load balancing
7.9.6 Example of configuring IS-IS GR
7.9.7 Example of configuring BFD for IS-IS


7.9.8 Example of configuring IS-IS fast convergence
7.9.9 Example of configuring basic IS-IS IPv6 functions
8 BGP configuration
8.1 Introduction
8.1.1 BGP
8.1.2 BGP message
8.1.3 BGP route attributes
8.1.4 Principles of route selection
8.1.5 IBGP and IGP synchronization
8.1.6 Issues in large-scale BGP networks
8.1.7 MP-BGP
8.1.8 BGP GR
8.1.9 References
8.2 Configuring basic BGP functions
8.2.1 Establishing the configuration task
8.2.2 Configuring basic BGP functions
8.2.3 Configure BGP to advertise the local routes
8.2.4 Configuring the local interfaces used for BGP connections
8.2.5 Configuring the maximum number of hops in EBGP connections
8.2.6 Entering BGP extended address family view
8.2.7 Checking the configuration
8.3 Controlling the advertising and receiving of routing information
8.3.1 Establishing the configuration task
8.3.2 Configuring BGP to import IGP routes
8.3.3 Configuring BGP to filter the imported routes
8.3.4 Configuring BGP route aggregation
8.3.5 Configuring a router to advertise default routes to its peer
8.3.6 Configuring related access lists
8.3.7 Configuring related routing policies
8.3.8 Policies for advertising BGP routing information
8.3.9 Configuring the policies for receiving BGP routing information
8.3.10 Configuring BGP route dampening
8.3.11 Checking the configuration
8.4 Configuring BGP route attributes
8.4.1 Establishing the configuration task
8.4.2 Configuring the BGP preference
8.4.3 Configuring the default local_pref attribute
8.4.4 Configuring the MED attribute
8.4.5 Configuring the next_hop attribute
8.4.6 Configuring the AS-Path attribute
8.4.7 Checking the configuration


8.5 Adjusting and optimizing BGP networks
8.5.1 Establishing the configuration task
8.5.2 Configuring BGP timers
8.5.3 Configuring the interval for sending update packets
8.5.4 Configuring BGP soft resetting
8.5.5 Enabling quick resetting of EBGP connections
8.5.6 Configuring MD5 authentication
8.5.7 Configuring the maximum number of equal-cost routes
8.5.8 Configuring EBGP split horizon
8.5.9 Checking the configuration
8.6 Building large-sized BGP networks
8.6.1 Establishing the configuration task
8.6.2 Configuring a BGP peer group
8.6.3 Configuring the BGP community
8.6.4 Configuring the BGP route reflector
8.6.5 Configuring the BGP confederation
8.6.6 Checking the configuration
8.7 Configuring BGP GR
8.7.1 Establishing the configuration task
8.7.2 Enabling BGP GR
8.7.3 Configuring GR parameters for the BGP session
8.7.4 Checking the configuration
8.8 Maintaining BGP
8.8.1 Resetting BGP connections
8.8.2 Clearing BGP information
8.8.3 Debugging BGP
8.9 Configuration examples
8.9.1 Example of configuring basic BGP functions
8.9.2 Example of configuring AS-Path filter
8.9.3 Example of configuring BGP to interact with IGP
8.9.4 Example of configuring BGP load balancing and MED attribute
8.9.5 Example of configuring the BGP community
8.9.6 Example of configuring the BGP route reflector
8.9.7 Example of configuring the BGP confederation
9 BGP4+ configuration
9.1 Introduction
9.2 Configuring basic BGP4+ functions
9.2.1 Establishing the configuration task
9.2.2 Configuring an IPv6 peer
9.2.3 Configuring BGP4+ to advertise local IPv6 routes
9.2.4 Configuring the local interfaces used for BGP4+ connections


9.2.5 Configuring the maximum number of hops in EBGP connections
9.2.6 Checking the configuration
9.3 Controlling the routing information
9.3.1 Establishing the configuration task
9.3.2 Configuring BGP4+ to import and filter external routes
9.3.3 Configuring routers to advertise default routes to peers
9.3.4 Configuring the policies for advertising BGP routing information
9.3.5 Configuring the policies for receiving BGP routing information
9.3.6 Configuring BGP route dampening
9.3.7 Checking the configuration
9.4 Configuring the BGP4+ route attributes
9.4.1 Establishing the configuration task
9.4.2 Configuring the preference of BGP4+ protocol
9.4.3 Configuring the default local_pref attribute of the local router
9.4.4 Configuring the MED attributes
9.4.5 Configuring the next_hop attributes
9.4.6 Configuring the AS_path attributes
9.4.7 Checking the configuration
9.5 Adjusting and optimizing BGP4+ networks
9.5.1 Establishing the configuration task
9.5.2 Configuring the peer timer
9.5.3 Configuring the interval for sending update packets
9.5.4 Configuring BGP4+ soft resetting
9.5.5 Configuring the maximum number of equal-cost routes
9.5.6 Checking the configuration
9.6 Building large-scale BGP4+ networks
9.6.1 Establishing the configuration task
9.6.2 Configuring a BGP4+ peer group
9.6.3 Configuring the BGP4+ community
9.6.4 Configuring the BGP4+ route reflector
9.6.5 Checking the configuration
9.7 Maintaining BGP4+
9.7.1 Debugging BGP4+
9.7.2 Resetting BGP4+ connections
9.7.3 Clearing BGP4+ statistics
9.8 Configuration examples
9.8.1 Example of configuring basic BGP4+ functions
9.8.2 Example of configuring BGP4+ route reflection
10 Routing policy configuration
10.1 Introduction
10.1.1 Routing policy


10.1.2 Filters
10.1.3 Application of routing policy
10.1.4 FRR principle
10.1.5 Routing table
10.2 Configuring IP-prefix list
10.2.1 Establishing the configuration task
10.2.2 Configuring an IPv4 prefix list
10.2.3 Configuring an IPv6 prefix list
10.2.4 Checking the configuration
10.3 Configuring the route-policy
10.3.1 Establishing the configuration task
10.3.2 Creating a route-policy
10.3.3 Configuring if-match clauses
10.3.4 Configuring apply clauses
10.3.5 Checking the configuration
10.4 Applying routing filters
10.4.1 Establishing the configuration task
10.4.2 Filtering the route received
10.4.3 Configuring the route advertised
10.4.4 Applying route-policy when external routes are imported
10.4.5 Checking the configuration
10.5 Controlling valid time of routing policy
10.5.1 Establishing the configuration task
10.5.2 Configuring the delay for applying routing policy
10.5.3 Checking the configuration
10.6 Configuring IP FRR of the public network
10.6.1 Establishing the configuration task
10.6.2 Configuring route-policy
10.6.3 Enabling IP FRR in the public network
10.6.4 Checking the configuration
10.7 Maintaining routing policy
10.7.1 Clearing statistics of IP prefix list
10.8 Configuration examples
10.8.1 Example of filtering routes received and sent
10.8.2 Example of applying the routing policy during importing routes
10.8.3 Example of configuring the IP FRR of the public network
A Acronyms and abbreviations
Index


Figures

Figure 1-1 Route segments
Figure 1-2 Routing table
Figure 2-1 IPv4 static route network diagram
Figure 2-2 IPv6 static route network diagram
Figure 3-1 RIP-1 packet format
Figure 3-2 RIP-2 packet format
Figure 3-3 RIP-2 authentication packet format
Figure 3-4 RIP version network diagram
Figure 3-5 RIP importing external routes network diagram
Figure 4-1 RIPng packet basic format
Figure 4-2 Next-hop RTE format
Figure 4-3 IPv6 prefix RTE format
Figure 4-4 RIPng network diagram
Figure 5-1 OSPF area partition
Figure 5-2 OSPF router types
Figure 5-3 Virtual link schematic diagram 1
Figure 5-4 Virtual link schematic diagram 2
Figure 5-5 NSSA
Figure 5-6 Route aggregation
Figure 5-7 DR and BDR schematic diagram
Figure 5-8 OSPF packet format
Figure 5-9 OSPF packet header format
Figure 5-10 Hello packet format
Figure 5-11 DD packet format
Figure 5-12 LSR packet format
Figure 5-13 LSU packet format


Figure 5-14 LSAck packet format
Figure 5-15 LSA header format
Figure 5-16 Router LSA format
Figure 5-17 Network LSA format
Figure 5-18 Summary LSA format
Figure 5-19 AS-External LSA format
Figure 5-20 NSSA External LSA format
Figure 5-21 OSPF basic configuration
Figure 5-22 OSPF stub area configuration
Figure 5-23 OSPF NSSA configuration
Figure 5-24 DR election of OSPF configuration
Figure 5-25 OSPF virtual link configuration
Figure 5-26 OSPF load balancing configuration
Figure 5-27 OSPF GR configuration
Figure 6-1 OSPFv3 packet header
Figure 6-2 OSPFv3 area configuration
Figure 6-3 DR election of OSPFv3
Figure 6-4 OSPFv3 virtual link configuration
Figure 7-1 IS-IS address structure
Figure 7-2 IS-IS topology 1
Figure 7-3 IS-IS topology 2
Figure 7-4 DISs and adjacencies in IS-IS broadcast networks
Figure 7-5 PDU format
Figure 7-6 PDU header format
Figure 7-7 Level-1 and Level-2 LAN IIH format
Figure 7-8 P2P IIH format
Figure 7-9 Level-1 and Level-2 LSP format
Figure 7-10 LSDB overload schematic diagram
Figure 7-11 Level-1 and Level-2 CSNP format
Figure 7-12 Level-1 and Level-2 PSNP format
Figure 7-13 CLV format
Figure 7-14 Basic IS-IS configuration
Figure 7-15 IS-IS in NBMA network configuration


Figure 7-16 Route convergence of IS-IS configuration
Figure 7-17 DIS election of IS-IS configuration
Figure 7-18 IS-IS load balancing configuration
Figure 7-19 IS-IS GR configuration
Figure 7-20 BFD for IS-IS configuration
Figure 7-21 IS-IS fast convergence network diagram
Figure 7-22 Basic IS-IS IPv6 feature network diagram
Figure 8-1 BGP message packet header
Figure 8-2 Open message format
Figure 8-3 Update message format
Figure 8-4 Notification message format
Figure 8-5 BGP route-refresh message format
Figure 8-6 AS-Path attribute
Figure 8-7 Next_Hop attribute
Figure 8-8 MED attribute
Figure 8-9 Local_Pref attribute
Figure 8-10 IBGP and IGP synchronization
Figure 8-11 BGP route dampening
Figure 8-12 Route reflector
Figure 8-13 Confederation
Figure 8-14 Basic BGP configuration
Figure 8-15 AS-Path filter
Figure 8-16 Interaction between BGP and IGP
Figure 8-17 BGP route selection
Figure 8-18 BGP community
Figure 8-19 BGP route reflector configuration
Figure 8-20 Confederation configuration
Figure 9-1 Basic BGP4+ functions
Figure 9-2 BGP route reflector
Figure 10-1 Routing information sent and received
Figure 10-2 Routing policy application during route import
Figure 10-3 IP FRR in the public network


Tables

Table 1-1 Routing protocols and default preferences
Table 1-2 Routing table display commands
Table 1-3 Display and debug commands
Table 7-1 PDU types
Table 7-2 PDU types and the included CLV names
Table 7-3 Relationship between the interface cost and the bandwidth
Table 8-1 Route attributes and their types
Table 10-1 Differences between routing policy and policy-based routing


About this document

Overview

This document describes the configuration methods of IP routing in terms of features and basic principles of various protocols, configuration procedures in different scenarios, and configuration examples.

Related versions

The following table lists the product versions related to this document.

Product name                      Version
Nortel Secure Router 8000 Series  V200R005

Intended audience

The intended audiences of this document are the following:

- Network operators
- Network administrators
- Network maintenance engineers

Organization

The following table describes the chapters in this document.

Chapter                                Description
1 IP Routing Overview                  This chapter describes the IP route, the routing table, the routing protocol, and routing management.
2 IP Static Route Configuration        This chapter describes the fundamentals of the static route, configuration steps for IPv4 static routes, and typical examples.
3 RIP Configuration                    This chapter describes the Routing Information Protocol (RIP) fundamentals, steps to configure basic RIP functions, control RIP routing information, adjust and optimize RIP networks, and typical examples.
4 RIPng Configuration                  This chapter describes the Routing Information Protocol Next Generation (RIPng) fundamentals, steps to configure basic RIPng functions, control RIPng routing information, adjust and optimize RIPng networks, and typical examples.
5 OSPF Configuration                   This chapter describes the Open Shortest Path First (OSPF) fundamentals, steps to configure basic OSPF functions, OSPF area features, OSPF network types, how to control OSPF routing information, adjust and optimize OSPF networks, and typical examples.
6 OSPFv3 Configuration                 This chapter describes the OSPFv3 fundamentals and configuration steps for basic OSPFv3 functions, OSPFv3 area features, OSPFv3 routing information and adjusting and optimizing OSPFv3 networks, along with typical examples.
7 IS-IS Configuration                  This chapter describes the Intermediate System – Intermediate System (IS-IS) fundamentals, steps to configure basic IS-IS functions, control IS-IS routing information, adjust and optimize IS-IS and IS-IS IPv6 features, and typical examples.
8 BGP Configuration                    This chapter describes the Border Gateway Protocol (BGP) fundamentals, steps to configure basic BGP functions, control the advertising and receiving of routing information, BGP route attributes, how to adjust and optimize BGP networks and build large-sized BGP networks, and typical examples.
9 BGP4+ Configuration                  This chapter describes the BGP4+ fundamentals, steps to configure basic BGP4+ functions, control the advertisement and receiving of routing information, BGP4+ route attributes, how to adjust and optimize BGP networks and build large-sized BGP4+ networks, and typical examples.
10 Routing Policy Configuration        This chapter describes the fundamentals of the routing policy, steps to configure filtering lists, the routing policy, BGP accounting, IP fast reroute (FRR) of a public network, IP FRR of a private network and virtual private network (VPN) FRR, and typical examples.
Appendix A Acronyms and Abbreviations  This chapter defines the acronyms and abbreviations in this document.
Index                                  This chapter defines important keywords in this manual to help you access the required information quickly.


Conventions

Symbol conventions

The following table identifies the symbols in this document.

Symbol Description

Indicates a hazard with a high level of risk that, if not avoided, results in death or serious injury.

Indicates a hazard with a medium or low level of risk that, if not avoided, can result in minor or moderate injury.

Indicates a potentially hazardous situation that, if not avoided, can cause equipment damage, data loss, and performance degradation or unexpected results.

Indicates a tip that can help you solve a problem or save time.

Provides additional information to emphasize or supplement important points of the main text.

General conventions

Convention        Description
Times New Roman   Normal paragraphs use Times New Roman.
Boldface          Names of files, directories, folders, and users use boldface. For example, log in as user root.
Italic            Book titles use italics.
Courier New       Terminal display uses Courier New.

Command conventions

Convention          Description
Boldface            The keywords of a command line use boldface.
Italic              Command arguments use italics.
[ ]                 Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }     Alternative items are grouped in braces and separated by vertical bars. Select one of the items.
[ x | y | ... ]     Optional alternative items are grouped in square brackets and separated by vertical bars. Select one or none of the items.
{ x | y | ... } *   Alternative items are grouped in braces and separated by vertical bars. Select a minimum of one or a maximum of all of the items.
[ x | y | ... ] *   Optional alternative items are grouped in square brackets and separated by vertical bars. Select many or none of the items.
&<1-n>              You can repeat the parameter before the ampersand sign (&) 1 to n times.
#                   A line that begins with the number sign (#) indicates comments.

GUI conventions

Convention   Description
Boldface     Buttons, menus, parameters, tabs, windows, and dialog titles use boldface. For example, click OK.
>            Multilevel menus use boldface and a greater-than sign (>) separates the menu choices. For example, choose File > Create > Folder.

Keyboard operation

Format         Description
Key            Press the key. For example, press Enter and press Tab.
Key 1+Key 2    Press the keys concurrently. For example, Ctrl+Alt+A means you press the three keys at the same time.
Key 1, Key 2   Press the keys in turn. For example, Alt, A means you press the two keys one after the other.

Mouse operation

Action         Description
Click          Press and release the primary mouse button without moving the pointer.
Double-click   Quickly press the primary mouse button twice without moving the pointer.
Drag           Press and hold the primary mouse button and move the pointer to a specific position.

Update history

Updates between document versions are cumulative. The latest document version contains all updates made to previous versions.

Updates in issue 01 (2008-06-06)

Initial field trial release.


1 IP routing overview

About this chapter

The following table shows the contents of this chapter.

Section                                           Description
1.1 Overview of IP routing and the routing table  This section describes IP routing and the routing table.
1.2 Routing protocol overview                     This section describes the routing protocol.
1.3 Routing management                            This section describes routing management.


1.1 Overview of IP routing and the routing table

This section covers the following topics that you must know before you configure IP routing and the routing table:

• Route and route segments
• Route selection through the routing table

1.1.1 Route and route segments

Routers select the route on the Internet. After a router receives an IP packet, it selects an appropriate path (through a network) based on the destination address of the packet. The router then forwards the packet to the next router in the path. The packet transfers from one router to the next along the path. The last router delivers the packet to the destination. In Figure 1-1, from host A to host C, a packet transfers through three networks and two routers.

If one node connects to another node in a network, a route segment exists between these two nodes. The two nodes are adjacent nodes on the Internet. Based on the same principle, adjacent routers are two routers that connect to the same network. The number, or count, of route segments between a router and hosts in the same network is zero. In Figure 1-1, the bold arrows represent these segments. The physical links that constitute this route segment do not influence the router.

Figure 1-1 Route segments

[Network diagram with the labels Host A, Host B, Host C, and Route Segment.]

When the sizes of the networks vary, the lengths of the route segments also vary. After the actual length of the path is measured, for different networks, the number of route segments is multiplied by a weighted coefficient. Consider a router in a network as a node in the network and a route segment on the Internet as a link. Routing on the Internet is similar to routing in a simple network. Routing through multiple routing segments is not always ideal. For example, routing through three local area network (LAN) route segments can be much faster than routing through two wide area network (WAN) route segments.


1.1.2 Route selection through the routing table

Routing table

The router uses the routing table to forward the packets. Each router maintains a routing table in memory. Each entry of the table specifies the physical interface of the router through which to send a packet to a subnet or a host. The packet can reach the next router in the path or the destination host if the router or host directly connects to the network. The routes in the routing table use the following three categories:

• The route in the link layer protocol (also called interface route or direct route)
• The static route you manually configure
• The route in the dynamic route protocol

Routing table contents

A routing table uses the following key entries:

• Destination address—This entry identifies the destination IP address or the destination network address of the IP packet.
• Network mask—This entry combines with the destination address to determine the address of the network segment where the destination host or router exists. The two entries identify the network address of the destination host or the router. For example, if the destination address is 129.102.8.10 and the mask is 255.255.0.0, then the address of the network where the host or the router exists is 129.102.0.0. The mask uses several consecutive 1-bits. Express the value of the 1-bits either in the dotted decimal format or as the number of consecutive 1-bits in the mask.
• Outgoing interface—This entry indicates the interface through which to forward an IP packet.
• Next hop IP address—This entry indicates the next router through which an IP packet passes.
• Preference added to the IP routing table for a route—Different next hops can exist for the same destination. Different routing protocols can discover these routes or you can manually configure them as static routes. The route with the highest preference (the smallest value) is the current optimal route.

The following list categorizes routes by destination:

• Subnet route—The destination is a subnet.
• Host route—The destination is a host.

The following list categorizes routes based on the destination connection to the router:

• Direct route—The router directly connects to the network in which the destination exists.
• Indirect route—The router does not directly connect to the network in which the destination exists.

Configure a default route to prevent a high number of entries in the routing table. All the packets that fail to match a suitable entry in the routing table forward through this default route.

As shown in Figure 1-2, Router A connects with three networks. Router A uses three IP addresses and three physical interfaces. Figure 1-2 shows the routing table.


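Figure 1-2 Routing table

[Network diagram: RouterA connects to RouterB, RouterC, and RouterD, which lead to the networks 11.0.0.0/8, 12.0.0.0/8, and 13.0.0.0/8.]

RouterA interface   RouterA address   Neighbor   Neighbor address   Network
Eth1/0/0            1.1.1.1/24        RouterB    1.1.1.2/24         11.0.0.0/8
Eth2/0/0            2.2.2.1/24        RouterC    2.2.2.2/24         12.0.0.0/8
Eth3/0/0            3.3.3.1/24        RouterD    3.3.3.2/24         13.0.0.0/8

Routing Table
Destination   Nexthop   Interface
11.0.0.0/8    1.1.1.2   Eth1/0/0
12.0.0.0/8    2.2.2.2   Eth2/0/0
13.0.0.0/8    3.3.3.2   Eth3/0/0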

1.2 Routing protocol overview

This section describes the following routing protocols:

• Static and dynamic routes
• Dynamic routing protocols classification
• Routing protocols and route preferences
• Load balancing and route backup
• Sharing routing information between protocols

1.2.1 Static and dynamic routes

In addition to static routes, the Nortel Secure Router 8000 Series supports dynamic routing protocols, such as the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS), and Border Gateway Protocol (BGP).

You can easily configure static routes on a system because they have lower system requirements than routing protocols. Use static routes for simple, stable, and small-scale networks. Static routes cannot automatically adapt to changes in the network topology; you must manually configure changes.

Dynamic routing protocols use routing algorithms to automatically adapt to changes in network topology. Use dynamic routing protocols in a network that has a certain quantity of Layer 3 devices. Dynamic routes are difficult to configure. Dynamic routing protocols have higher system requirements and occupy network resources.


1.2.2 Dynamic routing protocols classification

The following conditions classify dynamic routing protocols:

Range of functions

According to the range of functions, the routing protocols divide into

• Interior Gateway Protocol (IGP): runs inside an autonomous system (AS), such as RIP, OSPF, and IS-IS
• Exterior Gateway Protocol (EGP): runs between different ASs, such as BGP

Algorithm

According to the algorithm, the routing protocols divide into

• distance-vector routing protocol: includes RIP and BGP (BGP is also path-vector)
• link-state routing protocol: includes OSPF and IS-IS

The algorithms differ in the method of route discovery and calculation.

Types of destination addresses

According to the types of destination addresses, the routing protocols divide into

• Unicast routing protocol: includes RIP, OSPF, BGP, and IS-IS
• Multicast routing protocol: includes Distance Vector Multicast Routing Protocol (DVMRP), Protocol Independent Multicast – Sparse Mode (PIM-SM), and PIM – Dense Mode (PIM-DM)

This document describes the unicast routing protocols. For details about multicast routing protocols, see Nortel Secure Router 8000 Series Configuration Guide - IP Multicast (NN46240-509).

Manage static routes in the router together with the dynamic routes the routing protocols discover. The different routing protocols can share all these routes.

1.2.3 Routing protocols and route preferences

Different routing protocols, as well as the static route, can learn different routes to the same destination but not all of these routes are optimal. At a specific moment, only one routing protocol determines the current route to a specific destination. Configure a preference for each of these routing protocols, including the static route. When multiple routing information sources exist, the route learned by the routing protocol with the highest preference becomes the current route. Table 1-1 shows the routing protocols and the default preferences for the routes the protocols learn. The smaller the value is, the higher the preference.

In Table 1-1, 0 indicates a direct route and 255 indicates any route the protocol learns from unreliable sources.


Table 1-1 Routing protocols and default preferences

Routing protocol or route type          Preference of the corresponding route
Direct                                  0
OSPF                                    10
IS-IS                                   15
Static                                  60
RIP                                     100
OSPF Autonomous System External (ASE)   150
OSPF Not So Stubby Area (NSSA)          150
IBGP                                    255
EBGP                                    255
Unknown                                 255

Except for a direct route, you can configure the preferences of the various routing protocols. In addition, the preferences for each static route can be different.

1.2.4 Load balancing and route backup

Load balancing: The Nortel Secure Router 8000 Series supports the multiroute mode. The Nortel Secure Router 8000 Series permits the configuration of multiple routes with the same destination and the same preference. If no route with a higher preference reaches the destination, the router uses all routes with the same preference. Routers at the IP layer send packets to the destination through various paths, which balances the traffic load. For the same destination, a routing protocol can find multiple routes. If the routing protocol uses the highest preference among all active routing protocols, these multiple routes are the currently valid routes. This method ensures load balancing of the IP traffic at the routing protocol layer. The routing protocols that support load balancing are RIP, OSPF, BGP, and IS-IS. Static routes also support load balancing.

NOTE

The number of load balancing routes depends on the product type.

Route backup: The Nortel Secure Router 8000 Series supports route backup to improve the network reliability. You can configure multiple routes to the same destination based on the actual situation. The route with the highest preference is the active route. The other routes with descending preferences are backup routes.


Generally, the main route forwards packets. When a fault occurs, the route becomes inactive and the router chooses a backup route to forward the data. The routing process realizes the switch from the main route to the backup route. When the main route recovers, the router recovers the corresponding route and chooses the route again. Because the route uses the highest preference, the router chooses the main route to send the data.

1.2.5 Sharing routing information between protocols

The algorithms of the various routing protocols are different. The protocols can discover different routes. This discovery creates a problem sharing learned routes between the routing protocols. A router can import the information of another routing protocol. Each protocol uses a different route import mechanism. For more details, see the configuration document for the corresponding routing protocol.
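The selection rules from sections 1.1.2, 1.2.3, and 1.2.4 (mask matching, default route, preference, load balancing, route backup) can be checked with the following Python model. It is an added example, not Nortel code: the class and function names are hypothetical, the first three routes come from Figure 1-2, the other routes are constructed, and it assumes the most specific matching entry is preferred before preferences are compared.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional

# Default preferences from Table 1-1; a smaller value is a higher preference.
DEFAULT_PREFERENCE = {
    "Direct": 0, "OSPF": 10, "IS-IS": 15, "Static": 60, "RIP": 100,
    "OSPF ASE": 150, "OSPF NSSA": 150, "IBGP": 255, "EBGP": 255, "Unknown": 255,
}


@dataclass(frozen=True)
class Route:
    destination: str                  # network in address/mask-length form
    next_hop: str
    interface: str
    protocol: str = "Static"
    preference: Optional[int] = None  # None means "use the protocol default"
    up: bool = True                   # False models a failed outgoing link

    @property
    def network(self):
        return ipaddress.ip_network(self.destination)

    @property
    def effective_preference(self) -> int:
        if self.preference is not None:
            return self.preference
        return DEFAULT_PREFERENCE[self.protocol]


def select_routes(table: List[Route], address: str) -> List[Route]:
    """Return the route or routes used to forward a packet to `address`.

    An empty list means no entry and no default route matched, so the
    packet is discarded. More than one route means load balancing.
    """
    addr = ipaddress.ip_address(address)
    matching = [r for r in table if r.up and addr in r.network]
    if not matching:
        return []
    # Assumption: the most specific (longest-mask) entry wins, so the
    # default route 0.0.0.0/0 is used only when nothing else matches.
    longest = max(r.network.prefixlen for r in matching)
    matching = [r for r in matching if r.network.prefixlen == longest]
    # Among routes to the same destination, the smallest preference value
    # is the active route; equal values are all active (load balancing).
    best = min(r.effective_preference for r in matching)
    return [r for r in matching if r.effective_preference == best]


def fail_interface(table: List[Route], interface: str) -> List[Route]:
    """Return a copy of the table with every route out of `interface` down."""
    return [replace(r, up=False) if r.interface == interface else r
            for r in table]


def next_hops(table: List[Route], address: str) -> List[str]:
    """Sorted next-hop addresses of the active routes for `address`."""
    return sorted(r.next_hop for r in select_routes(table, address))


# Router A's three routes from Figure 1-2, plus constructed entries that
# exercise the default route, route backup and load balancing.
TABLE = [
    Route("11.0.0.0/8", "1.1.1.2", "Eth1/0/0"),
    Route("12.0.0.0/8", "2.2.2.2", "Eth2/0/0"),
    Route("13.0.0.0/8", "3.3.3.2", "Eth3/0/0"),
    Route("0.0.0.0/0", "1.1.1.2", "Eth1/0/0"),                  # constructed: default route
    Route("12.0.0.0/8", "3.3.3.2", "Eth3/0/0", preference=80),  # constructed: backup route
    Route("13.0.0.0/8", "2.2.2.2", "Eth2/0/0"),                 # constructed: equal preference
]

if __name__ == "__main__":
    for dst in ("11.9.9.9", "12.1.2.3", "13.0.0.7", "8.8.8.8"):
        print(dst, "->", next_hops(TABLE, dst))
    print("12.1.2.3 with Eth2/0/0 down ->",
          next_hops(fail_interface(TABLE, "Eth2/0/0"), "12.1.2.3"))
```

With Eth2/0/0 marked down, traffic for 12.0.0.0/8 moves to the preference-80 backup route, and it returns to the preference-60 main route as soon as that route is up again.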

1.3 Routing management

This section describes the following topics:

• Displaying the routing table
• Displaying and debugging of the routing management module

1.3.1 Displaying the routing table

To locate routing problems, first view the information in the routing table. Table 1-2 shows commands to display the routing information. You can use the display command in all views.

Table 1-2 Routing table display commands

Action: View brief information about the current active routes.
Command: display ip routing-table

Action: View the details of the routing table.
Command: display ip routing-table verbose

Action: View the route to a specified destination address.
Command: display ip routing-table ip-address [ mask | mask-length ] [ longer-match ] [ verbose ]

Action: View the routes within a specified range of destination addresses.
Command: display ip routing-table ip-address1 { mask1 | mask-length1 } ip-address2 { mask2 | mask-length2 } [ verbose ]

Action: View the routes filtered by a specified basic access control list (ACL).
Command: display ip routing-table acl acl-number [ verbose ]

Action: View the route filtered by a specified IP prefix list.
Command: display ip routing-table ip-prefix ip-prefix-name [ verbose ]

Action: View the route discovered by the specified protocol.
Command: display ip routing-table protocol protocol [ inactive | verbose ]

Action: View the statistics in a routing table.
Command: display ip routing-table statistics

Action: View brief information about the private network routing table.
Command: display ip routing-table vpn-instance vpn-instance-name [ filter-option ]

Action: View the private network routing table details (in the user view).
Command: display ip routing-table vpn-instance vpn-instance-name [ filter-option ] verbose

1.3.2 Displaying and debugging of the routing management module

As shown in Table 1-3, one method to solve a routing problem is to use the display and the debugging commands in the routing management module. You can use the display command in all views but you can use the debugging command only in the user view.

Table 1-3 Display and debug commands

Action: Check the information about the routing management on the interface.
Command: display rm interface [ interface-type interface-number ]

Action: Check the information about IPv6 routing management on the interface.
Command: display rm ipv6 interface [ interface-type interface-number ]

Action: Check the information about the routing management on the private network interface.
Command: display rm interface vpn-instance vpn-instance-name

Action: Enable the debugging of all routing management.
Command: debugging rm all

Action: Enable the debugging of all backup routing management.
Command: debugging rm backup

Action: Enable the IPv4 debugging of all routing management.
Command: debugging rm ipv4 { bfd | im | urt | usr | msr | rcom [ ip-prefix ip-prefix-name ] | rr }

Action: Enable the IPv6 debugging of all routing management.
Command: debugging rm ipv6 { im | urt | usr | rcom [ ip-prefix ip-prefix-name ] | rr }

Action: Enable the job debugging of all routing management.
Command: debugging rm job
NOTE
Job refers to tasks with low priority. The system divides the tasks with low priority into several discontinuous phases and processes them at leisure.

Action: Enable the routing policy debugging of all routing management.
Command: debugging rm policy [ ip-prefix ip-prefix-name ]

Action: Enable the system debugging of all routing management.
Command: debugging rm system

Action: Enable the task debugging of all routing management.
Command: debugging rm task

Action: Enable the timer debugging of all routing management.
Command: debugging rm timer


2 IP static route configuration

About this chapter

The following table shows the contents of this chapter.

Section                              Description
2.1 Introduction                     This section describes the principles and concepts of the static route.
2.2 Configuring IPv4 static routes   This section describes how to configure IPv4 static routes. For an example configuration, see Example of configuring IPv4 static routes.
2.3 Configuring IPv6 static routes   This section describes how to configure IPv6 static routes. For an example configuration, see Example of configuring IPv6 static routes.
2.4 Configuration examples           This section provides configuration examples for IP static routes.


2.1 Introduction

This section describes the following topics that you must understand before you configure a static route:

• Static routes
• Default routes
• Attributes and functions of IPv6 static routes

2.1.1 Static routes

In a relatively simple network, you only need to configure static routes. Proper configuration and usage of static routes improves network performance and provides the required bandwidth for important applications.

When a fault occurs to a static route or when the topology changes, you must manually change the static route to rectify the fault.

2.1.2 Default routes

A default route is another special route. Normally, you manually configure the static route; but sometimes, a dynamic routing protocol, like Open Shortest Path First (OSPF) or Intermediate System to Intermediate System (IS-IS), generates the static route.

The router uses a default route only when no suitable routing table entry exists. In a routing table, the default route is the route to the network 0.0.0.0 (with the mask 0.0.0.0). Use the display ip routing-table command to determine if a default route exists. If the destination address of a packet does not match an entry in the routing table, the router selects the default route to forward this packet. If no default route exists and the destination address of the packet does not match an entry in the routing table, the router discards the packet. The router sends an Internet Control Message Protocol (ICMP) packet, informing the originating host that the destination host or network is not accessible.

2.1.3 Attributes and functions of IPv6 static routes

An IPv6 static route is similar to an IPv4 static route and you must configure it manually. An IPv6 static route is suitable for simple IPv6 networks.

The difference between an IPv6 static route and an IPv4 static route involves the destination address and the next-hop address. The IPv6 static routes use IPv6 addresses, while the IPv4 static routes use IPv4 addresses. IPv6 static routes do not support virtual private network (VPN) instances.

In IPv6 static route configuration, if the specified destination address is ::/0 (the mask length is 0), it indicates the route is an IPv6 default route. If the destination address of a packet fails to match an entry in the routing table, the router selects the default route to forward the IPv6 packet.


2.2 Configuring IPv4 static routes

2.2.1 Establishing the configuration task

Applicable environment

The Nortel Secure Router 8000 Series supports a common static route. You can associate a static route with VPN instances to manage VPN routes. For information about related VPN instances, see Nortel Secure Router 8000 Series Configuration Guide - VPN (NN46240-507).

When you configure an IPv4 static route, you must know the following:

• destination address and mask
  If you use the ip route-static command, specify the IPv4 destination address in dotted decimal notation. You can specify the mask in dotted decimal notation or by the mask length (the number of consecutive 1-bits in the mask).

• outbound interface and the next-hop address
  When you configure a static route, you can specify the interface-type interface-number and the nexthop-address. Based on the actual situation, specify the outbound interface or the next-hop address.
  All route entries must specify the next-hop address. When the router sends a packet, the router first searches the matched route in the routing table according to the destination address. Only if the routing table specifies the next-hop address can the link layer find the corresponding link layer address and forward the packet.
  When you specify the sending interface, be aware of the following conditions:

  − For point-to-point interfaces, the next-hop address is implicit for the specific sending interface. The address of the peer interface that connects with this interface is the next-hop address. For example, when a Packet over SONET (POS) interface is Point-to-Point Protocol (PPP) encapsulated, the local router obtains the peer IP address through PPP negotiations. In this case, you need to specify only the sending interface without the next-hop address.
  − NonBroadcast Multiple Access (NBMA) interfaces, such as an Asynchronous Transfer Mode (ATM) interface, support point-to-multi-point networks. You need to configure IP routes and build the reroute table at the link layer (the mapping between IP addresses and link layer addresses). You need to configure the next-hop IP address.
  − In static route configuration, do not specify the Ethernet interface or the Virtual-template interface as the sending interface. The Ethernet interface is a broadcast interface and the Virtual-template interface uses several virtual access interfaces. Many next hops occur and the router cannot determine a unique next hop. If you must specify a broadcast interface, a VT interface, or an NBMA interface as the sending interface, configure the next-hop address at the same time.

• Other attributes
  Configure different preferences for the static routes to apply the route management policy in a flexible manner. For example, if you configure multiple routes to the same destination address, you can specify the same preference for these routes to implement load balancing. You can specify different preferences to implement route backup.


When you configure static routes by using the ip route-static command, if you configure the destination address and the mask as all zeros (0.0.0.0 0.0.0.0), that indicates a default route.

Preconfiguration tasks

Before you configure an IPv4 static route, complete the following tasks:

• Configure physical parameters for related interfaces.
• Configure link layer attributes for related interfaces.
• Configure IPv4 addresses for related interfaces.

Data preparation

The following table lists the data you need to configure an IPv4 static route.

No.   Data
1     Destination address and mask
2     Outbound interface or the next-hop IPv4 address
3     Preference of the IPv4 static route

Configuration procedures

No.   Procedure
1     Configuring an IPv4 static route
2     (Optional) Configuring the default preference for the IPv4 static route
3     Checking the configuration

2.2.2 Configuring an IPv4 static route

Do as follows on the router configured with static routes:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

ip route-static [ vpn-instance vpn-instance-name ] ip-address { mask | mask-length } { nexthop-address | interface-type interface-number [ nexthop-address ] | vpn-instance vpn-instance-name } [ preference preference ]

This command enables the IPv4 static route.

----End


By default, no IPv4 static route exists.

2.2.3 (Optional) Configuring the default preference for the IPv4 static route

Do as follows on the router configured with static routes:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

ip route-static default-preference preference

This command configures the default preference for the static route.

----End

By default, the preference of the static route is 60. In static route configuration, the route uses the default preference if you do not specify a preference. The new default preference takes effect only on new IPv4 static routes.

2.2.4 Checking the configuration

Run the following commands to check the previous configuration.

Action: Check the current configuration.
Command: display current-configuration

Action: Check the brief information of the IPv4 routing table.
Command: display ip routing-table

Action: Check the details of the IPv4 routing table.
Command: display ip routing-table verbose

Run the display ip routing-table verbose command. The static route is configured when information about the static route appears in the detailed information of the routing table.

display ip routing-table verbose
Routing Table : Public
Destinations : 3        Routes : 3

Destination: 1.1.1.1/32
Protocol: Static            Process ID: 0
Preference: 60              Cost: 0
NextHop: 2.2.2.2            Neighbour: 0.0.0.0
State: Active Adv           Age: 00h00m05s
Tag: 0                      Priority: 0
Label: NULL                 QoSInfo: 0x0
RelayNextHop: 0.0.0.0       Interface: Ethernet1/0/0
TunnelID: 0x0

Destination: 2.2.2.0/24
Protocol: Direct            Process ID: 0
Preference: 0               Cost: 0
NextHop: 2.2.2.2            Neighbour: 0.0.0.0
State: Active Adv           Age: 00h00m16s
Tag: 0                      Priority: 0
Label: NULL                 QoSInfo: 0x0
RelayNextHop: 0.0.0.0       Interface: Ethernet1/0/0
TunnelID: 0x0

Destination: 2.2.2.2/32
Protocol: Direct            Process ID: 0
Preference: 0               Cost: 0
NextHop: 127.0.0.1          Neighbour: 0.0.0.0
State: Active NoAdv         Age: 00h00m16s
Tag: 0                      Priority: 0
Label: NULL                 QoSInfo: 0x0
RelayNextHop: 0.0.0.0       Interface: InLoopBack0
TunnelID: 0x0

2.3 Configuring IPv6 static routes

2.3.1 Establishing the configuration task

Applicable environment

In a small IPv6 network, you can use IPv6 static routes to interconnect networks. Compared to a dynamic route, the static route saves bandwidth.

Preconfiguration tasks

Before you configure an IPv6 static route, complete the following tasks:

• Configure physical parameters for related interfaces.
• Configure link layer attributes for related interfaces.
• Enable IPv6 packet forwarding.
• Ensure you can access the network layers (IPv6) of the adjacent nodes.

Data preparation

The following table lists the data you need to configure an IPv6 static route.

No.   Data
1     Destination address and mask
2     Outbound interface or the next-hop IPv6 address
3     Preference of the IPv6 static route

Configuration procedures

No.   Procedure
1     Configuring an IPv6 static route
2     Checking the configuration

2.3.2 Configuring an IPv6 static route

Do as follows on the router configured with static routes:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
ipv6 route-static ipv6-address prefix-length { interface-type interface-number | nexthop-address } [ preference preference ]
This command configures the IPv6 static route.

----End

In static route configuration, you must specify either the outbound interface or the next-hop address based on the actual situation. If the type of the outbound interface is PPP, you can specify the outbound interface. If the type of the outbound interface is broadcast, you must specify the next-hop address. If you do not specify a preference, the default preference is 60. By default, IPv6 static routes do not exist.

2.3.3 Checking the configuration

Run the following commands to check the previous configuration.

Action                                                   Command
Check the current configuration.                         display current-configuration
Check the brief information of the IPv6 routing table.   display ipv6 routing-table
Check the details of the IPv6 routing table.             display ipv6 routing-table verbose

2.4 Configuration examples

This section provides the following examples:

• Example of configuring IPv4 static routes
• Example of configuring IPv6 static routes

2.4.1 Example of configuring IPv4 static routes

Networking requirements

Figure 2-1 shows the IP addresses and masks of the interfaces and the hosts. All the hosts or routers must connect through static routes.

Figure 2-1 IPv4 static route network diagram

Node      Interface   IP address/mask
RouterA   POS1/0/0    1.1.4.1/30
RouterA   GbE2/0/0    1.1.1.1/24
RouterB   POS1/0/0    1.1.4.2/30
RouterB   POS2/0/0    1.1.4.5/30
RouterB   GbE3/0/0    1.1.2.1/24
RouterC   POS1/0/0    1.1.4.6/30
RouterC   GbE2/0/0    1.1.3.1/24
PC1       -           1.1.1.2/24
PC2       -           1.1.2.2/24
PC3       -           1.1.3.2/24

Configuration roadmap

The steps in the configuration roadmap are:

1. Configure the IPv4 address of each interface on each router to connect them with each other.
2. Configure the IPv4 static route to the destination address and the default route on the router.
3. Configure the IPv4 default gateway on each host to connect every two hosts with each other.

Data preparation

To complete the configuration, you need the following data:

• Router A uses a default route with next hop 1.1.4.2.
• Router B uses a static route to destination 1.1.1.0 with next hop 1.1.4.1.
• Router B uses a static route to destination 1.1.3.0 with next hop 1.1.4.6.
• Router C uses a default route with next hop 1.1.4.5.
• The default gateway of host PC1 is 1.1.1.1. The default gateway of host PC2 is 1.1.2.1. The default gateway of host PC3 is 1.1.3.1.

Configuration procedure

Step 1 Configure the IP address for each interface.

Step 2 Configure static routes.

# Configure the IPv4 default route on Router A:
[RouterA] ip route-static 0.0.0.0 0.0.0.0 1.1.4.2

# Configure two IPv4 static routes on Router B:
[RouterB] ip route-static 1.1.1.0 255.255.255.0 1.1.4.1
[RouterB] ip route-static 1.1.3.0 255.255.255.0 1.1.4.6

# Configure the IPv4 default route on Router C:
[RouterC] ip route-static 0.0.0.0 0.0.0.0 1.1.4.5

Step 3 Configure hosts.

Configure the default gateway of hosts PC1, PC2, and PC3 as 1.1.1.1, 1.1.2.1, and 1.1.3.1 respectively.

Step 4 Verify the configuration.

# Display the IP routing table of Router A:
[RouterA] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost  Flags  NextHop      Interface

0.0.0.0/0           Static  60   0     RD     1.1.4.2      Pos1/0/0
1.1.1.0/24          Direct  0    0     D      1.1.1.1      GigabitEthernet2/0/0
1.1.1.1/32          Direct  0    0     D      127.0.0.1    InLoopBack0
1.1.4.0/30          Direct  0    0     D      1.1.4.1      Pos1/0/0
1.1.4.1/32          Direct  0    0     D      127.0.0.1    InLoopBack0
1.1.4.2/32          Direct  0    0     D      1.1.4.2      Pos1/0/0
127.0.0.0/8         Direct  0    0     D      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1    InLoopBack0

# Verify connectivity with the ping command:
[RouterA] ping 1.1.3.1
  PING 1.1.3.1: 56 data bytes, press CTRL_C to break
    Reply from 1.1.3.1: bytes=56 Sequence=1 ttl=254 time=62 ms
    Reply from 1.1.3.1: bytes=56 Sequence=2 ttl=254 time=63 ms
    Reply from 1.1.3.1: bytes=56 Sequence=3 ttl=254 time=63 ms
    Reply from 1.1.3.1: bytes=56 Sequence=4 ttl=254 time=62 ms
    Reply from 1.1.3.1: bytes=56 Sequence=5 ttl=254 time=62 ms

  --- 1.1.3.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 62/62/63 ms

# Verify connectivity with the tracert command:
[RouterA] tracert 1.1.3.1
 traceroute to 1.1.3.1(1.1.3.1) 30 hops max,40 bytes packet
 1 1.1.4.2 31 ms 32 ms 31 ms
 2 1.1.4.6 62 ms 63 ms 62 ms

----End
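The following check is an added example and is not part of the Nortel guide. It loads the interface addresses and static routes of Routers A, B, and C from this example, reports static routes whose next hop is not on a directly connected subnet, and follows a destination hop by hop with longest-prefix matching so that a missing route or a pair of default routes pointing at each other shows up before deployment. The function names and the dictionary layout are assumptions made for illustration.

```python
import ipaddress

DIRECT_PREF, STATIC_PREF = 0, 60   # preferences shown in the routing tables on this page

# Interface addresses and static routes copied from the IPv4 example on this page.
# The dictionary layout itself is an assumption made for this illustration.
ROUTERS = {
    "RouterA": {
        "interfaces": {"GigabitEthernet2/0/0": "1.1.1.1/24", "Pos1/0/0": "1.1.4.1/30"},
        "static": [("0.0.0.0/0", "1.1.4.2")],
    },
    "RouterB": {
        "interfaces": {"GigabitEthernet3/0/0": "1.1.2.1/24", "Pos1/0/0": "1.1.4.2/30",
                       "Pos2/0/0": "1.1.4.5/30"},
        "static": [("1.1.1.0/24", "1.1.4.1"), ("1.1.3.0/24", "1.1.4.6")],
    },
    "RouterC": {
        "interfaces": {"GigabitEthernet2/0/0": "1.1.3.1/24", "Pos1/0/0": "1.1.4.6/30"},
        "static": [("0.0.0.0/0", "1.1.4.5")],
    },
}


def connected(cfg):
    """Return (network, own address) for every configured interface."""
    ifaces = [ipaddress.ip_interface(cidr) for cidr in cfg["interfaces"].values()]
    return [(iface.network, iface.ip) for iface in ifaces]


def offlink_next_hops(routers):
    """List (router, prefix, next hop) for static routes with an unreachable next hop."""
    problems = []
    for router, cfg in routers.items():
        nets = [net for net, _ in connected(cfg)]
        for prefix, hop in cfg["static"]:
            if not any(ipaddress.ip_address(hop) in net for net in nets):
                problems.append((router, prefix, hop))
    return problems


def lookup(cfg, dst):
    """Longest-prefix match; on a tie the lower preference value wins."""
    dst = ipaddress.ip_address(dst)
    candidates = []
    for net, own in connected(cfg):
        if dst == own:
            return ("local", None)
        if dst in net:
            candidates.append((net.prefixlen, -DIRECT_PREF, "direct", None))
    for prefix, hop in cfg["static"]:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            candidates.append((net.prefixlen, -STATIC_PREF, "static", hop))
    if not candidates:
        return ("unreachable", None)
    _, _, kind, hop = max(candidates, key=lambda c: (c[0], c[1]))
    return (kind, hop)


def owner_of(routers, addr):
    """Name of the router that owns an interface address, or None."""
    addr = ipaddress.ip_address(addr)
    for router, cfg in routers.items():
        if any(own == addr for _, own in connected(cfg)):
            return router
    return None


def trace(routers, start, dst):
    """Follow dst from router to router; return (routers visited, final state)."""
    path, current = [start], start
    while True:
        kind, hop = lookup(routers[current], dst)
        if kind != "static":
            return path, kind          # local, direct, or unreachable
        nxt = owner_of(routers, hop)
        if nxt is None:
            return path, "next hop not found"
        path.append(nxt)
        if path.count(nxt) > 1:        # a router is visited twice: forwarding loop
            return path, "loop"
        current = nxt


if __name__ == "__main__":
    print(offlink_next_hops(ROUTERS))
    print(trace(ROUTERS, "RouterA", "1.1.3.1"))
```

The path found for 1.1.3.1 passes through the same two next hops, 1.1.4.2 and 1.1.4.6, that the tracert output above reports.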

Configuration files

• Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet2/0/0
 ip address 1.1.1.1 255.255.255.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 1.1.4.1 255.255.255.252
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
#
return

• Configuration file of Router B

#
 sysname RouterB
#
interface GigabitEthernet3/0/0
 ip address 1.1.2.1 255.255.255.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 1.1.4.2 255.255.255.252
#
interface Pos2/0/0
 link-protocol ppp
 ip address 1.1.4.5 255.255.255.252
#
 ip route-static 1.1.1.0 255.255.255.0 1.1.4.1
 ip route-static 1.1.3.0 255.255.255.0 1.1.4.6
#
return

• Configuration file of Router C

#
 sysname RouterC
#
interface GigabitEthernet2/0/0
 ip address 1.1.3.1 255.255.255.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 1.1.4.6 255.255.255.252
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.4.5
#
return

2.4.2 Example of configuring IPv6 static routes

Networking requirements

As shown in Figure 2-2, the mask length of all the IPv6 addresses is 64 bits. Every two hosts or routers must interconnect through IPv6 static routes. The POS interfaces of the routers use IPv6 link-local addresses.

Figure 2-2 IPv6 static route network diagram

Node      Interface   IPv6 address/prefix length
RouterA   POS1/0/0    (link-local)
RouterA   GbE2/0/0    1::1/64
RouterB   POS1/0/0    (link-local)
RouterB   POS2/0/0    (link-local)
RouterB   GbE3/0/0    2::1/64
RouterC   POS1/0/0    (link-local)
RouterC   GbE2/0/0    3::1/64
PC1       -           1::2/64
PC2       -           2::2/64
PC3       -           3::2/64

Configuration roadmap

The steps in the configuration roadmap are:

1. Configure the Gigabit Ethernet (GbE) interface of each router with the IPv6 address.
2. Configure each router with an IPv6 static route to the destination address and the default route.
3. Configure each host with the IPv6 default gateway to connect any two hosts with each other.

Data preparation

To complete the configuration, you need the following data:

• Router A uses a default route through interface POS1/0/0.
• Router B uses a static route to destination 1:: 64 with outbound interface POS1/0/0.
• Router B uses a static route to destination 3:: 64 with outbound interface POS2/0/0.
• Router C uses a default route with outbound interface POS1/0/0.
• The default gateway of host PC1 is 1::1. The default gateway of host PC2 is 2::1. The default gateway of host PC3 is 3::1.

Configuration procedure

Step 1 Configure the IPv6 address for each interface.

Step 2 Configure IPv6 static routes.

# Configure the IPv6 default route on Router A:
[RouterA] ipv6 route-static :: 0 pos 1/0/0

# Configure two IPv6 static routes on Router B:
[RouterB] ipv6 route-static 1:: 64 pos 1/0/0
[RouterB] ipv6 route-static 3:: 64 pos 2/0/0

# Configure the IPv6 default route on Router C:
[RouterC] ipv6 route-static :: 0 pos 1/0/0

Step 3 Configure the host addresses and the gateways.

Configure the IPv6 addresses of the hosts according to the network diagram. Configure the default gateway of the host PC1 as 1::1, the default gateway of the host PC2 as 2::1, and the default gateway of the host PC3 as 3::1.

Step 4 Verify the configuration.

# Verify the IPv6 routing table of Router A:

[RouterA] display ipv6 routing-table
Routing Table :
         Destinations : 5        Routes : 5

 Destination  : ::                       PrefixLength : 0
 NextHop      : FE80::510A:0:8D7:1       Preference   : 60
 Interface    : Pos1/0/0                 Protocol     : Static
 State        : Active Adv               Cost         : 0
 Tunnel ID    : 0x0                      Label        : NULL
 Age          : 685270sec

 Destination  : ::1                      PrefixLength : 128
 NextHop      : ::1                      Preference   : 0
 Interface    : InLoopBack0              Protocol     : Direct
 State        : Active NoAdv             Cost         : 0
 Tunnel ID    : 0x0                      Label        : NULL
 Age          : 523sec

 Destination  : 1::                      PrefixLength : 64
 NextHop      : 1::1                     Preference   : 0
 Interface    : GigabitEthernet2/0/0     Protocol     : Direct
 State        : Active Adv               Cost         : 0
 Tunnel ID    : 0x0                      Label        : NULL
 Age          : 523sec

 Destination  : 1::1                     PrefixLength : 128
 NextHop      : ::1                      Preference   : 0
 Interface    : InLoopBack0              Protocol     : Direct
 State        : Active NoAdv             Cost         : 0
 Tunnel ID    : 0x0                      Label        : NULL
 Age          : 357sec

 Destination  : FE80::                   PrefixLength : 10
 NextHop      : ::                       Preference   : 0
 Interface    : NULL0                    Protocol     : Direct
 State        : Active NoAdv             Cost         : 0
 Tunnel ID    : 0x0                      Label        : NULL
 Age          : 407sec

# Verify connectivity with the ping command:

[RouterA] ping ipv6 3::1
  PING 3::1 : 56 data bytes, press CTRL_C to break
    Reply from 3::1 bytes=56 Sequence=1 hop limit=254 time = 63 ms
    Reply from 3::1 bytes=56 Sequence=2 hop limit=254 time = 62 ms
    Reply from 3::1 bytes=56 Sequence=3 hop limit=254 time = 62 ms
    Reply from 3::1 bytes=56 Sequence=4 hop limit=254 time = 63 ms
    Reply from 3::1 bytes=56 Sequence=5 hop limit=254 time = 63 ms

  --- 3::1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 62/62/63 ms

# Verify connectivity with the tracert command:
[RouterA] tracert ipv6 3::1
 traceroute to 3::1 30 hops max,60 bytes packet
 1 2::1 31 ms 32 ms 31 ms
 2 3::1 62 ms 63 ms 62 ms
[RouterA]

----End

Configuration files

• Configuration file of Router A

#
 sysname RouterA
#
 ipv6
#
interface GigabitEthernet2/0/0
 ipv6 address 1::1/64
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address auto link-local
#
 ipv6 route-static :: 0 Pos 1/0/0
#
return

• Configuration file of Router B

#
 sysname RouterB
#
 ipv6
#
interface GigabitEthernet3/0/0
 ipv6 address 2::1/64
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address auto link-local
#
interface Pos2/0/0
 link-protocol ppp
 ipv6 address auto link-local
#
 ipv6 route-static 1:: 64 Pos1/0/0
 ipv6 route-static 3:: 64 Pos2/0/0
#
return

• Configuration file of Router C

#
 sysname RouterC
#
 ipv6
#
interface GigabitEthernet2/0/0
 ipv6 address 3::1/64
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address auto link-local
#
 ipv6 route-static :: 0 Pos1/0/0
#
return

Contents

3 RIP configuration
3.1 Introduction
3.1.1 Overview of RIP
3.1.2 Principles of RIP operation
3.1.3 RIP version
3.1.4 RIP packet formats
3.1.5 Supported RIP features
3.1.6 References
3.2 Configuring basic RIP functions
3.2.1 Establishing the configuration task
3.2.2 Enabling RIP
3.2.3 Enabling RIP on the specified network segment
3.2.4 Configuring the working status of the interface
3.2.5 Configuring the RIP version
3.2.6 Checking the configuration
3.3 Controlling RIP routing information
3.3.1 Establishing the configuration task
3.3.2 Configuring additional metrics of the interface
3.3.3 Configuring RIP route aggregation
3.3.4 Enabling RIP to receive host routes
3.3.5 Configuring RIP to advertise the default routes
3.3.6 Configuring RIP to filter the received routes
3.3.7 Configuring RIP protocol preference
3.3.8 Configuring RIP to import external routes
3.3.9 Checking the configuration
3.4 Adjusting and optimizing RIP networks
3.4.1 Establishing the configuration task
3.4.2 Configuring RIP timers
3.4.3 Configuring the sending interval and the number of sent packets
3.4.4 Configuring Split Horizon and Poison Reverse
3.4.5 Configuring the maximum number of equal-cost routes
3.4.6 Configuring RIP to check the validity of the update packets
3.4.7 Configuring packet authentication of RIP-2
3.4.8 Configuring RIP neighbors
3.4.9 Configuring RIP and MIB binding
3.4.10 Checking the configuration
3.5 Maintaining RIP
3.6 Configuration examples
3.6.1 Example of configuring the RIP Version
3.6.2 Example of configuring RIP to import external routes

Figures

Figure 3-1 RIP-1 packet format
Figure 3-2 RIP-2 packet format
Figure 3-3 RIP-2 authentication packet format
Figure 3-4 RIP version network diagram
Figure 3-5 RIP importing external routes network diagram

3 RIP configuration

About this chapter

The following table shows the contents of this chapter.

Section                                       Description
3.1 Introduction                              This section describes the principles and concepts of the Routing Information Protocol (RIP).
3.2 Configuring basic RIP functions           This section describes how to configure basic RIP functions. For an example configuration, see Example of configuring the RIP Version.
3.3 Controlling RIP routing information       This section describes how to control RIP routing information. For an example configuration, see Example of configuring RIP to import external routes.
3.4 Adjusting and optimizing RIP networks     This section describes how to adjust and optimize RIP networks.
3.5 Maintaining RIP                           This section describes how to maintain RIP.
3.6 Configuration examples                    This section provides configuration examples of RIP.

3.1 Introduction

This section covers the following topics that you must understand before you configure RIP:

• Overview of RIP
• Principles of RIP operation
• RIP version
• RIP packet formats
• Supported RIP features
• References

3.1.1 Overview of RIP

RIP is a dynamic routing protocol that you use in an Autonomous System (AS). RIP is a simple Interior Gateway Protocol (IGP). Use RIP in small and simple-structure networks such as campus networks and regional networks. RIP is not suitable for complex environments or large-sized networks.

RIP is a protocol based on the Distance-Vector algorithm. RIP exchanges the routing information through User Datagram Protocol (UDP) packets on port number 520.

RIP uses the hop count to measure the distance to the destination host. The distance is the metric value. With RIP, the network that connects directly to the router uses a hop count, or metric, of 0. A network that connects to the router through one router uses a hop count of 1. For each router that separates a network from the main router, the hop count increases by one.

To achieve faster convergence times, RIP regulates the cost as an integer that ranges from 0 to 15. RIP defines a hop count that is equal to or exceeds 16 as infinite, that is, the destination network or the host is inaccessible. Because of this limitation, RIP does not apply to large-scale networks.

To improve the performance and to avoid routing loops, RIP supports both Split Horizon and Poison Reverse. RIP is easier to configure and maintain than Open Shortest Path First (OSPF) and Intermediate System to Intermediate System (IS-IS).

3.1.2 Principles of RIP operation

RIP routing database

Each router that uses RIP manages a routing database. This database contains routing entries to all the accessible destinations in the network. The routing entries contain the following information:

• Destination address—This entry identifies the IP address of a host or a network.
• Next-hop address—This entry identifies the interface address of the next router that a packet passes through to the destination.
• Interface—This entry identifies the interface through which the IP packet forwards.
• Metric value—This entry identifies the cost for the router to reach the destination. The cost is an integer in the range of 0 to 16.
• Timer—This entry identifies the duration since the last update. The timer resets to 0 when a routing entry updates.
• Route flag—This entry distinguishes routes for internal routing protocols from those of external routing protocols.

RIP timers

RIP uses the following four timers:

• Update—This timer sends update packets periodically.
• Age—If the RIP router does not receive update packets from a neighbor within this time, the router considers the route to the neighbor inaccessible.
• Suppress—The advertisement of the optimal routing information is suppressed during this period.
• Garbage-collect—If an unreachable route does not receive an update packet from a neighbor after the timer expires, RIP removes the entry from the RIP routing table.

RIP startup and operation

The following list identifies the process of RIP startup and operation:

• After you enable RIP on a router, the router sends a request packet to a neighboring router. After the neighbor receives the packet, the neighbor router sends a response packet. The response packet contains information from the local routing table.
• When the former router receives the response packet, it updates the local routing table. The router then sends a triggered update packet to the neighbor router and broadcasts the route update information. After the neighbor receives the triggered update packet, the neighbor router sends the packet to all neighboring routers. After a series of triggered update broadcasts, each router obtains the updated routing information and preserves it.
• RIP uses the timeout mechanism to ensure the real-time performance and validity of the routes. RIP broadcasts the routing table to the neighboring routers periodically. The neighboring routers update their own routing tables after they receive the packets. All RIP routers repeat this process.

Routing loop avoidance

RIP is a protocol based on the D-V algorithm. Because the router advertises the routing table to neighbors, a routing loop can occur. RIP avoids routing loops through the following mechanisms:

• Counting to infinity—RIP defines the cost 16 as infinity. In case routing loops occur, when the cost reaches 16, RIP considers this route inaccessible.
• Split Horizon—RIP does not send the routes it learns from the neighboring interface to neighboring routers. This mechanism reduces bandwidth consumption and avoids routing loops.
• Poison Reverse—RIP learns a route from the neighboring interface, sets the cost to 16 (inaccessible), and advertises the route to neighboring routers. This mechanism clears unnecessary information in the routing tables of the neighbors.
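The three mechanisms above can be compared with a small simulation. This is an added example, not code from the Nortel guide: two routers share one link, the network N behind Router A fails, and the code counts how many update exchanges pass before both routers hold N at cost 16. The function names, the interface labels "to-A" and "to-B", and the table layout are assumptions; the metric of a directly connected network follows this page's convention.

```python
INFINITY = 16  # RIP cost that marks a destination as inaccessible


def build_update(table, out_iface, mode):
    """Return {destination: metric} advertised on out_iface.

    table maps destination -> (metric, learned_iface); learned_iface is None
    for a directly connected network. mode is "none", "split-horizon" or
    "poison-reverse".
    """
    update = {}
    for dest, (metric, learned_iface) in table.items():
        if learned_iface == out_iface:
            if mode == "split-horizon":
                continue                      # never advertise back where it was learned
            if mode == "poison-reverse":
                update[dest] = INFINITY       # advertise back, but as inaccessible
                continue
        update[dest] = min(metric, INFINITY)
    return update


def receive_update(table, update, in_iface):
    """Apply a received update using the distance-vector rule."""
    for dest, advertised in update.items():
        metric = min(advertised + 1, INFINITY)
        current = table.get(dest)
        if current is None:
            if metric < INFINITY:
                table[dest] = (metric, in_iface)
        elif current[1] == in_iface or metric < current[0]:
            # News from the current next hop is always believed; any other
            # neighbor must offer a strictly better metric.
            table[dest] = (metric, in_iface)


def rounds_to_converge(mode, max_rounds=40):
    """Exchanges needed until both routers consider the failed network N inaccessible."""
    a = {"N": (INFINITY, None)}   # Router A has just lost its directly connected network N
    b = {"N": (1, "to-A")}        # Router B still believes N is one hop away through A
    for rounds in range(1, max_rounds + 1):
        # B's periodic update reaches A before A's bad news reaches B.
        receive_update(a, build_update(b, "to-A", mode), "to-B")
        receive_update(b, build_update(a, "to-B", mode), "to-A")
        if a["N"][0] >= INFINITY and b["N"][0] >= INFINITY:
            return rounds
    return None


if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poison-reverse"):
        print(mode, rounds_to_converge(mode))
```

Without either mechanism the two routers keep raising the cost between them until it reaches 16; with Split Horizon or Poison Reverse the stale route is never accepted back by Router A.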

3.1.3 RIP version

There are two RIP versions, RIP-1 and RIP-2.

RIP-1 is a classful routing protocol. RIP-1 only supports broadcasting protocol packets. The RIP-1 protocol packets do not contain masks so they identify only the routes of the natural network segment such as Class A, Class B, and Class C. RIP-1 does not support route aggregation or discontinuous subnets.

RIP-2 is a classless routing protocol. Compared with RIP-1, RIP-2 provides more functions because it supports the following:

• Route tag—RIP-2 uses the tag in the routing policy to control routes.
• Route aggregation and Classless Inter-domain Routing (CIDR)—The packets contain masks.
• The next-hop selection—In broadcast networks, the router can select the optimal next-hop address.
• Multicast route—RIP-2 can use a multicast route to send update packets. Only RIP-2 routers can receive protocol packets, which reduces resource consumption.
• Protocol packet authentication—RIP-2 provides two authentication modes, authentication in plain text and Message Digest 5 (MD5) authentication, to enhance security.

NOTE

RIP-2 transmits packets in two modes, the broadcast mode and the multicast mode. By default, packets transmit in multicast mode using the multicast address 224.0.0.9. When the interface operates in RIP-2 broadcast mode, it can also receive RIP-1 packets.

3.1.4 RIP packet formats

RIP-1 packet format

A RIP packet consists of a packet header and several route entries. The packet can contain up to 25 route entries. Figure 3-1 shows the packet format of RIP-1.

Figure 3-1 RIP-1 packet format

Bit positions: 0, 7, 15, 31

Header:        command | version | must be zero
Route entry:   address family identifier | must be zero
               IP address
               must be zero
               must be zero
               metric

The following list explains the main fields in the RIP-1 packet:

• command—This field indicates the packet type. The value 1 represents a request packet. The value 2 represents a response packet.
• version—This field indicates the RIP version number. For RIP-1, the value is 0x01.
• Address Family Identifier (AFI)—When the value is 2, this field represents the IP protocol.
• IP Address—This field identifies the destination IP address of the route. The address can only be an address of the natural network segment.
• metric—This field identifies the cost of a route to the destination.

RIP-2 packet format

The packet format of RIP-2 is similar to that of RIP-1, as shown in Figure 3-2.

Figure 3-2 RIP-2 packet format

Bit positions: 0, 7, 15, 31

Header:        Command | Version | unused (must be zero)
Route entry:   Address Family Identifier | Route Tag
               IP Address
               Subnet Mask
               Next Hop
               Metric

The following list identifies the differences between the fields of RIP-1 and RIP-2:

• Version—This field indicates the RIP version number. For RIP-2, the value is 0x02.
• Route Tag—This field indicates the external routes.
• IP Address—This field identifies the destination IP address of the route. The address can be an address of the natural network segment, a subnet address, or a host address.
• Subnet Mask—This field identifies the mask of the destination address.
• Next Hop—This field provides a better next hop address. If the value is 0.0.0.0, it indicates the address of the advertising router is the optimal next-hop address.

RIP-2 packet authentication

RIP-2 uses the first route entry to support packet authentication. RIP-2 also configures the AFI field to 0xFFFF, as shown in Figure 3-3.

Figure 3-3 RIP-2 authentication packet format

Bit positions: 0, 7, 15, 31

Header:                 command | version | unused
Authentication entry:   0xFFFF | Authentication Type
                        Authentication (16 octets)

The following list explains the additional fields in the authentication packet:

• Authentication Type—When the value of this field is 2, it indicates authentication in plain text mode. The value 3 indicates MD5 authentication mode.
• Authentication—When the authentication mode is plain text, this field contains the password information.
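The packet formats in Figures 3-1 to 3-3 can be checked with a short parser. This is an added example, not code from the Nortel guide: it decodes a RIP-1 or RIP-2 payload and reports packets that carry no authentication or that carry the password in plain text. The sample packets are constructed for the example, the function names are assumptions, and the key ID and sequence number offsets for MD5 mode come from RFC 2082 rather than from this page.

```python
import ipaddress
import struct

AUTH_AFI = 0xFFFF                          # AFI value that marks an authentication entry
AUTH_TYPES = {2: "plain text", 3: "MD5"}   # values from the field list on this page
COMMANDS = {1: "request", 2: "response"}
ENTRY = struct.Struct("!HH4s4s4sI")        # AFI, route tag, address, mask, next hop, metric


def parse_auth(auth_type, body):
    """Decode the 16 octets that follow the Authentication Type field."""
    auth = {"type": auth_type, "mode": AUTH_TYPES.get(auth_type, "unknown")}
    if auth_type == 2:
        # Plain text mode: the password sits in these octets, padded with zeros.
        auth["password_len"] = len(body.rstrip(b"\x00"))
    elif auth_type == 3:
        # RFC 2082 layout: packet length, key ID, digest length, sequence number.
        _length, key_id, _digest_len, sequence = struct.unpack("!HBBI", body[:8])
        auth.update(key_id=key_id, sequence=sequence)
    return auth


def parse_rip(payload):
    """Parse the UDP payload of a RIP-1 or RIP-2 packet into a dict."""
    if len(payload) < 4 or (len(payload) - 4) % ENTRY.size:
        raise ValueError("expected a 4-octet header followed by 20-octet entries")
    command, version, unused = struct.unpack("!BBH", payload[:4])
    if command not in COMMANDS or version not in (1, 2):
        raise ValueError("unknown command or version")
    result = {"command": COMMANDS[command], "version": version,
              "auth": None, "routes": [], "anomalies": []}
    if unused:
        result["anomalies"].append("header must-be-zero field is set")
    for index, offset in enumerate(range(4, len(payload), ENTRY.size)):
        raw = payload[offset:offset + ENTRY.size]
        afi, tag, addr, mask, hop, metric = ENTRY.unpack(raw)
        if version == 2 and afi == AUTH_AFI:
            if index == 0:
                result["auth"] = parse_auth(tag, raw[4:])
            elif tag != 1:   # RFC 2082 carries the digest in a trailing 0xFFFF/0x0001 entry
                result["anomalies"].append("authentication entry is not the first entry")
            continue
        route = {"afi": afi, "address": str(ipaddress.IPv4Address(addr)), "metric": metric}
        if version == 2:
            route.update(tag=tag, mask=str(ipaddress.IPv4Address(mask)),
                         next_hop=str(ipaddress.IPv4Address(hop)))
        elif tag or mask != bytes(4) or hop != bytes(4):
            result["anomalies"].append("RIP-1 must-be-zero field is set in entry %d" % index)
        if metric > 16:
            result["anomalies"].append("metric above 16 in entry %d" % index)
        result["routes"].append(route)
    if len(result["routes"]) > 25:
        result["anomalies"].append("more than 25 route entries")
    return result


def audit(parsed):
    """Return the findings a reviewer of captured RIP traffic would record."""
    findings = list(parsed["anomalies"])
    if parsed["version"] == 1:
        findings.append("RIP-1 carries no authentication")
    elif parsed["auth"] is None:
        findings.append("RIP-2 packet without an authentication entry")
    elif parsed["auth"]["type"] == 2:
        findings.append("plain text authentication: password is readable in the packet")
    elif parsed["auth"]["type"] != 3:
        findings.append("unknown authentication type %d" % parsed["auth"]["type"])
    return findings


def route_entry(address, mask, metric, afi=2, tag=0, next_hop="0.0.0.0"):
    """Build one 20-octet route entry (used only for the constructed samples)."""
    packed = lambda a: ipaddress.IPv4Address(a).packed
    return ENTRY.pack(afi, tag, packed(address), packed(mask), packed(next_hop), metric)


# Constructed sample packets (not captured traffic).
V2_RESPONSE = struct.pack("!BBH", 2, 2, 0)
SAMPLE_PLAIN = (V2_RESPONSE + struct.pack("!HH16s", AUTH_AFI, 2, b"constructed-pw")
                + route_entry("1.1.3.0", "255.255.255.0", 1))
SAMPLE_MD5 = (V2_RESPONSE + struct.pack("!HHHBBI8s", AUTH_AFI, 3, 44, 7, 16, 1001, bytes(8))
              + route_entry("1.1.3.0", "255.255.255.0", 1)
              + struct.pack("!HH16s", AUTH_AFI, 1, bytes(16)))   # zeroed digest placeholder
SAMPLE_NOAUTH = V2_RESPONSE + route_entry("1.1.1.0", "255.255.255.0", 1)
SAMPLE_V1 = struct.pack("!BBH", 2, 1, 0) + route_entry("1.0.0.0", "0.0.0.0", 1)

if __name__ == "__main__":
    for name in ("SAMPLE_PLAIN", "SAMPLE_MD5", "SAMPLE_NOAUTH", "SAMPLE_V1"):
        print(name, audit(parse_rip(globals()[name])))
```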

NOTE

RFC 1723 only defines the plain text mode. For details about MD5 authentication, see RFC 2082 RIP-2 MD5 Authentication.

3.1.5 Supported RIP features

The Nortel Secure Router 8000 Series supports the following RIP features:

• RIP-1 and RIP-2
• RIP multi-instance

RIP can serve as the internal routing protocol of a virtual private network (VPN) and run between the Customer Edge (CE) and Provider Edge (PE) in Multiprotocol Label Switching (MPLS) Layer 3 VPN networks.

NOTE

For details about VPN instance configuration, see Nortel Secure Router 8000 Series Configuration Guide - VPN (NN46240-507).

3.1.6 References

For more information about RIP, see the documents listed in the following table.

Document number   Description
RFC 1058          Routing Information Protocol
RFC 1723          RIP Version 2 - Carrying Additional Information
RFC 1721          RIP Version 2 Protocol Analysis
RFC 1722          RIP Version 2 Protocol Applicability Statement
RFC 1724          RIP Version 2 MIB Extension
RFC 2082          RIP-2 MD5 Authentication

3.2 Configuring basic RIP functions

3.2.1 Establishing the configuration task

Applicable environment

Configure basic RIP functions to use the RIP features.

Preconfiguration tasks

Before you configure basic RIP functions, complete the following tasks:

• Configure the link layer protocol.
• Configure the network-layer addresses of the interfaces to keep the network layers of the adjacent nodes accessible.

Data preparation

The following table lists the data you need to configure basic RIP functions.

No.   Data
1     RIP process number
2     Network segment where the RIP interface lies
3     RIP version number

Configuration procedures

No.   Procedure
1     Enabling RIP
2     Enabling RIP on the specified network segment
3     Configuring the working status of the interface
4     Configuring the RIP version
5     Checking the configuration

3.2.2 Enabling RIP

Do as follows on each router that runs RIP:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rip [ process-id ] [ vpn-instance vpn-instance-name ]
This command enables RIP and the RIP view appears.

----End

If you configure related RIP commands in the interface view before you enable RIP, these configurations take effect only after you enable RIP. RIP supports multi-instance. To associate a RIP process with a VPN instance, run the rip [ process-id ] vpn-instance vpn-instance-name command.

3.2.3 Enabling RIP on the specified network segment

Do as follows on each router that runs RIP:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rip [ process-id ]
This command enables RIP and the RIP view appears.

Step 3 Run:
network network-address
This command enables RIP on the specific network segment.

----End

RIP runs only on the interfaces of the specific network segment. For other interfaces, RIP does not receive or send routes and does not forward their routes. After you enable RIP, you must specify the network segment. The network-address is an address in the natural network segment. By default, after you enable RIP globally, it is disabled on all interfaces.

NOTE

RIP does not support using different addresses on the same physical interface in different RIP processes. The address of only one process takes effect.

3.2.4 Configuring the working status of the interface

Suppressing send update packets on the interface

Do as follows on the related router according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rip [ process-id ]
This command enables the RIP process and the RIP view appears.

Step 3 According to the requirements, configure the state of the interface as suppressed.

Run:
silent-interface all
This command configures all interfaces as silent.

Or run:
silent-interface interface-type interface-number
This command disables the interface from sending updated routes.

----End

You can configure an interface as silent. The interface can only receive the packet to update its routing table but cannot send the RIP packet. If you use the silent-interface command and either the rip input or rip output command on an interface, the silent-interface command is of higher priority. By default, the interface does not operate in silent status.

Allowing the interface to send and receive RIP update packets

Do as follows on the related router according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
interface interface-type interface-number
The interface view appears.

Step 3 Run:
rip input
This command enables an interface to receive RIP update packets.

Step 4 Run:
rip output
This command enables an interface to send RIP update packets.

----End

You can separately enable an interface to send or to receive RIP update packets. The rip input and rip output commands have lower priority than the silent-interface command. By default, the interface sends and receives route update packets.

3.2.5 Configuring the RIP version

Configuring the global RIP version

Do as follows on the related router according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rip [ process-id ]
This command enables the RIP process and the RIP view appears.

Step 3 Run:
version { 1 | 2 }
This command configures the global RIP version.

----End

Configuring the RIP version for the interface

Do as follows on the related router according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
interface interface-type interface-number
The interface view appears.

Step 3 Run:
rip version { 1 | 2 [ broadcast | multicast ] }
This command configures the RIP version of the packets received by the interface.

----End

By default, an interface receives RIP-1 and RIP-2 packets and only sends RIP-1 packets. When you configure RIP-2 for an interface, you can configure the interface to send packets in broadcast and multicast modes simultaneously. If you do not configure the RIP version of the interface, the interface uses the global version as the standard.

3.2.6 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action                                                           Command
Check the current running state and configuration information.  display rip [ process-id | vpn-instance vpn-instance-name ]
Check the active and inactive RIP route.                         display rip process-id route

3.3 Controlling RIP routing information

3.3.1 Establishing the configuration task

Applicable environment

In practice, you can control RIP routing information more accurately to meet the requirements of a complicated network environment. The related actions are as follows:

- Adjust the additional metrics of the RIP interface to control route selection.
- Aggregate routes and disable the receiving of host routes to reduce the size of the routing table.
- Advertise the default routes to the neighbors.
- Filter the received routing information.
- Change the preference of the routing protocol by configuring the protocol preference of RIP when several routing protocols discover the same route.
- Import external routes when there are multiple routing protocols and filter the advertised routes.

Preconfiguration tasks

Before you control RIP routing information, complete the following tasks:

- Configure the network-layer addresses of the interfaces to keep the network layers of the adjacent nodes accessible.
- Complete the procedures in Configuring basic RIP functions.

Data preparation

The following table lists the data you need to control RIP routing information.


No.  Data
1    The additional metrics of the interface
2    Address after aggregation
3    Related filtering list needed for filtering routing information
4    Name and process number of the external routing protocol to be imported
5    The preference value of the RIP protocol

Configuration procedures

No.  Procedure
1    Configuring additional metrics of the interface
2    Configuring RIP route aggregation
3    Enabling RIP to receive host routes
4    Configuring RIP to advertise the default routes
5    Configuring RIP to filter the received routes
6    Configuring RIP protocol preference
7    Configuring RIP to import external routes
8    Checking the configuration

3.3.2 Configuring additional metrics of the interface

Do as follows on the related router according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
interface interface-type interface-number
The interface view appears.

Step 3 Run:
rip metricin value
This command configures the metric to add to the received route.

Step 4 Run:
rip metricout value
This command configures the metric to add to the sent route.

----End

Use the rip metricin command to add an additional metric to a received route before the route is added to the routing table. The metric in the routing table changes. Use the rip metricout command to add an additional metric to a route when the interface sends it. The metric in the routing table does not change.

3.3.3 Configuring RIP route aggregation

Enabling RIP-2 automatic route aggregation

Do as follows on the router on which you enable the RIP according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rip [ process-id ]
This command enables the RIP process and the RIP view appears.

Step 3 Run:
summary
This command enables RIP-2 automatic route aggregation.

----End

When different subnet routes in the same natural network segment are advertised to other network segments, you can aggregate them into one route with the natural mask. This is route aggregation. Route aggregation reduces the routing traffic and the size of the routing table. Route aggregation has no effect on RIP-1. RIP-2 supports Variable Length Subnet Mask (VLSM) and CIDR. To broadcast all subnet routes, you can disable the automatic route aggregation of RIP-2.

Configuring RIP-2 advertisement aggregation address

Do as follows on the router on which you enable the RIP according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
interface interface-type interface-number
The interface view appears.

Step 3 Run:
rip summary-address ip-address mask
This command configures the local IP address for RIP-2 advertisement aggregation.

----End

3.3.4 Enabling RIP to receive host routes

Do as follows on the router on which you enable the RIP according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rip [ process-id ]
This command enables the RIP process and the RIP view appears.

Step 3 Run:
host-route
This command enables the interface to receive host routes.

----End

A router can sometimes receive a large number of host routes from the same network segment. These routes are of little use for route addressing but consume network resources. You can disable the receiving of host routes so that the router rejects them.

3.3.5 Configuring RIP to advertise the default routes

Do as follows on the router on which you enable the RIP according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rip [ process-id ]
This command enables the RIP process and the RIP view appears.

Step 3 Run:
default-route originate cost cost
This command enables the RIP to advertise a default route.

----End

You can configure the current router to advertise a default route with the specified metrics to its RIP neighbors.


3.3.6 Configuring RIP to filter the received routes

Do as follows on the router on which you enable the RIP according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rip [ process-id ]
This command enables the RIP process and the RIP view appears.

Step 3 Configure RIP to filter the received routes according to the requirements:

- Run:
  filter-policy acl-number import
  This command uses an access control list (ACL) to filter routing information.

- Run:
  filter-policy gateway ip-prefix-name import
  This command uses a destination address prefix to filter routing information advertised by neighbors.

- Run:
  filter-policy ip-prefix ip-prefix-name [ gateway ip-prefix-name ] import [ interface-type interface-number ]
  This command uses a destination address prefix learned by the specified interface or neighbors to filter routes.

----End

The router supports route filtering. To filter the received and advertised routes, you can configure the inbound and outbound filtering policy by specifying the ACL and IP prefix list. You can configure the router to receive RIP packets only from a designated neighbor.

3.3.7 Configuring RIP protocol preference

Do as follows on the router on which you enable the RIP according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rip [ process-id ]
This command enables the RIP process and the RIP view appears.

Step 3 Run:
preference { preference | route-policy route-policy-name } *
This command configures the preference of the RIP protocol.

----End

3.3.8 Configuring RIP to import external routes

Do as follows on the router on which you enable the RIP according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rip [ process-id ]
This command enables the RIP process and the RIP view appears.

Step 3 Run:
default-cost cost
This command configures the default cost of the routes imported.

Step 4 Run:
import-route protocol [ process-id ] [ cost cost ] [ route-policy route-policy-name ]
This command imports the external routing information.

Step 5 Run:
filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol | interface-type interface-number ]
This command filters the imported routes when the router advertises them.

----End

Step 3 is optional. If you do not specify a metric value when you import the external route (Step 4), the route uses the default cost.

Step 5 is optional. If RIP must advertise the routing information of other protocols, you can specify the protocol to filter the specific routing information. If you do not specify the protocol, the router filters all the routing information to be advertised, including the imported routes and the local RIP routes (equivalent to the directly connected routes).


NOTE

RIP regulates the length of the tag as 16 bits, while other protocols regulate the length of the tag as 32 bits. If you import the other protocols, and use the tag in the routing policy, ensure that the length of the tag does not exceed 65 535 bits. Otherwise, the routing policy becomes invalid and the matching result is incorrect.

3.3.9 Checking the configuration

Run the commands in the following table to check the previous configuration.

Action                                                            Command
Check the current running status and configuration information.  display rip [ process-id | vpn-instance vpn-instance-name ]
Check all active routes in the database advertised by RIP.        display rip process-id database
Check the active and inactive RIP route.                          display rip process-id route

3.4 Adjusting and optimizing RIP networks

3.4.1 Establishing the configuration task

Applicable environment

In certain networks, you must configure some RIP features to adjust and optimize the performance of RIP networks. The related actions are as follows:

- Adjust RIP timers to change the convergence speed of the RIP networks.
- Configure Split Horizon and Poison Reverse to avoid routing loops.
- Implement load balancing through multiple equal-cost routes.
- Check and authenticate packets in networks with higher security requirements.
- Configure RIP features on the interfaces and links with special requirements.
- Configure RIP and management information base (MIB) binding in the network management environments.

Preconfiguration tasks

Before you adjust RIP, complete the following tasks:

- Configure the network-layer addresses of the interfaces to keep the network layers of the adjacent nodes accessible.
- Complete the procedures in Configuring basic RIP functions.

Data preparation

The following table lists the data you need to configure RIP networks.


No.  Data
1    The value of each timer
2    The maximum number of equal-cost routes
3    Packet authentication mode and password
4    IP addresses of RIP neighbors

Configuration procedures

No.  Procedure
1    Configuring RIP timers
2    Configuring the sending interval and the number of sent packets
3    Configuring Split Horizon and Poison Reverse
4    Configuring the maximum number of equal-cost routes
5    Configuring RIP to check the validity of the update packets
6    Configuring packet authentication of RIP-2
7    Configuring RIP neighbors
8    Configuring RIP and MIB binding
9    Checking the configuration

3.4.2 Configuring RIP timers

Do as follows on the router on which you enable the RIP according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rip [ process-id ]
This command enables the RIP process and the RIP view appears.

Step 3 Run:
timers rip update age suppress garbage-collect
This command configures the RIP timers.

----End


RIP uses four timers: update, age, suppress, and garbage-collect. If you change the values of the timers, you affect the RIP convergence speed. The RIP timers take effect instantly after you change them.

Improper configuration of these four timers leads to instability of routes. The timer values must follow this rule: the update timer must be less than the age (expire) timer, and the suppress timer must be less than the garbage-collect timer. For example, if the update time is greater than the aging time and the RIP routes change during the update time, the router cannot inform its neighbors in time.

By default, the update timer is 30 seconds, the age timer is 180 seconds, the suppress timer is 0 seconds, and the garbage-collect timer is four times the update timer, namely, 120 seconds.

In practice, the garbage-collect timer is not fixed. When you configure the update timer to 30 seconds, the garbage-collect timer can be between 90 seconds and 120 seconds. Before RIP permanently deletes an inaccessible route from the routing table, it advertises this route (the weight is set to 16) by periodically sending update packets four times, so that all the neighbors know that this route is inaccessible. Because the route is accessible at the beginning of an update period, the garbage-collect timer is actually three or four times the update timer.

NOTE

When you configure RIP timers, you must consider the network performance and configure all RIP routers uniformly. This configuration avoids unnecessary network traffic and route oscillation.

3.4.3 Configuring the sending interval and the number of sent packets

Do as follows on the interface you enable with the RIP:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
interface interface-type interface-number
The interface view appears.

Step 3 Run:
rip pkt-transmit { interval interval | number pkt count }
This command configures the interval during which the RIP sends packets and the number of packets sent each time.

----End

3.4.4 Configuring Split Horizon and Poison Reverse

Do as follows on the router on which you enable the RIP according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
interface interface-type interface-number
The interface view appears.

Step 3 Run:
rip split-horizon
This command enables Split Horizon.

Step 4 Run:
rip poison-reverse
This command enables Poison Reverse.

----End

If you configure Split Horizon and Poison Reverse at the same time, the router uses only Poison Reverse. In NonBroadcast Multiple Access (NBMA) networks such as Frame Relay and X.25, if you do not use a subinterface, disable Split Horizon to ensure that the routing information transmits correctly.

3.4.5 Configuring the maximum number of equal-cost routes

Do as follows on the router on which you enable the RIP according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rip [ process-id ]
This command enables the RIP process and the RIP view appears.

Step 3 Run:
maximum load-balancing number
This command configures the maximum number of equal-cost routes.

----End

The number value ranges from 1 to 3. By default, the maximum number of equal-cost routes is 3.

3.4.6 Configuring RIP to check the validity of the update packets

Configuring Zero Field Check of the RIP-1 Packets

Do as follows on the router on which you enable the RIP according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rip [ process-id ]
This command enables the RIP process and the RIP view appears.

Step 3 Run:
checkzero
This command configures the zero field check for RIP-1 packets.

----End

Some fields in a RIP-1 packet must be 0. Those fields are zero fields. RIP-1 checks the zero fields when it receives the packet. If the value in the zero field is not 0, the router does not process the packet. Because there are no zero fields in a RIP-2 packet, this configuration is not valid for RIP-2.
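The zero fields become concrete when a packet is parsed. The following Python example is added here and is not code from the Nortel documentation; it uses the RIP-1 entry layout from RFC 1058, and the sample packets and the checkzero parameter of process() are constructed for illustration.

```python
import socket
import struct

ENTRY_LEN = 20  # every RIP route entry is 20 bytes

# Offsets inside a RIP-1 entry that must be zero, with the name of the
# RIP-2 field that occupies the same bytes.
ZERO_FIELDS = (
    (2, "!H", "route tag"),
    (8, "!I", "subnet mask"),
    (12, "!I", "next hop"),
)


def entry(addr, metric, tag=0, mask="0.0.0.0", next_hop="0.0.0.0"):
    """Build one 20-byte route entry (address family 2 = IP)."""
    return struct.pack("!HH4s4s4sI", 2, tag, socket.inet_aton(addr),
                       socket.inet_aton(mask), socket.inet_aton(next_hop), metric)


def zero_field_violations(packet):
    """List (location, field, value) for each non-zero zero field of a RIP-1 packet."""
    if len(packet) < 4 + ENTRY_LEN or (len(packet) - 4) % ENTRY_LEN:
        raise ValueError("not a RIP packet: length must be 4 + n * 20 bytes")
    _command, version, header_zero = struct.unpack_from("!BBH", packet, 0)
    if version != 1:
        return []  # RIP-2 has no zero fields, so the check does not apply
    found = []
    if header_zero:
        found.append(("header", "bytes 2-3", header_zero))
    for index, offset in enumerate(range(4, len(packet), ENTRY_LEN)):
        for rel, fmt, rip2_name in ZERO_FIELDS:
            (value,) = struct.unpack_from(fmt, packet, offset + rel)
            if value:
                found.append((f"entry {index}", rip2_name, value))
    return found


def process(packet, checkzero=True):
    """Return the (destination, metric) pairs the receiver would act on."""
    violations = zero_field_violations(packet)  # also validates the length
    if checkzero and violations:
        return []  # the packet is not processed
    routes = []
    for offset in range(4, len(packet), ENTRY_LEN):
        _afi, addr, metric = struct.unpack_from("!H2x4s8xI", packet, offset)
        routes.append((socket.inet_ntoa(addr), metric))
    return routes


# Constructed sample packets: command 2 (response), version 1.
RIP1_HEADER = struct.pack("!BBH", 2, 1, 0)
CLEAN = RIP1_HEADER + entry("10.0.0.0", 1) + entry("172.16.0.0", 1)
# Second entry carries a subnet mask, which is only legal in RIP-2.
DIRTY = RIP1_HEADER + entry("10.0.0.0", 1) + entry("172.16.1.0", 1, mask="255.255.255.0")

if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN), ("dirty", DIRTY)):
        print(name, zero_field_violations(pkt), process(pkt))
```

The DIRTY packet shows why the check matters: a version 1 packet whose zero fields carry data is dropped as a whole when the check is on, including its otherwise valid first entry.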

Configuring source address check of RIP update packets

Do as follows on the router on which you enable the RIP according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rip [ process-id ]
This command enables the RIP process and the RIP view appears.

Step 3 Run:
verify-source
This command configures the source address check for the RIP update packets.

----End

RIP checks the source address when it receives packets. By default, the source address check is enabled on RIP packets.

3.4.7 Configuring packet authentication of RIP-2

Do as follows on the router on which you enable the RIP according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
interface interface-type interface-number
The interface view appears.

Step 3 Configure the authentication mode of the RIP-2 packets:

- Run:
  rip authentication-mode simple password
  This command configures the simple authentication mode for the RIP-2 packets.

- Run:
  rip authentication-mode md5 { nonstandard password-key key-id | usual password-key }
  This command configures the MD5 authentication mode for RIP-2 packets.

----End
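What each authentication mode puts on the wire, and how a receiver validates it, as an added Python example (not Nortel code). It assumes that simple mode uses the RFC 2453 password entry and that the usual MD5 type produces the RFC 2082 keyed-MD5 layout; the key, key ID, sequence numbers and routes are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

AUTH_AFI = 0xFFFF      # address-family value that marks an authentication entry
AUTH_SIMPLE = 2        # plain text password (RFC 2453)
AUTH_KEYED_MD5 = 3     # keyed message digest (RFC 2082)
TRAILER_TAG = 0x0001   # marks the authentication-data trailer
ENTRY_LEN = 20         # every entry, including the auth entry, is 20 bytes
MD5_LEN = 16
HEADER = struct.pack("!BBH", 2, 2, 0)  # command=response, version=2, unused


def route_entry(prefix, mask, metric):
    """One RIP-2 route entry: AFI 2 (IP), tag 0, prefix, mask, next hop 0, metric."""
    return struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(prefix),
                       socket.inet_aton(mask), bytes(4), metric)


def build_simple(password, routes):
    """Simple mode: the 16-byte password field travels in the packet as-is."""
    return HEADER + struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE, password) + routes


def build_md5(key, key_id, seq, routes):
    """MD5 mode: the packet carries key ID, sequence number and digest, not the key."""
    trailer_off = len(HEADER) + ENTRY_LEN + len(routes)
    auth = struct.pack("!HHHBBIII", AUTH_AFI, AUTH_KEYED_MD5,
                       trailer_off, key_id, MD5_LEN, seq, 0, 0)
    signed = HEADER + auth + routes + struct.pack("!HH", AUTH_AFI, TRAILER_TAG)
    digest = hashlib.md5(signed + key.ljust(MD5_LEN, b"\0")).digest()
    return signed + digest


def check(packet, key, last_seq=None):
    """Receiver-side check: mode, verdict, reason, and any key visible on the wire."""
    result = {"mode": "none", "accepted": False, "reason": "", "key_on_wire": None}
    if len(packet) < len(HEADER) + ENTRY_LEN or packet[1] != 2:
        result["reason"] = "not a RIP-2 packet with room for an auth entry"
        return result
    afi, auth_type = struct.unpack_from("!HH", packet, 4)
    if afi != AUTH_AFI:
        result["reason"] = "first entry is not an authentication entry"
        return result
    if auth_type == AUTH_SIMPLE:
        seen = packet[8:24].rstrip(b"\0")
        ok = hmac.compare_digest(seen, key)
        result.update(mode="simple", key_on_wire=seen, accepted=ok,
                      reason="password matches" if ok else "password mismatch")
        return result
    if auth_type != AUTH_KEYED_MD5:
        result["reason"] = f"unknown authentication type {auth_type}"
        return result
    result["mode"] = "md5"
    trailer_off, _key_id, data_len, seq = struct.unpack_from("!HBBI", packet, 8)
    if data_len != MD5_LEN or len(packet) != trailer_off + 4 + MD5_LEN:
        result["reason"] = "length fields do not match the packet"
    elif struct.unpack_from("!HH", packet, trailer_off) != (AUTH_AFI, TRAILER_TAG):
        result["reason"] = "trailer marker missing"
    elif not hmac.compare_digest(
            hashlib.md5(packet[:trailer_off + 4] + key.ljust(MD5_LEN, b"\0")).digest(),
            packet[trailer_off + 4:]):
        result["reason"] = "digest mismatch"
    elif last_seq is not None and seq < last_seq:
        result["reason"] = "sequence number went backwards (replayed packet)"
    else:
        result.update(accepted=True, reason="digest and sequence number valid")
    return result


# Constructed sample data for this example only.
KEY = b"example-key"
ROUTES = (route_entry("10.1.1.0", "255.255.255.0", 1)
          + route_entry("172.16.1.0", "255.255.255.0", 1))
SIMPLE_PKT = build_simple(KEY, ROUTES)
MD5_PKT = build_md5(KEY, key_id=1, seq=100, routes=ROUTES)

if __name__ == "__main__":
    for name, pkt in (("simple", SIMPLE_PKT), ("md5", MD5_PKT)):
        print(name, check(pkt, KEY, last_seq=99))
```

In simple mode the key is readable in every update, so the mode only guards against misconfiguration. In MD5 mode a changed route entry or a lower sequence number causes the receiver to reject the packet.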

RIP-2 supports two authentication modes: plain text authentication and MD5 authentication. Plain text authentication does not ensure security: the router or host does not encrypt the authentication key sent along with the packet, so plain text authentication cannot meet high security requirements. When you configure MD5 authentication, you must also configure the MD5 type. The usual type supports the Internet Engineering Task Force (IETF) standard authentication packets and the nonstandard type supports nonstandard authentication packets.

3.4.8 Configuring RIP neighbors

Do as follows on the router on which you enable the RIP according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rip [ process-id ]
This command enables the RIP process and the RIP view appears.

Step 3 Run:
peer ip-address
This command configures RIP neighbors.

----End

RIP sends packets in broadcast or multicast mode. If you use RIP on links that do not support broadcast or multicast packets, you must specify RIP neighbors manually.


3.4.9 Configuring RIP and MIB binding

Do as follows on the router on which you enable the RIP according to requirements:

Step 1 Run:
system-view
The system view appears.

Step 2 Run:
rip mib-binding process-id
This command configures RIP and MIB binding.

----End

This command configures the binding relationship between the MIB and the RIP process ID. You can specify the ID of the RIP process that accepts Simple Network Management Protocol (SNMP) requests.

3.4.10 Checking the configuration

The following table lists commands to check the previous configuration.

Action                                                       Command
Check the current running state and configuration.          display rip [ process-id | vpn-instance vpn-instance-name ]
Check all active routes in the database advertised by RIP.  display rip process-id database [ verbose ]
Check the information on the RIP interface.                  display rip process-id interface [ interface-type interface-number ] [ verbose ]
Check the information about the RIP neighbor.                display rip process-id neighbor [ verbose ]
Check the active and inactive RIP route.                     display rip process-id route

3.5 Maintaining RIP


Debugging affects system performance. After you debug the system, use the undo debugging all command to disable it immediately.

After a RIP fault occurs, use the following debugging command in the user view to debug RIP and locate the fault. For information about how to display the debugging information, see Nortel Secure Router 8000 Series Configuration Guide - System Management (NN46240-601). For related debugging commands, see Nortel Secure Router 8000 Series Commands Reference (NN46240-500).

Action               Command
Debugs RIP packets.  debugging rip process-id [ brief | error | event | job | packet | receive | route-processing | send | timer ]
Debugs RIP backup.   debugging rip backup

3.6 Configuration examples

This section provides the following examples:

- Example of configuring the RIP Version
- Example of configuring RIP to import external routes

3.6.1 Example of configuring the RIP Version

Networking requirements

As shown in Figure 3-4, you must enable RIP on all interfaces of Router A, Router B, Router C, and Router D. The routers interconnect with each other through RIP-2.

Figure 3-4 RIP version network diagram

[Figure: Router B connects to Router A over POS1/0/0 (Router A 192.168.1.1/24, Router B 192.168.1.2/24), to Router C over POS2/0/0 (Router B 172.16.1.1/24, Router C 172.16.1.2/24), and to Router D over POS3/0/0 (Router B 10.1.1.1/24, Router D 10.1.1.2/24).]


Configuration roadmap

The steps in the configuration roadmap are:

1. Configure the IP address on each interface to make the network accessible.
2. Enable RIP on each router to configure basic RIP functions.
3. Configure the RIP-2 version on each router to check the accurate subnetwork masks.

Data preparation

To complete the configuration, you need the following data:

- RIP network segment 192.168.1.0 on Router A
- RIP network segments 192.168.1.0, 172.16.0.0, and 10.0.0.0 on Router B
- RIP network segment 172.16.0.0 on Router C
- RIP network segment 10.0.0.0 on Router D
- RIP-2 version on Router A, Router B, Router C, and Router D

Configuration procedure

Step 1 Configure the IP address for each interface.

Step 2 Configure basic RIP functions.

# Configure Router A:

[RouterA] rip
[RouterA-rip-1] network 192.168.1.0

# Configure Router B:

[RouterB] rip
[RouterB-rip-1] network 192.168.1.0
[RouterB-rip-1] network 172.16.0.0
[RouterB-rip-1] network 10.0.0.0

# Configure Router C:

[RouterC] rip
[RouterC-rip-1] network 172.16.0.0

# Configure Router D:

[RouterD] rip
[RouterD-rip-1] network 10.0.0.0

# View the RIP routing table of Router A:

[RouterA] display rip 1 route
Route Flags: R - RIP, T - TRIP
             P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
------
Peer 192.168.1.2 on Pos1/0/0
 Destination/Mask    Nexthop        Cost  Tag  Flags  Sec
 10.0.0.0/8          192.168.1.2    1     0    RA     14
 172.16.0.0/16       192.168.1.2    1     0    RA     14

From the routing table, you can see that the routes RIP-1 advertises use the natural masks.


Step 3 Configure RIP version.

# Configure RIP-2 on Router A:

[RouterA] rip
[RouterA-rip-1] version 2

# Configure RIP-2 on Router B:

[RouterB] rip
[RouterB-rip-1] version 2

# Configure RIP-2 on Router C:

[RouterC] rip
[RouterC-rip-1] version 2

# Configure RIP-2 on Router D:

[RouterD] rip
[RouterD-rip-1] version 2

# View the RIP routing table of Router A:

[RouterA] display rip 1 route
Route Flags: R - RIP, T - TRIP
             P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
------
Peer 192.168.1.2 on Pos1/0/0
 Destination/Mask    Nexthop        Cost  Tag  Flags  Sec
 10.1.1.0/24         192.168.1.2    1     0    RA     32
 172.16.1.0/24       192.168.1.2    1     0    RA     32
 192.168.1.0/24      192.168.1.2    1     0    RA     14

From the routing table, you can see that the routes RIP-2 advertises contain more accurate subnet masks.

----End

NOTE

The aging time of RIP routes is too long. Some RIP-1 routes in the routing table still exist after you configure RIP-2.

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.1.1 255.255.255.0
#
rip 1
 version 2
 network 192.168.1.0
#
return

- Configuration file of Router B

#
 sysname RouterB
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.1.2 255.255.255.0
#
interface Pos2/0/0
 ip address 172.16.1.1 255.255.255.0
#
interface Pos3/0/0
 ip address 10.1.1.1 255.255.255.0
#
rip 1
 version 2
 network 192.168.1.0
 network 172.16.0.0
 network 10.0.0.0
#
return

- Configuration file of Router C

#
 sysname RouterC
#
interface Pos2/0/0
 link-protocol ppp
 ip address 172.16.1.2 255.255.255.0
#
rip 1
 version 2
 network 172.16.0.0
#
return

- Configuration file of Router D

#
 sysname RouterD
#
interface Pos3/0/0
 link-protocol ppp
 ip address 10.1.1.2 255.255.255.0
#
rip 1
 version 2
 network 10.0.0.0
#
return


3.6.2 Example of configuring RIP to import external routes

Networking requirements

As shown in Figure 3-5, two RIP processes, RIP100 and RIP200, run on Router B. Router B exchanges routing information with Router A through RIP100. Router B exchanges routing information with Router C through RIP200.

You must configure Router B to import routes. The two processes import the RIP routes of each other. The default metric value of the routes imported from RIP200 is 3.

You must configure filtering policies on Router B so that the router filters an imported route (192.168.4.0/24) of RIP200 and does not advertise it to Router A.

Figure 3-5 RIP importing external routes network diagram

[Figure: Router A (GbE2/0/0 192.168.0.1/24, POS1/0/0 192.168.1.1/24) connects to Router B (POS1/0/0 192.168.1.2/24) in RIP 100. Router B (POS2/0/0 192.168.2.1/24) connects to Router C (POS1/0/0 192.168.2.2/24, GbE2/0/0 192.168.3.1/24, GbE3/0/0 192.168.4.1/24) in RIP 200.]

Configuration roadmap

The steps in the configuration roadmap are:

1. Enable RIP100 and RIP200 on each router and specify the network segments.
2. On Router B, import the routes of each RIP process into the other process, and configure the default metric of the routes imported from RIP200 as 3.
3. Configure an ACL on Router B and filter the routes imported from RIP200.

Data preparation

To complete the configuration, you need the following data:

- RIP100 on Router A and the network segments 192.168.1.0 and 192.168.0.0
- RIP100 and RIP200 on Router B and the network segments 192.168.1.0 and 192.168.2.0
- RIP200 on Router C and the network segments 192.168.2.0, 192.168.3.0 and 192.168.4.0
- Import the RIP200 route into RIP100 on Router B and configure the default value as 3. Configure ACL2000 to exclude the route with the source network segment of 192.168.4.0. Import the RIP100 route into RIP200.

Configuration procedure

Step 1 Configure the IP address for each interface.

Step 2 Configure basic RIP functions.


# Enable the RIP process 100 on Router A:

[RouterA] rip 100
[RouterA-rip-100] network 192.168.0.0
[RouterA-rip-100] network 192.168.1.0

# Enable the two RIP processes, process 100 and process 200, on Router B:

[RouterB] rip 100
[RouterB-rip-100] network 192.168.1.0
[RouterB-rip-100] quit
[RouterB] rip 200
[RouterB-rip-200] network 192.168.2.0
[RouterB-rip-200] quit

# Enable the RIP process 200 on Router C:

[RouterC] rip 200
[RouterC-rip-200] network 192.168.2.0
[RouterC-rip-200] network 192.168.3.0
[RouterC-rip-200] network 192.168.4.0

# View the routing table of Router A:

[RouterA] display ip routing-table
Route Flags: R - relied, D - download to fib
------
Routing Tables: Public
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost  Flags  NextHop        Interface
127.0.0.0/8         Direct  0    0     D      127.0.0.1      InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1      InLoopBack0
192.168.0.0/24      Direct  0    0     D      192.168.0.1    GigabitEthernet2/0/0
192.168.0.1/32      Direct  0    0     D      127.0.0.1      InLoopBack0
192.168.1.0/24      Direct  0    0     D      192.168.1.1    Pos1/0/0
192.168.1.1/32      Direct  0    0     D      127.0.0.1      InLoopBack0
192.168.1.2/32      Direct  0    0     D      192.168.1.2    Pos1/0/0

Step 3 Configure RIP to import external routes.

# Configure the default route value as 3 on Router B and import the two routes of different RIP processes into the routing tables of each other:

[RouterB] rip 100
[RouterB-rip-100] default-cost 3
[RouterB-rip-100] import-route rip 200
[RouterB-rip-100] quit
[RouterB] rip 200
[RouterB-rip-200] import-route rip 100
[RouterB-rip-200] quit

# View the routing table of Router A after it imports the routes:

[RouterA] display ip routing-table
Route Flags: R - relied, D - download to fib
------
Routing Tables: Public
         Destinations : 10       Routes : 10

Destination/Mask    Proto   Pre  Cost  Flags  NextHop        Interface
127.0.0.0/8         Direct  0    0     D      127.0.0.1      InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1      InLoopBack0
192.168.0.0/24      Direct  0    0     D      192.168.0.1    GigabitEthernet2/0/0
192.168.0.1/32      Direct  0    0     D      127.0.0.1      InLoopBack0
192.168.1.0/24      Direct  0    0     D      192.168.1.1    Pos1/0/0
192.168.1.1/32      Direct  0    0     D      127.0.0.1      InLoopBack0
192.168.1.2/32      Direct  0    0     D      192.168.1.2    Pos1/0/0
192.168.2.0/24      RIP     100  4     D      192.168.1.2    Pos1/0/0
192.168.3.0/24      RIP     100  4     D      192.168.1.2    Pos1/0/0
192.168.4.0/24      RIP     100  4     D      192.168.1.2    Pos1/0/0

Step 4 Configure RIP to filter the imported routes.

# Configure an ACL on Router B and add a rule to exclude packets with the source address of 192.168.4.0/24:

[RouterB] acl 2000
[RouterB-acl-basic-2000] rule deny source 192.168.4.0 0.0.0.255
[RouterB-acl-basic-2000] rule permit
[RouterB-acl-basic-2000] quit

# Filter the imported route 192.168.4.0/24 of the RIP 200 on Router B according to the ACL rule:

[RouterB] rip 100
[RouterB-rip-100] filter-policy 2000 export

Step 5 Verify the configuration.

# View the routing table of Router A after the filtering:

[RouterA] display ip routing-table
Route Flags: R - relied, D - download to fib
------
Routing Tables: Public
         Destinations : 9        Routes : 9

Destination/Mask    Proto   Pre  Cost  Flags  NextHop        Interface
127.0.0.0/8         Direct  0    0     D      127.0.0.1      InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1      InLoopBack0
192.168.0.0/24      Direct  0    0     D      192.168.0.1    GigabitEthernet2/0/0
192.168.0.1/32      Direct  0    0     D      127.0.0.1      InLoopBack0
192.168.1.0/24      Direct  0    0     D      192.168.1.1    Pos1/0/0
192.168.1.1/32      Direct  0    0     D      127.0.0.1      InLoopBack0
192.168.1.2/32      Direct  0    0     D      192.168.1.2    Pos1/0/0
192.168.2.0/24      RIP     100  4     D      192.168.1.2    Pos1/0/0
192.168.3.0/24      RIP     100  4     D      192.168.1.2    Pos1/0/0

----End

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet2/0/0
 ip address 192.168.0.1 255.255.255.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.1.1 255.255.255.0
#
rip 100
 network 192.168.0.0
 network 192.168.1.0
#
return

- Configuration file of Router B

#
 sysname RouterB
#
acl number 2000
 rule 5 deny source 192.168.4.0 0.0.0.255
 rule 10 permit
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.1.2 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 192.168.2.1 255.255.255.0
#
rip 100
 default-cost 3
 network 192.168.1.0
 filter-policy 2000 export
 import-route rip 200
#
rip 200
 network 192.168.2.0
 import-route rip 100
#
return

- Configuration file of Router C

#
 sysname RouterC
#
interface GigabitEthernet2/0/0
 ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 ip address 192.168.4.1 255.255.255.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.2.2 255.255.255.0
#
rip 200
 network 192.168.2.0
 network 192.168.3.0
 network 192.168.4.0
#
return


Contents

4 RIPng configuration
  4.1 Overview
    4.1.1 RIPng overview
    4.1.2 Operation principle
    4.1.3 RIPng packet formats
    4.1.4 RIPng packet processing
    4.1.5 References
  4.2 Configuring basic RIPng functions
    4.2.1 Establishing the configuration task
    4.2.2 Enabling RIPng and entering the RIPng view
    4.2.3 Enabling RIPng in the interface view
    4.2.4 Checking the configuration
  4.3 Controlling RIPng routing information
    4.3.1 Establishing the configuration task
    4.3.2 Configuring RIPng protocol preference
    4.3.3 Configuring additional metrics of the interface
    4.3.4 Configuring RIPng route aggregation
    4.3.5 Configuring RIPng to advertise the default routes
    4.3.6 Configuring RIPng to filter the received routes
    4.3.7 Configuring the default cost for external routes imported by RIPng
    4.3.8 Configuring RIPng to import external routes
    4.3.9 Checking the configuration
  4.4 Adjusting and optimizing RIPng networks
    4.4.1 Establishing the configuration task
    4.4.2 Configuring RIPng timers
    4.4.3 Configuring Split Horizon and Poison Reverse
    4.4.4 Enabling zero field checks of the RIPng packets
    4.4.5 Configuring the maximum number of equal-cost routes
    4.4.6 Checking the configuration
  4.5 Maintaining RIPng
  4.6 Example of configuring RIPng to filter the received routes


Figures

Figure 4-1 RIPng packet basic format
Figure 4-2 Next-hop RTE format
Figure 4-3 IPv6 prefix RTE format
Figure 4-4 RIPng network diagram


4 RIPng configuration

About this chapter

The following table shows the contents of this chapter.

| Section | Description |
|---|---|
| 4.1 Overview | This section describes the principles and concepts of the Routing Information Protocol Next Generation (RIPng). |
| 4.2 Configuring basic RIPng functions | This section describes how to configure basic functions of RIPng. |
| 4.3 Controlling RIPng routing information | This section describes how to control RIPng routing information. For configuration examples, see Example of configuring RIPng to filter the received routes. |
| 4.4 Adjusting and optimizing RIPng networks | This section describes how to adjust and optimize RIPng networks. |
| 4.5 Maintaining RIPng | This section describes how to maintain RIPng. |
| 4.6 Example of configuring RIPng to filter the received routes | This section provides configuration examples of RIPng. |


4.1 Overview

This section covers the following topics that you must understand before you configure RIP:

- RIPng overview
- Operation principle
- RIPng packet formats
- RIPng packet processing
- References

4.1.1 RIPng overview

RIPng is a dynamic routing protocol for the internal Autonomous System (AS). RIPng is the extension of the RIP-2 in the original IPv4 network. Most RIP concepts apply to RIPng.

For IPv6 applications, RIPng changes the existing RIP in the following ways:

- User Datagram Protocol (UDP) port number—RIPng uses UDP port number 521 to send and receive routing information.
- Multicast address—The RIPng router uses FF02::9 as the multicast address in the local scope of the links.
- Prefix length—The destination address uses a 128-bit (the mask length) prefix.
- Next-hop address—RIPng uses a 128-bit IPv6 address.
- Source address—RIPng uses the local link address FE80::/10 as the source address to send the update packets of the RIPng routing information.

4.1.2 Operation principle

RIPng is a Distance-Vector (D-V) algorithm-based protocol that exchanges routing information through UDP packets on port number 521.

RIPng uses the hop count to measure the distance to the destination host. The distance is the metric value or cost. With RIPng, the network that connects directly to the router uses a hop count, or metric, of 0. A network that connects to the router through one router uses a hop count of 1. For each router that separates a network from the main router, the hop count increases by one.

By default, RIPng sends a routing refresh packet every 30 seconds. If RIPng does not receive a routing refresh packet from one network neighbor in 180 seconds, RIPng tags all routes of the network neighbor as inaccessible. If RIPng does not receive a routing refresh packet from one network neighbor in 300 seconds, RIPng removes the routes of the network neighbor from the routing table.

To improve performance and avoid routing loops, RIPng supports both Split Horizon and Poison Reverse. RIPng can import routes from other routing protocols.

Each router that uses RIPng manages a routing database that contains routing entries to all the accessible destinations in the network. These routing entries contain the following information:

- Destination address—This entry identifies the IPv6 address of a host or a network.


- Next-hop address—This entry identifies the address of the next router through which a packet reaches the destination.
- Interface—This entry identifies the interface that forwards IP packets.
- Cost—This entry identifies the cost, as an integer, for the router to reach the destination. The range is from 0 to 16. When the cost is 16, the network or the host is inaccessible.
- Timer—This entry identifies the amount of time since the entry was last updated. The timer resets to 0 when a routing entry updates.
- Route tag—This entry identifies a label that distinguishes routes of internal routing protocols from those of external routing protocols.

4.1.3 RIPng packet formats

Basic formats

A RIPng packet consists of a packet header and multiple route table entries (RTE). In a RIPng packet, the maximum number of RTEs depends on the maximum transmission unit (MTU) of the interface. Figure 4-1 shows the basic format of a RIPng packet.

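Figure 4-1 RIPng packet basic format

 0            7             15                  31
+--------------+--------------+-------------------+
|   Command    |   Version    |   Must be zero    |
+--------------+--------------+-------------------+
|         Route table entry 1 (20 octets)         |
+-------------------------------------------------+
|                     ......                      |
+-------------------------------------------------+
|         Route table entry N (20 octets)         |
+-------------------------------------------------+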

The following list describes the main fields in the packet:

- command—This field defines the packet type. The value 0x01 represents a request packet and the value 0x02 represents a response packet.
- version—This field indicates the RIPng version. Currently, only 0x01 is valid.
- route table entry—Each entry is 20 bytes long.


RTE format

In RIPng, two types of RTEs exist:

- next-hop RTE—This RTE defines the IPv6 address of the next hop.
- IPv6 prefix RTE—This RTE describes the destination IPv6 addresses in the RIPng routing table and the costs.

Figure 4-2 shows the format of the next-hop RTE.

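Figure 4-2 Next-hop RTE format

 0        7        15                           31
+-------------------------------------------------+
|        IPv6 next hop address (16 octets)        |
+-------------------+--------------+--------------+
|   Must be zero    | Must be zero |     0xFF     |
+-------------------+--------------+--------------+

The IPv6 next-hop address in the packet represents the IPv6 address of the next hop.

Figure 4-3 shows the format of the IPv6 prefix RTE.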

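Figure 4-3 IPv6 prefix RTE format

 0        7        15                           31
+-------------------------------------------------+
|             IPv6 prefix (16 octets)             |
+-------------------+--------------+--------------+
|     Route tag     |  Prefix len  |    Metric    |
+-------------------+--------------+--------------+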

The following list explains the fields in the prefix RTE:

- IPv6 prefix—This field indicates the prefix of the destination IPv6 address.
- route tag—This field distinguishes the external routes.
- prefix len—This field indicates the prefix length of the IPv6 address.
- metric—This field indicates the routing cost.

4.1.4 RIPng packet processing

Request packets

When a RIPng router starts or needs to update routing entries, it sends a request packet to its neighbor to request the needed routing information. Usually, the router sends the request packet in multicast mode.


The RIPng router that receives the request packet processes the RTEs. The router sends all routing information from its current routing table to the requesting router through a response packet if the request packet meets the following conditions:

- The request packet uses only one RTE.
- The IPv6 prefix and its length are both 0 and the cost is 16.

If the request packet does not meet the preceding conditions, the router processes RTEs entry by entry, updates the cost of each route, and finally returns the information to the requesting router.

Response packets

A response packet contains information from the local routing table. The router generates the response packet in the following cases:

- when it responds to a certain request packet
- when it sends the packet periodically as an update packet

The router that receives the response packet updates its own RIPng routing table. To ensure that the routes are correct, the RIPng router checks the validity of the received request packets, such as whether the source IPv6 address is a link local address and whether the port number is correct. The router ignores the packets that fail to pass the validity checks.

4.1.5 References

For more information about RIPng, see the RFCs listed in the following table.

| Document number | Description |
|---|---|
| RFC 2080 | RIPng for IPv6 |
| RFC 1723 | RIP Version 2 - Carrying Additional Information |
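The packet layout in 4.1.3 and the validity checks in 4.1.4, as an added Python example (not code from this guide or from the router software): a parser that decodes the header and both RTE types and ignores a packet that fails a check. The function names, the constructed sample packet, and the choice to apply the source address and port checks to response packets (as RFC 2080 does) are assumptions of this example.

```python
import ipaddress
import struct

RIPNG_PORT = 521                      # UDP port (section 4.1.1)
REQUEST, RESPONSE = 0x01, 0x02        # command values (section 4.1.3)
VERSION = 0x01                        # only valid version
INFINITY = 16                         # cost 16 means inaccessible
NEXT_HOP_MARKER = 0xFF                # last octet of a next-hop RTE
LINK_LOCAL = ipaddress.ip_network("fe80::/10")


class RipngError(ValueError):
    """A validity check failed; the receiver ignores the packet."""


def build_packet(command, rtes, must_be_zero=0):
    """Encode a header and (address, route_tag, prefix_len, metric) RTEs."""
    data = struct.pack("!BBH", command, VERSION, must_be_zero)
    for address, tag, prefix_len, metric in rtes:
        data += ipaddress.IPv6Address(address).packed
        data += struct.pack("!HBB", tag, prefix_len, metric)
    return data


def parse_packet(data, src_addr, src_port, checkzero=True):
    """Validate one datagram and return (command, list of route dicts)."""
    if len(data) < 4 or (len(data) - 4) % 20:
        raise RipngError("length is not a 4-octet header plus 20-octet RTEs")
    command, version, zero = struct.unpack("!BBH", data[:4])
    if command not in (REQUEST, RESPONSE):
        raise RipngError("unknown command 0x%02x" % command)
    if version != VERSION:
        raise RipngError("unsupported version 0x%02x" % version)
    if checkzero and zero:
        raise RipngError("must-be-zero header field is not zero")
    if command == RESPONSE:
        # Assumption: source checks are applied to responses, as in RFC 2080.
        if ipaddress.IPv6Address(src_addr) not in LINK_LOCAL:
            raise RipngError("source is not a link-local address")
        if src_port != RIPNG_PORT:
            raise RipngError("source port is not 521")

    routes, next_hop = [], None
    for offset in range(4, len(data), 20):
        address = ipaddress.IPv6Address(data[offset:offset + 16])
        tag, prefix_len, metric = struct.unpack(
            "!HBB", data[offset + 16:offset + 20])
        if metric == NEXT_HOP_MARKER:
            # Next-hop RTE: applies to the prefix RTEs that follow it.
            if checkzero and (tag or prefix_len):
                raise RipngError("must-be-zero field in next-hop RTE is not zero")
            unspecified = ipaddress.IPv6Address("::")
            next_hop = None if address == unspecified else address
            continue
        if prefix_len > 128:
            raise RipngError("prefix length %d exceeds 128" % prefix_len)
        if metric > INFINITY:
            raise RipngError("metric %d exceeds 16" % metric)
        routes.append({
            "prefix": ipaddress.IPv6Network((address, prefix_len), strict=False),
            "tag": tag,
            "metric": metric,
            "next_hop": next_hop,
        })
    return command, routes


def is_full_table_request(data, src_addr, src_port):
    """True for a request with one RTE: prefix 0, length 0, cost 16."""
    command, routes = parse_packet(data, src_addr, src_port)
    return (command == REQUEST and len(data) == 24 and len(routes) == 1
            and str(routes[0]["prefix"]) == "::/0"
            and routes[0]["metric"] == INFINITY)


def accepted(data, src_addr, src_port, checkzero=True):
    """Return True if the packet passes every check, False if it is ignored."""
    try:
        parse_packet(data, src_addr, src_port, checkzero)
        return True
    except RipngError:
        return False


# Constructed sample: a periodic response carrying 2::/64 and 3::/64,
# sent from the link-local peer address shown in section 4.6.
PEER = "fe80::f54c:0:9fdb:1"
SAMPLE_RESPONSE = build_packet(RESPONSE, [("2::", 0, 64, 1), ("3::", 0, 64, 1)])
```

Passing checkzero=False models a router on which the zero field check of 4.4.4 is disabled: a packet with a non-zero reserved field is then decoded instead of ignored.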

4.2 Configuring basic RIPng functions

4.2.1 Establishing the configuration task

Applicable environment

Configure basic RIPng functions to use the RIPng features. Enable RIPng globally before you configure related RIPng commands in the interface view. Interface view commands take effect only after you enable RIPng in the system view.

Preconfiguration tasks

Before you configure basic RIPng functions, complete the following tasks:

- Enable IPv6 on the router.


- Configure the network-layer addresses of the interfaces to keep the network layers of the adjacent nodes accessible.

Data preparation

The following table lists the data you need to configure basic RIPng functions.

| No. | Data |
|---|---|
| 1 | RIPng process number |
| 2 | Interfaces on which to enable RIPng |

Configuration procedures

| No. | Procedure |
|---|---|
| 1 | Enabling RIPng and entering the RIPng view |
| 2 | Enabling RIPng in the interface view |
| 3 | Checking the configuration |

4.2.2 Enabling RIPng and entering the RIPng view

Do as follows on each router that runs RIPng according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

ripng [ process-id ]

This command enables RIPng and the RIPng view appears.

----End

If you configure only one RIPng routing process, usually you do not specify the process-id. By default, the process-id is 1.

When you cancel the operation, you need to reconfigure all the commands relevant to the ripng enable command on the interface.

4.2.3 Enabling RIPng in the interface view

Do as follows on each router that runs RIPng according to requirements:

Step 1 Run:

system-view


The system view appears.

Step 2 Run:

interface interface-type interface-number

The interface view appears.

The interface is on the network side of the router and interconnects with other routers. To enable the router to learn the routes of the network segment where the interface resides, ensure that the link state of the interface is up.

NOTE

- You cannot run the following command in interface view if you do not configure the IPv6 address.
- ATM interfaces do not support the following command.

Step 3 Run:

ripng process-id enable

This command enables RIPng on the specified interface.

----End

After you enable RIPng, you must specify the interfaces. RIP operates only on the specified interface. On an interface where you do not enable RIPng, RIPng neither receives nor sends routes, and it does not forward the route of that interface.

NOTE

If multiple interfaces on a router connect to other routers, repeat the commands in Step 2 and Step 3.

4.2.4 Checking the configuration

Use the commands in the following table to check the previous configuration.

| Action | Command |
|---|---|
| Check the configuration information about the RIPng process. | display ripng [ process-id ] |
| Check all active and inactive RIPng routes. | display ripng process-id route |

Use the display ripng [ process-id ] command to verify that both the link status and the IP status of the network segment on which you enable RIPng appear as Up.


4.3 Controlling RIPng routing information

4.3.1 Establishing the configuration task

Applicable environment

This section describes how to configure RIPng route features, such as how to change the protocol preference and the cost of a RIPng route. It also describes how to control the received and advertised routes and the imported external routing information.

Preconfiguration tasks

Before you configure RIPng route features, complete the following tasks:

- Configure the network-layer address of the interface.
- Complete the procedures in Configuring basic RIPng functions.

Data preparation

The following table lists the data you need to import and filter RIPng routes.

| No. | Data |
|---|---|
| 1 | RIPng protocol preference |
| 2 | Link cost of each interface |
| 3 | IPv6 address and its length after aggregation |
| 4 | Related filtering list needed for filtering routing information |
| 5 | Name, process number, and cost of the external routes to import |

Configuration procedures

| No. | Procedure |
|---|---|
| 1 | Configuring RIPng protocol preference |
| 2 | Configuring additional metrics of the interface |
| 3 | Configuring RIPng route aggregation |
| 4 | Configuring RIPng to advertise the default routes |
| 5 | Configuring RIPng to filter the received routes |
| 6 | Configuring the default cost for external routes imported by RIPng |
| 7 | Configuring RIPng to import external routes |
| 8 | Checking the configuration |


4.3.2 Configuring RIPng protocol preference

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

ripng [ process-id ]

The RIPng view appears.

Step 3 Run:

preference { preference | route-policy route-policy-name } *

This command configures the RIPng preference.

----End

Each kind of routing protocol uses its own preference by which the routing policy selects the optimal route from the routes of different protocols. You can configure the RIPng preference manually. The greater the preference value, the lower the preference.

4.3.3 Configuring additional metrics of the interface

Do as follows on the related routers according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

interface interface-type interface-number

The interface view appears.

Step 3 Run:

ripng metricin value

This command configures the metric to add to the received routes.

Step 4 Run:

ripng metricout value

This command configures the metric to add to the sent routes.

----End

Additional metrics are the input or output metrics added to a RIPng route. The ripng metricin command adds an additional metric to a received route before the route is added to the routing table, which changes the metric in the table. The ripng metricout command applies when the router advertises its routes: it adds an additional metric to the advertised route, but the metrics in the routing table do not change.

NOTE

If multiple interfaces of a router connect to other RIPng routers, repeat the commands in Step 2 and Step 4 until you configure the cost of all links.

4.3.4 Configuring RIPng route aggregation

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

interface interface-type interface-number

The interface view appears.

Step 3 Run:

ripng summary-address ipv6-address prefix-length

This command configures RIPng route aggregation.

----End

Use this command to configure the RIPng router to advertise the aggregated IPv6 prefix on an interface instead of the specific routes.

4.3.5 Configuring RIPng to advertise the default routes

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

interface interface-type interface-number

The interface view appears.

Step 3 Run:

ripng default-route { only | originate } [ cost cost ]

This command configures RIPng to advertise a default route.

Configure RIPng to advertise the default routes according to the actual network requirements. The following list explains the advertisement options:

- only—Only advertise the IPv6 default routes (::/0) and suppress the advertisement of other routes.


- originate—Advertise the IPv6 default routes (::/0) without affecting the advertisement of other routes.

----End

The update packets of the specific interface advertise RIPng default routes whether or not the route exists in the IPv6 routing table.

4.3.6 Configuring RIPng to filter the received routes

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

ripng [ process-id ]

The RIPng view appears.

Step 3 Run:

filter-policy { acl6-number | ipv6-prefix ipv6-prefix-name } import

This command filters the received routes.

----End

You can specify the ACL or IPv6 prefix to configure the filter policy rules. The only routes you can add to the RIPng routing table are those that match the filter.

4.3.7 Configuring the default cost for external routes imported by RIPng

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

ripng [ process-id ]

The RIPng view appears.

Step 3 Run:

default-cost cost

This command configures the default cost of external routes RIPng imports.

----End


When you do not specify the metric, the command configures the default RIPng cost for routes imported from other routing protocols.

4.3.8 Configuring RIPng to import external routes

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

ripng [ process-id ]

The RIPng view appears.

Step 3 Run:

default-cost cost

This command configures the default cost for external routes imported.

Step 4 Run:

import-route protocol [ process-id ] [ cost cost ] [ route-policy route-policy-name ]

This command imports external routes.

Step 5 Run:

filter-policy { acl6-number | ipv6-prefix ipv6-prefix-name } export [ protocol ]

This command configures RIPng to filter the routing information it imports and advertises.

----End

Step 3 is optional. If you do not specify a routing cost when you import the routes in Step 4, the routes use the default routing cost.

Step 5 is optional. RIPng can filter the imported routes based on the ACL6 or IPv6 prefix list. RIPng advertises only the routes that meet the requirements. If you do not specify the protocol, RIPng filters all the advertised routing information, including the imported routes and the local RIPng routes (equivalent to the directly-connected routes).

4.3.9 Checking the configuration

Use the commands in the following table to check the previous configuration.

| Action | Command |
|---|---|
| Check the RIPng routes in the database. | display ripng process-id database |
| Check all active and inactive RIPng routes. | display ripng process-id route |


4.4 Adjusting and optimizing RIPng networks

4.4.1 Establishing the configuration task

Applicable environment

This section describes how to adjust and optimize the performance of RIPng networks and the application of some RIPng features in special network environments.

Preconfiguration tasks

Before you adjust and optimize the RIPng networks, complete the following tasks:

- Configure the network-layer address for the interface.
- Complete the procedures in Configuring basic RIPng functions.

Data preparation

The following table lists the data you need to adjust RIPng.

| No. | Data |
|---|---|
| 1 | RIPng timers |
| 2 | The maximum number of equal-cost routes |

Configuration procedures

| No. | Procedure |
|---|---|
| 1 | Configuring RIPng timers |
| 2 | Configuring Split Horizon and Poison Reverse |
| 3 | Enabling zero field checks of the RIPng packets |
| 4 | Configuring the maximum number of equal-cost routes |
| 5 | Checking the configuration |

4.4.2 Configuring RIPng timers

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:


ripng [ process-id ]

The RIPng view appears.

Step 3 Run:

timers ripng update age suppress garbage-collect

This command configures RIPng timers.

NOTE

The system does not support suppress timer configuration.

----End

By default, the update timer is 30 seconds, the age timer is 180 seconds, the suppress timer is 0 seconds, and the garbage-collect timer is 120 seconds.

Incorrect configuration of the four timers results in unstable RIPng routes. The timers must satisfy the following relationships: update is less than age, and suppress is less than garbage-collect. For example, if the update time is longer than the aging time and a RIPng route changes during the update time, the router cannot notify its neighbor in time.

4.4.3 Configuring Split Horizon and Poison Reverse

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

interface interface-type interface-number

The interface view appears.

Step 3 Run:

ripng split-horizon

This command enables Split Horizon.

Step 4 Run:

ripng poison-reverse

This command enables Poison Reverse.

----End

If you enable Split Horizon, an interface does not send back a route that it receives. Split Horizon avoids routing loops. In some special cases, for example, Frame Relay and X.25 networks that belong to NonBroadcast Multiple Access (NBMA) networks, you must disable Split Horizon to ensure the correct advertisement of the routes.

If you enable Poison Reverse, an interface can send back a route that it learns. The metric of this route is 16, which means the route is inaccessible.


If you enable Split Horizon and Poison Reverse at the same time, the router uses only Poison Reverse.

4.4.4 Enabling zero field checks of the RIPng packets

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

ripng [ process-id ]

The RIPng view appears.

Step 3 Run:

checkzero

This command enables the zero field check on RIPng packets.

----End

Some fields in a RIPng packet must be 0 and they are called zero fields. If the value in a zero field is not 0, RIPng does not process the packet.

4.4.5 Configuring the maximum number of equal-cost routes

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

ripng [ process-id ]

The RIPng view appears.

Step 3 Run:

maximum load-balancing number

This command configures the maximum number of equal-cost routes. By default, the RIPng supports up to six equal-cost routes.

----End


NOTE

The maximum number of equal-cost routes varies with products and protocols. You can adjust the number if you purchase licenses.

4.4.6 Checking the configuration

Use the commands in the following table to check the previous configuration.

| Action | Command |
|---|---|
| Check the configuration information about the RIPng process. | display ripng [ process-id ] |
| Check the RIPng routes in the database. | display ripng process-id database [ verbose ] |
| Check the information on the RIPng interface. | display ripng process-id interface [ interface-type interface-number ] [ verbose ] |
| Check the information on the neighbor. | display ripng process-id neighbor [ verbose ] |
| Check all active and inactive RIPng routes. | display ripng process-id route |
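The effect of Split Horizon and Poison Reverse from 4.4.3, as an added Python example that is not part of the original guide: a two-router simulation of Router A and Router B from section 4.6 after Router B loses the route 3::/64. It assumes synchronous update rounds, no timers and no triggered updates, and that a receiver adds one hop to each advertised metric; all function names are hypothetical.

```python
INFINITY = 16  # cost that marks a route as inaccessible


def effective_mode(split_horizon, poison_reverse):
    """Poison Reverse takes precedence when both features are enabled."""
    if poison_reverse:
        return "poison-reverse"
    return "split-horizon" if split_horizon else "none"


def advertise(route, to_neighbor, mode):
    """Metric a router puts in its update to to_neighbor, or None if omitted."""
    if route["via"] == to_neighbor:          # route was learned from that neighbor
        if mode == "poison-reverse":
            return INFINITY                  # send it back as inaccessible
        if mode == "split-horizon":
            return None                      # do not send it back at all
    return route["cost"]


def receive(route, metric, from_neighbor):
    """Apply the distance-vector update rule for one advertised metric."""
    if metric is None:
        return
    new_cost = min(metric + 1, INFINITY)     # one more hop through the sender
    if route["via"] == from_neighbor:
        route["cost"] = new_cost             # the current next hop is always believed
    elif new_cost < route["cost"]:
        route["cost"], route["via"] = new_cost, from_neighbor


def rounds_until_withdrawn(split_horizon=False, poison_reverse=False, limit=50):
    """Simulate Router A and Router B after Router B loses 3::/64.

    Returns the (cost on Router A, cost on Router B) pair after each round.
    """
    mode = effective_mode(split_horizon, poison_reverse)
    router_a = {"cost": 2, "via": "B"}            # learned from Router B
    router_b = {"cost": INFINITY, "via": None}    # Router C stopped advertising it
    history = []
    for _ in range(limit):
        receive(router_b, advertise(router_a, "B", mode), "A")
        receive(router_a, advertise(router_b, "A", mode), "B")
        history.append((router_a["cost"], router_b["cost"]))
        if router_a["cost"] == INFINITY and router_b["cost"] == INFINITY:
            break
    return history
```

Without either feature the two routers count the cost of 3::/64 up to 16 over eight rounds while pointing at each other; with Split Horizon or Poison Reverse the route is withdrawn in the first round.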

4.5 Maintaining RIPng

Debugging affects system performance. After you debug the system, use the undo debugging all command to disable it immediately.

After a RIPng fault occurs, use the following debugging commands in the user view to debug RIPng and locate the fault. For information about how to display the debugging information, see Nortel Secure Router 8000 Series Configuration Guide - System Management (NN46240-601). For related debugging commands, see Nortel Secure Router 8000 Series Commands Reference (NN46240-500).

Action: Debug the specified RIPng process.
Command: debugging ripng process-id [ brief | error | event | job | packet | receive | route-processing | send | timer ]

Action: Debug the specified RIPng interface.
Command: debugging ripng interface-type interface-number [ packet | receive | send ]


4.6 Example of configuring RIPng to filter the received routes

Networking requirements

As shown in Figure 4-4, the prefix length of the IPv6 addresses is 64. The adjacent routers connect by IPv6 link-local addresses.

All routers must learn IPv6 routing information in the networks through RIPng. Router B must filter the route of Router C (3::/64) that it receives, so that the route is neither added to the routing table of Router B nor advertised to Router A.

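Figure 4-4 RIPng network diagram

RouterA: GbE2/0/0 1::1/64; POS1/0/0 connects to POS1/0/0 of RouterB
RouterB: POS1/0/0 connects to RouterA; POS2/0/0 connects to POS1/0/0 of RouterC
RouterC: POS1/0/0 connects to RouterB; GbE2/0/0 2::1/64; GbE3/0/0 3::1/64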

Configuration roadmap

The steps in the configuration roadmap are:

1. Enable basic RIPng functions on each router and connect the routers with each other.
2. Configure ACL on Router B and filter the received routes.

Data Preparation

The following list explains the data you need to complete the configuration:

- RIPng process 1 enabled on each router
- ACL6 2000 on Router B

Configuration procedure

Step 1 Configure the IPv6 address for each interface.

Step 2 Configure basic RIPng functions.

# Configure Router A:

[RouterA] ripng 1
[RouterA-ripng-1] quit
[RouterA] interface GigabitEthernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ripng 1 enable
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] ripng 1 enable
[RouterA-Pos1/0/0] quit

# Configure Router B:


[RouterB] ripng 1
[RouterB-ripng-1] quit
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] ripng 1 enable
[RouterB-Pos1/0/0] quit
[RouterB] interface pos 2/0/0
[RouterB-Pos2/0/0] ripng 1 enable
[RouterB-Pos2/0/0] quit

# Configure Router C:

[RouterC] ripng 1
[RouterC-ripng-1] quit
[RouterC] interface pos 1/0/0
[RouterC-Pos1/0/0] ripng 1 enable
[RouterC-Pos1/0/0] quit
[RouterC] interface GigabitEthernet 2/0/0
[RouterC-GigabitEthernet2/0/0] ripng 1 enable
[RouterC-GigabitEthernet2/0/0] quit
[RouterC] interface GigabitEthernet 3/0/0
[RouterC-GigabitEthernet3/0/0] ripng 1 enable
[RouterC-GigabitEthernet3/0/0] quit

# View the RIPng routing table of Router B:

[RouterB] display ripng 1 route
Route Flags: A - Aging, S - Suppressed, G - Garbage-collect
------

Peer FE80::F54C:0:9FDB:1 on Pos2/0/0
 Dest 2::/64, via FE80::F54C:0:9FDB:1, cost 1, tag 0, A, 3 Sec
 Dest 3::/64, via FE80::F54C:0:9FDB:1, cost 1, tag 0, A, 3 Sec

Peer FE80::D472:0:3C23:1 on Pos1/0/0
 Dest 1::/64, via FE80::D472:0:3C23:1, cost 1, tag 0, A, 4 Sec

# View the RIPng routing table of Router A:

[RouterA] display ripng 1 route
Route Flags: A - Aging, S - Suppressed, G - Garbage-collect
------

Peer FE80::476:0:3624:1 on Pos1/0/0
 Dest 2::/64, via FE80::476:0:3624:1, cost 2, tag 0, A, 21 Sec
 Dest 3::/64, via FE80::476:0:3624:1, cost 2, tag 0, A, 21 Sec

Step 3 Configure Router B to filter the received routes:

[RouterB] acl ipv6 number 2000
[RouterB-acl6-basic-2000] rule deny source 3::/64
[RouterB-acl6-basic-2000] rule permit
[RouterB-acl6-basic-2000] quit


[RouterB] ripng 1
[RouterB-ripng-1] filter-policy 2000 import

Step 4 Verify the configuration

# Check that no route of 3::/64 network segment is in the RIPng routing table of Router B:

[RouterB] display ripng 1 route
Route Flags: A - Aging, S - Suppressed, G - Garbage-collect
------

Peer FE80::F54C:0:9FDB:1 on Pos2/0/0
 Dest 2::/64, via FE80::F54C:0:9FDB:1, cost 1, tag 0, A, 14 Sec

Peer FE80::D472:0:3C23:1 on Pos1/0/0
 Dest 1::/64, via FE80::D472:0:3C23:1, cost 1, tag 0, A, 25 Sec

[RouterA] display ripng 1 route
Route Flags: A - Aging, S - Suppressed, G - Garbage-collect
------

Peer FE80::476:0:3624:1 on Pos1/0/0
 Dest 2::/64, via FE80::476:0:3624:1, cost 2, tag 0, A, 7 Sec

----End

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
 ipv6
#
interface GigabitEthernet2/0/0
 ipv6 address 1::1/64
 ripng 1 enable
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address auto link-local
 ripng 1 enable
#
ripng 1
#
return

- Configuration file of Router B

#
 sysname RouterB
#
 ipv6
#
acl ipv6 number 2000
 rule 0 deny source 3::/64
 rule 1 permit
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address auto link-local
 ripng 1 enable
#
interface Pos2/0/0
 link-protocol ppp
 ipv6 address auto link-local
 ripng 1 enable
#
ripng 1
 filter-policy 2000 import
#
return

- Configuration file of Router C

#
 sysname RouterC
#
 ipv6
#
interface GigabitEthernet2/0/0
 ipv6 address 2::1/64
 ripng 1 enable
#
interface GigabitEthernet3/0/0
 ipv6 address 3::1/64
 ripng 1 enable
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address auto link-local
 ripng 1 enable
#
ripng 1
#
return
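The import filter configured in this example, as an added Python sketch (not Nortel code): it evaluates ACL6 2000 against the routes that Router B receives and reproduces the routing tables shown before and after filtering. The matching rule (destination address only), the deny result when no rule matches, and the function names are assumptions of this example, and 2::/15 in the usage note is a constructed prefix.

```python
import ipaddress

# Constructed from the Router B configuration file in section 4.6.
ACL6_2000 = [
    (0, "deny", "3::/64"),
    (1, "permit", None),      # a rule without a source matches every route
]

# Constructed from the "display ripng 1 route" output on Router B
# before filtering: (prefix, cost, interface the route was learned on).
RECEIVED_ON_B = [
    ("2::/64", 1, "Pos2/0/0"),
    ("3::/64", 1, "Pos2/0/0"),
    ("1::/64", 1, "Pos1/0/0"),
]


def acl_action(acl, prefix):
    """Return the action of the first rule, in rule-ID order, that matches.

    Assumption: a basic ACL6 rule compares only the route's destination
    address with the source range; the prefix length is not compared.
    """
    address = ipaddress.ip_network(prefix).network_address
    for _rule_id, action, source in sorted(acl, key=lambda rule: rule[0]):
        if source is None or address in ipaddress.ip_network(source):
            return action
    return "deny"             # assumption: no matching rule means deny


def import_filter(acl, received):
    """Routes that 'filter-policy <acl> import' lets into the RIPng table."""
    return [route for route in received if acl_action(acl, route[0]) == "permit"]


def readvertise(table, out_interface):
    """What a neighbor on out_interface learns from this table: one extra
    hop, and no route that was itself learned on out_interface."""
    return [(prefix, cost + 1) for prefix, cost, learned_on in table
            if learned_on != out_interface]
```

Under the address-only matching assumed here, a less-specific route that covers 3::/64, such as 2::/15, still passes ACL6 2000, so when you verify a filter check the routing table for covering prefixes as well as for the denied prefix itself.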


Contents

5 OSPF configuration
  5.1 Overview
    5.1.1 Introduction
    5.1.2 OSPF concepts
    5.1.3 OSPF areas and route aggregation
    5.1.4 OSPF network types
    5.1.5 OSPF packet format
    5.1.6 Supported OSPF features
    5.1.7 References
  5.2 Configuring basic OSPF functions
    5.2.1 Establishing the configuration task
    5.2.2 Enabling OSPF and entering the OSPF view
    5.2.3 Configuring the network segments included by each area
    5.2.4 Checking the configuration
  5.3 Configuring OSPF area features
    5.3.1 Establishing the configuration task
    5.3.2 Configuring OSPF stub areas
    5.3.3 Configuring an OSPF NSSA
    5.3.4 Configuring OSPF virtual links
    5.3.5 Checking the configuration
  5.4 Configuring OSPF network types
    5.4.1 Establishing the configuration task
    5.4.2 Configuring network types of OSPF interfaces
    5.4.3 Configuring neighbors for NBMA networks
    5.4.4 Configuring DR priorities of OSPF interfaces
    5.4.5 Checking the configuration
  5.5 Controlling OSPF routing information
    5.5.1 Establishing the configuration task
    5.5.2 Configuring OSPF route aggregation
    5.5.3 Configuring OSPF to filter the received routes
    5.5.4 Configuring OSPF to filter ABR Type 3 LSA
    5.5.5 Configuring the link cost of OSPF


    5.5.6 Configuring the maximum number of equal-cost routes
    5.5.7 Configuring the priority for OSPF
    5.5.8 Configuring OSPF to import external routes
    5.5.9 Checking the configuration
  5.6 Adjusting and optimizing OSPF networks
    5.6.1 Establishing the configuration task
    5.6.2 Configuring OSPF packet timer
    5.6.3 Configuring the OSPF retransmission limit
    5.6.4 Configuring the delay to transmit LSAs on the interface
    5.6.5 Configuring the update and receive interval for LSAs
    5.6.6 Configuring the SPF calculation interval
    5.6.7 Suppressing the interface from receiving and sending OSPF packets
    5.6.8 Configuring a stub router
    5.6.9 Configuring the authentication mode for OSPF areas
    5.6.10 Configuring the MTU in DD packets
    5.6.11 Configuring the maximum number of external LSAs in the LSDB
    5.6.12 Configuring RFC 1583 compatible external routing
    5.6.13 Configuring the network management of OSPF
    5.6.14 Checking the configuration
  5.7 Configuring OSPF Graceful Restart
    5.7.1 Establishing the configuration task
    5.7.2 Enabling OSPF GR
    5.7.3 Checking the configuration
  5.8 Maintaining OSPF
    5.8.1 Resetting OSPF
    5.8.2 Clearing OSPF
    5.8.3 Debugging OSPF
  5.9 Configuration examples
    5.9.1 Example of configuring basic OSPF functions
    5.9.2 Example of configuring OSPF stub areas
    5.9.3 Example of configuring an OSPF NSSA
    5.9.4 Example of configuring DR election of OSPF
    5.9.5 Example of configuring OSPF virtual links
    5.9.6 Example of configuring OSPF load balancing
    5.9.7 Example of configuring OSPF GR


Figures

Figure 5-1 OSPF area partition
Figure 5-2 OSPF router types
Figure 5-3 Virtual link schematic diagram 1
Figure 5-4 Virtual link schematic diagram 2
Figure 5-5 NSSA
Figure 5-6 Route aggregation
Figure 5-7 DR and BDR schematic diagram
Figure 5-8 OSPF packet format
Figure 5-9 OSPF packet header format
Figure 5-10 Hello packet format
Figure 5-11 DD packet format
Figure 5-12 LSR packet format
Figure 5-13 LSU packet format
Figure 5-14 LSAck packet format
Figure 5-15 LSA header format
Figure 5-16 Router LSA format
Figure 5-17 Network LSA format
Figure 5-18 Summary LSA format
Figure 5-19 AS-External LSA format
Figure 5-20 NSSA External LSA format
Figure 5-21 OSPF basic configuration
Figure 5-22 OSPF stub area configuration
Figure 5-23 OSPF NSSA configuration
Figure 5-24 DR election of OSPF configuration
Figure 5-25 OSPF virtual link configuration
Figure 5-26 OSPF load balancing configuration


Figure 5-27 OSPF GR configuration


5 OSPF configuration

About this chapter

The following table shows the contents of this chapter.

| Section | Description |
|---|---|
| 5.1 Overview | This section describes the principles and concepts of Open Shortest Path First (OSPF). |
| 5.2 Configuring basic OSPF functions | This section describes how to configure basic OSPF functions. For a configuration example, see Example of configuring basic OSPF functions. |
| 5.3 Configuring OSPF area features | This section describes how to configure OSPF area features. For configuration examples, see Example of configuring OSPF stub areas, Example of configuring an OSPF NSSA, and Example of configuring OSPF virtual links. |
| 5.4 Configuring OSPF network types | This section describes how to configure the OSPF network type. For a configuration example, see Example of configuring DR election of OSPF. |
| 5.5 Controlling OSPF routing information | This section describes how to control OSPF routing information. |
| 5.6 Adjusting and optimizing OSPF networks | This section describes how to adjust and optimize an OSPF network. |
| 5.7 Configuring OSPF Graceful Restart | This section describes how to configure OSPF Graceful Restart (GR). For a configuration example, see Example of configuring OSPF GR. |
| 5.8 Maintaining OSPF | This section describes how to maintain OSPF. |
| 5.9 Configuration examples | This section provides configuration examples of OSPF. |


5.1 Overview

This section covers the topics that you must understand before you configure OSPF:

- Introduction
- OSPF concepts
- OSPF areas and route aggregation
- OSPF network types
- OSPF packet format
- Supported OSPF features
- References

5.1.1 Introduction

OSPF is a dynamic routing protocol that operates within an Autonomous System (AS). The Internet Engineering Task Force (IETF) defines OSPF as an interior gateway protocol (IGP) that the router implements based on the link state. IPv4 uses OSPF version 2 (defined in RFC 2328).

NOTE

In this document the term OSPF refers to OSPFv2.

The following list identifies OSPF features:

- Wide applications: OSPF applies to networks of various sizes, even to networks that use hundreds of routers.
- Fast convergence: After the network topology changes, update packets are transmitted to synchronize the link-state databases (LSDB) of all the routers within the AS.
- Loop-free: OSPF calculates routes with the shortest path tree algorithm according to the collected link states. Calculating from the collected link states ensures that the algorithm generates loop-free routes.
- Area partition: An AS is divided into areas to simplify the AS management. The aggregated routing information transmitted within the AS uses less bandwidth than routes in a full-meshed network.
- Equal-cost route: OSPF can use multiple equal-cost routes to the same destination.
- Routing hierarchy: Four types of routing exist. The types of routing, in decreasing order of priority, are: intra-area, inter-area, type 1 external, and type 2 external.
- Authentication: Packets are authenticated at the area level and at the interface level to guarantee the security of the exchange.
- Multicast: Multicast packets are transmitted only on certain types of links.


5.1.2 OSPF concepts

OSPF route calculation

OSPF calculates routes in the following ways:

- Each OSPF router originates a Link State Advertisement (LSA) based on the surrounding network topology. Then the router transmits the update packets that contain the LSA to other routers.
- Each OSPF router collects the LSAs from other routers and all these LSAs compose the link state database (LSDB). An LSA describes the network topology around a router, while an LSDB describes the network topology of the AS.
- OSPF routers transform the LSDB into a weighted directed map. The weighted directed map reflects the topology of the entire network. All routers use the same map.
- Each router uses the Shortest Path First (SPF) algorithm on the directed map to calculate the shortest path tree, itself being the root. The tree shows the routes to each node in the AS.

Router ID

To run the OSPF protocol, a router must use a router ID. The router ID, a 32-bit unsigned integer, uniquely identifies a router in an AS. Configure the router ID manually. If you do not specify a router ID, the system uses an interface IP address as the router ID: it uses the largest IP address among the loopback interface addresses or, if you did not configure a loopback interface, the largest IP address among the physical interfaces.

OSPF packets

OSPF uses the following five types of packets:

- hello packet—sent periodically to the peer to establish and maintain the OSPF relationships
- database description (DD) packet—contains the summary of the local LSDB and synchronizes the LSDBs of two routers
- link state request (LSR) packet—requests the LSAs from the peers. OSPF sends the LSR packets only after it successfully exchanges the DD packets with the peer.
- link state update (LSU) packet—transmits the LSAs to the peers
- link state acknowledgment (LSAck) packet—acknowledges the received LSAs

LSA types

OSPF encapsulates the description of its routes in LSAs and advertises the LSAs. The following list describes the common types of LSAs:

- Router LSA (Type 1): This type describes the link state and cost of the router. Each router originates this LSA and floods it throughout a single area.
- Network LSA (Type 2): This type describes the link state of the local network segment. The designated router (DR) originates this LSA and floods it throughout a single area.
- Network Summary LSA (Type 3): This type describes the routes of a certain network segment. The area border router (ABR) originates this LSA and floods it to other areas.
- ASBR Summary LSA (Type 4): This type describes the routes to the AS boundary router (ASBR). The ABR originates this LSA and floods it to related areas.
- AS External LSA (Type 5): This type describes the AS external routes. The ASBR originates this LSA and floods it to all areas except stub areas and not-so-stubby areas (NSSA).
- NSSA LSA (Type 7): This type describes the AS external routes. The ASBR originates this LSA and transmits it in an NSSA.

Neighbor and adjacency

In OSPF, the concepts of neighbor and adjacency are different. After an OSPF router starts, it sends hello packets through the OSPF interfaces. An OSPF router that receives these packets checks certain parameters in them. If the parameters of both routers match, they establish the neighbor relationship with each other. The neighbor relationship is not equal to the adjacency. Whether an adjacency is established depends on the network type. You can establish adjacency only when two routers can exchange the DD packets and LSAs.

5.1.3 OSPF areas and route aggregation

Area partition

The number of routers increases as the network grows. The large number of routers leads to a large LSDB on each router. As a result, the load of each router is very heavy. OSPF addresses this problem by dividing an AS into areas. Logically, an area is a group of routers. Each group is identified by an area ID. The border of an area is a router, rather than a link. A network segment (or a link) belongs to only one area. That is, the area to which each OSPF interface belongs must be specified, as shown in Figure 5-1.

Figure 5-1 OSPF area partition
(Diagram labels: Area0, Area1, Area2, Area3, Area4)

After area partition, you can enable route aggregation on border routers to reduce the LSAs the routers advertise to other areas. Route aggregation also minimizes the influence of topology changes.

Router types

Depending on their location in the AS, OSPF classifies routers into the following four categories:

- Internal router: All interfaces of the router belong to the same OSPF area.
- Area border router: The router can belong to two or more areas at the same time but one of the areas must be a backbone area. An ABR connects the backbone area to the nonbackbone areas. An ABR physically or logically connects to the backbone area.
- Backbone router: On the router, one or more interfaces belong to the backbone area. All ABRs and the routers inside Area0 are backbone routers.
- AS boundary router: This router exchanges routing information with other ASs. An ASBR is not necessarily on the AS border. The ASBR can be an internal router or an ABR. After an OSPF router imports external routing information, it becomes an ASBR.

The following figure illustrates the types of OSPF routers.

Figure 5-2 OSPF router types
(Diagram labels: IS-IS, ASBR, Backbone Router, Internal Router, ABR, Area0, Area1, Area2, Area3, Area4)

Backbone area and virtual link

After area partition, not all areas play the same role in advertising routes in an AS. The area that uses the area ID 0 is the backbone area. The backbone area provides routing between areas. Routing information between nonbackbone areas must be forwarded through the backbone area. OSPF defines the following two rules for the backbone area:

- Connectivity must exist between each nonbackbone area and the backbone area.
- Connectivity must exist over the backbone area.

Because of the network topology, you cannot always ensure this physical connectivity. You can configure an OSPF virtual link to solve this problem. A virtual link is a logical channel between two ABRs through a nonbackbone area. You must configure the virtual link on both ends of the link. The nonbackbone area that provides an internal route between both ends of the virtual link is the transit area. As shown in Figure 5-3, Area 2 does not connect directly with the backbone area. A virtual link on the ABRs provides connectivity between Area 2 and the backbone area.

Figure 5-3 Virtual link schematic diagram 1
(Diagram labels: Virtual Link, Area0, ABR, Area1, ABR, Area2, Transit Area)

The virtual link also serves as a backup link. If link failure occurs on the backbone area, the virtual link provides the logical connectivity for the backbone area, as shown in the following figure.

Figure 5-4 Virtual link schematic diagram 2
(Diagram labels: Area1, Transit Area, Virtual Link, ABR, ABR, Area0)

The virtual link is similar to a point-to-point connection between two ABRs. As with physical interfaces, you can configure the interfaces on the virtual link with parameters such as the hello interval. Routers between the two ABRs only forward OSPF packets from one ABR to the other; they do not process the packets. The intermediate routers detect that they are not the destination and forward the packets as common IP packets.

Stub area

A stub area is a special area where the ABRs do not flood external LSAs. Because ABRs do not flood external LSAs, this configuration reduces the size of the routing tables and the routing traffic in the area. Stub area configuration is optional. You cannot configure all areas as stub areas. A stub area is a nonbackbone area, on the AS boundary, with only one ABR. To ensure the reachability of a destination external to the AS, the ABR in the stub area originates a default route and advertises it to the non-ABR routers in the area. When you configure a stub area, understand the following points:

- You cannot configure the backbone area as the stub area.
- If you must configure an area as a stub area, configure all the routers in this area by using the stub command.
- An ASBR cannot exist in a stub area. External LSAs do not flood in the stub area.
- A virtual link cannot pass through the stub area.

NSSA

RFC 1587 specifies a new area, the NSSA, and a new LSA, the NSSA LSA or Type 7 LSA. Because the NSSA is derived from the stub area, the NSSA resembles the stub area in many ways. An NSSA does not import the AS-External-LSA (Type 5). The ASBR in the NSSA generates the Type 7 LSA and floods the LSA only within the NSSA. When a Type 7 LSA reaches the ABR of the NSSA, the ABR transforms the Type 7 LSA into an AS-External-LSA and floods it to the other areas.


As shown in Figure 5-5, the AS that runs OSPF includes three areas: Area 1, Area 2, and Area 0. The other two ASs run the Routing Information Protocol (RIP). Area 1 is an NSSA. Area 1 transmits the received RIP routes to the NSSA ASBR, and then the NSSA ASBR originates Type 7 LSAs and floods them within Area 1. When Type 7 LSAs reach the NSSA ABR, the ABR transforms them into Type 5 LSAs, and then floods them to Area 0 and Area 2. The ASBR in Area 2 uses Type 5 LSAs to transmit the RIP routes from the RIP AS to the OSPF AS. Type 5 LSAs do not reach Area 1 because Area 1 is an NSSA.

Similar to the stub area, you cannot configure an NSSA with virtual links.

Figure 5-5 NSSA
(Diagram labels: RIP, RIP, Type5, Type7, NSSA Area, ASBR, Area2, ABR, Area0, ABR, Area1, ASBR)

Route aggregation

An ABR can aggregate the routes with the same prefix and only advertise one aggregated route to other areas. This method is route aggregation. After area partition, route aggregation reduces the routing traffic between areas. Route aggregation reduces the size of the routing table and the routers calculate routes at a faster speed.

For example, as shown in Figure 5-6, three intra-area routes exist in Area 19: 19.1.1.0/24, 19.1.2.0/24, and 19.1.3.0/24. After you enable route aggregation on Router A, it aggregates the three routes into one, 19.1.0.0/16. Router A originates only one LSA that contains the aggregated route and advertises it to other routers in Area 0.

Figure 5-6 Route aggregation
(Diagram labels: RouterC, Area0, RouterA, RouterB, ABR, ABR, Area19; routes 19.1.1.0/24, 19.1.2.0/24, 19.1.3.0/24 and the aggregate 19.1.0.0/16)

OSPF uses the following two types of aggregation:

- ABR aggregation: When an ABR transmits routing information to other areas, it originates Type 3 LSAs for each network segment. If continuous segments exist in this area, you can aggregate these segments into a single segment by using the abr-summary command. The ABR only sends an aggregated LSA. LSAs that belong to the aggregation network segment that the command specifies are not transmitted separately. This action reduces the LSDB scale in other areas.
  After the area adds the aggregated segment of a network, all internal routes with an IP address in the range of the aggregated segment are not broadcast separately to other areas. Only the routing information of the entire aggregated network segment is broadcast.
- ASBR aggregation: After you enable route aggregation, if the local router is an ASBR, it aggregates the Type 5 LSAs imported from the aggregate address range. After you configure the NSSA, the ASBR aggregates the Type 7 LSAs imported from the aggregate address range. If the local router is an ABR, it aggregates Type 5 LSAs that are transformed from Type 7 LSAs.
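The Figure 5-6 case worked through in code, as an added example that is not part of the Nortel guide: it shows which Type 3 advertisements leave the area for a configured range, and how much of the 19.1.0.0/16 aggregate has no intra-area route behind it (address space that other areas will still forward toward the ABR). The function names and the extra prefixes 10.2.0.0/24 and 19.9.0.0/16 are constructed; advertising a range only when it contains at least one route follows RFC 2328 and is assumed to apply to this router.

```python
import ipaddress

# Intra-area routes of Area 19 from Figure 5-6.
AREA19 = ["19.1.1.0/24", "19.1.2.0/24", "19.1.3.0/24"]


def type3_advertisements(intra_area, ranges):
    """Prefixes the ABR advertises to other areas for the given summary ranges."""
    routes = [ipaddress.ip_network(r) for r in intra_area]
    ranges = [ipaddress.ip_network(r) for r in ranges]
    # A range replaces every route inside it, but only if it contains a route.
    adverts = [rng for rng in ranges if any(r.subnet_of(rng) for r in routes)]
    # Routes outside every range are still advertised one by one.
    adverts += [r for r in routes if not any(r.subnet_of(rng) for rng in ranges)]
    return [str(n) for n in sorted(adverts)]


def unbacked_addresses(intra_area, summary):
    """Addresses inside the aggregate that no intra-area route covers."""
    rng = ipaddress.ip_network(summary)
    inside = [n for n in map(ipaddress.ip_network, intra_area) if n.subnet_of(rng)]
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(inside))
    return rng.num_addresses - covered


def tightest_range(intra_area):
    """Smallest single prefix that contains all the given routes."""
    routes = [ipaddress.ip_network(r) for r in intra_area]
    net = routes[0]
    while not all(r.subnet_of(net) for r in routes):
        net = net.supernet()
    return str(net)


if __name__ == "__main__":
    print(type3_advertisements(AREA19 + ["10.2.0.0/24"], ["19.1.0.0/16"]))
    print("unbacked in 19.1.0.0/16:", unbacked_addresses(AREA19, "19.1.0.0/16"))
    tight = tightest_range(AREA19)
    print("tightest range:", tight, "unbacked:", unbacked_addresses(AREA19, tight))
```

Comparing the unbacked count of the configured range with that of the tightest range is a quick review check before a range is committed on an ABR.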

Route types

The following list identifies the four types of OSPF routes, in descending order of precedence:

- Intra-area route
- Inter-area route
- Type 1 external route
- Type 2 external route

By default, the protocol precedence of the first two types is 10, and that of the last two types is 150. The first two types of routes describe the network structure of the AS. External routes describe how to select a route to the destination external to the AS. OSPF classifies the imported AS external routes into Type 1 and Type 2.

Type 1 external routes are the received IGP routes such as RIP routes and static routes. Because of their high reliability, the calculated cost of these external routes is comparable with the cost of the routes internal to the AS. The cost of a Type 1 external route equals the cost for the router to reach the corresponding ASBR plus the cost for the ASBR to reach the destination.

Type 2 external routes are the received EGP routes. Because of their relatively low reliability, the Type 2 cost is much greater than the cost of an internal path to the AS. The cost of a Type 2 external route equals the cost for the ASBR to reach the destination.

Both Type 1 and Type 2 external metrics can be present in the AS at the same time. In this case, Type 1 external metrics always take precedence.

5.1.4 OSPF network types

Four network types

OSPF divides networks into four types according to the link-layer protocol:

- Broadcast: If the link-layer protocol is Ethernet or Fiber Distributed Data Interface (FDDI), OSPF uses the broadcast network type. In this type of network, hello, LSU, and LSAck packets are transmitted in multicast mode (224.0.0.5: the reserved IP broadcast address of the OSPF router; 224.0.0.6: the reserved IP multicast address of the OSPF DR), and DD and LSR packets are transmitted in unicast mode.
- NonBroadcast Multiple Access (NBMA): If the link-layer protocol is Frame Relay, ATM, or X.25, OSPF uses the NBMA network type. In this type of network, the protocol packets, such as hello, DD, LSR, LSU, and LSAck, are transmitted in unicast mode.
- Point-to-Multipoint (P2MP): OSPF does not use the P2MP network type by default for any link-layer protocol. A P2MP network must be changed from another network type. A common practice is to change a non-fully connected NBMA network into a P2MP network. In this type of network, the protocol packets, such as hello, DD, LSR, LSU, and LSAck, are transmitted in multicast mode.
- Point-to-point (P2P): If the link-layer protocol is the Point-to-Point Protocol (PPP), High-level Data Link Control (HDLC), or Link Access Procedure, Balanced (LAPB), OSPF uses the P2P network type. In this type of network, the protocol packets, such as hello, DD, LSR, LSU, and LSAck, are transmitted in multicast mode (224.0.0.5).

Configuration principles for NBMA networks

ATM and Frame Relay networks are typical NBMA networks. NBMA networks require special configuration. The exchange of hello packets cannot detect neighboring routers. You must configure the IP address and the election right of the neighboring router on the interface.

The NBMA network must be fully connected; any two routers in the network must be directly reachable. Otherwise, configure the network type on the interface as P2MP. If the router uses only one peer on the NBMA network, change the interface type to P2P.

The following list identifies the differences between NBMA and P2MP networks:

- An NBMA network is a network where routers are fully connected, while a P2MP network does not require complete connection.
- An NBMA network needs to elect a DR and backup DR (BDR), while a P2MP network does not use a DR or BDR.
- NBMA is a default network type. You must change another network type to obtain a P2MP network.
- NBMA transmits packets in unicast mode and you must configure neighboring routers manually, while P2MP transmits packets by multicast.

DR and BDR

In broadcast and NBMA networks, routing information is transmitted between any two routers. If n routers exist in the network, you must establish a number of adjacencies according to the following formula:

n × (n - 1) / 2

In this case, the route changes cause unnecessary transmissions. The transmissions waste bandwidth resources. A DR solves this problem. All the routers send information only to the DR, which then broadcasts the network link states to the network.

If the DR fails, routers must reelect a DR, and then synchronize with it. The reelection and synchronization take a long time during which the route calculation is incorrect. To speed the process, OSPF introduces the concept of a BDR. The BDR is a backup for the DR. Routers elect the DR and BDR at the same time. The BDR establishes the adjacencies with all the routers within the network segment and exchanges routing information with them. Once the DR fails, the BDR replaces the DR immediately. BDR election can take a relatively long time but it does not influence the route calculation.

Routers, other than the DR or BDR, do not establish adjacencies between them nor do they exchange routing information. This mechanism reduces the number of adjacencies between routers in a broadcast or NBMA network.

As shown in Figure 5-7, the continuous line represents an Ethernet physical connection and the dashed line represents the adjacency. After DR and BDR election, only seven adjacencies exist between the five routers.

Figure 5-7 DR and BDR schematic diagram
(Diagram labels: DR, BDR, DR Other, DR Other, DR Other)

Election process

You cannot designate a DR manually. All the routers in the network segment elect the DR. The DR priority of an interface determines whether the interface is qualified to become a DR or BDR. A router that uses a priority greater than zero can become the DR or BDR.

Hello packets are the votes. Each router indicates the elected DR in the packet and sends the packet to all the other routers on the segment. Among all the routers that the packets define as DRs, the router with the highest priority becomes the DR. If two routers use the same priority, the one with the larger router ID becomes the DR. A router with a zero priority cannot become a DR or BDR.

You must understand the following conditions about router election:

- You only need to elect a DR when the interface type is broadcast or NBMA. You do not need to elect a DR for a P2MP or a P2P interface.
- A router acts as a DR on a certain network segment in the context of a router interface. A router can be a DR on one interface and a BDR or DR on another interface.
- If you add a new router after the election process, the new router cannot become the DR even if it uses the highest priority.
- The DR on the network is not necessarily the router with the highest priority. Likewise, the BDR is not necessarily the router with the second highest priority.

5.1.5 OSPF packet format

OSPF encapsulates its protocol packets into IP packets with the protocol number 89. Figure 5-8 shows an LSU packet.

Figure 5-8 OSPF packet format

IP Header | OSPF Packet Header | Number of LSAs | LSA Header | LSA Data

OSPF packet header

OSPF uses five types of packets, which all use the same packet header, as shown in the following figure.

Figure 5-9 OSPF packet header format

Bit offsets: 0, 7, 15, 31
Version | Type | Packet length
Router ID
Area ID
Checksum | AuType
Authentication

The following list explains the main fields in the packet header:

- Version—This field indicates the OSPF version number. For OSPFv2, it is 2.
- Type—This field indicates the OSPF packet type. The type ranges from 1 to 5, and indicates hello packet, DD packet, LSR packet, LSU packet, and LSAck packet respectively.
- Packet length—This field indicates the length of the OSPF packet, including the packet header, in bytes.
- AuType—This field indicates the authentication type. The type can be 0, 1, or 2, corresponding to no authentication, simple authentication, and MD5 authentication respectively.
- Authentication—The value of this field depends on the AuType field. When the AuType field is 0, this field is blank. When the AuType field is 1, this field provides the password information. When the AuType field is 2, this field contains the key ID, MD5 authentication data length, and the sequence number.

NOTE

The Authentication field does not include the MD5 authentication data. The router appends the MD5 authentication data to the end of the OSPF packet.
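An auditing sketch for the header and authentication fields described above, added here as an example and not taken from the Nortel guide: it decodes the 24-byte header, checks the checksum, and reports which of the three AuType modes a packet uses. The packets, the key and all function names are constructed; the checksum coverage, the digest computation and the sequence-number check follow RFC 2328 rather than this page, and zero-padding of short keys is an assumption.

```python
import hashlib
import hmac
import struct

# 24-byte OSPFv2 header: Version, Type, Packet length, Router ID, Area ID,
# Checksum, AuType, Authentication (8 bytes).
HEADER = struct.Struct("!BBH4s4sHH8s")
PACKET_TYPES = {1: "hello", 2: "DD", 3: "LSR", 4: "LSU", 5: "LSAck"}


def inet_checksum(data: bytes) -> int:
    """Standard 16-bit one's-complement IP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pad_key(key: bytes) -> bytes:
    """Assumption: a key shorter than 16 bytes is padded with zero bytes."""
    return key.ljust(16, b"\x00")


def parse_header(packet: bytes) -> dict:
    """Decode and sanity-check the common header."""
    if len(packet) < HEADER.size:
        raise ValueError("shorter than the 24-byte OSPF header")
    version, ptype, length, rid, area, cksum, autype, auth = HEADER.unpack_from(packet)
    if version != 2 or ptype not in PACKET_TYPES:
        raise ValueError("not an OSPFv2 packet of type 1 to 5")
    if not HEADER.size <= length <= len(packet):
        raise ValueError("Packet length field disagrees with the data")
    return {"type": PACKET_TYPES[ptype], "length": length,
            "router_id": ".".join(map(str, rid)), "area_id": ".".join(map(str, area)),
            "checksum": cksum, "autype": autype, "auth": auth}


def audit(packet: bytes, md5_key: bytes = b"", last_seq: int = -1) -> list:
    """Findings on one packet's integrity and authentication."""
    h = parse_header(packet)
    end, findings = h["length"], []
    if h["autype"] in (0, 1):
        # The checksum skips the 8-byte Authentication field (RFC 2328, A.3.1).
        if inet_checksum(packet[:16] + packet[24:end]) != 0:
            findings.append("checksum mismatch")
    if h["autype"] == 0:
        findings.append("AuType 0: no authentication on this packet")
    elif h["autype"] == 1:
        findings.append("AuType 1: password is readable in the Authentication field")
    elif h["autype"] == 2:
        # Authentication field: 2 zero bytes, key ID, digest length, sequence number.
        _, key_id, digest_len, seq = struct.unpack("!HBBI", h["auth"])
        digest = packet[end:end + digest_len]  # appended, not counted in Packet length
        if digest_len != 16 or len(digest) != 16:
            findings.append("AuType 2: MD5 digest missing after the packet")
        elif md5_key and not hmac.compare_digest(
                digest, hashlib.md5(packet[:end] + pad_key(md5_key)).digest()):
            findings.append(f"AuType 2: digest does not verify for key ID {key_id}")
        if seq < last_seq:
            findings.append("AuType 2: sequence number went backwards")
    else:
        findings.append(f"unknown AuType {h['autype']}")
    return findings


def build(ptype, rid, area, autype, auth=bytes(8), body=b"", md5_key=b""):
    """Construct a sample packet (test data, not captured traffic)."""
    pkt = bytearray(HEADER.pack(2, ptype, HEADER.size + len(body),
                                rid, area, 0, autype, auth) + body)
    if autype == 2:
        pkt += hashlib.md5(bytes(pkt) + pad_key(md5_key)).digest()
    else:
        struct.pack_into("!H", pkt, 12, inet_checksum(bytes(pkt[:16] + pkt[24:])))
    return bytes(pkt)


# Constructed samples: one hello body sent under each authentication type.
KEY = b"constructed-key"
HELLO_BODY = struct.pack("!IHBBI4s4s", 0xFFFFFF00, 10, 0x02, 1, 40, bytes(4), bytes(4))
RID, AREA0 = bytes([1, 1, 1, 1]), bytes(4)
SAMPLES = {
    "none": build(1, RID, AREA0, 0, body=HELLO_BODY),
    "simple": build(1, RID, AREA0, 1, auth=b"example\x00", body=HELLO_BODY),
    "md5": build(1, RID, AREA0, 2, auth=struct.pack("!HBBI", 0, 1, 16, 1000),
                 body=HELLO_BODY, md5_key=KEY),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, parse_header(pkt)["router_id"], audit(pkt, md5_key=KEY))
```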

Hello packet

The hello packet is a common packet. Routers periodically send hello packets to the neighbors. The packet contains information on the timers, DR, BDR, and the known neighbors. The following figure shows the hello packet format.

Figure 5-10 Hello packet format

Bit offsets: 0, 7, 15, 31
Version | Type=1 | Packet length
Router ID
Area ID
Checksum | AuType
Authentication
Network Mask
HelloInterval | Options | Rtr Pri
RouterDeadInterval
Designated Router
Backup Designated Router
Neighbor
...

The following list explains the main fields in the hello packet:

- Network Mask—This field indicates the mask of the interface that sends hello packets.
- HelloInterval—This field indicates the interval to send hello packets. If the intervals of two adjacent routers are different, the neighbor relationship is not established.
- Rtr Pri—This field indicates the DR priority. If the value is 0, this router cannot become a DR or BDR.
- RouterDeadInterval—This field indicates a dead interval during which the router waits for the hello packet from the neighboring router. If the router does not receive a hello packet within the dead interval, the router considers the neighbor dead. If you configure two adjacent routers with different dead intervals, they cannot establish the neighbor relationship with each other.
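A check of received hello parameters against the local interface, added as an example and not taken from the Nortel guide: it decodes the hello body (the bytes after the 24-byte header) and lists every reason the neighbor relationship would not form. The class and function names and the sample hellos are constructed; the mask comparison on multi-access networks and the Init and 2-Way state names come from RFC 2328, not from this page.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Network Mask, HelloInterval, Options, Rtr Pri, RouterDeadInterval, DR, BDR.
HELLO = struct.Struct("!4sHBBI4s4s")


def _ip(raw: bytes) -> str:
    return str(ipaddress.IPv4Address(raw))


@dataclass
class Hello:
    network_mask: str
    hello_interval: int
    options: int
    rtr_pri: int
    dead_interval: int
    dr: str
    bdr: str
    neighbors: list  # router IDs the sender has heard from


@dataclass
class LocalInterface:
    router_id: str
    network_mask: str
    hello_interval: int
    dead_interval: int
    multi_access: bool = True  # broadcast or NBMA


def parse_hello(body: bytes) -> Hello:
    """Decode the hello body that follows the common OSPF header."""
    if len(body) < HELLO.size or (len(body) - HELLO.size) % 4:
        raise ValueError("hello body is truncated")
    mask, hello, opts, pri, dead, dr, bdr = HELLO.unpack_from(body)
    neighbors = [_ip(body[i:i + 4]) for i in range(HELLO.size, len(body), 4)]
    return Hello(_ip(mask), hello, opts, pri, dead, _ip(dr), _ip(bdr), neighbors)


def mismatches(local: LocalInterface, hello: Hello) -> list:
    """Reasons the received hello would be rejected on this interface."""
    problems = []
    if hello.hello_interval != local.hello_interval:
        problems.append(f"HelloInterval {hello.hello_interval} != local {local.hello_interval}")
    if hello.dead_interval != local.dead_interval:
        problems.append(f"RouterDeadInterval {hello.dead_interval} != local {local.dead_interval}")
    # RFC 2328 section 10.5 also compares the mask, except on P2P and virtual links.
    if local.multi_access and hello.network_mask != local.network_mask:
        problems.append(f"Network Mask {hello.network_mask} != local {local.network_mask}")
    return problems


def neighbor_state(local: LocalInterface, hello: Hello) -> str:
    """Down if rejected, 2-Way once the sender lists our router ID, else Init."""
    if mismatches(local, hello):
        return "Down"
    return "2-Way" if local.router_id in hello.neighbors else "Init"


def dr_eligible(hello: Hello) -> bool:
    """A sender with Rtr Pri 0 cannot become DR or BDR."""
    return hello.rtr_pri > 0


def pack_hello(mask, hello, pri, dead, neighbors=()):
    """Construct a sample hello body (test data, not captured traffic)."""
    p = lambda a: ipaddress.IPv4Address(a).packed
    fixed = HELLO.pack(p(mask), hello, 0x02, pri, dead, p("0.0.0.0"), p("0.0.0.0"))
    return fixed + b"".join(p(n) for n in neighbors)


LOCAL = LocalInterface("1.1.1.1", "255.255.255.0", 10, 40)
GOOD = pack_hello("255.255.255.0", 10, 1, 40, neighbors=["1.1.1.1"])
FIRST = pack_hello("255.255.255.0", 10, 1, 40)
SLOW = pack_hello("255.255.255.0", 30, 0, 120)

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("FIRST", FIRST), ("SLOW", SLOW)):
        h = parse_hello(body)
        print(name, neighbor_state(LOCAL, h), mismatches(LOCAL, h), dr_eligible(h))
```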

DD packet

In the LSDB synchronization, two routers use database description (DD) packets to describe their own LSDBs. These packets contain the header of an LSA, which uniquely identifies the LSA. This process reduces the traffic transmitted between the routers, because the header of an LSA is a small portion of the overall LSA. The peer uses the LSA header to judge whether it already has the LSA. The following figure shows the DD packet format.

Figure 5-11 DD packet format

Bit offsets: 0, 7, 15, 31
Version | Type=2 | Packet length
Router ID
Area ID
Checksum | AuType
Authentication
Interface MTU | Options | 0 0 0 0 0 | I | M | MS
DD Sequence Number
LSA Headers
...

The following list explains the main fields in the DD packet:

- Interface MTU—This field indicates the maximum length of an IP packet that can be transmitted from this interface without fragmentation.
- I (Initial)—If DD packets are transmitted continuously, this field is set to 1 in the first DD packet; otherwise, this field is 0.
- M (More)—If DD packets are transmitted continuously, this field is set to 0 in the last DD packet; otherwise, this field is 1, which indicates there are other DD packets to follow.
- MS (Master/Slave)—When two OSPF routers exchange DD packets, they must confirm the master and slave relationship. The router with the greater router ID is the master. When this field is 1, it indicates the sender is the master.
- DD Sequence Number—The master sets this field. This field increases by 1 when a DD packet is transmitted. The slave confirms the sequence number of the master. The master and slave use the sequence number to ensure the reliability and completeness of the transmitted DD packets.

LSR packet

After it exchanges DD packets with the peer, a router knows which LSAs its LSDB lacks. The router sends the LSR packets to the peer to request the LSAs it requires. The LSR packet contains the summary of the requested LSA. The following figure shows the LSR packet format.

Figure 5-12 LSR packet format

Bit offsets: 0, 7, 15, 31
Version | Type=3 | Packet length
Router ID
Area ID
Checksum | AuType
Authentication
LS type
Link State ID
Advertising Router
...

The following list explains the main fields in the LSR packet:

- LS type—This field indicates the LSA type. For example, Type1 indicates Router LSA.
- Link State ID—This field indicates the field of the LSA header. It depends on the LS type field.
- Advertising Router—This field indicates the router ID of the router that originates this LSA.

LSU packet The LSU packet transmits the required LSAs to the peer router. The packet contains a collection of multiple LSAs (complete contents). The following figure shows the LSU packet format.

Figure 5-13 LSU packet format

0 7 15 31 Version Type=4 Packet length Router ID Area ID Checksum AuType

Authentication

Number of LSAs LSAs...


LSAck packet

The LSAck packet acknowledges the received LSU packets. The packet contains the headers of LSAs to acknowledge. An LSAck packet can acknowledge multiple LSAs. The following figure shows the LSAck packet format.

Figure 5-14 LSAck packet format

[Figure: bit positions 0, 7, 15, 31. OSPF packet header: Version, Type=5, Packet length, Router ID, Area ID, Checksum, AuType, Authentication. Body: LSA Headers...]

LSA header format

All LSAs use the same packet header, as shown in the following figure.

Figure 5-15 LSA header format

[Figure: LSA header fields: LS age, Options, LS type, Link State ID, Advertising Router, LS sequence number, LS checksum, length.]

The following list explains the main fields in the LSA header:

- LS age—This field indicates the time, in seconds, for which an LSA is valid after it originates. Even if the LSA transmits on the links or saves in the LSDB, the age increases continuously.
- LS type—This field indicates the type of LSA.
- Link State ID—The type of LSA determines this field.
- LS sequence number—This field indicates the sequence number of the LSA. Other routers determine which LSA is the newest based on this value.
- length—This field indicates the length of the LSA, including the LSA header, in bytes.
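The following Python code is an added example, not part of the Nortel guide: it parses the 20-byte LSA header described above and works out which LSAs a router would name in an LSR after it sees the header list a neighbor sends in DD packets. All function names and the sample headers are constructed for illustration; the tie-breaks applied after the sequence number (checksum, then LS age) follow RFC 2328 rather than this page.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

LSA_HEADER_LEN = 20    # size of the common LSA header in bytes
MAX_AGE = 3600         # MaxAge in seconds (RFC 2328)
MAX_AGE_DIFF = 900     # MaxAgeDiff in seconds (RFC 2328)


@dataclass(frozen=True)
class LsaHeader:
    ls_age: int
    options: int
    ls_type: int
    link_state_id: IPv4Address
    advertising_router: IPv4Address
    ls_seq: int        # signed 32-bit value
    ls_checksum: int
    length: int        # whole LSA in bytes, header included

    @property
    def key(self):
        """The three fields an LSR entry uses to name an LSA."""
        return (self.ls_type, self.link_state_id, self.advertising_router)


def parse_lsa_header(buf):
    """Decode one LSA header and reject truncated or inconsistent input."""
    if len(buf) < LSA_HEADER_LEN:
        raise ValueError("truncated LSA header")
    age, opts, typ, lsid, adv, seq, cksum, length = struct.unpack(
        "!HBB4s4siHH", buf[:LSA_HEADER_LEN])
    if length < LSA_HEADER_LEN:
        raise ValueError("length field is smaller than the header itself")
    return LsaHeader(age, opts, typ, IPv4Address(lsid), IPv4Address(adv),
                     seq, cksum, length)


def parse_header_list(data):
    """Split the LSA-header list of a DD or LSAck packet into headers."""
    if len(data) % LSA_HEADER_LEN:
        raise ValueError("header list is not a multiple of 20 bytes")
    return [parse_lsa_header(data[i:i + LSA_HEADER_LEN])
            for i in range(0, len(data), LSA_HEADER_LEN)]


def compare_instances(a, b):
    """Return 1 if a is newer than b, -1 if it is older, 0 if equal."""
    if a.ls_seq != b.ls_seq:                 # signed comparison
        return 1 if a.ls_seq > b.ls_seq else -1
    if a.ls_checksum != b.ls_checksum:
        return 1 if a.ls_checksum > b.ls_checksum else -1
    if (a.ls_age == MAX_AGE) != (b.ls_age == MAX_AGE):
        return 1 if a.ls_age == MAX_AGE else -1
    if abs(a.ls_age - b.ls_age) > MAX_AGE_DIFF:
        return 1 if a.ls_age < b.ls_age else -1
    return 0


def lsas_to_request(lsdb, neighbor_headers):
    """Keys to list in an LSR: LSAs the LSDB lacks or holds an older copy of."""
    return [h.key for h in neighbor_headers
            if h.key not in lsdb or compare_instances(h, lsdb[h.key]) > 0]


def pack_header(age, ls_type, lsid, adv, seq, cksum=0x1234, length=36):
    """Build a constructed sample header (not captured traffic)."""
    return struct.pack("!HBB4s4sIHH", age, 0x02, ls_type,
                       IPv4Address(lsid).packed, IPv4Address(adv).packed,
                       seq & 0xFFFFFFFF, cksum, length)


# Constructed sample: headers a neighbor lists in its DD packets.
SAMPLE_DD_HEADERS = b"".join([
    pack_header(10, 1, "10.1.1.1", "10.1.1.1", 0x80000006),  # newer than ours
    pack_header(20, 2, "10.1.1.2", "10.1.1.2", 0x80000001),  # not in our LSDB
    pack_header(30, 1, "10.1.1.3", "10.1.1.3", 0x80000001),  # older than ours
])
# Constructed sample: the local LSDB, keyed the same way.
SAMPLE_LSDB = {h.key: h for h in parse_header_list(b"".join([
    pack_header(40, 1, "10.1.1.1", "10.1.1.1", 0x80000005),
    pack_header(50, 1, "10.1.1.3", "10.1.1.3", 0x00000002),
]))}

if __name__ == "__main__":
    headers = parse_header_list(SAMPLE_DD_HEADERS)
    for key in lsas_to_request(SAMPLE_LSDB, headers):
        print("request:", *key)
```

The third sample header shows why the sequence number must be compared as a signed value: 0x80000001 is the lowest sequence number, so it is older than the local copy at 0x00000002 and is not requested.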

Router LSA

The following figure shows the Router LSA format.


Figure 5-16 Router LSA format

[Figure: LSA header (LS age, Options, LS type=1, Link State ID, Advertising Router, LS sequence number, LS checksum, length), followed by: 0, V, E, B, 0, # links; then for each link: Link ID, Link Data, Type, # TOS, metric, ..., TOS, 0, TOS metric; then Link ID, Link Data, ...]

The following list explains the main fields in the Router LSA:

- Link State ID—This field indicates the router ID of the router that originates this LSA.
- V (Virtual Link)—If the router that originates this LSA is one end of the virtual link, the value of this field is 1.
- E (External)—If the router that originates this LSA is an ASBR, the value of this field is 1.
- B (Border)—If the router that originates this LSA is an ABR, the value of this field is 1.
- #links—This field indicates the number of links the LSA describes, including all links and interfaces in the area where the router resides.

Network LSA

The DR originates the Network LSA in broadcast or NBMA networks. The LSA records the router IDs of all the routers on this network. The following figure shows the Network LSA format.


Figure 5-17 Network LSA format

[Figure: LSA header (LS age, Options, LS type=2, Link State ID, Advertising Router, LS sequence number, LS checksum, length), followed by: Network Mask, Attached Router, ...]

The following list explains the main fields in the Network LSA:

- Link State ID—This field indicates the interface address of the DR.
- Network Mask—This field indicates the address masks of the broadcast or NBMA network.
- Attached Router—This field indicates the router IDs of all the routers, including the DRs, that connect on the same network.

Summary LSA

The ABR originates Summary LSAs for both the Type 3 and Type 4 LSAs. The following figure shows the Summary LSA format.

Figure 5-18 Summary LSA format

[Figure: LSA header (LS age, Options, LS type=3 or 4, Link State ID, Advertising Router, LS sequence number, LS checksum, length), followed by: Network Mask, 0, metric, TOS, TOS metric, ...]

The following list explains the main fields in the Summary LSA:

- Link State ID—For Type 3 LSAs, the value of this field is the advertised network address. For Type 4 LSAs, the value of this field is the router ID of the ASBR.
- Network Mask—For Type 3 LSAs, this field indicates the network address mask. Type 4 LSAs do not require this field and the value is 0.0.0.0.


- Metric—This field indicates the route cost to the destination address.

NOTE

You can use the Type 3 LSA to advertise default routes. In this case, the Link State ID and Network Mask are 0.0.0.0.

AS-External LSA

The ASBR originates the AS-External LSA to describe the routes to destinations outside the AS. The following figure shows the AS-External LSA format.

Figure 5-19 AS-External LSA format

[Figure: LSA header (LS age, Options, LS type=5, Link State ID, Advertising Router, LS sequence number, LS checksum, length), followed by: Network Mask, E, 0, metric, Forwarding address, External Route Tag; then E, TOS, TOS metric, Forwarding address, External Route Tag, ...]

The following list explains the main fields in the AS-External LSA:

- Link State ID—This field indicates the advertised destination address of another external AS.
- Network Mask—This field indicates the mask of the destination address to advertise.
- E (External Metric)—This field indicates the type of the external metric. For Type 2 external routes, the value of this field is 1; for Type 1 external routes, the value of this field is 0.
- Metric—This field indicates the route cost.
- Forwarding Address—This field indicates the address to which packets with the advertised destination address forward.
- External Route Tag—This field indicates the tag to add to the external route. OSPF does not use this field itself; this field manages external routes.


NOTE

You can use the Type 5 LSA to advertise default routes. In this case, the Link State ID and Network Mask are 0.0.0.0.

NSSA External LSA

The ASBR originates the NSSA External LSA. This LSA can only transmit in an NSSA. The LSA uses the same format as the AS-External LSA, as shown in the following figure.

Figure 5-20 NSSA External LSA format

[Figure: LSA header (LS age, Options, LS type=7, Link State ID, Advertising Router, LS sequence number, LS checksum, length), followed by: Network Mask, E, TOS, metric, Forwarding address, External Route Tag, ...]

5.1.6 Supported OSPF features

Multiprocess

OSPF supports multiprocess. More than one OSPF process can run on the same router because processes are independent of each other. The route interaction between the different OSPF processes is similar to the interaction between the different routing protocols. An interface of a router can only belong to one OSPF process.

Authentication

OSPF supports packet authentication. The router receives only the OSPF packets that pass authentication. If the packets do not pass authentication, the neighbor relationship does not establish. The Nortel Secure Router 8000 Series supports two authentication modes:

- area authentication mode
- interface authentication mode

If both modes are available, the router uses interface authentication.


OSPF hot backup

The router in the distributed structure supports OSPF hot standby (HSB). OSPF backs up the necessary information from the active main board (AMB) to the standby main board (SMB). When the AMB fails, the SMB replaces it to ensure normal OSPF operation. OSPF supports the following two types of HSB mode:

- Back up all OSPF data—After the switchover between the AMB and SMB occurs, the normal operation of OSPF immediately restores.
- Back up only the OSPF configuration information—After the switchover between the AMB and SMB occurs, OSPF performs a graceful restart (GR), obtains the adjacency relationship from its neighbors, and synchronizes the LSDBs.

OSPF Graceful Restart

GR restarts the router gracefully. GR does not affect traffic forwarding and does not cause route flapping.

If the router does not restart OSPF in GR mode, the adjacent router removes the router from the neighbors list and notifies other routers about the removal. This action leads to the SPF recalculation. If the restart period for the protocol is too short, route flapping can occur.

To avoid unnecessary SPF calculation, when a router restarts OSPF in GR mode, the router notifies its adjacent routers that it is shut down for a few minutes and restores after a while. The adjacent router does not remove the router from the neighbors list. Other routers are not aware that the router restarts. This action avoids route flapping caused by the changes of the neighbor relationship.

In this chapter, protocol restart refers to restarting OSPF in GR mode, unless otherwise specified. When a router restarts OSPF, the GR restarter does not age the forwarded information. At the same time, the GR helper keeps the topology information or routes obtained from the GR restarter for a specific period. This action ensures that a protocol restart does not interrupt traffic forwarding.

OSPF and DS-TE

OSPF traffic engineering (TE) establishes and maintains the Label Switch Path (LSP) of the TE. When Multiprotocol Label Switching (MPLS) constructs constraint-based routed LSP (CR LSP), it needs information about the traffic attributes of all the links in the area. MPLS obtains the traffic engineering information about the links from OSPF.

OSPF supports a new type of LSA called Opaque LSA. The Opaque LSA can carry TE information. You can configure whether OSPF originates and handles Opaque LSAs.

Difference service aware TE (DS-TE) optimizes and subdivides network transmission resources, classifies the traffic, and specifies the percentage of each flow to the bandwidth of the link. The router implements traffic engineering based on each subdivided class (aggregation class with fine granularity) instead of an aggregation class (aggregation class with coarse granularity). This implementation enhances the performance and the utility of the bandwidth.

To support DS-TE in MPLS, OSPF supports Local Overbooking Multiplier Type, Length, Value (TLV) and bandwidth constraint (BC) TLV.


NOTE

For details about OSPF TE configuration, see Nortel Secure Router 8000 Series Configuration Guide - MPLS (NN46240-506).

IGP shortcut and forwarding adjacency

OSPF supports IGP shortcut and forwarding adjacency. These features allow OSPF to use an LSP as a possible outgoing interface to reach the destination. Without this feature, OSPF cannot take advantage of an LSP even if it exists. The differences between IGP shortcut and forwarding adjacency are as follows:

- If you enable forwarding adjacency alone, OSPF can reach the destination by using LSP.
- If you enable IGP shortcut alone, only the router on which you enable it can use the LSP.

NOTE

For detailed information about these features, see Nortel Secure Router 8000 Series Configuration Guide - MPLS (NN46240-506).

OSPF VPN multiinstance

OSPF supports multiinstance, which can run between the provider edge (PE) and customer edge (CE) in a virtual private network (VPN).

In a Border Gateway Protocol (BGP) MPLS VPN, many sites of one VPN can use OSPF as the internal routing protocol. The sites operate as different ASs. In this way, the OSPF routes detected in one site transmit as external routes to another site. This action causes heavy OSPF traffic and avoidable network management problems.

In the VPN implementation, you can configure a domain ID on a PE to differentiate the VPNs where different sites reside. Different sites in one VPN see each other as if they connect directly. The PE routers exchange OSPF routing information as if they directly connect through a leased line. This configuration leads to better network management and effective OSPF usage.

NOTE

For detailed information about this feature, see Nortel Secure Router 8000 Series Configuration Guide - VPN (NN46240-507).

OSPF sham links

OSPF sham links are unnumbered point-to-point links between two PE routers over an MPLS VPN backbone network.

In general, the BGP extended community attributes carry the route information over the MPLS VPN backbone between BGP peers. OSPF that runs on the PE at the other end can use this information to originate Type 3 Summary LSAs from PE to CE. These routes are inter-area routes.

If a router connects to PE routers in its own area and establishes an intra-area route (backdoor route) to a particular destination, the VPN traffic always traverses the backdoor rather than the backbone route. This occurs because the OSPF intra-area routes in the routing table use relatively higher priorities. To avoid this traffic pattern, configure an unnumbered point-to-point sham link between the PE routers. This configuration provides an intra-area path with a lower cost to the PE router.


NOTE

For information about OSPF sham links, see Nortel Secure Router 8000 Series Configuration Guide - IP routing (NN46240-507).

5.1.7 References

For more information about OSPF, see the RFCs listed in the following table.

Document number                 Description
RFC 2328                        OSPF Version 2
draft-ietf-bfd-v4v6-1hop-00     BFD for IPv4 and IPv6 (Single Hop)

5.2 Configuring basic OSPF functions

5.2.1 Establishing the configuration task

Applicable environment

Before you configure OSPF, you must enable OSPF globally and specify the interface and area ID. Even if you enable OSPF, you can run OSPF commands in the interface view. When you disable OSPF, the related commands you configure in the interface view remain unchanged.

NOTE

When you configure multiple routers in the same area, most configuration data (such as timer, filter, and aggregation) must be consistent in the entire area. Wrong configuration can make neighboring routers fail to send messages to each other and even lead to path congestion or routing loops.

Preconfiguration tasks

Before you configure OSPF, you need to complete the following tasks:

- Configure the link-layer protocol.
- Configure the network-layer addresses of the interfaces to ensure the network layer connectivity between OSPF neighbors.

Data preparation

The following table lists the data you need to configure OSPF.

No.   Data
1     Router ID
2     OSPF process ID
3     Areas to which each interface belongs


Configuration procedures

No.   Procedure
1     Enabling OSPF and entering the OSPF view
2     Configuring the network segments included by each area
3     Checking the configuration

5.2.2 Enabling OSPF and entering the OSPF view

Do as follows on each router in the area according to requirements:

Step 1 Run:
    system-view
    The system view appears.
Step 2 Run:
    ospf [ process-id ] [ router-id router-id ]
    This command enables OSPF and the OSPF view appears.
----End

To ensure the stability of OSPF, determine the division of router IDs and manually configure them when you plan the network. When you configure router IDs manually, ensure that the router IDs of any two routers in a single AS are different. A common practice is to configure the router ID to be the IP address of an interface on the router.

The Nortel Secure Router 8000 Series supports OSPF multiprocesses. When you enable multiple OSPF processes on a router, you must specify different process IDs. The OSPF process ID is a local concept, with no effect on its packet exchange with other routers. Different routers can exchange packets, even with different process IDs.

The Nortel Secure Router 8000 Series supports OSPF multiinstance and you can configure OSPF to run in VPN instance. If you specify the VPN instance, the OSPF process belongs to that instance. Otherwise, the OSPF process belongs to the global instance.

NOTE

The process ID of OSPF, including OSPF multiinstance, is unique. The process IDs of OSPF multiinstance cannot be the same as the process IDs you configure first.

5.2.3 Configuring the network segments included by each area

Do as follows on each router in the area according to requirements:

Step 1 Run:
    system-view
    The system view appears.
Step 2 Run:


    ospf [ process-id ]
    This command enables the OSPF process and the OSPF view appears.
Step 3 Run:
    area area-id
    The OSPF area view appears.
Step 4 Run:
    network ip-address wildcard-mask
    This command configures the network segments in the areas.
----End

This network segment refers to one of the IP addresses of the interface that runs the OSPF protocol. A network segment can belong to only one area. You must specify the area for each interface that runs OSPF. You can run OSPF on an interface only when you meet the following two conditions:

- The mask length of the IP address of an interface is not shorter than that in the network command.
- The master IP address of an interface must be in the range of the network segment you specify in the network command.

For a loopback interface, by default, the OSPF advertises its IP address in 32-bit host route, regardless of the mask length of the IP address on the interface. To advertise the segment route of a loopback interface, configure the network type as nonbroadcast, for example, P2P, in the interface view. For details, see Configuring OSPF network types.

5.2.4 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: View the OSPF statistics.
Command: display ospf [ process-id ] cumulative

Action: View the LSDB information of OSPF.
Command: display ospf [ process-id ] lsdb [ brief ]
Command: display ospf [ process-id ] lsdb [ router | network | summary | asbr | ase | nssa | opaque-link | opaque-area | opaque-as ] [ link-state-id ] [ originate-router [ advertising-router-id ] | self-originate ]

Action: View the information about the OSPF neighboring routers.
Command: display ospf [ process-id ] peer [ interface-type interface-number ] [ neighbor-id ]

Action: View the information about the OSPF routing table.
Command: display ospf [ process-id ] routing [ interface interface-type interface-number ] [ nexthop nexthop-address ]


Run the display ospf peer command. The OSPF neighbor establishes when the status of the OSPF neighbor is Full.

display ospf peer

OSPF Process 1 with Router ID 10.1.1.2
Neighbors

Area 0.0.0.0 interface 10.1.1.2(GigabitEthernet1/0/0)'s neighbors
Router ID: 10.1.1.1 Address: 10.1.1.1 GR State: Normal
State: Full Mode:Nbr is Slave Priority: 1
DR: 10.1.1.1 BDR: None MTU: 0
Dead timer due in 35 sec
Neighbor is up for 00:00:05
Authentication Sequence: [ 0 ]
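The two conditions in 5.2.3 that decide whether an interface runs OSPF can be checked offline before a change is committed. The following Python code is an added example, not part of the Nortel guide; it assumes contiguous wildcard masks, and the function names, interface addresses, and network statements are constructed for illustration. It is useful for reviewing which interfaces a broad network statement pulls into OSPF.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def segment(ip, wildcard):
    """Turn the arguments of 'network ip-address wildcard-mask' into a network."""
    wc = int(IPv4Address(wildcard))
    if wc & (wc + 1):
        # Assumption of this example: only contiguous wildcard masks are handled.
        raise ValueError("wildcard mask %s is not contiguous" % wildcard)
    prefix_len = 32 - wc.bit_length()
    base = int(IPv4Address(ip)) & ~wc & 0xFFFFFFFF
    return IPv4Network((base, prefix_len))


def matching_areas(primary_address, statements):
    """Areas whose network statements satisfy both conditions for the interface."""
    iface = IPv4Interface(primary_address)
    hits = []
    for area, ip, wildcard in statements:
        net = segment(ip, wildcard)
        mask_not_shorter = iface.network.prefixlen >= net.prefixlen
        address_in_range = iface.ip in net
        if mask_not_shorter and address_in_range:
            hits.append(area)
    return hits


def coverage(interfaces, statements):
    """Map each interface name to the areas that would enable OSPF on it."""
    return {name: matching_areas(addr, statements)
            for name, addr in interfaces.items()}


# Constructed sample: (area, ip-address, wildcard-mask) per network command.
SAMPLE_STATEMENTS = [
    ("0.0.0.0", "10.1.1.0", "0.0.0.255"),
    ("0.0.0.1", "10.2.2.0", "0.0.0.255"),
    ("0.0.0.1", "192.168.0.0", "0.0.255.255"),
]
# Constructed sample: master (primary) address of each interface.
SAMPLE_INTERFACES = {
    "GigabitEthernet1/0/0": "10.1.1.2/24",     # matches area 0.0.0.0
    "GigabitEthernet2/0/0": "10.2.2.1/16",     # in range, but mask is shorter
    "GigabitEthernet3/0/0": "192.168.5.1/30",  # caught by the broad statement
    "LoopBack0": "1.1.1.1/32",                 # no statement covers it
}

if __name__ == "__main__":
    for name, areas in coverage(SAMPLE_INTERFACES, SAMPLE_STATEMENTS).items():
        print(name, "->", ", ".join(areas) if areas else "OSPF not enabled")
```

An interface that appears under more than one area in the result points at overlapping network statements, which conflicts with the rule that a network segment can belong to only one area.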

5.3 Configuring OSPF area features

5.3.1 Establishing the configuration task

Applicable environment

After you partition the areas, the number of LSAs in the network decreases and OSPF scalability enhances. To reduce the size of the routing table and the number of LSAs, configure nonbackbone areas that reside at the AS border as stub areas.

Because stub areas cannot import external routes, use the NSSA. An NSSA permits Type 7 LSA transmission. In an NSSA, the ASBR originates Type 7 LSAs; when they reach the ABR, the ABR transforms them into AS-External LSAs and advertises them to other areas.

After you partition the areas, the OSPF routes between nonbackbone areas update with the help of the backbone area. OSPF stipulates that all the nonbackbone areas maintain the connectivity with the backbone area and the backbone area maintains its own connectivity. In practice, you cannot ensure the physical connectivity because of network topology restrictions. Configure OSPF virtual links to solve this problem.

The following section provides the configuration procedures for the preceding features.

Preconfiguration tasks

Before you configure OSPF area features, you need to complete the following tasks:

- Configure the network-layer addresses of the interfaces so that the network layers of the adjacent nodes are reachable.
- Complete the procedures in Configuring basic OSPF functions.

Data preparation

The following table lists the data you need to configure OSPF areas.


No.   Data
1     Type of the area
2     Interfaces included in the area
3     The default routes advertised to the area

Configuration procedures

No.   Procedure
1     Configuring OSPF stub areas
2     Configuring an OSPF NSSA
3     Configuring OSPF virtual links
4     Checking the configuration

5.3.2 Configuring OSPF stub areas

Do as follows on the related router according to requirements:

Step 1 Run:
    system-view
    The system view appears.
Step 2 Run:
    ospf [ process-id ]
    The OSPF process and the OSPF view appear.
Step 3 Run:
    area area-id
    The OSPF area view appears.
Step 4 Run:
    stub [ no-summary ]
    This command configures the current area as a stub area.
Step 5 Run:
    default-cost cost
    This command configures the cost of the default route to the stub area. Use this command on only the ABR.
----End


You must configure all the routers that connect to the stub area with the stub attributes through the stub command.

5.3.3 Configuring an OSPF NSSA

Do as follows on the related router according to requirements:

Step 1 Run:
    system-view
    The system view appears.
Step 2 Run:
    ospf [ process-id ]
    This command enables the OSPF process and the OSPF view appears.
Step 3 Run:
    area area-id
    The OSPF area view appears.
Step 4 Run:
    nssa [ default-route-advertise ] [ no-import-route ] [ no-summary ]
    This command configures an area as an NSSA. You must configure all the routers that connect to the NSSA with the NSSA attribute through the nssa command. The optional parameters take effect only when the nssa command is used on an ABR.
Step 5 Run:
    default-cost cost
    This command configures the cost of the default route to the NSSA. Use this command only on the ABR.
----End

5.3.4 Configuring OSPF virtual links

Do as follows on the ABRs which are at both ends of the virtual link:

Step 1 Run:
    system-view
    The system view appears.
Step 2 Run:
    ospf [ process-id ]
    This command enables the OSPF process and the OSPF view appears.
Step 3 Run:


    area area-id
    The OSPF area view appears.
Step 4 Run:
    vlink-peer router-id [ hello seconds ] [ retransmit seconds ] [ trans-delay seconds ] [ dead seconds ] [ [ simple [ plain | cipher ] password ] | [ { md5 | hmac-md5 } key-id [ plain | cipher ] password ] | authentication-null ]
    This command creates and configures a virtual link.
----End

Use this command at the other end of the virtual link.

5.3.5 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the LSDB information of OSPF.
Command: display ospf [ process-id ] lsdb [ brief ]
Command: display ospf [ process-id ] lsdb [ router | network | summary | asbr | ase | nssa | opaque-link | opaque-area | opaque-as ] [ link-state-id ] [ originate-router [ advertising-router-id ] | self-originate ]

Action: Check the information about the OSPF routing table.
Command: display ospf [ process-id ] routing [ interface interface-type interface-number ] [ nexthop nexthop-address ]

Action: Check the information about the OSPF virtual links.
Command: display ospf [ process-id ] vlink

Action: Check the OSPF and ASBR information.
Command: display ospf [ process-id ] abr-asbr

Action: Check the OSPF interface information.
Command: display ospf [ process-id ] interface [ all | interface-type interface-number ]

Run the display ospf vlink command. The virtual connection is correctly set up when the status of the local virtual connection is Up.

display ospf vlink

OSPF Process 1 with Router ID 1.1.1.1
Virtual Links

Virtual-link Neighbor-id -> 2.2.2.2, Neighbor-State: Down
Interface: Cost: 0 State: Down Type: Virtual
Transit Area: 0.0.0.1
Timers: Hello 10 , Dead 40 , Retransmit 5 , Transmit Delay 1
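The authentication options of the vlink-peer command in 5.3.4 differ widely in strength, so a saved configuration is worth reviewing for them. The following Python code is an added example, not part of the Nortel guide; the function names, finding labels, and sample configuration are constructed for illustration. It relies on the OSPF fact that simple authentication carries the password in clear text in every packet, and it assumes that the plain keyword leaves the password readable in the stored configuration, which this page does not state.

```python
TIMERS = ("hello", "retransmit", "trans-delay", "dead")
STORAGE = ("plain", "cipher")


def parse_vlink_peer(line):
    """Parse one vlink-peer command. The password is skipped, never kept."""
    tok = line.split()
    if len(tok) < 2 or tok[0] != "vlink-peer":
        raise ValueError("not a vlink-peer command")
    out = {"router_id": tok[1], "timers": {}, "auth": None,
           "key_id": None, "storage": None}
    i = 2
    try:
        while i < len(tok):
            word = tok[i]
            if word in TIMERS:
                out["timers"][word] = int(tok[i + 1])
                i += 2
            elif word == "authentication-null":
                out["auth"] = word
                i += 1
            elif word in ("simple", "md5", "hmac-md5"):
                out["auth"] = word
                i += 1
                if word != "simple":            # md5 and hmac-md5 take a key-id
                    out["key_id"] = int(tok[i])
                    i += 1
                if tok[i] in STORAGE:           # optional plain | cipher
                    out["storage"] = tok[i]
                    i += 1
                if i >= len(tok):
                    raise ValueError("password is missing")
                i += 1                          # step over the password
            else:
                raise ValueError("unexpected keyword: " + word)
    except IndexError:
        raise ValueError("incomplete vlink-peer command") from None
    return out


def audit_vlinks(config_text):
    """Return (area, router_id, finding) tuples for weak virtual-link settings."""
    findings, area = [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("area "):
            area = line.split()[1]
        elif line.startswith("vlink-peer "):
            v = parse_vlink_peer(line)
            rid = v["router_id"]
            if v["auth"] is None:
                findings.append((area, rid, "no-auth-on-command"))
            elif v["auth"] == "authentication-null":
                findings.append((area, rid, "null-auth"))
            elif v["auth"] == "simple":
                findings.append((area, rid, "password-sent-in-clear"))
            if v["storage"] == "plain":
                # Assumption: 'plain' stores the password readable in the config.
                findings.append((area, rid, "password-readable-in-config"))
    return findings


# Constructed sample configuration; passwords are placeholders.
SAMPLE_CONFIG = """\
ospf 1 router-id 1.1.1.1
 area 0.0.0.1
  vlink-peer 2.2.2.2
  vlink-peer 3.3.3.3 authentication-null
  vlink-peer 4.4.4.4 hello 10 dead 40 simple plain EXAMPLE-PASSWORD
  vlink-peer 5.5.5.5 md5 1 cipher EXAMPLE-CIPHERTEXT
  vlink-peer 6.6.6.6 hmac-md5 1 plain EXAMPLE-PASSWORD
"""

if __name__ == "__main__":
    for area, rid, finding in audit_vlinks(SAMPLE_CONFIG):
        print("area %s vlink-peer %s: %s" % (area, rid, finding))
```

A "no-auth-on-command" finding only means that the vlink-peer command itself carries no authentication keyword; check the area authentication setting before treating the link as unauthenticated.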


5.4 Configuring OSPF network types

5.4.1 Establishing the configuration task

Applicable environment

OSPF divides networks into four types according to the link layer protocol. Because an NBMA network must fully connect, any two routers in the network are directly reachable. In most cases, you need to change the network type by using commands. For NBMA networks, if no directly reachable links exist between two routers, you can configure the interface type to P2MP. If a router in an NBMA network uses only one peer, you can change the interface type to P2P.

When you configure broadcast networks or NBMA networks, you can specify the DR priority for each interface to affect the DR and BDR election in the network. Routers with high performance and reliability can become the DR or BDR.

Preconfiguration tasks

Before you configure OSPF network types, complete the following tasks:

- Configure the network-layer addresses of the interfaces so that the network layers of the adjacent nodes are reachable.
- Complete the procedures in Configuring basic OSPF functions.

Data preparation

The following table lists the data you need to configure OSPF network types.

No.   Data
1     Network types to use
2     IP addresses of the neighbors (for NBMA networks)
3     DR priorities of the interfaces

Configuration procedures

No.   Procedure
1     Configuring network types of OSPF interfaces
2     Configuring neighbors for NBMA networks
3     Configuring DR priorities of OSPF interfaces
4     Checking the configuration


5.4.2 Configuring network types of OSPF interfaces

Do as follows on the related router according to requirements:

Step 1 Run:
    system-view
    The system view appears.
Step 2 Run:
    interface interface-type interface-number
    The interface view appears.
Step 3 Run:
    ospf network-type { broadcast | nbma | p2mp | p2p }
    This command configures the network types of OSPF interfaces.

    Generally, the network types of the two OSPF interfaces on both ends of the link must be identical. Otherwise, the two interfaces cannot set up a neighbor relationship. The exception is when the network type of one OSPF interface is broadcast and the network type of the other OSPF interface is P2P: the two interfaces can still set up a neighbor relationship. The broadcast interface can learn the correct OSPF routing information, but the P2P interface cannot learn the OSPF routing information from its peer.
----End

When you configure a new network type for the interface, the interface removes the previous network type automatically.

5.4.3 Configuring neighbors for NBMA networks

Do as follows on the related router according to requirements:

Step 1 Run:
    system-view
    The system view appears.
Step 2 Run:
    ospf [ process-id ]
    This command enables the OSPF process and the OSPF view appears.
Step 3 Run:
    peer ip-address [ dr-priority priority ]
    This command configures neighbors for NBMA networks.
----End

NBMA networks require some special configurations. Because a router cannot detect neighboring routers by broadcasting hello packets, you must manually configure the IP addresses of its adjacent routers for this interface and their election rights.


5.4.4 Configuring DR priorities of OSPF interfaces

Do as follows on the related router according to requirements:

Step 1 Run:
    system-view
    The system view appears.
Step 2 Run:
    interface interface-type interface-number
    The interface view appears.
Step 3 Run:
    ospf dr-priority priority
    This command configures the DR priorities of OSPF interfaces.
----End

When you configure broadcast networks or NBMA networks, you can specify the DR priorities of each interface to affect the DR and BDR election in the network. After you configure the DR priority, you can run the reset ospf [ process-id ] process command in the user view to restart the OSPF process.

5.4.5 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the LSDB information of OSPF.
Command: display ospf [ process-id ] lsdb [ brief ]
Command: display ospf [ process-id ] lsdb [ router | network | summary | asbr | ase | nssa | opaque-link | opaque-area | opaque-as ] [ link-state-id ] [ originate-router [ advertising-router-id ] | self-originate ]

Action: Check the information about the OSPF neighbor.
Command: display ospf [ process-id ] peer [ interface-type interface-number ] [ neighbor-id ]

Action: Check the information about the OSPF next hop.
Command: display ospf [ process-id ] nexthop

Action: Check the information about the OSPF routing table.
Command: display ospf [ process-id ] routing [ interface interface-type interface-number ] [ nexthop nexthop-address ]

Action: Check the OSPF interface information.
Command: display ospf [ process-id ] interface [ all | interface-type interface-number ]


Run the display ospf interface command to view the OSPF interface type and the router priority of the interface (used for DR election).

< Quidway > display ospf interface GigabitEthernet 2/0/0

OSPF Process 1 with Router ID 1.1.1.1
Interfaces

Interface: 11.1.1.1 (GigabitEthernet2/0/0)
Cost: 1 State: BDR Type: Broadcast MTU: 1500
Priority: 1
Designated Router: 0.0.0.0
Backup Designated Router: 0.0.0.0
Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1

5.5 Controlling OSPF routing information

5.5.1 Establishing the configuration task

Applicable environment

Use the procedures in this section to control the advertisement and receipt of OSPF routing information and import the routes of other protocols.

Preconfiguration tasks

Before you control OSPF routing information, complete the following tasks:

- Configure the network-layer addresses of the interfaces so that the network layers of the adjacent nodes are reachable.
- Complete the procedures in Configuring basic OSPF functions.

Data preparation

The following table lists the data you need to control OSPF routing information.

No.   Data
1     Link cost
2     Filtering list if you need to filter routing information
3     Name and process ID of the routing protocol to import and its default value

Configuration procedures

No.   Procedure
1     Configuring OSPF route aggregation
2     Configuring OSPF to filter the received routes


3     Configuring OSPF to filter ABR Type 3 LSA
4     Configuring the link cost of OSPF
5     Configuring the maximum number of equal-cost routes
6     Configuring the priority for OSPF
7     Configuring OSPF to import external routes
8     Checking the configuration

5.5.2 Configuring OSPF route aggregation

Configuring ABR route aggregation

Do as follows on the ABR according to requirements:

Step 1 Run:
    system-view
    The system view appears.
Step 2 Run:
    ospf [ process-id ]
    This command enables the OSPF process and the OSPF view appears.
Step 3 Run:
    area area-id
    The OSPF area view appears.
Step 4 Run:
    abr-summary ip-address mask [ advertise | not-advertise | cost cost ]
    This command configures the ABR route aggregation of OSPF.
----End

Configuring ASBR route aggregation

Do as follows on the ASBR according to requirements:

Step 1 Run:
    system-view
    The system view appears.
Step 2 Run:
    ospf [ process-id ]
    This command enables the OSPF process and the OSPF view appears.

5-34 Nortel Networks Inc. Issue 5.3 (30 March 2009)

Nortel Secure Router 8000 Series Configuration - IP Routing 5 OSPF configuration

Step 3 Run:

asbr-summary ip-address mask [ not-advertise | tag tag | cost cost ] * This command configures the ASBR route aggregation of OSPF. ----End

5.5.3 Configuring OSPF to filter the received routes

Do as follows on the related router according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    filter-policy { acl-number | ip-prefix ip-prefix-name } import
This command configures OSPF to filter the received routes.

----End

OSPF is a dynamic routing protocol based on the link state, and the routing information is hidden in the link state, so OSPF does not filter the LSAs that it advertises and receives. You can run the filter-policy import command to filter the routes OSPF calculates. OSPF adds only the routes that pass the filter to the routing table. This command filters only the routes added to the local routing table. It does not affect the OSPF routing table or the routes OSPF advertises.

5.5.4 Configuring OSPF to filter ABR Type 3 LSA

Do as follows on the related router according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    area area-id
The OSPF area view appears.

Step 4 Run:
    filter { acl-number | ip-prefix ip-prefix-name | route-policy route-policy-name } { export | import }
This command configures OSPF to filter ABR Type 3 LSAs.

----End

5.5.5 Configuring the link cost of OSPF

Configuring the cost of OSPF interfaces

Do as follows on each router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    interface interface-type interface-number
The interface view appears.

Step 3 Run:
    ospf cost cost
This command configures the cost of OSPF interfaces.

----End

Configuring bandwidth reference value

Do as follows on each router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    bandwidth-reference value
This command configures the reference value of the bandwidth. By default, the reference value of the bandwidth is 100.

----End

If you do not configure the cost of the interface by using the ospf cost command in the interface view, OSPF calculates the cost of the interface according to the bandwidth of the interface. The calculation formula is:

cost of the interface = reference value of the bandwidth / bandwidth of the interface

If the cost is smaller than 1, the cost value is 1. Change the reference value of the bandwidth to directly change the cost of the interface. During the configuration process, you must keep the bandwidth reference value consistent on all routers.

5.5.6 Configuring the maximum number of equal-cost routes

Do as follows on each router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    maximum load-balancing number
This command configures the maximum number of equal-cost routes.

----End

5.5.7 Configuring the priority for OSPF

Configuring the priority for OSPF

Do as follows on each router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    priority [ ase ] [ route-policy route-policy-name ] priority
This command configures the priority of OSPF.

----End

More than one dynamic routing protocol can run on one router. The protocols can share routing information and the router can select the optimal route from multiple routes that the different protocols detect. The system configures priorities for each routing protocol. When different protocols detect the same route, the router selects the route with a higher priority.

Configuring the priority for OSPF equal-cost routes

Do as follows on each router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    nexthop ip-address weight value
This command configures the priority for OSPF load balancing.

----End

The nexthop command selects the next hop with the highest priority from the equal-cost routes OSPF calculates. The smaller the weight is, the higher the routing priority. By default, the weight value is 255, which indicates the equal-cost routes balance the load.

5.5.8 Configuring OSPF to import external routes

Configuring OSPF to import routes from other protocols

Do as follows on the ASBR according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    import-route protocol [ process-id ] [ cost cost ] [ type type ] [ tag tag ] [ route-policy route-policy-name ]
This command imports routes from other protocols.

Step 4 Run:
    filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol [ process-id ] ]
This command filters imported routes. This step is optional. You can configure OSPF to filter a specific kind of routing information by specifying the protocol. If you do not specify the protocol, OSPF filters all imported routing information.

----End

NOTE

- The import-route command cannot import the default routes of the external routes.
- OSPF filters the imported routes. OSPF transforms only the external routes that meet the requirements into Type 5 LSAs and advertises them.

Configuring OSPF to import default routes

Do as follows on each router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    default-route-advertise [ always ] [ cost cost ] [ type type ] [ route-policy route-policy-name ]
This command imports default routes into OSPF processes. When you configure the always parameter, you force OSPF to import a default route; otherwise, the local router must use a default route. You can change the parameter of the default route (like tag) by using the routing policy.

You can only change the parameter of the default route, so when you create the route-policy, you can use the apply syntax directly instead of the if-match syntax.

Step 4 Run:
    default-route-advertise summary cost cost
This command advertises the default route of Type 3 Summary LSAs. Enable VPN before you use the parameter. Otherwise, you cannot aggregate the routes.

----End

NOTE

If you import the default route to the OSPF routing domain and an OSPF router within the domain uses a static default route, you must configure the precedence of the static default route lower than that of the imported default route. Otherwise, the default route may not use the highest priority in the routing table.

Configuring the related parameters for OSPF to import routes

Do as follows on each router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    default { cost cost | limit limit | tag tag | type type } *
This command configures the default values of the parameters (cost, number of routes, tag, and type) that relate to imported routes.

----End

When OSPF imports external routes, you can configure the default values for additional parameters, such as cost, number of routes, tag, and type. The route tag marks protocol-related information. For example, the tag differentiates the number of ASs when OSPF receives BGP.

5.5.9 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the information about the OSPF routing table.
Command: display ospf [ process-id ] routing [ interface interface-type interface-number ] [ nexthop nexthop-address ]

Action: Check the OSPF interface information.
Command: display ospf [ process-id ] interface [ all | interface-type interface-number ]

Action: Check the information about the OSPF ASBR convergence.
Command: display ospf [ process-id ] asbr-summary [ ip-address mask ]

Run the display ospf asbr-summary command. OSPF aggregates the imported routes when the router imports the aggregation of the routes.

display ospf asbr-summary

OSPF Process 1 with Router ID 192.168.1.2
Summary Addresses

Total summary address count: 1

Summary Address
net : 10.0.0.0
mask : 255.0.0.0
tag : 10
status : Advertise
Cost : 0 (Not Configured)
The Count of Route is : 2

Destination   Net Mask      Proto    Process   Type   Metric
10.1.0.0      255.255.0.0   Static   1         2      10
10.2.0.0      255.255.0.0   Static   1         2      10

5.6 Adjusting and optimizing OSPF networks

5.6.1 Establishing the configuration task

Applicable environment

If you change the OSPF packet timer, you can adjust the convergence speed of the OSPF networks and the network overload caused by protocol packets. On some low-speed links, you must consider the LSA transmit delay on the interface. You can adjust the LSA update and receive intervals to improve OSPF convergence. If you adjust the SPF calculation interval, you restrain the resource consumption caused by frequent network changes. You can enable OSPF authentication to improve the security of OSPF networks. OSPF supports network management and you can bind OSPF management information base (MIB) with a certain process, send trap messages, and record logs.

Preconfiguration tasks

Before you adjust and optimize OSPF networks, you need to complete the following tasks:

- Configure the network-layer addresses of the interfaces so that the network layers of the adjacent nodes are reachable.
- Complete the procedures in Configuring basic OSPF functions.

Data preparation

The following table lists the data you need to adjust and optimize OSPF networks.

No.  Data
1    Value of the packet timer
2    Authentication type and password

Configuration procedures

No.  Procedure
1    Configuring OSPF packet timer
2    Configuring the OSPF retransmission limit
3    Configuring the delay to transmit LSAs on the interface
4    Configuring the update and receive interval for LSA
5    Configuring the SPF calculation interval
6    Suppressing the interface from receiving and sending OSPF packets
7    Configuring a stub router
8    Configuring the authentication mode for OSPF areas
9    Configuring the MTU in DD packets
10   Configuring the maximum number of external LSAs in the LSDB
11   Configuring RFC 1583 compatible external routing
12   Configuring the network management of OSPF
13   Checking the configuration

5.6.2 Configuring OSPF packet timer

Do as follows on each router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    interface interface-type interface-number
The interface view appears.

Step 3 Run:
    ospf timer hello seconds
This command configures the interval to send hello packets on the interface.

Step 4 Run:
    ospf timer poll seconds
This command configures the interval to send poll packets on the NBMA interface.

Step 5 Run:
    ospf timer dead seconds
This command configures the dead time during which the adjacent relationship is invalid.

Step 6 Run:
    ospf timer retransmit seconds
This command configures the interval to retransmit LSAs between the adjacent routers.

----End

You must keep the hello timer consistent between OSPF neighbors. The value of the hello timer is inversely proportional to route convergence speed and network load. The dead time on the same interface is at least four times the hello interval. After a router sends an LSA to its neighbor, it waits for the acknowledgement packet from its neighbor. If the router does not receive an acknowledgement packet from its neighbor in the retransmit interval, it retransmits the LSA. By default, the LSA retransmit interval is 5 seconds.

NOTE

- Both hello and dead timers restore to the default values after you change the network type.
- Do not configure the LSA retransmission interval to a small value. Too small a value causes unnecessary retransmission. The value must be greater than the time for a packet to transmit between two routers.

5.6.3 Configuring the OSPF retransmission limit

Do as follows on each router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    retransmission-limit [ max-number ]
This command configures the OSPF retransmission limit. By default, this function is disabled.

----End

DD, update, and request packets use the OSPF packet retransmission mechanism. When the three types of packets do not receive the corresponding response packets, they use this mechanism to limit the number of times packets retransmit. When the number of times the packets retransmit reaches the specified value, the neighbor relationship is set up again.

5.6.4 Configuring the delay to transmit LSAs on the interface

Do as follows on each router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    interface interface-type interface-number
The interface view appears.

Step 3 Run:
    ospf trans-delay seconds
This command configures the delay for LSA transmission on the interface.

----End

Because OSPF packet transmission on the link takes time, you must add delay time to the age time of the LSA before transmission.

NOTE

Monitor this configuration on low-speed links.

5.6.5 Configuring the update and receive interval for LSAs

Configuring the update interval for LSAs

Do as follows on each router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    lsa-originate-interval 0
This command configures the update interval for LSAs. By default, the update interval for LSAs is 5 seconds.

----End

The OSPF protocol defines the update interval for LSAs as 5 seconds. This value prevents network connections or routing flaps from using excessive bandwidth and router resources. In an environment where the network is stable and you require fast convergence, you can configure the receive interval as 0 to cancel the receive interval for LSAs. Changes to the topology and routes are then advertised to the network in time, and routing convergence speeds up in the network.

Configuring the receive interval for LSAs

Do as follows on each router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    lsa-arrival-interval 0
This command configures the receive interval for LSAs. By default, the receive interval for the LSA is 1 second.

----End

In a stable network, if you require fast route convergence, you can configure the receive interval of LSAs to 0 to cancel it. Routers can then detect changes to the topology and routes, which speeds up route convergence.

5.6.6 Configuring the SPF calculation interval

Do as follows on each router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    spf-schedule-interval { interval1 | millisecond interval2 }
This command configures the interval for SPF calculation.

----End

After the LSDB changes, the router recalculates SPF. This calculation consumes excessive resources and affects the performance of the router. Adjust the SPF calculation interval to restrain the resource consumption that frequent network changes can cause.

5.6.7 Suppressing the interface from receiving and sending OSPF packets

Do as follows on each router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    silent-interface { all | interface-type interface-number }
This command suppresses the interface from receiving and sending OSPF packets.

----End

Use the silent-interface command to prevent the receipt of routing information by routers on a specific network and to ensure the local router does not receive route update advertisements from other routers. Different processes can suppress the same interface but the silent-interface command is valid only for the OSPF interface on which you enable the specified process. The command does not affect the interface of other processes.

After you configure an OSPF interface with silent status, the interface can still advertise its direct route. The interface blocks hello packets and it does not establish a neighbor relationship. This configuration enhances the OSPF capability to adapt to the networking, which reduces the consumption of system resources.

5.6.8 Configuring a stub router

Do as follows on the router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    stub-router
This command configures a stub router.

----End

Use a stub router to control the traffic. The stub router notifies other OSPF routers not to forward data through the stub router, but they can use a route to the stub router. A stub router generates Router LSAs that use a larger link metric of 65535.

NOTE

A stub router does not relate to the stub area.

5.6.9 Configuring the authentication mode for OSPF areas

Area authentication mode

Do as follows on the router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    area area-id
The OSPF area view appears.

Step 4 Configure the authentication mode of the OSPF area:

- Run:
      authentication-mode simple { [ plain ] plain-text | cipher cipher-text }
  This command configures simple authentication for the OSPF area.
- Run:
      authentication-mode { md5 | hmac-md5 } [ key-id { plain plain-text | [ cipher ] cipher-text } ]
  This command configures the MD5 authentication mode of the OSPF area.

----End

OSPF supports packet authentication. The router accepts only the OSPF packets that pass authentication; if authentication fails, the neighbor relationship is not established. All the routers in the area must use the same area authentication mode and password. For example, the authentication mode of all routers on area 0 is simple authentication and the password is abc.
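What the two authentication modes put on the wire, as an added example that is not part of the Nortel guide: it builds an OSPFv2 header as defined in RFC 2328 Appendix D with simple authentication and with the standard's keyed-MD5 scheme, then runs the receiver-side check. The router ID, the key ExampleKey01, the sequence number and the packet body are constructed, and how the product's md5 and hmac-md5 modes map onto the RFC scheme is not stated in this guide.

```python
import hashlib
import hmac
import struct

AUTYPE_SIMPLE, AUTYPE_CRYPTO = 1, 2
HEADER = "!BBH4s4sHH8s"  # version, type, length, router ID, area ID, checksum, AuType, auth


def _checksum(data):
    """16-bit one's complement checksum (used for AuType 0 and 1 only)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _pad(secret, size):
    return secret.encode().ljust(size, b"\x00")[:size]


def build_simple(body, router_id, area_id, password):
    """Simple authentication: the password itself fills the 8-byte auth field."""
    fields = [2, 1, 24 + len(body), router_id, area_id, 0, AUTYPE_SIMPLE, _pad(password, 8)]
    # The checksum covers the packet except the 64-bit authentication field.
    fields[5] = _checksum(struct.pack(HEADER, *fields)[:16] + body)
    return struct.pack(HEADER, *fields) + body


def build_md5(body, router_id, area_id, key, key_id, seq):
    """Cryptographic authentication: the header carries key ID, digest length and
    sequence number; MD5(packet || key padded to 16 bytes) is appended."""
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    packet = struct.pack(HEADER, 2, 1, 24 + len(body), router_id, area_id,
                         0, AUTYPE_CRYPTO, auth) + body
    return packet + hashlib.md5(packet + _pad(key, 16)).digest()


def verify(packet, password=None, md5_keys=None, last_seq=0):
    """Receiver-side check. Returns (accepted, reason)."""
    _, _, length, _, _, csum, autype, auth = struct.unpack(HEADER, packet[:24])
    if autype == AUTYPE_SIMPLE:
        zeroed = packet[:12] + b"\x00\x00" + packet[14:16] + packet[24:length]
        if _checksum(zeroed) != csum:
            return False, "bad-checksum"
        ok = password is not None and hmac.compare_digest(auth, _pad(password, 8))
        return ok, "ok" if ok else "bad-password"
    if autype == AUTYPE_CRYPTO:
        _, key_id, digest_len, seq = struct.unpack("!HBBI", auth)
        key = (md5_keys or {}).get(key_id)
        if key is None:
            return False, "unknown-key-id"
        if seq < last_seq:  # older than the last sequence number seen from this neighbor
            return False, "replayed-sequence"
        expected = hashlib.md5(packet[:length] + _pad(key, 16)).digest()
        ok = hmac.compare_digest(packet[length:length + digest_len], expected)
        return ok, "ok" if ok else "bad-digest"
    return False, "no-authentication"


# Constructed sample values; "abc" is the example password used in this section.
ROUTER_ID = bytes([1, 1, 1, 1])
AREA_0 = bytes(4)
BODY = bytes(20)  # placeholder for a Hello body; its contents do not matter here
SIMPLE_PKT = build_simple(BODY, ROUTER_ID, AREA_0, "abc")
MD5_PKT = build_md5(BODY, ROUTER_ID, AREA_0, "ExampleKey01", key_id=1, seq=1000)
```

In simple mode the password occupies the authentication field of every packet, whereas the MD5 packet carries only the key ID, the sequence number and the digest.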

Interface authentication mode

Do as follows on the router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    interface interface-type interface-number
The interface view appears.

Step 3 Configure the interface authentication mode:

- Run:
      ospf authentication-mode simple { [ plain ] plain-text | cipher cipher-text }
  This command configures simple authentication for the OSPF interface.
- Run:
      ospf authentication-mode { md5 | hmac-md5 } key-id { plain plain-text | [ cipher ] cipher-text }
  This command configures MD5 authentication for the OSPF interface.
- Run:
      ospf authentication-mode null
  This command configures the nonauthentication mode for the OSPF interface.

----End

Neighbor routers use the interface authentication mode. Interface authentication mode has a higher priority than area authentication mode. The authentication mode and the password of interfaces in the same network segment must be consistent. If the interfaces are in different network segments, the authentication mode and the password of the interfaces can be different.

5.6.10 Configuring the MTU in DD packets

Do as follows on the router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    interface interface-type interface-number
The interface view appears.

Step 3 Run:
    ospf mtu-enable
This command enables the interface to fill the MTU in DD packets when it sends the DD packets.

----End

The interface replaces the actual MTU with 0 when it sends DD packets. After you configure this command, the interface fills the interface MTU field of the DD packets with the actual MTU.

5.6.11 Configuring the maximum number of external LSAs in the LSDB

Do as follows on the router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    lsdb-overflow-limit number
This command configures the maximum number of external LSAs in the LSDB.

----End

5.6.12 Configuring RFC 1583 compatible external routing

Do as follows on the router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    rfc1583 compatible
This command enables RFC 1583 compatible external routing.

----End

When multiple LSAs calculate the same external route, RFC 2328 defines a different routing rule than RFC 1583. After you configure this command, the rule in RFC 2328 is compatible with the routing rule in RFC 1583.

5.6.13 Configuring the network management of OSPF

Configuring OSPF MIB binding

Do as follows on the router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf mib-binding process-id
This command configures OSPF MIB binding.

----End

When you enable multiple OSPF processes, you can configure the OSPF MIB to select the process to bind.

Configuring OSPF traps

Do as follows on the router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    snmp-agent trap enable ospf [ process-id ] [ ifauthfail | ifcfgerror | ifrxbadpkt | ifstatechange | lsdbapproachoverflow | lsdboverflow | maxagelsa | nbrstatechange | originatelsa | txretransmit | vifauthfail | vifcfgerror | virifrxbadpkt | virifstatechange | viriftxretransmit | virnbrstatechange ] *
This command enables OSPF traps.

----End

You can configure OSPF to send various SNMP trap packets, and you can specify a certain OSPF process by its process ID to send SNMP trap packets. If you do not specify the process-id during configuration, the OSPF trap configuration is valid for all OSPF processes.

Configuring OSPF logs

Do as follows on the router in the area according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    enable log [ config | state | error ]
This command enables the log information.

----End

5.6.14 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the brief information of OSPF.
Command: display ospf [ process-id ] brief

Action: Check the OSPF statistics.
Command: display ospf [ process-id ] cumulative

Action: Check the OSPF request list.
Command: display ospf [ process-id ] request-queue [ interface-type interface-number ] [ neighbor-id ]

Action: Check the OSPF retransfer list.
Command: display ospf [ process-id ] retrans-queue [ interface-type interface-number ] [ neighbor-id ]

Action: Check the OSPF error information.
Command: display ospf [ process-id ] error
Command: display ospf error [ packet ]

Run the display ospf brief command to view detailed information about the OSPF packet timer and the delay for transmitting LSAs on the interface.

display ospf brief

OSPF Process 126 with Router ID 1.1.1.9
OSPF Protocol Information

RouterID: 1.1.1.9 Border Router:
Route Tag: 0
Multi-VPN-Instance is not enabled
OSPF Stub Router Capable
Applications Supported: MPLS Traffic-Engineering
Spf-schedule-interval: 5
Default ASE parameters: Metric: 1 Tag: 1 Type: 2
Route Preference: 10
ASE Route Preference: 150
SPF Computation Count: 52
RFC 1583 Compatible
Retransmission limitation is disabled
Area Count: 1 Nssa Area Count: 0
ExChange/Loading Neighbors: 0

Area: 0.0.0.0 (MPLS TE not enabled)
Authtype: None Area flag: Normal
SPF scheduled Count: 12
ExChange/Loading Neighbors: 0

Interface: 172.1.2.1 (Ethernet1/0/0)
Cost: 1 State: BDR Type: Broadcast MTU: 1500
Priority: 1
Designated Router: 172.1.2.2
Backup Designated Router: 172.1.2.1
Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1
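An offline audit of the settings from 5.6.2 (packet timers) and 5.6.9 (authentication), as an added example that is not part of the Nortel guide: it parses router configurations written in the command syntax of those sections, resolves the effective authentication of each interface, and checks the timer rules per segment. The configuration layout, the TOPOLOGY mapping, the finding names, the default hello interval of 10 seconds and the reading of plain as a key kept readable in the configuration are assumptions.

```python
import re

DEFAULT_HELLO = 10  # assumed default, from "Hello 10" in the display output above
NO_AUTH = {"mode": "null", "key_id": None, "stored": None}
NO_IFACE = {"auth": None, "hello": None, "dead": None}


def parse_auth(args):
    """Decode the arguments that follow [ospf] authentication-mode."""
    mode, rest = args[0], args[1:]
    auth = dict(NO_AUTH, mode=mode)
    if mode in ("md5", "hmac-md5") and rest:  # key-id, then [cipher] or plain
        auth["key_id"] = rest[0]
        auth["stored"] = "plain" if rest[1:2] == ["plain"] else "cipher"
    elif mode == "simple":  # [plain] is optional, cipher must be explicit
        auth["stored"] = "cipher" if rest[:1] == ["cipher"] else "plain"
    return auth


def parse_config(text):
    """Return ({area: auth}, {interface: settings}) for one router's configuration."""
    areas, ifaces, view, current = {}, {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        words = line.split()
        if not words or line == "#":
            continue
        if re.fullmatch(r"ospf( \d+)?", line):
            view, current = "ospf", None
        elif words[0] == "interface":
            view, current = "interface", "".join(words[1:])
            ifaces[current] = dict(NO_IFACE)
        elif words[0] == "area" and view in ("ospf", "area"):
            view, current = "area", words[1]
            areas.setdefault(current, None)
        elif view == "area" and words[0] == "authentication-mode":
            areas[current] = parse_auth(words[1:])
        elif view == "interface" and words[:2] == ["ospf", "authentication-mode"]:
            ifaces[current]["auth"] = parse_auth(words[2:])
        elif view == "interface" and words[:2] == ["ospf", "timer"]:
            if len(words) == 4 and words[2] in ("hello", "dead"):
                ifaces[current][words[2]] = int(words[3])
    return areas, ifaces


def audit(configs, topology):
    """Return sorted (segment, location, finding) tuples for every segment."""
    parsed = {router: parse_config(text) for router, text in configs.items()}
    findings = []
    for segment, members in topology.items():
        modes, hellos = set(), set()
        for router, ifname, area in members:
            areas, ifaces = parsed[router]
            iface = ifaces.get(ifname, NO_IFACE)
            # Interface authentication has a higher priority than area authentication.
            auth = iface["auth"] or areas.get(area) or NO_AUTH
            where = f"{router}/{ifname}"
            if auth["mode"] == "null":
                findings.append((segment, where, "no-authentication"))
            elif auth["mode"] == "simple":
                findings.append((segment, where, "simple-authentication"))
            if auth["stored"] == "plain":
                findings.append((segment, where, "plain-key-in-config"))
            hello = iface["hello"] or DEFAULT_HELLO
            if iface["dead"] is not None and iface["dead"] < 4 * hello:
                findings.append((segment, where, "dead-below-4x-hello"))
            modes.add((auth["mode"], auth["key_id"]))
            hellos.add(hello)
        if len(modes) > 1:
            findings.append((segment, "*", "authentication-mismatch"))
        if len(hellos) > 1:
            findings.append((segment, "*", "hello-mismatch"))
    return sorted(findings)


# Constructed sample configurations (layout and key material are illustrative).
CONFIGS = {
    "R1": """
interface GigabitEthernet1/0/0
 ospf authentication-mode md5 1 cipher EXAMPLE-CIPHERTEXT
 ospf timer hello 5
 ospf timer dead 10
interface GigabitEthernet2/0/0
ospf 1
 area 0.0.0.0
  authentication-mode simple plain abc
""",
    "R2": """
interface GigabitEthernet1/0/0
 ospf authentication-mode null
interface GigabitEthernet2/0/0
 ospf authentication-mode hmac-md5 1 cipher EXAMPLE-CIPHERTEXT
""",
}
# Assumed input: which interfaces share a segment, and the OSPF area of each.
TOPOLOGY = {
    "seg-A": [("R1", "GigabitEthernet1/0/0", "0.0.0.0"), ("R2", "GigabitEthernet1/0/0", "0.0.0.0")],
    "seg-B": [("R1", "GigabitEthernet2/0/0", "0.0.0.0"), ("R2", "GigabitEthernet2/0/0", "0.0.0.0")],
}
```

Calling audit(CONFIGS, TOPOLOGY) reports, for the constructed sample, the interface that falls back to the area's simple password, the interface set to null, and the segment whose hello and dead timers disagree with the rules in 5.6.2.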

5.7 Configuring OSPF Graceful Restart

5.7.1 Establishing the configuration task

Applicable environment

To avoid route flapping and traffic interruption caused by restarts of OSPF, you must enable OSPF GR. After the protocol restarts, the GR restarter and the adjacent GR helper perform the following actions to implement OSPF fast convergence:

- Maintain the neighbor relationship.
- Exchange the routing information and synchronize the LSDB.
- Update the routing table and the forwarding table.

The procedure includes the following steps:

1. Enable the signaling capability and the out-of-band synchronization capability of the local link.
2. Enable OSPF GR.
3. Adjust the time parameters for GR based on the requirements. Generally, Nortel recommends that you use the default values.

Preconfiguration tasks

Before you configure OSPF GR, complete the following task:

- Complete the procedures in Configuring basic OSPF functions.

Data preparation

The following table lists the data you need to configure OSPF GR.

No.  Data
1    OSPF process number
2    Filtering rules of OSPF GR help

Configuration procedures

No.  Procedure
1    Enabling OSPF GR
2    Checking the configuration

5.7.2 Enabling OSPF GR

Do as follows on the router according to requirements:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf process-id
The OSPF view appears.

Step 3 Run:
    enable link-local-signaling
This command enables the signaling capability of the local link for OSPF. By default, the signaling capability of the local link is disabled.

Step 4 Run:
    enable out-of-band-resynchronization
This command enables the out-of-band synchronization capability for OSPF. By default, the out-of-band synchronization capability is disabled.

Step 5 Perform the following as required:

- To enable OSPF GR, run:
      graceful-restart [ wait-time value ]
- To enable OSPF GR help, run:
      graceful-restart help { ip-prefix prefix-list | acl-number } [ wait-time value ]

By default, OSPF GR is disabled and OSPF GR help is also disabled. On the GR restarter, you can configure the time interval specified by wait-time and the filtering rules of OSPF GR help at the same time. The wait-time parameter is optional and limits the number of neighbors found by the GR restarter during the time interval you specify. The value ranges from 10 to 3600 seconds. The default value is the maximum invalidation time of routes among all the neighbors. When the wait-time expires, if the GR restarter is synchronizing LSDBs with the neighbors, it completes the GR process after the LSDBs synchronize; otherwise, the GR process is complete.

----End

5.7.3 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the state of OSPF GR.
Command: display ospf brief

Run the display ospf brief command to view the configuration of OSPF GR.

display ospf brief

OSPF Process 1 with Router ID 1.1.1.1
OSPF Protocol Information

RouterID: 1.1.1.1 Border Router:
Route Tag: 0
Multi-VPN-Instance is not enabled
Link-local signaling capable
Out-of-band resynchronize capable
Graceful restart capable
Graceful restart Helper filter capable, filter: No Filter
Applications Supported: MPLS Traffic-Engineering
Spf-schedule-interval: 5
Default ASE parameters: Metric: 1 Tag: 1 Type: 2
Route Preference: 10
ASE Route Preference: 150
SPF Computation Count: 5
RFC 1583 Compatible
Retransmission limitation is disabled
Area Count: 1 Nssa Area Count: 0
ExChange/Loading Neighbors: 0

Area: 0.0.0.0 (MPLS TE not enabled)
Authtype: None Area flag: Normal
SPF scheduled Count: 5
ExChange/Loading Neighbors: 0

Interface: 172.1.2.1 (Ethernet1/0/0)
Cost: 1 State: BDR Type: Broadcast MTU: 1500
Priority: 1
Designated Router: 172.1.2.2
Backup Designated Router: 172.1.2.1
Timers: Hello 10 , Dead 40 , Poll 120 , Retransmit 5 , Transmit Delay 1

5.8 Maintaining OSPF This section describes the following topics:

z Resetting OSPF z Clearing OSPF z Debugging OSPF 5.8.1 Resetting OSPF

After you use the reset ospf command to reset the OSPF connection, the router deletes OSPF adjacencies. Confirm the action before you use the command.

After you modify the OSPF routing policy or protocol, you must reset the OSPF connections to make the modification take effect. To reset OSPF connections, run the following reset commands in the user view.

Action | Command
Restart OSPF processes. | reset ospf [ process-id ] process
Restart the OSPF process in GR mode. | reset ospf [ process-id ] process graceful-restart

5.8.2 Clearing OSPF

You cannot restore OSPF information after you clear it. Confirm the action before you use the command.

To clear the OSPF information, run the following reset commands in the user view.


Action | Command
Clear OSPF counters. | reset ospf [ process-id ] counters [ neighbor [ interface-type interface-number ] [ neighbor-id ] ]
Clear routes imported by OSPF. | reset ospf [ process-id ] redistribution

5.8.3 Debugging OSPF

Debugging affects the system performance. After you debug the system, run the undo debugging all command to disable it immediately.

After an OSPF fault occurs, run the following debugging commands in the user view to debug OSPF and locate the fault. For more information about the output of the debugging information, see Nortel Secure Router 8000 Series Configuration Guide - System Management (NN46240-601). For information about the debugging command, see Nortel Secure Router 8000 Series Commands Reference (NN46240-500).

Action | Command
Debug the OSPF packet. | debugging ospf [ process-id ] packet [ ack | dd | hello | request | update ] [ brief ] [ filter { src | nbr } { acl-number | ip-prefix ip-prefix-name } ]
 | debugging ospf packet [ rcv-dump [ error ] | snd-dump ] [ filter { src | nbr } { acl-number | ip-prefix ip-prefix-name } ]
Debug the OSPF hot-standby. | debugging ospf [ process-id ] hot-standby
Debug the OSPF event. | debugging ospf [ process-id ] event
Debug the OSPF LSA packet. | debugging ospf [ process-id ] lsa-originate
Debug OSPF SPF. | debugging ospf [ process-id ] spf { all | brief | intra }
 | debugging ospf [ process-id ] spf { asbr-summary | ase | net-summary | nssa } [ filter { acl acl-number | ip-prefix ip-prefix-name } ]


5.9 Configuration examples

NOTE

The configuration examples only list the commands related to the OSPF configuration.

This section provides the following examples:

• Example of configuring basic OSPF functions
• Example of configuring OSPF stub areas
• Example of configuring an OSPF NSSA
• Example of configuring DR election of OSPF
• Example of configuring OSPF virtual links
• Example of configuring OSPF load balancing
• Example of configuring OSPF GR

5.9.1 Example of configuring basic OSPF functions

Networking requirements

As shown in Figure 5-21, all routers run OSPF and the entire AS uses three areas. Router A and Router B serve as ABRs to forward the routes between areas. After the configuration, each router must learn the routes from the AS to all network segments.

Figure 5-21 OSPF basic configuration

[Figure: topology. Area0: RouterA POS1/0/0 192.168.0.1/24 to RouterB POS1/0/0 192.168.0.2/24. Area1: RouterA POS2/0/0 192.168.1.1/24 to RouterC POS1/0/0 192.168.1.2/24; RouterC GbE2/0/0 172.16.1.1/24 to RouterE GbE2/0/0 172.16.1.2/24. Area2: RouterB POS2/0/0 192.168.2.1/24 to RouterD POS1/0/0 192.168.2.2/24; RouterD GbE2/0/0 172.17.1.1/24 to RouterF GbE2/0/0 172.17.1.2/24.]

Configuration roadmap

The steps in the configuration roadmap are

1. Enable OSPF on each router and specify the network segment in different areas.
2. Check the routing list and LSDB.

Data preparation

To complete the configuration, you need the following data:

• The router ID of Router A is 1.1.1.1. Enable OSPF process 1. Specify the network segment 192.168.0.0 in area 0. Specify the network segment 192.168.1.0 in area 1.
• The router ID of Router B is 2.2.2.2. Enable OSPF process 1. Specify the network segment 192.168.0.0 in area 0. Specify the network segment 192.168.2.0 in area 2.
• The router ID of Router C is 3.3.3.3. Enable OSPF process 1. Specify the network segment 192.168.1.0 in area 1 and the network segment 192.168.2.0.
• The router ID of Router D is 4.4.4.4. Enable OSPF process 1. Specify the network segment 192.168.2.0 in area 2 and the network segment 172.17.1.0.
• The router ID of Router E is 5.5.5.5. Enable OSPF process 1. Specify the network segment 172.16.1.0 in area 1.
• The router ID of Router F is 6.6.6.6. Enable OSPF process 1. Specify the network segment 172.17.1.0 in area 2.

Configuration procedure

Step 1 Configure IP addresses for each interface.

Step 2 Configure basic OSPF functions.

# Configure Router A:

[RouterA] router id 1.1.1.1
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.1] quit

# Configure Router B:

[RouterB] router id 2.2.2.2
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] area 2
[RouterB-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.2] quit

# Configure Router C:

[RouterC] router id 3.3.3.3
[RouterC] ospf
[RouterC-ospf-1] area 1
[RouterC-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.1] network 172.16.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.1] quit


# Configure Router D:

[RouterD] router id 4.4.4.4
[RouterD] ospf
[RouterD-ospf-1] area 2
[RouterD-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.2] network 172.17.1.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.2] quit

# Configure Router E:

[RouterE] router id 5.5.5.5
[RouterE] ospf
[RouterE-ospf-1] area 1
[RouterE-ospf-1-area-0.0.0.1] network 172.16.1.0 0.0.0.255
[RouterE-ospf-1-area-0.0.0.1] quit

# Configure Router F:

[RouterF] router id 6.6.6.6
[RouterF] ospf
[RouterF-ospf-1] area 2
[RouterF-ospf-1-area-0.0.0.2] network 172.17.1.0 0.0.0.255
[RouterF-ospf-1-area-0.0.0.2] quit

Step 3 Verify the configuration.

# View OSPF neighbors of Router A:

[RouterA] display ospf peer

          OSPF Process 1 with Router ID 1.1.1.1
                  Neighbors

 Area 0.0.0.0 interface 192.168.0.1(Pos1/0/0)'s neighbors
 Router ID: 2.2.2.2          Address: 192.168.0.2        GR State: Normal
   State: Full  Mode:Nbr is Master  Priority: 1
   DR: None  BDR: None  MTU: 0
   Dead timer due in 36 sec
   Neighbor is up for 00:15:04
   Authentication Sequence: [ 0 ]

                  Neighbors

 Area 0.0.0.1 interface 192.168.1.1(Pos2/0/0)'s neighbors
 Router ID: 3.3.3.3          Address: 192.168.1.2        GR State: Normal
   State: Full  Mode:Nbr is Master  Priority: 1
   DR: None  BDR: None  MTU: 0
   Dead timer due in 39 sec
   Neighbor is up for 00:07:32
   Authentication Sequence: [ 0 ]

# View the OSPF routing information of Router A:

[RouterA] display ospf routing

          OSPF Process 1 with Router ID 1.1.1.1
                  Routing Tables

 Routing for Network
 Destination        Cost  Type        NextHop         AdvRouter       Area
 172.16.1.0/24      2     Transit     192.168.1.2     3.3.3.3         0.0.0.1
 172.17.1.0/24      3     Inter-area  192.168.0.2     2.2.2.2         0.0.0.0
 192.168.0.0/24     1     Stub        192.168.0.1     1.1.1.1         0.0.0.0
 192.168.1.0/24     1     Stub        192.168.1.1     1.1.1.1         0.0.0.1
 192.168.2.0/24     2     Inter-area  192.168.0.2     2.2.2.2         0.0.0.0

 Total Nets: 5
 Intra Area: 3  Inter Area: 2  ASE: 0  NSSA: 0

# View the LSDB of Router A:

[RouterA] display ospf lsdb

          OSPF Process 1 with Router ID 1.1.1.1
                  Link State Database

                  Area: 0.0.0.0
 Type      LinkState ID    AdvRouter       Age  Len  Sequence  Metric
 Router    2.2.2.2         2.2.2.2         317  48   80000003  1
 Router    1.1.1.1         1.1.1.1         316  48   80000002  1
 Sum-Net   172.16.1.0      1.1.1.1         250  28   80000001  2
 Sum-Net   172.17.1.0      2.2.2.2         203  28   80000001  2
 Sum-Net   192.168.2.0     2.2.2.2         237  28   80000002  1
 Sum-Net   192.168.1.0     1.1.1.1         295  28   80000002  1

                  Area: 0.0.0.1
 Type      LinkState ID    AdvRouter       Age  Len  Sequence  Metric
 Router    5.5.5.5         5.5.5.5         214  36   80000004  1
 Router    3.3.3.3         3.3.3.3         217  60   80000008  1
 Router    1.1.1.1         1.1.1.1         289  48   80000002  1
 Network   172.16.1.1      3.3.3.3         670  32   80000001  0
 Sum-Net   172.17.1.0      1.1.1.1         202  28   80000001  3
 Sum-Net   192.168.2.0     1.1.1.1         242  28   80000001  2
 Sum-Net   192.168.0.0     1.1.1.1         300  28   80000001  1

# View the routing table of Router D and test connectivity by using the ping command:

[RouterD] display ospf routing

          OSPF Process 1 with Router ID 4.4.4.4
                  Routing Tables

 Routing for Network
 Destination        Cost  Type        NextHop         AdvRouter       Area
 172.16.1.0/24      4     Inter-area  192.168.2.1     2.2.2.2         0.0.0.2
 172.17.1.0/24      1     Transit     172.17.1.1      4.4.4.4         0.0.0.2
 192.168.0.0/24     2     Inter-area  192.168.2.1     2.2.2.2         0.0.0.2
 192.168.1.0/24     3     Inter-area  192.168.2.1     2.2.2.2         0.0.0.2
 192.168.2.0/24     1     Stub        192.168.2.2     4.4.4.4         0.0.0.2

 Total Nets: 5
 Intra Area: 2  Inter Area: 3  ASE: 0  NSSA: 0

[RouterD] ping 172.16.1.1
  PING 172.16.1.1: 56 data bytes, press CTRL_C to break
    Reply from 172.16.1.1: bytes=56 Sequence=1 ttl=253 time=62 ms
    Reply from 172.16.1.1: bytes=56 Sequence=2 ttl=253 time=16 ms
    Reply from 172.16.1.1: bytes=56 Sequence=3 ttl=253 time=62 ms
    Reply from 172.16.1.1: bytes=56 Sequence=4 ttl=253 time=94 ms
    Reply from 172.16.1.1: bytes=56 Sequence=5 ttl=253 time=63 ms

  --- 172.16.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 16/59/94 ms
[RouterD]
----End

Configuration files

• Configuration file of Router A

#
 sysname RouterA
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.0.1 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 192.168.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
#
return

• Configuration file of Router B

#
 sysname RouterB
#
 router id 2.2.2.2
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.0.2 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 192.168.2.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
 area 0.0.0.2
  network 192.168.2.0 0.0.0.255
#
return

• Configuration file of Router C

#
 sysname RouterC
#
 router id 3.3.3.3
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.1 255.255.255.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.1.2 255.255.255.0
#
ospf 1
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  network 172.16.1.0 0.0.0.255
#
return

• Configuration file of Router D

#
 sysname RouterD
#
 router id 4.4.4.4
#
interface GigabitEthernet2/0/0
 ip address 172.17.1.1 255.255.255.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.2.2 255.255.255.0
#
ospf 1
 area 0.0.0.2
  network 192.168.2.0 0.0.0.255
  network 172.17.1.0 0.0.0.255
#
return

• Configuration file of Router E

#
 sysname RouterE
#
 router id 5.5.5.5
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.2 255.255.255.0
#
ospf 1
 area 0.0.0.1
  network 172.16.1.0 0.0.0.255
#
return

• Configuration file of Router F

#
 sysname RouterF
#
 router id 6.6.6.6
#
interface GigabitEthernet2/0/0
 ip address 172.17.1.2 255.255.255.0
#
ospf 1
 area 0.0.0.2
  network 172.17.1.0 0.0.0.255
#
return

5.9.2 Example of configuring OSPF stub areas

Networking requirements

As shown in Figure 5-22, all routers run OSPF and the entire AS divides into three areas. Router A and Router B serve as ABRs to forward the routes between areas. Router D serves as the ASBR to import external routes (static routes). Configure Area 1 as the stub area, thus reducing the LSAs advertised to this area without affecting the route reachability.

Figure 5-22 OSPF stub area configuration

[Figure: topology. Area0: RouterA POS1/0/0 192.168.0.1/24 to RouterB POS1/0/0 192.168.0.2/24. Area1 (Stub): RouterA POS2/0/0 192.168.1.1/24 to RouterC POS1/0/0 192.168.1.2/24; RouterC GbE2/0/0 172.16.1.1/24 to RouterE GbE2/0/0 172.16.1.2/24. Area2: RouterB POS2/0/0 192.168.2.1/24 to RouterD POS1/0/0 192.168.2.2/24; RouterD GbE2/0/0 172.17.1.1/24 to RouterF GbE2/0/0 172.17.1.2/24.]

Configuration roadmap

The steps in the configuration roadmap are

1. Enable OSPF on each router and configure basic OSPF functions.
2. Configure the static route on Router D and import it into OSPF.
3. Configure Area 1 as the stub area and check the OSPF routing information on Router C.
4. Stop Router A from informing the stub area about Type 3 LSAs and check the OSPF routing information on Router C.

Data preparation

To complete the configuration, you need the following data:

• The router ID of Router A is 1.1.1.1. The process number of OSPF is 1. The network segment of area 0 is 192.168.0.0. The network segment of area 1 is 192.168.1.0.
• The router ID of Router B is 2.2.2.2. The process number of OSPF is 1. The network segment of area 0 is 192.168.0.0. The network segment of area 2 is 192.168.2.0.
• The router ID of Router C is 3.3.3.3. The process number of OSPF is 1. The network segment of area 1 is 192.168.1.0 and 172.16.1.0.
• The router ID of Router D is 4.4.4.4. The process number of OSPF is 1. The network segment of area 2 is 192.168.1.0 and 172.17.1.0.
• The router ID of Router E is 5.5.5.5. The process number of OSPF is 1. The network segment of area 1 is 172.16.1.0.
• The router ID of Router F is 6.6.6.6. The process number of OSPF is 1. The network segment of area 2 is 172.17.1.0.

Configuration procedure

Step 1 Configure IP addresses for each interface.

Step 2 Configure basic OSPF functions (see Example of configuring basic OSPF functions).

Step 3 Configure Router D to import static routes:

[RouterD] ip route-static 200.0.0.0 8 null 0
[RouterD] ospf
[RouterD-ospf-1] import-route static type 1
[RouterD-ospf-1] quit

# View ABR and ASBR information on Router C:

[RouterC] display ospf abr-asbr

          OSPF Process 1 with Router ID 3.3.3.3
                  Routing Table to ABR and ASBR

 Type        Destination     Area            Cost  Nexthop         RtType
 Intra-area  1.1.1.1         0.0.0.1         1     192.168.1.1     ABR
 Inter-area  4.4.4.4         0.0.0.1         3     192.168.1.1     ASBR

# View the OSPF routing table of Router C:

[RouterC] display ospf routing

          OSPF Process 1 with Router ID 3.3.3.3
                  Routing Tables

 Routing for Network
 Destination        Cost  Type        NextHop         AdvRouter       Area
 172.16.1.0/24      1     Transit     172.16.1.1      3.3.3.3         0.0.0.1
 172.17.1.0/24      4     Inter-area  192.168.1.1     1.1.1.1         0.0.0.1
 192.168.0.0/24     2     Inter-area  192.168.1.1     1.1.1.1         0.0.0.1
 192.168.1.0/24     1     Stub        192.168.1.2     3.3.3.3         0.0.0.1
 192.168.2.0/24     3     Inter-area  192.168.1.1     1.1.1.1         0.0.0.1

 Routing for ASEs
 Destination        Cost  Type   Tag  NextHop         AdvRouter
 200.0.0.0/8        4     Type1  1    192.168.1.1     4.4.4.4

 Total Nets: 6
 Intra Area: 2  Inter Area: 3  ASE: 1  NSSA: 0

NOTE

Because Router C is in a common area, AS-external routes exist in the routing table.

Step 4 Configure Area 1 as a stub area.

# Configure Router A:

[RouterA] ospf
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] stub
[RouterA-ospf-1-area-0.0.0.1] quit

# Configure Router C:

[RouterC] ospf
[RouterC-ospf-1] area 1
[RouterC-ospf-1-area-0.0.0.1] stub
[RouterC-ospf-1-area-0.0.0.1] quit

# Configure Router E:

[RouterE] ospf
[RouterE-ospf-1] area 1
[RouterE-ospf-1-area-0.0.0.1] stub
[RouterE-ospf-1-area-0.0.0.1] quit

# View the routing table of Router C:

[RouterC] display ospf routing

          OSPF Process 1 with Router ID 3.3.3.3
                  Routing Tables

 Routing for Network
 Destination        Cost  Type        NextHop         AdvRouter       Area
 0.0.0.0/0          2     Inter-area  192.168.1.1     1.1.1.1         0.0.0.1
 172.16.1.0/24      1     Transit     172.16.1.1      3.3.3.3         0.0.0.1
 172.17.1.0/24      4     Inter-area  192.168.1.1     1.1.1.1         0.0.0.1
 192.168.0.0/24     2     Inter-area  192.168.1.1     1.1.1.1         0.0.0.1
 192.168.1.0/24     1     Stub        192.168.1.2     3.3.3.3         0.0.0.1
 192.168.2.0/24     3     Inter-area  192.168.1.1     1.1.1.1         0.0.0.1

 Total Nets: 6
 Intra Area: 2  Inter Area: 4  ASE: 0  NSSA: 0

NOTE

After you configure the area where Router C resides as a stub area, the AS-external routes are invisible. Instead, a default route exists.

# Stop Router A from advertising Type 3 LSAs to the stub area:

[RouterA] ospf
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] stub no-summary
[RouterA-ospf-1-area-0.0.0.1] quit

# View the OSPF routing table of Router C:

[RouterC] display ospf routing

          OSPF Process 1 with Router ID 3.3.3.3
                  Routing Tables

 Routing for Network
 Destination        Cost  Type        NextHop         AdvRouter       Area
 0.0.0.0/0          2     Inter-area  192.168.1.1     1.1.1.1         0.0.0.1
 172.16.1.0/24      1     Transit     172.16.1.1      3.3.3.3         0.0.0.1
 192.168.1.0/24     1     Stub        192.168.1.2     3.3.3.3         0.0.0.1

 Total Nets: 3
 Intra Area: 2  Inter Area: 1  ASE: 0  NSSA: 0

NOTE

After you stop the ABR from advertising Type 3 LSAs to the stub area, the stub router holds fewer route entries: only the default route to a destination outside the AS is retained.
----End

Configuration files

• Configuration file of Router A

#
 sysname RouterA
#
 router id 1.1.1.1
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.0.1 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 192.168.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  stub no-summary
#
return

NOTE

The configuration files of Router B and Router F are the same as those in the preceding example. This section does not provide those configuration files.

• Configuration file of Router C

#
 sysname RouterC
#
 router id 3.3.3.3
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.1 255.255.255.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.1.2 255.255.255.0
#
ospf 1
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  network 172.16.1.0 0.0.0.255
  stub
#
return

• Configuration file of Router D

#
 sysname RouterD
#
 router id 4.4.4.4
#
interface GigabitEthernet2/0/0
 ip address 172.17.1.1 255.255.255.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.2.2 255.255.255.0
#
ospf 1
 import-route static type 1
 area 0.0.0.2
  network 192.168.2.0 0.0.0.255
  network 172.17.1.0 0.0.0.255
#
 ip route-static 200.0.0.0 8 NULL0
#
return

• Configuration file of Router E

#
 sysname RouterE
#
 router id 5.5.5.5
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.2 255.255.255.0
#
ospf 1
 area 0.0.0.1
  network 172.16.1.0 0.0.0.255
  stub
#
return


5.9.3 Example of configuring an OSPF NSSA

Networking requirements

As shown in Figure 5-23, all routers run OSPF and the whole AS divides into three areas. Router A and Router B serve as ABRs to forward the routes between areas. Router D serves as the ASBR to import external routes (static routes). Configure Area 1 as the NSSA and configure Router C as the ASBR to import external routes (static routes). The routing information is transmitted inside the AS.

Figure 5-23 OSPF NSSA configuration

[Figure: topology. Area0: RouterA POS1/0/0 192.168.0.1/24 to RouterB POS1/0/0 192.168.0.2/24. Area1 (NSSA): RouterA POS2/0/0 192.168.1.1/24 to RouterC (ASBR) POS1/0/0 192.168.1.2/24; RouterC GbE2/0/0 172.16.1.1/24 to RouterE GbE2/0/0 172.16.1.2/24. Area2: RouterB POS2/0/0 192.168.2.1/24 to RouterD (ASBR) POS1/0/0 192.168.2.2/24; RouterD GbE2/0/0 172.17.1.1/24 to RouterF GbE2/0/0 172.17.1.2/24.]

Configuration roadmap

The steps in the configuration roadmap are

1. Enable OSPF on each router and configure basic OSPF functions.
2. Configure the static routing on Router D and import it into OSPF.
3. Configure Area1 as the NSSA (configure the nssa command on all routers in Area1) and check the OSPF routing information of Router C.
4. Configure the static routing on Router C, import it into OSPF, and check the OSPF routing information of Router D.

Data preparation

To complete the configuration, you need the following data:

• The router ID of Router A is 1.1.1.1. The process number of OSPF is 1. The network segment of area 0 is 192.168.0.0. The network segment of area 1 is 192.168.1.0.
• The router ID of Router B is 2.2.2.2. The process number of OSPF is 1. The network segment of area 0 is 192.168.0.0. The network segment of area 1 is 192.168.2.0.
• The router ID of Router C is 3.3.3.3. The process number of OSPF is 1. The network segment of area 1 is 192.168.1.0 and 172.16.1.0.
• The router ID of Router D is 4.4.4.4. The process number of OSPF is 1. The network segment of area 2 is 192.168.2.0 and 172.17.1.0.
• The router ID of Router E is 5.5.5.5. The process number of OSPF is 1. The network segment of area 1 is 172.16.1.0.
• The router ID of Router F is 6.6.6.6. The process number of OSPF is 1. The network segment of area 2 is 172.17.1.0.

Configuration procedure

Step 1 Configure the IP address for each interface.

Step 2 Configure basic OSPF functions (see Example of configuring OSPF stub areas).

Step 3 Configure Router D to import static routes (see Example of configuring OSPF stub areas).

Step 4 Configure Area 1 as an NSSA.

# Configure Router A:

[RouterA] ospf
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] nssa default-route-advertise no-summary
[RouterA-ospf-1-area-0.0.0.1] quit

# Configure Router C:

[RouterC] ospf
[RouterC-ospf-1] area 1
[RouterC-ospf-1-area-0.0.0.1] nssa
[RouterC-ospf-1-area-0.0.0.1] quit

# Configure Router E:

[RouterE] ospf
[RouterE-ospf-1] area 1
[RouterE-ospf-1-area-0.0.0.1] nssa
[RouterE-ospf-1-area-0.0.0.1] quit

NOTE

• Nortel recommends that you configure the ABR (Router A) with the default-route-advertise no-summary parameter to reduce the size of the routing table of the NSSA router.
• Configure other NSSA routers only with the nssa command.

# View the OSPF routing table of Router C:

[RouterC] display ospf routing

          OSPF Process 1 with Router ID 3.3.3.3
                  Routing Tables

 Routing for Network
 Destination        Cost  Type        NextHop         AdvRouter       Area
 0.0.0.0/0          2     Inter-area  192.168.1.1     1.1.1.1         0.0.0.1
 172.16.1.0/24      1     Transit     172.16.1.1      3.3.3.3         0.0.0.1
 192.168.1.0/24     1     Stub        192.168.1.2     3.3.3.3         0.0.0.1

 Total Nets: 3
 Intra Area: 2  Inter Area: 1  ASE: 0  NSSA: 0

Step 5 Configure Router C to import static routes:

[RouterC] ip route-static 100.0.0.0 8 null 0
[RouterC] ospf
[RouterC-ospf-1] import-route static
[RouterC-ospf-1] quit

Step 6 Verify the configuration.

# View the OSPF routing table of Router D:

[RouterD-ospf-1] display ospf routing

          OSPF Process 1 with Router ID 4.4.4.4
                  Routing Tables

 Routing for Network
 Destination        Cost  Type        NextHop         AdvRouter       Area
 172.16.1.0/24      4     Inter-area  192.168.2.1     2.2.2.2         0.0.0.2
 172.17.1.0/24      1     Transit     172.17.1.1      4.4.4.4         0.0.0.2
 192.168.0.0/24     2     Inter-area  192.168.2.1     2.2.2.2         0.0.0.2
 192.168.1.0/24     3     Inter-area  192.168.2.1     2.2.2.2         0.0.0.2
 192.168.2.0/24     1     Stub        192.168.2.2     4.4.4.4         0.0.0.2

 Routing for ASEs
 Destination        Cost  Type   Tag  NextHop         AdvRouter
 100.0.0.0/8        1     Type2  1    192.168.2.1     1.1.1.1

 Total Nets: 6
 Intra Area: 2  Inter Area: 3  ASE: 1  NSSA: 0

NOTE

You can see an AS external route imported by the NSSA on Router D.
----End
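The stub and NSSA examples both rely on every router in Area 1 carrying the same area type (the NSSA roadmap has you run the nssa command on all routers in Area1). The following Python check is an added example, not part of the Nortel guide: it parses configuration files in the layout used in this section and reports areas whose routers disagree. The Router A, C and E inputs are abbreviated from the stub example; ROUTER_E_DRIFT and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Abbreviated from the stub-area example's configuration files.
ROUTER_A = """
#
 sysname RouterA
#
interface Pos2/0/0
 link-protocol ppp
 ip address 192.168.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  stub no-summary
#
return
"""
ROUTER_C = """
#
 sysname RouterC
#
ospf 1
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  network 172.16.1.0 0.0.0.255
  stub
#
return
"""
ROUTER_E = """
#
 sysname RouterE
#
ospf 1
 area 0.0.0.1
  network 172.16.1.0 0.0.0.255
  stub
#
return
"""
# Constructed drift case: Router E saved without the stub command.
ROUTER_E_DRIFT = ROUTER_E.replace("  stub\n", "")


def normalize_area(area_id):
    """'1' and '0.0.0.1' name the same area; return the dotted form."""
    if area_id.isdigit():
        return str(ipaddress.IPv4Address(int(area_id)))
    return str(ipaddress.IPv4Address(area_id))


def parse_ospf_areas(config_text):
    """Return (sysname, {area: {"type", "options", "networks"}}) for one file."""
    sysname, areas, in_ospf, current = None, {}, False, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] in ("#", "return"):          # '#' closes the current block
            in_ospf, current = False, None
        elif words[0] == "sysname" and len(words) == 2:
            sysname = words[1]
        elif re.fullmatch(r"ospf( \d+)?", " ".join(words)):
            in_ospf, current = True, None        # not "ospf dr-priority ..."
        elif in_ospf and words[0] == "area" and len(words) == 2:
            current = areas.setdefault(
                normalize_area(words[1]),
                {"type": "normal", "options": set(), "networks": []})
        elif current is not None and words[0] == "network" and len(words) == 3:
            current["networks"].append((words[1], words[2]))
        elif current is not None and words[0] in ("stub", "nssa"):
            current["type"] = words[0]
            current["options"].update(words[1:])  # e.g. no-summary on the ABR
    return sysname, areas


def audit(configs):
    """Report areas whose routers disagree on normal/stub/nssa.

    Options such as no-summary are ignored here because only the ABR
    carries them in the examples; the area type itself must match.
    """
    seen, findings = defaultdict(dict), []
    for text in configs:
        name, areas = parse_ospf_areas(text)
        for area_id, info in areas.items():
            seen[area_id][name] = info["type"]
            if area_id == "0.0.0.0" and info["type"] != "normal":
                findings.append(f"{name}: backbone area configured as {info['type']}")
    for area_id, by_router in sorted(seen.items()):
        if len(set(by_router.values())) > 1:
            detail = ", ".join(f"{r}={t}" for r, t in sorted(by_router.items()))
            findings.append(f"area {area_id}: area type differs ({detail})")
    return findings


if __name__ == "__main__":
    print(audit([ROUTER_A, ROUTER_C, ROUTER_E]))
    print(audit([ROUTER_A, ROUTER_C, ROUTER_E_DRIFT]))
```

Run it against the saved configuration of every router in an area before and after changing the area type; an empty list means the routers agree.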

Configuration files

• Configuration file of Router A

#
 sysname RouterA
#
 router id 1.1.1.1
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.0.1 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 192.168.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  nssa default-route-advertise no-summary
#
return

NOTE

The configuration files of Router B, Router D, and Router F are the same as those in the preceding example.

• Configuration file of Router C

#
 sysname RouterC
#
 router id 3.3.3.3
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.1 255.255.255.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.1.2 255.255.255.0
#
ospf 1
 import-route static
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  network 172.16.1.0 0.0.0.255
  nssa
#
 ip route-static 100.0.0.0 8 NULL0
#
return

• Configuration file of Router E

#
 sysname RouterE
#
 router id 5.5.5.5
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.2 255.255.255.0
#
ospf 1
 area 0.0.0.1
  network 172.16.1.0 0.0.0.255
  nssa
#
return

5.9.4 Example of configuring DR election of OSPF

Networking requirements

As shown in Figure 5-24, Router A uses the highest priority (100) in the network and other routers elect it as the DR. Router C uses the second highest priority and other routers elect it as the BDR. The priority of Router B is 0. Other routers cannot elect Router B as the DR or BDR. Router D has no configured priority, so it uses the default value of 1.

Figure 5-24 DR election of OSPF configuration

[Figure: topology. Four routers share one broadcast segment: RouterA GbE1/0/0 192.168.1.1/24, RouterB GbE1/0/0 192.168.1.2/24, RouterC GbE1/0/0 192.168.1.3/24, RouterD GbE1/0/0 192.168.1.4/24.]

Configuration roadmap

The steps in the configuration roadmap are

1. Configure the router ID on each router, enable OSPF, and specify the network segment.
2. Check the DR and BDR state of each router with the default priorities.
3. Configure the DR priority of the interface and check the DR and BDR state.

Data preparation

To complete the configuration, you need the following data:

• The router ID of Router A is 1.1.1.1 and the DR priority is 100.
• The router ID of Router B is 2.2.2.2 and the DR priority is 0.
• The router ID of Router C is 3.3.3.3 and the DR priority is 2.
• The router ID of Router D is 4.4.4.4 and the DR priority is 1.

Configuration procedure

Step 1 Configure IP addresses for each interface.

Step 2 Configure basic OSPF functions.

# Configure Router A:

[RouterA] router id 1.1.1.1
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

# Configure Router B:

[RouterB] router id 2.2.2.2
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

# Configure Router C:

[RouterC] router id 3.3.3.3
[RouterC] ospf
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

# Configure Router D:

[RouterD] router id 4.4.4.4
[RouterD] ospf
[RouterD-ospf-1] area 0
[RouterD-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255

# View the DR and BDR state:

[RouterA] display ospf peer

          OSPF Process 1 with Router ID 1.1.1.1
                  Neighbors

 Area 0.0.0.0 interface 192.168.1.1(Ethernet1/0/0)'s neighbors
 Router ID: 2.2.2.2          Address: 192.168.1.2        GR State: Normal
   State: 2-Way  Mode:Nbr is Master  Priority: 1
   DR: 192.168.1.4  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 32 sec
   Neighbor is up for 00:04:21
   Authentication Sequence: [ 0 ]

 Router ID: 3.3.3.3          Address: 192.168.1.3        GR State: Normal
   State: Full  Mode:Nbr is Master  Priority: 1
   DR: 192.168.1.4  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 37 sec
   Neighbor is up for 00:04:06
   Authentication Sequence: [ 0 ]

 Router ID: 4.4.4.4          Address: 192.168.1.4        GR State: Normal
   State: Full  Mode:Nbr is Master  Priority: 1
   DR: 192.168.1.4  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 37 sec
   Neighbor is up for 00:03:53
   Authentication Sequence: [ 0 ]

# Check the neighbor information of Router A. You can see the priority of DR and the neighbor status. Router D is the DR and Router C is the BDR.

NOTE

When the priority is the same, the router with the higher router ID becomes the DR. If an Ethernet interface of the router becomes the DR, the other broadcast interfaces of the router are more likely to become DRs in future DR selection. The router that is already the DR is chosen as the DR; the DR cannot be preempted.

Step 3 Configure DR priorities on the interfaces.

# Configure Router A:

[RouterA] interface GigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ospf dr-priority 100
[RouterA-GigabitEthernet1/0/0] quit

# Configure Router B:

[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ospf dr-priority 0
[RouterB-GigabitEthernet1/0/0] quit

# Configure Router C:

[RouterC] interface GigabitEthernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ospf dr-priority 2
[RouterC-GigabitEthernet1/0/0] quit

# View the DR and BDR state:

[RouterD] display ospf peer

          OSPF Process 1 with Router ID 4.4.4.4
                  Neighbors

 Area 0.0.0.0 interface 192.168.1.4(GigabitEthernet1/0/0)'s neighbors
 Router ID: 1.1.1.1          Address: 192.168.1.1        GR State: Normal
   State: Full  Mode:Nbr is Slave  Priority: 100
   DR: 192.168.1.4  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 31 sec
   Neighbor is up for 00:11:17
   Authentication Sequence: [ 0 ]

 Router ID: 2.2.2.2          Address: 192.168.1.2        GR State: Normal
   State: Full  Mode:Nbr is Slave  Priority: 0
   DR: 192.168.1.4  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 35 sec
   Neighbor is up for 00:11:19
   Authentication Sequence: [ 0 ]

 Router ID: 3.3.3.3          Address: 192.168.1.3        GR State: Normal
   State: Full  Mode:Nbr is Slave  Priority: 2
   DR: 192.168.1.4  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 33 sec
   Neighbor is up for 00:11:15
   Authentication Sequence: [ 0 ]

NOTE

The DR priorities you configure on the interfaces do not take effect instantly.

Step 4 Restart OSPF processes.

In the user view of each router, run the reset ospf 1 process command to restart the OSPF process.

Step 5 View the configuration.

# View the status of OSPF neighbors:

[RouterD] display ospf peer

          OSPF Process 1 with Router ID 4.4.4.4
                  Neighbors

 Area 0.0.0.0 interface 192.168.1.4(GigabitEthernet1/0/0)'s neighbors
 Router ID: 1.1.1.1          Address: 192.168.1.1        GR State: Normal
   State: Full  Mode:Nbr is Slave  Priority: 100
   DR: 192.168.1.1  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 35 sec
   Neighbor is up for 00:07:19
   Authentication Sequence: [ 0 ]

 Router ID: 2.2.2.2          Address: 192.168.1.2        GR State: Normal
   State: 2-Way  Mode:Nbr is Master  Priority: 0
   DR: 192.168.1.1  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 35 sec
   Neighbor is up for 00:07:19
   Authentication Sequence: [ 0 ]

 Router ID: 3.3.3.3          Address: 192.168.1.3        GR State: Normal
   State: Full  Mode:Nbr is Slave  Priority: 2
   DR: 192.168.1.1  BDR: 192.168.1.3  MTU: 0
   Dead timer due in 37 sec
   Neighbor is up for 00:07:17
   Authentication Sequence: [ 0 ]

# View the status of the OSPF interface:

[RouterA] display ospf interface

          OSPF Process 1 with Router ID 1.1.1.1
                  Interfaces

 Area: 0.0.0.0
 IP Address      Type       State    Cost  Pri  DR           BDR
 192.168.1.1     Broadcast  DR       1     100  192.168.1.1  192.168.1.3

[RouterB] display ospf interface

          OSPF Process 1 with Router ID 2.2.2.2
                  Interfaces

 Area: 0.0.0.0
 IP Address      Type       State    Cost  Pri  DR           BDR
 192.168.1.2     Broadcast  DROther  1     0    192.168.1.1  192.168.1.3

All neighbors are in the Full state. This state indicates that Router A establishes neighbor relationships with all its neighbors. If the neighbor state is 2-Way, it indicates that neither router is the DR or BDR. Those routers do not need to exchange LSAs. All other neighbors are DR Others. This state indicates that they are neither DR nor BDR.
----End
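The three DR/BDR results in this example (default priorities, priorities changed but OSPF not restarted, and after reset ospf 1 process) follow from the election rules in the notes above. The following Python model is an added example, not part of the Nortel guide or the router's implementation: it is a simplified form of the OSPF election in which all routers on the segment see the same DR/BDR declarations, and the names Router, rank, elect and page_scenario are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    name: str
    router_id: str
    priority: int = 1  # ospf dr-priority; default 1, 0 = never DR or BDR


def rank(router):
    """Higher priority wins; the numerically higher router ID breaks ties."""
    return (router.priority, int(ipaddress.IPv4Address(router.router_id)))


def elect(routers, dr=None, bdr=None):
    """Return (dr, bdr) names given the roles currently declared on the segment.

    Simplifying assumption: every router has the same view of who declares
    itself DR and BDR, so one calculation stands for the whole segment.
    """
    eligible = {r.name: r for r in routers if r.priority > 0}
    # Declarations from routers that are not eligible are ignored.
    if dr not in eligible:
        dr = None
    if bdr not in eligible or bdr == dr:
        bdr = None

    def best(exclude):
        pool = [r for name, r in eligible.items() if name not in exclude]
        return max(pool, key=rank).name if pool else None

    # A declared DR keeps the role (no preemption). With no DR declared,
    # the BDR is promoted, or the best eligible router if there is no BDR.
    if dr is None:
        dr = bdr if bdr is not None else best(set())
        bdr = None
    # A declared BDR keeps the role; otherwise pick the best remaining router.
    if bdr is None:
        bdr = best({dr})
    return dr, bdr


def page_scenario():
    """Replay the three stages of the DR election example."""
    defaults = [Router("RouterA", "1.1.1.1"), Router("RouterB", "2.2.2.2"),
                Router("RouterC", "3.3.3.3"), Router("RouterD", "4.4.4.4")]
    configured = [Router("RouterA", "1.1.1.1", 100), Router("RouterB", "2.2.2.2", 0),
                  Router("RouterC", "3.3.3.3", 2), Router("RouterD", "4.4.4.4", 1)]
    first = elect(defaults)                       # Step 2: default priorities
    after_change = elect(configured, *first)      # Step 3: roles already held
    after_reset = elect(configured)               # Steps 4-5: fresh election
    return first, after_change, after_reset


if __name__ == "__main__":
    for stage, result in zip(("defaults", "priorities changed", "after reset"),
                             page_scenario()):
        print(f"{stage}: DR={result[0]} BDR={result[1]}")
```

Because a declared DR keeps its role, a priority change on a live segment only takes effect at the next fresh election, which is why the example restarts the OSPF processes in Step 4.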

Configuration files

• Configuration file of Router A

#
 sysname RouterA
#
 router id 1.1.1.1
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.1 255.255.255.0
 ospf dr-priority 100
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
return

• Configuration file of Router B

#
 sysname RouterB
#
 router id 2.2.2.2
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.2 255.255.255.0
 ospf dr-priority 0
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
return

• Configuration file of Router C

#
 sysname RouterC
#
 router id 3.3.3.3
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.3 255.255.255.0
 ospf dr-priority 2
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
return

• Configuration file of Router D

#
 sysname RouterD
#
 router id 4.4.4.4
#
interface GigabitEthernet1/0/0
 ip address 192.168.1.4 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
return

5.9.5 Example of configuring OSPF virtual links

Networking requirements

As shown in Figure 5-25, Area2 does not connect with the backbone area directly. Area1 serves as a transit area to connect Area2 and Area0. A virtual link connects Router A and Router B.

Figure 5-25 OSPF virtual link configuration

[Figure: Router A (POS1/0/0 192.168.1.1/24) and Router B (POS1/0/0 192.168.1.2/24) connect across Area1, with a virtual link between them. Router A GbE2/0/0 10.1.1.1/8 connects to Router C GbE2/0/0 10.1.1.2/8 in Area0. Router B GbE2/0/0 172.16.1.1/16 connects to Router D GbE2/0/0 172.16.1.2/16 in Area2.]

Configuration roadmap

The steps in the configuration roadmap are:

1. Configure the OSPF basic function on each router.
2. Configure the virtual connections on Router A and Router B to connect the backbone area with the nonbackbone area.

Data preparation

To complete the configuration, you need the following data:

• The router ID of Router A is 1.1.1.1. The process number of OSPF is 1. The network segment of Area 1 is 192.168.1.0. The network segment of Area 0 is 10.0.0.0.
• The router ID of Router B is 2.2.2.2. The process number of OSPF is 1. The network segment of Area 1 is 192.168.1.0. The network segment of Area 2 is 172.16.0.0.
• The router ID of Router C is 3.3.3.3. The process number of OSPF is 1. The network segment of Area 0 is 10.0.0.0.
• The router ID of Router D is 4.4.4.4. The process number of OSPF is 1. The network segment of Area 2 is 172.16.0.0.

Configuration procedure

Step 1 Configure the IP addresses for each interface.

Step 2 Configure basic OSPF functions.

# Configure Router A:

[RouterA] ospf 1 router-id 1.1.1.1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.0.0.0 0.255.255.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.1] quit

# Configure Router B:

[RouterB] ospf 1 router-id 2.2.2.2
[RouterB-ospf-1] area 1
[RouterB-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.1] quit
[RouterB-ospf-1] area 2
[RouterB-ospf-1-area-0.0.0.2] network 172.16.0.0 0.0.255.255
[RouterB-ospf-1-area-0.0.0.2] quit

# Configure Router C:

[RouterC] ospf 1 router-id 3.3.3.3
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 10.0.0.0 0.255.255.255
[RouterC-ospf-1-area-0.0.0.0] quit

# Configure Router D:

[RouterD] ospf 1 router-id 4.4.4.4
[RouterD-ospf-1] area 2
[RouterD-ospf-1-area-0.0.0.2] network 172.16.1.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.2] quit

# View the OSPF routing table of Router A:

[RouterA] display ospf routing

OSPF Process 1 with Router ID 1.1.1.1
Routing Tables

Routing for Network
Destination      Cost  Type     NextHop      AdvRouter  Area
10.0.0.0/8       1     Transit  10.1.1.1     1.1.1.1    0.0.0.0
192.168.1.0/24   1     Transit  192.168.1.1  1.1.1.1    0.0.0.1

Total Nets: 2
Intra Area: 2  Inter Area: 0  ASE: 0  NSSA: 0

NOTE

Area2 does not connect directly to Area0. No Area2 routes appear in the routing table of Router A.

Step 3 Configure the virtual link.

# Configure Router A:

[RouterA] ospf
[RouterA-ospf-1] area 1
[RouterA-ospf-1-area-0.0.0.1] vlink-peer 2.2.2.2
[RouterA-ospf-1-area-0.0.0.1] quit

# Configure Router B:

[RouterB] ospf 1
[RouterB-ospf-1] area 1
[RouterB-ospf-1-area-0.0.0.1] vlink-peer 1.1.1.1
[RouterB-ospf-1-area-0.0.0.1] quit

Step 4 Verify the configuration.

# View the OSPF routing table of Router A:

[RouterA] display ospf routing

OSPF Process 1 with Router ID 1.1.1.1
Routing Tables

Routing for Network
Destination      Cost  Type        NextHop      AdvRouter  Area
172.16.0.0/16    2     Inter-area  192.168.1.2  2.2.2.2    0.0.0.0
10.0.0.0/8       1     Transit     10.1.1.1     1.1.1.1    0.0.0.0
192.168.1.0/24   1     Transit     192.168.1.1  1.1.1.1    0.0.0.1

Total Nets: 3
Intra Area: 2  Inter Area: 1  ASE: 0  NSSA: 0

----End
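A virtual link comes up only when both endpoints name each other's router ID under the same transit area, as Step 3 does. The following check is an added example, not part of the Nortel documentation: it reads OSPF sections in the form used by this example's configuration files (dotted area IDs) and reports any vlink-peer statement that is not mirrored. The function names and the faulty Router B variant are constructed for illustration.

```python
import re

# Transcribed from the Router A and Router B configuration files of this example.
ROUTER_A = """\
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  vlink-peer 2.2.2.2
#
"""
ROUTER_B = """\
ospf 1 router-id 2.2.2.2
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  vlink-peer 1.1.1.1
 area 0.0.0.2
  network 172.16.0.0 0.0.255.255
#
"""
# Constructed faulty variant: the peer statement sits under Area 2 instead of
# the transit area, so the link is defined on one side only.
ROUTER_B_MISPLACED = """\
ospf 1 router-id 2.2.2.2
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
 area 0.0.0.2
  network 172.16.0.0 0.0.255.255
  vlink-peer 1.1.1.1
#
"""

BACKBONE = "0.0.0.0"


def parse_ospf(config):
    """Return (router_id, {area_id: {"networks": [...], "vlink_peers": [...]}})."""
    router_id, areas, current = None, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"ospf \d+ router-id (\S+)$", line)
        if match:
            router_id = match.group(1)
        elif line.startswith("area "):
            current = areas.setdefault(line.split()[1],
                                       {"networks": [], "vlink_peers": []})
        elif line.startswith("network ") and current is not None:
            current["networks"].append(line.split()[1])
        elif line.startswith("vlink-peer ") and current is not None:
            current["vlink_peers"].append(line.split()[1])
        elif line == "#":
            current = None  # end of the OSPF section
    return router_id, areas


def audit_vlinks(configs):
    """Return sorted findings; an empty list means every virtual link is mirrored."""
    routers = dict(parse_ospf(text) for text in configs)
    findings = []
    for rid, areas in routers.items():
        for area, body in areas.items():
            for peer in body["vlink_peers"]:
                if area == BACKBONE:
                    findings.append(
                        f"{rid}: vlink-peer {peer} is under the backbone area")
                peer_areas = routers.get(peer)
                if peer_areas is None:
                    findings.append(
                        f"{rid}: peer {peer} has no configuration in this set")
                    continue
                mirrored = peer_areas.get(area, {"vlink_peers": []})["vlink_peers"]
                if rid not in mirrored:
                    findings.append(
                        f"{rid}: peer {peer} has no vlink-peer {rid} in area {area}")
    return sorted(findings)


if __name__ == "__main__":
    print(audit_vlinks([ROUTER_A, ROUTER_B]))
    for finding in audit_vlinks([ROUTER_A, ROUTER_B_MISPLACED]):
        print(finding)
```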

Configuration files

• Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet2/0/0
 ip address 10.1.1.1 255.0.0.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.1.1 255.255.255.0
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  vlink-peer 2.2.2.2
#
return

• Configuration file of Router B

#
 sysname RouterB
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.1 255.255.0.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.1.2 255.255.255.0
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
  vlink-peer 1.1.1.1
 area 0.0.0.2
  network 172.16.0.0 0.0.255.255
#
return

• Configuration file of Router C

#
 sysname RouterC
#
interface GigabitEthernet2/0/0
 ip address 10.1.1.2 255.0.0.0
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
#
return

• Configuration file of Router D

#
 sysname RouterD
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.2 255.255.0.0
#
ospf 1 router-id 4.4.4.4
 area 0.0.0.2
  network 172.16.0.0 0.0.255.255
#
return

5.9.6 Example of configuring OSPF load balancing

Networking requirements

Figure 5-26 shows the following network requirements:

• Router A, Router B, Router C, and Router D connect to each other through OSPF.
• Router A, Router B, Router C, and Router D belong to Area 0.
• Load balancing exists between Router B and Router C. The traffic of Router A is sent to Router D by Router B and Router C.

Figure 5-26 OSPF load balancing configuration

[Figure: Router A, Router B, Router C, and Router D in Area0. Router A connects to Router B and Router C through POS links, and Router B and Router C each connect to Router D through POS links.]

Router   Interface  IP Address
RouterA  GbE3/0/0   172.16.1.1/24
RouterA  POS1/0/0   10.1.1.1/24
RouterA  POS2/0/0   10.1.2.1/24
RouterB  POS1/0/0   10.1.1.2/24
RouterB  POS2/0/0   192.168.0.1/24
RouterC  POS1/0/0   10.1.2.2/24
RouterC  POS2/0/0   192.168.1.1/24
RouterD  GbE3/0/0   172.17.1.1/24
RouterD  POS1/0/0   192.168.0.2/24
RouterD  POS2/0/0   192.168.1.2/24

Configuration roadmap

The steps in the configuration roadmap are:

1. Enable basic OSPF functions on each router.
2. Cancel the load balancing and check the information on the routing table.
3. Configure the load balancing mode on Router A.
4. Configure the preference for the equal-cost routes on Router A (optional).

Data preparation

To configure OSPF load balancing, you need the following data:

• The data about the four routers:
  − For Router A, the router ID is 1.1.1.1, the OSPF process number is 1, and the network segment of Area 0 is 10.1.0.0.
  − For Router B, the router ID is 2.2.2.2, the OSPF process number is 1, and the network segments of Area 0 are 10.1.0.0 and 192.168.0.0.
  − For Router C, the router ID is 3.3.3.3, the OSPF process number is 1, and the network segments of Area 0 are 10.1.0.0 and 192.168.1.0.
  − For Router D, the router ID is 4.4.4.4, the OSPF process number is 1, and the network segments of Area 0 are 192.168.0.0 and 192.168.1.0.
• The number of load balancing paths on Router A is 1.
• The load balancing mode on Router A: packet-by-packet load balancing or session-by-session load balancing.
• The preference value of Router C is 1.

Configuration procedure

Step 1 Configure the IP addresses for each interface.

Step 2 Configure basic OSPF functions. (See Example of configuring basic OSPF functions.)

Step 3 Cancel the load balancing on Router A:

[RouterA] ospf
[RouterA-ospf-1] maximum load-balancing 1

# Check the routing table of Router A:

[RouterA] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7  Routes : 7

Destination/Mask   Proto   Pre  Cost  Flags  NextHop    Interface
10.1.1.0/24        Direct  0    0     D      10.1.1.1   Pos1/0/0
10.1.1.2/32        Direct  0    0     D      10.1.1.2   Pos1/0/0
10.1.2.0/24        Direct  0    0     D      10.1.2.1   Pos2/0/0
10.1.2.2/32        Direct  0    0     D      10.1.2.2   Pos2/0/0
172.17.1.0/24      OSPF    10   3125  D      10.1.1.2   Pos1/0/0
192.168.0.0/24     OSPF    10   3124  D      10.1.1.2   Pos1/0/0
192.168.1.0/24     OSPF    10   3124  D      10.1.2.2   Pos2/0/0

As shown in the routing table, when the maximum number of equal-cost routes is 1, the next hop to the destination network segment 172.17.1.0 is 10.1.1.2.

NOTE

In the preceding example, 10.1.1.2 is the optimal next hop because OSPF selects the next hop of the equal-cost route randomly.

Step 4 Restore the default number of load balancing paths on Router A:

[RouterA] ospf
[RouterA-ospf-1] undo maximum load-balancing

# Check the routing table of Router A:

[RouterA] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7  Routes : 8

Destination/Mask   Proto   Pre  Cost  Flags  NextHop    Interface
10.1.1.0/24        Direct  0    0     D      10.1.1.1   Pos1/0/0
10.1.1.2/32        Direct  0    0     D      10.1.1.2   Pos1/0/0
10.1.2.0/24        Direct  0    0     D      10.1.2.1   Pos2/0/0
10.1.2.2/32        Direct  0    0     D      10.1.2.2   Pos2/0/0
172.17.1.0/24      OSPF    10   3125  D      10.1.1.2   Pos1/0/0
                   OSPF    10   3125  D      10.1.2.2   Pos2/0/0
192.168.0.0/24     OSPF    10   3124  D      10.1.1.2   Pos1/0/0
192.168.1.0/24     OSPF    10   3124  D      10.1.2.2   Pos2/0/0

As shown in the routing table, when you restore the default number of load balancing paths, both next hops of Router A, 10.1.1.2 (Router B) and 10.1.2.2 (Router C), become valid routes. This occurs because the default number of equal-cost routes is 6.

NOTE

For different products and different protocols, the maximum number of equal-cost routes is different. You can purchase licenses to adjust the maximum value.

Step 5 Configure the load balancing mode for Router A.

Load balancing supports two modes: packet-by-packet load balancing and session-by-session load balancing.

# Packet-by-packet load balancing:

[RouterA] load-balance packet

# Check the configuration:

[RouterA] acl 3000
[RouterA-acl-adv-3000] rule permit icmp destination 172.17.1.1 0
[RouterA-acl-adv-3000] quit
[RouterA] quit
debugging ip packet acl 3000
terminal debugging
terminal monitor
ping 172.17.1.1
PING 172.17.1.1: 56 data bytes, press CTRL_C to break
*0.10792570 RouterA IP/8/debug_case:
Sending, interface = pos1/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 1194, offset = 0, ttl = 255, protocol = 1,
checksum = 65258, s = 10.1.1.1, d = 172.17.1.1
prompt: Sending the packet from local at pos1/0/0

Reply from 172.17.1.1: bytes=56 Sequence=1 ttl=254 time=30 ms
*0.10793100 RouterA IP/8/debug_case:
Sending, interface = pos2/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 1195, offset = 0, ttl = 255, protocol = 1,
checksum = 65001, s = 10.1.2.1, d = 172.17.1.1
prompt: Sending the packet from local at pos2/0/0

Reply from 172.17.1.1: bytes=56 Sequence=2 ttl=254 time=50 ms
*0.10793600 RouterA IP/8/debug_case:
Sending, interface = pos1/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 1196, offset = 0, ttl = 255, protocol = 1,
checksum = 65256, s = 10.1.1.1, d = 172.17.1.1
prompt: Sending the packet from local at pos1/0/0

Reply from 172.17.1.1: bytes=56 Sequence=3 ttl=254 time=40 ms
*0.10794140 RouterA IP/8/debug_case:
Sending, interface = pos2/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 1197, offset = 0, ttl = 255, protocol = 1,
checksum = 64999, s = 10.1.2.1, d = 172.17.1.1
prompt: Sending the packet from local at pos2/0/0

Reply from 172.17.1.1: bytes=56 Sequence=4 ttl=254 time=30 ms
*0.10794670 RouterA IP/8/debug_case:
Sending, interface = pos1/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 1198, offset = 0, ttl = 255, protocol = 1,
checksum = 65254, s = 10.1.1.1, d = 172.17.1.1
prompt: Sending the packet from local at pos1/0/0

Reply from 172.17.1.1: bytes=56 Sequence=5 ttl=254 time=40 ms

--- 172.17.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/38/50 ms

As shown in the preceding debugging information, packets that target 172.17.1.1 transmit alternately from POS 1/0/0 and POS 2/0/0 of Router A. This is the packet-by-packet load balancing.

# Session-by-session load balancing:

[RouterA] load-balance flow

Session-by-session load balancing is the default.

# Check the configuration:

[RouterA] acl 3000
[RouterA-acl-adv-3000] rule permit icmp destination 172.17.1.1 0
[RouterA-acl-adv-3000] quit
[RouterA] quit
debugging ip packet acl 3000
terminal debugging
terminal monitor
ping 172.17.1.1
PING 172.17.1.1: 56 data bytes, press CTRL_C to break
*0.11319030 RouterA IP/8/debug_case:
Sending, interface = pos1/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 1320, offset = 0, ttl = 255, protocol = 1,
checksum = 65132, s = 10.1.1.1, d = 172.17.1.1
prompt: Sending the packet from local at pos1/0/0

Reply from 172.17.1.1: bytes=56 Sequence=1 ttl=254 time=90 ms
*0.11319500 RouterA IP/8/debug_case:
Sending, interface = pos1/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 1321, offset = 0, ttl = 255, protocol = 1,
checksum = 65131, s = 10.1.1.1, d = 172.17.1.1
prompt: Sending the packet from local at pos1/0/0

Reply from 172.17.1.1: bytes=56 Sequence=2 ttl=254 time=30 ms
*0.11320000 RouterA IP/8/debug_case:
Sending, interface = pos1/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 1322, offset = 0, ttl = 255, protocol = 1,
checksum = 65130, s = 10.1.1.1, d = 172.17.1.1
prompt: Sending the packet from local at pos1/0/0

Reply from 172.17.1.1: bytes=56 Sequence=3 ttl=254 time=40 ms
*0.11320530 RouterA IP/8/debug_case:
Sending, interface = pos1/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 1324, offset = 0, ttl = 255, protocol = 1,
checksum = 65128, s = 10.1.1.1, d = 172.17.1.1
prompt: Sending the packet from local at pos1/0/0

Reply from 172.17.1.1: bytes=56 Sequence=4 ttl=254 time=40 ms
*0.11321070 RouterA IP/8/debug_case:
Sending, interface = pos1/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 1325, offset = 0, ttl = 255, protocol = 1,
checksum = 65127, s = 10.1.1.1, d = 172.17.1.1
prompt: Sending the packet from local at pos1/0/0

Reply from 172.17.1.1: bytes=56 Sequence=5 ttl=254 time=80 ms

--- 172.17.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 30/56/90 ms

As shown in the preceding debugging information, packets that target 172.17.1.1 transmit through POS1/0/0 of Router A. This is the session-by-session load balancing.

NOTE

In session-by-session load balancing, a router always chooses the previous path to send packets to the same destination. The packets that target the same destination transmit through POS1/0/0, so session-by-session load balancing also chooses POS1/0/0 to send packets.

Step 6 Set the preference of equal-cost routes on Router A. (This step is optional.)

If you do not want to perform load balancing between Router B and Router C, configure the preference of equal-cost routes and specify the next hop:

[RouterA] ospf
[RouterA-ospf-1] nexthop 10.1.2.2 weight 1

# Check the routing table of Router A:

[RouterA] display ip routing-table
Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7  Routes : 7

Destination/Mask   Proto   Pre  Cost  Flags  NextHop    Interface
10.1.1.0/24        Direct  0    0     D      10.1.1.1   Pos1/0/0
10.1.1.2/32        Direct  0    0     D      10.1.1.2   Pos1/0/0
10.1.2.0/24        Direct  0    0     D      10.1.2.1   Pos2/0/0
10.1.2.2/32        Direct  0    0     D      10.1.2.2   Pos2/0/0
172.17.1.0/24      OSPF    10   3125  D      10.1.2.2   Pos2/0/0
192.168.0.0/24     OSPF    10   3124  D      10.1.1.2   Pos1/0/0
192.168.1.0/24     OSPF    10   3124  D      10.1.2.2   Pos2/0/0

As shown in the display, after you configure the preference of the equal-cost routes, OSPF chooses the next hop 10.1.2.2 as the unique optimal route because the preference of the next hop 10.1.2.2 (Router C) is higher than that of the next hop 10.1.1.2 (Router B).

----End
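The two captures in Step 5 can be told apart mechanically by grouping the debugging records by destination and looking at the egress interface of each packet. The following script is an added example, not part of the Nortel documentation: the record template reproduces the debug_case format shown above, the field values are transcribed from the two captures, and the function names and the "flow"/"packet" result labels (chosen to mirror the load-balance keywords) are assumptions of this example.

```python
import re
from collections import defaultdict

# One debugging record in the format shown in Step 5.
TEMPLATE = (
    "*0.{ts} RouterA IP/8/debug_case: Sending, interface = {iface}, version = 4, "
    "headlen = 20, tos = 0, pktlen = 84, pktid = {pktid}, offset = 0, ttl = 255, "
    "protocol = 1, checksum = {csum}, s = {src}, d = 172.17.1.1\n"
    "prompt: Sending the packet from local at {iface}\n"
)


def _capture(rows):
    """Build capture text from (timestamp, interface, pktid, checksum, source) rows."""
    return "".join(
        TEMPLATE.format(ts=ts, iface=iface, pktid=pktid, csum=csum, src=src)
        for ts, iface, pktid, csum, src in rows
    )


# Values transcribed from the packet-by-packet capture.
PACKET_MODE_CAPTURE = _capture([
    ("10792570", "pos1/0/0", 1194, 65258, "10.1.1.1"),
    ("10793100", "pos2/0/0", 1195, 65001, "10.1.2.1"),
    ("10793600", "pos1/0/0", 1196, 65256, "10.1.1.1"),
    ("10794140", "pos2/0/0", 1197, 64999, "10.1.2.1"),
    ("10794670", "pos1/0/0", 1198, 65254, "10.1.1.1"),
])
# Values transcribed from the session-by-session capture.
FLOW_MODE_CAPTURE = _capture([
    ("11319030", "pos1/0/0", 1320, 65132, "10.1.1.1"),
    ("11319500", "pos1/0/0", 1321, 65131, "10.1.1.1"),
    ("11320000", "pos1/0/0", 1322, 65130, "10.1.1.1"),
    ("11320530", "pos1/0/0", 1324, 65128, "10.1.1.1"),
    ("11321070", "pos1/0/0", 1325, 65127, "10.1.1.1"),
])

# Matches a record whether it sits on one line or is wrapped over several.
RECORD = re.compile(
    r"Sending, interface = ([^,\s]+),.*?\bs = ([\d.]+), d = ([\d.]+)", re.S)


def classify_load_balancing(debug_text):
    """Return {destination: {"mode", "interfaces", "sources"}} for a capture."""
    per_dst = defaultdict(lambda: {"interfaces": [], "sources": set()})
    for iface, src, dst in RECORD.findall(debug_text):
        per_dst[dst]["interfaces"].append(iface.lower())
        per_dst[dst]["sources"].add(src)
    report = {}
    for dst, seen in per_dst.items():
        ifaces = seen["interfaces"]
        if len(ifaces) < 2:
            mode = "undetermined"      # one packet cannot show a pattern
        elif len(set(ifaces)) == 1:
            mode = "flow"              # every packet left through the same interface
        else:
            mode = "packet"            # packets to one destination used several paths
        report[dst] = {"mode": mode, "interfaces": ifaces,
                       "sources": sorted(seen["sources"])}
    return report


if __name__ == "__main__":
    for name, text in (("packet capture", PACKET_MODE_CAPTURE),
                       ("flow capture", FLOW_MODE_CAPTURE)):
        print(name, classify_load_balancing(text))
```

In the packet-by-packet capture the locally originated pings also alternate their source address between 10.1.1.1 and 10.1.2.1, which matters for any ACL or log correlation keyed on the source address.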

Configuration files

• Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet3/0/0
 ip address 172.16.1.1 255.255.255.0
#
interface pos1/0/0
 link-protocol ppp
 ip address 10.1.1.1 255.255.255.0
#
interface pos2/0/0
 link-protocol ppp
 ip address 10.1.2.1 255.255.255.0
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
  network 172.16.0.0 0.0.255.255
#
return

• Configuration file of Router B

#
 sysname RouterB
#
interface pos1/0/0
 link-protocol ppp
 ip address 10.1.1.2 255.255.255.0
#
interface pos2/0/0
 link-protocol ppp
 ip address 192.168.0.1 255.255.255.0
#
ospf 1 router-id 2.2.2.2
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
  network 192.168.0.0 0.0.255.255
#
return

• Configuration file of Router C

#
 sysname RouterC
#
interface pos1/0/0
 link-protocol ppp
 ip address 192.168.1.1 255.255.255.0
#
interface pos2/0/0
 link-protocol ppp
 ip address 10.1.2.2 255.255.255.0
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 10.0.0.0 0.255.255.255
  network 192.168.0.0 0.0.255.255
#
return

• Configuration file of Router D

#
 sysname RouterD
#
interface pos1/0/0
 link-protocol ppp
 ip address 192.168.1.2 255.255.255.0
#
interface pos2/0/0
 link-protocol ppp
 ip address 192.168.0.2 255.255.255.0
#
interface GigabitEthernet3/0/0
 ip address 172.17.1.1 255.255.255.0
#
ospf 1 router-id 4.4.4.4
 area 0.0.0.0
  network 192.168.0.0 0.0.255.255
  network 172.17.0.0 0.0.255.255
#
return

5.9.7 Example of configuring OSPF GR

Networking requirements

As shown in Figure 5-27, Router A, Router B, and Router C belong to the same OSPF area in one AS. OSPF runs on the three routers and uses OSPF GR. After you establish the OSPF adjacency relationship, Router A, Router B, and Router C start to exchange the routing information. When OSPF restarts on Router C, Router C implements the out-of-band synchronization with adjacent routers in GR mode.

Figure 5-27 OSPF GR configuration

[Figure: Router A (1.1.1.1) POS1/0/0 100.1.1.1/24 connects to Router C (3.3.3.3) POS1/0/0 100.1.1.2/24. Router C POS2/0/0 100.2.1.1/24 connects to Router B (2.2.2.2) POS1/0/0 100.2.1.2/24.]

Configuration roadmap

The steps in the configuration roadmap are:

1. In the OSPF view of all the routers, enable the signaling capability and the out-of-band synchronization capability of the local link for OSPF.
2. In the OSPF view of all the routers, enable OSPF GR.

Data preparation

To complete the configuration, you need the following data:

• IP address for each interface
• OSPF process number

Configuration procedure

Step 1 Assign IP addresses to the interfaces.

Step 2 Configure basic OSPF functions.

Step 3 Enable OSPF GR.

# On Router C, enable the signaling capability and the out-of-band synchronization capability of the local link for OSPF. The configurations on Router A and Router B are the same as those on Router C. This example uses Router C:

[RouterC] ospf 100
[RouterC-ospf-100] enable link-local-signaling
[RouterC-ospf-100] enable out-of-band-resynchronization

# Enable OSPF GR on Router C. The configurations on Router A and Router B are the same as those on Router C:

[RouterC-ospf-100] graceful-restart

Step 4 Verify the configuration.

# Run the display fib command on Router C. You can view the forwarding information base (FIB) table:

display fib
FIB Table:
Total number of Routes : 3

Destination/Mask  Nexthop    Flag  TimeStamp  Interface  TunnelID
100.2.1.2/32      127.0.0.1  HU    t[454]     InLoop0    0x0
100.2.1.0/24      100.2.1.2  U     t[454]     Pos1/0/0   0x0
100.1.1.0/24      100.2.1.1  DGU   t[770]     Pos1/0/0   0x0

# Restart OSPF process 100, not in GR mode, on Router C:

reset ospf 100 process

# Run the display fib command immediately on Router C. You can view the FIB table:

display fib
FIB Table:
Total number of Routes : 2

Destination/Mask  Nexthop    Flag  TimeStamp  Interface  TunnelID
100.2.1.2/32      127.0.0.1  HU    t[454]     InLoop0    0x0
100.2.1.0/24      100.2.1.2  U     t[454]     Pos1/0/0   0x0

The FIB table of Router C changes, and the changes affect the forwarding of services.

# Restart OSPF process 100, in GR mode, on Router C:

reset ospf 100 process graceful-restart

# Run the display fib command immediately on Router C. You can view the FIB table and check whether GR operates normally. If GR operates normally, the FIB table does not change and the forwarding of services is not affected when the OSPF process on Router C restarts in GR mode.

display fib
FIB Table:
Total number of Routes : 3

Destination/Mask  Nexthop    Flag  TimeStamp  Interface  TunnelID
100.2.1.2/32      127.0.0.1  HU    t[454]     InLoop0    0x0
100.2.1.0/24      100.2.1.2  U     t[454]     Pos1/0/0   0x0
100.1.1.0/24      100.2.1.1  DGU   t[770]     Pos1/0/0   0x0

The FIB table of Router C does not change and the forwarding of services remains unaffected.

----End

Configuration files

• Configuration file of Router A

#
 sysname RouterA
#
 router id 1.1.1.1
#
interface Pos1/0/0
 link-protocol ppp
 clock slave
 ip address 100.1.1.1 255.255.255.0
#
ospf 100
 enable link-local-signaling
 enable out-of-band-resynchronization
 graceful-restart
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
#
return

• Configuration file of Router B

#
 sysname RouterB
#
 router id 2.2.2.2
#
interface Pos1/0/0
 link-protocol ppp
 clock slave
 ip address 100.2.1.2 255.255.255.0
#
ospf 100
 enable link-local-signaling
 enable out-of-band-resynchronization
 graceful-restart
 area 0.0.0.0
  network 100.2.1.0 0.0.0.255
#
return

• Configuration file of Router C

#
 sysname RouterC
#
 router id 3.3.3.3
#
interface Pos1/0/0
 link-protocol ppp
 clock master
 ip address 100.1.1.2 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 clock master
 ip address 100.2.1.1 255.255.255.0
#
ospf 100
 enable link-local-signaling
 enable out-of-band-resynchronization
 graceful-restart
 area 0.0.0.0
  network 100.1.1.0 0.0.0.255
  network 100.2.1.0 0.0.0.255
#
return

Contents

6 OSPFv3 configuration
6.1 Overview
6.1.1 OSPFv3 overview
6.1.2 OSPFv3 protocol packets
6.1.3 LSA type
6.1.4 Supported OSPFv3 features
6.1.5 References
6.2 Configuring basic OSPFv3 functions
6.2.1 Establishing the configuration task
6.2.2 Enabling OSPFv3
6.2.3 Enabling OSPFv3 on the interface
6.2.4 Entering OSPFv3 area view
6.2.5 Checking the configuration
6.3 Configuring OSPFv3 area features
6.3.1 Establishing the configuration task
6.3.2 Configuring OSPFv3 stub areas
6.3.3 Configuring OSPFv3 virtual links
6.3.4 Checking the configuration
6.4 Controlling OSPFv3 routing information
6.4.1 Establishing the configuration task
6.4.2 Configuring OSPFv3 route summary
6.4.3 Configuring OSPFv3 to filter the received routes
6.4.4 Configuring the cost of the OSPFv3 interface
6.4.5 Configuring the maximum number of equal-cost routes
6.4.6 Configuring OSPFv3 to import external routes
6.4.7 Checking the configuration
6.5 Adjusting and optimizing OSPFv3 networks
6.5.1 Establishing the configuration task
6.5.2 Configuring the OSPFv3 packet timer
6.5.3 Configuring the LSA transmit delay on the interface
6.5.4 Configuring the SPF timer
6.5.5 Configuring the DR priority of the interface
6.5.6 Ignoring the MTU check on DD packets
6.5.7 Suppressing the interface from sending and receiving OSPFv3 packets
6.5.8 Checking the configuration
6.6 Maintaining OSPFv3
6.7 Configuration examples
6.7.1 Example of configuring OSPFv3 areas
6.7.2 Example of configuring OSPFv3 DR election
6.7.3 Example of configuring OSPFv3 virtual links

Figures

Figure 6-1 OSPFv3 packet header
Figure 6-2 OSPFv3 area configuration
Figure 6-3 DR election of OSPFv3
Figure 6-4 OSPFv3 virtual link configuration

6 OSPFv3 configuration

About this chapter

The following table describes the contents of this chapter.

Section                                      Description
6.1 Overview                                 This section describes the principles and concepts of Open Shortest Path First version 3 (OSPFv3).
6.2 Configuring basic OSPFv3 functions       This section describes how to configure basic OSPFv3 functions.
6.3 Configuring OSPFv3 area features         This section describes how to configure OSPFv3 areas and virtual links. For configuration examples, see Example of configuring OSPFv3 areas and Example of configuring OSPFv3 virtual links.
6.4 Controlling OSPFv3 routing information   This section describes how to control OSPFv3 routing information.
6.5 Adjusting and optimizing OSPFv3 networks This section describes how to adjust and optimize OSPFv3 networks. For a configuration example, see Example of configuring OSPFv3 DR election.
6.6 Maintaining OSPFv3                       This section describes how to maintain OSPFv3.
6.7 Configuration examples                   This section provides several configuration examples of OSPFv3.

6.1 Overview

This section describes the following topics that you must understand before you configure OSPFv3:

• OSPFv3 overview
• OSPFv3 protocol packets
• LSA type
• Supported OSPFv3 features
• References

6.1.1 OSPFv3 overview

OSPFv3 is a dynamic routing protocol that operates within an Autonomous System (AS). OSPFv3 extends OSPFv2, which runs in IPv4 networks, to support IPv6 networks. OSPFv3 conforms to RFC 2740 (OSPF for IPv6).

The following list identifies the common factors between OSPFv3 and OSPFv2:

• 32-bit router IDs, area IDs, and link state advertisement (LSA) link-state IDs
• five types of packets: hello, database description (DD), link state request (LSR), link state update (LSU), and link state acknowledgement (LSAck)
• neighbor discovery and adjacency establishment mechanisms
• flooding and aging mechanisms of the LSA
• LSA types

The following list identifies the differences between OSPFv3 and OSPFv2:

• The OSPFv3 routing process runs on a per-link basis, whereas OSPFv2 runs on a per-network-segment basis.
• OSPFv3 can run multiple instances on the same link.
• The OSPFv3 topology has no relationship with IPv6 address prefixes.
• OSPFv3 identifies its neighbors through IPv6 link-local addresses.
• OSPFv3 uses three new types of LSA flooding scopes.

6.1.2 OSPFv3 protocol packets

Hello, DD, LSR, LSU, and LSAck packets use the same OSPFv3 packet header. OSPFv3 removes the authentication field, but it adds an instance ID field to support multiple instances on the same link. The following figure shows the OSPFv3 packet header.

Figure 6-1 OSPFv3 packet header

0                15                31
Version # | Type | Packet length
Router ID
Area ID
Checksum | Instance ID | 0
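The header in Figure 6-1 is 16 bytes long and, with the authentication field gone, the checksum is the only integrity field it carries; it detects corruption but is not a cryptographic protection. The following parser is an added example, not part of the Nortel documentation: it decodes the fields of Figure 6-1, rejects malformed headers, and verifies the checksum over the IPv6 pseudo-header as RFC 2740 specifies. The function names, the addresses fe80::1 and ff02::5, and the Hello body bytes are constructed sample values.

```python
import ipaddress
import struct

# Version #, Type, Packet length, Router ID, Area ID, Checksum, Instance ID, 0
HEADER = struct.Struct("!BBHIIHBB")
PACKET_TYPES = {1: "Hello", 2: "DD", 3: "LSR", 4: "LSU", 5: "LSAck"}
OSPF_NEXT_HEADER = 89  # IPv6 next-header value for OSPF


def _ones_complement_sum(data):
    """16-bit one's complement sum, padding odd-length input with a zero byte."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ospfv3_checksum(packet, src, dst):
    """Checksum over the IPv6 pseudo-header plus the packet, checksum field zeroed."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(packet), OSPF_NEXT_HEADER))
    zeroed = packet[:12] + b"\x00\x00" + packet[14:]
    return ~_ones_complement_sum(pseudo + zeroed) & 0xFFFF


def parse_ospfv3_header(packet, src, dst):
    """Decode and validate the common header; raise ValueError if malformed."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated OSPFv3 header")
    (version, ptype, length, router_id, area_id,
     checksum, instance_id, reserved) = HEADER.unpack_from(packet)
    if version != 3:
        raise ValueError(f"not OSPFv3: version {version}")
    if ptype not in PACKET_TYPES:
        raise ValueError(f"unknown packet type {ptype}")
    if not HEADER.size <= length <= len(packet):
        raise ValueError(f"bad packet length {length}")
    return {
        "type": PACKET_TYPES[ptype],
        "length": length,
        "router_id": str(ipaddress.IPv4Address(router_id)),
        "area_id": str(ipaddress.IPv4Address(area_id)),
        "instance_id": instance_id,
        "reserved_is_zero": reserved == 0,
        "checksum_ok": checksum == ospfv3_checksum(packet[:length], src, dst),
    }


def build_sample_hello(router_id, area_id, instance_id, src, dst):
    """Construct a sample Hello packet; the 20-byte body is sample data only."""
    body = struct.pack("!IB3sHHII", 1, 1, b"\x00\x00\x13", 10, 40, 0, 0)
    header = HEADER.pack(3, 1, HEADER.size + len(body),
                         int(ipaddress.IPv4Address(router_id)),
                         int(ipaddress.IPv4Address(area_id)),
                         0, instance_id, 0)
    packet = header + body
    checksum = ospfv3_checksum(packet, src, dst)
    return packet[:12] + struct.pack("!H", checksum) + packet[14:]


if __name__ == "__main__":
    sample = build_sample_hello("1.1.1.1", "0.0.0.0", 0, "fe80::1", "ff02::5")
    print(parse_ospfv3_header(sample, "fe80::1", "ff02::5"))
    tampered = sample[:-1] + b"\x01"
    print(parse_ospfv3_header(tampered, "fe80::1", "ff02::5")["checksum_ok"])
```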

6.1.3 LSA type

LSA is the source for OSPFv3 to calculate and maintain routing information. RFC 2740 defines the following seven types of LSAs:

• Router-LSAs
  This type originates from each router. Each router-LSA describes the link state and cost of the local router, and only transmits in the area where the router resides.
• Network-LSAs
  This type originates from the designated routers (DR) in broadcast and Non-Broadcast Multiple Access (NBMA) networks. Each network-LSA describes the link state of the local network segment, and only transmits in the area where the DR resides.
• Inter-Area-Prefix LSAs
  Similar to an OSPFv2 Type 3 LSA, these LSAs originate from area border routers (ABR) and transmit in the areas related to them. Each inter-area-prefix LSA describes a prefix external to the area, but internal to the Autonomous System (AS).
• Inter-Area-Router LSAs
  Similar to OSPFv2 Type 4 LSAs, these LSAs originate from ABRs. Each inter-area-router-LSA describes a path to a destination OSPF router, an AS boundary router (ASBR), that is external to the area but internal to the AS.
• AS-external-LSAs
  This type originates from ASBRs. Each AS-external-LSA describes a path to a prefix external to the AS and transmits throughout the entire AS, excluding stub areas. AS-external-LSAs can also describe the default routes of an AS.
• Link-LSAs
  The router generates one Link-LSA for each link and the Link-LSAs transmit in the local link scope. Each Link-LSA describes the IPv6 address prefix associated with this link, including the link-local addresses.
• Intra-Area-Prefix-LSAs
  Each Intra-Area-Prefix-LSA includes the IPv6 prefix information on the router, the stub area information, and the network segment information of the transit area. The intra-area-prefix-LSAs transmit in the local area. Because the Router-LSA and the Network-LSA do not include the address information, OSPFv3 introduces the intra-area-prefix-LSAs.

6.1.4 Supported OSPFv3 features

The Nortel Secure Router 8000 Series supports the following OSPFv3 features:

• Basic features stipulated in RFC 2740
• OSPFv3 stub areas
• Multiple OSPFv3 processes on one router

6.1.5 References

For more information about OSPFv3, see the RFCs listed in the following table.

Document number  Description
RFC 2740         OSPF for IPv6
RFC 2328         OSPF Version 2

6.2 Configuring basic OSPFv3 functions

6.2.1 Establishing the configuration task

Applicable environment

Enable the OSPFv3 process first and specify a router ID for it. You can then configure the other functions and they gradually take effect. You must enable OSPFv3 first and specify the interface and area ID before you configure other features. You can configure interface-related parameters before you enable OSPFv3.

Preconfiguration tasks

Before you configure OSPFv3, complete the following tasks:

- Keep the network layers of the adjacent nodes reachable.
- Enable IPv6 capabilities.

Data preparation

The following table lists the data you need to configure OSPFv3.

No.  Data
1    Router ID
2    OSPFv3 process number
3    Interfaces where you need to enable OSPFv3 and their areas


Configuration procedures

No.  Procedure
1    Enabling OSPFv3
2    Enabling OSPFv3 on the interface
3    Entering OSPFv3 area view
4    Checking the configuration

6.2.2 Enabling OSPFv3

Do as follows on each router in the area according to requirements:

Step 1 Run:
  system-view
  The system view appears.
Step 2 Run:
  ospfv3 [ process-id ]
  This command enables OSPFv3 and the OSPFv3 view appears.
Step 3 Run:
  router-id router-id
  This command configures a router ID.
----End

OSPFv3 supports multiple processes. Multiple OSPFv3 processes that run on one router use different process numbers. Configure the OSPFv3 process number when you enable OSPFv3. The process number is locally significant and has no effect on packet exchange with other routers.

A router ID is a 32-bit unsigned integer, written in the form of an IPv4 address, that uniquely identifies a router within an AS. You must configure the router ID of OSPFv3 manually. If you do not configure a router ID, OSPFv3 does not run normally. When you configure the router ID manually, ensure that the router IDs of any two routers in an AS are different. When you enable multiple processes on a router, you must specify a unique router ID for each process. To ensure that OSPFv3 runs normally, you must determine the division of router IDs and configure them manually in network planning.

6.2.3 Enabling OSPFv3 on the interface

Do as follows for each router in the area on which you enable the OSPFv3 process according to requirements:

Step 1 Run:
  system-view
  The system view appears.
Step 2 Run:
  interface interface-type interface-number
  The interface view appears.
Step 3 Run:
  ospfv3 process-id area area-id [ instance instance-id ]
  This command enables OSPFv3 on the interface.
----End

After you use the ospfv3 command to enable OSPFv3 in the system view, you must enable OSPFv3 on the interfaces. When you enable OSPFv3 on an interface, you must specify which instance of the interface you want to enable because an interface can use multiple instances. If you do not specify an instance ID, the default value is 0. You must enable the same instance on interfaces that establish neighbor relationships. You can input the area ID as a decimal integer or in IPv4 address form, but the system displays the ID in the IPv4 address form.

6.2.4 Entering OSPFv3 area view

Do as follows on each router in the area according to requirements:

Step 1 Run:
  system-view
  The system view appears.
Step 2 Run:
  ospfv3 [ process-id ]
  The OSPFv3 view appears.
Step 3 Run:
  area area-id
  The OSPFv3 area view appears.
----End

You can input the area ID as a decimal integer or in IPv4 address form, but the system displays the ID in the IPv4 address form. When you configure routers in the same area, you must base most configurations on the area. Otherwise, the neighboring routers cannot exchange information with each other, which leads to the congestion of routing information or routing loops.

You cannot delete an OSPFv3 area directly. After you delete all the configurations in the area view and shut down the related interfaces in this area, this area becomes invalid automatically.

6.2.5 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the general information about the OSPFv3 process.
Command: display ospfv3 [ process-id ]

Action: Check the LSDB information about OSPFv3.
Command: display ospfv3 [ process-id ] lsdb [ external | inter-prefix | inter-router | intra-prefix | link | network | router [ link-state-id ] [ originate-router advertising-router-id ] | statistics ]

Action: Check the information about the OSPFv3 neighbor.
Command: display ospfv3 [ process-id ] [ area area-id ] peer [ interface-type interface-number [ verbose ] | neighbor-id ]

Action: Check the information about the OSPFv3 routing table.
Command: display ospfv3 [ process-id ] routing [ [ ipv6-address prefix-length | ipv6-address/prefix-length ] | abr-routes | asbr-routes | all | statistics ]

6.3 Configuring OSPFv3 area features

6.3.1 Establishing the configuration task

Applicable environment

OSPFv3 supports the configuration of stub areas and virtual links. The principles and applicable environment are the same as those of OSPFv2. The Nortel Secure Router 8000 Series does not support OSPFv3 not-so-stubby area (NSSA) features.

Preconfiguration tasks

Before you configure OSPFv3 area features, complete the following tasks:

- Enable IPv6 capabilities.
- Complete the procedures in Configuring basic OSPFv3 functions.

Data preparation

The following table lists the data you need to configure OSPFv3 areas.

No.  Data
1    Areas that you must configure as stub areas
2    Costs of the routes that advertise to stub areas
3    Default routes that advertise to stub areas

Configuration procedures

No.  Procedure
1    Configuring OSPFv3 stub areas
2    Configuring OSPFv3 virtual links
3    Checking the configuration

6.3.2 Configuring OSPFv3 stub areas

Do as follows on each router in the stub area according to requirements:

Step 1 Run:
  system-view
  The system view appears.
Step 2 Run:
  ospfv3 [ process-id ]
  The OSPFv3 view appears.
Step 3 Run:
  area area-id
  The OSPFv3 area view appears.
Step 4 Run:
  stub [ no-summary ]
  This command configures the area as a stub area.
Step 5 Run:
  default-cost cost
  This command configures the cost of the default route sent to the stub area.
----End

You must configure all routers in a stub area with the stub command. Only use the command in Step 5 for an ABR in the stub area rather than for other routers. Configure the no-summary parameter of the stub command only on the ABR. If you configure this parameter, the ABR only sends the summary-LSA of a default route to the stub area; it does not originate other summary-LSAs. The stub area where no AS-external-LSAs or Summary-LSAs exist is a totally stub area.

6.3.3 Configuring OSPFv3 virtual links

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.
Step 2 Run:
  ospfv3 [ process-id ]
  The OSPFv3 view appears.
Step 3 Run:
  area area-id
  The OSPFv3 area view appears.
Step 4 Run:
  vlink-peer router-id [ hello seconds ] [ retransmit seconds ] [ trans-delay seconds ] [ dead seconds ] [ instance instance-id ]
  This command creates and configures a virtual link.
----End

The concept of OSPFv3 virtual links is the same as OSPFv2 virtual links. You must configure the virtual link on both ends of the link.

6.3.4 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the information about the OSPFv3 interface.
Command: display ospfv3 interface [ interface-type interface-number ]

Action: Check the LSDB information about OSPFv3.
Command: display ospfv3 [ process-id ] lsdb [ external | inter-prefix | inter-router | intra-prefix | link | network | router [ link-state-id ] [ originate-router advertising-router-id ] | statistics ]

Action: Check the information about the OSPFv3 routing table.
Command: display ospfv3 [ process-id ] routing [ [ ipv6-address prefix-length | ipv6-address/prefix-length ] | abr-routes | asbr-routes | all | statistics ]

Action: Check the information about the OSPFv3 area topology.
Command: display ospfv3 [ process-id ] topology [ area area-id ]

Action: Check the information about the OSPFv3 virtual link.
Command: display ospfv3 [ process-id ] vlink
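The router ID rule in 6.2.2, the two area ID input forms in 6.2.3, and the stub rules in 6.3.2 can be checked offline across a set of configuration files before deployment. The following Python audit is an added example, not Nortel code; it assumes one OSPFv3 process per router, takes its sample input from the Router C and Router D files in example 6.7.1, and adds a constructed faulty Router E.

```python
import ipaddress
from collections import defaultdict

# Router C and Router D files from example 6.7.1, cut down to the lines the
# audit reads. Indentation is an assumption; the parser does not rely on it.
PAGE = {
    "RouterC": """
interface Pos1/0/0
 ospfv3 1 area 0.0.0.0
#
interface Pos2/0/0
 ospfv3 1 area 0.0.0.2
#
ospfv3 1
 router-id 3.3.3.3
 area 0.0.0.0
 area 0.0.0.2
  stub no-summary
  default-cost 10
""",
    "RouterD": """
interface Pos1/0/0
 ospfv3 1 area 0.0.0.2
#
ospfv3 1
 router-id 4.4.4.4
 area 0.0.0.2
  stub
""",
}
# Constructed faulty router for Area2: decimal area ID, reused router ID, no stub.
ROUTER_E = """
interface Pos1/0/0
 ospfv3 1 area 2
#
ospfv3 1
 router-id 4.4.4.4
 area 2
"""
UNSET = {"stub": False, "no_summary": False, "default_cost": False}

def area_id(text):
    """Normalize '2' or '0.0.0.2' to the IPv4 form the router displays."""
    return str(ipaddress.IPv4Address(int(text) if text.isdigit() else text))

def parse(config):
    """Extract the router ID, the area of each interface, and area settings."""
    info = {"router_id": None, "if_areas": {}, "areas": {}}
    ctx = name = area = None
    for line in config.splitlines():
        w = line.split()
        if not w or w[0] in ("#", "return"):
            ctx = None                                # section separator
        elif w[0] == "interface":
            ctx, name = "if", " ".join(w[1:])
        elif ctx is None and w[0] == "ospfv3":
            ctx, area = "proc", None                  # OSPFv3 process view
        elif ctx == "if" and w[0] == "ospfv3" and "area" in w[:-1]:
            info["if_areas"][name] = area_id(w[w.index("area") + 1])
        elif ctx == "proc" and w[0] == "router-id":
            info["router_id"] = w[1]
        elif ctx == "proc" and w[0] == "area":
            area = area_id(w[1])
            info["areas"][area] = dict(UNSET)
        elif ctx == "proc" and area and w[0] == "stub":
            info["areas"][area].update(stub=True, no_summary="no-summary" in w)
        elif ctx == "proc" and area and w[0] == "default-cost":
            info["areas"][area]["default_cost"] = True
    return info

def audit(configs):
    """Return (rule, subject, routers) findings; an empty list means clean."""
    parsed = {r: parse(text) for r, text in configs.items()}
    findings, owners, members = [], defaultdict(list), defaultdict(set)
    for r, info in parsed.items():
        owners[info["router_id"]].append(r)
        for a in info["if_areas"].values():
            members[a].add(r)                         # area -> attached routers
    for rid, routers in owners.items():
        if rid is None:                               # 6.2.2: router ID is mandatory
            findings.append(("missing-router-id", None, tuple(sorted(routers))))
        elif len(routers) > 1:                        # 6.2.2: unique within the AS
            findings.append(("duplicate-router-id", rid, tuple(sorted(routers))))
    for a, routers in sorted(members.items()):
        cfg = {r: parsed[r]["areas"].get(a, UNSET) for r in routers}
        stubbed = {r for r in routers if cfg[r]["stub"]}
        if stubbed and stubbed != routers:            # 6.3.2: stub on every router
            findings.append(("stub-mismatch", a, tuple(sorted(routers - stubbed))))
        for r in sorted(routers):
            abr = len(set(parsed[r]["if_areas"].values())) > 1
            if not abr and (cfg[r]["no_summary"] or cfg[r]["default_cost"]):
                findings.append(("abr-only-option", a, (r,)))   # 6.3.2: ABR only
    return findings

if __name__ == "__main__":
    for finding in audit({**PAGE, "RouterE": ROUTER_E}):
        print(finding)
```

Because area IDs are normalized first, the audit accepts saved configuration files and staged command lists that use the decimal form alike.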


6.4 Controlling OSPFv3 routing information

6.4.1 Establishing the configuration task

Applicable environment

After you complete the procedures in this section, you can control the advertisement and receipt of OSPFv3 routing information and import external routes.

Preconfiguration tasks

Before you control OSPFv3 routing information, complete the following tasks:

- Enable IPv6 capabilities.
- Complete the procedures in Configuring basic OSPFv3 functions.

Data preparation

The following table lists the data you need to control the OSPFv3 routing information.

No.  Data
1    IPv6 route prefix after aggregation
2    Number or name of the filtering list to apply for filtering routes
3    Link cost of the OSPFv3 interface
4    The maximum number of equal-cost routes available
5    Name, process number, and cost of the external route to import

Configuration procedures

No.  Procedure
1    Configuring OSPFv3 route summary
2    Configuring OSPFv3 to filter the received routes
3    Configuring the cost of the OSPFv3 interface
4    Configuring the maximum number of equal-cost routes
5    Configuring OSPFv3 to import external routes
6    Checking the configuration


6.4.2 Configuring OSPFv3 route summary

Do as follows on the ABR according to requirements:

Step 1 Run:
  system-view
  The system view appears.
Step 2 Run:
  ospfv3 [ process-id ]
  The OSPFv3 view appears.
Step 3 Run:
  area area-id
  The OSPFv3 area view appears.
Step 4 Run:
  abr-summary ipv6-address prefix-length [ not-advertise ]
  This command configures OSPFv3 area route aggregation.
----End

If continuous segments exist in this area, you can use the abr-summary command to summarize these segments into one segment. In this configuration, the ABR only sends an LSA after summary. The ABR does not separately transmit an LSA from the specific aggregation network segment. This action reduces the LSDB size in other areas. If you use the keyword not-advertise, the router sends the route to the network segment.

6.4.3 Configuring OSPFv3 to filter the received routes

Do as follows on the router in the area according to requirements:

Step 1 Run:
  system-view
  The system view appears.
Step 2 Run:
  ospfv3 [ process-id ]
  The OSPFv3 view appears.
Step 3 Run:
  filter-policy { acl6-number | ipv6-prefix ipv6-prefix-name } import
  This command configures OSPFv3 to filter the received routes.
----End


After OSPFv3 receives LSAs, it determines whether to add the calculated routes to the local routing table according to filtering conditions.

NOTE

The command filter-policy import only filters the routes OSPFv3 calculates. OSPFv3 does not add the routes that do not pass filtering to the local routing table, so they do not guide packet forwarding.

6.4.4 Configuring the cost of the OSPFv3 interface

Do as follows on the router in the area according to requirements:

Step 1 Run:
  system-view
  The system view appears.
Step 2 Run:
  interface interface-type interface-number
  The interface view appears.
Step 3 Run:
  ospfv3 cost cost [ instance instance-id ]
  This command configures the cost of the OSPFv3 interface.
----End

Configure the link cost of OSPFv3 for different interfaces to control the route calculation. By default, OSPFv3 automatically calculates the cost according to the bandwidth of the current interface.

6.4.5 Configuring the maximum number of equal-cost routes

Do as follows on the router in the area according to requirements:

Step 1 Run:
  system-view
  The system view appears.
Step 2 Run:
  ospfv3 [ process-id ]
  The OSPFv3 view appears.
Step 3 Run:
  maximum load-balancing number
  This command configures the maximum number of equal-cost routes.
----End


6.4.6 Configuring OSPFv3 to import external routes

Do as follows on the router in the area according to requirements:

Step 1 Run:
  system-view
  The system view appears.
Step 2 Run:
  ospfv3 [ process-id ]
  The OSPFv3 view appears.
Step 3 Run:
  default cost cost-value
  This command configures the default cost of the route imported.
Step 4 Run:
  import-route protocol [ process-id ] [ cost cost | type type ] * [ route-policy route-policy-name ]
  This command imports external routing information.
Step 5 Run:
  filter-policy { acl6-number | ipv6-prefix ipv6-prefix-name } export [ protocol [ process-id ] ]
  This command filters external, imported routing information. This step is optional.
----End

After you configure an OSPFv3 router with the import-route command and import external routes, this router becomes an ASBR. Because OSPFv3 is a link state-based routing protocol and cannot directly filter the advertised LSAs, OSPFv3 must filter the routes when it imports them. OSPFv3 changes the routes to LSAs and advertises them only if the routes meet the filter conditions. You can specify the protocol to configure OSPFv3 to filter a specific kind of routing information. If you do not specify a protocol, OSPFv3 filters all the imported routing information.

NOTE

- The filter-policy export command takes effect only on the routes the ASBR imports.
- Filtered routes do not generate LSAs and OSPFv3 does not advertise them.
- If you do not configure the command import-route to import other external routes, the filter-policy export command has no effect.


6.4.7 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the LSDB information about OSPFv3.
Command: display ospfv3 [ process-id ] lsdb [ external | inter-prefix | inter-router | intra-prefix | link | network | router [ link-state-id ] [ originate-router advertising-router-id ] | statistics ]

Action: Check the information about the OSPFv3 neighbor.
Command: display ospfv3 [ process-id ] [ area area-id ] peer [ interface-type interface-number [ verbose ] | neighbor-id ]

Action: Check the information about the OSPFv3 routing table.
Command: display ospfv3 [ process-id ] routing [ [ ipv6-address prefix-length | ipv6-address/prefix-length ] | abr-routes | asbr-routes | all | statistics ]

6.5 Adjusting and optimizing OSPFv3 networks

6.5.1 Establishing the configuration task

Applicable environment

Change the OSPFv3 packet timer to adjust the convergence speed of the OSPFv3 networks and network overload caused by protocol packets. On some low-speed links, you must consider the delay of LSA transmission on the interface. Adjust the SPF calculation interval to restrain the resource consumption due to frequent network changes. You can specify the DR priorities of the interfaces to affect the DR and BDR election in broadcast networks.

Preconfiguration tasks

Before you adjust and optimize OSPFv3 networks, complete the following tasks:

- Enable IPv6 capabilities.
- Complete the procedures in Configuring basic OSPFv3 functions.

Data preparation

To adjust and optimize OSPFv3 networks, you need the following data.

No.  Data
1    Value of the OSPFv3 packet timer
2    Value of the SPF timer
3    DR priority of each interface


Configuration procedures

No.  Procedure
1    Configuring the OSPFv3 packet timer
2    Configuring the LSA transmit delay on the interface
3    Configuring the SPF timer
4    Configuring the DR priority of the interface
5    Ignoring the MTU check on DD packets
6    Suppressing the interface from sending and receiving OSPFv3 packets
7    Checking the configuration

6.5.2 Configuring the OSPFv3 packet timer

Do as follows on the router in the area according to requirements:

Step 1 Run:
  system-view
  The system view appears.
Step 2 Run:
  interface interface-type interface-number
  The interface view appears.
Step 3 Run:
  ospfv3 timer hello seconds [ instance instance-id ]
  This command configures the send interval for hello packets on the interface.
Step 4 Run:
  ospfv3 timer dead seconds [ instance instance-id ]
  This command configures the dead time for the neighboring routers.
Step 5 Run:
  ospfv3 timer retransmit seconds [ instance instance-id ]
  This command configures the interval for LSA retransmission to the neighboring routers.
----End

You can use the commands in Steps 3 and 5 in any order.

The most common packets are hello packets. The router periodically sends hello packets to the neighboring router to discover and maintain the neighbor relationship, and to elect the DR and the BDR. According to RFC 2740, you must maintain the consistency of the hello timer between network neighbors. The value of the hello timer is inversely proportional to route convergence speed and network load.

If a router does not receive any hello packet from its neighbor in a certain time, the router regards the neighbor router as invalid. This time interval is the dead time between neighboring routers. The dead time of an interface on a router must be at least four times the hello interval.

After a router sends an LSA to its neighbor, it waits for the acknowledgement packet from its neighbor. If the router does not receive an acknowledgement from its neighbor, it retransmits the LSA. The value of seconds must be greater than the time for a packet to transmit between two routers.

NOTE

Do not configure too small a value for the LSA retransmission interval or it can cause unnecessary retransmissions.

6.5.3 Configuring the LSA transmit delay on the interface

Do as follows on the router in the area according to requirements:

Step 1 Run:
  system-view
  The system view appears.
Step 2 Run:
  interface interface-type interface-number
  The interface view appears.
Step 3 Run:
  ospfv3 trans-delay seconds [ instance instance-id ]
  This command configures the delay of LSA transmission on the interface.
----End

The LSA in the LSDB of the local router ages in time, but it does not age in the transmission process. You must add delay to the aging time of the LSA before the router sends it. This configuration is especially important for low-speed networks.

6.5.4 Configuring the SPF timer

Do as follows on the router in the area according to requirements:

Step 1 Run:
  system-view
  The system view appears.
Step 2 Run:
  ospfv3 [ process-id ]
  The OSPFv3 view appears.
Step 3 Run:
  spf timers delay-interval hold-interval
  This command configures the SPF timer.
----End

After the LSDB changes, SPF recalculates. This calculation consumes resources and affects the operation efficiency of the router. Adjust the delay time and hold interval for SPF to restrain the resource consumption due to frequent network changes.

6.5.5 Configuring the DR priority of the interface

Do as follows on all routers in the area according to requirements:

Step 1 Run:
  system-view
  The system view appears.
Step 2 Run:
  interface interface-type interface-number
  The interface view appears.
Step 3 Run:
  ospfv3 dr-priority priority [ instance instance-id ]
  This command configures the priority for DR election on the interface.
Step 4 After you change the priority, use the following methods to reselect the DR and BDR:
  - Restart all routers.
  - Run the shutdown and undo shutdown command on the interface on which the OSPFv3 neighbor exists.
----End

The DR preference on an interface of a router affects the DR election of the interface. If the DR preference is 0, the router cannot become the DR or BDR.

6.5.6 Ignoring the MTU check on DD packets

Do as follows on the router in the area according to requirements:

Step 1 Run:
  system-view
  The system view appears.
Step 2 Run:
  interface interface-type interface-number
  The interface view appears.
Step 3 Run:
  ospfv3 mtu-ignore [ instance instance-id ]
  This command configures OSPFv3 to ignore the MTU check on DD packets. After you use the command, the interface does not check the MTU field in the DD packets it receives.
----End

6.5.7 Suppressing the interface from sending and receiving OSPFv3 packets

Do as follows on the router in the area according to the requirements:

Step 1 Run:
  system-view
  The system view appears.
Step 2 Run:
  ospfv3 [ process-id ]
  The OSPFv3 view appears.
Step 3 Run:
  silent-interface interface-type interface-number
  This command suppresses the interface from sending and receiving OSPFv3 packets.
----End

Use the suppress configuration to ensure routers on a certain network do not acquire OSPFv3 routing information and to ensure the local router does not receive route updates that other routers advertise. Different processes can suppress the same interface from sending and receiving OSPFv3 packets, but the silent-interface command is valid only for the OSPFv3 interface on which you enable the specific process. The command does not affect the interface of other processes.

After you configure an OSPFv3 interface with the silent status, the interface can still advertise its direct route through the Intra-Area-Prefix-LSA of the same router. An OSPFv3 neighbor relationship cannot be established on the interface. This configuration enhances the adaptability of OSPFv3 networks.

6.5.8 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the debugging state of OSPFv3.
Command: display debugging ospfv3

Action: Check the information about the OSPFv3 interface.
Command: display ospfv3 interface [ interface-type interface-number ]

Action: Check the LSDB information about OSPFv3.
Command: display ospfv3 [ process-id ] lsdb [ external | inter-prefix | inter-router | intra-prefix | link | network | router [ link-state-id ] [ originate-router advertising-router-id ] | statistics ]

Action: Check the information about the OSPFv3 routing table.
Command: display ospfv3 [ process-id ] routing [ [ ipv6-address prefix-length | ipv6-address/prefix-length ] | abr-routes | asbr-routes | all | statistics ]

6.6 Maintaining OSPFv3

Debugging affects system performance. After you debug the system, run the undo debugging all command to disable it immediately.

After an OSPFv3 fault occurs, run the following debugging commands in the user view to debug OSPFv3 and locate the fault. For information about the debugging command output, see Nortel Secure Router 8000 Series Configuration Guide - System Management (NN46240-601). For more information about the debugging command, see Nortel Secure Router 8000 Series Commands Reference (NN46240-500).

Action: Debug the OSPFv3 events.
Command: debugging ospfv3 [ process-id ] event { abr | asbr | vlink | all }

Action: Debug the OSPFv3 interface status mechanism.
Command: debugging ospfv3 [ process-id ] ifsm [ status | event | timer ]

Action: Debug OSPFv3 LSA.
Command: debugging ospfv3 [ process-id ] lsa { all | flooding | generate | install | maxage | refresh | verbose }

Action: Debug the OSPFv3 neighbor status mechanism.
Command: debugging ospfv3 [ process-id ] nfsm [ status | event | timer ]

Action: Debug the OSPFv3 packets.
Command: debugging ospfv3 [ process-id ] packet all [ verbose ]
Command: debugging ospfv3 [ process-id ] { hello | dd | request | update | ack } * [ verbose ]

Action: Debug the OSPFv3 route calculation.
Command: debugging ospfv3 [ process-id ] route [ ase | install | spf | ia ]


6.7 Configuration examples

This section provides the following examples:

- Example of configuring OSPFv3 areas
- Example of configuring OSPFv3 DR election
- Example of configuring OSPFv3 virtual links

6.7.1 Example of configuring OSPFv3 areas

Networking requirements

As shown in Figure 6-2, all routers run OSPFv3. The autonomous system divides into three areas. Router B and Router C serve as ABRs to forward the inter-area routes. You must configure Area2 as a stub area to reduce the amount of LSAs that advertise to this area, without any effect on the reachability of routes.

Figure 6-2 OSPFv3 area configuration

[Figure: Router B and Router C in Area0, Router A in Area1, Router D in Area2 (stub).]

Configuration roadmap

The steps in the configuration roadmap are:

1. Enable basic OSPFv3 functions on each router.
2. Configure Area2 as the stub area and check the OSPFv3 routing list information of Router D.
3. Configure Area2 as the totally stub area and check the OSPFv3 routing list information of Router D.

Data preparation

To complete the following configuration, you need the following data:

- The router ID of Router A is 1.1.1.1. The number of the area is 1.
- The router ID of Router B is 2.2.2.2. The numbers of the areas are 0 and 1.
- The router ID of Router C is 3.3.3.3. The numbers of the areas are 0 and 2.
- The router ID of Router D is 4.4.4.4. The number of the area is 2.

Configuration procedure

Step 1 Configure the IPv6 address for each interface.

Step 2 Configure basic OSPFv3 functions.

# Configure Router A:

[RouterA] ipv6
[RouterA] ospfv3
[RouterA-ospfv3-1] router-id 1.1.1.1
[RouterA-ospfv3-1] quit
[RouterA] interface GigabitEthernet 2/0/0
[RouterA-GigabitEthernet2/0/0] ospfv3 1 area 1
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface pos1/0/0
[RouterA-Pos1/0/0] ospfv3 1 area 1
[RouterA-Pos1/0/0] quit

# Configure Router B:

[RouterB] ipv6
[RouterB] ospfv3
[RouterB-ospf-1] router-id 2.2.2.2
[RouterB-ospf-1] quit
[RouterB] interface pos1/0/0
[RouterB-Pos1/0/0] ospfv3 1 area 0
[RouterB-Pos1/0/0] quit
[RouterB] interface pos2/0/0
[RouterB-Pos2/0/0] ospfv3 1 area 1
[RouterB-Pos2/0/0] quit

# Configure Router C:

[RouterC] ipv6
[RouterC] ospfv3
[RouterC-ospfv3-1] router-id 3.3.3.3
[RouterC-ospfv3-1] quit
[RouterC] interface pos 1/0/0
[RouterC-Pos1/0/0] ospfv3 1 area 0
[RouterC-Pos1/0/0] quit
[RouterC] interface pos 2/0/0
[RouterC-Pos2/0/0] ospfv3 1 area 2
[RouterC-Pos2/0/0] quit

# Configure Router D:

[RouterD] ipv6
[RouterD] ospfv3
[RouterD-ospfv3-1] router-id 4.4.4.4
[RouterD-ospfv3-1] quit
[RouterD] interface pos 1/0/0
[RouterD-Pos1/0/0] ospfv3 1 area 2
[RouterD-Pos1/0/0] quit


# View the OSPFv3 neighbors of Router B:

[RouterB] display ospfv3 peer

OSPFv3 Process (1)

OSPFv3 Area (0.0.0.1)
Neighbor ID  Pri  State    Dead Time  Interface  Instance ID
1.1.1.1      1    Full/ -  00:00:34   PosS2/0/0  0

OSPFv3 Area (0.0.0.0)
Neighbor ID  Pri  State    Dead Time  Interface  Instance ID
3.3.3.3      1    Full/ -  00:00:32   PosS1/0/0  0

# View OSPFv3 neighbors of Router C:

[RouterC] display ospfv3 peer

OSPFv3 Process (1)

OSPFv3 Area (0.0.0.0)
Neighbor ID  Pri  State    Dead Time  Interface  Instance ID
2.2.2.2      1    Full/ -  00:00:37   Pos1/0/0   0

OSPFv3 Area (0.0.0.2)
Neighbor ID  Pri  State    Dead Time  Interface  Instance ID
4.4.4.4      1    Full/ -  00:00:33   Pos2/0/0   0

# View the OSPFv3 routing table of Router D:

[RouterD] display ospfv3 routing

OSPFv3 Process (1)
   Destination   Metric  Next-hop
IA 1000::/64     2       via FE80::1572:0:5EF4:1, Pos1/0/0
IA 1001::/64     3       via FE80::1572:0:5EF4:1, Pos1/0/0
   1002::/64     1       directly-connected, Pos1/0/0
IA 2000::/64     4       via FE80::1572:0:5EF4:1, Pos1/0/0

Step 3 Configure stub areas.

# Configure the stub area of Router D:

[RouterD] ospfv3
[RouterD-ospfv3-1] area 2
[RouterD-ospfv3-1-area-0.0.0.2] stub

# Configure the stub area of Router C and configure the cost of the default route advertised to the stub area as 10:

[RouterC] ospfv3
[RouterC-ospfv3-1] area 2
[RouterC-ospfv3-1] stub
[RouterC-ospfv3-1] default-cost 10


# View the OSPFv3 routing table of Router D and you can see a new default route in the routing table. The cost is the sum of the cost of the directly connected routes and the configured cost.

[RouterD] display ospfv3 routing

OSPFv3 Process (1)
   Destination   Metric  Next-hop
IA ::/0          11      via FE80::1572:0:5EF4:1, Pos1/0/0
IA 1000::/64     2       via FE80::1572:0:5EF4:1, Pos1/0/0
IA 1001::/64     3       via FE80::1572:0:5EF4:1, Pos1/0/0
   1002::/64     1       directly-connected, Pos1/0/0
IA 2000::/64     4       via FE80::1572:0:5EF4:1, Pos1/0/0

Step 4 Configure totally stub areas.

# Configure Router C and configure Area2 as a totally stub area:

[RouterC-ospfv3-1-area-0.0.0.2] stub no-summary

Step 5 Verify the configuration.

# View the OSPFv3 routing table of Router D and you can see that the number of entries in the routing table is reduced. Other nondirectly connected routes are suppressed and only the default route is reserved.

[RouterD] display ospfv3 routing

OSPFv3 Process (1)
   Destination   Metric  Next-hop
IA ::/0          11      via FE80::1572:0:5EF4:1, Pos1/0/0
   1002::/64     1       directly-connected, Pos1/0/0
----End

Configuration files

- Configuration file of Router A

#
sysname RouterA
#
ipv6
#
interface GigabitEthernet2/0/0
 ipv6 address 2000::1/64
 ospfv3 1 area 0.0.0.1
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 1001::2/64
 ospfv3 1 area 0.0.0.1
#
ospfv3 1
 router-id 1.1.1.1
 area 0.0.0.1
#
return

- Configuration file of Router B

#
sysname RouterB
#
ipv6
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 1000::1/64
 ospfv3 1 area 0.0.0.0
#
interface Pos2/0/0
 link-protocol ppp
 ipv6 address 1001::1/64
 ospfv3 1 area 0.0.0.1
#
ospfv3 1
 router-id 2.2.2.2
 area 0.0.0.0
 area 0.0.0.1
#
return

- Configuration file of Router C

#
sysname RouterC
#
ipv6
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 1000::2/64
 ospfv3 1 area 0.0.0.0
#
interface Pos2/0/0
 link-protocol ppp
 ipv6 address 1002::1/64
 ospfv3 1 area 0.0.0.2
#
ospfv3 1
 router-id 3.3.3.3
 area 0.0.0.0
 area 0.0.0.2
  stub no-summary
  default-cost 10
#
return

- Configuration file of Router D

#
sysname RouterD
#
ipv6
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 1002::2/64
 ospfv3 1 area 0.0.0.2
#
ospfv3 1
 router-id 4.4.4.4
 area 0.0.0.2
  stub
#
return

6.7.2 Example of configuring OSPFv3 DR election

Networking requirements

In Figure 6-3, Router A uses a DR priority of 100, which is the highest in the network, so it becomes the DR. Router C uses the second highest priority, so it becomes the BDR. The priority of Router B is 0, which means that it cannot become the DR. Router D does not use a priority, so the priority is 1 by default.

Figure 6-3 DR election of OSPFv3

[Figure: RouterA GbE1/0/0 1001::1/64, RouterB GbE1/0/0 1001::2/64, RouterC GbE1/0/0 1001::3/64, RouterD GbE1/0/0 1001::4/64]

Configuration roadmap

The steps in the configuration roadmap are:

1. Configure the router ID on each router, enable OSPFv3, and specify the network segment.
2. Check the state of the DR and BDR with the default priority.
3. Configure the DR priority on the interface and check the state of the DR and BDR.

Data preparation

To complete the configuration, you need the following data:

• The router ID of Router A is 1.1.1.1. The priority of DR is 100.
• The router ID of Router B is 2.2.2.2. The priority of DR is 0.
• The router ID of Router C is 3.3.3.3. The priority of DR is 2.
• The router ID of Router D is 4.4.4.4. The priority of DR is 1.

Configuration procedure

Step 1 Configure the IPv6 address for each interface.

Step 2 Configure basic OSPFv3 functions.

# Configure Router A, enable OSPFv3, and configure the router ID to 1.1.1.1:

[RouterA] ipv6
[RouterA] ospfv3
[RouterA-ospfv3-1] router-id 1.1.1.1
[RouterA-ospfv3-1] quit
[RouterA] interface GigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ospfv3 1 area 0
[RouterA-GigabitEthernet1/0/0] quit

# Configure Router B, enable OSPFv3, and configure the Router ID to 2.2.2.2:

[RouterB] ipv6
[RouterB] ospfv3
[RouterB-ospfv3-1] router-id 2.2.2.2
[RouterB-ospfv3-1] quit
[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ospfv3 1 area 0
[RouterB-GigabitEthernet1/0/0] quit

# Configure Router C, enable OSPFv3, and configure the Router ID to 3.3.3.3:

[RouterC] ipv6
[RouterC] ospfv3
[RouterC-ospfv3-1] router-id 3.3.3.3
[RouterC-ospfv3-1] quit
[RouterC] interface GigabitEthernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ospfv3 1 area 0
[RouterC-GigabitEthernet1/0/0] quit

# Configure Router D, enable OSPFv3, and configure the Router ID to 4.4.4.4:

[RouterD] ipv6
[RouterD] ospfv3
[RouterD-ospfv3-1] router-id 4.4.4.4
[RouterD-ospfv3-1] quit
[RouterD] interface GigabitEthernet 1/0/0
[RouterD-GigabitEthernet1/0/0] ospfv3 1 area 0
[RouterD-GigabitEthernet1/0/0] quit

# View the neighbors of Router A. You can see the DR priority (the default value is 1) and the neighbor status. Router D is the DR and Router C is the BDR.

NOTE

The router with the greater router ID is the DR when routers use the same priority. If a specific Ethernet interface of a router becomes a DR, the other broadcast interfaces of the router use the highest priority when electing the DR. That is, the DR router is chosen as DR.

[RouterA] display ospfv3 peer

OSPFv3 Process (1)
Neighbor ID     Pri   State            Dead Time   Interface   Instance ID
2.2.2.2         1     2-Way/DROther    00:00:32    GE1/0/0     0
3.3.3.3         1     Full/Backup      00:00:36    GE1/0/0     0
4.4.4.4         1     Full/DR          00:00:38    GE1/0/0     0

# View the neighbors of Router D and you can see that all neighbors of Router D are in the Full state.

[RouterD] display ospfv3 peer

OSPFv3 Process (1)
Neighbor ID     Pri   State            Dead Time   Interface   Instance ID
1.1.1.1         1     Full/DROther     00:00:32    GE1/0/0     0
2.2.2.2         1     Full/DROther     00:00:35    GE1/0/0     0
3.3.3.3         1     Full/Backup      00:00:30    GE1/0/0     0

Step 3 Configure the DR priority of the interface.

# Configure the DR priority of Router A to 100:

[RouterA] interface GigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ospfv3 dr-priority 100
[RouterA-GigabitEthernet1/0/0] quit

# Configure the DR priority of Router B to 0:

[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] ospfv3 dr-priority 0
[RouterB-GigabitEthernet1/0/0] quit

# Configure the DR priority of Router C to 2:

[RouterC] interface GigabitEthernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ospfv3 dr-priority 2
[RouterC-GigabitEthernet1/0/0] quit

# View neighbors of Router A and you can see that the DR priority updates and the DR and BDR remain unchanged:

[RouterA] display ospfv3 peer

OSPFv3 Process (1)
Neighbor ID     Pri   State            Dead Time   Interface   Instance ID
2.2.2.2         0     2-Way/DROther    00:00:34    GE1/0/0     0
3.3.3.3         2     Full/Backup      00:00:38    GE1/0/0     0
4.4.4.4         1     Full/DR          00:00:31    GE1/0/0     0

# View the neighbors of Router D and you can see that Router D remains the DR:

[RouterD] display ospfv3 peer

OSPFv3 Process (1)
Neighbor ID     Pri   State            Dead Time   Interface   Instance ID
1.1.1.1         100   Full/DROther     00:00:36    GE1/0/0     0
2.2.2.2         0     Full/DROther     00:00:30    GE1/0/0     0
3.3.3.3         2     Full/Backup      00:00:36    GE1/0/0     0

Step 4 Re-elect the DR and BDR.

# Restart all routers (or run the shutdown and undo shutdown commands on the interface that establishes the OSPFv3 neighbor relationship), and force OSPFv3 to re-elect the DR and BDR.

Step 5 Verify the configuration.

# View the neighbors of Router A and you can see that Router C is the BDR:

[RouterA] display ospfv3 peer

OSPFv3 Process (1)
Neighbor ID     Pri   State            Dead Time   Interface   Instance ID
2.2.2.2         0     Full/DROther     00:00:31    GE1/0/0     0
3.3.3.3         2     Full/Backup      00:00:36    GE1/0/0     0
4.4.4.4         1     Full/DROther     00:00:39    GE1/0/0     0
[RouterA]

# View the neighbors of Router D and you can see that Router A is DR:

[RouterD] display ospfv3 peer

OSPFv3 Process (1)
Neighbor ID     Pri   State            Dead Time   Interface   Instance ID
1.1.1.1         100   Full/DR          00:00:39    GE1/0/0     0
2.2.2.2         0     2-Way/DROther    00:00:35    GE1/0/0     0
3.3.3.3         2     Full/Backup      00:00:39    GE1/0/0     0

----End
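The procedure above shows that a new DR priority does not move the DR role until the election is rerun. The following Python check is an added example, not part of the Nortel guide: it merges the display ospfv3 peer tables quoted in steps 3 and 5 and compares the roles the routers hold with the roles a fresh election would assign. The function names are assumptions of this example, and the fresh-election model (highest priority, then highest router ID, priority 0 excluded) is a simplification that assumes all routers start together.

```python
import ipaddress
import re

# One neighbor row: ID, priority, state/role, dead time, interface, instance ID.
PEER_ROW = re.compile(
    r"^(?P<rid>\d+(?:\.\d+){3})\s+(?P<pri>\d+)\s+(?P<state>[^/\s]+)/(?P<role>\S+)"
    r"\s+\d\d:\d\d:\d\d\s+\S+\s+\d+$")


def parse_peers(output):
    """Return {router_id: (priority, role)} for every neighbor row in the output."""
    peers = {}
    for line in output.splitlines():
        row = PEER_ROW.match(line.strip())
        if row:
            peers[row["rid"]] = (int(row["pri"]), row["role"])
    return peers


def merge_views(views):
    """Combine neighbor tables taken on several routers of one segment.

    A router never lists itself, so at least two views are needed to cover
    every router. Returns (routers, conflicts).
    """
    routers, conflicts = {}, []
    for viewer, output in views.items():
        for rid, seen in parse_peers(output).items():
            if rid in routers and routers[rid] != seen:
                conflicts.append(f"{rid}: {routers[rid]} vs {seen} (seen from {viewer})")
            routers[rid] = seen
    return routers, conflicts


def expected_roles(priorities):
    """(DR, BDR) if all routers started the election together (assumed model)."""
    eligible = sorted(
        (rid for rid, pri in priorities.items() if pri > 0),  # priority 0 cannot be DR
        key=lambda rid: (priorities[rid], int(ipaddress.IPv4Address(rid))),
        reverse=True)
    dr, bdr = (eligible + [None, None])[:2]
    return dr, bdr


def audit_segment(views):
    """Compare the roles actually held with the roles the priorities call for."""
    routers, conflicts = merge_views(views)

    def holder(role):
        found = [rid for rid, (_, held) in routers.items() if held == role]
        return found[0] if len(found) == 1 else None

    observed = (holder("DR"), holder("Backup"))
    expected = expected_roles({rid: pri for rid, (pri, _) in routers.items()})
    return {"observed": observed, "expected": expected,
            "conflicts": conflicts, "reelection_needed": observed != expected}


# Neighbor tables quoted from steps 3 and 5 of this example (whitespace normalised).
BEFORE_REELECTION = {
    "RouterA": """
        2.2.2.2 0 2-Way/DROther 00:00:34 GE1/0/0 0
        3.3.3.3 2 Full/Backup 00:00:38 GE1/0/0 0
        4.4.4.4 1 Full/DR 00:00:31 GE1/0/0 0""",
    "RouterD": """
        1.1.1.1 100 Full/DROther 00:00:36 GE1/0/0 0
        2.2.2.2 0 Full/DROther 00:00:30 GE1/0/0 0
        3.3.3.3 2 Full/Backup 00:00:36 GE1/0/0 0""",
}
AFTER_REELECTION = {
    "RouterA": """
        2.2.2.2 0 Full/DROther 00:00:31 GE1/0/0 0
        3.3.3.3 2 Full/Backup 00:00:36 GE1/0/0 0
        4.4.4.4 1 Full/DROther 00:00:39 GE1/0/0 0""",
    "RouterD": """
        1.1.1.1 100 Full/DR 00:00:39 GE1/0/0 0
        2.2.2.2 0 2-Way/DROther 00:00:35 GE1/0/0 0
        3.3.3.3 2 Full/Backup 00:00:39 GE1/0/0 0""",
}

if __name__ == "__main__":
    for label, views in (("step 3", BEFORE_REELECTION), ("step 5", AFTER_REELECTION)):
        print(label, audit_segment(views))
```

A result with reelection_needed set means the configured priorities have not taken effect yet, which is the state step 4 resolves.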

Configuration files

• Configuration file of Router A

#
 sysname RouterA
#
 ipv6
#
interface GigabitEthernet1/0/0
 ipv6 address 1001::1/64
 ospfv3 1 area 0.0.0.0
 ospfv3 dr-priority 100
#
ospfv3 1
 router-id 1.1.1.1
 area 0.0.0.0
#
return

• Configuration file of Router B

#
 sysname RouterB
#
 ipv6
#
interface GigabitEthernet1/0/0
 ipv6 address 1001::2/64
 ospfv3 1 area 0.0.0.0
 ospfv3 dr-priority 0
#
ospfv3 1
 router-id 2.2.2.2
 area 0.0.0.0
#
return

• Configuration file of Router C

#
 sysname RouterC
#
 ipv6
#
interface GigabitEthernet1/0/0
 ipv6 address 1001::3/64
 ospfv3 1 area 0.0.0.0
 ospfv3 dr-priority 2
#
ospfv3 1
 router-id 3.3.3.3
 area 0.0.0.0
#
return

• Configuration file of Router D

#
 sysname RouterD
#
 ipv6
#
interface GigabitEthernet1/0/0
 ipv6 address 1001::4/64
 ospfv3 1 area 0.0.0.0
#
ospfv3 1
 router-id 4.4.4.4
 area 0.0.0.0
#
return

6.7.3 Example of configuring OSPFv3 virtual links

Networking requirements

All the routers run OSPFv3 and the autonomous system divides into three areas. Both Router B and Router C are ABRs that forward routes between areas. Area 2 does not connect to the backbone Area 0 directly. Area 1 is the transit area that connects Area 0 and Area 2.

You must configure a virtual link in Area 1 on Router B and Router C to enable packets of Router A to reach Router D.

Figure 6-4 OSPFv3 virtual link configuration

[Figure: RouterA POS1/0/0 1001::2/64 to RouterB POS1/0/0 1001::1/64 in Area2; RouterB POS2/0/0 1000::1/64 to RouterC POS1/0/0 1000::2/64 in Area1; RouterC POS2/0/0 1002::1/64 to RouterD POS1/0/0 1002::2/64 in Area0]

Configuration roadmap

The steps in the configuration roadmap are:

1. Enable basic OSPFv3 functions on each router.
2. Configure Router B and Router C with the virtual connection to make the backbone network connect with other networks.

Data preparation

To complete the configuration, you need the following data:

• The router ID of Router A is 1.1.1.1. The number of the area is 2.
• The router ID of Router B is 2.2.2.2. The numbers of the areas are 1 and 2.
• The router ID of Router C is 3.3.3.3. The numbers of the areas are 1 and 0.
• The router ID of Router D is 4.4.4.4. The number of the area is 0.

Configuration procedure

Step 1 Configure the IP address for each interface.

Step 2 Configure basic OSPFv3 functions.

# Enable OSPFv3 on Router A and configure the Router ID to 1.1.1.1:

[RouterA] ipv6
[RouterA] ospfv3
[RouterA-ospfv3-1] router-id 1.1.1.1
[RouterA-ospfv3-1] quit
[RouterA] interface Pos 1/0/0
[RouterA-Pos1/0/0] ospfv3 1 area 2
[RouterA-Pos1/0/0] quit

# Enable OSPFv3 on Router B and configure the Router ID to 2.2.2.2:

[RouterB] ipv6
[RouterB] ospfv3
[RouterB-ospfv3-1] router-id 2.2.2.2
[RouterB-ospfv3-1] quit
[RouterB] interface Pos 1/0/0
[RouterB-Pos1/0/0] ospfv3 1 area 2
[RouterB-Pos1/0/0] quit
[RouterB] interface Pos 2/0/0
[RouterB-Pos2/0/0] ospfv3 1 area 1
[RouterB-Pos2/0/0] quit

# Enable OSPFv3 on Router C and configure the Router ID to 3.3.3.3:

[RouterC] ipv6
[RouterC] ospfv3
[RouterC-ospfv3-1] router-id 3.3.3.3
[RouterC-ospfv3-1] quit
[RouterC] interface Pos 1/0/0
[RouterC-Pos1/0/0] ospfv3 1 area 1
[RouterC-Pos1/0/0] quit
[RouterC] interface Pos 2/0/0
[RouterC-Pos2/0/0] ospfv3 1 area 0
[RouterC-Pos2/0/0] quit

# Enable OSPFv3 on Router D and configure the Router ID to 4.4.4.4:

[RouterD] ipv6
[RouterD] ospfv3
[RouterD-ospfv3-1] router-id 4.4.4.4
[RouterD-ospfv3-1] quit
[RouterD] interface Pos 1/0/0
[RouterD-Pos1/0/0] ospfv3 1 area 0
[RouterD-Pos1/0/0] quit

# View the OSPFv3 routing table of Router C and verify that no routing information of Area 2 exists in the routing table:

[routerC] display ospfv3 routing

OSPFv3 Process (1)
Destination        Metric   Next-hop
   1000::/64       1        directly-connected, Pos1/0/0
   1002::/64       1        directly-connected, Pos2/0/0

Step 3 Configure a virtual link in Area 1 on Router B and Router C.

# Configure Router B:

[routerB] ospfv3
[routerB-ospfv3-1] area 1
[routerB-ospfv3-1-area-0.0.0.1] vlink-peer 3.3.3.3
[routerB-ospfv3-1-area-0.0.0.1] quit

# Configure Router C:

[routerC] ospfv3
[routerC-ospfv3-1] area 1
[routerC-ospfv3-1-area-0.0.0.1] vlink-peer 2.2.2.2
[routerC-ospfv3-1-area-0.0.0.1] quit

Step 4 Verify the configuration.

# View the OSPFv3 routing table of Router C:

[routerC] dis ospfv3 routing

OSPFv3 Process (1)
Destination        Metric   Next-hop
   1000::/64       1        directly-connected, Pos1/0/0
   1000::1/128     1        via FE80::4D67:0:EB7D:2, Pos1/0/0
   1000::2/128     1        directly-connected, Pos1/0/0
IA 1001::/64       2        via FE80::4D67:0:EB7D:2, Pos1/0/0
   1002::/64       1        directly-connected, Pos2/0/0

NOTE

After you configure a virtual link, Area 2 connects with Area 0 through the virtual link. The routing table on Router C includes the route to Area 2.

----End

Configuration files

• Configuration file of Router A

#
 sysname routerA
#
 ipv6
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 1001::2/64
 ospfv3 1 area 0.0.0.2
#
ospfv3 1
 router-id 1.1.1.1
 area 0.0.0.2
#
user-interface con 0
user-interface vty 0 4
#
return

• Configuration file of Router B

#
 sysname RouterB
#
 ipv6
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 1001::1/64
 ospfv3 1 area 0.0.0.2
#
interface Pos2/0/0
 link-protocol ppp
 ipv6 address 1000::1/64
 ospfv3 1 area 0.0.0.1
#
ospfv3 1
 router-id 2.2.2.2
 area 0.0.0.0
 area 0.0.0.1
  vlink-peer 3.3.3.3
 area 0.0.0.2
#
return

• Configuration file of Router C

#
 sysname routerC
#
 ipv6
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 1000::2/64
 ospfv3 1 area 0.0.0.1
#
interface Pos2/0/0
 link-protocol ppp
 ipv6 address 1002::1/64
 ospfv3 1 area 0.0.0.0
#
ospfv3 1
 router-id 3.3.3.3
 area 0.0.0.0
 area 0.0.0.1
  vlink-peer 2.2.2.2
#
user-interface con 0
user-interface vty 0 4
#
return

• Configuration file of Router D

#
 sysname routerD
#
 ipv6
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 1002::2/64
 ospfv3 1 area 0.0.0.0
#
ospfv3 1
 router-id 4.4.4.4
 area 0.0.0.0
#
user-interface con 0
user-interface vty 0 4
#
return


Contents

7 IS-IS configuration
  7.1 Introduction
    7.1.1 Basic concepts
    7.1.2 IS-IS areas
    7.1.3 IS-IS network types
    7.1.4 IS-IS PDU formats
    7.1.5 IS-IS support for IPv6
    7.1.6 Supported IS-IS features
    7.1.7 References
  7.2 Configuring basic IS-IS functions
    7.2.1 Establishing the configuration task
    7.2.2 Enabling IS-IS processes
    7.2.3 Configuring NET
    7.2.4 Configuring the level of a router
    7.2.5 Enabling IS-IS on the specified interface
    7.2.6 Checking the configuration
  7.3 Controlling IS-IS routing information
    7.3.1 Establishing the configuration task
    7.3.2 Configuring the preference of IS-IS
    7.3.3 Configuring the link cost
    7.3.4 Configuring IS-IS route aggregation
    7.3.5 Configuring IS-IS to generate default routes
    7.3.6 Configuring IS-IS to filter the routing information received
    7.3.7 Set the state of an IS-IS interface to suppressed
    7.3.8 Configuring IS-IS to import external routes
    7.3.9 Configuring route leaking
    7.3.10 Checking the configuration
  7.4 Adjusting and optimizing IS-IS
    7.4.1 Establishing the configuration task
    7.4.2 Configuring the network type of an interface
    7.4.3 Configuring the level of an IS-IS interface
    7.4.4 Configuring the DIS priority of the interface
    7.4.5 Configuring IS-IS to ignore the check on IP addresses of received hello packets
    7.4.6 Configuring IS-IS packet timers
    7.4.7 Configuring LSP parameters
    7.4.8 Configuring SPF parameters
    7.4.9 Enabling LSP fast flooding
    7.4.10 Configuring IS-IS dynamic hostname mapping
    7.4.11 Configuring IS-IS authentication
    7.4.12 Configuring LSDB overload flag bit
    7.4.13 Configuring output of the adjacency state
    7.4.14 Checking the configuration
  7.5 Configuring IS-IS GR
    7.5.1 Establishing the configuration task
    7.5.2 Enabling IS-IS GR
    7.5.3 Configuring parameters for an IS-IS GR session
    7.5.4 Checking the configuration
  7.6 Configuring BFD for IS-IS
    7.6.1 Establishing the configuration task
    7.6.2 Configuring BFD one-hop detection
    7.6.3 Enabling IS-IS fast sense
    7.6.4 Checking the configuration
  7.7 Configuring IS-IS IPv6 features
    7.7.1 Establishing the configuration task
    7.7.2 Enabling IPv6 on IS-IS processes
    7.7.3 Enabling IPv6 on IS-IS interfaces
    7.7.4 Configuring IPv6 route features of IS-IS
    7.7.5 Checking the configuration
  7.8 Maintaining IS-IS
    7.8.1 Resetting the IS-IS data structure
    7.8.2 Resetting a specific IS-IS peer
    7.8.3 Debugging IS-IS
  7.9 Configuration examples
    7.9.1 Example of configuring basic IS-IS functions
    7.9.2 Example of configuring IS-IS in an NBMA network
    7.9.3 Example of configuring route convergence
    7.9.4 Example of configuring the DIS election of IS-IS
    7.9.5 Example of configuring IS-IS load balancing
    7.9.6 Example of configuring IS-IS GR
    7.9.7 Example of configuring BFD for IS-IS
    7.9.8 Example of configuring IS-IS fast convergence
    7.9.9 Example of configuring basic IS-IS IPv6 functions

Figures

Figure 7-1 IS-IS address structure
Figure 7-2 IS-IS topology 1
Figure 7-3 IS-IS topology 2
Figure 7-4 DISs and adjacencies in IS-IS broadcast networks
Figure 7-5 PDU format
Figure 7-6 PDU header format
Figure 7-7 Level-1 and Level-2 LAN IIH format
Figure 7-8 P2P IIH format
Figure 7-9 Level-1 and Level-2 LSP format
Figure 7-10 LSDB overload schematic diagram
Figure 7-11 Level-1 and Level-2 CSNP format
Figure 7-12 Level-1 and Level-2 PSNP format
Figure 7-13 CLV format
Figure 7-14 Basic IS-IS configuration
Figure 7-15 IS-IS in NBMA network configuration
Figure 7-16 Route convergence of IS-IS configuration
Figure 7-17 DIS election of IS-IS configuration
Figure 7-18 IS-IS load balancing configuration
Figure 7-19 IS-IS GR configuration
Figure 7-20 BFD for IS-IS configuration
Figure 7-21 IS-IS fast convergence network diagram
Figure 7-22 Basic IS-IS IPv6 feature network diagram

Tables

Table 7-1 PDU types
Table 7-2 PDU types and the included CLV names
Table 7-3 Relationship between the interface cost and the bandwidth

7 IS-IS configuration

About this chapter

The following table shows the contents of this chapter.

| Section | Description |
| 7.1 Introduction | This section describes the principles and concepts of Intermediate System to Intermediate System (IS-IS). |
| 7.2 Configuring basic IS-IS functions | This section describes how to configure basic IS-IS functions. For a configuration example, see Example of configuring basic IS-IS. |
| 7.3 Controlling IS-IS routing information | This section describes how to control IS-IS routing information. For configuration examples, see Example of configuring the DIS election of IS-IS and Example of configuring IS-IS load balancing. |
| 7.4 Adjusting and optimizing IS-IS | This section describes how to adjust and optimize IS-IS. |
| 7.5 Configuring IS-IS GR | This section describes how to configure IS-IS Graceful Restart (GR). For a configuration example, see Example of configuring IS-IS GR. |
| 7.6 Configuring BFD for IS-IS | This section describes how to implement IS-IS fast convergence by using Bidirectional Forwarding Detection (BFD). For configuration examples, see Example of configuring BFD for IS-IS and Example of configuring IS-IS fast convergence. |
| 7.7 Configuring IS-IS IPv6 features | This section describes how to configure IS-IS IPv6 features. For a configuration example, see Example of configuring basic IS-IS IPv6. |
| 7.8 Maintaining IS-IS | This section describes how to maintain IS-IS. |
| 7.9 Configuration examples | This section provides configuration examples for IS-IS. |

7.1 Introduction

This section describes the following topics that you must understand before you configure IS-IS:

• Basic concepts
• IS-IS areas
• IS-IS network types
• IS-IS PDU formats
• IS-IS support for IPv6
• Supported IS-IS features
• References

7.1.1 Basic concepts

IS-IS exchanges routing information within a domain. IS-IS is a dynamic routing protocol in the internal autonomous system (AS). The International Organization for Standardization (ISO) initially issued IS-IS for its Connectionless Network Protocol (CLNP). To support IP routing, the Internet Engineering Task Force (IETF) extends and modifies IS-IS in RFC 1195. You can apply IS-IS to TCP/IP and Open Systems Interconnection (OSI) environments at the same time. This type of IS-IS is the Integrated IS-IS or the Dual IS-IS. Use IS-IS as an Interior Gateway Protocol (IGP) inside an AS. IS-IS is a link state protocol; it uses the Shortest Path First (SPF) algorithm to calculate routes. IS-IS is similar to the Open Shortest Path First (OSPF) protocol.

Terminology

• Intermediate System (IS): The IS is the basic unit in the IS-IS protocol. The IS transmits routing information and generates routes. This section uses IS to mean the same thing as a router.
• End System (ES): The ES does not participate in IS-IS processing. The ISO dedicates the ES-IS protocol to define the communication between an ES and an IS.
• Routing Domain (RD): A group of ISs exchange routing information through the same routing protocol in a routing domain.
• Area: The area is the division unit in the routing domain.
• Link State Database (LSDB): All the link states in the network form the LSDB. In an IS, at least one LSDB exists. The IS uses the SPF algorithm and the LSDB to generate its own routes.
• Link State Protocol Data Unit (LSP): In IS-IS, each IS generates an LSP that contains all the link state information of the IS. Each IS collects all the LSPs in the local area to generate its own LSDB.
• Network Protocol Data Unit (NPDU): The NPDU indicates the network layer packets of the ISO and equals the IP packet of TCP/IP.
• Designated IS (DIS): The DIS indicates an elected router on a broadcast network. The DIS is equal to the designated router (DR) of the OSPF protocol.
• Network Service Access Point (NSAP): The NSAP indicates a network layer address of ISO. The NSAP identifies an abstract network-service access point and describes the network address structure of the ISO model.

Address structure of the IS-IS protocol

• NSAP

Figure 7-1 shows the address structure of IS-IS. The NSAP consists of the Initial Domain Part (IDP) and the Domain Specific Part (DSP). The IDP is equivalent to the network ID in an IP address; the DSP is equivalent to the subnet number and the host address in an IP address.

As defined by the ISO, the IDP consists of the Authority and Format Identifier (AFI) and the Initial Domain Identifier (IDI). The AFI specifies the address assignment mechanism and the address format. The IDI identifies a domain.

The DSP consists of the High Order DSP (HODSP), the system ID, and the NSAP Selector (SEL). The HODSP partitions areas. The system ID identifies a host and the SEL indicates the service type.

The length of the IDP and the DSP is variable. The maximum total length of these two fields is 20 bytes and the minimum is 8 bytes.

Figure 7-1 IS-IS address structure

[Figure: field layout. IDP = AFI, IDI. DSP = High Order DSP, System ID, SEL (1 octet). Area Address = AFI through High Order DSP.]

• Area address

The IDP, with the HODSP of the DSP, can identify the routing domain and the areas in a routing domain. The combination of the IDP and HODSP is the area address. The area address is equal to the area ID in OSPF. The area addresses vary with the areas.

Generally, you can configure a router with only one area address. All the nodes in the same area must use the same area address. To support the seamless combination, the division, and the transformation of areas, you can configure a router with a maximum of three area addresses.

• System ID

A system ID uniquely identifies a host or a router in an area. The fixed length is 48 bits (6 bytes). Normally, a router ID corresponds to a system ID. For example, a router uses the IP address 168.10.1.1 of the Loopback0 interface as its router ID. You can derive the IS-IS system ID from the router ID with the following method:

− Extend each part of the IP address 168.10.1.1 to three digits. Add 0 to the front of each part that has fewer than three digits.
− Divide the extended address 168.010.001.001 into three parts, where each part consists of four decimal digits.
− 1680.1000.1001 is the system ID.

There are many ways to designate a system ID, as long as it can uniquely identify an ES or a router.

• SEL

The role of an SEL is similar to that of the protocol ID for the IP. A transport protocol matches an SEL. The SEL is always 00 in the IP.

• Routing

As this type of address structure defines an area, the Level-1 routers can easily identify the packets sent to an outside area. The packets forward to the Level-2 routers. Level-1 routers use the system ID to perform the intra-area routing. After a Level-1 router finds that the destination address of a packet is out of its own area, it forwards the packet to the nearest Level-1-2 router. Based on area addresses (IDP, HODSP), the Level-2 routers perform the inter-area routing.
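The address fields described above can be checked mechanically before a router is configured. The following Python sketch is an added example, not part of the Nortel guide: it applies the router-ID-to-system-ID method and splits a NET (an NSAP whose SEL is 00) into area address, system ID and SEL, enforcing the 8 to 20 byte limit, the three-address maximum and the shared system ID. All function names are assumptions of this example, and the 49.000x NETs in the usage lines are constructed sample values.

```python
import re
from dataclasses import dataclass

MIN_BYTES, MAX_BYTES = 8, 20   # total NSAP/NET length allowed by the guide
MAX_NETS = 3                   # at most three area addresses per IS-IS process


@dataclass(frozen=True)
class Net:
    area: str        # area address (IDP + HODSP), dotted hex
    system_id: str   # 6 bytes, written xxxx.xxxx.xxxx
    sel: str         # 1 byte, 00 in a NET


def system_id_from_router_id(router_id):
    """Pad each octet to three digits, then regroup the 12 digits by four."""
    octets = router_id.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 router ID: {router_id!r}")
    digits = "".join(f"{int(o):03d}" for o in octets)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def _dotted(hex_digits, first):
    """One leading group of `first` digits, then groups of four."""
    groups = [hex_digits[:first]]
    groups += [hex_digits[i:i + 4] for i in range(first, len(hex_digits), 4)]
    return ".".join(g for g in groups if g)


def parse_net(text):
    """Split a NET into area address, system ID and SEL."""
    hex_digits = text.replace(".", "").lower()
    if not re.fullmatch(r"[0-9a-f]+", hex_digits) or len(hex_digits) % 2:
        raise ValueError(f"NET must be whole bytes of hex: {text!r}")
    size = len(hex_digits) // 2
    if not MIN_BYTES <= size <= MAX_BYTES:
        raise ValueError(f"NET is {size} bytes; allowed range is {MIN_BYTES}-{MAX_BYTES}")
    # Read from the right: 1-byte SEL, 6-byte system ID, the rest is the area address.
    return Net(area=_dotted(hex_digits[:-14], 2),
               system_id=_dotted(hex_digits[-14:-2], 4),
               sel=hex_digits[-2:])


def audit_nets(nets):
    """Return a list of findings for the NETs planned for one router."""
    findings, parsed = [], []
    for text in nets:
        try:
            parsed.append(parse_net(text))
        except ValueError as exc:
            findings.append(str(exc))
    if len(nets) > MAX_NETS:
        findings.append(f"{len(nets)} NETs configured; the maximum is {MAX_NETS}")
    if len({net.system_id for net in parsed}) > 1:
        findings.append("NETs on one router must share the same system ID")
    findings += [f"SEL of {net.area}.{net.system_id} is {net.sel}, expected 00"
                 for net in parsed if net.sel != "00"]
    return findings


if __name__ == "__main__":
    print(system_id_from_router_id("168.10.1.1"))
    print(parse_net("ab.cdef.1234.5678.9abc.00"))
    # Constructed sample: two NETs whose system IDs differ by mistake.
    print(audit_nets(["49.0001.1680.1000.1001.00", "49.0002.1680.1000.1002.00"]))
```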

Network Entity Title

The Network Entity Title (NET) indicates the network layer information of an IS. The NET excludes the transport layer information (SEL = 0). NET is a special NSAP. The length of the NET is the same as that of the NSAP. The NET can be a maximum of 20 bytes and a minimum of 8 bytes. On an IS-IS router, you can configure only the NET instead of the NSAP.

Generally, you configure a router with only one NET. When you need to reconstruct an area, configure multiple NETs on the router. For example, to combine many areas together or to divide an area into subareas, configure multiple NETs. This configuration guarantees route correctness even after the reconfiguration. Because you can configure a maximum of three area addresses on an IS-IS process of a router, you can configure a maximum of three NETs. When you configure multiple NETs, ensure that their system IDs are identical.

For example, in the NET ab.cdef.1234.5678.9abc.00, the following values exist: Area = ab.cdef, System ID = 1234.5678.9abc, SEL = 00.

7.1.2 IS-IS areas

Two-level structure

To support large-scale routing networks, the IS-IS uses a two-level structure in an RD. A large RD divides into one or more areas. Level-1 routers manage the intra-area routing, whereas the Level-2 routers manage the interarea routing.

Level-1 and Level-2

• Level-1 router

The Level-1 router manages the intra-area routing. The router establishes the neighbor relationship only with the Level-1 and the Level-1-2 routers in the same area. The router maintains a Level-1 LSDB. The LSDB contains the routing information for the local area. A packet to a destination outside this area forwards to the nearest Level-1-2 router.

• Level-2 router

The Level-2 router manages the interarea routing. The router can establish a neighbor relationship with the Level-2 routers and the Level-1-2 routers in the other areas. The router maintains a Level-2 LSDB. The LSDB contains routing information between the areas.

All Level-2 routers form the backbone network of the routing domain. Level-2 routers communicate between areas. The Level-2 routers in the routing domain must be in succession to ensure the continuity of the backbone network. Only the Level-2 routers can exchange the data packets or the routing information with routers outside the routing domain.

• Level-1-2 router

A Level-1-2 router is a router that belongs to the Level-1 area and the Level-2 area. The router can establish a Level-1 neighbor relationship with the Level-1 routers and Level-1-2 routers in the same area. In addition, the router can establish a Level-2 neighbor relationship with the Level-2 routers and Level-1-2 routers in the other areas. A Level-1 router must connect to the other areas through a Level-1-2 router. A Level-1-2 router maintains two LSDBs: the Level-1 LSDB for the intra-area routing and the Level-2 LSDB for the interarea routing.

NOTE

• Level-1 routers in different areas cannot establish a neighbor relationship.
• Level-2 routers can establish neighbor relationships regardless of the areas.

Figure 7-2 shows an IS-IS enabled network, similar to an OSPF topology with multiple areas. Area 1 is a backbone area. All routers in this area are Level-2 routers. The other four areas are nonbackbone areas. The nonbackbone areas connect to Area 1 through the Level-1-2 routers.

Figure 7-2 IS-IS topology 1

[Figure: Area1 contains the Level-2 (L2) routers; Area2, Area3, Area4 and Area5 contain Level-1 (L1) routers and attach to Area1 through Level-1-2 (L1/2) routers.]

Figure 7-3 shows another type of IS-IS topology. The Level-1-2 routers not only connect the Level-1 and the Level-2 routers, but they also establish the backbone network together with the other Level-2 routers. In this topology, no area is a backbone area. The backbone network contains all the Level-2 routers. The Level-2 routers can belong to different areas but they must be successive.

Figure 7-3 IS-IS topology 2

[Figure: L1, L2 and L1/L2 routers spread across Area1, Area2, Area3 and Area4; no single area is the backbone.]

NOTE

The IS-IS backbone network does not refer to a specific area. The preceding type of networking scheme shows the difference between IS-IS and OSPF. For OSPF, the backbone area forwards the inter-area routes and uses the SPF algorithm in the same area. For IS-IS, both the Level-1 and the Level-2 routers use the SPF algorithm to generate the Shortest Path Tree (SPT).


Interface level

The Level-1-2 routers can establish the Level-1 neighbor relationship with a peer and establish the Level-2 neighbor relationship with another peer. You can configure the level of an interface to limit the adjacency on the interface. For example, a Level-1 interface can establish only a Level-1 adjacency and a Level-2 interface can establish only a Level-2 adjacency.

For a Level-1-2 router, you can configure some interfaces as Level-2. This configuration does not send the Level-1 hello packets to the Level-2 backbone network and conserves bandwidth.

Route leaking

Usually, an IS-IS area is a Level-1 area and Level-1 routers manage the intra-area routes. All the Level-2 routers form a Level-2 area. A routing domain can contain multiple Level-1 areas but only one Level-2 area. The Level-1 areas can connect only to the Level-2 area. The Level-1 areas cannot connect to each other.

All the Level-1 areas send their routing information to the Level-2 area through the Level-1-2 routers. The routers in the Level-2 area can obtain the routing information of the entire IS-IS routing domain. By default, the Level-2 routers do not advertise the routing information that they know about the other Level-1 areas and the Level-2 area to any Level-1 area. As a result, the routers in a Level-1 area cannot obtain routing information from outside the area and cannot choose the best route to a destination outside the area.

To solve this problem, IS-IS routes can leak from Level-2 to Level-1. This configuration lets routers in the specified Level-1 area learn the routing information from outside the area.

7.1.3 IS-IS network types

Network types

IS-IS supports only two network types, which are divided based on physical links:

• Broadcast links, for example, Ethernet and Token-Ring
• Point-to-point links, for example, Point-to-Point Protocol (PPP) and High level Data Link Control (HDLC)

For NonBroadcast Multiple Access (NBMA) networks such as Asynchronous Transfer Mode (ATM), you must configure subinterfaces. The type of the subnet must not be Point-To-Multipoint (P2MP). IS-IS cannot run on P2MP networks.

DIS and pseudo nodes

In broadcast networks, the IS-IS needs to elect a Designated Intermediate System (DIS) from all the routers. Level-1 and Level-2 elect their DISs respectively. You can configure different priorities for the different levels. The higher the priority is, the higher the possibility that the router becomes the DIS. If two or more routers with the same priority exist in the broadcast network, the router with the largest Medium Access Control (MAC) address becomes the DIS. The DISs of different levels can be the same router or different routers.

If a new router meets all the requirements to become a DIS, it becomes the new DIS, which leads to LSP flooding. This process is different from the OSPF protocol. In IS-IS broadcast networks, routers of the same level in the same network segment can form adjacencies. All non-DIS routers can also form adjacencies with each other. This process is different from OSPF, as shown in Figure 7-4.

Figure 7-4 DISs and adjacencies in IS-IS broadcast networks (diagram: L1/L2 routers on a broadcast segment, with the L1 adjacencies, the L2 adjacencies, the L1 DIS and the L2 DIS)

The DIS creates and updates pseudo nodes. The DIS generates LSPs of the pseudo nodes, which describe the available routers on the network. The pseudo nodes simulate the virtual nodes in the broadcast network. In IS-IS, the system ID of the DIS and the 1-byte Circuit ID identify the pseudo nodes. Pseudo nodes simplify the network topology and shorten the LSP. The router generates fewer LSPs when the network changes. The SPF uses fewer resources.

NOTE

In an IS-IS broadcast network, although all the routers form adjacencies with each other, the DIS synchronizes the LSDBs.

7.1.4 IS-IS PDU formats

PDU header

Frames directly encapsulate the IS-IS packets. The PDU consists of the packet header and the variable length fields. The packet header consists of a common header and a specific header. The common headers are the same for all the PDUs, but the specific headers vary with the PDUs, as shown in the following figure.

Figure 7-5 PDU format

PDU Common Header | PDU Specific Header | Variable Length Fields (CLV)

Common header

All the PDUs use the same common header, as shown in the following figure.

Figure 7-6 PDU header format

| Field | No. of octets |
|---|---|
| Intradomain Routeing Protocol Discriminator | 1 |
| Length Indicator | 1 |
| Version/Protocol ID Extension | 1 |
| ID Length | 1 |
| R, R, R, PDU Type | 1 |
| Version | 1 |
| Reserved | 1 |
| Maximum Area Address | 1 |

The following list explains the main fields:

• Intradomain Routing Protocol Discriminator—The value of this field is 0x83.
• Length Indicator—This field indicates the length of the PDU header, including the common header and the specific header, in bytes.
• Version/Protocol ID Extension—The value of this field is 1 (0x01).
• ID Length—This field indicates the length of the NSAP address or the length of the system ID in NET.

  NOTE

  For the Secure Router 8000, the field is 6. This value indicates that the length of System ID is 6 bytes.

• Reserved (R)—The value of this field is 0.
• PDU Type—For details about this field, see Table 7-1.
• Version—The value of this field is 1 (0x01).
• Maximum Area Address—This field indicates the maximum number of areas the IS area supports. The value is an integer from 1–254. 0 indicates a maximum of 3 area addresses.

The following table lists the possible values for the PDU Type field.

Table 7-1 PDU types

| Type value | PDU types | Acronym |
|---|---|---|
| 15 | Level-1 LAN IS-IS Hello PDU | L1 LAN IIH |
| 16 | Level-2 LAN IS-IS Hello PDU | L2 LAN IIH |
| 17 | Point-to-Point IS-IS Hello PDU | P2P IIH |
| 18 | Level-1 Link State PDU | L1 LSP |
| 20 | Level-2 Link State PDU | L2 LSP |
| 24 | Level-1 Complete Sequence Numbers PDU | L1 CSNP |
| 25 | Level-2 Complete Sequence Numbers PDU | L2 CSNP |
| 26 | Level-1 Partial Sequence Numbers PDU | L1 PSNP |
| 27 | Level-2 Partial Sequence Numbers PDU | L2 PSNP |

Format of hello packets

The hello packets, the IS-to-IS Hello PDUs (IIH), establish and maintain the neighbor relationship. The Level-1 LAN IIH applies to the Level-1 routers on the broadcast LAN, the Level-2 LAN IIH applies to the Level-2 routers on the broadcast LAN, and the P2P IIH applies to the nonbroadcast networks. The packets in different networks use different formats.

The hello packets in the broadcast networks use the format shown in the following figure (the highlighted part is the common header).

Figure 7-7 Level-1 and Level-2 LAN IIH format

| Field | No. of octets |
|---|---|
| Intradomain Routeing Protocol Discriminator | 1 |
| Length Indicator | 1 |
| Version/Protocol ID Extension | 1 |
| ID Length | 1 |
| R, R, R, PDU Type | 1 |
| Version | 1 |
| Reserved | 1 |
| Maximum Area Address | 1 |
| Reserved/Circuit Type | 1 |
| Source ID | ID Length |
| Holding Time | 2 |
| PDU Length | 2 |
| R, Priority | 1 |
| LAN ID | ID Length+1 |
| Variable Length Fields | variable |

The following list explains the main fields:

• Reserved/Circuit Type—The first six bits are reserved and are all zeros. The lower two bits indicate the IS-IS Level of the router: 01 indicates L1, 10 indicates L2, and 11 indicates L1/L2.
• Source ID—This field indicates the system ID of the router that sends the hello packets.
• Holding Time—If a router does not receive the hello packets from its neighbor in this period of time, it terminates the neighbor relationship.
• PDU Length—This field indicates the total length, in bytes, of a PDU.
• Priority—This field indicates the priority for the DIS election. The value ranges from 0–127. The greater the value is, the higher the priority.
• LAN ID—This field includes the system ID of the DIS and the 1-byte pseudo-node ID.

The following figure shows the hello packets in the P2P network format.

Figure 7-8 P2P IIH format

| Field | No. of octets |
|---|---|
| Intradomain Routeing Protocol Discriminator | 1 |
| Length Indicator | 1 |
| Version/Protocol ID Extension | 1 |
| ID Length | 1 |
| R, R, R, PDU Type | 1 |
| Version | 1 |
| Reserved | 1 |
| Maximum Area Address | 1 |
| Reserved/Circuit Type | 1 |
| Source ID | ID Length |
| Holding Time | 2 |
| PDU Length | 2 |
| Local Circuit ID | 1 |
| Variable Length Fields | variable |

As shown in Figure 7-8, most fields in the P2P IIH are the same as those in the LAN IIH. The P2P IIH does not use the Priority and LAN ID fields, but uses a Local Circuit ID field.

LSP

The LSPs exchange link state information. There are two types of LSPs: the Level-1 LSP and the Level-2 LSP. The Level-2 routers transmit the Level-2 LSPs. The Level-1 routers transmit the Level-1 LSPs. The Level-1-2 routers can transmit both types of LSPs. All LSPs use the same format, as shown in the following figure.

Figure 7-9 Level-1 and Level-2 LSP format

| Field | No. of octets |
|---|---|
| Intradomain Routeing Protocol Discriminator | 1 |
| Length Indicator | 1 |
| Version/Protocol ID Extension | 1 |
| ID Length | 1 |
| R, R, R, PDU Type | 1 |
| Version | 1 |
| Reserved | 1 |
| Maximum Area Address | 1 |
| PDU Length | 2 |
| Remaining Lifetime | 2 |
| LSP ID | ID Length+2 |
| Sequence Number | 4 |
| Checksum | 2 |
| P, ATT, OL, IS Type | 1 |
| Variable Length Fields | variable |

The following list explains the main fields:

• PDU Length—This field indicates the total length, in bytes, of a PDU.
• Remaining Lifetime—This field indicates the lifetime, in seconds, of the LSP.
• LSP ID—This field consists of the system ID, the pseudo-node ID (one byte), and the number of the LSPs (one byte) after fragmentation.
• Sequence Number—This field indicates the sequence number of the LSP.
• Checksum—This field indicates the checksum value of the LSP.
• P (Partition Repair)—This field relates only to the Level-2 LSP. The value indicates whether the router supports automatic partition repair.
• ATT (Attachment)—This field only relates to the Level-1 LSPs. The value indicates that the router (the Level-1 or Level-2 router) that generates this LSP attaches to multiple areas.
• OL (LSDB Overload)—This field indicates that the LSDB of the local router is incomplete because of a lack of hardware memory. When the other routers receive this message, they do not send packets that this router must forward. The router still forwards packets for a destination that directly connects to the local router. As shown in Figure 7-10, Router B forwards the packets from Router A to Router C. If the OL field in the packets of Router B is 1, Router A considers that the route of Router B is incomplete. Router A forwards the packet to Router C through Router D and Router E. The packets for a destination that directly connects to Router B are not affected.

Figure 7-10 LSDB overload schematic diagram (diagram: RouterA, RouterB, RouterC, RouterD and RouterE, with an Overload label)

• IS Type—This field indicates the level of the router that generates the LSP. The value specifies whether it is a Level-1 router or Level-2 router. 01 indicates Level-1 and 11 indicates Level-2.

SNP

The Sequence Number PDUs (SNPs) describe the LSPs in all or part of the databases to synchronize and maintain the LSDB. The SNP includes complete SNP (CSNP) and partial SNP (PSNP). The SNPs further divide into the Level-1 CSNP, the Level-2 CSNP, the Level-1 PSNP, and the Level-2 PSNP.

The CSNP contains all the LSP summary information in the LSDB. This process maintains the synchronization between the neighboring routers. On a broadcast network, the DIS periodically transmits the CSNP. The default transmission cycle is 10 seconds. On a point-to-point link, the CSNP transmits only when a neighbor relationship initially establishes.

The following figure shows the packet format of the CSNP.

Figure 7-11 Level-1 and Level-2 CSNP format

| Field | No. of octets |
|---|---|
| Intradomain Routeing Protocol Discriminator | 1 |
| Length Indicator | 1 |
| Version/Protocol ID Extension | 1 |
| ID Length | 1 |
| R, R, R, PDU Type | 1 |
| Version | 1 |
| Reserved | 1 |
| Maximum Area Address | 1 |
| PDU Length | 2 |
| Source ID | ID Length+1 |
| Start LSP ID | ID Length+2 |
| End LSP ID | ID Length+2 |
| Variable Length Fields | variable |

The PSNP lists only the sequence numbers of recently received LSPs. A PSNP can acknowledge multiple LSPs at a time. When the LSDBs are not synchronized, a router uses a PSNP to request that a neighbor send a new LSP. The following figure shows the packet format of the PSNP.

Figure 7-12 Level-1 and Level-2 PSNP format

| Field | No. of octets |
|---|---|
| Intradomain Routeing Protocol Discriminator | 1 |
| Length Indicator | 1 |
| Version/Protocol ID Extension | 1 |
| ID Length | 1 |
| R, R, R, PDU Type | 1 |
| Version | 1 |
| Reserved | 1 |
| Maximum Area Address | 1 |
| PDU Length | 2 |
| Source ID | ID Length+1 |
| Variable Length Fields | variable |

CLV

The variable length fields are the multiple Code-Length-Values (CLVs). The format is shown in the following figure.

Figure 7-13 CLV format

| Field | No. of octets |
|---|---|
| Code | 1 |
| Length | 1 |
| Value | Length |

The CLVs vary with the PDU types, as shown in the following table.

Table 7-2 PDU types and the included CLV names

| CLV code | Name | Applied PDU type |
|---|---|---|
| 1 | Area Addresses | IIH, LSP |
| 2 | IS Neighbors (LSP) | LSP |
| 4 | Partition Designated Level2 IS | L2 LSP |
| 6 | IS Neighbors (MAC Address) | LAN IIH |
| 7 | IS Neighbors (SNPA Address) | LAN IIH |
| 8 | Padding | IIH |
| 9 | LSP Entries | SNP |
| 10 | Authentication Information | IIH, LSP, SNP |
| 128 | IP Internal Reachability Information | LSP |
| 129 | Protocols Supported | IIH, LSP |
| 130 | IP External Reachability Information | L2 LSP |
| 131 | InterDomain Routing Protocol Information | L2 LSP |
| 132 | IP Interface Address | IIH, LSP |
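The header layouts in Figures 7-6 to 7-13 and the codes in Tables 7-1 and 7-2 translate directly into receive-side checks. The following Python parser is an added example, not part of the Nortel software or documentation: it validates the common header, checks the Length Indicator against the PDU type, and walks the CLVs with bounds checks, noting any CLV that Table 7-2 does not list for that PDU type. The sample hello PDUs are constructed, and treating an ID Length of 0 as 6 octets follows ISO 10589 rather than this page.

```python
import struct

IRPD = 0x83  # Intradomain Routing Protocol Discriminator (Figure 7-6)

# PDU type -> (acronym, family, fixed octets, octets per ID Length) of the specific header
PDU_TYPES = {
    15: ("L1 LAN IIH", "LAN IIH", 7, 2), 16: ("L2 LAN IIH", "LAN IIH", 7, 2),
    17: ("P2P IIH", "P2P IIH", 6, 1),
    18: ("L1 LSP", "L1 LSP", 13, 1), 20: ("L2 LSP", "L2 LSP", 13, 1),
    24: ("L1 CSNP", "SNP", 7, 3), 25: ("L2 CSNP", "SNP", 7, 3),
    26: ("L1 PSNP", "SNP", 3, 1), 27: ("L2 PSNP", "SNP", 3, 1),
}
IIH, LSP, SNP = {"LAN IIH", "P2P IIH"}, {"L1 LSP", "L2 LSP"}, {"SNP"}
# CLV code -> (name, PDU families that Table 7-2 lists for it)
CLVS = {
    1: ("Area Addresses", IIH | LSP),
    2: ("IS Neighbors (LSP)", LSP),
    4: ("Partition Designated Level2 IS", {"L2 LSP"}),
    6: ("IS Neighbors (MAC Address)", {"LAN IIH"}),
    7: ("IS Neighbors (SNPA Address)", {"LAN IIH"}),
    8: ("Padding", IIH),
    9: ("LSP Entries", SNP),
    10: ("Authentication Information", IIH | LSP | SNP),
    128: ("IP Internal Reachability Information", LSP),
    129: ("Protocols Supported", IIH | LSP),
    130: ("IP External Reachability Information", {"L2 LSP"}),
    131: ("InterDomain Routing Protocol Information", {"L2 LSP"}),
    132: ("IP Interface Address", IIH | LSP),
}


def parse_pdu(frame):
    """Parse one IS-IS PDU; raise ValueError if a length field cannot be trusted."""
    if len(frame) < 8:
        raise ValueError("shorter than the 8-octet common header")
    irpd, hdr_len, ext, id_len, type_octet, version, _rsvd, max_area = frame[:8]
    if irpd != IRPD or ext != 1 or version != 1:
        raise ValueError("not an IS-IS version 1 PDU")
    # ISO 10589 also encodes a 6-octet system ID as 0 (not stated on the page).
    id_len = 6 if id_len == 0 else id_len
    if not 1 <= id_len <= 8:
        raise ValueError("unsupported ID Length")
    pdu_type = type_octet & 0x1F  # the top three bits are the reserved R bits
    if pdu_type not in PDU_TYPES:
        raise ValueError(f"unknown PDU type {pdu_type}")
    acronym, family, fixed, per_id = PDU_TYPES[pdu_type]
    if hdr_len != 8 + fixed + per_id * id_len or hdr_len > len(frame):
        raise ValueError("Length Indicator does not match the PDU type")
    # IIH: PDU Length follows Circuit Type, Source ID, Holding Time; else octet 8.
    offset = 11 + id_len if family in IIH else 8
    (pdu_len,) = struct.unpack_from("!H", frame, offset)
    if not hdr_len <= pdu_len <= len(frame):
        raise ValueError("PDU Length is outside the received frame")
    notes = ["reserved bits set in the PDU Type octet"] if type_octet & 0xE0 else []
    clvs, pos = [], hdr_len
    while pos < pdu_len:
        if pdu_len - pos < 2:
            raise ValueError("truncated CLV header")
        code, length = frame[pos], frame[pos + 1]
        pos += 2
        if pos + length > pdu_len:
            raise ValueError(f"CLV {code} overruns the PDU")
        name, allowed = CLVS.get(code, ("not in Table 7-2", None))
        if allowed is not None and family not in allowed:
            notes.append(f"CLV {code} ({name}) is not listed for {acronym}")
        clvs.append((code, name, bytes(frame[pos:pos + length])))
        pos += length
    return {"type": acronym, "pdu_length": pdu_len, "clvs": clvs, "notes": notes,
            "max_area_addresses": 3 if max_area == 0 else max_area}


def build_lan_iih(clvs, id_length_field=6):
    """Build a constructed Level-1 LAN IIH (sample data, not a capture)."""
    body = b"".join(bytes([code, len(value)]) + value for code, value in clvs)
    system_id = bytes.fromhex("000000000001")
    header = bytes([IRPD, 27, 1, id_length_field, 15, 1, 0, 0])
    header += b"\x01" + system_id + struct.pack("!HH", 30, 27 + len(body))
    header += bytes([64]) + system_id + b"\x01"  # priority 64, LAN ID
    return header + body


SAMPLE_CLVS = [
    (1, bytes.fromhex("03490001")),  # Area Addresses: one 3-octet area, 49.0001
    (129, bytes([0x8E])),            # Protocols Supported: IPv6 NLPID from 7.1.5
    (132, bytes([192, 0, 2, 1])),    # IP Interface Address (documentation range)
]
GOOD = build_lan_iih(SAMPLE_CLVS)
# Same PDU with the last CLV's length octet changed from 4 to 200.
OVERRUN = GOOD[:-5] + bytes([200]) + GOOD[-4:]
# An SNP-only CLV (LSP Entries) and an unlisted code placed in a hello.
MISPLACED = build_lan_iih(SAMPLE_CLVS + [(9, b""), (232, bytes(16))])

if __name__ == "__main__":
    for label, frame in (("good", GOOD), ("overrun", OVERRUN), ("misplaced", MISPLACED)):
        try:
            print(label, parse_pdu(frame))
        except ValueError as err:
            print(label, "rejected:", err)
```

A CLV code that is absent from Table 7-2 is reported by name only and does not cause a rejection, because the table is not a complete list of CLVs.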

ISO 10589 defines the CLVs with codes that range from 1 to 10. Table 7-2 does not list two of these types. RFC 1195 defines the other CLVs in the table.

7.1.5 IS-IS support for IPv6

The IS-IS protocol can easily support IPv6. The IETF draft for IPv6, draft-ietf-isis-ipv6-05.txt, defines the extended IS-IS protocol. The draft introduces two Type-Length-Values (TLV) and a Network Layer Protocol Identifier (NLPID).

A TLV is a variable length field in the LSP. The following list identifies the two new TLVs:

• IPv6 Reachability—The type value is 236 (0xEC). This TLV defines the routing information prefix and the metric that describe the network reachability.
• IPv6 Interface Address—The type value is 232 (0xE8). This TLV is equal to the IP interface address TLV of the IPv4, but it changes the original 32-bit IPv4 address to a 128-bit IPv6 address.

NLPID is an 8-bit field that identifies the network layer protocol packets. The NLPID of the IPv6 is 142 (0x8E). If an IS-IS router supports IPv6, it advertises the routing information outside by using this NLPID value.

7.1.6 Supported IS-IS features

Multi-instance and multiprocess

For easy management and effective control, IS-IS supports multiprocess and multi-instance features. The multiprocess feature allows a set of interfaces to associate with a specific IS-IS process. This feature ensures that the specific IS-IS process performs all the protocol operations only on the set of interfaces. Multiple IS-IS processes can work on a single router and each process performs protocol operations for a unique set of interfaces.

For routers that support a virtual private network (VPN), each IS-IS process associates with a particular VPN instance. In this case, all the interfaces that attach to an IS-IS process must associate with the VPN instance with which this IS-IS process associates.

IS-IS hot standby

Routers with a distributed structure support the IS-IS hot standby (HSB) feature. IS-IS backs up data from the Active Main Board (AMB) to the Standby Main Board (SMB). After the AMB fails, the SMB becomes active and replaces the AMB. IS-IS can continue to work normally. IS-IS supports the following two types of HSBs:

• All the IS-IS data synchronizes for backup. When the switchover of the AMB and the SMB occurs, IS-IS resumes the normal work immediately to ensure smooth operation.
• Only the configuration information backs up during the switchover of the AMB and the SMB. When you perform a GR, IS-IS resends the request to establish adjacencies with the neighbors to synchronize the LSDB.

IS-IS GR

GR is a function that restarts the router gracefully. GR does not affect the traffic forwarding and does not cause route flapping. If IS-IS does not restart in GR mode, it resets the IS-IS session, regenerates an LSP, and floods the LSP. This process causes the SPF calculation in the entire area and leads to route flapping and forwarding interruption in the entire area. RFC 3847 stipulates the GR standards that regulate the IS-IS restart both when the forwarding information base (FIB) table is retained and when it is not.

IS-IS TE

The IS-IS Traffic Engineering (TE) supports the establishment and maintenance of the Label Switched Path (LSP). When you construct the constraint-based routed LSP, Multiprotocol Label Switching (MPLS) must learn the traffic attributes of all the links in this area. MPLS can acquire the TE information of the links through IS-IS.

NOTE

For details about IS-IS TE configuration, see Nortel Secure Router 8000 Series Configuration Guide - MPLS (NN46240-506).

Administrative tags

The administrative tags carry administrative information about an IP address prefix. The tags control route import between the different levels and the areas, and control the different routing protocols and the multiple IS-IS instances that run on the same router. The tags control the BGP standard or the extended communities.

The administrative tag value is associated with certain attributes. When the IS-IS advertises an IP address prefix with these attributes, it adds the administrative tag to the TLV in the prefix. In this method, the tag stays with the prefix and floods throughout the routing domain.

LSP fragment extension

When the link state PDUs that IS-IS advertises contain too much information, they advertise in multiple LSP fragments of the same system. An LSP identifier field identifies each LSP fragment. The LSP identifier field uses 1 byte. The maximum number of fragments that an IS-IS router can generate is 256.

The IS-IS LSP fragments extension feature allows an IS-IS router to generate more LSP fragments. To implement this feature, you can configure additional system IDs for the router. Each system ID represents a virtual system that can generate 256 LSP fragments. With more additional system IDs, up to 50 virtual systems, the IS-IS router can generate a maximum of 13 056 LSP fragments.

• Related terms
  − Originating System
    The originating system is a router that runs the IS-IS protocol. A single IS-IS process can advertise its LSPs as multiple virtual routers and the originating system represents the real IS-IS process.
  − Normal System ID
    The normal system ID is the system ID of an originating system.
  − Additional System ID
    The network manager assigns an additional system ID. Each additional system ID can generate up to 256 additional or extended LSP fragments. Like the normal system ID, the additional system ID must be unique in the routing domain.
  − Virtual System
    The system, which is identified by an additional system ID, generates extended LSP fragments. These fragments carry the additional system IDs in their LSP IDs.
• Operation Modes
  The IS-IS router can run the LSP fragment extension feature in the following two modes:
  − Mode-1: Use this mode when some of the older routers in the network do not support this feature. In this mode, the originating system advertises a link to each of the virtual systems in its LSPs. Similarly, each of the virtual systems advertises a link to the originating system. In this process, the virtual systems look like the actual routers that connect to the originating system in the network. The one restriction in this mode is that only Leaf Information can advertise in the LSPs of the virtual systems.
  − Mode-2: Use this mode when all of the routers in the network support this feature. In this mode, all the routers in the network can understand that the LSPs that the virtual systems generate actually belong to the originating system. There is no restriction on the link state information that can advertise in the LSPs of the virtual systems.

Dynamic hostname exchange mechanism

To manage and maintain the IS-IS networks more conveniently, IS-IS introduces the dynamic hostname exchange mechanism. This mechanism provides a mapping service from the hostname to system ID for routers in the IS-IS domain. This dynamic name information advertises in the form of a dynamic hostname TLV.

The dynamic hostname exchange mechanism provides a service to associate a host name with the DIS in the broadcast network. Then, this mechanism advertises this association information through the pseudo node LSP of the router in the form of a dynamic hostname TLV.

The host name is easier to identify and memorize than the system ID. After you configure this function, the display commands you configure on the routers in the network display this host name for the router, instead of the system ID.

IS-IS fast convergence

• Incremental SPF (I-SPF)

  I-SPF calculates only the changed routes rather than all the routes. ISO 10589 uses the Dijkstra algorithm to calculate the routes. When a node changes in the network, this algorithm must recalculate all the nodes. This method takes a long time, uses too much of the Central Processing Unit (CPU), and affects the convergence speed. I-SPF improves this algorithm. I-SPF calculates all nodes the first time but calculates only the changed nodes afterward. The SPT that I-SPF generates is the same as that generated by the previous algorithm. This process reduces the CPU use and speeds up network convergence.

• Partial Route Calculation

  Similar to I-SPF, the Partial Route Calculation (PRC) calculates only the changed nodes, but it updates the leaves (routes) that I-SPF calculates, instead of the shortest path. In route calculation, a route represents a leaf and a router represents a node. If the SPT that I-SPF calculates changes, PRC processes all the leaves on the changed node. If the SPT remains unchanged, PRC processes only the changed leaves. For example, if you enable only IS-IS on an interface of a node, then the SPT that I-SPF calculates remains unchanged. In this case, PRC updates only the routes of this interface, which uses less CPU. PRC works with I-SPF to improve the convergence performance of the network. This process is an improvement on the original SPF algorithm.

NOTE

In the Secure Router 8000 implementation, only I-SPF and PRC calculate routes.

• LSP Fast Flooding

  When a router receives new LSPs from other routers, it floods the LSPs in its own LSDB periodically. This process can speed up the network convergence but the LSDB synchronizes slowly. LSP fast flooding addresses the synchronization problem. When you configure the router with this feature and it receives one or more LSPs, it floods the LSPs, fewer than the specified number, before route calculation. The LSDB can synchronize quickly. This improves the network convergence speed.

• Intelligent Timer

  Although the route calculation algorithm is improved, the long interval for triggering the route calculation also affects the convergence speed. You can shorten the interval by using a millisecond-level timer. Frequent network changes also occupy too much CPU. The SPF intelligent timer addresses these problems. The timer responds to burst events quickly and avoids too much CPU occupation.

  An IS-IS network that runs normally is stable. Network changes rarely occur and the IS-IS router does not calculate routes often. Configure a short time period, in milliseconds, for the first time to trigger the route calculation. If the network changes often, the intelligent timer increases with the calculation times and the interval becomes longer. This process avoids too much CPU use.

  The LSP generation intelligent timer is similar to the SPF intelligent timer. When the LSP generation intelligent timer expires, the system generates a new LSP based on the current topology. The original mechanism adopts a timer with uniform intervals and thus cannot achieve fast convergence and low CPU utilization. The LSP generation timer is an intelligent timer that responds quickly to burst events (such as an interface that goes Up or Down) and speeds up the network convergence. If the network changes often, the interval for the intelligent timer becomes longer to avoid too much CPU occupation.

NOTE

Configure the timers with caution, according to the actual network and the router performance.

BFD for IS-IS

You can use BFD to detect the IS-IS neighbor relationship. BFD can quickly detect the faults on links between IS-IS neighbors and report them to IS-IS. This process implements fast convergence of IS-IS.

NOTE

BFD detects only the one-hop link between IS-IS neighbors because IS-IS establishes only one-hop neighbors.

7.1.7 References

For more information about IS-IS, see the following RFC and ISO documents.

| Document number | Description |
|---|---|
| ISO 10589 | ISO IS-IS Routing Protocol |
| ISO 9542 | ES-IS Routing Protocol |
| ISO 8348/Ad2 | Network Services Access Points |
| RFC 1195 | Use of OSI IS-IS for Routing in TCP/IP and Dual Environments |
| RFC 2763 | Dynamic Hostname Exchange Mechanism for IS-IS |
| RFC 2966 | Domain-wide Prefix Distribution with Two-Level IS-IS |
| RFC 2973 | IS-IS Mesh Groups |
| RFC 3277 | IS-IS Transient Black hole Avoidance |
| RFC 3358 | Optional Checksums in ISIS |
| RFC 3373 | Three-Way Handshake for IS-IS Point-to-Point Adjacencies |
| RFC 3567 | IS-IS Cryptographic Authentication |
| RFC 3719 | Recommendations for Interoperable Networks using IS-IS |
| RFC 3786 | Extending the Number of IS-IS LSP Fragments Beyond the 256 Limit |
| RFC 3787 | Recommendations for Interoperable IP Networks using IS-IS |
| RFC 3784 | IS-IS extensions for Traffic Engineering |
| RFC 3847 | Restart signaling for IS-IS |

7.2 Configuring basic IS-IS functions

7.2.1 Establishing the configuration task

Applicable environment

Enable the IS-IS processes first before you configure IS-IS. Specify NET and enable IS-IS on the interfaces before you configure the other functions.

Preconfiguration tasks

Before you configure IS-IS, complete the following tasks:

• Configure the link layer protocol.
• Configure the network layer addresses to keep the network layers of the adjacent nodes reachable.

Data preparation

To configure IS-IS, you need the following data.

| No. | Data |
|---|---|
| 1 | NET |
| 2 | Process number |
| 3 | The router type and its interface level |

Configuration procedures

| No. | Procedure |
|---|---|
| 1 | Enabling IS-IS processes |
| 2 | Configuring NET |
| 3 | Configuring the level of a router |
| 4 | Enabling IS-IS on the specified interface |
| 5 | Checking the configuration |

7.2.2 Enabling IS-IS processes

Do as follows on each router that runs IS-IS according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis [ process-id ] [ vpn-instance vpn-instance-name ]

This command enables the IS-IS process and the IS-IS view appears.

The process-id identifies an IS-IS process. Use the isis [ process-id ] vpn-instance vpn-instance-name command to associate the IS-IS process with a VPN-instance.

----End

To enable the IS-IS, create an IS-IS routing process and activate it on the interface that can associate with the other routers.

7.2.3 Configuring NET

Do as follows on each router that runs IS-IS according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis [ process-id ]

The IS-IS view appears.

Step 3 Run:

network-entity net

This command configures a NET.

----End

A NET defines the current IS-IS area address and the system ID of the router. You can configure up to three NETs on a process of one router.

7.2.4 Configuring the level of a router

Do as follows on each router that runs IS-IS according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis [ process-id ]

The IS-IS view appears.

Step 3 Run:

is-level { level-1 | level-1-2 | level-2 }

This command configures the level of a router. By default, the level of the router is level-1-2.

----End

7.2.5 Enabling IS-IS on the specified interface

Do as follows on each router that runs IS-IS according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

interface interface-type interface-number

The interface view appears.

Step 3 Run:

isis enable [ process-id ]

This command enables IS-IS on the specific interface. To enable the opposite port to learn the route of the network segment, ensure that the state of the interface on which you enable the IS-IS is Up.

----End
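The procedure in sections 7.2.2 to 7.2.5, as an added example (not Nortel code): a Python helper that checks the prepared data and then renders the commands named in those sections, one list per CLI session. The NET layout (area address, 6-octet system ID, selector 00) and the rule that the NETs of one router share a system ID come from ISO 10589 rather than this section; the interface type keyword `ethernet`, the NET values and the positive-integer check on process-id are assumptions.

```python
import re

LEVELS = ("level-1", "level-1-2", "level-2")  # keywords of the is-level command
MAX_NETS = 3  # "up to three NETs on a process of one router" (section 7.2.3)


def split_net(net):
    """Validate a NET and return (area_address, system_id) as hex strings."""
    digits = net.replace(".", "")
    if not re.fullmatch(r"[0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+)*", net) or len(digits) % 2:
        raise ValueError(f"{net}: a NET is dot-separated hex with whole octets")
    raw = bytes.fromhex(digits)
    # Assumed layout (ISO 10589): area address of 1 to 13 octets, 6-octet
    # system ID, then a 1-octet selector that is 00 in a NET.
    if not 8 <= len(raw) <= 20:
        raise ValueError(f"{net}: a NET is 8 to 20 octets long")
    if raw[-1] != 0:
        raise ValueError(f"{net}: the last octet (SEL) of a NET must be 00")
    return raw[:-7].hex(), raw[-7:-1].hex()


def render_basic_isis(process_id, nets, level, interfaces):
    """Return one command list per CLI session, each starting like the page's steps."""
    if not isinstance(process_id, int) or process_id < 1:
        raise ValueError("process-id must be a positive integer")
    if level not in LEVELS:
        raise ValueError(f"level must be one of {LEVELS}")
    if not 1 <= len(nets) <= MAX_NETS:
        raise ValueError(f"configure 1 to {MAX_NETS} NETs per process")
    parsed = [split_net(net) for net in nets]
    if len({system_id for _, system_id in parsed}) != 1:
        raise ValueError("all NETs of one router must share one system ID")
    if len({area for area, _ in parsed}) != len(parsed):
        raise ValueError("duplicate area address")
    # Sections 7.2.2 to 7.2.4 all run in the IS-IS view of the same process.
    process = ["system-view", f"isis {process_id}"]
    process += [f"network-entity {net}" for net in nets]
    process.append(f"is-level {level}")
    sessions = [process]
    # Section 7.2.5 runs once per interface, in the interface view.
    for if_type, if_number in interfaces:
        sessions.append(["system-view", f"interface {if_type} {if_number}",
                         f"isis enable {process_id}"])
    return sessions


if __name__ == "__main__":
    # Constructed sample values; the interface type keyword is an assumption.
    demo = render_basic_isis(1, ["49.0001.0000.0000.0001.00"], "level-2",
                             [("ethernet", "6/0/0")])
    for session in demo:
        print("\n".join(session), end="\n\n")
```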

7.2.6 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the information about the IS-IS interface you enable.
Command: display isis [ process-id | vpn-instance vpn-instance-name ] interface [ tunnel | [ verbose | traffic-eng ] * | tunnel ] [ process-id | vpn-instance vpn-instance-name ]]* ]

Action: Check the information about the LSDB.
Command: display isis lsdb [ [ level-1 | l1 ] | [ level-2 | l2 ] ] [ verbose ] [ local | lsp-id ] [ process-id | vpn-instance vpn-instance-name ]

Action: Check the information about the IS-IS neighbors.
Command: display isis peer [ verbose ] [ process-id | vpn-instance vpn-instance-name ]

Action: Check the IS-IS routing information.
Command: display isis [ process-id | vpn-instance vpn-instance-name ] route [ ipv4 | ipv6] [ ip-address [ mask | mask-length ] ] [ level-1 | level-2 ] [ verbose ]

Action: Check the statistics about the IS-IS process.
Command: display isis statistics [ level-1 | level-2 | level-1-2 ] [ process-id | vpn-instance vpn-instance-name ]

Run the display isis interface command. The IS-IS neighbor relationship is established when the IPv4 neighbor of the local router is in the Up state.

display isis interface

Interface information for ISIS(1)
------
Interface    Id     IPV4.State    IPV6.State    MTU     Type     DIS
Eth6/0/0     001    Up            Down          1497    L1/L2    No/No

7.3 Controlling IS-IS routing information

7.3.1 Establishing the configuration task

Applicable environment

This section describes how to control the advertisement and the receipt of the IS-IS routing information. For example, advertise the aggregated routes, filter the received routes, and import the external routes. This section also describes how to change the attributes of the routing information such as the priority and the cost. After these configurations, you can accurately control the transmission of the IS-IS routing information in the AS.

Preconfiguration tasks

Before you configure IS-IS routing information, complete the following tasks:

• Configure the network layer addresses to keep the network layers of the adjacent nodes reachable.
• Complete the procedures in Configuring basic IS-IS functions.

Data preparation

To configure IS-IS routing, you need the following data.

| No. | Data |
|---|---|
| 1 | The priority of the IS-IS protocol |
| 2 | The cost of each interface |
| 3 | The aggregated |
| 4 | The filtering list to filter routing information |
| 5 | The protocol name and the process number of the external routes to import |

Configuration procedures

| No. | Procedure |
|---|---|
| 1 | Configuring the preference of IS-IS |
| 2 | Configuring the link cost |
| 3 | Configuring IS-IS route aggregation |
| 4 | Configuring IS-IS to generate default routes |
| 5 | Configuring IS-IS to filter the routing information received |
| 6 | Set the state of an IS-IS interface to suppressed |
| 7 | Configuring IS-IS to import external routes |
| 8 | Configuring route leaking |
| 9 | Checking the configuration |

7.3.2 Configuring the preference of IS-IS

Configuring the preference of the IS-IS Protocol

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis [ process-id ]

The IS-IS view appears.

Step 3 Run:

preference preference

This command configures the preference of IS-IS. The smaller the configured value is, the higher the preference. With a routing policy, you can configure the preference for a particular route by running the following commands:

• preference preference route-policy route-policy-name
• preference route-policy route-policy-name

By default, the preference of the IS-IS protocol is 15.

----End

A router can run multiple routing protocols at the same time. When multiple routing protocols discover routes to the same destination, the protocol with the highest preference takes effect.

Configuring the preference of IS-IS equal-cost routes

Do as follows on the related router according to the requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis [ process-id ]

The IS-IS view appears.

Step 3 Run:

nexthop ip-address weight value

This command configures the load balancing preference of IS-IS.

----End

After the SPF algorithm calculates the equal-cost routes of the IS-IS protocol, you can use the nexthop command to choose the equal-cost route with the highest preference as the next hop. The smaller the weight is, the higher the routing preference. By default, the weight is 255, which indicates that the equal-cost routes perform load balancing without distinguishing the preference.

7.3.3 Configuring the link cost

IS-IS determines the cost of the interface in the following three ways, in descending order of priority:

• Interface cost: the link cost you configure for a single interface
• Global cost: the link cost you configure for all the interfaces
• Auto-cost: the link cost calculated automatically based on the interface bandwidth

If you do not configure a command explicitly, the default cost of the IS-IS interface is 10.

Configuring the IS-IS cost style

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  cost-style { narrow | wide | wide-compatible } | { narrow-compatible | compatible } [ relax-spf-limit ]
  This command configures the IS-IS cost style.

----End

For different cost styles, the cost range of an interface is different and the cost range of the received route is also different.

• If the cost style is narrow, the cost of the interface ranges from 0 to 63. The maximum cost of the received route is 1023.
• If the cost style is narrow-compatible or compatible, the cost of the interface ranges from 1 to 63. The cost of the received route is related to the relax-spf-limit parameter.
  − If relax-spf-limit is not set, the following situations may occur:
    · If the cost of the route is smaller than or equal to 1023 and the link costs of all interfaces that the route passes through are smaller than or equal to 63, the route is received and the cost of the route is the actual one.
    · If the cost of the route is smaller than or equal to 1023 but the link costs of the interfaces that the route passes through are greater than 63, the router can learn only the routes of the network segment where the interface resides and the routes imported by the interface. The cost of the route is the actual one. The routes forwarded by the interface are discarded.
    · If the cost of the route is greater than 1023, the router can learn the routes of the interface whose link cost exceeds 1023 for the first time. The link cost of each interface before this interface is not greater than 63. The routes of the network segment where the interface resides and routes imported by the interface can be learned by the router. The cost of the route is 1023. The routes forwarded by the interface are discarded.
  − If relax-spf-limit is set, there is no limit to the link costs of interfaces and route costs. The cost of the route is the actual one.
• If the cost style is wide or wide-compatible, the cost of the interface ranges from 0 to 16 777 215. If the cost is 16 777 215, the router cannot use the neighbor TLV that is generated on the link in the routing calculation and can only use the neighbor TLV to deliver the TE information. The maximum cost of the received routes is 0xFFFFFFFF.

Configuring the cost of the IS-IS interface

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  interface interface-type interface-number
  The interface view appears.

Step 3 Run:
  isis cost cost [ level-1 | level-2 ]
  This command configures the cost of the IS-IS interface.

----End

You can use the command to configure the cost of a particular interface.

Configuring the global cost

Do as follows on the related router according to the requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  circuit-cost cost [ level-1 | level-2 ]
  This command configures the global IS-IS cost.

----End

You can use the command to change the cost of all the interfaces at the same time.

Enabling autocost

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  bandwidth-reference value
  This command configures the reference value of the bandwidth.

Step 4 Run:
  auto-cost enable
  This command configures the interface to automatically calculate the cost of its bandwidth.

----End

When the cost style is wide or wide-compatible, the bandwidth reference value in Step 3 is valid. The cost of each interface = (bandwidth-reference / interface bandwidth) × 10. When the cost style is narrow, narrow-compatible, or compatible, obtain the cost of each interface from the following table.

Table 7-3 Relationship between the interface cost and the bandwidth

Cost  Interface bandwidth range
60    interface bandwidth <= 10M
50    10M < interface bandwidth <= 100M
40    100M < interface bandwidth <= 155M
30    155M < interface bandwidth <= 622M
20    622M < interface bandwidth <= 2.5G
10    2.5G < interface bandwidth

NOTE

If you want to change the cost of the loopback interface, run the isis cost command in the interface view.

7.3.4 Configuring IS-IS route aggregation

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  summary ip-address mask [ avoid-feedback | generate_null0_route | tag tag | [ level-1 | level-1-2 | level-2 ] ] *
  This command configures IS-IS route aggregation.

----End

You can configure the routes with the same next hops as one route to reduce the number of entries in the routing table.

7.3.5 Configuring IS-IS to generate default routes

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  default-route-advertise [ route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] *
  This command configures IS-IS to generate the default routes.

----End

The default routes that this command generates are advertised only to the routers of the same level. With a routing policy, you can change the parameter of the default routes, for example, cost or tag.

You can only change the parameter of the default route, so when you create the route-policy, you can use the apply syntax directly instead of the if-match syntax.

7.3.6 Configuring IS-IS to filter the routing information received

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  filter-policy { acl-number | ip-prefix ip-prefix-name | route-policy route-policy-name } import
  This command configures IS-IS to filter the routing information received.

----End

7.3.7 Set the state of an IS-IS interface to suppressed

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  interface interface-type interface-number
  The interface view appears.

Step 3 Run:
  isis silent
  This command suppresses the IS-IS interface.

----End


When an IS-IS network connects to other ASs, you must enable IS-IS on the outgoing interface so that the routers inside the area can learn the egress routes. The interface sends IS-IS hello packets to other network segments, which is unnecessary. You can run the isis silent command to enable the suppression of the IS-IS interface. When the state of the IS-IS interface becomes suppressed, the interface no longer sends or receives any IS-IS packet. The routes of the network segment where the interface resides can still advertise to other routers inside the AS.

NOTE

If the state of the IS-IS protocol on the interfaces in the area is Down, the routers within the area cannot learn the outgoing routes.

7.3.8 Configuring IS-IS to import external routes

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  import-route protocol [ process-id ] [ cost-type { external | internal } | cost cost | tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] *
  This command imports routes of the other protocols.

Step 4 Run:
  filter-policy { acl-number | ip-prefix ip-prefix-name | route-policy route-policy-name } export [ protocol [ process-id ] ]
  This command filters imported routes.

----End

IS-IS regards the routes that other routing protocols discover as external routes. When you import the routes of the other protocols, you can specify their default costs. If you do not specify a level in the import-route command, the routes import to the Level-2 routing table. The default level is Level-2.

7.3.9 Configuring route leaking

Do as follows on the related Level-1-2 router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  import-route isis level-2 into level-1 [ filter-policy { acl-number | ip-prefix ip-prefix-name | route-policy route-policy-name } ] [ tag tag ]
  This command enables IS-IS route leaking.

----End

The command is run on the Level-1-2 router which connects with the external area. By default, the routing information of the Level-2 router does not advertise to the Level-1 area. By means of IS-IS route leaking, a Level-2 router can advertise the routing information in the Level-1 area and the Level-2 area to a router in the Level-1 area.

7.3.10 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action:  Check the information about the IS-IS interface.
Command: display isis [ process-id | vpn-instance vpn-instance-name ] interface [ tunnel | [ verbose | traffic-eng ] * | tunnel ] [ process-id | vpn-instance vpn-instance-name ]]* ]

Action:  Check the information about the LSDB.
Command: display isis lsdb [ [ level-1 | l1 ] | [ level-2 | l2 ] ] [ verbose ] [ local | lsp-id ] [ process-id | vpn-instance vpn-instance-name ]

Action:  Check the IS-IS routing information.
Command: display isis [ process-id | vpn-instance vpn-instance-name ] route [ ipv4 | ipv6] [ ip-address [ mask | mask-length ] ] [ level-1 | level-2 ] [ verbose ]

Run the display isis route command. The IS-IS neighbor is established when IS-IS process 1 on the local router imports a static route 169.1.1.0/24.

display isis route

                 ISIS(1) Level-2 Forwarding Table
                 --------------------------------

IPV4 Destination   IntCost   ExtCost   ExitInterface   NextHop   Flags
----------------------------------------------------------------------
123.1.1.0/24       10        NULL      Eth6/0/0        Direct    D/-/L/-

Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut, U-Up/Down Bit Set

                 ISIS(1) Level-2 Redistribute Table
                 ----------------------------------

Type   IPV4 Destination   IntCost   ExtCost   Tag
-------------------------------------------------
S      169.1.1.0/24       0         NULL

Type: D-Direct, I-ISIS, S-Static, O-OSPF, B-BGP, R-RIP

7.4 Adjusting and optimizing IS-IS

7.4.1 Establishing the configuration task

Applicable environment

This section describes the adjustment and optimization of the IS-IS networks. The details are as follows:

• Change the network type of the interface to P2P to simulate a P2P interface on the interface.
• When the neighbor relationship establishes, the P2P interface does not check the IP address. You can establish the neighbor relationship between two P2P interfaces that are in different network segments.
• Adjust the timer of the IS-IS packets, the LSP, and the SPF.
• Configure the IS-IS dynamic hostname and the authentication functions to meet the user requirements for security and maintenance.

Preconfiguration tasks

Before you adjust and optimize IS-IS, complete the following tasks:

• Configure the network layer addresses to keep the network layers of the adjacent nodes reachable.
• Complete the procedures in Configuring basic IS-IS functions.

Data preparation

To adjust and optimize IS-IS, you need the following data.

No.  Data
1    The DIS priority of the interface
2    The value of each timer
3    The mapping between the system ID and the hostname
4    The authentication mode and password

Configuration procedures

No.  Procedure
1    Configuring the network type of an interface
2    Configuring the level of an IS-IS interface
3    Configuring the DIS priority of the interface
4    Configuring IS-IS to ignore the check on IP addresses of received hello packets
5    Configuring IS-IS packet timers
6    Configuring LSP parameters
7    Configuring SPF parameters
8    Enabling LSP fast flooding
9    Configuring IS-IS dynamic hostname mapping
10   Configuring IS-IS authentication
11   Configuring LSDB overload flag bit
12   Configuring output of the adjacency state
13   Checking the configuration

7.4.2 Configuring the network type of an interface

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  interface interface-type interface-number
  The interface view appears.

Step 3 Run:
  isis circuit-type p2p
  This command configures the network type of the interface as P2P.

  The network type of the IS-IS interfaces on the two ends of the link must be identical. Otherwise, the two interfaces cannot set up the neighbor relationship.

----End

By default, the physical interface determines the network type of an interface.


7.4.3 Configuring the level of an IS-IS interface

Do as follows on the related router according to the requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  interface interface-type interface-number
  The interface view appears.

Step 3 Run:
  isis circuit-level [ level-1 | level-1-2 | level-2 ]
  This command configures the circuit level of an interface. By default, the circuit level of the interface is level-1-2.

----End

NOTE

This configuration is valid only when the current router is a Level-1-2 router. If the current router is not a Level-1-2 router, the level of the router determines the level of the adjacency.

7.4.4 Configuring the DIS priority of the interface

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  interface interface-type interface-number
  The interface view appears.

Step 3 Run:
  isis dis-priority priority [ level-1 | level-2 ]
  This command configures the DIS priority of the interface.

----End

The routers elect the Level-1 DISs and the Level-2 DISs respectively and you can configure different priorities for them. If you do not specify a level in the command, the Level-1-2 DIS is the default. The higher the priority is, the higher the possibility that the router becomes the DIS. If two or more routers use the same priority in the broadcast network, the router with the largest MAC address becomes the DIS. If the DIS priorities of all routers are 0, the router with the largest MAC address becomes the DIS.

NOTE

• The DIS priority is valid only on the broadcast network.
• If you change the Ethernet interface to P2P through the isis circuit-type command, the isis circuit-type command does not affect Ethernet interfaces.

7.4.5 Configuring IS-IS to ignore the check on IP addresses of received hello packets

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  interface interface-type interface-number
  The interface view appears.

Step 3 Run:
  isis peer-ip-ignore
  This command configures IS-IS to ignore the check on the IP addresses of the hello packets it receives.

----End

When the interface whose network type you change to P2P with the isis circuit-type command simulates a P2P interface, the following situations can occur:

• IS-IS checks the IP address of a hello packet it receives. The neighbor relationship can be established only when the IP address and the address of the interface that receives the hello packets belong to the same network segment.
• If the IP addresses of the two interfaces belong to different network segments, and you configure the isis peer-ip-ignore command on both interfaces, the neighbor relationship can be established between them. The routing table uses routes of the two different network segments, but they cannot ping each other.

7.4.6 Configuring IS-IS packet timers

Configuring the interval for sending hello packets

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  interface interface-type interface-number
  The interface view appears.

Step 3 Run:
  isis timer hello hello-interval1 [ level-1 | level-2 ]
  This command configures the interval for sending the hello packets.

----End

On the broadcast links, there are the Level-1 and the Level-2 hello packets. For different packets, you can configure different intervals. By default, the level of hello packets is level-1-2. On the point-to-point links, the hello packets do not divide into levels, and so you do not need to configure the level.

Configuring the invalid number of hello packets

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  interface interface-type interface-number
  The interface view appears.

Step 3 Run:
  isis timer holding-multiplier value [ level-1 | level-2 ]
  This command configures the number of invalid hello packets.

----End

The IS-IS protocol sends and receives hello packets to maintain the adjacencies between the routers. If a local router does not receive the hello packets from its peer within the holding time, it declares that the peer is dead. You can configure the number of times that the hello packets become invalid to adjust the holding time. By default, the level of hello packets is level-1-2.

Configuring the interval for sending CSNP packets

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  interface interface-type interface-number
  The interface view appears.

Step 3 Run:
  isis timer csnp seconds [ level-1 | level-2 ]
  This command configures the send interval for the CSNP packets.

----End

The DIS transmits the CSNP packets over the broadcast network to synchronize the LSDB. If you do not specify the level, the interval for broadcasting the CSNP packets of the current level is configured by default.

Configuring the interval for retransmitting LSPs

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  interface interface-type interface-number
  The interface view appears.

Step 3 Run:
  isis timer lsp-retransmit retransmit-interval
  This command configures the retransmission interval for the LSPs on a P2P link.

----End

On a P2P link, if the local router does not receive a response within a period of time after it sends an LSP packet, it considers that the LSP packet is lost or dropped. To guarantee reliable transmissions, configure the local router to retransmit the LSP packet. The LSPs that transmit on a broadcast link do not need responses.

Configuring the minimum interval for sending LSPs

Do as follows on the related router according to the requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  interface interface-type interface-number
  The interface view appears.

Step 3 Run:
  isis timer lsp-throttle throttle-interval [ count count ]
  This command configures the minimum interval for sending the LSPs.

----End

You can configure the interval, that is, the delay between two consecutive LSPs, for sending the LSPs on the interface.

7.4.7 Configuring LSP parameters

Configuring LSP refreshment period

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  timer lsp-refresh refresh-interval
  This command configures the LSP refreshment period.

----End

To synchronize the LSPs in the area, all the current LSPs transmit periodically. When you configure the LSP refreshment period, note that it must be smaller than the lifetime of the LSP.

Configuring LSP lifetime

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  timer lsp-max-age age-time
  This command configures the LSP lifetime.

----End

When a router generates an LSP, it configures the lifetime for the LSP. When this LSP is transmitted in the area, its lifetime decreases as time passes. If the router does not receive an updated LSP and the lifetime of this LSP decreases to 0, the LSP is kept for 60 seconds. If no new LSP is received after 60 seconds, this LSP is deleted from the LSDB.

Configuring the intelligent timer for generating LSPs

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  timer lsp-generation max-interval [ initial-interval [ incremental-interval ] ] [ level-1 | level-2 ]
  This command configures the intelligent timer to generate LSPs.

----End

In IS-IS, when the local routing information changes, the router must generate new LSPs to advertise this change. When the change is frequent, you must delay the interval to generate a new LSP. This configuration avoids the use of too many system resources, which impairs the system performance. If the delay is too long, the changes of the local routing information cannot advertise to the neighbors on a timely basis and the network converges slowly. The intelligent timer solves these problems because it adjusts the delay according to the network changes. The interval to initially generate the LSP is the initial-interval. Add an incremental interval to it when each change occurs until the interval is the value of max-interval. When the interval reaches the value of max-interval three times, it drops to the initial-interval value again. When you set the intelligent timer used to generate LSPs, the default level is Level-1 or Level-2 if level-1 or level-2 is not set in the command.

Ignoring LSP checksum error


For the versions prior to V200R005C03B560, when configuring IS-IS, you configure the ignore-lsp-checksum-error command to discard the LSPs with checksum errors. For V200R005C03B560 or later, you delete the ignore-lsp-checksum-error command.

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  ignore-lsp-checksum-error
  This command ignores the LSP checksum error.

----End

When the local IS-IS receives an LSP, it verifies its checksum. If the checksum is inconsistent with the calculated checksum, you can configure the aging time and the checksum of the LSP to 0. The LSP packet ages. If you ignore the checksum error through the ignore-lsp-checksum-error command, this packet is processed as a normal one even if LSP checksum errors are found.
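The check that ignore-lsp-checksum-error bypasses, shown as an added example (not code from this guide or from the router software). It assumes the standard IS-IS LSP layout and Fletcher checksum from ISO/IEC 10589, which this guide does not spell out; the sample LSP, its system ID and hostname are constructed.

```python
import struct

# Field offsets in an IS-IS LSP PDU (8-byte common header, then the LSP header).
LIFETIME_OFFSET = 10   # Remaining Lifetime, 2 bytes, NOT covered by the checksum
CKSUM_START = 12       # checksum coverage starts at the LSP ID field
CKSUM_OFFSET = 24      # 2-byte checksum field


def _fletcher_sums(data):
    """Return the two running sums (C0, C1), each modulo 255."""
    c0 = c1 = 0
    for byte in data:
        c0 = (c0 + byte) % 255
        c1 = (c1 + c0) % 255
    return c0, c1


def compute_checksum(pdu):
    """Checksum value that makes both sums over the covered region zero."""
    body = bytearray(pdu[CKSUM_START:])
    pos = CKSUM_OFFSET - CKSUM_START        # checksum position inside body
    body[pos:pos + 2] = b"\x00\x00"         # field is zero while summing
    c0, c1 = _fletcher_sums(body)
    k = len(body) - (pos + 1)               # bytes after the first checksum byte
    # 0 and 255 are equivalent modulo 255; 255 keeps the field non-zero.
    x = (k * c0 - c1) % 255 or 255
    y = (c1 - (k + 1) * c0) % 255 or 255
    return (x << 8) | y


def checksum_ok(pdu):
    """Receiver-side check: both sums over LSP ID..end of PDU must be zero."""
    if len(pdu) < CKSUM_OFFSET + 2:
        return False
    return _fletcher_sums(pdu[CKSUM_START:]) == (0, 0)


def build_sample_lsp(hostname=b"RTA"):
    """Constructed Level-2 LSP carrying one dynamic-hostname TLV (type 137)."""
    tlvs = bytes([137, len(hostname)]) + hostname
    common = bytes([0x83, 27, 1, 0, 20, 1, 0, 0])          # PDU type 20 = L2 LSP
    lsp_id = bytes.fromhex("000000000001") + b"\x00\x00"   # constructed system ID
    total = len(common) + 19 + len(tlvs)
    # PDU length, remaining lifetime, LSP ID, sequence number, checksum, flags
    header = struct.pack("!HH8sIHB", total, 1200, lsp_id, 1, 0, 0x03)
    pdu = bytearray(common + header + tlvs)
    struct.pack_into("!H", pdu, CKSUM_OFFSET, compute_checksum(pdu))
    return bytes(pdu)


if __name__ == "__main__":
    lsp = build_sample_lsp()
    damaged = bytearray(lsp)
    damaged[-1] ^= 0x01                     # one corrupted bit in the hostname TLV
    print("intact LSP passes :", checksum_ok(lsp))
    print("damaged LSP passes:", checksum_ok(bytes(damaged)))
```

With ignore-lsp-checksum-error configured, the damaged LSP in this example would be processed as a normal one, so its altered TLV content would enter the LSDB.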

Configuring the LSP cache size

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  lsp-length originate mtu-size
  This command configures the size of the cache that originates LSPs.

Step 4 Run:
  lsp-length receive mtu-size
  This command configures the size of the cache that receives LSPs.

----End

The mtu-size of the cache that generates LSPs must be smaller than or equal to the mtu-size of the cache that receives LSPs.

NOTE

After you enable the IS-IS on the interface, the MTU on the interface must be greater than the mtu-size you configure globally through the lsp-length originate command. Otherwise, the router considers the interface in the MTU down state. At the same time, the MTU on the interface must be greater than the mtu-size you configure through the lsp-length receive command. Otherwise, the forwarding of IS-IS packets can fail.

Configuring the mesh-group of the interface

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  interface interface-type interface-number
  The interface view appears.

Step 3 Run:
  isis mesh-group [ mesh-group-number | mesh-blocked ]
  This command configures the interface to join a mesh group.

----End

On the NBMA network, the interface of a router floods the received LSP to the other interfaces. For a network with a higher connectivity and multiple P2P links, the flooding method causes repeated LSP flooding and wastes bandwidth. To avoid such a problem, you can configure several interfaces to join a mesh group. The interface does not flood the LSP received from inside the group to the other interfaces of the same group, but floods it outside the group. When mesh-blocked is configured on an interface, the interface is blocked and cannot flood the LSPs. All the interfaces that join the mesh group ensure the LSDB synchronization in the entire network segment by using the CSNP and PSNP mechanisms.

NOTE

In an ATM or Frame Relay (FR) network, IS-IS connects by the virtual circuits (VCs) and the interface is the logical PPP subinterface.

Configuring LSP fragment extension

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  lsp-fragments-extend [ mode-1 | mode-2 ] [ level-1 | level-2 | level-1-2 ]
  This command enables the LSP fragment extension of the IS-IS processes.

Step 4 Run:
  virtual-system virtual-system-id
  This command configures a virtual system.

----End

At least one virtual system ID must be configured in order for the router to generate extended LSP fragments. One IS-IS process can be configured with up to 50 virtual system IDs. The virtual system IDs must be unique in the entire route domain. When you configure the LSP fragment extension, you use the default mode-1 and Level-1-2 if the mode and level are not specified.

7.4.8 Configuring SPF parameters

Configuring SPF intelligent timer

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  timer spf max-interval [ init-interval [ incr-interval ] ]
  This command configures the SPF intelligent timer.

----End

When the LSDB of IS-IS changes, the router must recalculate the shortest path. If the shortest path recalculates after each change, it occupies too many resources and affects the router efficiency. Delay SPF calculation to improve the router efficiency to some extent and reduce the resource consumption. A long delay slows the network convergence. The SPF intelligent timer can adjust the delay according to the LSDB changes. The interval that initially calculates the SPF is the initial interval. Add one incremental interval to the original when each change occurs until the interval is up to the value of the max-interval. When the interval reaches the value of the max-interval three times, it drops to the initial-interval again.
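A model of the intelligent timer rule described for both timer lsp-generation and timer spf, as an added example (not the router's implementation). It assumes abstract time units, since this section gives none, and a simple scheduler in which a change that arrives while a run is already pending is absorbed by that run; the flap sequence is constructed.

```python
class IntelligentTimer:
    """Delay generator following the rule stated in this section.

    The first delay is init-interval, each further change adds incr-interval
    until max-interval is reached, and after max-interval has been used three
    times the delay drops back to init-interval.
    """

    def __init__(self, max_interval, init_interval, incr_interval):
        if not 0 < init_interval <= max_interval or incr_interval <= 0:
            raise ValueError(
                "need 0 < init-interval <= max-interval and incr-interval > 0")
        self.max_interval = max_interval
        self.init_interval = init_interval
        self.incr_interval = incr_interval
        self._next = init_interval
        self._times_at_max = 0

    def next_delay(self):
        """Return the delay to apply to the change being handled now."""
        delay = self._next
        if delay >= self.max_interval:
            self._times_at_max += 1
            if self._times_at_max == 3:
                # Third use of max-interval: fall back to init-interval.
                self._next, self._times_at_max = self.init_interval, 0
        else:
            self._next = min(delay + self.incr_interval, self.max_interval)
        return delay


def scheduled_runs(change_times, timer):
    """Times at which an LSP generation or SPF run fires for the given changes.

    Assumption of this model: a change that arrives while a run is pending
    does not schedule a second run.
    """
    runs = []
    for t in sorted(change_times):
        if runs and t <= runs[-1]:
            continue                      # absorbed by the pending run
        runs.append(t + timer.next_delay())
    return runs


if __name__ == "__main__":
    flapping = range(30)                  # constructed: one change per time unit
    adaptive = scheduled_runs(flapping, IntelligentTimer(10, 2, 4))
    constant = scheduled_runs(flapping, IntelligentTimer(2, 2, 1))
    print("intelligent timer runs:", adaptive)
    print("constant 2-unit delay runs:", len(constant))
```

Under a sustained flap the growing delay cuts the number of runs the control plane must perform, which is the resource protection this section describes, at the price of slower convergence while the delay sits at max-interval.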

Configuring the duration for SPF calculation

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  spf-slice-size duration-time
  This command configures the duration for each SPF calculation.

----End

When many routing entries exist, for example, more than 150 000, in a routing table, the SPF calculation of IS-IS occupies the CPU for a long time. To avoid this problem, you can divide the SPF calculation. The routes that do not process at one time can calculate one second later.

7.4.9 Enabling LSP fast flooding

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  flash-flood [ lsp-count ] [ max-timer-interval interval ] [ level-1 | level-2 ]
  This command enables LSP fast flooding.

----End


You can use the flash-flood command to increase the speed of LSP flooding. You can specify the number of LSPs that flood each time for all the interfaces. If the LSPs to be sent exceed this number, the specific number of LSPs flood. If the timer you configure does not time out before the route calculation, the LSPs flood instantly. Otherwise, the LSPs transmit when the timer times out. When you configure LSP fast flooding, you use the default Level-1 or Level-2 if Level-1 and Level-2 are not specified.

7.4.10 Configuring IS-IS dynamic hostname mapping

Configuring the hostname for the local IS

Do as follows on the related router according to requirements:

Step 1 Run:
  system-view
  The system view appears.

Step 2 Run:
  isis [ process-id ]
  The IS-IS view appears.

Step 3 Run:
  is-name symbolic-name
  This command configures the hostname for the local IS.

----End

This command configures a symbolic name for the local IS-IS process and enables the mapping of the system ID to the hostname. The name you configure advertises to the other routers in the area in the form of the LSP. You must run the is-name command before you enable the dynamic hostname mapping of IS-IS processes. Otherwise, the display command cannot display the mapping between the system ID and the hostname.

Configuring the hostname for the remote IS

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis [ process-id ]

The IS-IS view appears.

Step 3 Run:


is-name map system-id symbolic-name

This command configures the hostname for the remote IS.

----End

Use this command locally to configure a symbolic name for a remote IS-IS router. Each system ID matches only one name. If a router in the network advertises a mapping between the hostname and the system ID in its LSPs, that mapping overrides the static mapping in the local router.

Configuring the hostname for DIS

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

interface interface-type interface-number

The interface view appears.

Step 3 Run:

isis dis-name symbolic-name

This command configures the hostname of the DIS.

----End

This configuration applies only on the DIS. The dis-name command run on an interface advertises the symbolic name you configure in the form of a pseudo-node LSP that the local router generates for the network that connects to that particular interface. This command associates a symbolic name for the DR. This command does not take effect on point-to-point interfaces.

7.4.11 Configuring IS-IS authentication

Configuring area or domain authentication

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis [ process-id ]

The IS-IS view appears.


Step 3 Run:

area-authentication-mode { simple password | md5 password-key } [ ip | osi ]

This command configures the area authentication mode.

Step 4 Run:

domain-authentication-mode { simple password | md5 password-key } [ ip | osi ]

This command configures the domain authentication mode.

----End

If the area authentication is needed, the area authentication password is encapsulated into the Level-1 LSP, the CSNP, and the PSNP packets in the specified mode. If the other routers in the same area have also started the area authentication, the authentication mode and the password of a router must be identical to those of other routers in the area. Similarly, for routing domain authentication, the password is also encapsulated into the Level-2 LSP, the CSNP, and the PSNP packets in the specified mode. If the routers in the backbone layer (Level-2) also need routing domain authentication, the authentication mode and the password of a router must be identical to those of other routers in the domain. The establishment of Level-1 or Level-2 neighbor relationship is not affected regardless of whether IS-IS packets pass the area authentication or domain authentication. When you configure the area or domain authentication, the selection of ip and osi is not affected by the actual network environment.

Configuring the interface authentication

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

interface interface-type interface-number

The interface view appears.

Step 3 Run:

isis authentication-mode { simple password | md5 password-key } [ level-1 | level-2 ] [ ip | osi ]

This command configures the authentication mode and the password for the interface.

----End

The authentication set on the interface is mainly used in the hello packet to confirm the validity and correctness of its peers. The authentication passwords at the same level should be identical on all the interfaces of a network.


When you configure the interface authentication, the selection of ip and osi is not affected by the actual network environment.
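The following audit script is an added example, not part of the Nortel manual. It checks a set of router configurations against the area, domain and interface authentication rules described above, and flags simple mode, which carries the password in the PDU in clear text. The saved-configuration layout, the sample keys and the policy that every level a router participates in must be authenticated are assumptions.

```python
from collections import defaultdict

# Constructed sample configurations (not from the manual). Assumed layout: one
# command per line, each view header at column 0, its sub-commands indented.
CONFIGS = {
    "RouterA": """\
isis 1
 is-level level-1
 network-entity 10.0000.0000.0001.00
 area-authentication-mode md5 EXAMPLE-KEY-1
interface pos 1/0/0
 isis enable 1
 isis authentication-mode md5 EXAMPLE-KEY-2 level-1
""",
    "RouterB": """\
isis 1
 is-level level-1
 network-entity 10.0000.0000.0002.00
 area-authentication-mode simple EXAMPLE-PW
interface pos 1/0/0
 isis enable 1
""",
    "RouterC": """\
isis 1
 network-entity 10.0000.0000.0003.00
 area-authentication-mode md5 EXAMPLE-KEY-1
interface pos 1/0/0
 isis enable 1
 isis authentication-mode md5 EXAMPLE-KEY-2
""",
}


def parse(text):
    """Return (processes, interfaces) found in one router's configuration."""
    procs, ifaces, view = {}, {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            continue
        if not raw[0].isspace():                 # column 0: a new view starts
            if words[0] == "isis":
                pid = words[1] if len(words) > 1 else "default"
                view = procs.setdefault(pid, {"level": "level-1-2", "area_id": None,
                                              "area": None, "domain": None})
            elif words[0] == "interface":
                view = ifaces.setdefault(" ".join(words[1:]), {"isis": False, "modes": []})
            else:
                view = None
        elif view is None:
            continue
        elif words[0] == "is-level":
            view["level"] = words[1]
        elif words[0] == "network-entity":
            # NET = area ID, then three groups of system ID, then the selector.
            view["area_id"] = ".".join(words[1].split(".")[:-4])
        elif words[0] in ("area-authentication-mode", "domain-authentication-mode"):
            view[words[0].split("-")[0]] = (words[1], words[2])   # (mode, secret)
        elif words[:2] == ["isis", "enable"]:
            view["isis"] = True
        elif words[:2] == ["isis", "authentication-mode"]:
            view.setdefault("modes", []).append(words[2])
    return procs, ifaces


def audit(configs):
    """Return (where, object, finding) tuples; secrets are compared, never printed."""
    findings, per_area = [], defaultdict(dict)
    for router, text in sorted(configs.items()):
        procs, ifaces = parse(text)
        for pid, p in procs.items():
            # Area authentication covers Level-1 PDUs, domain covers Level-2.
            for scope, not_needed_at in (("area", "level-2"), ("domain", "level-1")):
                if p["level"] == not_needed_at:
                    continue
                if p[scope] is None:
                    findings.append((router, f"isis {pid}", f"no-{scope}-authentication"))
                elif p[scope][0] == "simple":
                    findings.append((router, f"isis {pid}", f"{scope}-authentication-simple"))
            if p["level"] != "level-2" and p["area_id"]:
                per_area[p["area_id"]][router] = p["area"]
        for name, i in ifaces.items():
            if i["isis"] and not i["modes"]:
                findings.append((router, name, "no-interface-authentication"))
            elif i["isis"] and "simple" in i["modes"]:
                findings.append((router, name, "interface-authentication-simple"))
    # Routers in one area must use the same mode and the same password.
    for area, members in sorted(per_area.items()):
        if len(set(members.values())) > 1:
            findings.append((f"area {area}", ",".join(sorted(members)),
                             "area-authentication-mismatch"))
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIGS):
        print(" | ".join(finding))
```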

NOTE

Use the isis enable command to enable the Ethernet interface. After you enable the interface, such parameters as level-1 and level-2 are visible.

7.4.12 Configuring LSDB overload flag bit

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis [ process-id ]

The IS-IS view appears.

Step 3 Run:

set-overload [ on-startup [ timeout1 | start-from-nbr system-id [ timeout1 [ timeout2 ] ] | wait-for-bgp [ timeout1 ] ] ] [ allow { interlevel | external } * ]

The overload flag is configured.

----End

After you configure the LSPs with the overload fields, they flood in the network. When a router calculates routes that pass through the overloaded router, it does not use these LSPs. When you configure the overload flag bit for a router, the other routers do not forward any packet to the router. Packets sent to a destination that directly connects to this router are still forwarded to this router.

In the IS-IS domain, the router can encounter some problems in operation, and thus errors can occur in the whole routing area. To avoid these problems, you can configure the overload flag bit for this router to isolate it from the IS-IS network temporarily. Then, you can locate the fault easily.

7.4.13 Configuring output of the adjacency state

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis [ process-id ]

The IS-IS view appears.

Step 3 Run:


log-peer-change

This command enables the output of the adjacency state.

----End

After you enable the local terminal monitor and the output of the adjacency state, the changes of IS-IS adjacency state are output on the configuration terminal until you disable the output.

7.4.14 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the mesh-group of IS-IS.
Command: display isis mesh-group [ process-id | vpn-instance vpn-instance-name ]

Action: Check the table of relations between the local router names and their mappings to the system ID.
Command: display isis name-table [ process-id | vpn-instance vpn-instance-name ]

Action: Check the SPF log of IS-IS.
Command: display isis spf-log [ process-id | vpn-instance vpn-instance-name ]

Action: Check the SPF tree of IS-IS.
Command: display isis spf-tree [ level-1 | level-2 ] [ verbose ] [ process-id | vpn-instance vpn-instance-name ]

Action: Check the statistics information about the TE.
Command: display isis traffic-eng { statistics | sub-tlvs | { advertisements [ local | lsp-id ] | link [ verbose ] | network } [ level-1 | level-2 | level-1-2 ] } [ process-id | vpn-instance vpn-instance-name ]

Action: Check the restarting status of IS-IS.
Command: display isis graceful-restart status [ level-1 | level-2 ] [ process-id | vpn-instance vpn-instance-name ]

Action: Check the statistics information about the IS-IS process.
Command: display isis statistics [ level-1 | level-2 | level-1-2 ] [ process-id | vpn-instance vpn-instance-name ]

Run the display isis name-table 1 command to display the IS hostname of the local router as abc.

display isis name-table 1
System ID        Hostname   Type
1111.1111.1111   abc        DYNAMIC


7.5 Configuring IS-IS GR

7.5.1 Establishing the configuration task

Applicable environment

When you restart IS-IS, the adjacency relationship of the router that runs IS-IS and the neighbors disconnects, and the router deletes the LSP. This action results in incorrect route calculation and loss of packets. As a result, the network is interrupted temporarily.

You can use IS-IS GR to solve the preceding problem. When you enable IS-IS GR, the router notifies its neighbor of its restarting state and maintains the adjacency relationship to ensure uninterrupted forwarding of services.

IS-IS GR provides the following advantages:

• When you restart IS-IS, the router sends a request to re-establish the connection with neighbors and does not terminate the adjacency relationship.

• Before the LSP generates, GR reduces the interference on the network caused by the time to synchronize the LSDBs.

• For the router that starts for the first time, configure an overload tag in the LSP until the LSDBs synchronize. This configuration prevents a routing loop in the network.

Preconfiguration tasks

Before you configure IS-IS GR, complete the following task:

• Configure basic IS-IS functions.

Data preparation

To configure IS-IS GR, you need the following data.

No. Data
1 IS-IS process number
2 Time interval to re-establish the GR session
3 Whether advertisement of the adjacency relationship is suppressed when the GR restarter restarts

Configuration procedures

No. Procedure
1 Enabling IS-IS GR
2 Configuring parameters for an IS-IS GR session
3 Checking the configuration


7.5.2 Enabling IS-IS GR

Do as follows on the router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis process-id

The IS-IS view appears.

Step 3 Run:

graceful-restart

This command enables IS-IS GR. By default, IS-IS GR is disabled.

----End

7.5.3 Configuring parameters for an IS-IS GR session

Do as follows on the router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis process-id

The IS-IS view appears.

Step 3 Run:

graceful-restart interval timer

This command configures the interval to re-establish the GR session for IS-IS. The restart interval specifies the time taken by a router to restart. The restart interval is set to the Holdtime in the IS-IS Hello PDU. Thus, the neighbor relationship is not torn down in the duration that the router restarts. By default, the restart period is 300 seconds.

Step 4 (Optional) Run:

graceful-restart suppress-sa

The GR restarter is configured to suppress the Suppress-Advertisement (SA) bit of restart TLV.

The router that starts for the first time does not maintain the forwarding status. If the router does not start for the first time, the LSPs generated when the router last ran may exist in the LSP database of other routers in the network.


The sequence number of the LSP fragment is reinitialized when the router starts, so the LSPs stored in the LSP database of other routers may be newer than the LSPs generated after the router starts. This leads to a black hole in the network, and the black hole lasts until the router regenerates its LSPs and advertises the LSPs with the highest sequence number.

You can avoid the preceding case when the neighbor of this router suppresses the advertisement of the adjacency relationship until this router advertises the updated LSPs.

If the administrator does not want a router to set the SA bit in the Hello PDU, the administrator can run the undo graceful-restart suppress-sa command. By default, the SA bit is not suppressed.

----End

7.5.4 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the status of IS-IS GR.
Command: display isis graceful-restart status [ level-1 | level-2 ] [ process-id | vpn-instance vpn-instance-name ]

Run the display isis graceful-restart status command. The output shows that IS-IS process 1 on the local router is enabled with GR and that the default values of all GR parameters are used.

display isis graceful-restart status

Restart information for ISIS(1)
------

IS-IS(1) Level-1 Restart Status
Restart Interval: 300
SA Bit Supported
Total Number of Interfaces = 1
Restart Status: RESTART COMPLETE

IS-IS(1) Level-2 Restart Status
Restart Interval: 300
SA Bit Supported
Total Number of Interfaces = 1
Restart Status: RESTART COMPLETE


7.6 Configuring BFD for IS-IS

7.6.1 Establishing the configuration task

Applicable environment

To accelerate IS-IS convergence speed when the link status changes, you can configure BFD on the IS-IS link. To configure the static BFD session, you need to manually configure the BFD session parameters including local identifier and remote identifier through command lines, and then manually deliver the request for setting up the BFD session.

NOTE

BFD can detect the one-hop links between IS-IS neighbors because IS-IS can establish only one-hop neighbors.

Preconfiguration tasks

Before you configure BFD for IS-IS, complete the following tasks:

• Configure IP address for the interface to ensure that the neighboring nodes are reachable.

• Configure basic IS-IS functions.

Data preparation

To configure BFD for IS-IS, you need the following data.

No. Data
1 Type and ID of the interface on which BFD feature is enabled

Configuration procedures

No. Procedure
1 Configuring BFD one-hop detection
2 Enabling IS-IS fast sense
3 Checking the configuration

7.6.2 Configuring BFD one-hop detection

Enable BFD one-hop detection before you configure IS-IS fast detection. Do as follows on both routers between which you establish the BFD session:

Step 1 Run:

system-view

The system view appears.


Step 2 Run:

bfd

This command enables the global BFD capability for the node.

Step 3 Run:

quit

Back to the system view.

Step 4 Run:

interface interface-type interface-number

The interface view appears.

NOTE

Enable BFD capability only on the physical interface.

Step 5 Run:

isis enable

IS-IS is enabled on the current interface.

Step 6 Run:

isis bfd static

Static BFD is enabled on the current interface.

Step 7 Run:

quit

Back to the system view.

Step 8 Run:

bfd cfg-name bind peer-ip ip-address [ interface interface-type interface-number ] [ source-ip ip-address ]

This command creates the BFD binding.

If you do not specify the source IP when you create the BFD binding, the system searches the IP address of outgoing interface connected to the peer, and uses the IP address of the interface as the source IP address of the BFD packets sent by the local node. If the configuration of BFD session succeeds, the source IP address of BGP packets does not update when you change the IP address of the outgoing interface.

source-ip cannot be a multicast or broadcast address.

Step 9 Perform the following to configure identifiers for both nodes.

Run:

discriminator local discr-value

This command configures the local identifier.

And


Run:

discriminator remote discr-value

This command configures the remote identifier.

The corresponding relation between the local identifier and the remote identifier of devices at both ends of the BFD session must be correct; otherwise, the session does not establish. After the configuration of the local identifier and the remote identifier succeeds, you cannot change them.

NOTE

The local identifier of the local router corresponds to the remote identifier of the remote router, and the remote identifier of the local router corresponds to the local identifier of the remote router.

Step 10 Run:

commit

This command commits the configuration of BFD one-hop detection.

----End
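Because the identifiers cannot be changed once configured, it is worth checking both ends before you commit. The following script is an added example, not part of the Nortel manual: it pairs static BFD sessions across routers and reports identifiers that are not mirrored, sessions without commit, and an invalid source-ip. The configuration layout, session names and addresses are assumptions, and sessions are paired by source-ip and peer-ip, so source-ip must be configured.

```python
import ipaddress
import re

# Constructed sample configurations (not from the manual); session names and
# addresses are made up. Assumed layout: one command per line, with the
# discriminator and commit lines indented under their "bfd ... bind" line.
CONFIGS = {
    "RouterA": """\
bfd atob bind peer-ip 10.1.1.2 interface pos 1/0/0 source-ip 10.1.1.1
 discriminator local 1
 discriminator remote 2
 commit
bfd atoc bind peer-ip 10.1.2.2 interface pos 2/0/0 source-ip 10.1.2.1
 discriminator local 3
 discriminator remote 4
 commit
""",
    "RouterB": """\
bfd btoa bind peer-ip 10.1.1.1 interface pos 1/0/0 source-ip 10.1.1.2
 discriminator local 2
 discriminator remote 1
 commit
""",
    "RouterC": """\
bfd ctoa bind peer-ip 10.1.2.1 interface pos 1/0/0 source-ip 10.1.2.2
 discriminator local 3
 discriminator remote 4
""",
}

BIND = re.compile(r"bfd (\S+) bind peer-ip (\S+)(?: interface .+?)?(?: source-ip (\S+))?$")


def parse_sessions(text):
    """Return one dict per 'bfd cfg-name bind peer-ip ...' session."""
    sessions, cur = [], None
    for raw in text.splitlines():
        words = raw.split()
        m = BIND.match(raw.strip())
        if m:
            cur = {"name": m.group(1), "peer": m.group(2), "source": m.group(3),
                   "local": None, "remote": None, "committed": False}
            sessions.append(cur)
        elif not raw[:1].isspace():
            cur = None                      # any other top-level line ends the view
        elif cur and len(words) == 3 and words[0] == "discriminator" \
                and words[1] in ("local", "remote"):
            cur[words[1]] = int(words[2])
        elif cur and words == ["commit"]:
            cur["committed"] = True
    return sessions


def check(configs):
    """Return (object, finding) tuples for the sessions in all configurations."""
    findings, by_pair = [], {}
    for router, text in sorted(configs.items()):
        for s in parse_sessions(text):
            tag = f"{router}/{s['name']}"
            if s["local"] is None or s["remote"] is None:
                findings.append((tag, "discriminator-missing"))
            if not s["committed"]:
                findings.append((tag, "not-committed"))
            if s["source"] is None:
                findings.append((tag, "no-source-ip-so-not-paired"))
                continue
            # Only the limited broadcast is checked: a directed broadcast
            # cannot be recognised without the interface prefix length.
            if ipaddress.ip_address(s["source"]).is_multicast \
                    or s["source"] == "255.255.255.255":
                findings.append((tag, "source-ip-multicast-or-broadcast"))
            by_pair[(s["source"], s["peer"])] = (tag, s)
    for (src, peer), (tag, s) in by_pair.items():
        other = by_pair.get((peer, src))
        if other is None:
            findings.append((tag, "no-matching-peer-session"))
        elif tag < other[0] and \
                (s["local"], s["remote"]) != (other[1]["remote"], other[1]["local"]):
            # Local on one end must equal remote on the other, and vice versa.
            findings.append((f"{tag} <-> {other[0]}", "discriminators-not-mirrored"))
    return findings


if __name__ == "__main__":
    for where, finding in check(CONFIGS):
        print(f"{where}: {finding}")
```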

7.6.3 Enabling IS-IS fast sense

Do as follows on the router on which you enable IS-IS fast detection:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

interface interface-type interface-number

The interface view of the specified interface appears.

Step 3 Enable IS-IS fast detection as required.

• Run:

isis bfd static

BFD is configured.

And run:

isis fast-sense rpr

RPR fast sense is configured on the IS-IS specific interface.

• Run:

isis fast-sense

IS-IS fast detection is enabled.


• The effect of the isis fast-sense command is equal to the effect of the isis bfd static command plus the isis fast-sense rpr command.

• The isis fast-sense rpr command is required only on the RPR interface. IS-IS fast detection is used to process the fault reported by the static BFD.

----End

7.6.4 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check BFD session.
Command: display bfd session { all | discriminator discr-value } [ verbose ] [ slot slot-id ]

Action: Check the configuration of BFD for the IS-IS feature.
Command: display isis interface verbose

Only after you configure the parameters of a BFD session and the BFD session establishes, can you check the information on BFD session. If the configurations are correct, the status of the Fast-Sense field is YES.

Run the display isis interface verbose command to ensure the status of the static BFD of IS-IS process 1 is Yes.

display isis interface verbose

Interface information for ISIS(1)
------
Interface   Id    IPV4.State   IPV6.State   MTU    Type    DIS
Eth6/0/0    001   Up           Down         1497   L1/L2   No/No
SNPA Address              : 00e0-c72d-da01
IP Address                : 123.1.1.1
IPV6 Link Local Address   :
IPV6 Global Address(es)   :
Csnp Timer Value          : L1 10 L2 10
Hello Timer Value         : L1 10 L2 10
DIS Hello Timer Value     : L1 3 L2 3
Hello Multiplier Value    : L1 3 L2 3
Retransmit-Throttle Timer : L12 50
Cost                      : L1 20 L2 20
Ipv6 Cost                 : L1 20 L2 20
Priority                  : L1 64 L2 64
Retransmit Timer Value    : L12 5
Bandwidth-Value           : Low 100000000 High 0
Static Bfd                : YES
Dynamic Bfd               : NO
Fast-Sense Rpr            : NO


7.7 Configuring IS-IS IPv6 features

7.7.1 Establishing the configuration task

Applicable environment

IS-IS supports multiple network-layer protocols, including IPv6. In an IPv6 network, you can configure the IS-IS routing protocol to implement network intercommunication. The functions and configurations of most IS-IS IPv6 route features are similar to those of IS-IS IPv4 routes. This section lists only the configuration procedures.

Preconfiguration tasks

Before you configure IS-IS IPv6, complete the following tasks:

• Enable IPv6.

• Configure the network layer addresses to keep the network layers of the adjacent nodes reachable.

• Complete the procedures in Enabling IS-IS processes.

Data preparation

To configure IS-IS IPv6 features, you need the following data.

No. Data
1 The preference of the IS-IS protocol
2 IS-IS aggregated routes
3 The filtering list to filter the IS-IS routing information and the name of the routing policy
4 The name and the process number of the external IPv6 routing protocol to import

Configuration procedures

No. Procedure
1 Enabling IPv6 on IS-IS processes
2 Enabling IPv6 on IS-IS interfaces
3 Configuring IPv6 route features of IS-IS
4 Checking the configuration

7.7.2 Enabling IPv6 on IS-IS processes

Do as follows on each router that runs IS-IS according to requirements:


Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis [ process-id ]

This command enables the IS-IS process and the IS-IS view appears.

Step 3 Run:

ipv6 enable

This command enables IPv6 on the IS-IS processes.

----End

To enable IS-ISv6, you must first create an IS-IS routing process and then enable IPv6.

7.7.3 Enabling IPv6 on IS-IS interfaces

Do as follows on each router that runs IS-IS according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

interface interface-type interface-number

The interface view appears.

Step 3 Run:

isis ipv6 enable [ process-id ] [ silent ]

This command enables IS-IS on the specific interfaces.

----End

After you enable IS-IS, you also need to enable the IPv6 functions of the specific interface. When you use the silent parameter, the interface is suppressed from sending and receiving IS-IS packets. The routes in the network segment where the interface resides can still be advertised through the other interfaces.

7.7.4 Configuring IPv6 route features of IS-IS

Configuring the preference of IS-IS routes

Do as follows on the related router according to requirements:

Step 1 Run:

system-view


The system view appears.

Step 2 Run:

isis [ process-id ]

The IS-IS view appears.

Step 3 Run:

ipv6 preference { preference | route-policy route-policy-name } *

This command configures the preference of IS-ISv6 routes.

----End

Configuring IS-IS route aggregation

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis [ process-id ]

The IS-IS view appears.

Step 3 Run:

ipv6 summary ipv6-address prefix-length [ avoid-feedback | generate_null0_route | tag tag | [ level-1 | level-1-2 | level-2 ] ] *

This command configures the IS-ISv6 route aggregation.

----End

Configuring IS-IS to generate default IPv6 routes

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis [ process-id ]

The IS-IS view appears.

Step 3 Run:

ipv6 default-route-advertise [ route-policy route-policy-name ] [ level-1 | level-2 | level-1-2 ]

This command configures IS-ISv6 to generate default IPv6 routes.


----End

Configuring IS-IS to filter the received routes

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis [ process-id ]

The IS-IS view appears.

Step 3 Run:

ipv6 filter-policy { acl6-number | ipv6-prefix ipv6-prefix-name | route-policy route-policy-name } import

This command configures IS-ISv6 to filter the received routes.

----End

Configuring IS-IS to import IPv6 routes of other protocols

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis [ process-id ]

The IS-IS view appears.

Step 3 Run:

ipv6 import-route protocol [ process-id ] [ cost cost ] [ tag tag ] [ route-policy route-policy-name ] [ level-1 | level-2 | level-1-2 ]

This command configures IS-IS to import routes of the other protocols.

Step 4 Run:

ipv6 filter-policy { acl6-number | ipv6-prefix ipv6-prefix-name | route-policy route-policy-name } export [ protocol [ process-id ] ]

This command configures IS-IS to filter the routes imported.

----End

The filter-policy export command works with the ipv6 import-route command. The command filters only the imported routes that are advertised to the other routers. If you do not specify the parameter protocol, the command filters the imported routes of all the protocols. If you do specify the protocol parameter, it only filters the imported routes of the particular protocol. If you do not specify a level in the import-route command, routes are imported to the Level-2 routing table.

Configuring IS-IS route leaking

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

isis [ process-id ]

The IS-IS view appears.

Step 3 Run:

ipv6 import-route isis level-2 into level-1 [ filter-policy { acl6-number | ipv6-prefix ipv6-prefix-name | route-policy route-policy-name } ] [ tag tag ]

This command configures IS-IS route leaking.

----End

With this command, a Level-1-2 router can advertise the IPv6 routing information in the Level-1 area and the other Level-2 areas to a specific Level-1 area.

7.7.5 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the information about the IS-IS interface.
Command: display isis interface [ [ verbose | traffic-eng ] * | tunnel ] [ process-id | vpn-instance vpn-instance-name ]

Action: Check the information about the LSDB.
Command: display isis lsdb [ [ level-1 | l1 ] | [ level-2 | l2 ] ] [ verbose ] [ local | lsp-id ] [ process-id | vpn-instance vpn-instance-name ]

Action: Check the information about the IS-IS neighbor.
Command: display isis peer [ verbose ] [ process-id | vpn-instance vpn-instance-name ]

Action: Check the IS-IS routing information.
Command: display isis route [ ipv4 | ipv6 ] [ level-1 | level-2 ] [ verbose ] [ process-id | vpn-instance vpn-instance-name ]

Action: Check the statistics information about the IS-IS process.
Command: display isis statistics [ level-1 | level-2 | level-1-2 ] [ process-id | vpn-instance vpn-instance-name ]


7.8 Maintaining IS-IS

This section covers the following topics:

• Resetting the IS-IS data structure

• Resetting a specific IS-IS peer

• Debugging IS-IS

7.8.1 Resetting the IS-IS data structure

You cannot restore the IS-IS data structure after you reset it. All the previous structure information and the neighbor relationship are reset. Confirm the action before you use the command.

To clear the IS-IS data structure, run the following reset command in the user view.

Action: Reset the IS-IS data structures.
Command: reset isis all [ process-id | vpn-instance vpn-instance-name ]

By default, the IS-IS data structure is not reset.

7.8.2 Resetting a specific IS-IS peer

The specific IS-IS neighboring connections are deleted after you reset the specific IS-IS peer with the reset isis command. Confirm the action before you use the command.

After you modify the IS-IS routing policy or protocol, you need to reset the IS-IS connections to make the modification take effect. To reset IS-IS connections, run the following reset command in the user view.

Action: Reset a specific IS-IS peer.
Command: reset isis peer system-id [ process-id | vpn-instance vpn-instance-name ]


7.8.3 Debugging IS-IS

Debugging affects system performance. After you debug the system, run the undo debugging all command to disable it immediately.

After an IS-IS fault occurs, run the following debugging commands in the user view to debug IS-IS and locate the fault. For information about the output of the debugging command, see Nortel Secure Router 8000 Series Configuration Guide - System Management (NN46250-601). For information about the debugging command, see Nortel Secure Router 8000 Series Commands Reference (NN46240-500).

Action: Debug IS-IS.
Command: debugging isis all [ process-id | vpn-instance vpn-instance-name ]

Action: Debug IS-IS adjacencies.
Command: debugging isis adjacency [ process-id | vpn-instance vpn-instance-name ]

Action: Debug IS-IS authentication error.
Command: debugging isis authentication-error [ process-id | vpn-instance vpn-instance-name ]

Action: Debug LSP checksum error.
Command: debugging isis checksum-error [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the interface level information.
Command: debugging isis circuit-information [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the IS-IS configuration error.
Command: debugging isis configuration-error [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the IS-IS data link that receives packets.
Command: debugging isis datalink-receiving-packet [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the IS-IS data link that sends packets.
Command: debugging isis datalink-sending-packet [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the IS-IS events.
Command: debugging isis event [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the IS-IS general errors.
Command: debugging isis general-error [ process-id | vpn-instance vpn-instance-name ]


Action: Debug the IS-IS interface information.
Command: debugging isis interface-information [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the IS-IS memory allocation.
Command: debugging isis memory-allocating [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the IS-IS miscellaneous errors.
Command: debugging isis miscellaneous-errors

Action: Debug the packets received.
Command: debugging isis receiving-packet-content [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the local update packets.
Command: debugging isis self-originate-update [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the packets transmitted.
Command: debugging isis sending-packet-content [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the SNP packets.
Command: debugging isis snp-packet [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the SPF event.
Command: debugging isis spf-event [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the SPF summary.
Command: debugging isis spf-summary [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the SPF timers.
Command: debugging isis spf-timer [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the task error.
Command: debugging isis task-error [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the timers.
Command: debugging isis timer [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the traffic engineering.
Command: debugging isis traffic-eng { advertisement | event } [ process-id | vpn-instance vpn-instance-name ]

Action: Debug the IS-IS update packets.
Command: debugging isis update-packet [ process-id | vpn-instance vpn-instance-name ]

7.9 Configuration examples

This section provides the following examples:

• Example of configuring basic IS-IS functions

• Example of configuring IS-IS in an NBMA network


• Example of configuring route convergence

• Example of configuring the DIS election of IS-IS

• Example of configuring IS-IS load balancing

• Example of configuring IS-IS GR

• Example of configuring BFD for IS-IS

• Example of configuring IS-IS fast convergence

• Example of configuring basic IS-IS IPv6 functions

7.9.1 Example of configuring basic IS-IS functions

Networking requirements

As shown in Figure 7-14:

• Router A, Router B, Router C, and Router D belong to the same AS. The IS-IS routing protocol runs on these four routers to implement the IP network interconnection.

• The area IDs of Router A, Router B, and Router C are all 10, and the area ID of Router D is 20.

• Router A and Router B are Level-1 routers and Router D is a Level-2 router. Router C serves as the Level-1-2 router to connect the two areas.

Figure 7-14 Basic IS-IS configuration

[Network diagram: RouterA (L1) and RouterB (L1) attach to RouterC (L1/2) in IS-IS Area 10; RouterC attaches to RouterD (L2) in IS-IS Area 20.]

Configuration roadmap

The steps in the configuration roadmap are:

1. Enable IS-IS on each router, configure the type of level, and specify the network entity.

2. Check the IS-IS database of each router and the routing table.


Data preparation To complete the configuration, you need the following data:

z Area number of Router A, Router B, Router C, and Router D z Level of Router A, Router B, Router C, and Router D

Configuration procedure

Step 1 Configure the IP address of each interface.

Step 2 Configure basic IS-IS functions.

# Configure Router A:

[RouterA] isis 1
[RouterA-isis-1] is-level level-1
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] quit
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] isis enable 1
[RouterA-Pos1/0/0] quit

# Configure Router B:

[RouterB] isis 1
[RouterB-isis-1] is-level level-1
[RouterB-isis-1] network-entity 10.0000.0000.0002.00
[RouterB-isis-1] quit
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] isis enable 1
[RouterB-Pos1/0/0] quit

# Configure Router C:

[RouterC] isis 1
[RouterC-isis-1] network-entity 10.0000.0000.0003.00
[RouterC-isis-1] quit
[RouterC] interface pos 1/0/0
[RouterC-Pos1/0/0] isis enable 1
[RouterC-Pos1/0/0] quit
[RouterC] interface pos 2/0/0
[RouterC-Pos2/0/0] isis enable 1
[RouterC-Pos2/0/0] quit
[RouterC] interface pos 3/0/0
[RouterC-Pos3/0/0] isis enable 1
[RouterC-Pos3/0/0] quit

# Configure Router D:

[RouterD] isis 1
[RouterD-isis-1] is-level level-2
[RouterD-isis-1] network-entity 20.0000.0000.0004.00
[RouterD-isis-1] quit
[RouterD] interface GigabitEthernet 2/0/0
[RouterD-GigabitEthernet2/0/0] isis enable 1
[RouterD-GigabitEthernet2/0/0] quit
[RouterD] interface pos 1/0/0
[RouterD-Pos1/0/0] isis enable 1
[RouterD-Pos1/0/0] quit

Step 3 Verify the configuration.

# Display the IS-IS LSDB of each router:

[RouterA] display isis lsdb

Database information for ISIS(1)
--------------------------------

Level-1 Link State Database

LSPID                  Seq Num     Checksum  Holdtime  Length  ATT/P/OL
-----------------------------------------------------------------------
0000.0000.0001.00-00*  0x00000006  0xbf7d    649       68      0/0/0
0000.0000.0002.00-00   0x00000003  0xef4d    545       68      0/0/0
0000.0000.0003.00-00   0x00000008  0x3340    582       111     1/0/0

*(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended), ATT-Attached, P-Partition, OL-Overload

[RouterB] display isis lsdb

Database information for ISIS(1)
--------------------------------

Level-1 Link State Database

LSPID                  Seq Num     Checksum  Holdtime  Length  ATT/P/OL
-----------------------------------------------------------------------
0000.0000.0001.00-00   0x00000006  0xbf7d    642       68      0/0/0
0000.0000.0002.00-00*  0x00000003  0xef4d    538       68      0/0/0
0000.0000.0003.00-00   0x00000008  0x3340    574       111     1/0/0

*(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended), ATT-Attached, P-Partition, OL-Overload

[RouterC] display isis lsdb

Database information for ISIS(1)
--------------------------------

Level-1 Link State Database

LSPID                  Seq Num     Checksum  Holdtime  Length  ATT/P/OL
-----------------------------------------------------------------------
0000.0000.0001.00-00   0x00000006  0xbf7d    638       68      0/0/0
0000.0000.0002.00-00   0x00000003  0xef4d    533       68      0/0/0
0000.0000.0003.00-00*  0x00000008  0x3340    569       111     1/0/0

*(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended), ATT-Attached, P-Partition, OL-Overload


Level-2 Link State Database

LSPID                  Seq Num     Checksum  Holdtime  Length  ATT/P/OL
-----------------------------------------------------------------------
0000.0000.0003.00-00*  0x00000008  0x55bb    650       100     0/0/0
0000.0000.0004.00-00   0x00000005  0x651     629       84      0/0/0

*(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended), ATT-Attached, P-Partition, OL-Overload

[RouterD] display isis lsdb

Database information for ISIS(1)
--------------------------------

Level-2 Link State Database

LSPID                  Seq Num     Checksum  Holdtime  Length  ATT/P/OL
-----------------------------------------------------------------------
0000.0000.0003.00-00   0x00000008  0x55bb    644       100     0/0/0
0000.0000.0004.00-00*  0x00000005  0x651     624       84      0/0/0

*(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended), ATT-Attached, P-Partition, OL-Overload

# Display the IS-IS routing information of each router. A default route must be available in the Level-1 routing table and the next hop is a Level-1-2 router. The Level-2 routing table must include all Level-1 and Level-2 routes.

[RouterA] display isis route

Route information for ISIS(1)
-----------------------------

ISIS(1) Level-1 Forwarding Table
--------------------------------

IPV4 Destination   IntCost  ExtCost  ExitInterface  NextHop      Flags
----------------------------------------------------------------------
10.1.1.0/24        10       NULL     P1/0/0         Direct       D/L/-
10.1.2.0/24        20       NULL     P1/0/0         10.1.1.1     R/-/-
192.168.0.0/24     20       NULL     P1/0/0         10.1.1.1     R/-/-
0.0.0.0/0          10       NULL     P1/0/0         10.1.1.1     R/-/-

Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set

[RouterC] display isis route

Route information for ISIS(1)
-----------------------------

ISIS(1) Level-1 Forwarding Table
--------------------------------

IPV4 Destination   IntCost  ExtCost  ExitInterface  NextHop      Flags
----------------------------------------------------------------------
10.1.1.0/24        10       NULL     P1/0/0         Direct       D/L/-
10.1.2.0/24        10       NULL     P2/0/0         Direct       D/L/-
192.168.0.0/24     10       NULL     P3/0/0         Direct       D/L/-

Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set

ISIS(1) Level-2 Forwarding Table
--------------------------------

IPV4 Destination   IntCost  ExtCost  ExitInterface  NextHop      Flags
----------------------------------------------------------------------
10.1.1.0/24        10       NULL     P1/0/0         Direct       D/L/-
10.1.2.0/24        10       NULL     P2/0/0         Direct       D/L/-
192.168.0.0/24     10       NULL     P3/0/0         Direct       D/L/-
172.16.0.0/16      20       NULL     P3/0/0         192.168.0.2  R/-/-

Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set

[RouterD] display isis route

Route information for ISIS(1)
-----------------------------

ISIS(1) Level-2 Forwarding Table
--------------------------------

IPV4 Destination   IntCost  ExtCost  ExitInterface  NextHop      Flags
----------------------------------------------------------------------
192.168.0.0/24     10       NULL     P1/0/0         Direct       R/L/-
10.1.1.0/24        20       NULL     P3/0/0         192.168.0.1  R/-/-
10.1.2.0/24        20       NULL     P3/0/0         192.168.0.1  R/-/-
172.16.0.0/16      10       NULL     GE2/0/0        Direct       R/L/-

Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set

----End
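The LSDB contents in Step 3 follow directly from the NET and is-level settings. The Python sketch below is an added example, not part of the Nortel guide: it splits each NET into area and system ID and predicts the adjacency level on every link of Figure 7-14. The helper names and the LINKS list are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Levels a router takes part in. A router without an is-level line is
# Level-1-2, as Router C is in this example.
LEVELS = {"level-1": {1}, "level-2": {2}, "level-1-2": {1, 2}}


@dataclass(frozen=True)
class IsisRouter:
    name: str
    area: str          # area address as hex digits, e.g. "10"
    system_id: str     # e.g. "0000.0000.0001"
    levels: frozenset


def parse_net(net):
    """Split a NET into (area, system_id).

    Read from the right: one selector byte (00 in a NET), six bytes of
    system ID, and the remaining 1 to 13 bytes are the area address.
    """
    digits = net.replace(".", "").lower()
    if len(digits) % 2 or not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError(f"{net}: not a whole number of hex bytes")
    if not 16 <= len(digits) <= 40:
        raise ValueError(f"{net}: a NET is 8 to 20 bytes long")
    if digits[-2:] != "00":
        raise ValueError(f"{net}: selector byte must be 00")
    sysid = digits[-14:-2]
    return digits[:-14], ".".join(sysid[i:i + 4] for i in (0, 4, 8))


def parse_router(config):
    """Read sysname, is-level and network-entity from a configuration file."""
    name = re.search(r"sysname\s+(\S+)", config).group(1)
    net = re.search(r"network-entity\s+(\S+)", config).group(1)
    level = re.search(r"is-level\s+(level-1-2|level-1|level-2)", config)
    area, system_id = parse_net(net)
    levels = LEVELS[level.group(1) if level else "level-1-2"]
    return IsisRouter(name, area, system_id, frozenset(levels))


def adjacency_levels(a, b):
    """Levels at which two directly connected routers become neighbours."""
    if a.system_id == b.system_id:
        raise ValueError(f"{a.name} and {b.name} share system ID {a.system_id}")
    levels = set()
    if 1 in a.levels and 1 in b.levels and a.area == b.area:
        levels.add(1)      # Level-1 neighbours must share an area
    if 2 in a.levels and 2 in b.levels:
        levels.add(2)      # Level-2 neighbours may be in different areas
    return levels


def predict(configs, links):
    """Map each link to the set of adjacency levels expected on it."""
    routers = {name: parse_router(text) for name, text in configs.items()}
    return {link: adjacency_levels(routers[link[0]], routers[link[1]])
            for link in links}


# isis stanzas taken from the four configuration files of this example.
CONFIGS = {
    "RouterA": "sysname RouterA\nisis 1\n is-level level-1\n"
               " network-entity 10.0000.0000.0001.00\n",
    "RouterB": "sysname RouterB\nisis 1\n is-level level-1\n"
               " network-entity 10.0000.0000.0002.00\n",
    "RouterC": "sysname RouterC\nisis 1\n"
               " network-entity 10.0000.0000.0003.00\n",
    "RouterD": "sysname RouterD\nisis 1\n is-level level-2\n"
               " network-entity 20.0000.0000.0004.00\n",
}
# Physical links of Figure 7-14 (assumed from the interface addresses).
LINKS = [("RouterA", "RouterC"), ("RouterB", "RouterC"), ("RouterC", "RouterD")]

if __name__ == "__main__":
    for (left, right), levels in predict(CONFIGS, LINKS).items():
        shown = "/".join(f"L{n}" for n in sorted(levels)) or "no adjacency"
        print(f"{left} - {right}: {shown}")
```

An empty result for a link means the two routers exchange no LSPs at any level, which is what happens if Router D is left at Level-1 while its NET stays in area 20.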

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
isis 1
 is-level level-1
 network-entity 10.0000.0000.0001.00
#
interface Pos1/0/0
 link-protocol ppp
 ip address 10.1.1.2 255.255.255.0
 isis enable 1
#
return

- Configuration file of Router B

#
 sysname RouterB
#
isis 1
 is-level level-1
 network-entity 10.0000.0000.0002.00
#
interface Pos1/0/0
 link-protocol ppp
 ip address 10.1.2.2 255.255.255.0
 isis enable 1
return

- Configuration file of Router C

#
 sysname RouterC
#
isis 1
 network-entity 10.0000.0000.0003.00
#
interface Pos1/0/0
 link-protocol ppp
 ip address 10.1.1.1 255.255.255.0
 isis enable 1
#
interface Pos2/0/0
 link-protocol ppp
 ip address 10.1.2.1 255.255.255.0
 isis enable 1
#
interface Pos3/0/0
 link-protocol ppp
 ip address 192.168.0.1 255.255.255.0
 isis enable 1
#
return

- Configuration file of Router D

#
 sysname RouterD
#
isis 1
 is-level level-2
 network-entity 20.0000.0000.0004.00
#
interface GigabitEthernet2/0/0
 ip address 172.16.1.1 255.255.0.0
 isis enable 1
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.0.2 255.255.255.0
 isis enable 1
#
return


7.9.2 Example of configuring IS-IS in an NBMA network

Networking requirements

As shown in Figure 7-15:

- Router A, Router B, and Router C are connected by ATM links. The IS-IS routing protocol runs on these routers.
- Router A and Router B belong to area 10. Router C belongs to area 20.
- Router A is a Level-1 router, Router B is a Level-1-2 router, and Router C is a Level-2 router.

Figure 7-15 IS-IS in NBMA network configuration

[Figure: Router A (L1, ATM1/0/0.1 10.1.1.1/24) connects to Router B (L1/L2; ATM1/0/0.1 10.1.1.2/24, ATM2/0/0.1 10.1.2.1/24) in Area 10. Router B connects to Router C (L2, ATM2/0/0.1 10.1.2.2/24) in Area 20.]

Configuration roadmap

The steps in the configuration roadmap are:

1. Configure each ATM subinterface as point-to-point, because IS-IS does not support NBMA networks.
2. Enable IS-IS on each router, configure the type of level, and specify the network entity.

Data preparation

To complete the configuration, you need the following data:

- Area number of Router A, Router B, and Router C
- Level of Router A, Router B, and Router C

Configuration procedure

Step 1 Configure the ATM network.

# Configure Router A:

[RouterA] interface atm 1/0/0.1 p2p
[RouterA-Atm1/0/0.1] ip address 10.1.1.1 24
[RouterA-Atm1/0/0.1] pvc 2/2
[RouterA-atm-pvc-Atm1/0/0.1-2/2] map ip 10.1.1.2 broadcast
[RouterA-atm-pvc-Atm1/0/0.1-2/2] quit
[RouterA-Atm1/0/0.1] quit

# Configure Router B:

[RouterB] interface atm 1/0/0.1 p2p
[RouterB-Atm1/0/0.1] ip address 10.1.1.2 24
[RouterB-Atm1/0/0.1] pvc 2/2
[RouterB-atm-pvc-Atm1/0/0.1-2/2] map ip 10.1.1.1 broadcast
[RouterB-atm-pvc-Atm1/0/0.1-2/2] quit
[RouterB-Atm1/0/0.1] quit
[RouterB] interface atm 2/0/0.1 p2p
[RouterB-Atm2/0/0.1] ip address 10.1.2.1 24
[RouterB-Atm2/0/0.1] pvc 2/2
[RouterB-atm-pvc-Atm2/0/0.1-2/2] map ip 10.1.2.2 broadcast
[RouterB-atm-pvc-Atm2/0/0.1-2/2] quit
[RouterB-Atm2/0/0.1] quit

# Configure Router C:

[RouterC] interface atm 2/0/0.1 p2p
[RouterC-Atm2/0/0.1] ip address 10.1.2.2 24
[RouterC-Atm2/0/0.1] pvc 2/2
[RouterC-atm-pvc-Atm2/0/0.1-2/2] map ip 10.1.2.1 broadcast
[RouterC-atm-pvc-Atm2/0/0.1-2/2] quit
[RouterC-Atm2/0/0.1] quit

Step 2 Configure basic IS-IS functions.

# Configure Router A:

[RouterA] isis 1
[RouterA-isis-1] is-level level-1
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] quit
[RouterA] interface atm 1/0/0.1 p2p
[RouterA-Atm1/0/0.1] isis enable
[RouterA-Atm1/0/0.1] quit

# Configure Router B:

[RouterB] isis 1
[RouterB-isis-1] network-entity 10.0000.0000.0002.00
[RouterB-isis-1] quit
[RouterB] interface atm 1/0/0.1 p2p
[RouterB-Atm1/0/0.1] isis enable 1
[RouterB-Atm1/0/0.1] quit
[RouterB] interface atm 2/0/0.1 p2p
[RouterB-Atm2/0/0.1] isis enable 1
[RouterB-Atm2/0/0.1] quit

# Configure Router C:

[RouterC] isis 1
[RouterC-isis-1] is-level level-2
[RouterC-isis-1] network-entity 20.0000.0000.0003.00
[RouterC-isis-1] quit
[RouterC] interface atm 2/0/0.1 p2p
[RouterC-Atm2/0/0.1] isis enable 1
[RouterC-Atm2/0/0.1] quit


Step 3 Verify the configuration.

# Display the information of the IS-IS routing table of each router:

[RouterA] display isis route

Route information for ISIS(1)
-----------------------------

ISIS(1) Level-1 Forwarding Table
--------------------------------

IPV4 Destination   IntCost  ExtCost  ExitInterface  NextHop      Flags
----------------------------------------------------------------------
0.0.0.0/0          10       NULL     Atm1/0/0.1     10.1.1.2     R/-/-
10.1.1.0/24        10       NULL     Atm1/0/0.1     Direct       D/L/-
10.1.2.0/24        20       NULL     Atm1/0/0.1     10.1.1.2     D/L/-

Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set

[RouterB] display isis route

Route information for ISIS(1)
-----------------------------

ISIS(1) Level-1 Forwarding Table
--------------------------------

IPV4 Destination   IntCost  ExtCost  ExitInterface  NextHop      Flags
----------------------------------------------------------------------
10.1.1.0/24        10       NULL     Atm1/0/0.1     Direct       D/L/-
10.1.2.0/24        10       NULL     Atm2/0/0.1     Direct       D/L/-

Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set

ISIS(1) Level-2 Forwarding Table
--------------------------------

IPV4 Destination   IntCost  ExtCost  ExitInterface  NextHop      Flags
----------------------------------------------------------------------
10.1.1.0/24        10       NULL     Atm1/0/0.1     Direct       D/L/-
10.1.2.0/24        10       NULL     Atm2/0/0.1     Direct       D/L/-

Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set

[RouterC] display isis route

Route information for ISIS(1)
-----------------------------

ISIS(1) Level-2 Forwarding Table
--------------------------------

IPV4 Destination   IntCost  ExtCost  ExitInterface  NextHop      Flags
----------------------------------------------------------------------
10.1.1.0/24        20       NULL     Atm2/0/0.1     10.1.2.1     R/-/-
10.1.2.0/24        10       NULL     Atm2/0/0.1     Direct       D/L/-

Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set

----End

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
isis 1
 is-level level-1
 network-entity 10.0000.0000.0001.00
#
interface Atm1/0/0
#
interface Atm1/0/0.1 p2p
 ip address 10.1.1.1 255.255.255.0
 pvc 2/2
  map ip 10.1.1.2 broadcast
 isis enable 1
#
return

- Configuration file of Router B

#
 sysname RouterB
#
isis 1
 network-entity 10.0000.0000.0002.00
#
interface Atm1/0/0
#
interface Atm1/0/0.1 p2p
 ip address 10.1.1.2 255.255.255.0
 pvc 2/2
  map ip 10.1.1.1 broadcast
 isis enable 1
#
interface Atm2/0/0
#
interface Atm2/0/0.1 p2p
 ip address 10.1.2.1 255.255.255.0
 pvc 2/2
  map ip 10.1.2.2 broadcast
 isis enable 1
#
return

- Configuration file of Router C

#
 sysname RouterC
#
isis 1
 is-level level-2
 network-entity 20.0000.0000.0003.00
#
interface Atm2/0/0
#
interface Atm2/0/0.1 p2p
 ip address 10.1.2.2 255.255.255.0
 pvc 2/2
  map ip 10.1.2.1 broadcast
 isis enable 1
#
return

7.9.3 Example of configuring route convergence

Network requirements

As shown in Figure 7-16:

- Router A, Router B, and Router C are interconnected by the IS-IS routing protocol.
- Router A belongs to area 20. Router B and Router C belong to area 10.
- Router A is a Level-2 router, Router B is a Level-1-2 router, and Router C is a Level-1 router.
- The addresses in area 10 can be summarized as 172.1.0.0/16.

Figure 7-16 Route convergence of IS-IS configuration

[Figure: Router C (L1) in Area 10 connects network1 172.1.1.0/24 on GbE2/0/0 172.1.1.1/24, network2 172.1.2.0/24 on GbE3/0/0 172.1.2.1/24, and network3 172.1.3.0/24 on GbE4/0/0 172.1.3.1/24. Router C GbE1/0/0 172.1.4.1/24 connects to Router B (L1/L2) GbE1/0/0 172.1.4.2/24. Router B GbE2/0/0 172.2.1.2/24 connects to Router A (L2) GbE2/0/0 172.2.1.1/24 in Area 20.]

Configuration roadmap

The steps in the configuration roadmap are:

1. Enable IS-IS on each router, configure the type of level, and specify the network entity.
2. Check the IS-IS routing table of Router A.
3. Configure the route convergence on Router B.


Data preparation

To complete the configuration, you need the following data:

- Area number of Router A, Router B, and Router C
- Level of Router A, Router B, and Router C

Configuration procedure

Step 1 Configure the IP address for each interface.

Step 2 Configure basic IS-IS functions.

# Configure Router A:

[RouterA] isis 1
[RouterA-isis-1] is-level level-2
[RouterA-isis-1] network-entity 20.0000.0000.0001.00
[RouterA-isis-1] quit
[RouterA] interface GigabitEthernet 2/0/0
[RouterA-GigabitEthernet2/0/0] isis enable 1
[RouterA-GigabitEthernet2/0/0] quit

# Configure Router B:

[RouterB] isis 1
[RouterB-isis-1] network-entity 10.0000.0000.0002.00
[RouterB-isis-1] quit
[RouterB] interface GigabitEthernet 2/0/0
[RouterB-GigabitEthernet2/0/0] isis enable 1
[RouterB-GigabitEthernet2/0/0] quit
[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] isis enable 1
[RouterB-GigabitEthernet1/0/0] quit

# Configure Router C:

[RouterC] isis 1
[RouterC-isis-1] is-level level-1
[RouterC-isis-1] network-entity 10.0000.0000.0003.00
[RouterC-isis-1] quit
[RouterC] interface GigabitEthernet 1/0/0
[RouterC-GigabitEthernet1/0/0] isis enable 1
[RouterC-GigabitEthernet1/0/0] quit

The configurations of GigabitEthernet 2/0/0, GigabitEthernet 3/0/0, and GigabitEthernet 4/0/0 are similar to that of GigabitEthernet 1/0/0.

Step 3 Check the IS-IS routing table of Router A:

[RouterA] display isis route

Route information for ISIS(1)
-----------------------------

ISIS(1) Level-2 Forwarding Table
--------------------------------

IPV4 Destination   IntCost  ExtCost  ExitInterface  NextHop      Flags
----------------------------------------------------------------------
172.1.1.0/24       20       NULL     GE2/0/0        172.2.1.2    R/-/-
172.1.2.0/24       20       NULL     GE2/0/0        172.2.1.2    R/-/-
172.1.3.0/24       20       NULL     GE2/0/0        172.2.1.2    R/-/-
172.1.4.0/24       20       NULL     GE2/0/0        172.2.1.2    R/-/-
172.2.1.0/24       10       NULL     GE2/0/0        Direct       D/L/-

Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set

Step 4 Configure route convergence (route summarization) on Router B.

# Converge 172.1.1.0/24, 172.1.2.0/24, 172.1.3.0/24, and 172.1.4.0/24 as 172.1.0.0/16 on Router B:

[RouterB] isis 1
[RouterB-isis-1] summary 172.1.0.0 255.255.0.0 level-1-2
[RouterB-isis-1] quit

Step 5 Verify the configuration.

# Check the routing table of Router A. The routes 172.1.1.0/24, 172.1.2.0/24, 172.1.3.0/24, and 172.1.4.0/24 have converged as 172.1.0.0/16:

[RouterA] display isis route

Route information for ISIS(1)
-----------------------------

ISIS(1) Level-2 Forwarding Table
--------------------------------

IPV4 Destination   IntCost  ExtCost  ExitInterface  NextHop      Flags
----------------------------------------------------------------------
172.1.0.0/16       20       NULL     GE2/0/0        172.2.1.2    R/-/-
172.2.1.0/24       10       NULL     GE2/0/0        Direct       D/L/-

Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set

----End
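A summary advertises every address inside its prefix, whether or not a component route exists for it. The Python sketch below is an added example, not part of the Nortel guide: it audits the 172.1.0.0/16 summary from Step 4 against the four /24 routes of Step 3 and computes the tightest single prefix that still covers them. Function names are assumptions made for the illustration.

```python
import ipaddress


def tightest_summary(components):
    """Smallest single prefix that contains every component route."""
    nets = [ipaddress.ip_network(c) for c in components]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def audit_summary(summary, components):
    """Compare a configured summary with the routes it is meant to replace."""
    summary = ipaddress.ip_network(summary)
    nets = [ipaddress.ip_network(c) for c in components]
    # Component routes the summary does not cover stay visible on their own.
    outside = [n for n in nets if not n.subnet_of(summary)]
    backed = list(ipaddress.collapse_addresses(
        n for n in nets if n.subnet_of(summary)))
    # Carve every backed block out of the summary. What is left is address
    # space the summary advertises although no component route exists for it.
    unbacked = [summary]
    for block in backed:
        remaining = []
        for piece in unbacked:
            if block.subnet_of(piece):
                remaining.extend(piece.address_exclude(block))
            else:
                remaining.append(piece)
        unbacked = remaining
    return {
        "outside": outside,
        "backed_addresses": sum(b.num_addresses for b in backed),
        "unbacked_addresses": sum(u.num_addresses for u in unbacked),
        "unbacked_blocks": sorted(unbacked),
    }


# The four area 10 routes that Router A learns in Step 3.
AREA10_ROUTES = ["172.1.1.0/24", "172.1.2.0/24", "172.1.3.0/24", "172.1.4.0/24"]

if __name__ == "__main__":
    for prefix in ("172.1.0.0/16", str(tightest_summary(AREA10_ROUTES))):
        report = audit_summary(prefix, AREA10_ROUTES)
        print(f"{prefix}: {report['backed_addresses']} addresses backed by a "
              f"route, {report['unbacked_addresses']} advertised without one")
```

With the /16 summary, Router B attracts traffic for the whole of 172.1.0.0/16 from Level-2, including prefixes that nothing in area 10 advertises. The /21 prefix covers the same four routes with far less unbacked space.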

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
isis 1
 is-level level-2
 network-entity 20.0000.0000.0001.00
#
interface GigabitEthernet2/0/0
 ip address 172.2.1.1 255.255.255.0
 isis enable 1
#
return

- Configuration file of Router B

#
 sysname RouterB
#
isis 1
 network-entity 10.0000.0000.0002.00
#
interface GigabitEthernet2/0/0
 ip address 172.2.1.2 255.255.255.0
 isis enable 1
#
interface GigabitEthernet1/0/0
 ip address 172.1.4.2 255.255.255.0
 isis enable 1
#
return

- Configuration file of Router C

#
 sysname RouterC
#
isis 1
 is-level level-1
 network-entity 10.0000.0000.0003.00
#
interface GigabitEthernet1/0/0
 ip address 172.1.4.1 255.255.255.0
 isis enable 1
#
interface GigabitEthernet2/0/0
 ip address 172.1.1.1 255.255.255.0
 isis enable 1
#
interface GigabitEthernet3/0/0
 ip address 172.1.2.1 255.255.255.0
 isis enable 1
#
interface GigabitEthernet4/0/0
 ip address 172.1.3.1 255.255.255.0
 isis enable 1
return

7.9.4 Example of configuring the DIS election of IS-IS

Networking requirements

As shown in Figure 7-17:

- The IS-IS routing protocol runs on Router A, Router B, Router C, and Router D to implement the IP network interconnection.
- These four routers belong to area 10, and the network type is broadcast (Ethernet).
- Router A and Router B are Level-1-2 routers, Router C is a Level-1 router, and Router D is a Level-2 router.
- You can change the DIS priority of the interface to make Router A the Level-1-2 DIS (DR).


Figure 7-17 DIS election of IS-IS configuration

[Figure: Router A (L1/L2, GbE1/0/0 10.1.1.1/24), Router B (L1/L2, GbE1/0/0 10.1.1.2/24), Router C (L1, GbE1/0/0 10.1.1.3/24), and Router D (L2, GbE1/0/0 10.1.1.4/24) attached to one broadcast network.]

Configuration roadmap

The steps in the configuration roadmap are:

1. Enable IS-IS on each router and specify the network entity to realize the connection.
2. Check the information of the IS-IS interface on each router with the default preference.
3. Configure the DIS preference of the router and check the information of the IS-IS interface on each router.

Data preparation

To complete the configuration, you need the following data:

- Four routers are in one area. The number of the area is Area10.
- The system ID of Router A is 0000.0000.0001. The DIS preference is 100. The router is Level-1-2.
- The system ID of Router B is 0000.0000.0002. The router is Level-1-2.
- The system ID of Router C is 0000.0000.0003. The router is Level-1.
- The system ID of Router D is 0000.0000.0004. The router is Level-2.

Configuration procedure

Step 1 Configure the IPv4 addresses of the interfaces.

Step 2 Check the MAC address of the GE interface on each router.

# Check the MAC address of GigabitEthernet1/0/0 on Router A:

[RouterA] display arp interface GigabitEthernet 1/0/0
IP ADDRESS  MAC ADDRESS     EXPIRE(M)  TYPE  INTERFACE  VPN-INSTANCE  VLAN  PVC
-------------------------------------------------------------------------------
10.1.1.1    00e0-fc10-afec             I     GE1/0/0
-------------------------------------------------------------------------------
Total:1  Dynamic:0  Static:0  Interface:1

# Check the MAC address of GigabitEthernet1/0/0 on Router B:

[RouterB] display arp interface GigabitEthernet 1/0/0
IP ADDRESS  MAC ADDRESS     EXPIRE(M)  TYPE  INTERFACE  VPN-INSTANCE  VLAN  PVC
-------------------------------------------------------------------------------
10.1.1.2    00e0-fccd-acdf             I     GE1/0/0
-------------------------------------------------------------------------------
Total:1  Dynamic:0  Static:0  Interface:1

# Check the MAC address of GigabitEthernet1/0/0 on Router C:

[RouterC] display arp interface GigabitEthernet 1/0/0
IP ADDRESS  MAC ADDRESS     EXPIRE(M)  TYPE  INTERFACE  VPN-INSTANCE  VLAN  PVC
-------------------------------------------------------------------------------
10.1.1.3    00e0-f100-25fe             I     GE1/0/0
-------------------------------------------------------------------------------
Total:1  Dynamic:0  Static:0  Interface:1

# Check the MAC address of GigabitEthernet1/0/0 on Router D:

[RouterD] display arp interface GigabitEthernet 1/0/0
IP ADDRESS  MAC ADDRESS     EXPIRE(M)  TYPE  INTERFACE  VPN-INSTANCE  VLAN  PVC
-------------------------------------------------------------------------------
10.1.1.4    00e0-ff1d-305c             I     GE1/0/0
-------------------------------------------------------------------------------
Total:1  Dynamic:0  Static:0  Interface:1

Step 3 Enable IS-IS.

# Configure Router A:

[RouterA] isis 1
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] quit
[RouterA] interface GigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] isis enable 1
[RouterA-GigabitEthernet1/0/0] quit

# Configure Router B:

[RouterB] isis 1
[RouterB-isis-1] network-entity 10.0000.0000.0002.00
[RouterB-isis-1] quit
[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] isis enable 1
[RouterB-GigabitEthernet1/0/0] quit

# Configure Router C:

[RouterC] isis 1
[RouterC-isis-1] network-entity 10.0000.0000.0003.00
[RouterC-isis-1] is-level level-1
[RouterC-isis-1] quit
[RouterC] interface GigabitEthernet 1/0/0
[RouterC-GigabitEthernet1/0/0] isis enable 1
[RouterC-GigabitEthernet1/0/0] quit

# Configure Router D:

[RouterD] isis 1
[RouterD-isis-1] network-entity 10.0000.0000.0004.00
[RouterD-isis-1] is-level level-2
[RouterD-isis-1] quit
[RouterD] interface GigabitEthernet 1/0/0
[RouterD-GigabitEthernet1/0/0] isis enable 1
[RouterD-GigabitEthernet1/0/0] quit

# Display the IS-IS peers of Router A:

[RouterA] display isis peer

Peer information for ISIS(1)
----------------------------
System Id       Interface  Circuit Id         State  HoldTime  Type      PRI
0000.0000.0002  GE1/0/0    0000.0000.0002.01  Up     9s        L1(L1L2)  64
0000.0000.0003  GE1/0/0    0000.0000.0002.01  Up     27s       L1        64
0000.0000.0002  GE1/0/0    0000.0000.0004.01  Up     28s       L2(L1L2)  64
0000.0000.0004  GE1/0/0    0000.0000.0004.01  Up     7s        L2        64

# Display the IS-IS interfaces of Router A:

[RouterA] display isis interface

Interface information for ISIS(1)
---------------------------------
Interface  Id   IPV4.State  IPV6.State  MTU   Type   DR
GE1/0/0    001  Up          Down        1497  L1/L2  No/No

# Display the IS-IS interfaces on Router B:

[RouterB] display isis interface

Interface information for ISIS(1)
---------------------------------
Interface  Id   IPV4.State  IPV6.State  MTU   Type   DR
GE1/0/0    001  Up          Down        1497  L1/L2  Yes/No

# Display the IS-IS interfaces of Router C:

[RouterC] display isis interface

Interface information for ISIS(1)
---------------------------------
Interface  Id   IPV4.State  IPV6.State  MTU   Type   DR
GE1/0/0    001  Up          Down        1497  L1/L2  Yes/No

# Display the IS-IS interfaces of Router D:

[RouterD] display isis interface

Interface information for ISIS(1)
---------------------------------
Interface  Id   IPV4.State  IPV6.State  MTU   Type   DR
GE1/0/0    001  Up          Down        1497  L1/L2  No/Yes


NOTE

With the default DIS preference, the interface MAC address of Router B is the largest among the Level-1 routers, so Router B is the Level-1 DIS. The interface MAC address of Router D is the largest among the Level-2 routers, so Router D is the Level-2 DIS. The pseudo nodes of Level-1 and Level-2 are 0000.0000.0002.01 and 0000.0000.0004.01 respectively.

Step 4 Configure the DIS priority of Router A:

[RouterA] interface GigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] isis dis-priority 100

# Display the IS-IS peers of Router A:

[RouterA] display isis peer

Peer information for ISIS(1)
----------------------------
System Id       Interface  Circuit Id         State  HoldTime  Type      PRI
0000.0000.0002  GE1/0/0    0000.0000.0001.01  Up     21s       L1(L1L2)  64
0000.0000.0003  GE1/0/0    0000.0000.0001.01  Up     27s       L1        64
0000.0000.0002  GE1/0/0    0000.0000.0001.01  Up     28s       L2(L1L2)  64
0000.0000.0004  GE1/0/0    0000.0000.0001.01  Up     30s       L2        64

Step 5 Verify the configuration.

# Display the IS-IS interfaces of Router A:

[RouterA] display isis interface

Interface information for ISIS(1)
---------------------------------
Interface  Id   IPV4.State  IPV6.State  MTU   Type   DR
GE1/0/0    001  Up          Down        1497  L1/L2  Yes/Yes

NOTE

As shown in the preceding output, after the DIS priority of the IS-IS interface changes, Router A becomes a Level-1-2 DR (DIS) instantly and its pseudo node is 0000.0000.0001.01.

# Display the IS-IS neighbor and IS-IS interfaces on Router B:

[RouterB] display isis peer

Peer information for ISIS(1)
----------------------------
System Id       Interface  Circuit Id         State  HoldTime  Type      PRI
0000.0000.0001  GE1/0/0    0000.0000.0001.01  Up     7s        L1(L1L2)  100
0000.0000.0003  GE1/0/0    0000.0000.0001.01  Up     25s       L1        64
0000.0000.0001  GE1/0/0    0000.0000.0001.01  Up     7s        L2(L1L2)  100
0000.0000.0004  GE1/0/0    0000.0000.0001.01  Up     25s       L2        64

[RouterB] display isis interface

Interface information for ISIS(1)
---------------------------------
Interface  Id   IPV4.State  IPV6.State  MTU   Type   DR
GE1/0/0    001  Up          Down        1497  L1/L2  No/No

# Display the IS-IS peers and interfaces of Router D:

[RouterD] display isis peer

Peer information for ISIS(1)
----------------------------
System Id       Interface  Circuit Id         State  HoldTime  Type      PRI
0000.0000.0001  GE1/0/0    0000.0000.0001.01  Up     9s        L2        100
0000.0000.0002  GE1/0/0    0000.0000.0001.01  Up     28s       L2        64

[RouterD] display isis interface

Interface information for ISIS(1)
---------------------------------
Interface  Id   IPV4.State  IPV6.State  MTU   Type   DR
GE1/0/0    001  Up          Down        1497  L1/L2  No/No

----End
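The election result in both NOTEs can be reproduced from the priorities and MAC addresses collected in Step 2. The Python sketch below is an added example, not part of the Nortel guide: it elects the DIS per level by highest priority and then highest MAC address, derives the pseudo node ID, and computes the lowest priority a router needs in order to take over. It assumes all routers share one broadcast segment and area as in Figure 7-17; the class and function names are made up for the illustration.

```python
from dataclasses import dataclass, replace

DEFAULT_PRIORITY = 64   # PRI shown for every peer before Step 4
MAX_PRIORITY = 127      # the IS-IS LAN priority is a 7-bit value


@dataclass(frozen=True)
class LanRouter:
    name: str
    system_id: str
    mac: str               # as printed by display arp, e.g. 00e0-fc10-afec
    levels: frozenset      # levels the router runs on the LAN
    priority: int = DEFAULT_PRIORITY


def mac_value(mac):
    """Numeric value of a MAC address written as xxxx-xxxx-xxxx."""
    return int(mac.replace("-", ""), 16)


def elect_dis(routers, level):
    """Highest priority wins; the highest MAC address breaks a tie."""
    candidates = [r for r in routers if level in r.levels]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.priority, mac_value(r.mac)))


def pseudonode_id(dis, circuit_id=1):
    """System ID of the DIS followed by its circuit ID (01 on this LAN)."""
    return f"{dis.system_id}.{circuit_id:02x}"


def election(routers):
    """Return {level: (DIS name, pseudo node ID)} for Level-1 and Level-2."""
    result = {}
    for level in (1, 2):
        dis = elect_dis(routers, level)
        result[level] = (dis.name, pseudonode_id(dis)) if dis else None
    return result


def with_priority(routers, name, priority):
    """Copy of the router list with one router's DIS priority changed."""
    if not 0 <= priority <= MAX_PRIORITY:
        raise ValueError("DIS priority must be between 0 and 127")
    return [replace(r, priority=priority) if r.name == name else r
            for r in routers]


def min_priority_to_win(routers, name, level):
    """Lowest priority at which the named router becomes DIS, or None."""
    me = next(r for r in routers if r.name == name)
    if level not in me.levels:
        return None
    for priority in range(MAX_PRIORITY + 1):
        trial = with_priority(routers, name, priority)
        if elect_dis(trial, level).name == name:
            return priority
    return None


# MAC addresses from Step 2, system IDs and levels from the data preparation.
ROUTERS = [
    LanRouter("RouterA", "0000.0000.0001", "00e0-fc10-afec", frozenset({1, 2})),
    LanRouter("RouterB", "0000.0000.0002", "00e0-fccd-acdf", frozenset({1, 2})),
    LanRouter("RouterC", "0000.0000.0003", "00e0-f100-25fe", frozenset({1})),
    LanRouter("RouterD", "0000.0000.0004", "00e0-ff1d-305c", frozenset({2})),
]

if __name__ == "__main__":
    print("default priorities:", election(ROUTERS))
    print("Router A at 100:   ", election(with_priority(ROUTERS, "RouterA", 100)))
    print("Router A needs at least",
          min_priority_to_win(ROUTERS, "RouterA", 1), "to win Level-1")
```

Because the election reruns whenever a better candidate appears, the same calculation shows which priority any newly attached router would need to displace the current DIS.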

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
isis 1
 network-entity 10.0000.0000.0001.00
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.1 255.255.255.0
 isis enable 1
 isis dis-priority 100
#
return

- Configuration file of Router B

#
 sysname RouterB
#
isis 1
 network-entity 10.0000.0000.0002.00
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.2 255.255.255.0
 isis enable 1
#
return

- Configuration file of Router C

#
 sysname RouterC
#
isis 1
 is-level level-1
 network-entity 10.0000.0000.0003.00
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.3 255.255.255.0
 isis enable 1
#
return

- Configuration file of Router D

#
 sysname RouterD
#
isis 1
 is-level level-2
 network-entity 10.0000.0000.0004.00
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.4 255.255.255.0
 isis enable 1
#
return

7.9.5 Example of configuring IS-IS load balancing

Networking requirements

As shown in Figure 7-18:

- Router A, Router B, Router C, and Router D are interconnected by the IS-IS protocol in the IPv6 network.
- Router A, Router B, Router C, and Router D are Level-2 routers in area 10.
- You need load balancing to transmit the traffic of Router A to Router D through Router B and Router C.

Figure 7-18 IS-IS load balancing configuration

[Figure: Router A, Router B, Router C, and Router D, all L2 routers in Area10. Router A connects to Router B and to Router C, and Router B and Router C each connect to Router D.]

Router    Interface  IP Address
Router A  GbE1/0/0   172.16.1.1/24
          POS1/0/0   10.1.1.1/24
          POS2/0/0   10.1.2.1/24
Router B  POS1/0/0   10.1.1.2/24
          POS2/0/0   192.168.0.1/24
Router C  POS1/0/0   10.1.2.2/24
          POS2/0/0   192.168.1.1/24
Router D  GbE3/0/0   172.17.1.1/24
          POS1/0/0   192.168.0.2/24
          POS2/0/0   192.168.1.2/24


Configuration roadmap

The configuration roadmap is as follows:

1. Enable basic IS-IS functions so that the routers can reach each other.
2. Cancel the load balancing and check the routing table.
3. Configure the load balancing on Router A and check the routing table.
4. Configure the form of load balancing on Router A.
5. Configure the preference for equal-cost routes on Router A. (Optional)

Data preparation

To complete the configuration, you need the following data:

- The Level and the area number of the four routers
- The number of the load balancing item on Router A is 1
- The form of the load balancing on Router A
- The weight for the preference of the equal-route on Router C is 1

Configuration procedure

Step 1 Assign IP addresses for the interfaces.

Step 2 Configure basic IS-IS functions.

Step 3 Cancel the load balancing on Router A:

[RouterA] isis 1
[RouterA-isis-1] maximum load-balancing 1

# Check the routing table of Router A:

[RouterA] display isis route

Route information for ISIS(1)
-----------------------------

ISIS(1) Level-2 Forwarding Table
--------------------------------

IPV4 Destination   IntCost  ExtCost  ExitInterface  NextHop      Flags
----------------------------------------------------------------------
192.168.1.0/24     20       NULL     P2/0/0         10.1.2.2     R/-/-
10.1.1.0/24        10       NULL     P1/0/0         Direct       D/L/-
172.16.1.0/24      10       NULL     GE1/0/0        Direct       D/L/-
172.17.1.0/24      30       NULL     P1/0/0         10.1.1.2     R/-/-
10.1.2.0/24        10       NULL     P2/0/0         Direct       D/L/-
192.168.0.0/24     20       NULL     P1/0/0         10.1.1.2     R/-/-

Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set

As shown in the routing table, when the maximum number of equal-cost routes for load balancing is set to 1, IS-IS chooses the next hop 10.1.1.2 (Router B) as the only best route to the destination network 172.17.1.0, because Router B has the smaller system ID.

Step 4 Restore the default value of the load balancing path on Router A:


[RouterA] isis 1
[RouterA-isis-1] undo maximum load-balancing

# Check the routing table of Router A:

[RouterA] display isis route

Route information for ISIS(1)
-----------------------------

ISIS(1) Level-2 Forwarding Table
--------------------------------

IPV4 Destination   IntCost  ExtCost  ExitInterface  NextHop      Flags
----------------------------------------------------------------------
192.168.1.0/24     20       NULL     P2/0/0         10.1.2.2     R/-/-
10.1.1.0/24        10       NULL     P1/0/0         Direct       D/L/-
172.16.1.0/24      10       NULL     GE1/0/0        Direct       D/L/-
172.17.1.0/24      30       NULL     P1/0/0         10.1.1.2     R/-/-
                                     P2/0/0         10.1.2.2
10.1.2.0/24        10       NULL     P2/0/0         Direct       D/L/-
192.168.0.0/24     20       NULL     P1/0/0         10.1.1.2     R/-/-

Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set

As shown in the routing table, the router uses the default value after you cancel the load balancing configuration. Both next hops of Router A, 10.1.1.2 (Router B) and 10.1.2.2 (Router C), are valid routes, because the default value of the maximum equal-cost route number is 3.

NOTE

The maximum number of equal-cost routes differs between products and protocols. Purchase licenses to adjust the maximum number.

Step 5 Configure the form of the load balancing on Router A.

Load balancing supports two forms: load balancing based on packets and load balancing based on flow.

# Configure load balancing based on packets:

[RouterA] load-balance packet

# Verify the configuration:

[RouterA] acl 3000
[RouterA-acl-adv-3000] rule permit icmp destination 172.17.1.1 0
[RouterA-acl-adv-3000] quit
[RouterA] quit
debugging ip packet acl 3000
terminal debugging
terminal monitor
ping 172.17.1.1
PING 172.17.1.1: 56 data bytes, press CTRL_C to break
*0.3207850 RouterA IP/8/debug_case:
Sending, interface = pos1/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 8, offset = 0, ttl = 255, protocol = 1,
checksum = 909, s = 10.1.1.1, d = 172.17.1.1
prompt: Sending the packet from local at pos1/0/0

Reply from 172.17.1.1: bytes=56 Sequence=1 ttl=254 time=70 ms
*0.3208320 RouterA IP/8/debug_case:
Sending, interface = pos2/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 9, offset = 0, ttl = 255, protocol = 1,
checksum = 652, s = 10.1.2.1, d = 172.17.1.1
prompt: Sending the packet from local at pos2/0/0

Reply from 172.17.1.1: bytes=56 Sequence=2 ttl=254 time=50 ms
*0.3208840 RouterA IP/8/debug_case:
Sending, interface = pos1/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 10, offset = 0, ttl = 255, protocol = 1,
checksum = 907, s = 10.1.1.1, d = 172.17.1.1
prompt: Sending the packet from local at pos1/0/0

Reply from 172.17.1.1: bytes=56 Sequence=3 ttl=254 time=40 ms
*0.3209340 RouterA IP/8/debug_case:
Sending, interface = pos2/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 11, offset = 0, ttl = 255, protocol = 1,
checksum = 650, s = 10.1.2.1, d = 172.17.1.1
prompt: Sending the packet from local at pos2/0/0

Reply from 172.17.1.1: bytes=56 Sequence=4 ttl=254 time=70 ms
*0.3209820 RouterA IP/8/debug_case:
Sending, interface = pos1/0/0, version = 4, headlen = 20, tos = 0,
pktlen = 84, pktid = 12, offset = 0, ttl = 255, protocol = 1,
checksum = 905, s = 10.1.1.1, d = 172.17.1.1
prompt: Sending the packet from local at pos1/0/0

Reply from 172.17.1.1: bytes=56 Sequence=5 ttl=254 time=40 ms

--- 172.17.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/54/70 ms

As shown in the preceding debugging output, the packets to 172.17.1.1 are sent on both Pos1/0/0 and Pos2/0/0 of Router A, which is load balancing based on packets.

# Configure load balancing based on flow:

[RouterA] load-balance flow

# Verify the configuration:

[RouterA] acl 3000
[RouterA-acl-adv-3000] rule permit icmp destination 172.17.1.1 0
[RouterA-acl-adv-3000] quit
[RouterA] quit
debugging ip packet acl 3000
terminal debugging
terminal monitor
ping 172.17.1.1
PING 172.17.1.1: 56 data bytes, press CTRL_C to break
*0.2542700 RouterA IP/8/debug_case: Sending, interface = pos1/0/0, version = 4, headlen = 20, tos = 0, pktlen = 84, pktid = 3, offset = 0, ttl = 255, protocol = 1, checksum = 658, s = 10.1.2.1, d = 172.17.1.1
prompt: Sending the packet from local at pos1/0/0
Reply from 172.17.1.1: bytes=56 Sequence=1 ttl=254 time=810 ms
Reply from 172.17.1.1: bytes=56 Sequence=2 ttl=254 time=40 ms
*0.2542930 RouterA IP/8/debug_case: Sending, interface = pos1/0/0, version = 4, headlen = 20, tos = 0, pktlen = 84, pktid = 4, offset = 0, ttl = 255, protocol = 1, checksum = 657, s = 10.1.2.1, d = 172.17.1.1
prompt: Sending the packet from local at pos1/0/0
*0.2543400 RouterA IP/8/debug_case: Sending, interface = pos1/0/0, version = 4, headlen = 20, tos = 0, pktlen = 84, pktid = 5, offset = 0, ttl = 255, protocol = 1, checksum = 656, s = 10.1.2.1, d = 172.17.1.1
prompt: Sending the packet from local at pos1/0/0
Reply from 172.17.1.1: bytes=56 Sequence=3 ttl=254 time=60 ms
*0.2543900 RouterA IP/8/debug_case: Sending, interface = pos1/0/0, version = 4, headlen = 20, tos = 0, pktlen = 84, pktid = 6, offset = 0, ttl = 255, protocol = 1, checksum = 655, s = 10.1.2.1, d = 172.17.1.1
prompt: Sending the packet from local at pos1/0/0
Reply from 172.17.1.1: bytes=56 Sequence=4 ttl=254 time=60 ms
*0.2544400 RouterA IP/8/debug_case: Sending, interface = pos1/0/0, version = 4, headlen = 20, tos = 0, pktlen = 84, pktid = 7, offset = 0, ttl = 255, protocol = 1, checksum = 654, s = 10.1.2.1, d = 172.17.1.1
prompt: Sending the packet from local at pos1/0/0
Reply from 172.17.1.1: bytes=56 Sequence=5 ttl=254 time=80 ms

--- 172.17.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 40/210/810 ms

As shown in the preceding debugging output, all the packets to 172.17.1.1 are sent on Pos1/0/0 of Router A; that is, load balancing is based on flow.

NOTE

The principle of load balancing based on flow is that routers send packets to the same destination along the previously used path. Because the packets are sent on pos1/0/0 to the destination, load balancing based on flow chooses Pos1/0/0.

Step 6 Configure the preference of equal-cost routes on Router A. (Optional)

If you do not perform load balancing through Router B and Router C, configure the preference of the equal-cost routes and specify the next hop:

[RouterA] isis
[RouterA-isis-1] nexthop 10.1.2.2 weight 1

Step 7 Verify the configuration.


# Check the routing table of Router A:

[RouterA] display isis route
Route information for ISIS(1)
-----------------------------

ISIS(1) Level-2 Forwarding Table
--------------------------------

IPV4 Destination   IntCost  ExtCost  ExitInterface  NextHop    Flags
---------------------------------------------------------------------
192.168.1.0/24     20       NULL     P2/0/0         10.1.2.2   R/-/-
10.1.1.0/24        10       NULL     P1/0/0         Direct     D/L/-
172.16.1.0/24      10       NULL     GE3/0/0        Direct     D/L/-
172.17.1.0/24      30       NULL     P1/0/0         10.1.2.2   R/-/-
10.1.2.0/24        10       NULL     P2/0/0         Direct     D/L/-
192.168.0.0/24     20       NULL     P1/0/0         10.1.1.2   R/-/-

Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set

As shown in the routing table, because the preference (metric is 1) of the next hop 10.1.2.2 (Router C) is higher than that of the next hop 10.1.1.2 (Router B), the IS-IS chooses the next hop 10.1.2.2 as the best route.

----End
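The Step 5 check, reading the debugging output to see which interfaces carried the pings, can be automated. The following Python sketch is an added example, not part of the Nortel guide: it assumes a captured terminal log in the layout shown in Step 5, the function names are hypothetical, and the sample captures are constructed from the values in that output.

```python
import re
from collections import Counter, defaultdict

MARKER = "IP/8/debug_case:"                   # tag on each IP debug message
FIELD_RE = re.compile(r"(\w+) = ([^,\s]+)")   # "key = value" pairs in a message


def make_msg(ts, iface, pktid, src, dst="172.17.1.1", wrap=False):
    """Constructed sample message in the layout of the Step 5 debugging output."""
    head = (f"*0.{ts} RouterA {MARKER} Sending, interface = {iface}, "
            f"version = 4, headlen = 20, tos = 0,")
    tail = (f"pktlen = 84, pktid = {pktid}, offset = 0, ttl = 255, "
            f"protocol = 1, checksum = 0, s = {src}, d = {dst}")
    sep = "\n" if wrap else " "           # terminals may wrap a long message
    return (f"{head}{sep}{tail}\n"
            f"prompt: Sending the packet from local at {iface}\n"
            f"Reply from {dst}: bytes=56 Sequence={pktid} ttl=254 time=50 ms")


# Constructed captures: alternating egress (packet mode), single egress (flow mode).
_ALTERNATING = [("pos1/0/0", "10.1.1.1"), ("pos2/0/0", "10.1.2.1")] * 2 \
    + [("pos1/0/0", "10.1.1.1")]
PACKET_MODE_CAPTURE = "\n".join(
    make_msg(3207850 + i, iface, 8 + i, src, wrap=(i == 1))
    for i, (iface, src) in enumerate(_ALTERNATING))
FLOW_MODE_CAPTURE = "\n".join(
    make_msg(2542700 + i, "pos1/0/0", 3 + i, "10.1.2.1") for i in range(5))


def parse_sent_packets(capture):
    """Return one field dict per 'Sending' debug message, tolerating line wraps."""
    packets = []
    for chunk in capture.split(MARKER)[1:]:
        if not chunk.lstrip().startswith("Sending"):
            continue
        fields = {}
        for key, value in FIELD_RE.findall(chunk):
            fields.setdefault(key, value)     # first hit wins; later text is ping output
        if {"interface", "protocol", "d"} <= fields.keys():
            packets.append(fields)
    return packets


def egress_usage(packets):
    """Count egress interfaces per (destination, protocol).

    The source address is left out of the key on purpose: for locally
    originated pings it follows the egress interface, as the Step 5 output shows.
    """
    usage = defaultdict(Counter)
    for p in packets:
        usage[(p["d"], p["protocol"])][p["interface"].lower()] += 1
    return dict(usage)


def classify(capture, min_packets=2):
    """Label each destination by the forwarding behaviour the capture shows."""
    verdicts = {}
    for key, counter in egress_usage(parse_sent_packets(capture)).items():
        if sum(counter.values()) < min_packets:
            verdicts[key] = "insufficient-data"
        elif len(counter) > 1:
            verdicts[key] = "per-packet"
        else:
            # One egress interface is what flow mode produces, but also what a
            # router with a single valid next hop produces.
            verdicts[key] = "per-flow-or-single-path"
    return verdicts


if __name__ == "__main__":
    print(classify(PACKET_MODE_CAPTURE))
    print(classify(FLOW_MODE_CAPTURE))
```

A single-interface verdict does not by itself prove flow mode; confirm with display isis route that more than one equal-cost next hop is installed.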

Configuration files

- Configuration file of Router A

#
 sysname Router A
#
isis 1
 is-level level-2
 network-entity 10.0000.0000.0001.00
#
interface GigabitEthernet1/0/0
 ip address 172.16.1.1 255.255.255.0
 isis enable 1
#
interface POS1/0/0
 link-protocol ppp
 ip address 10.1.1.1 255.255.255.0
 isis enable 1
#
interface POS2/0/0
 link-protocol ppp
 ip address 10.1.2.1 255.255.255.0
 isis enable 1
#
return

- Configuration file of Router B

#
 sysname RouterB
#
isis 1
 is-level level-2
 network-entity 10.0000.0000.0002.00
#
interface POS1/0/0
 link-protocol ppp
 ip address 10.1.1.2 255.255.255.0
 isis enable 1
#
interface POS2/0/0
 link-protocol ppp
 ip address 192.168.0.1 255.255.255.0
 isis enable 1
#
return

- Configuration file of Router C

#
 sysname RouterC
#
isis 1
 is-level level-2
 network-entity 10.0000.0000.0003.00
#
interface POS1/0/0
 link-protocol ppp
 ip address 10.1.2.2 255.255.255.0
 isis enable 1
#
interface POS2/0/0
 link-protocol ppp
 ip address 192.168.1.1 255.255.255.0
 isis enable 1
#
return

- Configuration file of Router D

#
 sysname Router C
#
isis 1
 is-level level-2
 network-entity 10.0000.0000.0004.00
#
interface GigabitEthernet3/0/0
 ip address 172.17.1.1 255.255.255.0
 isis enable 1
#
interface POS1/0/0
 link-protocol ppp
 ip address 192.168.0.2 255.255.255.0
 isis enable 1
#
interface POS2/0/0
 link-protocol ppp
 ip address 192.168.1.2 255.255.255.0
 isis enable 1
#
return

7.9.6 Example of configuring IS-IS GR

Networking requirements

As shown in Figure 7-19, Router A, Router B, and Router C belong to the same AS. IS-IS runs on the three routers and provides IS-IS GR. After the IS-IS adjacency relationship is established, Router A, Router B, and Router C start to exchange routing information. When IS-IS restarts on Router C, Router C resends the connection request to the neighbors to synchronize the LSDBs in GR mode.

Figure 7-19 IS-IS GR configuration

RouterA (L1) POS1/0/0 100.1.1.1/24 <-> POS1/0/0 100.1.1.2/24 RouterC (L1/2) POS2/0/0 100.2.1.1/24 <-> POS1/0/0 100.2.1.2/24 RouterB (L2)

Configuration roadmap

The configuration roadmap has one step: in the IS-IS view of all the routers, enable GR and configure the same restarting time interval.

Data preparation

To complete the configuration, you need the following data:

- IS-IS process number
- Restarting time interval

Configuration procedure

Step 1 Assign IP addresses to the interfaces.

Step 2 Configure basic IS-IS functions.

Step 3 Enable IS-IS GR.

# Enable IS-IS GR on Router C and configure the restarting time interval. The configurations on Router A and Router B are the same as those on Router C. Use Router C as an example:

[RouterC] isis 1
[RouterC-isis-1] graceful-restart
[RouterC-isis-1] graceful-restart interval 150

Step 4 Verify the configuration.

# Run the display fib command on Router C. You can view the FIB table:


display fib
FIB Table:
Total number of Routes : 3

Destination/Mask  Nexthop    Flag  TimeStamp  Interface  TunnelID
100.2.1.2/32      127.0.0.1  HU    t[454]     InLoop0    0x0
100.2.1.0/24      100.2.1.2  U     t[454]     Pos1/0/0   0x0
100.1.1.0/24      100.2.1.1  DGU   t[19216]   Pos1/0/0   0x0

# Restart IS-IS process on Router C in GR mode:

reset isis all

The router restarts the IS-IS process in GR mode only after you enable GR in the IS-IS process.

# Run the display fib command immediately on Router C. You can view the FIB table and check whether GR works normally. If GR works normally, the FIB table does not change and the forwarding of services is not affected when the IS-IS process on Router C restarts in GR mode.

display fib
FIB Table:
Total number of Routes : 3

Destination/Mask  Nexthop    Flag  TimeStamp  Interface  TunnelID
100.2.1.2/32      127.0.0.1  HU    t[454]     InLoop0    0x0
100.2.1.0/24      100.2.1.2  U     t[454]     Pos1/0/0   0x0
100.1.1.0/24      100.2.1.1  DGU   t[19216]   Pos1/0/0   0x0

You can see that the FIB table of Router C did not change and the forwarding of services is not affected.

# Disable IS-IS GR on Router C:

[RouterC] isis 1
[RouterC-isis-1] undo graceful-restart

# Restart IS-IS process on Router C not in GR mode:

reset isis all

# Run the display fib command immediately on Router C. You can view the FIB table:

display fib
FIB Table:
Total number of Routes : 2

Destination/Mask  Nexthop    Flag  TimeStamp  Interface  TunnelID
100.2.1.2/32      127.0.0.1  HU    t[454]     InLoop0    0x0
100.2.1.0/24      100.2.1.2  U     t[454]     Pos1/0/0   0x0

You can see that the forwarding information table of Router C changed and the forwarding of services is affected.

----End
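The Step 4 verification compares the FIB by eye before and after the restart. The following Python sketch is an added example, not part of the Nortel guide: it diffs two saved display fib captures, using the three outputs shown in Step 4 as sample input. The function names are hypothetical, and reading a changed TimeStamp as a rewritten entry is an assumption, since the guide does not define that column.

```python
import ipaddress
import re

ROW_RE = re.compile(
    r"^\s*(?P<dest>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(?P<nexthop>\S+)\s+"
    r"(?P<flag>[A-Z]+)\s+t\[(?P<ts>\d+)\]\s+(?P<iface>\S+)\s+"
    r"(?P<tunnel>0x[0-9a-fA-F]+)\s*$")
TOTAL_RE = re.compile(r"Total number of Routes\s*:\s*(\d+)")

# Sample input: the display fib outputs shown in Step 4 of this example.
FIB_BEFORE = """\
FIB Table:
Total number of Routes : 3

Destination/Mask  Nexthop    Flag  TimeStamp  Interface  TunnelID
100.2.1.2/32      127.0.0.1  HU    t[454]     InLoop0    0x0
100.2.1.0/24      100.2.1.2  U     t[454]     Pos1/0/0   0x0
100.1.1.0/24      100.2.1.1  DGU   t[19216]   Pos1/0/0   0x0
"""
FIB_AFTER_GR_RESTART = FIB_BEFORE     # Step 4: table unchanged after GR restart
FIB_AFTER_PLAIN_RESTART = """\
FIB Table:
Total number of Routes : 2

Destination/Mask  Nexthop    Flag  TimeStamp  Interface  TunnelID
100.2.1.2/32      127.0.0.1  HU    t[454]     InLoop0    0x0
100.2.1.0/24      100.2.1.2  U     t[454]     Pos1/0/0   0x0
"""


def parse_fib(text):
    """Map each destination prefix to (nexthop, flag, interface, timestamp)."""
    routes = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                       # banner, header or blank line
        # ip_network() rejects prefixes with host bits set, so a mangled
        # capture fails here instead of producing a misleading diff.
        dest = str(ipaddress.ip_network(m["dest"]))
        routes[dest] = (m["nexthop"], m["flag"], m["iface"], int(m["ts"]))
    declared = TOTAL_RE.search(text)
    if declared and int(declared.group(1)) != len(routes):
        raise ValueError(
            f"capture lists {len(routes)} routes but declares {declared.group(1)}")
    return routes


def diff_fib(before, after):
    """Compare two display fib captures taken around an IS-IS restart."""
    b, a = parse_fib(before), parse_fib(after)
    common = set(a) & set(b)
    return {
        "removed": sorted(set(b) - set(a)),
        "added": sorted(set(a) - set(b)),
        "changed": sorted(d for d in common if b[d][:3] != a[d][:3]),
        # Assumption: a new TimeStamp on an otherwise identical entry means
        # the entry was withdrawn and written again during the restart.
        "rewritten": sorted(d for d in common
                            if b[d][:3] == a[d][:3] and b[d][3] != a[d][3]),
    }


def forwarding_preserved(before, after):
    """True when the restart left every FIB entry untouched, as GR should."""
    return not any(diff_fib(before, after).values())


if __name__ == "__main__":
    print("GR restart:   ", diff_fib(FIB_BEFORE, FIB_AFTER_GR_RESTART))
    print("plain restart:", diff_fib(FIB_BEFORE, FIB_AFTER_PLAIN_RESTART))
```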

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
isis 1
 graceful-restart
 graceful-restart interval 150
 is-level level-1
 network-entity 10.0000.0000.0001.00
#
interface Pos1/0/0
 link-protocol ppp
 clock slave
 ip address 100.1.1.1 255.255.255.0
 isis enable 1
#
return

- Configuration file of Router B

#
 sysname RouterB
#
isis 1
 graceful-restart
 graceful-restart interval 150
 is-level level-2
 network-entity 10.0000.0000.0002.00
#
interface Pos1/0/0
 link-protocol ppp
 clock slave
 ip address 100.2.1.2 255.255.255.0
 isis enable 1
#
return

- Configuration file of Router C

#
 sysname RouterC
#
isis 1
 graceful-restart
 graceful-restart interval 150
 network-entity 10.0000.0000.0003.00
#
interface Pos1/0/0
 link-protocol ppp
 clock master
 ip address 100.1.1.2 255.255.255.0
 isis enable 1
#
interface Pos2/0/0
 link-protocol ppp
 clock master
 ip address 100.2.1.1 255.255.255.0
 isis enable 1
#
return

7.9.7 Example of configuring BFD for IS-IS

Networking requirements

As shown in Figure 7-20:

- Run IS-IS on Router A, Router B, and Router C.
- Use BFD to detect the IS-IS neighbor relationship between Router A and Router B. If the link between Router A and Router B is faulty, BFD can quickly detect the fault and report it to IS-IS.

Figure 7-20 BFD for IS-IS configuration

RouterA POS1/0/0 100.1.1.1/24 <-> POS1/0/0 100.1.1.2/24 RouterB POS2/0/0 100.2.1.1/24 <-> POS1/0/0 100.2.1.2/24 RouterC

NOTE

You cannot use the BFD for IS-IS feature to detect the multihop links from Router A and Router B because the IS-IS neighbor relationship cannot be established between Router A and Router B.

Configuration roadmap

The steps in the configuration roadmap are

1. Enable basic IS-IS functions on each router.
2. Enable the BFD detection mechanism on Router A and Router B.

Configuration procedure

Step 1 Configure the IP address for each interface.

Step 2 Configure basic IS-IS functions.

# Configure Router A:

[RouterA] isis 1
[RouterA-isis-1] is-level level-2
[RouterA-isis-1] network-entity aa.1111.1111.1111.00
[RouterA-isis-1] quit
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] isis enable 1
[RouterA-Pos1/0/0] quit

# Configure Router B:

[RouterB] isis 1
[RouterB-isis-1] is-level level-2
[RouterB-isis-1] network-entity aa.2222.2222.2222.00
[RouterB-isis-1] quit
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] isis enable 1
[RouterB-Pos1/0/0] quit
[RouterB] interface pos 2/0/0
[RouterB-Pos2/0/0] isis enable 1
[RouterB-Pos2/0/0] quit

# Configure Router C:

[RouterC] isis 1
[RouterC-isis-1] is-level level-2
[RouterC-isis-1] network-entity aa.3333.3333.3333.00
[RouterC-isis-1] quit
[RouterC] interface pos 1/0/0
[RouterC-Pos1/0/0] isis enable 1
[RouterC-Pos1/0/0] quit

After you complete the preceding configurations, you can see that the neighbor relationship is established between Router A and Router B:

[RouterA] display isis peer
Peer information for ISIS(1)
----------------------------
System Id       Interface  Circuit Id  State  HoldTime  Type  PRI
2222.2222.2222  Pos1/0/0   001         Up     23s       L2    --

The IS-IS routing table of Router A has entries to Router B and Router C:

[RouterA] display isis route
Route information for ISIS(1)
-----------------------------
ISIS(1) Level-2 Forwarding Table
--------------------------------
IPV4 Destination  IntCost  ExtCost  ExitInterface  NextHop    Flags
--------------------------------------------------------------------
100.1.1.0/24      10       NULL     Pos1/0/0       Direct     D/L/-
100.2.1.0/24      20       NULL     Pos1/0/0       100.1.1.2  R/-/-

Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set

Step 3 Configure BFD.

# Enable BFD on Router A and configure the BFD session:

[RouterA] bfd
[RouterA-bfd] quit
[RouterA] bfd atob bind peer-ip 100.1.1.2 interface pos 1/0/0
[RouterA-bfd-session-atob] discriminator local 1
[RouterA-bfd-session-atob] discriminator remote 2
[RouterA-bfd-session-atob] commit
[RouterA-bfd-session-atob] quit

# Enable BFD on Router B and configure the BFD session:

[RouterB] bfd
[RouterB-bfd] quit
[RouterB] bfd btoa bind peer-ip 100.1.1.1 interface pos 1/0/0
[RouterB-bfd-session-btoa] discriminator local 2
[RouterB-bfd-session-btoa] discriminator remote 1
[RouterB-bfd-session-btoa] commit
[RouterB-bfd-session-btoa] quit


After you complete the preceding configurations, you can view that the state of BFD session is Up when you run the display bfd session command on Router A or Router B. The display on Router A is as follows:

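[RouterA] display bfd session all
----------------------------------------------------------------
Local  Remote  Peer IP Address  Interface Name  State  Type
----------------------------------------------------------------
1      2       100.1.1.2        Pos1/0/0        Up     Static
----------------------------------------------------------------
Total UP/DOWN Session Number : 1/0

Step 4 Enable IS-IS fast sense.

# Configure Router A: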

[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] isis bfd static
[RouterA-Pos1/0/0] quit

# Configure Router B:

[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] isis bfd static

Step 5 Verify the configuration.

# Debug Router A:

debugging isis circuit-information
terminal debugging
terminal logging
terminal monitor

# Run the shutdown command on POS1/0/0 of Router B to simulate a link fault:

[RouterB-Pos1/0/0] shutdown

# On Router A, the following log information and debugging information appears. The output indicates that BFD notifies the link fault to ISIS and removes the ISIS neighbor relationship between Router A and Router B.

%May 12 19:14:57 2006 RouterA BFD/5/BFD:Slot=1;IO(1) BFD Session(Discr:1) FSM Change To Down(Detect)
%May 12 19:14:57 2006 RouterA RM/4/RMLOG:ISIS-FastSense: Deleting Neighbour by IP Address 100.1.1.2 On Pos1/0/0

*0.16074343 RouterA ISIS/7/ISIS: ISIS-1-FastSense: Deleting Neighbour by IP Address 100.1.1.2 On Pos1/0/0
*0.16079875 RouterA ISIS/7/ISIS: ISIS-1-CIRC: The IP is set to DOWN for ISIS on interface Pos1/0/0
*0.16079875 RouterA ISIS/7/ISIS:
*0.16079875 RouterA ISIS/7/ISIS: ISIS-1-CIRC :The state of circuit is Down
*0.16079875 RouterA ISIS/7/ISIS: ISIS-1-Received DOWN event 67109126-a301440.


If you run the display isis route command or the display isis peer command on Router A, no information appears. This result indicates that the IS-IS neighbor relationship between Router A and Router B is removed.

----End

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
bfd
#
isis 1
 is-level level-2
 network-entity aa.1111.1111.1111.00
#
interface Pos1/0/0
 link-protocol ppp
 ip address 100.1.1.1 255.255.255.0
 isis enable 1
 isis bfd static
#
bfd atob bind peer-ip 100.1.1.2 interface Pos1/0/0
 discriminator local 1
 discriminator remote 2
 commit
#
return

- Configuration file of Router B

#
 sysname RouterB
#
bfd
#
isis 1
 is-level level-2
 network-entity aa.2222.2222.2222.00
#
interface Pos1/0/0
 link-protocol ppp
 ip address 100.1.1.2 255.255.255.0
 isis enable 1
 isis bfd static
#
interface Pos2/0/0
 ip address 100.2.1.1 255.255.255.0
 isis enable 1
#
bfd btoa bind peer-ip 100.1.1.1 interface Pos1/0/0
 discriminator local 2
 discriminator remote 1
 commit
return

- Configuration file of Router C

#
 sysname RouterC
#
isis 1
 is-level level-2
 network-entity aa.3333.3333.3333.00
#
interface Pos1/0/0
 ip address 100.2.1.2 255.255.255.0
 isis enable 1
#
return

7.9.8 Example of configuring IS-IS fast convergence

Networking requirements

As shown in Figure 7-21:

- Run IS-IS on Router A and Router B.
- Router A and Router B belong to area 10; they are Level-2 routers.

Figure 7-21 IS-IS fast convergence network diagram

RouterA GbE1/0/0 10.1.1.1/24 <-> GbE1/0/0 10.1.1.2/24 RouterB

Configuration roadmap

The steps in the configuration roadmap are

- Enable basic IS-IS functions on each router.
- Enable the BFD detection mechanism on Router A and Router B.
- Disable the padding of hello packets on Router A and Router B.
- Configure the time parameters of fast convergence on Router A and Router B.

Data preparation

To configure IS-IS fast convergence, you need the following data:

- Level and area number of the two routers
- Time parameters of fast convergence

Configuration procedure Step 1 Configure IP address for each interface.


Step 2 Configure basic IS-IS functions.

# Configure Router A:

[RouterA] isis 1
[RouterA-isis-1] is-level level-2
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] quit
[RouterA] interface GigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] isis enable 1
[RouterA-GigabitEthernet1/0/0] quit

# Configure Router B:

[RouterB] isis 1
[RouterB-isis-1] is-level level-2
[RouterB-isis-1] network-entity 10.0000.0000.0002.00
[RouterB-isis-1] quit
[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] isis enable 1
[RouterB-GigabitEthernet1/0/0] quit

# View the neighbor status and routing calculation on Router A. Run the shutdown command on GbE1/0/0 of Router B to simulate the link in down state:

[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] shutdown

View the neighbor information on Router A:

debugging isis spf-summary
terminal debugging
terminal monitor
display isis peer

Peer information for ISIS(1)
----------------------------
System Id       Interface  Circuit Id         State  HoldTime  Type  PRI
0000.0000.0002  Ge1/0/0    0000.0000.0002.01  Up     7s        L2    64

After you run the shutdown command on the GbE port of Router B, the system does not immediately advertise that the neighbor becomes invalid but deletes the neighbor after the Holdtime timer times out, and then begins the routing calculation.

*0.11042110 Nortel ISIS/7/ISIS: Prc job completed at Sec = 11019, MSec = 750.

*0.11042110 Nortel ISIS/7/ISIS: Signal SPF at Sec = 11042, MSec = 110.

*0.11052110 Nortel ISIS/7/ISIS: Signal SPF at Sec = 11042, MSec = 110.

*0.11052110 Nortel ISIS/7/ISIS: ISpf starts at Sec = 11052, MSec = 110.ISIS-1-SPF-STATS: RT Calculation: Elapsed time: 0 Milliseconds

*0.11052110 Nortel ISIS/7/ISIS: ISIS-1-SPF-PRC: Received L2 System Change Event for 0000.0000.0002.00, Change = 2

*0.11052110 Nortel ISIS/7/ISIS: ISIS-1-SPF-PRC: Received L2 System Change Event for 0000.0000.0002.01, Change = 2

*0.11052110 Nortel ISIS/7/ISIS: ISIS-1-DEC-PRC: Igorning pseudo-node system change information from the ISPF module.

*0.11052110 Nortel ISIS/7/ISIS:

*0.11052110 Nortel ISIS/7/ISIS: ISpf ends(and prc starts) at Sec = 11052, MSec = 110.

*0.11052110 Nortel ISIS/7/ISIS: Prc job starts to run at Sec = 11052, MSec = 110.ISIS-1-SPF-PRC: Processing L2 LSPs of System :0000.0000.0002, Change Type = 2

In the holdtime period, packets cannot correctly reach the destination because the route passing GbE1/0/0 is discarded. You must enable BFD features and configure the time parameters of fast convergence. Routers can then quickly sense the change of topology and recalculate routes when the network changes.

Step 3 Configure BFD features.

# Configure Router A:

[RouterA] bfd
[RouterA-bfd] quit
[RouterA] bfd atob bind peer-ip 10.1.1.2 interface GigabitEthernet 1/0/0
[RouterA-bfd-session-atob] discriminator local 1
[RouterA-bfd-session-atob] discriminator remote 2
[RouterA-bfd-session-atob] commit
[RouterA-bfd-session-atob] quit
[RouterA] interface GigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] isis bfd static
[RouterA-GigabitEthernet1/0/0] quit

# Configure Router B:

[RouterB] bfd
[RouterB-bfd] quit
[RouterB] bfd atob bind peer-ip 10.1.1.1 interface GigabitEthernet 1/0/0
[RouterB-bfd-session-atob] discriminator local 2
[RouterB-bfd-session-atob] discriminator remote 1
[RouterB-bfd-session-atob] commit
[RouterB-bfd-session-atob] quit
[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] isis bfd static
[RouterB-GigabitEthernet1/0/0] quit

Step 4 Disable the padding of hello packets.

# Configure Router A:


[RouterA] interface GigabitEthernet 1/0/0
[RouterA-GigabitEthernet1/0/0] isis small-hello
[RouterA-GigabitEthernet1/0/0] quit

# Configure Router B:

[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] isis small-hello
[RouterB-GigabitEthernet1/0/0] quit

When the neighbor relationship is established, IS-IS needs to check whether the MTU values at both ends of the link are consistent. By default, IS-IS increases the size of hello packets to the MTU value. The isis small-hello command simplifies the sending and receiving of hello packets and saves network bandwidth.

Step 5 Configure the time parameters of fast convergence.

# Configure Router A:

[RouterA] isis
[RouterA-isis-1] timer spf 1 50 100
[RouterA-isis-1] timer lsp-generation 1 1 120

# Configure Router B:

[RouterB] isis
[RouterB-isis-1] timer spf 1 50 100
[RouterB-isis-1] timer lsp-generation 1 1 120

NOTE

- Default values of spf: 10 seconds, 100 milliseconds, 5 seconds.
- Default values of lsp-generation: 5 seconds, 50 milliseconds, 5 seconds.

Step 6 Verify the configuration.

# Run the shutdown command on GbE1/0/0 of Router B to simulate the link in Down state:

[RouterB] interface GigabitEthernet 1/0/0
[RouterB-GigabitEthernet1/0/0] shutdown

# Check the calculation time of routes on Router A:

debugging isis spf-summary
terminal debugging
terminal monitor
%Sep 26 12:10:29 2006 Nortel BFD/5/BFD:IO(6) BFD Session(Discr:1) FSM Change To Down(Detect)
%Sep 26 12:10:29 2006 Nortel RM/4/RMLOG:ISIS-FastSense: Deleting Neighbour by IP Address 10.1.1.2 On GigabitEthernet1/0/0
*0.9978760 Nortel ISIS/7/ISIS: Prc job completed at Sec = 09919, MSec = 390.

*0.9978760 Nortel ISIS/7/ISIS: Signal SPF at Sec = 09978, MSec = 760.

*0.9978870 Nortel ISIS/7/ISIS: Signal SPF at Sec = 09978, MSec = 760.

*0.9978870 Nortel ISIS/7/ISIS: ISpf starts at Sec = 09978, MSec = 810.ISIS-1-SPF-STATS: RT Calculation: Elapsed time: 0 Milliseconds

*0.9978870 Nortel ISIS/7/ISIS: ISIS-1-SPF-PRC: Received L2 System Change Event for 0000.0000.0002.00, Change = 2

*0.9978870 Nortel ISIS/7/ISIS: ISIS-1-SPF-PRC: Received L2 System Change Event for 0000.0000.0002.01, Change = 2

*0.9978870 Nortel ISIS/7/ISIS: ISIS-1-DEC-PRC: Igorning pseudo-node system change information from the ISPF module.

*0.9978870 Nortel ISIS/7/ISIS:

*0.9978870 Nortel ISIS/7/ISIS: ISpf ends(and prc starts) at Sec = 09978, MSec = 810.

*0.9978870 Nortel ISIS/7/ISIS: Prc job starts to run at Sec = 09978, MSec = 810.ISIS-1-SPF-PRC: Processing L2 LSPs of System :0000.0000.0002, Change Type = 2

When BFD senses that the link becomes Down, the neighbor is deleted immediately and route calculation starts. The network convergence speed increases.

----End

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
bfd
#
isis 1
 is-level level-2
 timer lsp-generation 1 1 120 level-1
 timer lsp-generation 1 1 120 level-2
 network-entity 10.0000.0000.0001.00
 timer spf 1 50 100
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.1 255.255.255.0
 isis enable 1
 isis bfd static
 isis small-hello
#
bfd 1 bind peer-ip 10.1.1.2 interface GigabitEthernet1/0/0
 discriminator local 1
 discriminator remote 2
 commit
#
return

- Configuration file of Router B

#
 sysname RouterB
#
bfd
#
isis 1
 is-level level-2
 timer lsp-generation 1 1 120 level-1
 timer lsp-generation 1 1 120 level-2
 network-entity 10.0000.0000.0002.00
 timer spf 1 50 100
#
interface GigabitEthernet1/0/0
 ip address 10.1.1.2 255.255.255.0
 isis enable 1
 isis bfd static
 isis small-hello
#
bfd 1 bind peer-ip 10.1.1.1 interface GigabitEthernet1/0/0
 discriminator local 2
 discriminator remote 1
 commit
#
return

7.9.9 Example of configuring basic IS-IS IPv6 functions

Networking requirements

As shown in Figure 7-22:

- Router A, Router B, Router C, and Router D belong to the same AS. You enable IPv6 capability on all the routers. The routers connect by the IS-ISv6 protocol in the IPv6 network.
- Router A, Router B, and Router C belong to area 10. Router D belongs to area 20.
- Router A and Router B are Level-1 routers. Router C is a Level-1-2 router. Router D is a Level-2 router.


Figure 7-22 Basic IS-IS IPv6 feature network diagram

IS-IS Area10: RouterA (L1) POS1/0/0 10:1::2/64 <-> POS1/0/0 10:1::1/64 RouterC (L1/2)
IS-IS Area10: RouterB (L1) POS1/0/0 10:2::2/64 <-> POS2/0/0 10:2::1/64 RouterC (L1/2)
RouterC (L1/2) POS3/0/0 30::1/64 <-> POS1/0/0 30::2/64 RouterD (L2), IS-IS Area20
RouterD (L2) GbE2/0/0 20::1/64

Configuration roadmap

The steps in the configuration roadmap are

1. Enable IS-IS on each router, configure the class of level, and specify the network entity.
2. Check the IS-IS neighbor of each router and the routing table.

Data preparation

To complete the configuration, you need the following data:

- The area number of Router A, Router B, Router C, and Router D
- The level of Router A, Router B, Router C, and Router D

Configuration procedure

Step 1 Configure the IPv6 addresses of each interface.

Step 2 Configure IS-IS.

# Configure Router A:

[RouterA] isis 1
[RouterA-isis-1] is-level level-1
[RouterA-isis-1] network-entity 10.0000.0000.0001.00
[RouterA-isis-1] ipv6 enable
[RouterA-isis-1] quit
[RouterA] interface pos 1/0/0
[RouterA-Pos1/0/0] isis ipv6 enable 1
[RouterA-Pos1/0/0] quit

# Configure Router B:


[RouterB] isis 1
[RouterB-isis-1] is-level level-2
[RouterB-isis-1] network-entity 10.0000.0000.0002.00
[RouterB-isis-1] ipv6 enable
[RouterB-isis-1] quit
[RouterB] interface pos 1/0/0
[RouterB-Pos1/0/0] isis ipv6 enable 1
[RouterB-Pos1/0/0] quit

# Configure Router C:

[RouterC] isis 1
[RouterC-isis-1] network-entity 10.0000.0000.0003.00
[RouterC-isis-1] ipv6 enable
[RouterC-isis-1] quit
[RouterC] interface pos 1/0/0
[RouterC-Pos1/0/0] isis ipv6 enable 1
[RouterC-Pos1/0/0] quit
[RouterC] interface pos 2/0/0
[RouterC-Pos2/0/0] isis ipv6 enable 1
[RouterC-Pos2/0/0] quit
[RouterC] interface pos 3/0/0
[RouterC-Pos3/0/0] isis ipv6 enable 1
[RouterC-Pos3/0/0] isis circuit-level level-2
[RouterC-Pos3/0/0] quit

# Configure Router D:

[RouterD] isis 1
[RouterD-isis-1] is-level level-2
[RouterD-isis-1] network-entity 20.0000.0000.0004.00
[RouterD-isis-1] ipv6 enable
[RouterD-isis-1] quit
[RouterD] interface pos 1/0/0
[RouterD-Pos1/0/0] isis ipv6 enable 1
[RouterD-Pos1/0/0] quit
[RouterD] interface GigabitEthernet 2/0/0
[RouterD-GigabitEthernet2/0/0] isis ipv6 enable 1
[RouterD-GigabitEthernet2/0/0] quit

Step 3 Verify the configuration.

# Display the IS-IS routing table of Router A:

[RouterA] display isis route
Route information for ISIS(1)
-----------------------------

ISIS(1) Level-1 Forwarding Table
--------------------------------

IPV4 Destination  IntCost  ExtCost  ExitInterface  NextHop  Flags
------------------------------------------------------------------
0.0.0.0/0         10       NULL

IPV6 Destination  Cost  ExitInterface  NextHop               Flags
-------------------------------------------------------------------
::/0              10    P1/0/0         FE80::A83E:0:3ED2:1   R/-/-
10:1::/64         10    P1/0/0         Direct                D/L/-
10:2::/64         20    P1/0/0         FE80::A83E:0:3ED2:1   R/-/-

Flags: D-Direct, R-Added to RM, L-Advertised in LSPs, U-Up/Down Bit Set

# Display the IS-IS peers of Router C:

[RouterC] display isis peer verbose
Peer information for ISIS(1)
----------------------------
System Id       Interface  Circuit Id  State  HoldTime  Type  PRI
0000.0000.0001  P1/0/0     001         Up     24s       L1    --
 Area Address(es):10
 Peer IPV6 Address(es): FE80::996B:0:9419:1
 Uptime: 00:44:43
 Adj Protocol: IPV6

0000.0000.0002  P2/0/0     002         Up     28s       L1    --
 Area Address(es):10
 Peer IPV6 Address(es): FE80::DC40:0:47A9:1
 Uptime: 00:46:13
 Adj Protocol: IPV6

0000.0000.0004  P3/0/0     003         Up     24s       L2    --
 Area Address(es):20
 Peer IPV6 Address(es): FE80::F81D:0:1E24:2
 Uptime: 00:53:18
 Adj Protocol: IPV6

# Display the IS-IS LSDB of Router C:

[RouterC] display isis lsdb verbose

Database information for ISIS(1)
--------------------------------

Level-1 Link State Database

LSPID                  Seq Num     Checksum  Holdtime  Length  ATT/P/OL
------------------------------------------------------------------------
0000.0000.0001.00-00   0x0000000c  0x4e06    1117      113     0/0/0
 SOURCE        0000.0000.0001.00
 NLPID         IPV4
 NLPID         IPV6
 AREA ADDR     10
 INTF ADDR V6  10:1::2
 NBR ID        0000.0000.0003.00  COST: 10
 IPV6          10:1::/64          COST: 10

0000.0000.0002.00-00   0x00000009  0x738c    1022      83      0/0/0
 SOURCE        0000.0000.0002.00
 NLPID         IPV4
 NLPID         IPV6
 AREA ADDR     10
 INTF ADDR V6  10:2::2
 NBR ID        0000.0000.0003.00  COST: 10
 IPV6          10:2::/64          COST: 10

0000.0000.0003.00-00*  0x00000020  0x6b10    771       140     1/0/0
 SOURCE        0000.0000.0003.00
 NLPID         IPV4
 NLPID         IPV6
 AREA ADDR     10
 INTF ADDR V6  30::1
 INTF ADDR V6  10:2::1
 INTF ADDR V6  10:1::1
 NBR ID        0000.0000.0002.00  COST: 10
 NBR ID        0000.0000.0001.00  COST: 10
 IPV6          10:2::/64          COST: 10
 IPV6          10:1::/64          COST: 10

Level-2 Link State Database

LSPID                  Seq Num     Checksum  Holdtime  Length  ATT/P/OL
------------------------------------------------------------------------
0000.0000.0003.00-00*  0x00000017  0x61b4    771       157     0/0/0
 SOURCE        0000.0000.0003.00
 NLPID         IPV4
 NLPID         IPV6
 AREA ADDR     10
 INTF ADDR V6  30::1
 INTF ADDR V6  10:2::1
 INTF ADDR V6  10:1::1
 NBR ID        0000.0000.0004.00  COST: 10
 IPV6          30::/64            COST: 10
 IPV6          10:2::/64          COST: 10
 IPV6          10:1::/64          COST: 10

0000.0000.0004.00-00   0x0000000b  0x6dfa    1024      124     0/0/0
 SOURCE        0000.0000.0004.00
 NLPID         IPV4
 NLPID         IPV6
 AREA ADDR     20
 INTF ADDR V6  30::2
 INTF ADDR V6  20::1
 NBR ID        0000.0000.0003.00  COST: 10
 NBR ID        0000.0000.0005.00  COST: 10
 IPV6          30::/64            COST: 10
 IPV6          20::/64            COST: 10

----End

Configuration files

• Configuration file of Router A

#
 sysname RouterA
#
 ipv6
#
isis 1
 is-level level-1
 network-entity 10.0000.0000.0001.00
 #
 ipv6 enable
 #
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 10:1::2/64
 isis ipv6 enable 1
#
return

• Configuration file of Router B

#
 sysname RouterB
#
 ipv6
#
isis 1
 is-level level-1
 network-entity 10.0000.0000.0002.00
 #
 ipv6 enable
 #
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 10:2::2/64
 isis ipv6 enable 1
#
return

• Configuration file of Router C

#
 sysname RouterC
#
 ipv6
#
isis 1
 network-entity 10.0000.0000.0003.00
 #
 ipv6 enable
 #
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 10:1::1/64
 isis ipv6 enable 1
#
interface Pos2/0/0
 link-protocol ppp
 ipv6 address 10:2::1/64
 isis ipv6 enable 1
#
interface Pos3/0/0
 link-protocol ppp
 ipv6 address 30::1/64
 isis ipv6 enable 1
 isis circuit-level level-2
#
return

• Configuration file of Router D

#
 sysname RouterD
#
 ipv6
#
isis 1
 is-level level-2
 network-entity 20.0000.0000.0004.00
 #
 ipv6 enable
 #
#
interface GigabitEthernet2/0/0
 ipv6 address 20::1/64
 isis ipv6 enable 1
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 30::2/64
 isis ipv6 enable 1
#
return


Contents

8 BGP configuration
  8.1 Introduction
    8.1.1 BGP
    8.1.2 BGP message
    8.1.3 BGP route attributes
    8.1.4 Principles of route selection
    8.1.5 IBGP and IGP synchronization
    8.1.6 Issues in large-scale BGP networks
    8.1.7 MP-BGP
    8.1.8 BGP GR
    8.1.9 References
  8.2 Configuring basic BGP functions
    8.2.1 Establishing the configuration task
    8.2.2 Configuring basic BGP functions
    8.2.3 Configure BGP to advertise the local routes
    8.2.4 Configuring the local interfaces used for BGP connections
    8.2.5 Configuring the maximum number of hops in EBGP connections
    8.2.6 Entering BGP extended address family view
    8.2.7 Checking the configuration
  8.3 Controlling the advertising and receiving of routing information
    8.3.1 Establishing the configuration task
    8.3.2 Configuring BGP to import IGP routes
    8.3.3 Configuring BGP to filter the imported routes
    8.3.4 Configuring BGP route aggregation
    8.3.5 Configuring a router to advertise default routes to its peer
    8.3.6 Configuring related access lists
    8.3.7 Configuring related routing policies
    8.3.8 Policies for advertising BGP routing information
    8.3.9 Configuring the policies for receiving BGP routing information
    8.3.10 Configuring BGP route dampening
    8.3.11 Checking the configuration
  8.4 Configuring BGP route attributes
    8.4.1 Establishing the configuration task
    8.4.2 Configuring the BGP preference
    8.4.3 Configuring the default local_pref attribute
    8.4.4 Configuring the MED attribute
    8.4.5 Configuring the next_hop attribute
    8.4.6 Configuring the AS-Path attribute
    8.4.7 Checking the configuration
  8.5 Adjusting and optimizing BGP networks
    8.5.1 Establishing the configuration task
    8.5.2 Configuring BGP timers
    8.5.3 Configuring the interval for sending update packets
    8.5.4 Configuring BGP soft resetting
    8.5.5 Enabling quick resetting of EBGP connections
    8.5.6 Configuring MD5 authentication
    8.5.7 Configuring the maximum number of equal-cost routes
    8.5.8 Configuring EBGP split horizon
    8.5.9 Checking the configuration
  8.6 Building large-sized BGP networks
    8.6.1 Establishing the configuration task
    8.6.2 Configuring a BGP peer group
    8.6.3 Configuring the BGP community
    8.6.4 Configuring the BGP route reflector
    8.6.5 Configuring the BGP confederation
    8.6.6 Checking the configuration
  8.7 Configuring BGP GR
    8.7.1 Establishing the configuration task
    8.7.2 Enabling BGP GR
    8.7.3 Configuring GR parameters for the BGP session
    8.7.4 Checking the configuration
  8.8 Maintaining BGP
    8.8.1 Resetting BGP connections
    8.8.2 Clearing BGP information
    8.8.3 Debugging BGP
  8.9 Configuration examples
    8.9.1 Example of configuring basic BGP functions
    8.9.2 Example of configuring AS-Path filter
    8.9.3 Example of configuring BGP to interact with IGP
    8.9.4 Example of configuring BGP load balancing and MED attribute
    8.9.5 Example of configuring the BGP community
    8.9.6 Example of configuring the BGP route reflector
    8.9.7 Example of configuring the BGP confederation

Figures

Figure 8-1 BGP message packet header
Figure 8-2 Open message format
Figure 8-3 Update message format
Figure 8-4 Notification message format
Figure 8-5 BGP route-refresh message format
Figure 8-6 AS-Path attribute
Figure 8-7 Next_Hop attribute
Figure 8-8 MED attribute
Figure 8-9 Local_Pref attribute
Figure 8-10 IBGP and IGP synchronization
Figure 8-11 BGP route dampening
Figure 8-12 Route reflector
Figure 8-13 Confederation
Figure 8-14 Basic BGP configuration
Figure 8-15 AS-Path filter
Figure 8-16 Interaction between BGP and IGP
Figure 8-17 BGP route selection
Figure 8-18 BGP community
Figure 8-19 BGP route reflector configuration
Figure 8-20 Confederation configuration

Tables

Table 8-1 Route attributes and their types


8 BGP configuration

About this chapter

The following table describes the contents of this chapter.

Section | Description
8.1 Introduction | This section describes the principles and concepts of the Border Gateway Protocol (BGP).
8.2 Configuring basic BGP functions | This section describes how to enable BGP and how to configure BGP peers or peer groups. For a configuration example, see Example of configuring basic BGP functions.
8.3 Controlling the advertising and receiving of routing information | This section describes how BGP controls the received and sent routes and how BGP imports external routes. For configuration examples, see Example of configuring BGP to interact with IGP and Example of configuring AS-Path filter.
8.4 Configuring BGP route Selection Policy | This section describes how to change BGP route selection policy. For a configuration example, see Example of configuring BGP load balancing and MED attribute.
8.5 Adjusting and optimizing BGP networks | This section describes how to configure certain BGP features in special network environments and how to adjust and optimize the performance of BGP networks. For a configuration example, see Example of configuring BGP load balancing and MED attribute.
8.6 Building large-sized BGP networks | This section describes how to simplify the management of a routing policy and to enhance route advertisement efficiency. For configuration examples, see Example of configuring the BGP community, Example of configuring the BGP route reflector, and Example of configuring the BGP confederation.
8.7 Configuring BGP GR | This section describes how to configure BGP Graceful Restart (GR).
8.8 Maintaining BGP | This section describes how to reset a BGP connection, clear BGP statistics, and debug BGP.
8.9 Configuration examples | This section provides configuration examples for BGP.


8.1 Introduction

This section covers the following topics that you must understand before you configure BGP:

• BGP
• BGP message
• BGP route attributes
• Principles of route selection
• IBGP and IGP
• Issues in large-scale BGP networks
• MP-BGP
• BGP GR
• References

8.1.1 BGP

BGP is a dynamic routing protocol used between autonomous systems (ASs). There are three early versions of BGP: BGP-1 (RFC 1105), BGP-2 (RFC 1163), and BGP-3 (RFC 1267). The current version of BGP is BGP-4 (RFC 1771). Internet Service Providers (ISPs) use BGP-4 as an extended exterior routing protocol on the Internet.

NOTE

In this manual, BGP refers to BGP-4 unless otherwise stated.

The following list identifies the characteristics of BGP:

• BGP is an Exterior Gateway Protocol (EGP). It focuses on route propagation control and selection of optimal routes rather than discovery and calculation of routes. These features distinguish BGP from Interior Gateway Protocols (IGPs) such as Open Shortest Path First (OSPF) and the Routing Information Protocol (RIP).
• BGP uses TCP as the transport layer protocol to enhance the reliability of the protocol. The port number is 179.
• BGP supports Classless Inter-Domain Routing (CIDR).
• BGP transmits updated routes only. This process occupies less bandwidth and is suitable for propagating a large amount of routing information on the Internet.
• BGP eliminates route loops by adding AS-path information to BGP routes.
• BGP provides abundant routing policies to implement flexible filtering and route selection.
• BGP is easy to extend to support new developments of the network.

BGP runs on a router in either of the following modes:

• Interior BGP (IBGP)
• Exterior BGP (EBGP)

BGP is called IBGP when it runs within an AS and EBGP when it runs between ASs.


8.1.2 BGP message

Roles in message exchange

• Speaker—The router that transmits BGP messages is the BGP speaker. The speaker continuously receives and generates new routing information and advertises it to the other BGP speakers. When a BGP speaker receives a new route from another AS, it compares the route with the current route. If the learned route is better, or if it is a new route, the speaker advertises it to all the other BGP speakers in the AS.
• Peer—The peer of a BGP speaker is a BGP speaker with which it exchanges information. Multiple related peers compose a peer group.

Message header format

BGP uses five types of messages. These messages use the same packet header, as shown in the following figure.

Figure 8-1 BGP message packet header (figure not reproduced; fields shown: Marker, Length, Type, against a bit ruler of 0, 7, 15, 31)

The following list explains the main fields:

• Marker—This field is used in the calculation for BGP authentication. If no authentication is used, the value is all ones.
• Length—This field indicates the total length of a BGP message, including the packet header, in bytes.
• Type—This field indicates the message type. The value can be 1 to 5, representing Open, Update, Notification, Keepalive, and Route-refresh messages respectively. RFC 1771 defines the first four message types and RFC 2918 defines the last message type.

Open message

The open message is the first message sent after the TCP connection between BGP peers is created. The following figure shows the format of an open message.


Figure 8-2 Open message format (figure not reproduced; fields shown in order: Version, My Autonomous System, Hold Time, BGP Identifier, Opt Parm Len, Optional Parameters, against a bit ruler of 0, 7, 15, 31)

The following list explains the main fields:

• Version—This field indicates the BGP version number. For BGP-4, the value is 4.
• My Autonomous System—This field indicates the local AS number. You can determine whether a connection is an EBGP connection or an IBGP connection by comparing the AS numbers of the BGP peers.
• Hold Time—BGP peers must negotiate the hold time when they establish the peer relationship, and they must keep the time consistent. If the two sides propose different hold times, BGP selects the smallest value. If one side does not receive Keepalive or Update messages from its peer within this time, it considers the BGP connection closed.
• BGP Identifier—This field identifies a BGP router. It is in the form of an IP address.
• Opt Parm Len (Optional Parameters Length)—This field indicates the length of the Optional Parameters field. The value 0 indicates no optional parameters.
• Optional Parameters—This field indicates the optional parameters for BGP authentication or multiprotocol extensions.
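The header and Open message checks described above, as an added Python example (not code from this manual or from the router software). The field widths (16-octet Marker, 2-octet Length, 1-octet Type), the 19 to 4096 octet message size and the rule that a Hold Time of 1 or 2 is invalid come from the BGP-4 specification rather than from this page; all function names and the sample message are constructed for the example.

```python
import ipaddress
import struct

HEADER_LEN = 19          # 16-octet Marker + 2-octet Length + 1-octet Type
MAX_MESSAGE_LEN = 4096   # upper bound from the BGP-4 specification
OPEN_FIXED_LEN = 10      # Version through Opt Parm Len
MESSAGE_TYPES = {1: "Open", 2: "Update", 3: "Notification",
                 4: "Keepalive", 5: "Route-refresh"}


class BgpParseError(ValueError):
    """Raised when a message violates the header or Open message layout."""


def parse_header(data: bytes):
    """Validate the common header; return (message type name, body bytes)."""
    if len(data) < HEADER_LEN:
        raise BgpParseError("truncated header")
    marker, length, msg_type = struct.unpack("!16sHB", data[:HEADER_LEN])
    # Assumes no authentication, in which case the Marker is all ones.
    if marker != b"\xff" * 16:
        raise BgpParseError("Marker is not all ones")
    # Length includes the header itself, so it can never be below 19.
    if not HEADER_LEN <= length <= MAX_MESSAGE_LEN:
        raise BgpParseError(f"Length {length} is out of range")
    if length != len(data):
        raise BgpParseError("Length does not match the bytes supplied")
    if msg_type not in MESSAGE_TYPES:
        raise BgpParseError(f"unknown Type {msg_type}")
    body = data[HEADER_LEN:]
    if msg_type == 4 and body:
        raise BgpParseError("Keepalive must consist of the header only")
    return MESSAGE_TYPES[msg_type], body


def parse_open(body: bytes) -> dict:
    """Decode the Open message fields that follow the common header."""
    if len(body) < OPEN_FIXED_LEN:
        raise BgpParseError("truncated Open message")
    version, my_as, hold_time, bgp_id, opt_len = struct.unpack(
        "!BHH4sB", body[:OPEN_FIXED_LEN])
    if version != 4:
        raise BgpParseError(f"unsupported BGP version {version}")
    if hold_time in (1, 2):
        raise BgpParseError("Hold Time must be 0 or at least 3 seconds")
    # Opt Parm Len must account for every byte after the fixed fields.
    if len(body) != OPEN_FIXED_LEN + opt_len:
        raise BgpParseError("Opt Parm Len does not match the body length")
    return {
        "version": version,
        "my_as": my_as,
        "hold_time": hold_time,
        "bgp_identifier": str(ipaddress.IPv4Address(bgp_id)),
        "optional_parameters": body[OPEN_FIXED_LEN:],
    }


def session_type(local_as: int, peer_as: int) -> str:
    """Equal AS numbers mean IBGP, different AS numbers mean EBGP."""
    return "IBGP" if local_as == peer_as else "EBGP"


def negotiated_hold_time(local: int, peer: int) -> int:
    """Both sides use the smaller of the two proposed hold times."""
    return min(local, peer)


def build_open(my_as: int, hold_time: int, bgp_id: str, opt: bytes = b"") -> bytes:
    """Construct a sample Open message (test input, not captured traffic)."""
    body = struct.pack("!BHH4sB", 4, my_as, hold_time,
                       ipaddress.IPv4Address(bgp_id).packed, len(opt)) + opt
    return b"\xff" * 16 + struct.pack("!HB", HEADER_LEN + len(body), 1) + body


if __name__ == "__main__":
    sample = build_open(65001, 90, "192.0.2.1")   # constructed values
    kind, body = parse_header(sample)
    peer = parse_open(body)
    print(kind, peer)
    print(session_type(65002, peer["my_as"]),
          negotiated_hold_time(180, peer["hold_time"]))
```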

Update message

Update messages exchange routing information between BGP peers. An update message can advertise one feasible route or withdraw multiple unfeasible routes. The following figure shows the format of an update message.

Figure 8-3 Update message format

Unfeasible Routes Length (2 octets)

Withdrawn Routes (variable)

Total Path Attribute Length (2 octets)

Path Attributes (variable)

Network Layer Reachability Information (variable)

The following list explains the main fields:

• Unfeasible Routes Length—This field indicates the length of the Withdrawn Routes field in bytes. The value 0 represents no Withdrawn Routes field.
• Withdrawn Routes—This field contains a list of unfeasible routes.
• Total Path Attribute Length—This field indicates the length of the Path Attributes field in bytes. The value 0 represents no Path Attributes or Network Layer Reachability Information (NLRI) field.
• Path Attributes—This field contains a list of all path attributes that relate to NLRI. Each path attribute is a Type-Length-Value (TLV) triple.
• NLRI—This field indicates the prefix of a feasible route and the length of the prefix.

Notification message

One side of a connection uses the notification message to report an error to its peer. After the notification, the BGP connection closes. The following figure shows the format of a notification message.

Figure 8-4 Notification message format (figure not reproduced; fields shown: Error Code, Error Subcode, Data, against a bit ruler of 0, 7, 15, 31)

The following list explains the main fields:

• Error Code—This field specifies the error type.
• Error Subcode—This field specifies the details of the error type.
• Data—Use this field to diagnose the reason for the error. The length is variable.

Keepalive message

The keepalive message checks the validity of a connection. The message contains only the packet header, without any other fields.

Route-refresh message

The route-refresh message notifies the peer that the local end supports route refresh. The following figure shows the format of the BGP route-refresh message.

Figure 8-5 BGP route-refresh message format (figure not reproduced; fields shown: AFI, Res., SAFI, against a bit ruler of 0, 7, 15, 23, 31)

The following list explains the main fields:

• AFI—This field is the Address Family Identifier. The field is 16 bits in length.
• Res.—This field is the Reserved field (Res). The field is 8 bits long. The sending router should set it to 0. The receiving router can ignore this field.
• SAFI—This field is the Subsequent Address Family Identifier. The field is 8 bits in length.


If all BGP routers have the route-refresh capability enabled, the local BGP router sends a route-refresh message to its peers when the BGP routing policy changes. The peers that receive the message resend their routing information to the local BGP router. The BGP routing table can then refresh dynamically, and the router can apply the new routing policy without interrupting BGP connections.

8.1.3 BGP route attributes

Route attribute classification

The BGP route attributes are a set of parameters that further describe a specific route so that BGP can filter and select routes. All BGP route attributes fall into the following categories:

• Well-known mandatory—All BGP routers can identify the attributes. The attributes are mandatory and each update message must include them. Without the attributes, errors occur in routing information.
• Well-known discretionary—All BGP routers can identify the attributes. The attributes are discretionary and each update message can include them. The message selects the attributes according to practical conditions.
• Optional transitive—This category indicates the transitive attributes among ASs. A BGP router may not support this attribute, but it still receives the routes with this attribute and advertises them to other peers.
• Optional nontransitive—If a BGP router does not support this attribute, it ignores the update messages with this attribute and does not advertise them to other peers.

The following table shows the BGP route attributes and their corresponding types.

Table 8-1 Route attributes and their types

Attribute name | Type
Origin | Well-known mandatory
AS-Path | Well-known mandatory
Next_Hop | Well-known mandatory
Local_Pref | Well-known discretionary
Atomic_Aggregate | Well-known discretionary
Aggregator | Optional transitive
Community | Optional transitive
Multi_Exit_Disc (MED) | Optional nontransitive
Originator_ID | Optional nontransitive
Cluster_List | Optional nontransitive


Main route attributes

• Origin

The origin attribute defines the origin of a route. This attribute marks the paths of a BGP route. The origin attribute uses the following three types:

− IGP: This type has the highest priority. For example, the origin attribute for the routes that the network command generates is IGP.
− EGP: This type has the second highest priority. For example, the origin attribute for the routes that EGP generates is EGP.
− Incomplete: This type has the lowest priority. It indicates that the route origin cannot be determined. An example is the routes imported by BGP.

• AS-Path

The AS-Path attribute records, in order, all the ASs that a route passes through from the local area to the destination. When BGP advertises a route to other ASs, it adds the local AS number at the beginning of the AS-Path list. From the AS-Path attribute, the BGP router that receives this route learns which ASs the route passes through before it reaches the destination. The number of the adjacent AS nearest to the local AS is at the top of the list, and the other AS numbers follow in order of increasing distance from the local AS, as shown in the following figure.

Figure 8-6 AS-Path attribute (figure not reproduced; labels shown: 8.0.0.0 in AS10; D=8.0.0.0 (10) toward AS20 and AS40; D=8.0.0.0 (20,10) and D=8.0.0.0 (40,10); D=8.0.0.0 (30,20,10) from AS30; AS50)

If BGP needs to advertise the route 8.0.0.0 of AS10 to other ASs, it adds 10, the AS number of AS10, to the AS-Path list (10). When the route passes AS20, BGP adds 20, the AS number of AS20, at the left of the AS-Path list (20, 10). When the route passes AS30 and AS40, BGP follows the same process. After the AS50 router receives the route, it knows from the AS-Path list that there are two paths to AS10. One path is from AS30 and AS20 to AS10; the other path is from AS40 to AS10. The AS-Path attribute can avoid route loops. Usually, a BGP router does not accept routes containing its own AS number.

In the Secure Router 8000 Series implementation, you can configure the peer allow-as-loop command to allow repetitive AS numbers. Use the AS-Path attribute to select and filter routes. When all other factors are the same, BGP selects the route with the shortest AS-Path. For example, in Figure 8-6, the BGP router in AS50 selects the route that passes AS40 as the optimum route to the destination 8.0.0.0. In some applications, you can lengthen the AS-Path by using routing policies to control the route selection. After you configure an AS-Path list, you can filter routes based on the AS numbers contained in the AS-Path attribute.

NOTE

An IBGP router advertises routes to its peers without changing the AS-Path attribute.

• Next_Hop

The Next_Hop attribute of BGP is different from that of IGP. The next hop may not be the IP address of the neighbor. As shown in Figure 8-7, when the BGP speaker advertises a route to EBGP peers, it sets the next hop to the address of the local interface that connects with the peer. When the BGP speaker advertises this route to IBGP peers, it does not change the Next_Hop attribute. You can configure BGP to change the next hop when it advertises routes to IBGP peers.

Figure 8-7 Next_Hop attribute (figure not reproduced; labels shown: AS100 with 8.0.0.0 and interfaces 1.1.1.1/24 and 1.1.2.1/24, AS200, AS300; EBGP: D=8.0.0.0, Next_Hop=1.1.1.1; EBGP: D=8.0.0.0, Next_Hop=1.1.2.1; IBGP: D=8.0.0.0, Next_Hop=1.1.2.1)

• Multi-Exit-Disc

The Multi-Exit-Disc (MED) attribute is exchanged only between two adjacent ASs. The AS that receives this attribute does not advertise it to any other ASs.

The MED attribute is equivalent to the metric of an IGP. MED determines the optimum route for the traffic that enters the AS. When a BGP router obtains multiple routes to the same destination address but with different next hops through EBGP peers, the route with the lowest MED attribute is the optimum route. The router considers the MED if all the other conditions are the same. As shown in the following figure, the traffic from AS10 to AS20 selects Router B as the ingress.

Figure 8-8 MED attribute (figure not reproduced; labels shown: RouterA in AS10; RouterB 2.1.1.1 with MED=0, RouterC 3.1.1.1 with MED=100, RouterD and 9.0.0.0 in AS20; EBGP: D=9.0.0.0, Next_Hop=2.1.1.1, MED=0 (selected); EBGP: D=9.0.0.0, Next_Hop=3.1.1.1, MED=100; IBGP links)

Usually, BGP only compares the MED attributes of the routes from the same AS.

In the Secure Router 8000 Series implementation, you can configure the compare-different-as-med command to force BGP to compare the MED attributes of the routes from different ASs.

• Local_Pref

The Local_Pref attribute is exchanged only between IBGP peers and is not advertised to other ASs. This attribute indicates the preference of the BGP router. The Local_Pref attribute determines the optimum route for the traffic that leaves the AS. After a BGP router obtains multiple routes to the same destination address but with different next hops through IBGP peers, it selects the route with the highest Local_Pref attribute. As shown in the following figure, the traffic from AS20 to AS10 selects Router C as the egress.

Figure 8-9 Local_Pref attribute (figure not reproduced; labels shown: 8.0.0.0 and RouterA in AS10; RouterB 2.1.1.1 with Local_Pref=100, RouterC 3.1.1.1 with Local_Pref=200, and RouterD in AS20; IBGP: D=8.0.0.0, Next_Hop=2.1.1.1, Local_Pref=100; IBGP: D=8.0.0.0, Next_Hop=3.1.1.1, Local_Pref=200 (selected); EBGP links)


• Community

The community attribute simplifies the application of routing policies. A community is a group of destination addresses that share the same attribute. The addresses have no physical boundary and they are independent of ASs. The following list identifies the well-known community attributes:

− Internet: By default, all routes belong to the Internet community. Routes with this attribute can be advertised to all BGP peers.
− No_Export: After a router receives a route with this attribute, it does not advertise the route outside the local AS. If a confederation exists, this route cannot be advertised outside the confederation, but it can be advertised to other subASs in the confederation. For details about confederations, see Issues in large-scale BGP networks.
− No_Advertise: After a router receives a route with this attribute, it does not advertise the route to other BGP peers.
− No_Export_Subconfed: After a router receives a route with this attribute, it does not advertise the route outside the local AS or to other subASs in the confederation.

8.1.4 Principles of route selection

Routing policies

In the Secure Router 8000 Series implementation, when there are multiple routes to the same destination, BGP selects routes based on the following policies:

1. BGP chooses the locally generated route with the lower preference value. The preference is the preference value of the various protocol routes, including direct routes and static routes, in the IP routing table. You can run the display ip routing-table command to view the preference in the IP routing table. The smaller the preference value is, the higher the preference. The route with the smallest preference value has the highest preference.

NOTE

The locally generated route refers to the routes imported by BGP using the import and network commands or the routes aggregated by using the aggregate and the summary automatic commands. Local routes are defined in contrast to the routes received from BGP neighbors.

2. If different protocol routes use the same preference value, the system chooses a protocol route in the following order: OSPF, Intermediate System-to-Intermediate System (IS-IS) Level-1, IS-IS Level-2, EBGP (includes BGP aggregated routes), static, RIP, OSPF (external routes), and IBGP routes.

NOTE

BGP prefers the direct routes because the minimum preference value of direct routes is 0.

3. BGP discards the routes with an unreachable next hop.
4. BGP selects the labeled IPv4 routes.
5. BGP selects the route with the greatest preferred value (PreVal).
6. BGP selects the route with the highest Local_Pref.
7. BGP selects the aggregated route. The preference of the aggregated routes is higher than that of the nonaggregated routes.
8. BGP selects the route with the shortest AS-Path.
9. BGP compares the Origin attributes and selects routes in the order of Origin IGP, EGP, and Incomplete.
10. BGP selects the route with the lowest MED.
11. BGP selects the route learned from EBGP. The preference of EBGP routes is higher than that of IBGP routes.
12. BGP selects the route with the lowest IGP metric within an AS. If you configure load balancing and multiple external routes with the same AS-Path exist, load balancing is performed according to the configured number of routes.
13. BGP selects the route with the shortest Cluster List.
14. BGP selects the route with the smallest originator_ID.
15. BGP selects the route advertised by the router with the smallest router ID.
16. BGP compares the IP addresses of the peers and selects the route that is learned from the peer with the smallest IP address.
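A model of the selection order listed above, as an added Python example (not the router's own code). It covers step 3 and steps 5 to 16; steps 1, 2 and 4 are left out because they concern routing-table preference values and labeled routes. The Route class, its field names and the peer addresses are hypothetical, and the sample routes are constructed from the situations in Figures 8-6, 8-8 and 8-9.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address

ORIGIN_RANK = {"IGP": 0, "EGP": 1, "Incomplete": 2}


@dataclass(frozen=True)
class Route:
    """One candidate BGP route to a destination (hypothetical model)."""
    name: str
    peer_ip: str
    router_id: str
    as_path: tuple = ()
    next_hop_reachable: bool = True
    pref_val: int = 0
    local_pref: int = 100
    aggregated: bool = False
    origin: str = "IGP"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0
    cluster_list: tuple = ()
    originator_id: str = "0.0.0.0"   # assumed value when the attribute is absent


# (step number on the page, sort key where the smallest value wins)
STEPS = [
    (5, lambda r: -r.pref_val),
    (6, lambda r: -r.local_pref),
    (7, lambda r: not r.aggregated),
    (8, lambda r: len(r.as_path)),
    (9, lambda r: ORIGIN_RANK[r.origin]),
    (10, None),                       # MED needs per-neighbour-AS handling
    (11, lambda r: not r.ebgp),
    (12, lambda r: r.igp_metric),
    (13, lambda r: len(r.cluster_list)),
    (14, lambda r: int(IPv4Address(r.originator_id))),
    (15, lambda r: int(IPv4Address(r.router_id))),
    (16, lambda r: int(IPv4Address(r.peer_ip))),
]


def _neighbor_as(route):
    return route.as_path[0] if route.as_path else None


def _med_filter(routes, compare_different_as_med):
    """Drop a route only if a rival it may be compared with has a lower MED."""
    kept = []
    for r in routes:
        rivals = [o for o in routes
                  if compare_different_as_med or _neighbor_as(o) == _neighbor_as(r)]
        if r.med == min(o.med for o in rivals):
            kept.append(r)
    return kept


def select_best(routes, compare_different_as_med=False):
    """Return (best route, number of the last step that removed a candidate)."""
    candidates = [r for r in routes if r.next_hop_reachable]    # step 3
    if not candidates:
        return None, 3
    decided = 3 if len(candidates) < len(routes) else None
    for step, key in STEPS:
        if len(candidates) == 1:
            break
        if key is None:
            kept = _med_filter(candidates, compare_different_as_med)
        else:
            best = min(key(r) for r in candidates)
            kept = [r for r in candidates if key(r) == best]
        if len(kept) < len(candidates):
            decided = step
        candidates = kept
    return candidates[0], decided


if __name__ == "__main__":
    # Figure 8-6 seen from AS50: AS-Path (30,20,10) against (40,10).
    via30 = Route("via AS30", "10.0.0.1", "10.0.0.1", as_path=(30, 20, 10))
    via40 = Route("via AS40", "10.0.0.2", "10.0.0.2", as_path=(40, 10))
    best, step = select_best([via30, via40])
    print(best.name, "decided at step", step)
```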

Routing policies for load balancing applications

In BGP, the next-hop address of a generated route may not be the address of the peer that connects directly with the local router. A common reason is that the next hop does not change when routing information is advertised between IBGP routers. In this situation, the router must first find a directly reachable address to forward the packet. The packet can then reach the next hop that the routing table specifies. In this process, the route to the directly reachable address is the dependent route. BGP routers depend on this route to guide packet forwarding. The process of finding the dependent route based on the next-hop address is route iteration.

The Secure Router 8000 Series supports BGP load balancing based on iteration. If you configure the dependent route for load balancing, and three next-hop addresses exist, BGP generates the same number of next-hop addresses to guide packet forwarding. The Secure Router 8000 Series always enables this feature; you do not need to configure it.

BGP load balancing differs from IGP load balancing in the following ways:

• For different routes to the same destination address, IGP calculates the route metric based on its own routing algorithm. Load balancing is performed on the routes with the same metric.
• BGP does not use its own routing algorithm, so it cannot decide whether to perform load balancing on routes based on explicit metrics. BGP has many route attributes, which have different priorities in the route selection policy. BGP load balancing is one part of the route selection policy. BGP performs load balancing, up to the configured maximum number of load-balancing routes, only when all the attributes with higher priority are the same for the routes.

NOTE

• BGP performs load balancing only on the routes with the same AS-Path attribute.
• You can apply BGP load balancing to the ASs inside the confederation.

Routing policies for route advertisement

In the Secure Router 8000 Series implementation, BGP advertises routes based on the following policies:

• When there are multiple valid routes, the BGP speaker only advertises the optimum route to its peer.
• The BGP speaker sends only the routes that it uses to its peer.


• The BGP speaker advertises the routes it obtains from EBGP to all of its BGP peers (including EBGP peers and IBGP peers).
• The BGP speaker does not advertise the routes it obtains from IBGP to its IBGP peers.
• The BGP speaker advertises the routes it obtains from IBGP to its EBGP peers (when BGP and IGP are not synchronous).
• After a connection is established, the BGP speaker advertises all of its BGP routes to the new peer.

8.1.5 IBGP and IGP synchronization

The synchronization of IBGP and IGP prevents routers in external ASs from being misled. If a non-BGP router in an AS provides forwarding services, IP packets that this AS forwards can be discarded because the destination address is unreachable. As shown in Figure 8-10, Router E learns the route 8.0.0.0/8 of Router A from Router D through BGP, and then forwards a packet destined for that network to Router D. Router D queries the routing table and finds that the next hop is Router B. Because Router D learns the route to Router B through IGP, Router D forwards the packet to Router C based on route iteration. Router C, however, does not know the route to 8.0.0.0/8 and so it discards the packet.

Figure 8-10 IBGP and IGP synchronization (figure not reproduced; labels shown: 8.0.0.0/8, RouterA, RouterB, RouterC, RouterD, RouterE, AS10, AS20, AS30, with EBGP, IBGP and IGP links)

If you configure the synchronization feature, the router checks the IGP routing table before it adds the IBGP route to the routing table and advertises it to the EBGP peers. When IGP knows this IBGP route, the router adds the IBGP route to the routing table and advertises it to the EBGP peers. You can disable the synchronization feature in the following situations:

z The local AS is not a transitive AS (The AS20 in Figure 8-10 is a transitive AS). z All routers in the local AS establish an IBGP full connection. 8.1.6 Issues in large-scale BGP networks

Route aggregation

In a large network, the BGP routing table is large. You can use route aggregation to reduce the size of the routing table. Route aggregation can aggregate multiple routes. BGP only advertises the aggregated route to its peers, rather than all the specific routes.


The Secure Router 8000 Series supports automatic aggregation and manual aggregation. The latter can also control the attribute of the aggregated route and determine whether to advertise the specific routes.

Route dampening

Route dampening solves the problem of unstable routes or route flapping. Route flapping occurs when a route is inconsistently present in the routing table. When route flapping occurs, the routing protocol sends an update packet to its neighbors. The routers that receive the update packet recalculate routes and modify the routing tables. Frequent route flapping consumes a lot of bandwidth and CPU resources, which affects the normal operation of the network.

In most cases, BGP applies to complex network environments and the routes change frequently. To avoid the impact of frequent route flapping, BGP uses route dampening to suppress unstable routes.

Route dampening measures the stability of a route by using a penalty value. The higher the penalty value is, the more unstable the route. After route flapping occurs once, BGP adds the penalty value, 1000, to this route. After the penalty value exceeds the suppression threshold, the route is suppressed. BGP does not add the route to the IP routing table nor does it advertise update packets to other BGP peers.

The penalty value of the suppressed route decreases to half after a period of time. This period is the half life. When the penalty value decreases to the recovery threshold, the route is reusable and BGP adds it to the IP routing table. BGP also advertises update packets to other BGP peers.

Figure 8-11 BGP route dampening

[Figure: plot of the punishment (penalty) value against time, showing the suppression threshold, the recovery threshold, the suppression time and the half-life]
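The penalty mechanism described above can be modelled in a few lines. The following Python sketch is an added example, not code from this guide or from the router software; it uses the penalty of 1000 per flap stated in the text. The half-life (900 seconds), suppression threshold (2000), recovery threshold (750) and penalty ceiling (16000) are assumed values chosen for illustration.

```python
import math

PENALTY_PER_FLAP = 1000.0  # value stated in the text


class DampenedRoute:
    """Penalty bookkeeping for one route. Times are seconds and must not go backwards."""

    def __init__(self, half_life=900.0, suppress=2000.0, reuse=750.0, ceiling=16000.0):
        # All four defaults are assumed values for illustration, not the router's defaults.
        self.half_life = half_life
        self.suppress = suppress    # suppression threshold
        self.reuse = reuse          # recovery threshold
        self.ceiling = ceiling      # upper limit of the penalty
        self.penalty = 0.0
        self.updated = 0.0
        self.suppressed = False

    def penalty_at(self, now):
        """Penalty after exponential decay: it halves once per half-life."""
        return self.penalty * 0.5 ** ((now - self.updated) / self.half_life)

    def _advance(self, now):
        self.penalty = self.penalty_at(now)
        self.updated = now
        # The route becomes reusable once the penalty has decayed to the recovery threshold.
        if self.suppressed and self.penalty <= self.reuse:
            self.suppressed = False

    def flap(self, now):
        """Record one flap at time `now`; return True if the route is now suppressed."""
        self._advance(now)
        self.penalty = min(self.penalty + PENALTY_PER_FLAP, self.ceiling)
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.suppressed

    def usable(self, now):
        """True if the route may be installed and advertised at time `now`."""
        self._advance(now)
        return not self.suppressed

    def seconds_until_reuse(self):
        """Time the current penalty needs to decay to the recovery threshold."""
        if not self.suppressed:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


def replay(flap_times, **params):
    """Feed a list of flap timestamps to a route; return the route and a timeline."""
    route = DampenedRoute(**params)
    timeline = []
    for t in flap_times:
        suppressed = route.flap(t)
        timeline.append((t, round(route.penalty, 1), suppressed))
    return route, timeline


if __name__ == "__main__":
    # Constructed input: three flaps one minute apart.
    route, timeline = replay([0, 60, 120])
    for t, penalty, suppressed in timeline:
        print(f"t={t:>4}s penalty={penalty:>7} suppressed={suppressed}")
    print(f"reusable again in about {route.seconds_until_reuse():.0f}s")
```

With these assumed thresholds two flaps are tolerated and the third one suppresses the route; the suppression time then depends only on the half-life and on how far the penalty is above the recovery threshold.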


Peer group

A peer group is a group of peers with the same attribute. When you add a peer to the peer group, the peer configuration is the same as the group. The configuration of the peers in the group also changes when the configuration of the peer group changes.

In a large-sized BGP network, many peers exist and most of them use the same policies. The configuration involves repetitive commands. In most cases, you can simplify the configurations by using the peer group. Add peers to a peer group to improve the efficiency of route advertisement.

Community

Peer groups allow only a group of peers to share the same policy, while a community allows a group of BGP routers in multiple ASs to share the same policy. The community is a route attribute. The attribute transmits between BGP peers regardless of the ASs.

Before a BGP router advertises the route with the community attribute to peers, it can change all the community attributes of this route.

In addition to using the public community attribute, you can define the extended community attribute using the community attribute list to control routing policies more flexibly.

Route reflector

To ensure connectivity among IBGP peers, you must establish a full connection between IBGP peers. If n routers exist inside an AS, then you must establish n(n-1)/2 IBGP connections. When a lot of IBGP peers exist, packet exchange between the peers consumes many network and CPU resources.

Route reflection solves this problem. In an AS, one router serves as the route reflector (RR) and the other routers serve as the clients. The clients establish IBGP connections with the RR. The RR transmits (reflects) routing information among clients, and the clients do not establish BGP connections with each other.

A BGP router which is neither the RR nor a client is a nonclient. A nonclient must establish a full connection with the RR and all other nonclients, as shown in the following figure.

Figure 8-12 Route reflector

[Figure: AS65000 containing a route reflector, its clients grouped in a cluster, and nonclients, connected by IBGP sessions]


The route reflector and its clients constitute a cluster. Within an AS, each route reflector uses only one CLUSTER_ID as identification. To prevent a routing loop, the route reflector uses a CLUSTER_LIST to record all the CLUSTER_IDs that a reflected route passes through.

• When the RR reflects the route between its clients or between its client and nonclient, the RR adds the local CLUSTER_ID before the CLUSTER_LIST. If the CLUSTER_LIST is null, the RR creates one.
• When the RR receives an updated route, it checks the CLUSTER_LIST. If a local CLUSTER_ID exists in the CLUSTER_LIST, the route is discarded; if not, the local CLUSTER_ID is added to the CLUSTER_LIST and the updated route is reflected.

You can configure multiple route reflectors in a cluster to enhance the network reliability and prevent a single point of failure.

NOTE

Only the RR uses the CLUSTER_LIST to check for a routing loop. The client and nonclient do not check the CLUSTER_LIST.

In certain networks, the clients of a route reflector establish a full connection and they can exchange routing information with each other directly. The route reflection between clients is unnecessary and occupies bandwidth resources. The Secure Router 8000 Series supports disabling route reflection between clients. After you disable the route reflection between clients, the route between the client and nonclient can still be reflected.
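The CLUSTER_LIST check and the reflection rules above, as an added Python example that is not part of this guide or the router software. The router names, the CLUSTER_ID values and the ring of three reflectors are constructed for illustration; peers that are not listed as clients are treated as nonclients.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    cluster_list: Tuple[str, ...] = ()   # most recently added CLUSTER_ID first


@dataclass
class Reflector:
    cluster_id: str
    clients: Set[str] = field(default_factory=set)
    nonclients: Set[str] = field(default_factory=set)
    reflect_between_clients: bool = True

    def accepts(self, route: Route) -> bool:
        """Loop check: discard a route that already carries the local CLUSTER_ID."""
        return self.cluster_id not in route.cluster_list

    def reflect(self, route: Route, learned_from: str) -> Dict[str, Route]:
        """Return the copies to send, keyed by peer, with the local CLUSTER_ID prepended."""
        if learned_from in self.clients:
            # From a client: to nonclients, and to other clients unless disabled.
            targets = set(self.nonclients)
            if self.reflect_between_clients:
                targets |= self.clients
        else:
            # From a nonclient: to clients only.
            targets = set(self.clients)
        targets.discard(learned_from)
        copy = Route(route.prefix, (self.cluster_id,) + route.cluster_list)
        return {peer: copy for peer in sorted(targets)}


def propagate(reflectors: Dict[str, Reflector], first: str, route: Route,
              learned_from: str, max_events: int = 50) -> List[tuple]:
    """Follow a route hop by hop; return (router, action, CLUSTER_LIST on arrival)."""
    events = []
    queue = [(first, route, learned_from)]
    while queue and len(events) < max_events:
        name, rt, src = queue.pop(0)
        rr = reflectors.get(name)
        if rr is None:
            # Ordinary client or nonclient: it does not check the CLUSTER_LIST.
            events.append((name, "installed", rt.cluster_list))
        elif not rr.accepts(rt):
            events.append((name, "discarded", rt.cluster_list))
        else:
            events.append((name, "reflected", rt.cluster_list))
            queue.extend((peer, copy, name) for peer, copy in rr.reflect(rt, src).items())
    return events


def build_ring() -> Dict[str, Reflector]:
    """Constructed topology: three reflectors, each a client of the previous one."""
    return {
        "RR-A": Reflector("10.0.0.1", clients={"RR-B"}, nonclients={"edge", "RR-C"}),
        "RR-B": Reflector("10.0.0.2", clients={"RR-C"}, nonclients={"RR-A"}),
        "RR-C": Reflector("10.0.0.3", clients={"RR-A"}, nonclients={"RR-B"}),
    }


if __name__ == "__main__":
    for event in propagate(build_ring(), "RR-A", Route("192.0.2.0/24"), "edge"):
        print(event)
```

In the ring the route returns to RR-A carrying RR-A's own CLUSTER_ID and is discarded there, which is the loop the CLUSTER_LIST exists to stop.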

Confederation

The confederation is another method to handle too many IBGP connections in an AS. The confederation divides an AS into several sub-ASs. A full connection is established among the IBGP peers in each sub-AS, and EBGP connections are established among the sub-ASs, as shown in the following figure.

Figure 8-13 Confederation

[Figure: AS100, the confederation AS200 and its sub-ASs AS65001, AS65002 and AS65003, connected by EBGP and IBGP sessions]

For BGP speakers outside the confederation, the sub-ASs in the same confederation are integral. The outside does not need to know the situations of the internal sub-ASs. The confederation ID is the AS number that identifies the whole confederation. For example, the AS200 in the preceding figure is the confederation ID.

The confederation has some disadvantages. You must configure the routers after the nonconfederation networking plan shifts to the confederation plan. You must change the logical topology.

In a large-sized BGP network, you can use the route reflector and the confederation at the same time.

8.1.7 MP-BGP

Introduction to MP-BGP

The traditional BGP-4 manages only the IPv4 routing information. Inter-AS transmission is therefore limited for applications that use other network layer protocols, for example, IPv6.

To support multiple network layer protocols, the Internet Engineering Task Force (IETF) extends BGP-4 to form Multiprotocol BGP (MP-BGP). The current MP-BGP standard is RFC 2858 (Multiprotocol Extensions for BGP-4).

MP-BGP is backward compatible. Routers that support BGP extensions can communicate with the routers that do not support BGP extensions.

Extended attributes of MP-BGP

Update packets carry three IPv4 related attributes: NLRI, Next_Hop, and the Aggregator in the path attribute. The Aggregator contains the IP address of the BGP speaker after route aggregation.

To support multiple network layer protocols, BGP-4 must reflect the network layer protocol information to NLRI and Next_Hop. MP-BGP introduces two path attributes:

• MP_REACH_NLRI (Multiprotocol Reachable NLRI) advertises the reachable routes and the next hop information.
• MP_UNREACH_NLRI (Multiprotocol Unreachable NLRI) withdraws the unreachable routes.

Both of the attributes are optional nontransitive. The BGP speakers that do not provide the multiprotocol capability ignore the information of the two attributes and do not advertise them to other neighbors.

Address family

BGP uses the address family to distinguish different network layer protocols. See RFC 1700 Assigned Numbers for the values of the address family. The Secure Router 8000 Series implements multiple MP-BGP extension applications, including extending the virtual private network (VPN) and IPv6. Configure different extension applications in each address family view.


NOTE

This chapter does not provide details for the commands of specific applications in the MP-BGP address family view. For more information about the configuration of the BGP IPv6 address family, see BGP4+ Configuration. For more information about the application of MP-BGP in multicast, see MBGP Configuration. For more information about the configuration of the BGP VPNv4 address family, BGP VPN instance address family, and BGP L2VPN address family, see Nortel Secure Router 8000 Series Configuration Guide - VPN (NN46240-507).

8.1.8 BGP GR

The restarting of BGP causes reestablishment of peer relationships and the interruption of forwarding. Enable the GR function to avoid traffic interruption. When the system performs GR, it requires the following roles:

• GR restarter: This role refers to the restarting router that you or a fault triggers. The router must be a GR capable router. That is, you enable BGP with the GR function.
• GR helper: This role refers to the neighbor of the GR restarter or a GR aware router. That is, the GR helper is not GR capable but can identify the GR capability field of the neighbor so it can help the GR restarter perform GR.

To establish the BGP session with the BGP peer, the GR restarter that runs BGP must first send an OPEN message to the BGP peer. The OPEN message carries the GR capability.

After it receives the OPEN message, the BGP peer learns that the GR restarter has the GR capability and uses the OPEN message to exchange the GR capability. In this process, the GR session is established between the GR restarter and the BGP peer after negotiation. If the GR capability is not exchanged, the BGP session that is established does not have the GR capability.

If the router loses entries of the BGP session when BGP restarts or when the neighbor relationship is re-established, the GR aware BGP peer labels all the routes related to the GR restarter invalid. During the GR time, packets can still be forwarded according to the routes. This process ensures that no packet is discarded when the new active main board (AMB) recollects routes from the BGP peer.

After BGP restarts, the following actions occur:

• The GR restarter resets the GR session with the BGP peer and sends new GR messages. This action indicates that the GR restarter has restarted.
• The two BGP peers exchange routing information.
• The GR restarter updates the routing table and the forwarding table to replace invalid routes based on the new forwarding information. In this way, the BGP convergence is complete.

The GR unaware router ignores the GR capability of the OPEN message and maintains the BGP session with the GR restarter. This BGP session does not have the GR capability.

8.1.9 References

For more information about BGP, see the following RFC documents.

Document number    Description
RFC 1771           A Border Gateway Protocol 4 (BGP-4)
RFC 2858           Multiprotocol Extensions for BGP-4
RFC 3392           Capabilities Advertisement with BGP-4
RFC 2918           Route Refresh Capability for BGP-4
RFC 2439           BGP Route Flap Damping
RFC 1997           BGP Communities Attribute
RFC 2796           BGP Route Reflection
RFC 3065           Autonomous System Confederations for BGP

The features of Graceful Restart and the extended community attribute are still in the draft phase of RFC.

8.2 Configuring basic BGP functions

NOTE

• BGP and MP-BGP use no strict distinctions in this section. For suitable conditions of the command, see the related view.
• For configuration convenience, the commands in the BGP-IPv4 unicast address family view can be used in the BGP view. The commands, however, are still in the BGP-IPv4 unicast address family view in the configuration files.

8.2.1 Establishing the configuration task

Applicable environment

This section describes the fundamental BGP network configurations. Because the BGP uses the TCP connections, you must specify the IP address of the peer when you configure the BGP. The BGP peer need not be the adjacent router. You can create the BGP peer relationship using logical links. Use the loopback interface addresses for these connections to enhance the stability of the BGP connections.

Preconfiguration tasks

Before you configure basic BGP functions, ensure the network layers of the adjacent nodes are reachable.

Data preparation

To configure basic BGP functions, you need the following data.

No.  Data
1    The local AS number and the router ID
2    The IPv4 address of the peer and the AS number
3    The interface that originates the update packet

Configuration procedures

No.  Procedure
1    Configuring basic BGP functions
2    (Optional) Configure BGP to advertise the local routes
3    (Optional) Configuring the local interfaces used for BGP connections
4    (Optional) Configuring the maximum number of hops in EBGP connections
5    (Optional) Entering BGP extended address family view
6    Checking the configuration

8.2.2 Configuring basic BGP functions

Do as follows on the router on which you must establish the BGP connection:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

bgp as-number

This command enables the BGP and the BGP view appears.

Step 3 Run:

router-id ip-address

This command configures the router ID. If you configure or change the router ID of BGP, it leads to the resetting of the BGP peer relationship between routers.

This command is optional. To enhance the network reliability, you can configure the address of the loopback interface as the router ID manually. If you do not configure the router ID, BGP chooses the Router ID in the system view as the Router ID. For the selection of Router ID in the system view, see Nortel Secure Router 8000 Series Commands Reference (NN46240-500).

Step 4 Run:

peer ip-address as-number as-number


This command specifies the IP address and the AS number of the specific BGP peers. The IP address of the specific peer can be either the IP address of the direct peer or that of the loopback interface of the reachable peer.

Step 5 Run:

peer { ip-address | group-name } description description-text

This command configures the description of the peers or the peer group. The command is optional. Configure the descriptions for easy management.

----End

8.2.3 (Optional) Configure BGP to advertise the local routes

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

bgp as-number

The BGP view appears.

Step 3 Run:

ipv4-family unicast

The BGP IPv4 unicast address family view appears. The command is optional. By default, the command runs in the unicast address family view.

Step 4 Run:

network ip-address [ mask | mask-length ] [ route-policy route-policy-name ]

This command configures the BGP to advertise the local routes. The local IP routing table must contain the local routes to advertise. You can use routing policies to control the routes to advertise.

----End

8.2.4 (Optional) Configuring the local interfaces used for BGP connections

Do as follows on the BGP router:

Step 1 Run:

system-view

The system view appears.


Step 2 Run:

bgp as-number

The BGP view appears.

Step 3 Run:

peer { ip-address | group-name } connect-interface interface-type interface-number

This command configures the local interfaces used for the BGP connections. By default, the BGP uses the physical interface that directly connects with the peer as the local interface for the TCP connections. To make the BGP connections more reliable and stable, you can configure the local interface of the BGP connections as the loopback interface. In this way, when there are redundant links in the network, the BGP connections do not break due to the failure of a certain interface or a link.

----End

NOTE

When you establish many peers between two routers through multiple links, run the peer connect-interface command to specify the interface through which the BGP connection establishes.

8.2.5 (Optional) Configuring the maximum number of hops in EBGP connections

Do as follows on the related router according to requirements:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

bgp as-number

The BGP view appears.

Step 3 Run:

peer { ip-address | group-name } ebgp-max-hop [ number ]

This command configures the maximum number of hops in the EBGP connections. A direct physical link must be available between the EBGP peers. If a direct link is not available, you can use the peer ebgp-max-hop command to configure the EBGP peers to establish the TCP connections through multiple hops.

----End


8.2.6 (Optional) Entering BGP extended address family view

Entering the IPv4 unicast address family view

Do as follows on the BGP router:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

bgp as-number

The BGP view appears.

Step 3 Run:

ipv4-family unicast

The IPv4 unicast address family view appears.

----End

Entering the L2VPN address family view

Do as follows on the BGP router:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

bgp as-number

The BGP view appears.

Step 3 Run:

l2vpn-family

The L2VPN address family view appears.

----End

Entering the VPLS address family view

Do as follows on the BGP router:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:


bgp as-number

The BGP view appears.

Step 3 Run:

vpls-family

The VPLS address family view appears.

----End

Entering the VPNv4 address family view

Do as follows on the BGP router:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

bgp as-number

The BGP view appears.

Step 3 Run:

ipv4-family vpnv4 [ unicast ]

The VPNv4 address family view appears.

----End

Entering the BGP-VPN instance view

Do as follows on the BGP router:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

bgp as-number

The BGP view appears.

Step 3 Run:

ipv4-family vpn-instance vpn-instance-name

The BGP-VPN instance view appears.

----End


Entering the IPv6 address family view

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

bgp as-number

The BGP view appears.

Step 3 Run:

ipv6-family

The IPv6 address family view appears.

----End

If you want to configure the IPv6 application, the BGP Multiprotocol Label Switching (MPLS) VPN application, or the MPLS L2 VPN application in the Kompella mode by using the BGP extended feature, enable the BGP first. Then, you can enter the corresponding extended address family view for the related configurations.

NOTE

Most commands in the BGP extended address family view are the same as those in the BGP view. The commands you configure in the extended address family view, however, are valid only in the related applications.

8.2.7 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action                                         Command
Check the information about the route          display bgp network
BGP advertises.
Check the information about the BGP peers.     display bgp peer [ verbose ]
                                               display bgp peer ip-address { log-info | verbose }
                                               display bgp peer group-name log-info
Check the information about the BGP            display bgp routing-table [ network ] [ mask | mask-length ] [ longer-prefixes ]
routing table.
Check the routing information of the           display bgp routing-table regular-expression as-regular-expression
regular expression matched with the AS.


For the use of the regular expression, refer to chapter "Command Line Introduction" of the VRP Configuration Guide Basic Configuration.

Run the display bgp peer command. If the neighbor relationship between peers is in the Established state, then the BGP neighbor relationship is correctly set up.

display bgp peer

 BGP local router ID : 3.3.3.3
 Local AS number : 200
 Total number of peers : 1                 Peers in established state : 1

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State PrefRcv

  3.3.3.1         4   200        2        2     0 00:00:15 Established       0

8.3 Controlling the advertising and receiving of routing information

8.3.1 Establishing the configuration task

Applicable environment

• Importing external routes
The BGP can send the internal routing information to its neighboring ASs. The BGP does not find the internal routing information by itself. Instead, it imports the IGP routing information to the BGP routing table and advertises it to the peers. When BGP imports the IGP routes, it filters the routing information for different routing protocols.

• BGP route aggregation
In medium or large-sized BGP networks, you must configure the route aggregation when the routing information is advertised to the peers. This configuration reduces the size of the routing table. The BGP supports two aggregation modes: automatic aggregation and manual aggregation.

• Related access list
The BGP uses two private access lists: the AS-Path filter and the community filter. These lists display the running status of the BGP and the routing policies. The AS-Path filter matches the AS-Path attribute in the BGP routing information and filters out the routing information that does not match the conditions. You can define multiple rules (permit or deny) for the same filter number. The community filter identifies the community information. The community uses two types: the standard community access list and the extended community access list.

• Related routing policies
The routing policy matches the routing information or some attributes of routing information, and changes these attributes when certain conditions are met. The matching conditions can be the filtering lists discussed previously.


A routing policy can have multiple nodes. Each node divides into the following clauses:

− if-match clause: This clause defines the matching rules. When the routing information meets the filtering conditions of the current route-policy, the matching objects are some attributes of the routing information.
− apply clause: This clause specifies actions, which are the configuration commands run after a route satisfies the filtering conditions that the if-match clauses specify. The apply clause can change some attributes of the route.

• Controlling the routing information received
The BGP can filter the global routing information that it receives. In addition, BGP can filter or perform routing policies on only the routing information it receives from a certain peer (or a peer group).

• Controlling the routing information advertised
The BGP can filter or perform routing policies on only the routing information advertised by a certain peer (or a peer group).

• BGP dampening
The BGP dampening can suppress unstable routing information. BGP does not add this information to the routing table or advertise it to other BGP peers.

Preconfiguration tasks

Before you control the receipt and advertisement of the BGP routing information, complete the procedures in Configuring basic BGP functions.

Data preparation

To control the receipt and advertisement of the BGP routing information, you need the following data.

No.  Data
1    The aggregation mode and the route aggregated
2    The access list number
3    The name of the routing policy, the sequence number of node, and the matching condition
4    The filtering direction (advertising or receiving) and the name of the routing policy
5    Various parameters of dampening, including half-life of a reachable route, half-life of an
     unreachable route, threshold for freeing the suppressed routes, threshold for suppressing
     routes, and upper limit of the penalty

Configuration procedures

No.  Procedure
1    Configuring BGP to import IGP routes
2    Configuring BGP to filter the imported routes
3    Configuring BGP route aggregation
4    Configuring a router to advertise default routes to its peer
5    Configuring related access lists
6    Configuring related routing policies
7    Configuring the policies for receiving BGP routing information
8    Configuring BGP route dampening
9    Checking the configuration

8.3.2 Configuring BGP to import IGP routes

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

bgp as-number

The BGP view appears.

Step 3 Run:

ipv4-family unicast

The BGP IPv4 unicast address family view appears.

Step 4 Run:

default-route imported

This command configures the BGP to import default routes. If you do not use the default-route imported command, the default routes are not imported when you run the import-route command to import routes of other protocols.

Step 5 Run:

import-route protocol [ process-id ] [ med med | route-policy route-policy-name ]

The BGP is configured to import the routes of other protocols.

When the type of an imported route is IS-IS, OSPF, or RIP, you must specify the process ID.

----End


8.3.3 Configuring BGP to filter the imported routes

Do as follows on the BGP router:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

bgp as-number

The BGP view appears.

Step 3 Run:

ipv4-family unicast

The BGP IPv4 unicast address family view appears.

Step 4 Run:

filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol [ process-id ] ]

This command filters imported routing information. After the BGP filters the imported routing information, the router adds only the routing information that meets certain conditions to the local BGP routing table and advertises it to BGP peers. If you specify the parameter protocol, you can filter the routing information of a specific routing protocol. If you do not specify the protocol, all the routing information to advertise is filtered, including the routes imported and the local routes advertised by using the network command.

NOTE

If you use an access control list (ACL) in the filter-policy command and do not specify a VPN instance in the ACL filtering rules, the BGP filters the routing information in all the address families, including the routing information of both the public network and the private network. If you do specify a VPN instance, the BGP filters the data traffic from this VPN instance rather than the routing information.

----End

8.3.4 Configuring BGP route aggregation

The following are two modes of the BGP route aggregation:

• Automatic aggregation: This mode aggregates the imported IGP subnet routes. After you configure this mode, BGP aggregates routes according to the natural network segment and sends the aggregated routes only to peers. For example, the 10.1.1.1/24 and 10.2.1.1/24 are aggregated as the 10.0.0.0/8, which is a Class A address.
• Manual aggregation: This mode aggregates the routes in the local BGP routing table. Generally, the preference of the manual aggregation is higher than that of the automatic aggregation.
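Automatic aggregation to the natural network segment can advertise far more address space than the contributing subnets cover, which matters when the rest of that space belongs to someone else. The following Python sketch is an added example, not the router's implementation; the function names are hypothetical, and the first sample set is the one used in the text.

```python
import ipaddress
from collections import defaultdict


def natural_network(prefix):
    """Return the classful (natural) network that contains an IPv4 prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    first_octet = int(net.network_address) >> 24
    if first_octet < 128:
        natural_len = 8       # Class A
    elif first_octet < 192:
        natural_len = 16      # Class B
    elif first_octet < 224:
        natural_len = 24      # Class C
    else:
        raise ValueError(f"{prefix} has no natural mask (Class D or E)")
    if net.prefixlen <= natural_len:
        return net            # already as short as the natural mask, nothing to summarize
    return net.supernet(new_prefix=natural_len)


def automatic_summary(prefixes):
    """Group subnet routes under the natural network they would be summarized to."""
    groups = defaultdict(list)
    for prefix in prefixes:
        groups[natural_network(prefix)].append(ipaddress.ip_network(prefix, strict=False))
    return dict(groups)


def summary_report(prefixes):
    """List (summary, addresses advertised but not covered by any contributing subnet)."""
    report = []
    for summary, members in automatic_summary(prefixes).items():
        covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(members))
        report.append((str(summary), summary.num_addresses - covered))
    return report


if __name__ == "__main__":
    # Sample from the text, followed by two constructed prefixes.
    for summary, extra in summary_report(["10.1.1.1/24", "10.2.1.1/24"]):
        print(f"{summary} advertises {extra} addresses beyond the imported subnets")
    print(summary_report(["172.16.5.0/24", "192.0.2.0/25"]))
```

Manual aggregation with an explicit mask length lets the advertised summary stay within the address space the AS actually holds.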

Configuring the automatic summary

Do as follows on the BGP router:


Step 1 Run:

system-view

The system view appears.

Step 2 Run:

bgp as-number

The BGP view appears.

Step 3 Run:

ipv4-family unicast

The BGP IPv4 view appears.

Step 4 Run:

summary automatic

This command configures the automatic aggregation of the subnet routes. Use this command to aggregate the routes imported by BGP. These routes can be direct routes, static routes, RIP routes, OSPF routes, or IS-IS routes but the command is invalid for the routes imported by using the network command.

----End

Configuring the manual aggregation

Do as follows on the BGP router:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

bgp as-number

The BGP view appears.

Step 3 Run:

ipv4-family unicast

The BGP IPv4 unicast address family view appears.

Step 4 Run:

aggregate ip-address { mask | mask-length } [ as-set | attribute-policy route-policy-name1 | detail-suppressed | origin-policy route-policy-name2 | suppress-policy route-policy-name3 ] *

This command configures the manual route aggregation. Manual aggregation is valid for the entries in the local BGP routing table. For example, 10.1.1.1/24 does not exist in the BGP routing table. Even though the aggregate 10.1.1.1 16 command aggregates routes, BGP does not advertise the aggregated route.


----End

You can apply multiple policies and configure the route attributes through manual aggregation.

8.3.5 Configuring a router to advertise default routes to its peer

Do as follows on the BGP router:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

bgp as-number

The BGP view appears.

Step 3 Run:

ipv4-family unicast

The BGP IPv4 unicast address family view appears.

Step 4 Run:

peer { group-name | ipv4-address } default-route-advertise [ route-policy route-policy-name ] [ conditional-route-match-all ipv4-address1 { mask1 | mask-length1 } &<1-4> | conditional-route-match-any ipv4-address2 { mask2 | mask-length2 } &<1-4> ]

This command sends the default route to the peer or peer group.

NOTE

After you use the peer default-route-advertise command, the router sends a default route with the local address as the next hop to the specified peer, regardless of whether there are default routes in the routing table.

----End

8.3.6 Configuring related access lists

Configuring the AS-Path filter

Do as follows on the BGP router:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

ip as-path-filter as-path-filter-number { permit | deny } regular-expression

This command configures the AS-path filter.


When the routing policy applies to the BGP routes, use the peer as-path-filter command to filter the routes that do not meet requirements according to the AS-Path filter.

----End

AS-Path filter defines the matching rules with the regular expression. The regular expression is composed of the following two parts:

• Meta character, which defines the matching rule.
• General character, which defines the matching object.

For example, ^10 matches only an AS-Path attribute that begins with the characters 10. ^ indicates matching the beginning of a character string.

For the same filter, you can define multiple filtering rules (permit or deny). During the matching, these rules are in OR relation. That is, when the routing information passes one of these rules, it passes through this AS-Path filter.

NOTE

For more information about regular expressions, see Nortel Secure Router 8000 Series Configuration Guide - Basic Configurations (NN46240-501).
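The anchoring behaviour of ^10 described above, modelled in Python as an added example (not code from the Nortel documentation). It assumes the AS-Path is matched as a space-separated string of AS numbers, that rules are evaluated in configured order with the first match deciding, and that a route matching no rule does not pass; Python's re syntax stands in for the router's regular-expression syntax.

```python
import re


def render_as_path(as_path):
    """Render an AS-Path as the space-separated string the filter is matched against."""
    return " ".join(str(asn) for asn in as_path)


def filter_permits(rules, as_path):
    """Evaluate (action, regex) rules in order; the first rule whose regex matches decides."""
    text = render_as_path(as_path)
    for action, pattern in rules:
        if re.search(pattern, text):
            return action == "permit"
    return False  # assumption: a route that matches no rule does not pass


def overmatched(rules, routes, intended_first_as):
    """Return routes the filter permits although their first AS is not the intended one."""
    return [path for path in routes
            if filter_permits(rules, path) and path[0] != intended_first_as]


# Constructed AS paths, as if received from several peers.
ROUTES = [
    [10, 200],     # first AS is 10: the neighbor the operator means to accept
    [10],          # route originated by AS 10 itself
    [100, 300],    # a different AS whose number starts with the characters "10"
    [1000, 10],    # another AS starting with "10"; AS 10 is only the origin
    [65010, 10],   # AS 10 appears, but not in first position
]

LOOSE = [("permit", r"^10")]            # the expression used as the example in the text
ANCHORED = [("permit", r"^10( |$)")]    # 10 followed by a separator or the end of the path
TWO_RULES = [("deny", r"^100( |$)"),    # several rules under one filter number
             ("permit", r"^10")]

if __name__ == "__main__":
    for name, rules in (("loose", LOOSE), ("anchored", ANCHORED), ("two rules", TWO_RULES)):
        passed = [render_as_path(p) for p in ROUTES if filter_permits(rules, p)]
        print(f"{name:10} permits {passed}")
    print("over-matched by ^10:", overmatched(LOOSE, ROUTES, 10))
```

On these constructed paths, ^10 also lets through routes whose first AS is 100 or 1000, so the AS number needs a trailing delimiter when the filter is meant to name a single neighbor AS.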

Configuring the community attributes list Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

ip community-filter This command configures the community attributes filter.

• Run:

ip community-filter basic-comm-filter-num { deny | permit } [ community-number | aa:nn ] * &<1-16> [ internet | no-export-subconfed | no-advertise | no-export ] * This command configures the standard community attributes filter.

• Run:

ip community-filter adv-comm-filter-num { permit | deny } regular-expression This command configures the advanced community attributes filter. ----End

Configuring the extended community attributes list Do as follows on the BGP router: Step 1 Run:

system-view


The system view appears. Step 2 Run:

ip extcommunity-filter extcomm-filter-number { deny | permit } rt { as-number : nn | ipv4-address : nn } &<1-16> This command configures the list of extended community attributes. You can define many entries for the same extended community attributes list. These entries are in an OR relation. That is, if the routing information matches any one entry in the list, it passes the attributes list. ----End

8.3.7 Configuring related routing policies

NOTE

This section describes only the routing policies related to BGP. For details about route-policy, see Routing Policy Configuration.

Creating a routing policy Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

route-policy route-policy-name { permit | deny } node node This command creates the node of the route-policy and the route-policy view appears. ----End

Configuring an if-match clause Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

route-policy route-policy-name { permit | deny } node node The route-policy view appears. Step 3 Perform as required to configure the if-match clause of the routing policy.

• Run:

if-match as-path-filter as-path-filter-number &<1-16>


This command matches the AS-Path domain of the BGP routing information.

• Run:

if-match community-filter { basic-comm-filter-num [ whole-match ] | adv-comm-filter-num } &<1-16> This command matches the community attribute of the BGP routing information.

• Run:

if-match extcommunity-filter extcomm-filter-number &<1-16> This command matches the BGP extended community attribute. You can run the commands in step 3 regardless of the order. There can be no If-match clause or multiple If-match clauses in a node.

NOTE

• Within the same Route-Policy node, the relation between the if-match clauses is AND. That is, the action of the apply clause is performed only when the routing information meets all the matching conditions.
• If you do not specify the if-match clause, all routing information can pass the filtering of the node.
----End

Configuring the apply clause Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

route-policy route-policy-name { permit | deny } node node The route-policy view appears. Step 3 Perform as required to configure the apply clause of the routing policy.

• Run:

apply as-path as-number This command substitutes or adds the specific AS number to the AS-Path attribute of BGP.

• Run:

apply comm-filter comm-filter-number delete This command deletes the specified BGP community attribute.

Use the apply comm-filter delete command to delete the community attribute according to the specified value in the community filter. Each community filter you define with the ip community-filter command contains only one community attribute. If you want to delete many community attributes, configure the ip community-filter command many times. If you configure multiple community attributes under the same filter number, you cannot delete an attribute. For an example, see Nortel Secure Router 8000 Series Commands Reference (NN46240-500).

• Run:


apply community { community-number | aa:nn | internet | no-advertise | no-export | no-export-subconfed }* [ additive ] This command configures the community attribute of BGP routes.

• Run:

apply community none This command deletes the community attribute of BGP routes.

• Run:

apply extcommunity rt { as-number : nn | ipv4-address : nn } [ additive ] This command configures the BGP extended community attribute.

• Run:

apply local-preference preference This command configures the local preference of the BGP routing information.

• Run:

apply origin { igp | egp as-number | incomplete } This command configures the origin of the BGP routing information.

• Run:

apply preferred-value preferred-value This command configures the preferred value of the BGP routing information. You can run the commands in step 3 regardless of the order. ----End

8.3.8 Policies for advertising BGP routing information

Apply routing policies to the advertised routing information Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

ipv4-family unicast The BGP IPv4 unicast family view appears. Step 4 Run:


peer { ip-address | group-name } route-policy route-policy-name export This command configures the export routing policies.

NOTE

The routing policy you apply in the peer route-policy export command does not support using a certain interface as one of the match rules. That is, the routing policy does not support the if-match interface command. ----End

Filtering the routing information advertised to peers Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

ipv4-family unicast The BGP IPv4 unicast family view appears. Step 4 Do as follows to configure BGP to filter routing information according to different filters:

• Run:

peer { ip-address | group-name } filter-policy acl-number export This command configures BGP to filter the routing information according to the ACL.

• Run:

peer { ip-address | group-name } as-path-filter as-path-filter-number export This command configures BGP to filter the routing information according to the AS-Path filter.

• Run:

peer { ip-address | group-name } ip-prefix ip-prefix-name export This command configures BGP to filter the routing information according to the prefix list. The export route update policies that the members of a peer group use can be different from those that the group uses. That is, each group can choose its policy when it advertises routes outside the group. ----End


8.3.9 Configuring the policies for receiving BGP routing information

Filtering the received global routing information Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

ipv4-family unicast The BGP IPv4 unicast family view appears. Step 4 Run:

filter-policy { acl-number | ip-prefix ip-prefix-name } import This command filters the global routing information received. The routes that the BGP receives can be filtered, and BGP adds only those routes that meet certain conditions to the routing table. ----End

Applying routing policies to the received routing information Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

ipv4-family unicast The BGP IPv4 unicast family view appears. Step 4 Run:

peer { ip-address | group-name } route-policy route-policy-name import


This command applies the routing policies to the routing information received.

NOTE

The routing policy you apply in the peer route-policy import command does not support using a certain interface as one of the match rules. That is, the routing policy does not support the if-match interface command. ----End

Filtering the routing information received from the peers Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

ipv4-family unicast The BGP IPv4 unicast family view appears. Step 4 Do as follows to configure BGP to filter the routing information according to different filters:

• Run:

peer { ip-address | group-name } filter-policy acl-number import This command configures the BGP to filter the routes according to the ACL.

• Run:

peer { ip-address | group-name } as-path-filter as-path-filter-number import This command configures the BGP to filter the routes according to the AS-path filter.

• Run:

peer { ip-address | group-name } ip-prefix ip-prefix-name import This command configures the BGP to filter the routes according to the IP prefix list. The import routing policies that the members in a peer group use can be different from what the group uses. That is, each peer can select its own policy when it receives routes. ----End

Limiting the number of the routes received by peers Do as follows on the BGP router: Step 1 Run:

system-view


The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

peer { group-name | ipv4-address } route-limit limit [ percentage ] [ alert-only | idle-forever | idle-timeout times ] This command limits the number of routes that can be received from a peer or peer group. The command provides control at the peer level. You can choose specific parameters of the command to control how BGP behaves after the number of routes received from a peer exceeds the limit.

• alert-only: The neighbor relationship is still maintained. The neighbor does not receive any routing entry and records an alarm in the log.
• idle-forever: The neighbor relationship closes. Routers do not try to re-establish a connection. The neighbor records an alarm in the log. Use the display bgp peer or display bgp peer verbose command to verify that the status of the peer is Idle. You can run the reset bgp command to restore the BGP connection.
• idle-timeout: The neighbor relationship closes. Routers try to re-establish a connection after the timer times out. The neighbor records an alarm in the log. Use the display bgp peer or display bgp peer verbose command to verify that the status of the peer is Idle. If you want to restore the BGP connection before the timer times out, run the reset bgp command.
• If you do not configure any of the three parameters, the neighbor relationship closes. Routers try to re-establish a connection after 30 seconds. The neighbor records an alarm in the log.
----End

8.3.10 Configuring BGP route dampening

Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

ipv4-family unicast The BGP IPv4 unicast family view appears. Step 4 Run:


dampening [ half-life-reach half-life-unreach reuse suppress ceiling | route-policy route-policy-name ] * This command configures the BGP route dampening parameters. When you configure the BGP route dampening, the values of reuse, suppress, and ceiling must meet the relation of reuse < suppress < ceiling. The dampening command is valid only for the EBGP routes. ----End

8.3.11 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action | Command
Check the routing information that the BGP advertises. | display bgp network
Check the routing information that matches the specified AS-path filter. | display bgp routing-table as-path-filter as-path-filter-number
Check the routing information of the CIDR. | display bgp routing-table cidr
Check the route that matches the specified BGP community table. | display bgp routing-table community-filter community-filter-number [ whole-match ]
Check the dampened route of the BGP. | display bgp routing-table dampened
Check the configuration parameter of the BGP dampening. | display bgp routing-table dampening parameter
Check the statistics of route flapping. | display bgp routing-table flap-info [ regular-expression as-regular-expression | as-path-filter as-path-filter-number | network-address [ { mask | mask-length } [ longer-match ] ] ]
Check the routing information that the BGP peers advertise and receive. | display bgp routing-table peer ip-address { advertised-routes | received-routes } [ statistics ]

Run the display bgp network command. If you can view the advertised BGP routes, then BGP is advertising the routes correctly.

display bgp network
BGP Local Router ID is 3.3.3.3
Local AS Number is 300
Network Mask Route-policy
5.5.5.0 255.255.255.0


Run the display bgp routing-table dampened command. If you can find the dampened routes, then BGP dampening is configured and route flapping is occurring.

display bgp routing-table dampened

Total Number of Routes: 1

BGP Local router ID is 3.3.3.3
Status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Network From Reuse Path/Origin
d 6.6.6.6/32 3.3.3.1 00:41:00 200?

8.4 Configuring BGP route selection policy

8.4.1 Establishing the configuration task

Applicable environment BGP uses many route attributes. You can change the route selection policies using these attributes.

Preconfiguration tasks Before you configure BGP route selection policies, complete the following tasks:

• Configure the network layer addresses of the interface to keep the network layers of the adjacent nodes reachable.
• Complete the procedures in Configuring basic BGP functions.

Data preparation To configure BGP route selection policies, you need the following data.

No. | Data
1 | The protocol preference of the BGP
2 | The Local_Pref value
3 | The MED value

Configuration procedures

No. | Procedure
1 | Configuring the BGP preference
2 | Configuring the default local_pref attribute
3 | Configuring the MED attribute
4 | Configuring the next_hop attribute
5 | Configuring the AS-Path attribute
6 | Checking the configuration

8.4.2 Configuring the BGP preference

Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

ipv4-family unicast The BGP IPv4 unicast address family view appears. Step 4 Run:

preference { external internal local | route-policy route-policy-name } This command configures the BGP preference. BGP uses the following types of routes:

• routes learned from external peers (EBGP)
• routes learned from internal peers (IBGP)
• routes that originated locally (Local Originated)

You can configure different preferences for these three types of routes. You can also use the routing policy to configure the preference for the specified routes that meet the requirements. You can configure the default preference for the routes that do not meet requirements. ----End

NOTE

You cannot configure the BGP protocol preference by applying a routing policy to peers with the peer route-policy command.

8.4.3 Configuring the default local_pref attribute

Do as follows on the BGP router:


Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

ipv4-family unicast The BGP IPv4 unicast address family view appears. Step 4 Run:

default local-preference preference This command configures the default Local_Pref attribute of the local router. ----End

8.4.4 Configuring the MED attribute

Configuring the default MED value of the local router Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

ipv4-family unicast The BGP IPv4 unicast address family view appears. Step 4 Run:

default med med This command configures the default MED value. The default med command is valid only for the routes that are imported by using the import-route command and the routes that BGP aggregates. ----End


Comparing the MED values of the routes from different ASs Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

ipv4-family unicast The BGP IPv4 unicast address family view appears. Step 4 Run:

compare-different-as-med This command compares the MED values of the routes from different ASs. In general, the BGP router compares only the MED values of the routes from the same AS (different peers). After you configure this command, you can allow BGP to compare the MED values of the routes from different ASs. ----End

Configuring the disposal method when the MED value is lost Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

ipv4-family unicast The BGP IPv4 unicast address family view appears. Step 4 Run:

bestroute med-none-as-maximum This command configures the MED value as the maximum when it is lost. If you configure this command, after the MED value is lost, BGP takes the MED as the maximum value during route selection. If you do not configure this command, the MED is 0.


----End

Comparing the MED values of the routes in a confederation Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

ipv4-family unicast The BGP IPv4 unicast address family view appears. Step 4 Run:

bestroute med-confederation This command configures BGP to compare the MED values of the routes in a confederation. ----End

8.4.5 Configuring the next_hop attribute

Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

ipv4-family unicast The BGP IPv4 unicast address family view appears. Step 4 Run:

peer { ip-address | group-name } next-hop-local This command configures the address of the router as the next hop for route advertisement. In certain networks, to ensure that the IBGP neighbors can find the correct next hop, configure the local address as the next hop address when routes are advertised to IBGP peers.


----End

NOTE

If you configure BGP load balancing, the local router uses the local address as the next hop address when it advertises routes to IBGP peer groups, regardless of whether you configure the peer next-hop-local command.

8.4.6 Configuring the AS-Path attribute

Allowing repetitive local AS numbers Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

ipv4-family unicast The BGP IPv4 unicast address family view appears. Step 4 Run:

peer { ip-address | group-name } allow-as-loop [ number ] This command allows the local AS number to be repeated. In general, BGP checks the AS-Path attribute of the routes sent from the peers. If the local AS number already exists, BGP ignores this route to avoid route loops. In special cases, you can use this command to allow the AS-Path attribute of the routes sent from the peers to contain the local AS number. You can also configure the number of times that the local AS number can be repeated. ----End

Configuring the AS-Path attribute not as one of the route selection rules Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number


The BGP view appears. Step 3 Run:

ipv4-family unicast The BGP IPv4 unicast address family view appears. Step 4 Run:

bestroute as-path-neglect This command prevents the AS-Path attribute from becoming one of the route selection rules. ----End

Configuring fake AS number Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

peer { ip-address | group-name } fake-as fake-as-number This command configures the fake AS number. You can hide the actual AS number by using this command. EBGP peers in other ASs can only see this fake AS number.

NOTE

This command applies only to EBGP peers. ----End

Substituting the AS number in the AS-Path attribute Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears.


Step 3 Run:

peer { ip-address | group-name } substitute-as This command substitutes the AS number in the AS-Path attribute. After you configure this command, if the AS-Path attribute contains the AS number of the peer, the local AS number is substituted for that number before the routes are advertised.

If the configuration is not correct, the command can cause routing loops.

----End

Configuring the AS-Path attribute to carry only the public AS number Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

ipv4-family unicast The BGP IPv4 unicast address family view appears. Step 4 Run:

peer { ip-address | group-name } public-as-only This command configures the AS-Path attribute to carry only the public AS number. In general, the AS number ranges from 1 to 65 535. The public AS number ranges from 1 to 64 511 and the private AS number ranges from 64 512 to 65 534. You can use 65 535 as the reserved AS number in certain circumstances. You can use the public AS number on the Internet, because the Internet Assigned Numbers Authority (IANA) manages and assigns Internet addresses. You cannot advertise the private AS number to the Internet and can use it only in the internal routing domain. In general, BGP carries an AS number (either public or private) when it advertises routes. In some cases, the private AS number does not need to be transmitted. You can then configure the AS-Path attribute to carry only the public AS number by using this command. This command applies only to the EBGP peers. ----End


8.4.7 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action | Command
Check the information about the AS-path. | display bgp paths [ as-regular-expression ]
Check the routes with different source ASs but with the same destination. | display bgp routing-table different-origin-as
Check the routing information that matches the regular expression of the AS. | display bgp routing-table regular-expression as-regular-expression
Check the information about the BGP routing table. | display bgp routing-table [ network ] [ mask | mask-length ] [ longer-prefixes ]

Run the display bgp routing-table command. If you can view the routes in the BGP routing table, then BGP is correctly configured.

display bgp routing-table

Total Number of Routes: 2

BGP Local router ID is 3.3.3.3
Status codes: * - valid, > - best, d - damped, h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Network NextHop MED LocPrf PrefVal Path/Ogn
*> 5.5.5.0/24 0.0.0.0 0 0 i
d 6.6.6.6/32 3.3.3.1 0 0 200?

8.5 Adjusting and optimizing BGP networks

8.5.1 Establishing the configuration task

Applicable environment

• BGP timers
After peers create a BGP connection, the peers periodically send Keepalive messages to each other. If a router does not receive any Keepalive message or other kinds of packets from the peer within the specified hold time, the BGP connection closes. When a router creates a BGP connection with its peer, they negotiate the hold time. The smaller of the two hold times is taken as the negotiated hold time. If the negotiation result is 0, no Keepalive message is transmitted and expiry of the hold time is not detected.
If the timer value changes, the BGP connection can be interrupted for a short time, because the router and its peer need to negotiate again.

• Resetting BGP connections
After you change BGP policies, you must reset the current BGP connection to validate the new configuration. The BGP connection is interrupted temporarily. In the Secure Router 8000 Series implementation, BGP supports the route-refresh capability. After you change the policies, the system refreshes the BGP routing table automatically. Hence the BGP connections are not interrupted. If the neighbor supports Route-Refresh, you can run the refresh bgp command on the local router to manually perform soft resetting for the BGP connection. The routing table of the local router is thus refreshed. If the neighbor does not support Route-Refresh, you can run the peer keep-all-routes command on the local router. In this way, the BGP routing table of the local router can be refreshed.

• BGP authentication
BGP uses TCP as the transport layer protocol. To enhance BGP security, you can perform Message Digest 5 (MD5) authentication when routers create TCP connections. MD5 authentication, however, does not authenticate BGP packets. Instead, you configure an MD5 authentication password for the TCP connections, and TCP implements the authentication. If the authentication fails, the TCP connections are not established.

• EBGP split horizon
If multiple EBGP peers are established between two ASs, the router in an AS can receive multiple routes that the two different EBGP peers advertise. After the routes reach the EBGP peer, the EBGP peer discards the route according to the AS-Path if you do not configure the EBGP peer to allow AS loops. This process wastes resources. You can run the as-split-horizon command to prohibit a route received from an AS from being forwarded back to that AS. This process can reduce unnecessary route advertisement.
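To show what TCP-level MD5 authentication covers, the following added Python example (not code from the Nortel documentation) computes and checks the TCP MD5 signature option as defined in RFC 2385, which is assumed here to be the mechanism the router uses. The addresses, ports, password and KEEPALIVE bytes are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

MD5_OPTION_KIND = 19   # TCP option kind of the MD5 signature (RFC 2385)
MD5_OPTION_LEN = 18    # kind byte + length byte + 16-byte digest
BASE_HEADER_LEN = 20   # TCP header without options

# Constructed BGP KEEPALIVE: 16-byte all-ones marker, length 19, type 4.
BGP_KEEPALIVE = b"\xff" * 16 + struct.pack("!HB", 19, 4)


def md5_signature(src_ip, dst_ip, tcp_header, payload, key):
    """RFC 2385 digest: pseudo-header, option-less header with zero checksum, data, key."""
    segment_len = len(tcp_header) + len(payload)
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, segment_len))
    base = bytearray(tcp_header[:BASE_HEADER_LEN])
    base[16:18] = b"\x00\x00"            # the checksum field is treated as zero
    return hashlib.md5(pseudo + bytes(base) + payload + key).digest()


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, key=None):
    """Build a TCP segment (checksum left at 0 in this sample); sign it when key is given."""
    options = b""
    if key is not None:                  # NOP, NOP, then the MD5 option with an empty digest
        options = b"\x01\x01" + bytes([MD5_OPTION_KIND, MD5_OPTION_LEN]) + bytes(16)
    data_offset = (BASE_HEADER_LEN + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                         data_offset << 4, flags, 16384, 0, 0) + options
    if key is not None:
        header = header[:-16] + md5_signature(src_ip, dst_ip, header, payload, key)
    return header + payload


def find_md5_option(options):
    """Walk the TCP options; return the 16-byte digest, or None if absent or malformed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                    # end of option list
            break
        if kind == 1:                    # NOP padding
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None
        if kind == MD5_OPTION_KIND:
            return options[i + 2:i + length] if length == MD5_OPTION_LEN else None
        i += length
    return None


def accept_segment(src_ip, dst_ip, segment, key):
    """Receiver-side check for a connection that has a password configured."""
    if len(segment) < BASE_HEADER_LEN:
        return False
    header_len = (segment[12] >> 4) * 4
    if header_len < BASE_HEADER_LEN or header_len > len(segment):
        return False
    header, payload = segment[:header_len], segment[header_len:]
    received = find_md5_option(header[BASE_HEADER_LEN:])
    if received is None:
        return False                     # unsigned segments are dropped by TCP
    expected = md5_signature(src_ip, dst_ip, header, payload, key)
    return hmac.compare_digest(received, expected)
```

The BGP message bytes are identical in a signed and an unsigned segment; only the TCP option differs, so a segment without a valid digest is dropped by TCP before BGP processes it.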

Preconfiguration tasks Before you adjust BGP timers, complete the procedures in Configuring basic BGP functions.

Data preparation To configure BGP timers and authentication, you need the following data.

No. | Data
1 | The value of the BGP timer
2 | The interval for sending update packets
3 | MD5 authentication password


Configuration procedures

No. | Procedure
1 | Configuring BGP timers
2 | Configuring the interval for sending update packets
3 | Configuring BGP soft resetting
4 | Enabling quick resetting of EBGP connections
5 | Configuring MD5 authentication
6 | Configuring the maximum number of equal-cost routes
7 | Configuring EBGP split horizon
8 | Checking the configuration

8.5.2 Configuring BGP timers

If the timer value (with timer or peer timer command) changes, the BGP peer relationship among routers is interrupted. Confirm the action before you use the command.

Configuring global timers Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

timer keepalive keepalive-time hold hold-time This command configures the BGP timers. The reasonable maximum interval for sending a keepalive message is one third of the Holdtime and is not less than one second. Thus, if you do not configure the hold time to 0, it is at least 3 seconds. By default, the Keepalive period is 60 seconds and the Holdtime period is 180 seconds.


Note the following when you set the values of the keepalive-time and the hold-time:

• The values of keepalive-time and hold-time cannot be 0 at the same time. Otherwise, the BGP timer becomes invalid. That is, BGP does not detect link faults according to the timer.
• The value of hold-time is greater than that of keepalive-time, for example, timer keepalive 1 hold 65535. If the Holdtime is too long, the link fault cannot be detected quickly.
----End

After peers establish connections, the actual values of keepalive-time and hold-time are negotiated by both peers. The smaller of the hold-time values in the Open packets of both peers is used as the actual value of hold-time. The smaller value between the actual hold-time/3 and the keepalive-time is the actual value of the keepalive-time.

Configuring peer timers Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

peer { ip-address | group-name } timer keepalive keepalive-time hold hold-time This command configures the interval for sending keepalive messages and the Holdtime of the peer or the peer group. For the relation between Keepalive period and Holdtime period, see Configuring global timers. The priority of the peer timers is higher than that of the global timers. ----End

8.5.3 Configuring the interval for sending update packets

Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number


The BGP view appears. Step 3 Run:

peer { ip-address | group-name } route-update-interval interval This command configures the interval for sending update packets. ----End

8.5.4 Configuring BGP soft resetting

Enabling the route-refresh capability Do as follows on the BGP router: Step 1 Run:

system-view The system view appears. Step 2 Run:

bgp as-number The BGP view appears. Step 3 Run:

peer { ip-address | group-name } capability-advertise { route-refresh | conventional } This command enables the route-refresh capability. ----End

If you enable the route-refresh capability on all BGP routers, the local router advertises route-refresh messages to its peer if the BGP routing policy changes. The peer that receives this message sends its routing information to the local router again. In this way, the BGP routing table updates dynamically and the new policy applies without interrupting the BGP connections.

Keeping all the route updates of the peers
Do as follows on the BGP router:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
ipv4-family unicast
The BGP IPv4 unicast address family view appears.
Step 4 Run:
peer { ip-address | group-name } keep-all-routes
This command keeps all the routing updates of the peer.
After you use this command, the router keeps all route updates of the specified peer regardless of whether it uses the filtering policy. When BGP connections are soft reset, this information can be used to generate BGP routes.
----End

Soft resetting BGP connections
Do as follows on the BGP router:
Step 1 Run:
refresh bgp [ vpn-instance vpn-instance-name | vpnv4 ] { all | ipv4-address | group group-name | external | internal } { export | import }
This command soft resets BGP connections.
----End

8.5.5 Enabling quick resetting of EBGP connections
Do as follows on the BGP router:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
ebgp-interface-sensitive
This command enables quick resetting of EBGP connections.

• After you enable this function, BGP detects the failure of the EBGP link quickly and then resets BGP connections on the interface immediately.
• Disabling this function avoids the repeated setup and deletion of the BGP session that route flapping causes. This saves network bandwidth.
----End


8.5.6 Configuring MD5 authentication
Do as follows on the BGP router:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
peer { ip-address | group-name } password { cipher | simple } password
This command configures the MD5 authentication password.

NOTE
When you use this command in the BGP view, the extensions on VPNv4 of MP-BGP are also valid because they use the same TCP connections.
----End
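The following Python script is an added example, not part of the Nortel guide: it reads a saved configuration and reports, for each BGP peer, whether a peer password line applies and whether it uses the cipher or the simple keyword. It assumes that the saved configuration shows the password line in the form in which it was entered, that a peer inherits the password of its peer group, and that the simple keyword leaves the password readable in the configuration; the sample configuration and the group name edge are constructed.

```python
import ipaddress
import re

# Constructed sample in the layout of the configuration files in this chapter.
# The password strings are placeholders, not real ciphertext or secrets.
SAMPLE_CONFIG = """\
#
 sysname RouterB
#
bgp 65009
 router-id 2.2.2.2
 group edge external
 peer edge as-number 65008
 peer edge password cipher PLACEHOLDER-CIPHERTEXT
 peer 200.1.1.2 group edge
 peer 9.1.1.2 as-number 65009
 peer 9.1.1.2 password simple PLACEHOLDER-SECRET
 peer 9.1.3.2 as-number 65009
 #
 ipv4-family unicast
  undo synchronization
  peer 9.1.1.2 enable
#
return
"""


def _is_ip(token):
    """True when the peer target is an address rather than a group name."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def audit_bgp_auth(config):
    """Return {peer address: {"type": EBGP|IBGP, "auth": cipher|simple|none}}."""
    local_as, in_bgp = None, False
    remote_as, member_of, auth = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw[0].isspace():
            # An unindented line opens or closes the "bgp as-number" block.
            match = re.fullmatch(r"bgp (\d+)", line)
            in_bgp = match is not None
            if match:
                local_as = int(match.group(1))
            continue
        tok = line.split()
        if not in_bgp or tok[0] != "peer" or len(tok) < 4:
            continue
        target, keyword = tok[1], tok[2]
        if keyword == "as-number":
            remote_as[target] = int(tok[3])
        elif keyword == "group":
            member_of[target] = tok[3]
        elif keyword == "password" and tok[3] in ("cipher", "simple"):
            auth[target] = tok[3]          # the password itself is never stored

    report = {}
    for target in remote_as.keys() | member_of.keys():
        if not _is_ip(target):
            continue                       # groups are reported through their members
        group = member_of.get(target)
        # Assumption: a peer-level password line overrides the group-level one.
        mode = auth.get(target) or auth.get(group) or "none"
        asn = remote_as.get(target, remote_as.get(group, local_as))
        report[target] = {
            "type": "EBGP" if asn != local_as else "IBGP",
            "auth": mode,
        }
    return report


def weak_peers(report):
    """Peers with no MD5 password, or with one kept under the simple keyword."""
    return sorted(
        (peer, info["auth"])
        for peer, info in report.items()
        if info["auth"] != "cipher"
    )


if __name__ == "__main__":
    result = audit_bgp_auth(SAMPLE_CONFIG)
    for peer in sorted(result):
        print(peer, result[peer]["type"], result[peer]["auth"])
    print("review:", weak_peers(result))
```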

8.5.7 Configuring the maximum number of equal-cost routes
Do as follows on the BGP router:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
ipv4-family unicast
The BGP IPv4 unicast address family view appears.
Step 4 Run:
maximum load-balancing number
This command configures the maximum number of equal-cost routes.
----End


8.5.8 Configuring EBGP split horizon
Do as follows on the BGP router on which the EBGP connection is set up:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
as-split-horizon
This command configures split horizon between EBGP peers.
Use this command when multiple EBGP peer relationships exist between two ASs. After you use the command, the router does not forward a route received from an AS to the peers of that AS. This reduces unnecessary route advertisement.
----End

8.5.9 Checking the configuration
Use the commands in the following table to check the previous configuration.

Action: Check the routing information that BGP advertises.
Command: display bgp network

Action: Check the information about the BGP peers and peer-groups.
Command: display bgp peer [ verbose ]
Command: display bgp peer ip-address { log-info | verbose }
Command: display bgp peer group-name log-info

Action: Check the information in the BGP routing table.
Command: display bgp routing-table [ network ] [ mask | mask-length ] [ longer-prefixes ]

Action: Check the routing information that the BGP peers advertise or receive.
Command: display bgp routing-table peer ip-address { advertised-routes | received-routes } [ statistics ]

Run the display bgp peer verbose command. If the output shows detailed peer information, the configuration is correct.

display bgp peer verbose

Peer: 3.3.3.1 Local router ID: 3.3.3.3
Type: EBGP link
BGP version 4, Remote router ID 2.2.2.1
BGP current state: Established, Up for 00h07m25s
BGP current event: KATimerExpired
BGP last state: OpenConfirm
Port: Local - 179 Remote - 51482
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Address family IPv4 Unicast: advertised and received

Received: Total 20 messages
 Update messages 11
 Open messages 1
 KeepAlive messages 8
 Notification messages 0
 Refresh messages 0

Sent: Total 13 messages
 Update messages 1
 Open messages 2
 KeepAlive messages 10
 Notification messages 0
 Refresh messages 0
Last keepalive received: 2007-08-19 16:05:50
OutQ: 0
Minimum route advertisement interval is 30 seconds
Optional capabilities:
Route refresh capability has been enabled
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured
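The negotiation rule from Configuring global timers can be checked against the Configured, Received, and Negotiated lines of this output. The following Python script is an added example, not part of the Nortel guide; it assumes whole-second timers with hold-time/3 rounded down, the 180-second limit for reporting a long Holdtime is a hypothetical threshold, and the sample text is constructed in the layout of the output above.

```python
import re

# Constructed sample in the layout of the "display bgp peer verbose" output.
SAMPLE = """\
Peer: 3.3.3.1 Local router ID: 3.3.3.3
Type: EBGP link
BGP current state: Established, Up for 00h07m25s
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
"""

# Constructed sample: the peer offers a 30-second hold time in its Open packet.
SAMPLE_SHORT_PEER = SAMPLE.replace(
    "Received : Active Hold Time: 180 sec",
    "Received : Active Hold Time: 30 sec",
).replace(
    "Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec",
    "Negotiated: Active Hold Time: 30 sec Keepalive Time:10 sec",
)

_TIMER = re.compile(
    r"^(Configured|Received|Negotiated)\s*:\s*Active Hold Time:\s*(\d+)\s*sec"
    r"(?:\s*Keepalive Time:\s*(\d+)\s*sec)?",
    re.M,
)


def parse_timers(text):
    """Extract the three timer lines as {label: {"hold": int, "keepalive": int|None}}."""
    timers = {}
    for label, hold, keepalive in _TIMER.findall(text):
        timers[label.lower()] = {
            "hold": int(hold),
            "keepalive": int(keepalive) if keepalive else None,
        }
    return timers


def negotiate(local_hold, local_keepalive, peer_hold):
    """Apply the rule from this section.

    Actual hold-time      = smaller of the two hold-times in the Open packets.
    Actual keepalive-time = smaller of (actual hold-time / 3) and the
                            configured keepalive-time.
    Assumption: whole seconds, division rounded down.
    """
    hold = min(local_hold, peer_hold)
    keepalive = min(hold // 3, local_keepalive)
    return hold, keepalive


def check_peer(text, max_hold=180):
    """Return (expected timers, findings) for one peer's output.

    max_hold is a hypothetical site threshold above which link-fault
    detection is reported as slow.
    """
    timers = parse_timers(text)
    missing = {"configured", "received", "negotiated"} - timers.keys()
    if missing:
        raise ValueError("timer lines not found: " + ", ".join(sorted(missing)))

    expected = negotiate(
        timers["configured"]["hold"],
        timers["configured"]["keepalive"],
        timers["received"]["hold"],
    )
    reported = (timers["negotiated"]["hold"], timers["negotiated"]["keepalive"])

    findings = []
    if reported != expected:
        findings.append(
            "negotiated timers %s differ from the rule's result %s"
            % (reported, expected)
        )
    if reported[0] == 0:
        findings.append("hold timer is 0: BGP does not detect link faults by timer")
    elif reported[0] > max_hold:
        findings.append(
            "hold time %d s exceeds %d s: link faults are detected slowly"
            % (reported[0], max_hold)
        )
    return expected, findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE), ("short peer", SAMPLE_SHORT_PEER)):
        expected, findings = check_peer(text)
        print(name, "expected hold/keepalive:", expected, "findings:", findings)
```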

8.6 Building large-sized BGP networks

8.6.1 Establishing the configuration task

Applicable environment
In a large-sized BGP network, many peers exist, which is not convenient for configuration and maintenance. Use peer groups to simplify management and improve the efficiency of route advertisement. According to the AS where the peers reside, you can divide peer groups into IBGP peer groups and EBGP peer groups. For EBGP peer groups, you can divide them into pure EBGP peer groups and mixed EBGP peer groups. Perform this division according to whether the included peers are in the same external AS.
The community can also simplify the management of routing policies, but it has a wider management scope. A community can control routing policies of multiple BGP routers.
To ensure the connectivity between IBGP peers inside an AS, you must establish a full connection among IBGP peers. When many IBGP peers exist, it is expensive to establish a full connection network. Use the route reflector and the confederation to solve this problem. In a large-sized AS, you can use the route reflector and the confederation at the same time.

Preconfiguration tasks
Before you build a large-sized BGP network, complete the following tasks:
• Keep the network layers of the adjacent nodes reachable.
• Enable BGP and configure the router ID.

Data preparation
To configure BGP peer groups, you need the following data.

No.  Data
1    Type, name of the peer group, and the included peers
2    Name of the routing policy to apply if you use the community
3    The roles of each router (client, non-client) if you use the route reflector
4    The confederation ID and the sub-AS number if you use the confederation

Configuration procedures

No.  Procedure
1    Configuring a BGP peer group
2    Configuring the BGP community
3    Configuring the BGP route reflector
4    Configuring the BGP confederation
5    Checking the configuration

8.6.2 Configuring a BGP peer group

Creating an IBGP peer group
Do as follows on the BGP router:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
group group-name [ internal ]
This command creates an IBGP peer group.
Step 4 Run:
peer ip-address group group-name
This command adds a peer to this peer group.
You do not need to specify the AS number when you create an IBGP peer group.

NOTE
Repeat Step 4 to add multiple peers to the peer group. The system creates each peer in the BGP view automatically, and configures the AS number to the local AS number.
----End

Creating a pure EBGP peer group
Do as follows on the BGP router:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
group group-name external
This command creates an EBGP peer group.
Step 4 Run:
peer group-name as-number as-number
This command configures the AS number of this peer group.
Step 5 Run:
peer ip-address group group-name
This command adds peers to this peer group.
----End

NOTE
Repeat Step 5 to add multiple peers to the peer group. The system creates each peer in the BGP view automatically, and configures the AS number to the local AS number. If peers already exist in this peer group, you can neither change the AS number of this peer group nor delete the specific AS number by using the undo command.

Creating a mixed EBGP peer group
Do as follows on the BGP router:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
group group-name external
This command creates an EBGP peer group.
Step 4 Run:
peer ip-address as-number as-number
This command creates all peers and configures their AS numbers.
Step 5 Run:
peer ip-address group group-name
This command adds peers to the peer group.
----End

NOTE
Repeat Step 4 and Step 5 to add multiple peers to the peer group. In a mixed EBGP peer group, you must specify the AS number of each peer respectively.

8.6.3 Configuring the BGP community

Configuring to advertise the community attribute to peers
Do as follows on the BGP router:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
ipv4-family unicast
The BGP IPv4 unicast address family view appears.
Step 4 Do as follows to configure BGP to advertise the community attribute to peers or peer groups:
• Run:
peer { ip-address | group-name } advertise-community
This command configures the BGP to advertise the standard community attribute to peers or peer groups.
• Run:
peer { ip-address | group-name } advertise-ext-community
This command configures the BGP to advertise the extended community attribute to peers or peer groups.
----End

Applying routing policies to the advertised routing information
Do as follows on the BGP router:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
ipv4-family unicast
The BGP IPv4 unicast address family view appears.
Step 4 Run:
peer { ip-address | group-name } route-policy route-policy-name export
This command configures the export routing policy.

NOTE
When you configure the BGP community, you can use the routing policy to define the specific community attribute. Apply these routing policies when the router advertises the routing information. For information about routing policy configuration, see Routing Policy Configuration.
----End


8.6.4 Configuring the BGP route reflector

Configuring the route reflector and specifying the clients
Do as follows on the BGP router:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
ipv4-family unicast
The BGP IPv4 unicast address family view appears.
Step 4 Run:
peer { ip-address | group-name } reflect-client
This command configures the route reflector and its clients.
The router you configure with this command serves as the route reflector. This command specifies the peers that serve as its clients.
----End

Enabling the route reflection between clients
Do as follows on the BGP router:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
ipv4-family unicast
The BGP IPv4 unicast address family view appears.
Step 4 Run:
reflect between-clients
This command enables the route reflection between clients.
If the clients of the route reflector fully connect, you can use the undo reflect between-clients command to disable the route reflection between clients. This action reduces cost.
You can configure this command on the route reflector only.
----End

Configuring the cluster ID of the route reflector
Do as follows on the BGP router:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
ipv4-family unicast
The BGP IPv4 unicast address family view appears.
Step 4 Run:
reflector cluster-id cluster-id
This command configures the cluster ID of the route reflector.
When multiple route reflectors exist in a cluster, you can configure all the route reflectors in this cluster with the same cluster-ID by using this command. This configuration avoids route loops.
----End

8.6.5 Configuring the BGP confederation

Configuring basic BGP confederation
Do as follows on the BGP router:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
confederation id as-number
This command configures the confederation ID.
Step 4 Run:
confederation peer-as as-number &<1-32>
This command connects the sub-AS number of other EBGP peers with the local AS.
A confederation includes up to 32 sub-ASs. The as-number is valid for the confederation to which it belongs.
You must configure the confederation id and confederation peer-as commands for all the EBGP peers that belong to a confederation, and specify the same confederation ID for them.
----End

Configuring the compatibility of the confederation
Do as follows on the BGP router:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
confederation nonstandard
This command configures the compatibility of the confederation.
Some routers can implement a confederation that is not compliant with the specifications of the RFC. In this situation, you can use this command to make standard devices compatible with nonstandard devices.
----End

8.6.6 Checking the configuration
Use the commands in the following table to check the previous configuration.

Action: Check the information about peer-groups.
Command: display bgp group [ group-name ]

Action: Check the routing information about the specified BGP community.
Command: display bgp routing-table community [ aa:nn &<1-13> ] [ internet | no-advertise | no-export | no-export-subconfed ] * [ whole-match ]

Action: Check the routes that match the specified BGP community attribute filter.
Command: display bgp routing-table community-filter community-filter-number [ whole-match ]

Run the display bgp group command. If you can find information about the peer group, then the peer group is correctly set up.

display bgp group

BGP peer-group: 123
Remote AS number isn't specified
Type : external
PeerSession Members:
3.3.3.1

Peer Members:
3.3.3.1

8.7 Configuring BGP GR

8.7.1 Establishing the configuration task

Applicable environment
To prevent interruption of services that restarting BGP causes, you must enable BGP GR to establish a BGP session with the GR capability between the GR restarter and the BGP peers through negotiation.

Preconfiguration tasks
Before you configure BGP GR, complete the following task: configure basic BGP functions.

Data preparation
To configure BGP GR, you need the following data.

No.  Data
1    AS number of BGP
2    Maximum time to re-establish the BGP session
3    Time to wait for the End-of-RIB message


Configuration procedures

No.  Procedure
1    Enabling BGP GR
2    Configuring GR parameters for the BGP session
3    Checking the configuration

8.7.2 Enabling BGP GR
Do as follows on the router where you enable BGP GR:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
graceful-restart
This command enables the BGP GR.
By default, BGP GR is disabled.
----End

8.7.3 Configuring GR parameters for the BGP session
Do as follows on the router where you enable BGP GR:
Step 1 Run:
system-view
The system view appears.
Step 2 Run:
bgp as-number
The BGP view appears.
Step 3 Run:
graceful-restart timer restart timer
This command configures the maximum time to re-establish the BGP session.
The restarting time refers to the maximum time to restart the router, that is, the maximum time to wait from the moment the receiving speaker detects the peer restart until the moment the BGP session establishes again. By default, the restarting time is 150 seconds.

If you modify the maximum time to re-establish the BGP session, the BGP peer relationship re-establishes.

Step 4 Run:
graceful-restart timer wait-for-rib timer
This command configures the time to wait for the End-of-RIB message between the restarting speaker and the receiving speaker.
By default, the time to wait for the End-of-RIB message is 600 seconds.
----End

Based on requirements, you can adjust GR parameters for the BFD session. However, Nortel recommends that you use the default values.

8.7.4 Checking the configuration
Use the commands in the following table to check the previous configuration.

Action: Check the state of BGP GR.
Command: display bgp peer verbose

Run the display bgp peer verbose command. If you find that GR is advertised and received, then the BGP GR is correctly configured.

display bgp peer verbose

Peer: 3.3.3.1 Local router ID: 3.3.3.3
Type: EBGP link
BGP version 4, Remote router ID 2.2.2.1
BGP current state: Established, Up for 00h01m49s
BGP current event: KATimerExpired
BGP last state: OpenConfirm
Port: Local - 179 Remote - 50646
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Graceful Restart Capability: advertised and received
Restart Timer Value received from Peer: 150 seconds
Address families preserved for peer in GR:
IPv4 Unicast (was preserved)
Address family IPv4 Unicast: advertised and received

Received: Total 23 messages
 Update messages 2
 Open messages 2
 KeepAlive messages 19
 Notification messages 0
 Refresh messages 0

Sent: Total 29 messages
 Update messages 2
 Open messages 4
 KeepAlive messages 22
 Notification messages 1
 Refresh messages 0
Last keepalive received: 2007-08-19 16:16:14
OutQ: 0
Minimum route advertisement interval is 30 seconds
Optional capabilities:
Route refresh capability has been enabled
Peer Preferred Value: 0
Routing policy configured:
Peer's BFD has been enabled
No routing policy is configured

8.8 Maintaining BGP
This section covers the following topics:
• Resetting BGP connections
• Clearing BGP information
• Debugging BGP

8.8.1 Resetting BGP connections

After you reset BGP connections with the reset bgp command, the router deletes the BGP peer relationship. Confirm the action before you use the command.

After you modify the BGP routing policy or protocol, reset BGP connections to make the modification take effect. To reset the BGP connection, run the following reset commands in the user view.

Action: Reset all BGP connections.
Command: reset bgp all

Action: Reset the BGP connection between the specified AS.
Command: reset bgp as-number

Action: Reset the BGP connection between the specified peers.
Command: reset bgp ip-address

Action: Reset all EBGP connections.
Command: reset bgp external

Action: Reset the BGP connection with the specified peer-groups.
Command: reset bgp group group-name

Action: Reset all IBGP connections.
Command: reset bgp internal

8.8.2 Clearing BGP information

You cannot restore BGP statistics after you clear them. Confirm the action before you use the command.

To clear the BGP information, run the following reset commands in the user view.

Action: Clear the flapping statistics of routes.
Command: reset bgp flap-info [ regexp as-path-regexp | as-path-filter as-path-filter-number | ipv4-address [ mask | mask-length ] ]

Action: Clear the route dampening information and advertise the restrained routes.
Command: reset bgp dampening [ ipv4-address [ mask | mask-length ] ]

Action: Clear the flapping statistics of specific peers.
Command: reset bgp ip-address flap-info

Action: Clear the statistics of the BGP accounting.
Command: reset ip bgp-accounting inbound interface [ interface-type interface-number ]

8.8.3 Debugging BGP

Debugging affects system performance. After you debug the system, run the undo debugging all command to disable it immediately.

After a BGP fault occurs, run the following debugging commands in the user view to debug BGP and locate the fault.


For information about the output of the debugging command, see Nortel Secure Router 8000 Series Configuration Guide - System Management (NN46240-601). For information about the related debugging command, see Nortel Secure Router 8000 Series Commands Reference (NN46240-500).

Action: Debug BGP.
Command: debugging bgp all

Action: Debug BGP events.
Command: debugging bgp event

Action: Debug BGP packets.
Command: debugging bgp { keepalive | open | packet | route-refresh } [ receive | send ] [ verbose ]

Action: Debug BGP update packets.
Command: debugging bgp update [ acl acl-number | label-route | ipv4 | ipv6 | vpnv4 | vpn-instance vpn-instance-name | l2vpn ] [ peer { ip-address | group-name } | ip-prefix ip-prefix-name ] [ receive | send ] [ verbose ]

8.9 Configuration examples
This section provides the following examples:
• Example of configuring basic BGP functions
• Example of configuring AS-Path filter
• Example of configuring BGP to interact with IGP
• Example of configuring BGP load balancing and MED attribute
• Example of configuring the BGP community
• Example of configuring the BGP route reflector
• Example of configuring the BGP confederation

8.9.1 Example of configuring basic BGP functions

Networking requirements
As shown in Figure 8-14, all routers are BGP routers. An EBGP connection is established between Router A and Router B. Mesh IBGP connections exist among Router B, Router C, and Router D.

Figure 8-14 Basic BGP configuration
[Network diagram: AS65008 contains Router A; AS65009 contains Router B, Router C, and Router D.]
Router A: GbE1/0/0 8.1.1.1/8, POS2/0/0 200.1.1.2/24
Router B: POS1/0/0 9.1.1.1/24, POS2/0/0 200.1.1.1/24, POS3/0/0 9.1.3.1/24
Router C: POS2/0/0 9.1.2.1/24, POS3/0/0 9.1.3.2/24
Router D: POS1/0/0 9.1.1.2/24, POS2/0/0 9.1.2.2/24

Configuration roadmap
The steps in the configuration roadmap are:
1. Configure IBGP connections among Router B, Router C, and Router D.
2. Configure EBGP connections between Router A and Router B.
3. Advertise routes by running the network command on Router A and check the routing table of Router A, Router B, and Router C.
4. Configure BGP on Router B to import the cross route and check the routing table of Router A and Router C.

Data preparation
To complete the configuration, you need the following data:
• Router ID of Router A and its AS number
• Router IDs of Router B, Router C, and Router D and the number of the area where they exist

Configuration procedure
Step 1 Configure the IP address for each interface.
Step 2 Configure IBGP connections.
# Configure Router B:
[RouterB] bgp 65009
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 9.1.1.2 as-number 65009
[RouterB-bgp] peer 9.1.3.2 as-number 65009
# Configure Router C:
[RouterC] bgp 65009
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] peer 9.1.3.1 as-number 65009
[RouterC-bgp] peer 9.1.2.2 as-number 65009
# Configure Router D:
[RouterD] bgp 65009
[RouterD-bgp] router-id 4.4.4.4
[RouterD-bgp] peer 9.1.1.1 as-number 65009
[RouterD-bgp] peer 9.1.2.1 as-number 65009
Step 3 Configure EBGP.
# Configure Router A:
[RouterA] bgp 65008
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] peer 200.1.1.1 as-number 65009
# Configure Router B:
[RouterB-bgp] peer 200.1.1.2 as-number 65008
# Display the connection status of the BGP peers:
[RouterB] display bgp peer

BGP local router ID : 2.2.2.2
Local AS number : 65009
Total number of peers : 3        Peers in established state : 3

Peer        V  AS     MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv

9.1.3.2     4  65009  56       56       0     00:40:54  Established  0
9.1.1.2     4  65009  49       62       0     00:44:58  Established  0
200.1.1.2   4  65008  49       65       0     00:44:03  Established  1

As shown in the output, Router B establishes BGP connections with other routers.
Step 4 Configure Router A to advertise 8.0.0.0/8.
# Configure Router A to advertise routes:

[RouterA-bgp] ipv4-family unicast
[RouterA-bgp-af-ipv4] network 8.0.0.0 255.0.0.0
# Display the routing table of Router A:
[RouterA] display bgp routing-table

Total Number of Routes: 1

BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

     Network           NextHop        MED   LocPrf  PrefVal  Path/Ogn

*>   8.0.0.0           0.0.0.0        0             0        i

# Display the routing table of Router B:
[RouterB] display bgp routing-table

Total Number of Routes: 1

BGP Local router ID is 2.2.2.2
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

     Network           NextHop        MED   LocPrf  PrefVal  Path/Ogn

*>   8.0.0.0           200.1.1.2      0             0        65008i

# Display the routing table of Router C:
[RouterC] display bgp routing-table

Total Number of Routes: 1

BGP Local router ID is 3.3.3.3
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

     Network           NextHop        MED   LocPrf  PrefVal  Path/Ogn

  i  8.0.0.0           200.1.1.2      0     100     0        65008i

NOTE
From the routing table, you can see that Router C learns the route to the destination 8.0.0.0 in AS65008, but the next hop 200.1.1.2 is unreachable. Therefore, this route is not valid.

Step 5 Configure BGP to import directly-connected routes.
# Configure Router B:
[RouterB-bgp] ipv4-family unicast
[RouterB-bgp-af-ipv4] import-route direct
# Display the BGP routing table of Router A:
[RouterA] display bgp routing-table

Total Number of Routes: 7

BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

     Network           NextHop        MED   LocPrf  PrefVal  Path/Ogn

*>   8.0.0.0           0.0.0.0        0             0        i
*>   9.1.1.0/24        200.1.1.1      0             0        65009?
*>   9.1.1.2/32        200.1.1.1      0             0        65009?
*>   9.1.3.0/24        200.1.1.1      0             0        65009?
*>   9.1.3.2/32        200.1.1.1      0             0        65009?
*    200.1.1.0         200.1.1.1      0             0        65009?
*    200.1.1.2/32      200.1.1.1      0             0        65009?

# Display the BGP routing table of Router C:
[RouterC] display bgp routing-table

Total Number of Routes: 7

BGP Local router ID is 3.3.3.3
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

     Network           NextHop        MED   LocPrf  PrefVal  Path/Ogn

*>i  8.0.0.0           200.1.1.2      0     100     0        65008i
*>i  9.1.1.0/24        9.1.3.1        0     100     0        ?
*>i  9.1.1.2/32        9.1.3.1        0     100     0        ?
* i  9.1.3.0/24        9.1.3.1        0     100     0        ?
* i  9.1.3.2/32        9.1.3.1        0     100     0        ?
*>i  200.1.1.0         9.1.3.1        0     100     0        ?
*>i  200.1.1.2/32      9.1.3.1        0     100     0        ?

As shown in the output, the route to 8.0.0.0 becomes valid, and the next hop is the address of Router A.
# Verify the configuration through ping:
[RouterC] ping 8.1.1.1
PING 8.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 8.1.1.1: bytes=56 Sequence=1 ttl=254 time=31 ms
Reply from 8.1.1.1: bytes=56 Sequence=2 ttl=254 time=47 ms
Reply from 8.1.1.1: bytes=56 Sequence=3 ttl=254 time=31 ms
Reply from 8.1.1.1: bytes=56 Sequence=4 ttl=254 time=16 ms
Reply from 8.1.1.1: bytes=56 Sequence=5 ttl=254 time=31 ms

--- 8.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/31/47 ms
----End

Configuration files
• Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 8.1.1.1 255.0.0.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 200.1.1.2 255.255.255.0
#
bgp 65008
 router-id 1.1.1.1
 peer 200.1.1.1 as-number 65009
 #
 ipv4-family unicast
  undo synchronization
  network 8.0.0.0
  peer 200.1.1.1 enable
#
return

• Configuration file of Router B

#
 sysname RouterB
#
interface Pos1/0/0
 link-protocol ppp
 ip address 9.1.1.1 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 200.1.1.1 255.255.255.0
#
interface Pos3/0/0
 link-protocol ppp
 ip address 9.1.3.1 255.255.255.0
#
bgp 65009
 router-id 2.2.2.2
 peer 9.1.1.2 as-number 65009
 peer 200.1.1.2 as-number 65008
 peer 9.1.3.2 as-number 65009
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 9.1.1.2 enable
  peer 200.1.1.2 enable
  peer 9.1.3.2 enable
#
return

• Configuration file of Router C

#
 sysname RouterC
#
interface Pos2/0/0
 link-protocol ppp
 ip address 9.1.2.1 255.255.255.0
#
interface Pos3/0/0
 link-protocol ppp
 ip address 9.1.3.2 255.255.255.0
#
bgp 65009
 router-id 3.3.3.3
 peer 9.1.2.2 as-number 65009
 peer 9.1.3.1 as-number 65009
 #
 ipv4-family unicast
  undo synchronization
  peer 9.1.2.2 enable
  peer 9.1.3.1 enable
#
return

• Configuration file of Router D

#
 sysname RouterD
#
interface Pos1/0/0
 link-protocol ppp
 ip address 9.1.1.2 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 9.1.2.2 255.255.255.0
#
bgp 65009
 router-id 4.4.4.4
 peer 9.1.1.1 as-number 65009
 peer 9.1.2.1 as-number 65009
 #
 ipv4-family unicast
  undo synchronization
  peer 9.1.1.1 enable
  peer 9.1.2.1 enable
#
return

8.9.2 Example of configuring AS-Path filter

Networking requirements
As shown in Figure 8-15, EBGP connections are established among Router A, Router B, and Router C. After you configure the AS-Path filter, AS20 does not advertise routes that direct to AS30 or AS10.

Figure 8-15 AS-Path filter
[Network diagram: Router A in AS 10, Router B in AS 20, and Router C in AS 30, with an EBGP connection between each pair of routers.]
Router A: POS2/0/0 200.1.2.1/24, POS1/0/0 200.1.4.1/24
Router B: POS2/0/0 200.1.2.2/24, POS1/0/0 200.1.3.1/24
Router C: POS1/0/0 200.1.4.2/24, POS2/0/0 200.1.3.2/24


Configuration roadmap

The steps in the configuration roadmap are:

- Configure the EBGP that connects between Router A and Router B, Router B and Router C, and Router C and Router A respectively.
- Configure the AS-Path on Router B, and apply the filtering rule.
- Check the information of the routing table on Router A.

Data preparation

To complete the configuration, you need the following data:

- The router ID of Router A is 1.1.1.1 and the number of its AS is 10.
- The router ID of Router B is 2.2.2.2 and the number of its AS is 20.
- The router ID of Router C is 3.3.3.3 and the number of its AS is 30.

Configuration procedure

Step 1 Configure the IP address for each interface.

Step 2 Configure the IBGP connections.

# Configure Router A:

[RouterA] bgp 10
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] peer 200.1.4.2 as-number 30
[RouterA-bgp] peer 200.1.2.2 as-number 20
[RouterA-bgp] import-route direct

# Configure Router B:

[RouterB] bgp 20
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 200.1.2.1 as-number 10
[RouterB-bgp] peer 200.1.3.2 as-number 30
[RouterB-bgp] import-route direct
[RouterB-bgp] quit

# Configure Router C:

[RouterC] bgp 30
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] peer 200.1.3.1 as-number 20
[RouterC-bgp] peer 200.1.4.1 as-number 10
[RouterC-bgp] import-route direct
[RouterC-bgp] quit

# Check the routing table of Router A. Router B advertises a route that points at AS30 to Router A:

display bgp routing-table

Total Number of Routes: 16

BGP Local router ID is 1.1.1.1


Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf    PrefVal Path/Ogn

 *>  200.1.2.0          0.0.0.0         0                    0       ?
 *                      200.1.2.2       0                    0       20?
 *>  200.1.2.1/32       0.0.0.0         0                    0       ?
 *                      200.1.4.2                            0       30 20?
 *                      200.1.2.2       0                    0       20?
 *>  200.1.2.2/32       0.0.0.0         0                    0       ?
 *>  200.1.3.0          200.1.2.2       0                    0       20?
 *                      200.1.4.2       0                    0       30?
 *>  200.1.3.1/32       200.1.4.2       0                    0       30?
 *>  200.1.3.2/32       200.1.2.2       0                    0       20?
 *>  200.1.4.0          0.0.0.0         0                    0       ?
 *                      200.1.4.2       0                    0       30?
 *>  200.1.4.1/32       0.0.0.0         0                    0       ?
 *                      200.1.4.2       0                    0       30?
 *                      200.1.2.2                            0       20 30?
 *>  200.1.4.2/32       0.0.0.0         0                    0       ?

Step 3 Configure the AS-Path filter on Router B, and apply the filter on the outgoing interface of Router B:

[RouterB] ip as-path-filter 1 deny _30_
[RouterB] bgp 20
[RouterB-bgp] peer 200.1.2.1 as-path-filter 1 export
[RouterB-bgp] quit

Step 4 Check the BGP routing table of Router A. No route from Router B to AS30 exists in the table:

display bgp routing-table

Total Number of Routes: 11

BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf    PrefVal Path/Ogn

 *>  200.1.2.0          0.0.0.0         0                    0       ?
 *>  200.1.2.1/32       0.0.0.0         0                    0       ?
 *                      200.1.4.2                            0       30 20?
 *>  200.1.2.2/32       0.0.0.0         0                    0       ?
 *>  200.1.3.0          200.1.4.2       0                    0       30?
 *>  200.1.3.1/32       200.1.4.2       0                    0       30?
 *>  200.1.4.0          0.0.0.0         0                    0       ?
 *                      200.1.4.2       0                    0       30?
 *>  200.1.4.1/32       0.0.0.0         0                    0       ?
 *                      200.1.4.2       0                    0       30?
 *>  200.1.4.2/32       0.0.0.0         0                    0       ?

----End
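The filter in Step 3 holds a single deny rule, and the Step 4 table no longer lists any path with next hop 200.1.2.2, including those whose path was only 20. The following added example (not Nortel code) models first-match evaluation of an AS-Path filter; the implicit deny at the end of the list, the evaluation of the path before Router B prepends AS 20, and the trailing permit rule are assumptions, the first of which is consistent with that output.

```python
import re

# What "_" stands for in an AS-path regular expression: the start or end of
# the path, or a separator (space, comma, braces, parentheses).
UNDERSCORE = r"(?:^|$|[ ,{}()])"


def matches(pattern, as_path):
    """True if the router-style AS-path regex matches the AS path string."""
    return re.search(pattern.replace("_", UNDERSCORE), as_path) is not None


def evaluate(rules, as_path):
    """First matching rule decides; an unmatched path hits the implicit deny.

    The implicit deny is an assumption, consistent with the Step 4 output.
    """
    for action, pattern in rules:
        if matches(pattern, as_path):
            return action
    return "deny"


def exported(routes, rules):
    """Prefixes Router B still sends to the peer after the export filter."""
    return [prefix for prefix, as_path in routes
            if evaluate(rules, as_path) == "permit"]


# Constructed from the Step 2 table on Router A: the entries whose next hop is
# 200.1.2.2, with the leading 20 removed (assumption: the export filter sees
# the path before Router B prepends its own AS). "" is a route that Router B
# originates itself; /24 is written out for the two classful networks.
ROUTER_B_CANDIDATES = [
    ("200.1.2.0/24", ""),
    ("200.1.2.1/32", ""),
    ("200.1.3.0/24", ""),
    ("200.1.3.2/32", ""),
    ("200.1.4.1/32", "30"),
]

PAGE_FILTER = [("deny", "_30_")]                    # as configured in Step 3
WITH_PERMIT = [("deny", "_30_"), ("permit", ".*")]  # hypothetical extra rule

if __name__ == "__main__":
    print("filter from the page:", exported(ROUTER_B_CANDIDATES, PAGE_FILTER))
    print("with trailing permit:", exported(ROUTER_B_CANDIDATES, WITH_PERMIT))
    # "_" anchors on AS-number boundaries, so 65030 and 300 are not AS 30.
    for path in ("30", "10 30 40", "65030 10", "300", ""):
        print(repr(path), "matches _30_:", matches("_30_", path))
```

With only the deny rule, Router B's own routes are withheld along with the AS30 routes; when reviewing a filter like this, check whether that is the intended scope.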


Configuration files

- Configuration file of Router A.

#
 sysname RouterA
#
interface Pos2/0/0
 link-protocol ppp
 ip address 200.1.2.1 255.255.255.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 200.1.4.1 255.255.255.0
#
bgp 10
 router-id 1.1.1.1
 peer 200.1.4.2 as-number 30
 peer 200.1.2.2 as-number 20
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 200.1.4.2 enable
  peer 200.1.2.2 enable
#
return

- Configuration file of Router B.

#
 sysname RouterB
#
interface Pos1/0/0
 link-protocol ppp
 ip address 200.1.3.1 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 200.1.2.2 255.255.255.0
#
bgp 20
 router-id 2.2.2.2
 peer 200.1.2.1 as-number 10
 peer 200.1.3.2 as-number 30
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 200.1.2.1 enable
  peer 200.1.2.1 as-path-filter 1 export
  peer 200.1.3.2 enable
#
 ip as-path-filter 1 deny _30_
#
return

- Configuration file of Router C.


#
 sysname RouterC
#
interface Pos1/0/0
 link-protocol ppp
 ip address 200.1.4.2 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 200.1.3.2 255.255.255.0
#
bgp 30
 router-id 3.3.3.3
 peer 200.1.4.1 as-number 10
 peer 200.1.3.1 as-number 20
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 200.1.4.1 enable
  peer 200.1.3.1 enable
#
return

8.9.3 Example of configuring BGP to interact with IGP

Networking requirements

As shown in Figure 8-16, OSPF is the IGP inside AS65009. Router A and Router B use EBGP. Router C is a non-BGP router inside the AS.

Figure 8-16 Interaction between BGP and IGP

[Network diagram: Router A (AS 65008) with GbE1/0/0 8.1.1.1/24 and POS2/0/0 3.1.1.2/24; Router B (AS 65009) with POS2/0/0 3.1.1.1/24 and POS1/0/0 9.1.1.1/24; Router C (AS 65009) with POS1/0/0 9.1.1.2/24 and GbE2/0/0 9.1.2.1/24.]

Configuration roadmap

The steps in the configuration roadmap are:

- Configure the OSPF protocol on Router B and Router C to realize the interconnection.
- Configure the EBGP connection on Router A and Router B.
- Enable the BGP and the OSPF to import routes from each other on Router B, and check the routing information.


- Configure the BGP route aggregation and simplify the BGP routing table.

Data preparation

To complete the configuration, you need the following data:

- The router ID of Router A is 1.1.1.1 and its AS number is 65008.
- The router ID of Router B is 2.2.2.2 and its AS number is 65009.

Configuration procedure

Step 1 Configure the IP address for each interface.

Step 2 Configure the OSPF.

# Configure Router B:

[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 9.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit

# Configure Router C:

[RouterC] ospf 1
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 9.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] network 9.1.2.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit

Step 3 Configure the EBGP connections.

# Configure Router A:

[RouterA] bgp 65008
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] peer 3.1.1.1 as-number 65009
[RouterA-bgp] ipv4-family unicast
[RouterA-bgp-af-ipv4] network 8.1.1.0 255.255.255.0

# Configure Router B:

[RouterB] bgp 65009
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 3.1.1.2 as-number 65008

Step 4 Configure BGP to exchange routes with IGP.

# Configure BGP on Router B to import OSPF routes:

[RouterB-bgp] ipv4-family unicast
[RouterB-bgp-af-ipv4] import-route ospf 1
[RouterB-bgp-af-ipv4] quit
[RouterB-bgp] quit

# Display the routing table of Router A:

[RouterA] display bgp routing-table


Total Number of Routes: 3

BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf    PrefVal Path/Ogn

 *>  8.1.1.0/24         0.0.0.0         0                    0       i
 *>  9.1.1.0/24         3.1.1.1         0                    0       65009?
 *>  9.1.2.0/24         3.1.1.1         2                    0       65009?

# Configure OSPF on Router B to import BGP routes:

[RouterB] ospf
[RouterB-ospf-1] import-route bgp
[RouterB-ospf-1] quit

# Display the routing table of Router C:

[RouterC] display ip routing-table
Route Flags: R - relay, D - download to fib
------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto  Pre  Cost  Flags NextHop         Interface

8.1.1.0/24          O_ASE  150  10    D     9.1.1.1         Pos1/0/0
9.1.1.0/24          Direct 0    0     D     9.1.1.2         Pos1/0/0
9.1.1.1/32          Direct 0    0     D     9.1.1.1         Pos1/0/0
9.1.1.2/32          Direct 0    0     D     127.0.0.1       InLoopBack0
9.1.2.0/24          Direct 0    0     D     9.1.2.1         GigabitEthernet2/0/0
9.1.2.1/32          Direct 0    0     D     127.0.0.1       InLoopBack0
127.0.0.0/8         Direct 0    0     D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct 0    0     D     127.0.0.1       InLoopBack0

Step 5 Configure the automatic route aggregation.

# Configure Router B:

[RouterB] bgp 65009
[RouterB-bgp] ipv4-family unicast
[RouterB-bgp-af-ipv4] summary automatic

# Display the routing table of Router A:

[RouterA] display bgp routing-table

Total Number of Routes: 2

BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf    PrefVal Path/Ogn

 *>  8.1.1.0/24         0.0.0.0         0                    0       i
 *>  9.0.0.0            3.1.1.1                              0       65009?
[RouterA]

# Verify the configuration through ping:

[RouterA] ping -a 8.1.1.1 9.1.2.1
  PING 9.1.2.1: 56 data bytes, press CTRL_C to break
    Reply from 9.1.2.1: bytes=56 Sequence=1 ttl=254 time=15 ms
    Reply from 9.1.2.1: bytes=56 Sequence=2 ttl=254 time=31 ms
    Reply from 9.1.2.1: bytes=56 Sequence=3 ttl=254 time=47 ms
    Reply from 9.1.2.1: bytes=56 Sequence=4 ttl=254 time=46 ms
    Reply from 9.1.2.1: bytes=56 Sequence=5 ttl=254 time=47 ms

  --- 9.1.2.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 15/37/47 ms

[RouterA]

----End

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 8.1.1.1 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 3.1.1.2 255.255.255.0
#
bgp 65008
 router-id 1.1.1.1
 peer 3.1.1.1 as-number 65009
 #
 ipv4-family unicast
  undo synchronization
  network 8.1.1.0 255.255.255.0
  peer 3.1.1.1 enable
#
return

- Configuration file of Router B

#
 sysname RouterB
#
interface Pos1/0/0
 link-protocol ppp
 ip address 9.1.1.1 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 3.1.1.1 255.255.255.0
#
bgp 65009
 router-id 2.2.2.2
 peer 3.1.1.2 as-number 65008
 #
 ipv4-family unicast
  undo synchronization
  summary automatic
  import-route ospf 1
  peer 3.1.1.2 enable
#
ospf 1
 import-route bgp
 area 0.0.0.0
  network 9.1.1.0 0.0.0.255
#
return

- Configuration file of Router C

#
 sysname RouterC
#
interface GigabitEthernet2/0/0
 ip address 9.1.2.1 255.255.255.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 9.1.1.2 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 9.1.1.0 0.0.0.255
  network 9.1.2.0 0.0.0.255
#
return

8.9.4 Example of configuring BGP load balancing and MED attribute

Networking requirements

The example explains how to configure BGP load balancing and how to use the MED attribute to affect BGP route selection. As shown in Figure 8-17, all routers use BGP. Router A is in AS65008. Both Router B and Router C are in AS65009. EBGP runs among Router A, Router B, and Router C. IBGP runs between Router B and Router C.


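Figure 8-17 BGP route selection

[Network diagram: Router A (AS 65008) with GbE3/0/0 8.1.1.1/8, POS1/0/0 200.1.1.2/24, and POS2/0/0 200.1.2.2/24; Router B (AS 65009) with POS2/0/0 200.1.1.1/24 and GbE1/0/0 9.1.1.1/24; Router C (AS 65009) with POS2/0/0 200.1.2.1/24 and GbE1/0/0 9.1.1.2/24; EBGP from Router A to Router B and to Router C, IBGP between Router B and Router C.]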

Configuration roadmap

The steps in the configuration roadmap are:

1. Configure the EBGP connections between Router A and Router B, as well as between Router A and Router C.
2. Configure the IBGP connections between Router B and Router C.
3. Configure the load balancing and the MED value on Router B and check the routing information on Router A.

Data preparation

To complete the configuration, you need the following data:

- The router ID of Router A, its AS number, and the number of routes for load balancing
- The router IDs of Router B and Router C, their AS number, and the default MED value of Router B

Configuration procedure

Step 1 Configure the IP address for each interface.

Step 2 Configure the BGP connection.

# Configure Router A:

[RouterA] bgp 65008
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] peer 200.1.1.1 as-number 65009
[RouterA-bgp] peer 200.1.2.1 as-number 65009
[RouterA-bgp] ipv4-family unicast
[RouterA-bgp-af-ipv4] network 8.0.0.0 255.0.0.0
[RouterA-bgp-af-ipv4] quit

# Configure Router B:


[RouterB] bgp 65009
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 200.1.1.2 as-number 65008
[RouterB-bgp] peer 9.1.1.2 as-number 65009
[RouterB-bgp] ipv4-family unicast
[RouterB-bgp-af-ipv4] peer 9.1.1.2 next-hop-local
[RouterB-bgp-af-ipv4] network 9.1.1.0 255.255.255.0
[RouterB-bgp-af-ipv4] quit

# Configure Router C:

[RouterC] bgp 65009
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] peer 200.1.2.2 as-number 65008
[RouterC-bgp] peer 9.1.1.1 as-number 65009
[RouterC-bgp] ipv4-family unicast
[RouterC-bgp-af-ipv4] peer 9.1.1.1 next-hop-local
[RouterC-bgp-af-ipv4] network 9.1.1.0 255.255.255.0
[RouterC-bgp-af-ipv4] quit

# Display the routing table of Router A:

[RouterA] display bgp routing-table

Total Number of Routes: 3

BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf    PrefVal Path/Ogn

 *>  8.0.0.0            0.0.0.0         0                    0       i
 *>  9.1.1.0/24         200.1.1.1       0                    0       65009i
 *                      200.1.2.1       0                    0       65009i

As displayed in the routing table, two valid routes to the destination 9.1.1.0/24 exist. The route with the next hop of 200.1.1.1 is the optimum route because the router ID of Router B is smaller than that of Router C.

Step 3 Configure load balancing.

# Configure Router A:

[RouterA] bgp 65008
[RouterA-bgp] ipv4-family unicast
[RouterA-bgp-af-ipv4] maximum load-balancing 2

# Display the routing table of Router A:

[RouterA] display bgp routing-table

Total Number of Routes: 3

BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf    PrefVal Path/Ogn

 *>  8.0.0.0            0.0.0.0         0                    0       i
 *>  9.1.1.0/24         200.1.1.1       0                    0       65009i
 *>                     200.1.2.1       0                    0       65009i

As displayed in the routing table, the BGP route 9.1.1.0/24 uses two next hops: 200.1.1.1 and 200.1.2.1. Both of the next hops are optimum routes.

Step 4 Configure MED attributes.

# Configure the default MED value of Router B:

[RouterB] bgp 65009
[RouterB-bgp] ipv4-family unicast
[RouterB-bgp-af-ipv4] default med 100

# Display the routing table of Router A:

[RouterA] display bgp routing-table

Total Number of Routes: 3

BGP Local router ID is 1.1.1.1
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf    PrefVal Path/Ogn

 *>  8.0.0.0            0.0.0.0         0                    0       i
 *>  9.1.1.0/24         200.1.2.1       0                    0       65009i
 *                      200.1.1.1       100                  0       65009i

As displayed in the routing table, the MED value of the next hop 200.1.1.1 (Router B) is 100, and that of the next hop 200.1.2.1 is 0. The router selects the route with the smaller MED.

----End

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet3/0/0
 ip address 8.1.1.1 255.0.0.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 200.1.1.2 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 200.1.2.2 255.255.255.0
#
bgp 65008
 router-id 1.1.1.1
 peer 200.1.1.1 as-number 65009
 peer 200.1.2.1 as-number 65009
 #
 ipv4-family unicast
  undo synchronization
  network 8.0.0.0
  maximum load-balancing 2
  peer 200.1.1.1 enable
  peer 200.1.2.1 enable
#
return

- Configuration file of Router B

#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 ip address 9.1.1.1 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 200.1.1.1 255.255.255.0
#
bgp 65009
 router-id 2.2.2.2
 peer 9.1.1.2 as-number 65009
 peer 200.1.1.2 as-number 65008
 #
 ipv4-family unicast
  undo synchronization
  default med 100
  network 9.1.1.0 255.255.255.0
  peer 9.1.1.2 enable
  peer 9.1.1.2 next-hop-local
  peer 200.1.1.2 enable
#
return

- Configuration file of Router C

#
 sysname RouterC
#
interface GigabitEthernet1/0/0
 ip address 9.1.1.2 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 200.1.2.1 255.255.255.0
#
bgp 65009
 router-id 3.3.3.3
 peer 9.1.1.1 as-number 65009
 peer 200.1.2.2 as-number 65008
 #
 ipv4-family unicast
  undo synchronization
  network 9.1.1.0 255.255.255.0
  peer 9.1.1.1 enable
  peer 9.1.1.1 next-hop-local
  peer 200.1.2.2 enable
#
return

8.9.5 Example of configuring the BGP community

Networking requirements

As shown in Figure 8-18, Router B creates EBGP connections with Router A and Router C respectively. You can configure the No_Export community attribute on Router A so that the routes advertised from AS10 to AS20 are not advertised to other ASs.

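Figure 8-18 BGP community

[Network diagram: Router A (AS 10) with GbE1/0/0 9.1.1.1/24 and POS2/0/0 200.1.2.1/24; Router B (AS 20) with POS2/0/0 200.1.2.2/24 and POS3/0/0 200.1.3.1/24; Router C (AS 30) with POS3/0/0 200.1.3.2/24; EBGP between Router A and Router B and between Router B and Router C.]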

Configuration roadmap

The steps in the configuration roadmap are:

- Configure the EBGP connection between Router A and Router B, as well as between Router B and Router C.
- Configure the No_Export community features on Router A, and check the routing information on Router B and Router C.

Data preparation

To complete the configuration, you need the following data:

- The router ID of Router A is 1.1.1.1 and its AS number is 10.
- The router ID of Router B is 2.2.2.2 and its AS number is 20.
- The router ID of Router C is 3.3.3.3 and its AS number is 30.

Configuration procedure

Step 1 Configure the IP address for each interface.


Step 2 Configure the EBGP.

# Configure Router A:

[RouterA] bgp 10
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] peer 200.1.2.2 as-number 20
[RouterA-bgp] ipv4-family unicast
[RouterA-bgp-af-ipv4] network 9.1.1.0 255.255.255.0
[RouterA-bgp-af-ipv4] quit

# Configure Router B:

[RouterB] bgp 20
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 200.1.2.1 as-number 10
[RouterB-bgp] peer 200.1.3.2 as-number 30
[RouterB-bgp] quit

# Configure Router C:

[RouterC] bgp 30
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] peer 200.1.3.1 as-number 20
[RouterC-bgp] quit

# Display the routing table of Router B:

[RouterB] display bgp routing-table 9.1.1.0

BGP local router ID : 2.2.2.2
Local AS number : 20
Paths: 1 available, 1 best

BGP routing table entry information of 9.1.1.0/24:
From: 200.1.2.1 (1.1.1.1)
Original nexthop: 200.1.2.1
AS-path 10, origin igp, MED 0, pref-val 0, valid, external, best, pre 255
Advertised to such 1 peers:
   200.1.3.2

You can see that Router B advertises the received routes to Router C in AS30.

# Display the routing table of Router C:

[RouterC] display bgp routing-table

Total Number of Routes: 1

BGP Local router ID is 3.3.3.3
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

     Network            NextHop         MED        LocPrf    PrefVal Path/Ogn

 *>  9.1.1.0/24         200.1.3.1                            0       20 10i

From the routing table, you can confirm that Router C learns a route to the destination 9.1.1.0/24 from Router B.


Step 3 Configure BGP community attributes.

# Configure routing policies:

[RouterA] route-policy comm_policy permit node 0
Info: New Sequence of this List !!
[RouterA-route-policy] apply community no-export
[RouterA-route-policy] quit

# Apply routing policies:

[RouterA] bgp 10
[RouterA-bgp] ipv4-family unicast
[RouterA-bgp-af-ipv4] peer 200.1.2.2 route-policy comm_policy export
[RouterA-bgp-af-ipv4] peer 200.1.2.2 advertise-community

# Display the routing table of Router B:

[RouterB] display bgp routing-table 9.1.1.0

BGP local router ID : 2.2.2.2
Local AS number : 20
Paths: 1 available, 1 best

BGP routing table entry information of 9.1.1.0/24:
From: 200.1.2.1 (1.1.1.1)
Original nexthop: 200.1.2.1
Community: No-Export
AS-path 10, origin igp, MED 0, pref-val 0, valid, external, best, pre 255
Not advertised to any peers yet

You can see the configured community attribute in the routing table of Router B. At this time, no routes to the destination 9.1.1.0/24 exist in the routing table of Router C.

----End
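The Step 3 result depends on two things: Router A must actually send the community, and Router B must act on it. The following added example (not Nortel code) models both for the well-known communities of RFC 1997 and goes beyond the page's case by also covering confederation peers such as those in section 8.9.7; that a community is sent only when advertise-community is configured is an assumption, and the function and variable names are hypothetical.

```python
# Well-known community values defined in RFC 1997.
NO_EXPORT = 0xFFFFFF01            # keep inside the AS (or confederation)
NO_ADVERTISE = 0xFFFFFF02         # do not advertise to any peer
NO_EXPORT_SUBCONFED = 0xFFFFFF03  # keep inside the local member AS


def communities_sent(applied, advertise_community):
    """Communities that actually leave the sending router.

    Assumption: the attribute is sent to a peer only when
    'advertise-community' is configured for it, as Step 3 does.
    """
    return frozenset(applied) if advertise_community else frozenset()


def session_type(local_as, peer_as, confed_peer_as=()):
    """Classify a session as 'ibgp', 'confed-ebgp' or 'ebgp'."""
    if peer_as == local_as:
        return "ibgp"
    if peer_as in confed_peer_as:
        return "confed-ebgp"
    return "ebgp"


def may_advertise(communities, session):
    """Apply the RFC 1997 rules for one route and one session type."""
    if NO_ADVERTISE in communities:
        return False
    if NO_EXPORT_SUBCONFED in communities and session != "ibgp":
        return False
    if NO_EXPORT in communities and session == "ebgp":
        return False
    return True


def advertise_targets(communities, local_as, peers, learned_from=None,
                      confed_peer_as=()):
    """Peers that receive the route.

    Models only a route that is locally originated or learned over EBGP
    (the case on the page); IBGP split horizon is not modelled.
    """
    return [addr for addr, peer_as in peers.items()
            if addr != learned_from
            and may_advertise(communities,
                              session_type(local_as, peer_as, confed_peer_as))]


# Router B's peers, taken from its configuration in this section.
ROUTER_B_PEERS = {"200.1.2.1": 10, "200.1.3.2": 30}

# Router A's peers in the confederation of section 8.9.7 (member AS 65001).
CONFED_A_PEERS = {"10.1.1.2": 65002, "10.1.2.2": 65003,
                  "10.1.3.2": 65001, "10.1.4.2": 65001, "200.1.1.2": 100}

if __name__ == "__main__":
    for sent in (True, False):
        comms = communities_sent({NO_EXPORT}, advertise_community=sent)
        print("advertise-community", sent, "->",
              advertise_targets(comms, 20, ROUTER_B_PEERS, "200.1.2.1"))
    print("confederation, NO_EXPORT ->",
          advertise_targets({NO_EXPORT}, 65001, CONFED_A_PEERS,
                            confed_peer_as=(65002, 65003)))
```

No_Export is acted on by the receiving router, so Router A cannot enforce it on its own; Router B's export policy toward AS 30 remains the control that actually stops the route.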

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 9.1.1.1 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 200.1.2.1 255.255.255.0
#
bgp 10
 router-id 1.1.1.1
 peer 200.1.2.2 as-number 20
 #
 ipv4-family unicast
  undo synchronization
  network 9.1.1.0 255.255.255.0
  peer 200.1.2.2 enable
  peer 200.1.2.2 route-policy comm_policy export
  peer 200.1.2.2 advertise-community
#
route-policy comm_policy permit node 0
 apply community no-export
#
return

- Configuration file of Router B

#
 sysname RouterB
#
interface Pos2/0/0
 link-protocol ppp
 ip address 200.1.2.2 255.255.255.0
#
interface Pos3/0/0
 link-protocol ppp
 ip address 200.1.3.1 255.255.255.0
#
bgp 20
 router-id 2.2.2.2
 peer 200.1.2.1 as-number 10
 peer 200.1.3.2 as-number 30
 #
 ipv4-family unicast
  undo synchronization
  peer 200.1.2.1 enable
  peer 200.1.3.2 enable
#
return

- Configuration file of Router C

#
 sysname RouterC
#
interface Pos3/0/0
 link-protocol ppp
 ip address 200.1.3.2 255.255.255.0
#
bgp 30
 router-id 3.3.3.3
 peer 200.1.3.1 as-number 20
 #
 ipv4-family unicast
  undo synchronization
  peer 200.1.3.1 enable
#
return


8.9.6 Example of configuring the BGP route reflector

Networking requirements

As shown in Figure 8-19, Router A is a nonclient. Router B is the route reflector of Cluster1. Router D and Router E are two clients of Cluster1. As the IBGP connection exists between Router D and Router E, they do not need a route reflector. Router C is the route reflector of Cluster2. Router F, Router G, and Router H are the clients of Cluster2. Use peer groups to simplify configuration and management.

Figure 8-19 BGP route reflector configuration

[Network diagram: AS 65010 with Router A; Cluster1 with Router B, Router D, and Router E; Cluster2 with Router C, Router F, Router G, and Router H. The interface addresses are listed below.]

Device     Interface   IP address
Router A   GbE3/0/0    9.1.1.1/24
Router A   POS1/0/0    10.1.1.2/24
Router A   POS2/0/0    10.1.3.2/24
Router B   POS1/0/0    10.1.1.1/24
Router B   POS2/0/0    10.1.4.1/24
Router B   POS3/0/0    10.1.5.1/24
Router B   POS4/0/0    10.1.2.1/24
Router C   POS1/0/0    10.1.2.2/24
Router C   POS2/0/0    10.1.3.1/24
Router C   POS3/0/0    10.1.7.1/24
Router C   POS4/0/0    10.1.8.1/24
Router C   POS5/0/0    10.1.9.1/24
Router D   POS1/0/0    10.1.4.2/24
Router D   POS2/0/0    10.1.6.1/24
Router E   POS2/0/0    10.1.6.2/24
Router E   POS3/0/0    10.1.5.2/24
Router F   POS1/0/0    10.1.7.2/24
Router G   POS1/0/0    10.1.8.2/24
Router H   POS2/0/0    10.1.9.2/24

Configuration roadmap

The steps in the configuration roadmap are:

1. Configure the connection between the client and route reflector, as well as Router A and the route reflector.
2. Configure the route reflector on Router B and Router C, specify the clients, and check the routing information.


Data preparation

To complete the configuration, you need the following data:

- The AS number is 65010.
- The router IDs of Router A, Router B, Router C, Router D, Router E, Router F, Router G, and Router H are 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5, 6.6.6.6, 7.7.7.7, and 8.8.8.8 respectively.
- The cluster ID of the cluster to which Router B belongs is 1.

Configuration procedure

Step 1 Configure the IP address for each interface.

Step 2 Configure the IBGP connections between the clients and the route reflector and that between the nonclients and the route reflector.

Step 3 Configure the route reflector.

# Configure Router B:

[RouterB] bgp 65010
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] group in_rr internal
[RouterB-bgp] peer 10.1.4.2 group in_rr
[RouterB-bgp] peer 10.1.5.2 group in_rr
[RouterB-bgp] ipv4-family unicast
[RouterB-bgp-af-ipv4] peer in_rr reflect-client
[RouterB-bgp-af-ipv4] undo reflect between-clients
[RouterB-bgp-af-ipv4] reflector cluster-id 1
[RouterB-bgp-af-ipv4] quit

# Configure Router C:

[RouterC] bgp 65010
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] group in_rr internal
[RouterC-bgp] peer 10.1.7.2 group in_rr
[RouterC-bgp] peer 10.1.8.2 group in_rr
[RouterC-bgp] peer 10.1.9.2 group in_rr
[RouterC-bgp] ipv4-family unicast
[RouterC-bgp-af-ipv4] peer in_rr reflect-client
[RouterC-bgp-af-ipv4] quit

# Display the routing table of Router D:

[RouterD] display bgp routing-table 9.1.1.0

BGP local router ID : 4.4.4.4
Local AS number : 65010
Paths: 1 available, 0 best

BGP routing table entry information of 9.1.1.0/24:
From: 10.1.4.1 (2.2.2.2)
Original nexthop: 10.1.1.2
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, internal, pre 255
Originator: 1.1.1.1
Cluster list: 1
Not advertised to any peers yet

From the routing table, you can see that Router D learns the route advertised by Router A from Router B. For details, see the Originator and Cluster_ID attributes of the route.

----End

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet2/0/0
 ip address 9.1.1.1 255.255.255.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 10.1.1.2 255.255.255.0
#
bgp 65010
 router-id 1.1.1.1
 peer 10.1.1.1 as-number 65010
 peer 10.1.3.1 as-number 65010
 #
 ipv4-family unicast
  undo synchronization
  network 9.1.1.0 255.255.255.0
  peer 10.1.1.1 enable
  peer 10.1.3.1 enable
#
return

- Configuration file of Router B

#
 sysname RouterB
#
interface Pos1/0/0
 link-protocol ppp
 ip address 10.1.1.1 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 10.1.4.1 255.255.255.0
#
interface Pos3/0/0
 link-protocol ppp
 ip address 10.1.5.1 255.255.255.0
#
bgp 65010
 router-id 2.2.2.2
 peer 10.1.1.2 as-number 65010
 peer 10.1.2.2 as-number 65010
 group in_rr internal
 peer 10.1.4.2 as-number 65010
 peer 10.1.4.2 group in_rr
 peer 10.1.5.2 as-number 65010
 peer 10.1.5.2 group in_rr
 #
 ipv4-family unicast
  undo synchronization
  undo reflect between-clients
  reflector cluster-id 1
  peer 10.1.1.2 enable
  peer 10.1.2.2 enable
  peer in_rr enable
  peer in_rr reflect-client
  peer 10.1.4.2 enable
  peer 10.1.4.2 group in_rr
  peer 10.1.5.2 enable
  peer 10.1.5.2 group in_rr
#
return

- Configuration file of Router C

#
 sysname RouterC
#
interface Pos1/0/0
 link-protocol ppp
 ip address 10.1.2.2 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 10.1.3.1 255.255.255.0
#
interface Pos1/0/2
 link-protocol ppp
 ip address 10.1.7.1 255.255.255.0
#
interface Pos3/0/0
 link-protocol ppp
 ip address 10.1.8.1 255.255.255.0
#
interface Pos4/0/0
 link-protocol ppp
 ip address 10.1.9.1 255.255.255.0
#
bgp 65010
 router-id 3.3.3.3
 peer 10.1.2.1 as-number 65010
 peer 10.1.3.2 as-number 65010
 group in_rr internal
 peer 10.1.7.2 as-number 65010
 peer 10.1.7.2 group in_rr
 peer 10.1.8.2 as-number 65010
 peer 10.1.8.2 group in_rr
 peer 10.1.9.2 as-number 65010
 peer 10.1.9.2 group in_rr
 #
 ipv4-family unicast
  undo synchronization
  peer 10.1.2.1 enable
  peer 10.1.3.2 enable
  peer in_rr enable
  peer in_rr reflect-client
  peer 10.1.7.2 enable
  peer 10.1.7.2 group in_rr
  peer 10.1.8.2 enable
  peer 10.1.8.2 group in_rr
  peer 10.1.9.2 enable
  peer 10.1.9.2 group in_rr
#
return

- Configuration file of Router D

#
 sysname RouterD
#
interface Pos1/0/0
 link-protocol ppp
 ip address 10.1.4.2 255.255.255.0
#
interface LoopBack0
 ip address 8.1.1.1 255.255.255.0
#
bgp 65010
 router-id 4.4.4.4
 peer 10.1.4.1 as-number 65010
 #
 ipv4-family unicast
  undo synchronization
  peer 10.1.4.1 enable
#
return

NOTE

The configuration files of the other routers are similar to that of Router D.

8.9.7 Example of configuring the BGP confederation

Networking requirements

As shown in Figure 8-20, several BGP routers exist in AS200. To reduce the IBGP connections, divide the AS200 into AS65001, AS65002, and AS65003. In addition, create full IBGP connections among the three routers in AS65003.


Figure 8-20 Confederation configuration

[Network diagram: AS 200 is divided into AS 65001 (Router A, Router D, Router E), AS 65002 (Router B), and AS 65003 (Router C); Router F is in AS 100 and has GbE2/0/0 9.1.1.1/24. Link addresses: Router A 10.1.1.1/24 to Router B 10.1.1.2/24; Router A 10.1.2.1/24 to Router C 10.1.2.2/24; Router A 10.1.3.1/24 to Router D 10.1.3.2/24; Router A 10.1.4.1/24 to Router E 10.1.4.2/24; Router D 10.1.5.1/24 to Router E 10.1.5.2/24; Router A 200.1.1.1/24 to Router F 200.1.1.2/24.]

Configuration roadmap

The steps in the configuration roadmap are:

1. Configure the BGP confederation on each router.
2. Configure the IBGP connection in the AS65001.
3. Configure the EBGP connection between AS100 and AS200, and check the routing information.

Data preparation

To complete the configuration, you need the following data:

- The router IDs of Router A, Router B, Router C, Router D, Router E, and Router F are 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.4, 5.5.5.5, and 6.6.6.6 respectively.
- The AS number is 100. The three sub-AS numbers of AS200 are AS65001, AS65002, and AS65003 respectively.

Configuration procedure Step 1 Configure the IP address for each interface. Step 2 Configure the BGP confederation. # Configure Router A:

[RouterA] bgp 65001 [RouterA-bgp] router-id 1.1.1.1 [RouterA-bgp] confederation id 200 [RouterA-bgp] confederation peer-as 65002 65003 [RouterA-bgp] peer 10.1.1.2 as-number 65002 [RouterA-bgp] peer 10.1.2.2 as-number 65003 [RouterA-bgp] ipv4-family unicast

8-98 Nortel Networks Inc. Issue 5.3 (30 March 2009)

Nortel Secure Router 8000 Series Configuration - IP Routing 8 BGP configuration

    [RouterA-bgp-af-ipv4] peer 10.1.1.2 next-hop-local
    [RouterA-bgp-af-ipv4] peer 10.1.2.2 next-hop-local
    [RouterA-bgp-af-ipv4] quit

# Configure Router B:

    [RouterB] bgp 65002
    [RouterB-bgp] router-id 2.2.2.2
    [RouterB-bgp] confederation id 200
    [RouterB-bgp] confederation peer-as 65001 65003
    [RouterB-bgp] peer 10.1.1.1 as-number 65001
    [RouterB-bgp] quit

# Configure Router C:

    [RouterC] bgp 65003
    [RouterC-bgp] router-id 3.3.3.3
    [RouterC-bgp] confederation id 200
    [RouterC-bgp] confederation peer-as 65001 65002
    [RouterC-bgp] peer 10.1.2.1 as-number 65001
    [RouterC-bgp] quit

Step 3 Configure IBGP connections inside the AS65001.

# Configure Router A:

    [RouterA] bgp 65001
    [RouterA-bgp] peer 10.1.3.2 as-number 65001
    [RouterA-bgp] peer 10.1.4.2 as-number 65001
    [RouterA-bgp] ipv4-family unicast
    [RouterA-bgp-af-ipv4] peer 10.1.3.2 next-hop-local
    [RouterA-bgp-af-ipv4] peer 10.1.4.2 next-hop-local
    [RouterA-bgp-af-ipv4] quit

# Configure Router D:

    [RouterD] bgp 65001
    [RouterD-bgp] router-id 4.4.4.4
    [RouterD-bgp] peer 10.1.3.1 as-number 65001
    [RouterD-bgp] peer 10.1.5.2 as-number 65001
    [RouterD-bgp] quit

# Configure Router E:

    [RouterE] bgp 65001
    [RouterE-bgp] router-id 5.5.5.5
    [RouterE-bgp] peer 10.1.4.1 as-number 65001
    [RouterE-bgp] peer 10.1.5.1 as-number 65001
    [RouterE-bgp] quit

Step 4 Configure the EBGP connection between AS100 and AS200.

# Configure Router A:

    [RouterA] bgp 65001
    [RouterA-bgp] peer 200.1.1.2 as-number 100
    [RouterA-bgp] quit

# Configure Router F:

    [RouterF] bgp 100


    [RouterF-bgp] router-id 6.6.6.6
    [RouterF-bgp] peer 200.1.1.1 as-number 200
    [RouterF-bgp] ipv4-family unicast
    [RouterF-bgp-af-ipv4] network 9.1.1.0 255.255.255.0
    [RouterF-bgp-af-ipv4] quit

Step 5 Verify the configuration.

# Display the routing table of Router B:

    [RouterB] display bgp routing-table

    Total Number of Routes: 1

    BGP Local router ID is 2.2.2.2
    Status codes: * - valid, > - best, d - damped,
                  h - history, i - internal, s - suppressed, S - Stale
    Origin : i - IGP, e - EGP, ? - incomplete

         Network       NextHop     MED   LocPrf   PrefVal   Path/Ogn

    *>i  9.1.1.0/24    10.1.1.1    0     100      0         (65001) 100i

    [RouterB] display bgp routing-table 9.1.1.0

    BGP local router ID : 2.2.2.2
    Local AS number : 65002
    Paths: 1 available, 1 best

    BGP routing table entry information of 9.1.1.0/24:
    From: 10.1.1.1 (1.1.1.1)
    Relay Nexthop: 0.0.0.0
    Original nexthop: 10.1.1.1
    AS-path (65001) 100, origin igp, MED 0, localpref 100, pref-val 0, valid, external-confed, best, pre 255
    Not advertised to any peers yet

# Display the BGP routing table of Router D:

    [RouterD] display bgp routing-table

    Total Number of Routes: 1

    BGP Local router ID is 4.4.4.4
    Status codes: * - valid, > - best, d - damped,
                  h - history, i - internal, s - suppressed, S - Stale
    Origin : i - IGP, e - EGP, ? - incomplete

         Network       NextHop     MED   LocPrf   PrefVal   Path/Ogn

    *>i  9.1.1.0/24    10.1.3.1    0     100      0         100i

    [RouterD] display bgp routing-table 9.1.1.0

    BGP local router ID : 4.4.4.4
    Local AS number : 65001
    Paths: 1 available, 1 best

    BGP routing table entry information of 9.1.1.0/24:
    From: 10.1.3.1 (1.1.1.1)
    Relay Nexthop: 0.0.0.0
    Original nexthop: 10.1.3.1


    AS-path 100, origin igp, MED 0, localpref 100, pref-val 0, valid, internal, best, pre 255
    Not advertised to any peers yet

----End
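The AS_PATH values in the verification output, "(65001) 100" on Router B and "100" on Router D, follow from the confederation rules of RFC 5065. The sketch below is an added example, not part of the Nortel guide or the router software; it replays those rules with the AS numbers of this example. AS 300 in the usage note is a hypothetical AS outside the confederation.

```python
# Added illustration (not router code): AS_PATH updates in a BGP confederation
# per RFC 5065, using the AS numbers of the example on this page.
CONFED_ID = 200
MEMBERS = frozenset({65001, 65002, 65003})

# A path is a list of segments: ("seq", [asns]) is an AS_SEQUENCE,
# ("confed_seq", [asns]) is an AS_CONFED_SEQUENCE (shown in parentheses).


def _prepend(path, kind, asn):
    """Prepend asn to the leading segment of the given kind, or open a new one."""
    if path and path[0][0] == kind:
        path[0][1].insert(0, asn)
    else:
        path.insert(0, (kind, [asn]))
    return path


def advertise(path, local_as, peer_as, confed_id=None, members=frozenset()):
    """Return the AS_PATH a speaker in local_as sends to a peer in peer_as.

    For a confederation member, local_as is its sub-AS number and confed_id
    and members describe the confederation. For a plain AS, leave them unset.
    """
    path = [(kind, list(asns)) for kind, asns in path]  # work on a copy
    if peer_as == local_as:
        return path  # IBGP: the path is not modified
    if confed_id is not None and peer_as in members:
        # Peer is in another sub-AS of the same confederation.
        return _prepend(path, "confed_seq", local_as)
    if confed_id is not None:
        # Leaving the confederation: drop the confederation segments and
        # prepend the confederation ID, so sub-AS numbers never leak out.
        path = [seg for seg in path if seg[0] != "confed_seq"]
        return _prepend(path, "seq", confed_id)
    return _prepend(path, "seq", local_as)  # ordinary EBGP


def render(path):
    """Format a path the way the routing table shows it (without the origin code)."""
    parts = []
    for kind, asns in path:
        text = " ".join(str(a) for a in asns)
        parts.append("(" + text + ")" if kind == "confed_seq" else text)
    return " ".join(parts)


def path_length(path):
    """AS_PATH length for route selection: confederation segments do not count."""
    return sum(len(asns) for kind, asns in path if kind == "seq")


def acceptable_from_external(path):
    """A path received from outside the confederation must not carry
    confederation segments; RFC 5065 treats such an UPDATE as malformed."""
    return all(kind != "confed_seq" for kind, _ in path)


if __name__ == "__main__":
    from_f = advertise([], 100, 200)  # Router F sees AS 200 as its peer
    print("Router A learns:", render(from_f))
    print("Router D learns:",
          render(advertise(from_f, 65001, 65001, CONFED_ID, MEMBERS)))
    print("Router B learns:",
          render(advertise(from_f, 65001, 65002, CONFED_ID, MEMBERS)))
```

Advertising Router B's path to the hypothetical AS 300 yields "200 100": the sub-AS number 65001 is stripped at the confederation boundary.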

Configuration files

- Configuration file of Router A

    #
     sysname RouterA
    #
    interface Pos1/0/0
     link-protocol ppp
     ip address 200.1.1.1 255.255.255.0
    #
    interface Pos2/0/0
     link-protocol ppp
     ip address 10.1.1.1 255.255.255.0
    #
    interface Pos3/0/0
     link-protocol ppp
     ip address 10.1.2.1 255.255.255.0
    #
    interface Pos4/0/0
     link-protocol ppp
     ip address 10.1.3.1 255.255.255.0
    #
    interface Pos5/0/0
     link-protocol ppp
     ip address 10.1.4.1 255.255.255.0
    #
    bgp 65001
     router-id 1.1.1.1
     confederation id 200
     confederation peer-as 65002 65003
     peer 200.1.1.2 as-number 100
     peer 10.1.1.2 as-number 65002
     peer 10.1.2.2 as-number 65003
     peer 10.1.3.2 as-number 65001
     peer 10.1.4.2 as-number 65001
     #
     ipv4-family unicast
      undo synchronization
      peer 200.1.1.2 enable
      peer 10.1.1.2 enable
      peer 10.1.1.2 next-hop-local
      peer 10.1.2.2 enable
      peer 10.1.2.2 next-hop-local
      peer 10.1.3.2 enable
      peer 10.1.3.2 next-hop-local
      peer 10.1.4.2 enable
      peer 10.1.4.2 next-hop-local
    #
    return


- Configuration file of Router B

    #
     sysname RouterB
    #
    interface Pos1/0/0
     link-protocol ppp
     ip address 10.1.1.2 255.255.255.0
    #
    bgp 65002
     router-id 2.2.2.2
     confederation id 200
     confederation peer-as 65001 65003
     peer 10.1.1.1 as-number 65001
     #
     ipv4-family unicast
      undo synchronization
      peer 10.1.1.1 enable
    #
    return

NOTE

The configuration file of Router C is similar to that of Router B.

- Configuration file of Router D

    #
     sysname RouterD
    #
    interface Pos1/0/0
     link-protocol ppp
     ip address 10.1.3.2 255.255.255.0
    #
    interface Pos2/0/0
     link-protocol ppp
     ip address 10.1.5.1 255.255.255.0
    #
    bgp 65001
     router-id 4.4.4.4
     peer 10.1.3.1 as-number 65001
     peer 10.1.5.2 as-number 65001
     #
     ipv4-family unicast
      undo synchronization
      peer 10.1.3.1 enable
      peer 10.1.5.2 enable
    #
    return

NOTE

The configuration file of Router E is similar to that of Router D.

- Configuration file of Router F

    #
     sysname RouterF
    #
    interface GigabitEthernet2/0/0
     ip address 9.1.1.1 255.255.255.0


    #
    interface Pos1/0/0
     link-protocol ppp
     ip address 200.1.1.2 255.255.255.0
    #
    bgp 100
     router-id 6.6.6.6
     peer 200.1.1.1 as-number 200
     #
     ipv4-family unicast
      undo synchronization
      network 9.1.1.0 255.255.255.0
      peer 200.1.1.1 enable
    #
    return


Contents

9 BGP4+ configuration
  9.1 Introduction
  9.2 Configuring basic BGP4+ functions
    9.2.1 Establishing the configuration task
    9.2.2 Configuring an IPv6 peer
    9.2.3 Configuring BGP4+ to advertise local IPv6 routes
    9.2.4 Configuring the local interfaces used for BGP4+ connections
    9.2.5 Configuring the maximum number of hops in EBGP connections
    9.2.6 Checking the configuration
  9.3 Controlling the routing information
    9.3.1 Establishing the configuration task
    9.3.2 Configuring BGP4+ to import and filter external routes
    9.3.3 Configuring routers to advertise default routes to peers
    9.3.4 Configuring the policies for advertising BGP routing information
    9.3.5 Configuring the policies for receiving BGP routing information
    9.3.6 Configuring BGP route dampening
    9.3.7 Checking the configuration
  9.4 Configuring the BGP4+ route attributes
    9.4.1 Establishing the configuration task
    9.4.2 Configuring the preference of BGP4+ protocol
    9.4.3 Configuring the default local_pref attribute of the local router
    9.4.4 Configuring the MED attributes
    9.4.5 Configuring the next_hop attributes
    9.4.6 Configuring the AS_path attributes
    9.4.7 Checking the configuration
  9.5 Adjusting and optimizing BGP+ networks
    9.5.1 Establishing the configuration task
    9.5.2 Configuring the peer timer
    9.5.3 Configuring the interval for sending update packets
    9.5.4 Configuring BGP4+ soft resetting
    9.5.5 Configuring the maximum number of equal-cost routes
    9.5.6 Checking the configuration


  9.6 Building large-scale BGP4+ networks
    9.6.1 Establishing the configuration task
    9.6.2 Configuring a BGP4+ peer group
    9.6.3 Configuring the BGP4+ community
    9.6.4 Configuring the BGP4+ route reflector
    9.6.5 Checking the configuration
  9.7 Maintaining BGP4+
    9.7.1 Debugging BGP4+
    9.7.2 Resetting BGP4+ connections
    9.7.3 Clearing BGP4+ statistics
  9.8 Configuration examples
    9.8.1 Example of configuring basic BGP4+ functions
    9.8.2 Example of configuring BGP4+ route reflection


Figures

Figure 9-1 Basic BGP4+ functions
Figure 9-2 BGP route reflector


9 BGP4+ configuration

About this chapter

The following table shows the contents of this chapter.

Section: 9.1 Introduction
Description: This section describes the principles and concepts of the extended Border Gateway Protocol version 4 (BGP4+).

Section: 9.2 Configuring basic BGP4+ functions
Description: This section describes how to enable BGP and to configure a BGP4+ peer. For a configuration example, see Example of configuring basic BGP4+ functions.

Section: 9.3 Controlling the routing information
Description: This section describes how to filter BGP4+ routing information, apply a routing policy, and aggregate routes.

Section: 9.4 Configuring the BGP4+ route attributes
Description: This section describes how to change BGP4+ route selection by configuring certain attributes.

Section: 9.5 Adjusting and optimizing BGP+ networks
Description: This section describes how to configure certain BGP4+ features in special network environments, and adjust and optimize the performance of the BGP4+ network.

Section: 9.6 Building large-scale BGP4+ networks
Description: This section describes how to simplify the management of a routing policy and enhance the efficiency of route advertisement in a large-scale BGP4+ network. For a configuration example, see Example of configuring BGP4+ route reflection.

Section: 9.7 Maintaining BGP4+
Description: This section describes how to reset BGP4+ connection, clear BGP4+ statistics, and debug BGP4+.

Section: 9.8 Configuration examples
Description: This section provides configuration examples for BGP4+.


9.1 Introduction

BGP4+ is a dynamic routing protocol used between autonomous systems (ASs) and is an extension of BGP. Traditional BGP4 can manage only IPv4 routing information, so it cannot carry inter-AS routing information for other network layer protocols, such as IPv6. The IETF introduced BGP4+ to supplement BGP4 and support IPv6. The current RFC standard for BGP4+ is RFC 2858 Multiprotocol Extensions for BGP4.

To support IPv6, BGP4 must carry the IPv6 network layer protocol information in the Network Layer Reachable Information (NLRI) and the Next_Hop attribute. BGP4+ introduces two NLRI attributes:

- Multiprotocol Reachable NLRI (MP_REACH_NLRI): This attribute advertises the reachable routes and the next-hop information.
- Multiprotocol Unreachable NLRI (MP_UNREACH_NLRI): This attribute withdraws the unreachable routes.

The Next_Hop attribute of BGP4+ takes the form of an IPv6 address. This attribute can be an IPv6 global unicast address or the link local address of the next hop.

BGP4+ applies to IPv6 networks by using the multiprotocol extension attributes of BGP. The original message mechanism and routing mechanism of BGP remain unchanged.
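To show what the two attributes carry on the wire, the following parser decodes the value field of MP_REACH_NLRI and MP_UNREACH_NLRI for IPv6 unicast (AFI 2, SAFI 1) using the RFC 2858 layout. It is an added example, not part of the Nortel guide or the router software; the sample bytes are constructed from documentation prefixes, and the 32-octet next hop (global address followed by link-local address) follows RFC 2545.

```python
import ipaddress
import struct

AFI_IPV6, SAFI_UNICAST = 2, 1


def encode_prefix(net):
    """Encode one prefix as <length in bits><minimum number of prefix octets>."""
    n = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:n]


def decode_prefixes(buf):
    """Decode a run of <length, prefix> tuples, rejecting truncated input."""
    prefixes, i = [], 0
    while i < len(buf):
        bits = buf[i]
        n = (bits + 7) // 8
        if bits > 128 or i + 1 + n > len(buf):
            raise ValueError("malformed or truncated NLRI")
        raw = buf[i + 1:i + 1 + n] + bytes(16 - n)
        # strict=False masks any trailing bits beyond the prefix length
        prefixes.append(
            ipaddress.IPv6Network((int.from_bytes(raw, "big"), bits), strict=False))
        i += 1 + n
    return prefixes


def _check_family(value, min_len):
    if len(value) < min_len:
        raise ValueError("truncated attribute")
    afi, safi = struct.unpack_from("!HB", value)
    if (afi, safi) != (AFI_IPV6, SAFI_UNICAST):
        raise ValueError("not IPv6 unicast")


def parse_mp_reach(value):
    """Parse an MP_REACH_NLRI value: AFI, SAFI, next hop, SNPA list, NLRI."""
    _check_family(value, 5)
    nh_len = value[3]
    if nh_len not in (16, 32):
        raise ValueError("unexpected IPv6 next-hop length %d" % nh_len)
    snpa_at = 4 + nh_len
    if len(value) <= snpa_at:
        raise ValueError("truncated next hop")
    next_hops = [ipaddress.IPv6Address(value[k:k + 16])
                 for k in range(4, snpa_at, 16)]
    if nh_len == 32 and not next_hops[1].is_link_local:
        raise ValueError("second next-hop address is not link-local")
    i = snpa_at + 1
    for _ in range(value[snpa_at]):        # SNPA count (RFC 2858), normally 0
        if i >= len(value):
            raise ValueError("truncated SNPA list")
        i += 1 + (value[i] + 1) // 2       # SNPA length is given in semi-octets
    if i > len(value):
        raise ValueError("truncated SNPA list")
    return {"next_hops": next_hops, "nlri": decode_prefixes(value[i:])}


def parse_mp_unreach(value):
    """Parse an MP_UNREACH_NLRI value: AFI, SAFI, withdrawn routes."""
    _check_family(value, 3)
    return decode_prefixes(value[3:])


# Constructed sample input (documentation addresses, not captured traffic).
SAMPLE_REACH = (
    struct.pack("!HBB", AFI_IPV6, SAFI_UNICAST, 32)
    + ipaddress.IPv6Address("2001:db8::1").packed      # global next hop
    + ipaddress.IPv6Address("fe80::1").packed          # link-local next hop
    + b"\x00"                                          # no SNPAs
    + encode_prefix(ipaddress.IPv6Network("2001:db8:1::/48"))
    + encode_prefix(ipaddress.IPv6Network("2001:db8:2:40::/58"))
)
SAMPLE_UNREACH = (
    struct.pack("!HB", AFI_IPV6, SAFI_UNICAST)
    + encode_prefix(ipaddress.IPv6Network("2001:db8:1::/48"))
)

if __name__ == "__main__":
    print(parse_mp_reach(SAMPLE_REACH))
    print(parse_mp_unreach(SAMPLE_UNREACH))
```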

9.2 Configuring basic BGP4+ functions

9.2.1 Establishing the configuration task

Applicable environment

Configure the BGP4+ in the IPv6 networks.

Preconfiguration tasks

Before you configure basic BGP4+ functions, complete the following tasks:

- Configure the network layer addresses of the interfaces.
- Enable the IPv6.

Data preparation

To configure the BGP4+, you need the following data.

No.  Data
1    The IPv6 address of the peer
2    The number of the AS where the peer resides
3    The local IPv6 networks to advertise


Configuration procedures

No.  Procedure
1    Configuring an IPv6 peer
2    Configuring BGP4+ to advertise local IPv6 routes
3    Configuring the local interfaces used for BGP4+ connections
4    Configuring the maximum number of hops in EBGP connections
5    Checking the configuration

9.2.2 Configuring an IPv6 peer

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    bgp as-number
The BGP view appears.

Step 3 Run:
    peer ipv6-address as-number as-number
This command configures the peer address and the AS where the peer resides.

Step 4 Run:
    ipv6-family
The IPv6 address family view appears.

Step 5 Run:
    peer ipv6-address enable
This command configures the IPv6 peers.

----End

After you configure the BGP4+ peers in the BGP view, you must enable these peers in the IPv6 address family view.

9.2.3 Configuring BGP4+ to advertise local IPv6 routes

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:


    bgp as-number
The BGP view appears.

Step 3 Run:
    ipv6-family
The IPv6 address family view appears.

Step 4 Run:
    network ipv6-address/prefix [ route-policy route-policy-name ]
This command advertises local IPv6 routes. You can use the network command to add the IPv6 routing information to the BGP4+ routing table.

----End

9.2.4 Configuring the local interfaces used for BGP4+ connections

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    bgp as-number
The BGP view appears.

Step 3 Run:
    peer { ipv6-address | group-name } connect-interface interface-type interface-number
This command configures the interface that specifies the TCP connection.

Usually, the BGP4+ uses the physical interface that directly connects with the peer as the local interface for the TCP connection. To make the BGP4+ connections more reliable and stable, configure the local interface as the loopback interface. In this way, when redundant links exist on the network, the BGP4+ connections do not break due to the failure of a certain interface or a link.

----End

9.2.5 Configuring the maximum number of hops in EBGP connections

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:


    bgp as-number
The BGP view appears.

Step 3 Run:
    peer { ipv6-address | group-name } ebgp-max-hop [ number ]
This command configures the maximum number of hops in the EBGP connections.

A direct physical link must be available between the EBGP peers. If this link does not exist, you can use the peer ebgp-max-hop command to configure the EBGP peers to establish the TCP connections through multiple hops.

----End

9.2.6 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the routing information that the local BGP4+ advertises.
Command: display bgp ipv6 network

Action: Check the information about the BGP4+ peers.
Command: display bgp ipv6 peer [ ipv6-address ] [ verbose ]

Action: Check the information about the specified routes in the BGP4+ routing table.
Command: display bgp ipv6 routing-table [ ipv6-address prefix-length ]

Action: Check the routing information that matches the regular expression of the AS.
Command: display bgp ipv6 routing-table regular-expression as-regular-expression

9.3 Controlling the routing information

9.3.1 Establishing the configuration task

Applicable environment

This section describes how to control the BGP4+ routing information, the application of the route policies, and the aggregation of the routes.

Preconfiguration tasks

Before you control the advertisement and receipt of the routing information, complete the following tasks:

- Enable the IPv6.
- Complete the procedures in Configuring basic BGP4+ functions.


Data preparation

To control the BGP4+ routing information, you need the following data.

No.  Data
1    The name and process number of the external route to import
2    The name of the filter list to use in the route policies
3    The route dampening parameters

Configuration procedures

No.  Procedure
1    Configuring BGP4+ to import and filter external routes
2    Configuring routers to advertise default routes to peers
3    Configuring the policies for advertising BGP routing information
4    Configuring the policies for receiving BGP routing information
5    Configuring BGP route dampening
6    Checking the configuration

9.3.2 Configuring BGP4+ to import and filter external routes

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    bgp as-number
The BGP view appears.

Step 3 Run:
    ipv6-family
The IPv6 address family view appears.

Step 4 Run:
    default-route imported
This command configures the BGP4+ to import the default routes.

If you do not use the default-route imported command, you cannot import the default routes from other protocols by using the import-route command.


Step 5 Run:
    import-route protocol [ process-id ] [ cost cost-value ] [ route-policy route-policy-name ]
This command configures the BGP4+ to import routes of the other protocols.

Step 6 Run:
    filter-policy ipv6-prefix ipv6-prefix-name export [ protocol ]
This command filters the imported routing information.

After the BGP4+ filters the imported routing information, only the routing information that meets certain conditions is added to the BGP4+ local routing table and advertised to BGP4+ peers. If you specify the protocol [ process-id ] parameter, you can filter the routing information of the specific routing protocol. If you do not specify the protocol [ process-id ] parameter, you can filter all the local BGP routing information to advertise, including the imported routes and the local routes that are advertised through the network command.

----End

9.3.3 Configuring routers to advertise default routes to peers

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    bgp as-number
The BGP view appears.

Step 3 Run:
    ipv6-family
The IPv6 address family view appears.

Step 4 Run:
    peer { ipv4-address | ipv6-address | group-name } default-route-advertise [ route-policy route-policy-name ]
This command advertises default routes to peers or a peer group.

NOTE

After you use the command peer default-route-advertise, the router sends a default route with the local address as the next hop to the specified peer, regardless of whether default routes exist in the routing table.

----End


9.3.4 Configuring the policies for advertising BGP routing information

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    bgp as-number
The BGP view appears.

Step 3 Run:
    ipv6-family
The IPv6 address family view appears.

Step 4 Choose the following command to configure the export routing policy based on different filters:

- Based on the route-policy
  Run:
    peer { ipv4-address | ipv6-address | group-name } filter-policy acl6-number export
- Based on AS_Path list
  Run:
    peer { ipv4-address | ipv6-address | group-name } as-path-filter as-path-filter-number export
- Based on prefix list
  Run:
    peer { ipv4-address | ipv6-address | group-name } ipv6-prefix ip-prefix-name export

You can configure the commands in step 4 in any order.

The export route update policies that the members of a peer group use can be different from those that the group uses. That is, each group can choose its policy when it advertises routes outside the group.

----End

9.3.5 Configuring the policies for receiving BGP routing information

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:


    bgp as-number
The BGP view appears.

Step 3 Run:
    ipv6-family
The IPv6 address family view appears.

Step 4 Run:
    filter-policy ipv6-prefix ipv6-prefix-name import
This command filters the global routing information received.

Step 5 Run:
    peer { ipv4-address | ipv6-address | group-name } route-policy policy-name import
This command configures the BGP to filter the routing information received from the specified peers.

Step 6 Run:
    peer { ipv4-address | ipv6-address | group-name } filter-policy acl-number import
This command configures the BGP to filter the routes based on the access control list (ACL).

Step 7 Run:
    peer { ipv4-address | ipv6-address | group-name } as-path-filter as-path-filter-number import
This command configures the BGP to filter the routes based on AS path list.

Step 8 Run:
    peer { ipv4-address | ipv6-address | group-name } ipv6-prefix ipv6-prefix-name import
This command configures the BGP to filter the routes based on the prefix list.

You can configure the commands from step 4 to step 8 in any order.

The routes that BGP receives can be filtered, so that BGP accepts only those routes that meet certain conditions and adds them to the routing table.

The import route policies that the members in a peer group use can be different from those the group uses. That is, each peer can select its own policies when it receives routes.

----End
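One way to review a saved configuration against sections 9.2.2 and 9.3.5 is sketched below. This is an added example, not a Nortel tool: it lists IPv6 peers that are declared in the BGP view but never enabled in the IPv6 address family view, and enabled peers in a different AS that have none of the import filters from steps 4 to 8. The sample configuration, its addresses and the prefix-list name CUSTOMER-IN are constructed, the "ipv6-family unicast" section layout is assumed to mirror the "ipv4-family unicast" layout of the configuration files in this guide, and the rule that every external peer needs an import filter is this example's review policy rather than a requirement stated here.

```python
import ipaddress
import re

FAMILY_RE = re.compile(r"^(ipv4|ipv6)-family\b")
PEER_AS_RE = re.compile(r"^peer (\S+) as-number (\d+)$")
ENABLE_RE = re.compile(r"^peer (\S+) enable$")
# The four per-peer import filters listed in section 9.3.5, steps 5 to 8.
IMPORT_RE = re.compile(
    r"^peer (\S+) (?:route-policy|filter-policy|as-path-filter|ipv6-prefix) \S+ import$")
# The global import filter of step 4.
GLOBAL_IMPORT_RE = re.compile(r"^filter-policy ipv6-prefix \S+ import$")


def _ipv6(token):
    """Return the normalized IPv6 address, or None for IPv4 or a group name."""
    try:
        return str(ipaddress.IPv6Address(token))
    except ValueError:
        return None


def audit_bgp4plus(config_text):
    """Return peers not enabled for IPv6 and enabled external peers without
    any import filter. Peer groups are not resolved in this sketch."""
    local_as, in_bgp, in_v6 = None, False, False
    peer_as, enabled, filtered, global_import = {}, set(), set(), False
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if not line or line == "#":
            continue
        if not raw[0].isspace():          # a top-level command opens a section
            in_bgp, in_v6 = line.startswith("bgp "), False
            if in_bgp:
                local_as = int(line.split()[1])
            continue
        if not in_bgp:
            continue
        fam = FAMILY_RE.match(line)
        if fam:
            in_v6 = fam.group(1) == "ipv6"
            continue
        m = PEER_AS_RE.match(line)
        if m and _ipv6(m.group(1)):
            peer_as[_ipv6(m.group(1))] = int(m.group(2))
        if not in_v6:
            continue
        m = ENABLE_RE.match(line)
        if m and _ipv6(m.group(1)):
            enabled.add(_ipv6(m.group(1)))
        m = IMPORT_RE.match(line)
        if m and _ipv6(m.group(1)):
            filtered.add(_ipv6(m.group(1)))
        if GLOBAL_IMPORT_RE.match(line):
            global_import = True
    not_enabled = sorted(p for p in peer_as if p not in enabled)
    unfiltered = [] if global_import else sorted(
        p for p in enabled
        if peer_as.get(p, local_as) != local_as and p not in filtered)
    return {"not_enabled": not_enabled, "unfiltered_external": unfiltered}


# Constructed sample configuration (documentation addresses, hypothetical names).
SAMPLE_CONFIG = """
#
bgp 65009
 router-id 1.1.1.1
 peer 2001:DB8:1::2 as-number 65008
 peer 2001:DB8:2::2 as-number 65010
 peer 2001:DB8:3::2 as-number 65009
 #
 ipv6-family unicast
  undo synchronization
  peer 2001:DB8:1::2 enable
  peer 2001:DB8:1::2 ipv6-prefix CUSTOMER-IN import
  peer 2001:DB8:2::2 enable
#
return
"""

if __name__ == "__main__":
    print(audit_bgp4plus(SAMPLE_CONFIG))
```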

9.3.6 Configuring BGP route dampening

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    bgp as-number


The BGP view appears.

Step 3 Run:
    ipv6-family
The IPv6 address family view appears.

Step 4 Run:
    dampening [ half-life-reachable half-life-unreachable reuse suppress-limit maximum-ceiling-value ] [ route-policy route-policy-name ]
This command configures the parameters for the BGP route dampening.

----End

9.3.7 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the routing information that the local BGP4+ advertises.
Command: display bgp ipv6 network

Action: Check the routes that match the specified AS-Path filter.
Command: display bgp ipv6 routing-table as-path-filter as-path-filter-number

Action: Check the routes that match the specified BGP4+ community filter.
Command: display bgp ipv6 routing-table community-filter community-filter-number [ whole-match ]

Action: Check the route of the dampened BGP4+ routes.
Command: display bgp ipv6 routing-table dampened

Action: Check the statistics of the BGP4+ route flaps.
Command: display bgp ipv6 routing-table flap-info [ regular-expression as-regular-expression | as-path-filter as-path-filter-number | ipv6-address [ prefix-length ] [ longer-match ] ]

Action: Check the routing information that BGP4+ peers advertise or receive.
Command: display bgp ipv6 routing-table peer ipv6-address { advertised-routes | received-routes } [ statistics ]

9.4 Configuring the BGP4+ route attributes

9.4.1 Establishing the configuration task

Applicable environment

You can change the BGP4+ route selection rules by using the route attributes.


Preconfiguration tasks

Before you configure the BGP4+ route selection rules, complete the following tasks:

- Enable the IPv6.
- Complete the procedures in Configuring basic BGP4+ functions.

Data preparation

To configure the BGP4+ route filtering, you need the following data.

No.  Data
1    The protocol preference
2    The Local_Pref attribute
3    The MED attribute

Configuration procedures

No.  Procedure
1    Configuring the preference of BGP4+ protocol
2    Configuring the default local_pref attribute of the local router
3    Configuring the MED attributes
4    Configuring the next_hop attributes
5    Configuring the AS_path attributes
6    Checking the configuration

9.4.2 Configuring the preference of BGP4+ protocol

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    bgp as-number
The BGP view appears.

Step 3 Run:
    ipv6-family
The IPv6 address family view appears.

Step 4 Run:


    preference { external internal local | route-policy route-policy-name }
This command configures the preference of the BGP4+ protocol.

----End

9.4.3 Configuring the default local_pref attribute of the local router

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    bgp as-number
The BGP view appears.

Step 3 Run:
    ipv6-family
The IPv6 address family view appears.

Step 4 Run:
    default local-preference preference-value
This command configures the default local_pref attribute of the local router.

----End

9.4.4 Configuring the MED attributes

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    bgp as-number
The BGP view appears.

Step 3 Run:
    ipv6-family
The IPv6 address family view appears.

Step 4 Run:
    default med med-value
This command configures the default MED attribute.


Step 5 Run:
    compare-different-as-med
This command compares the MED values of routes from different ASs.

Step 6 Run:
    bestroute med-none-as-maximum
This command treats the MED value of a route as the maximum value when the route carries no MED.

Step 7 Run:
    bestroute med-confederation
This command compares the MED values of the routes inside a confederation.

You can configure the commands from step 4 to step 7 in any order.

----End

9.4.5 Configuring the next_hop attributes

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    bgp as-number
The BGP view appears.

Step 3 Run:
    ipv6-family
The IPv6 address family view appears.

Step 4 Run:
    peer { ipv6-address | group-name } next-hop-local
This command configures the local address as the next hop when the router advertises routes.

In some networking environments, to ensure that the IBGP neighbors find the correct next hop, configure the local address as the next-hop address when the router advertises routes to the IBGP peers.

----End


NOTE

If you configure the BGP load balancing, the local router changes the next-hop address to its own address when it advertises routes to the IBGP peer groups, regardless of whether you use the peer next-hop-local command.

9.4.6 Configuring the AS_path attributes

Configuring the AS_path attribute in the IPv6 address family view

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    bgp as-number
The BGP view appears.

Step 3 Run:
    ipv6-family
The IPv6 address family view appears.

Step 4 Run:
    peer { ipv4-address | ipv6-address | group-name } allow-as-loop [ number ]
This command permits the repeated use of the local AS number.

Step 5 Run:
    bestroute as-path-neglect
This command excludes the AS_Path attribute from the route selection rules.

Step 6 Run:
    peer { ipv4-address | ipv6-address | group-name } public-as-only
This command configures the AS_Path attribute to carry only the public AS number.

You can configure the commands from step 4 to step 6 in any order.

----End

Configuring the AS_Path attribute in the BGP view

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    bgp as-number
The BGP view appears.


Step 3 Run:
    peer { ipv6-address | group-name } fake-as as-number
This command configures the fake AS number.

Step 4 Run:
    peer { ipv6-address | group-name } substitute-as
This command substitutes the AS number in the AS_Path attribute.

To configure the AS_Path attributes in the BGP view, specify the different peer and the group of the AS. That is, you must establish the EBGP connection.

----End

9.4.7 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the AS routing information.
Command: display bgp ipv6 paths [ as-regular-expression ]

Action: Check the route inconsistent with the source AS.
Command: display bgp ipv6 routing-table different-origin-as

Action: Check the routing information that matches the regular expression of the AS.
Command: display bgp ipv6 routing-table regular-expression as-regular-expression

9.5 Adjusting and optimizing BGP+ networks

9.5.1 Establishing the configuration task

Applicable environment

- BGP4+ timers

After you create a BGP4+ connection between peers, they periodically send keepalive messages to each other. These messages prevent the routers from considering the BGP4+ connection closed. If a router does not receive any keepalive message or any other kind of packet from the peer within the specified hold-time, the router considers the BGP4+ connection closed.

When a router creates a BGP4+ connection with its peer, the two routers negotiate the hold-time. The negotiated hold-time is the shorter of the hold-time of the BGP router and that of its peer. If the negotiation result is 0, no keepalive messages are sent and the hold-time is not checked for timeout.

If the value of the timer changes, the BGP4+ connection is interrupted for a short time because the router and its peer must negotiate again.


- Soft resetting the BGP4+ connections

After you change the BGP4+ route selection rules, you must reset the current BGP4+ connection to validate the new configuration. The BGP4+ connection is interrupted temporarily. In the Secure Router 8000 implementation, the BGP4+ supports the route-refresh capability. When you change the policies, the system can refresh the BGP4+ routing table automatically without interrupting the BGP4+ connections.

If routers that do not support route-refresh exist in the network, you can run the peer keep-all-routes command to save all route updates locally. Then, you can run the refresh bgp command to soft reset the BGP4+ connections manually.

Preconfiguration tasks

Before you adjust the BGP4+ timers, complete the following tasks:

- Enable the IPv6.
- Complete the procedures in Configuring basic BGP4+ functions.

Data preparation

To configure and authenticate the BGP4+ timer, you need the following data.

No.  Data
1    The values of the BGP4+ timers
2    The interval to send the update packets

Configuration procedures

No.  Procedure
1    Configuring the peer timer
2    Configuring the interval for sending update packets
3    Configuring BGP4+ soft resetting
4    Configuring the maximum number of equal-cost routes
5    Checking the configuration


9.5.2 Configuring the peer timer

If you change the timer with the peer timer command, the BGP peer relationship between the routers is broken. Confirm the action before you use the command.

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    bgp as-number
The BGP view appears.

Step 3 Run:
    peer { ipv6-address | group-name } timer keepalive keepalive-interval hold holdtime-interval
This command configures the interval to send the keepalive messages and the hold-time of the peer or peer group.

In practice, the value of the holdtime-interval is at least three times that of the keepalive-interval.

By default, the Keepalive period is 60 seconds and the Holdtime period is 180 seconds.

Understand the following when you configure the values of the keepalive-time and the hold-time:

- The values of the keepalive-time and the hold-time cannot be 0 at the same time. Otherwise, the BGP timer becomes invalid. That is, BGP does not detect link faults according to the timer.
- The value of the hold-time must be greater than that of the keepalive-time, for example, timer keepalive 1 hold 65535. If the Holdtime is too long, link faults cannot be detected in time.

----End

9.5.3 Configuring the interval for sending update packets

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    bgp as-number

Issue 5.3 (30 March 2009) Nortel Networks Inc. 9-17

Nortel Secure Router 8000 Series 9 BGP4+ configuration Configuration - IP Routing

The BGP view appears. Step 3 Run:

ipv6-family The IPv6 address family view appears. Step 4 Run:

peer { ipv6-address | group-name } route-update-interval interval This command configures the interval to send the update packets. ----End

9.5.4 Configuring BGP4+ soft resetting

Enabling the route-refresh capability

Step 1 Run:

    system-view

The system view appears.

Step 2 Run:

    bgp as-number

The BGP view appears.

Step 3 Run:

    peer { ipv6-address | group-name } capability-advertise route-refresh

This command enables the route-refresh capability.

----End

If you enable the route-refresh capability on all the BGP4+ routers, the local router advertises route-refresh messages to its peer when the BGP4+ route policies change. The peer that receives this message sends its routing information to the local router again. In this way, the BGP4+ routing table updates dynamically and the new policies apply without interrupting the BGP4+ connections.

Keeping all route updates of the peers

Step 1 Run:

    system-view

The system view appears.

Step 2 Run:

    bgp as-number

The BGP view appears.

Step 3 Run:

    ipv6-family

The IPv6 address family view appears.

Step 4 Run:

    peer { ipv6-address | group-name } keep-all-routes

This command keeps all route updates of the peers.

After you run this command, the router keeps all the route updates of the specified peer regardless of the filtering policies. After you perform a soft reset of the BGP connections, the router uses this information to generate the BGP4+ routes.

----End

Soft resetting the BGP4+ connections manually

Step 1 Run:

    refresh bgp ipv6 { ipv6-address | all | external | group group-name | internal } { export | import }

This command performs a soft reset on the BGP4+ connections. Perform a soft reset of the BGP4+ connections in the user view.

----End

9.5.5 Configuring the maximum number of equal-cost routes

Step 1 Run:

    system-view

The system view appears.

Step 2 Run:

    bgp as-number

The BGP view appears.

Step 3 Run:

    ipv6-family

The IPv6 address family view appears.

Step 4 Run:

    maximum load-balancing max-limit

This command configures the maximum number of BGP4+ equal-cost routes.

----End


9.5.6 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action                                                                    Command
Check the routing information that the local BGP4+ advertises.            display bgp ipv6 network
Check the information about the BGP4+ peers.                              display bgp ipv6 peer [ ipv6-address ] [ verbose ]
Check the information about the specified routes in the BGP4+ table.      display bgp ipv6 routing-table [ ipv6-address prefix-length ]
Check the routing information that the BGP4+ peers advertise or receive.  display bgp ipv6 routing-table peer ipv6-address { advertised-routes | received-routes } [ statistics ]

9.6 Building large-scale BGP4+ networks

9.6.1 Establishing the configuration task

Applicable environment

In a large-scale BGP network, configuration and maintenance are inconvenient because of the large number of peers. Peer groups simplify management and make route advertisement more efficient. Peer groups are divided into IBGP peer groups and EBGP peer groups according to whether the peers are in the same AS. EBGP peer groups are further divided into pure EBGP peer groups and hybrid EBGP peer groups according to whether the peers in the group belong to the same external AS.

To ensure the connectivity between the IBGP peers inside an AS, you must establish a full connection among the IBGP peers. When many IBGP peers exist, establishing a fully meshed network is costly. Use the route reflector and the confederation to solve this problem.

The confederation configurations of BGP4+ are the same as those of BGP4. This chapter does not describe these configurations.

Preconfiguration tasks

Before you configure a BGP4+ peer group, complete the following tasks:

- Keep the network layers of the adjacent nodes reachable.
- Enable BGP and configure the router ID.

Data preparation

To configure a BGP4+ peer group, you need the following data.

No.  Data
1    The type, the name, and the peers of the peer group
2    The routing policy name if you use the confederation
3    The rules of each router if you use a route reflector

Configuration procedures

No.  Procedure
1    Configuring a BGP4+ peer group
2    Configuring the BGP4+ community
3    Configuring the BGP4+ route reflector
4    Checking the configuration

9.6.2 Configuring a BGP4+ peer group

Creating an IBGP peer group

Step 1 Run:

    system-view

The system view appears.

Step 2 Run:

    bgp as-number

The BGP view appears.

Step 3 Run:

    group group-name [ internal ]

This command creates a peer group.

Step 4 Run:

    ipv6-family

The IPv6 address family view appears.

Step 5 Run:

    peer group-name enable

This command enables the peer group.

Step 6 Run:

    peer ipv6-address group group-name

This command adds the IPv6 peers to the peer group.

----End

After you add an IBGP peer to a peer group, the system creates each IPv6 peer in the BGP view automatically. The system enables this IBGP peer in the IPv6 address family view.

Creating a pure EBGP peer group

Step 1 Run:

    system-view

The system view appears.

Step 2 Run:

    bgp as-number

The BGP view appears.

Step 3 Run:

    group group-name external

This command configures a pure EBGP peer group.

Step 4 Run:

    peer group-name as-number as-number

This command configures the AS number of the peer group.

Step 5 Run:

    ipv6-family

The IPv6 address family view appears.

Step 6 Run:

    peer group-name enable

This command enables the peer group.

Step 7 Run:

    peer ipv6-address group group-name

This command adds the IPv6 peer to the specified peer group.

----End

After you add an EBGP peer to the peer group, the system creates each EBGP peer in the BGP view automatically. The system enables this EBGP peer in the IPv6 address family view.

When you create a pure EBGP peer group, you must specify the AS number of the peer group. If peers exist in the peer group, you cannot specify the AS number for this peer group.


Creating a mixed EBGP peer group

Step 1 Run:

    system-view

The system view appears.

Step 2 Run:

    bgp as-number

The BGP view appears.

Step 3 Run:

    group group-name external

This command creates a mixed EBGP peer group.

Step 4 Run:

    peer ipv6-address as-number as-number

This command configures the AS number of the IPv6 peers.

Step 5 Run:

    ipv6-family

The IPv6 address family view appears.

Step 6 Run:

    peer group-name enable

This command enables the peer group.

Step 7 Run:

    peer ipv6-address group group-name

This command adds the IPv6 peers to the peer group.

----End

After you add an EBGP peer to the peer group, the system enables each EBGP peer in the IPv6 address family view automatically.

When you create a mixed EBGP peer group, you must create peers separately and configure different AS numbers for them. You cannot, however, configure the AS number of the peer group.

9.6.3 Configuring the BGP4+ community

Configuring the routers to advertise the community attribute to the peers

Step 1 Run:

    system-view

The system view appears.

Step 2 Run:

    bgp as-number

The BGP view appears.

Step 3 Run:

    ipv6-family

The IPv6 address family view appears.

Step 4 Choose the following commands to advertise community attributes to the peer group:

- Run:

      peer { ipv4-address | ipv6-address | group-name } advertise-community

  This command configures routers to advertise the standard community attribute to a peer group.

- Run:

      peer { ipv4-address | ipv6-address | group-name } advertise-ext-community

  This command configures routers to advertise the extended community attribute to a peer group.

----End

Applying the routing policies to the routing information advertised

Step 1 Run:

    system-view

The system view appears.

Step 2 Run:

    bgp as-number

The BGP view appears.

Step 3 Run:

    ipv6-family

The IPv6 address family view appears.

Step 4 Run:

    peer { ipv4-address | ipv6-address | group-name } route-policy route-policy-name export

This command configures the outbound routing policies.

----End


NOTE

- When you configure a BGP4+ community, you must define the specific community attribute by using the route policies. Then, apply these route policies to the outbound routing information.
- For information about the configuration of route policies, see Routing policy configuration. For information about the configuration of the community attribute, see BGP configuration.

9.6.4 Configuring the BGP4+ route reflector

Configuring the route reflector and specifying its clients

Step 1 Run:

    system-view

The system view appears.

Step 2 Run:

    bgp as-number

The BGP view appears.

Step 3 Run:

    ipv6-family

The IPv6 address family view appears.

Step 4 Run:

    peer { ipv4-address | ipv6-address | group-name } reflect-client

This command configures the route reflector and its clients.

The router you configure through this command serves as the route reflector. This command specifies the peers that serve as clients.

----End

Enabling the route reflection between the clients

Step 1 Run:

    system-view

The system view appears.

Step 2 Run:

    bgp as-number

The BGP view appears.

Step 3 Run:

    ipv6-family

The IPv6 address family view appears.

Step 4 Run:

    reflect between-clients

This command enables the route reflections between the clients.

If the clients of the route reflector use a mesh connection, you can use the undo reflect between-clients command to disable the route reflection between the clients. This configuration reduces cost. Only use this command on the reflector.

----End

Configuring the cluster ID of the route reflector

Step 1 Run:

    system-view

The system view appears.

Step 2 Run:

    bgp as-number

The BGP view appears.

Step 3 Run:

    ipv6-family

The IPv6 address family view appears.

Step 4 Run:

    reflector cluster-id cluster-id

This command configures the cluster ID of the route reflector.

----End

When multiple route reflectors exist in a cluster, you can use this command to configure all the route reflectors in the cluster with the same cluster ID. This configuration avoids routing loops.

9.6.5 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action                                                           Command
Check the peer information.                                      display bgp ipv6 group [ group-name ]
Check the routing information of the specified BGP4+ community.  display bgp ipv6 routing-table community [ aa:nn &<1-13> ] [ internet | no-advertise | no-export | no-export-subconfed ] * [ whole-match ]
Check the routes that match the BGP4+ community filter.          display bgp ipv6 routing-table community-filter community-filter-number [ whole-match ]


9.7 Maintaining BGP4+

This section describes the following topics:

- Debugging BGP4+
- Resetting BGP4+ connections
- Clearing BGP4+ statistics

9.7.1 Debugging BGP4+

Debugging affects system performance. After you debug the system, run the undo debugging all command to disable it immediately.

After a BGP4+ fault occurs, run the following debugging commands in the user view to debug and locate the fault. For more information about the output of the debugging command, see Nortel Secure Router 8000 Series Configuration Guide - System Management (NN46240-601). For more information about the related debugging command, see Nortel Secure Router 8000 Series Commands Reference (NN46240-500).

Action                           Command
Debug the BGP4+ update packets.  debugging bgp update ipv6 [ [ peer { ipv6-address | group-name } ] | [ ip-prefix ipv6-prefix-name ] ] [ receive | send ]
Debug all the BGP4+.             debugging bgp [ ipv6-address ] all
Debug the BGP4+ events.          debugging bgp [ ipv6-address ] event
Debug the BGP4+ packets.         debugging bgp [ ipv6-address ] { keepalive | open | packet | route-refresh } [ receive | send ] [ verbose ]
Debug the BGP4+ update packets.  debugging bgp update ipv6 [ peer [ ipv6-address | ipv4-address ] | ip-prefix ipv6-prefix-name ] [ receive | send ] [ verbose ]


9.7.2 Resetting BGP4+ connections

The peer relationship ends after you use the reset bgp ipv6 command to reset the BGP4+ connections. Confirm the action before you use the command.

After you modify the BGP4+ routing policy or protocol, reset the BGP4+ connections to make the modification take effect. To reset the BGP4+ connections, run the following reset command in the user view.

Action                                                              Command
Reset all the BGP4+ connections.                                    reset bgp ipv6 all
Reset the BGP4+ connections between the peers in an AS.             reset bgp ipv6 as-number
Reset the BGP4+ connections with the specified peer or peer group.  reset bgp ipv6 { ipv6-address | group group-name }
Reset the external BGP4+ connections.                               reset bgp ipv6 external
Reset the internal BGP4+ connections.                               reset bgp ipv6 internal

9.7.3 Clearing BGP4+ statistics

You cannot restore the BGP4+ statistics after you clear them. Confirm the action before you use the command.

To clear the BGP4+ statistics, run the following reset commands in the user view.

Action                                                                  Command
Clear the route dampening information and release the dampened routes.  reset bgp ipv6 dampening [ ipv6-address prefix-length ]
Clear the route flap statistics.                                        reset bgp ipv6 flap-info [ ipv6-address /prefix-length | regexp regexp | as-path-filter as-path-acl-number ]


9.8 Configuration examples

NOTE

Most configuration examples of BGP4+ are similar to the examples of BGP4. For details about the configurations, see BGP configuration.

This section provides the following examples:

- Example of configuring basic BGP4+ functions
- Example of configuring BGP4+ route reflection

9.8.1 Example of configuring basic BGP4+ functions

Networking requirement

As shown in Figure 9-1, there are two ASs: 65008 and 65009. Router A belongs to AS 65008 and Router B, Router C, and Router D belong to AS 65009. Use BGP4+ to exchange the routing information between the two ASs.

Figure 9-1 Basic BGP4+ functions

[Figure: Router A (AS 65008) connects to Router B; Router B, Router C, and Router D are interconnected in AS 65009. The interface addresses are listed in the configuration files of this example.]

Configuration roadmap

The steps in the configuration roadmap are:

1. Configure the IBGP connections among Router B, Router C, and Router D.
2. Configure the EBGP connection between Router A and Router B.

Data preparation

To complete the configuration, you need the following data:

- The router ID of Router A is 1.1.1.1. The AS number is 65008.
- The router IDs of Router B, Router C, and Router D are 2.2.2.2, 3.3.3.3, and 4.4.4.4 respectively. The AS number is 65009.

Configuration procedure

Step 1 Configure the IPv6 address for each interface.

Step 2 Configure IBGP.


# Configure Router B:

[RouterB] ipv6
[RouterB] bgp 65009
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 9:1::2 as-number 65009
[RouterB-bgp] peer 9:3::2 as-number 65009
[RouterB-bgp] ipv6-family
[RouterB-bgp-af-ipv6] peer 9:1::2 enable
[RouterB-bgp-af-ipv6] peer 9:3::2 enable
[RouterB-bgp-af-ipv6] network 9:1:: 64
[RouterB-bgp-af-ipv6] network 9:3:: 64

# Configure Router C:

[RouterC] ipv6
[RouterC] bgp 65009
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] peer 9:3::1 as-number 65009
[RouterC-bgp] peer 9:2::2 as-number 65009
[RouterC-bgp] ipv6-family
[RouterC-bgp-af-ipv6] peer 9:3::1 enable
[RouterC-bgp-af-ipv6] peer 9:2::2 enable
[RouterC-bgp-af-ipv6] network 9:3:: 64
[RouterC-bgp-af-ipv6] network 9:2:: 64

# Configure Router D:

[RouterD] ipv6
[RouterD] bgp 65009
[RouterD-bgp] router-id 4.4.4.4
[RouterD-bgp] peer 9:1::1 as-number 65009
[RouterD-bgp] peer 9:2::1 as-number 65009
[RouterD-bgp] ipv6-family
[RouterD-bgp-af-ipv6] peer 9:1::1 enable
[RouterD-bgp-af-ipv6] peer 9:2::1 enable
[RouterD-bgp-af-ipv6] network 9:2:: 64
[RouterD-bgp-af-ipv6] network 9:1:: 64

Step 3 Configure EBGP.

# Configure Router A:

[RouterA] ipv6
[RouterA] bgp 65008
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] peer 10::1 as-number 65009
[RouterA-bgp] ipv6-family
[RouterA-bgp-af-ipv6] peer 10::1 enable
[RouterA-bgp-af-ipv6] network 10:: 64
[RouterA-bgp-af-ipv6] network 8:: 64

# Configure Router B:

[RouterB] bgp 65009
[RouterB-bgp] peer 10::2 as-number 65008
[RouterB-bgp] ipv6-family
[RouterB-bgp-af-ipv6] peer 10::2 enable
[RouterB-bgp-af-ipv6] network 10:: 64


# Check the connection state of BGP4+ peers:

[routerB] display bgp ipv6 peer

 BGP local router ID : 2.2.2.2
 Local AS number : 65009
 Total number of peers : 3                 Peers in established state : 3

  Peer        V    AS  MsgRcvd  MsgSent  OutQ  Up/Down   State        PrefRcv
  9:1::2      4 65009        8        9     0  00:05:37  Established        0
  9:3::2      4 65009        2        2     0  00:00:09  Established        0
  10::2       4 65008        9        7     0  00:05:38  Established        0

The output shows that Router B has established BGP4+ connections with the other routers.

# Display the routing list of Router A:

[routerA]display bgp ipv6 routing-table

 Total Number of Routes: 6

 BGP Local router ID is 1.1.1.1
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete

 *>  Network  : 8::                       PrefixLen : 64
     NextHop  : ::                        LocPrf    :
     MED      : 0                         PrefVal   : 0
     Label    :
     Path/Ogn : i

 *>  Network  : 9:1::                     PrefixLen : 64
     NextHop  : 10::1                     LocPrf    :
     MED      : 0                         PrefVal   : 0
     Label    :
     Path/Ogn : 65009 i

 *>  Network  : 9:2::                     PrefixLen : 64
     NextHop  : 10::1                     LocPrf    :
     MED      :                           PrefVal   : 0
     Label    :
     Path/Ogn : 65009 i

 *>  Network  : 9:3::                     PrefixLen : 64
     NextHop  : 10::1                     LocPrf    :
     MED      : 0                         PrefVal   : 0
     Label    :
     Path/Ogn : 65009 i

 *>  Network  : 10::                      PrefixLen : 64
     NextHop  : ::                        LocPrf    :
     MED      : 0                         PrefVal   : 0
     Label    :
     Path/Ogn : i

 *   NextHop  : 10::1                     LocPrf    :
     MED      : 0                         PrefVal   : 0
     Label    :
     Path/Ogn : 65009 i

The routing table shows that Router A learns the routes from AS 65009. AS 65008 and AS 65009 can exchange their routing information.

----End


Configuration files

- Configuration file of Router A

#
 sysname routerA
#
 ipv6
#
interface GigabitEthernet1/0/0
 ipv6 address 8::1/64
#
interface Pos2/0/0
 link-protocol ppp
 ipv6 address 10::2/64
#
bgp 65008
 router-id 1.1.1.1
 peer 10::1 as-number 65009
 #
 ipv6-family
  undo synchronization
  network 8:: 64
  network 10:: 64
  peer 10::1 enable
#
return

- Configuration file of Router B

#
 sysname routerB
#
 ipv6
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 9:1::1/64
#
interface Pos2/0/0
 link-protocol ppp
 ipv6 address 10::1/64
#
interface Pos3/0/0
 link-protocol ppp
 ipv6 address 9:3::1/64
#
bgp 65009
 router-id 2.2.2.2
 peer 10::2 as-number 65008
 peer 9:1::2 as-number 65009
 peer 9:3::2 as-number 65009
 #
 ipv6-family
  undo synchronization
  network 9:1:: 64
  network 9:3:: 64
  network 10:: 64
  peer 9:3::2 enable
  peer 9:1::2 enable
  peer 10::2 enable
#
return

- Configuration file of Router C

#
 sysname routerC
#
 ipv6
#
interface Pos2/0/0
 link-protocol ppp
 ipv6 address 9:2::1/64
#
interface Pos3/0/0
 link-protocol ppp
 ipv6 address 9:3::2/64
#
bgp 65009
 router-id 3.3.3.3
 peer 9:3::1 as-number 65009
 peer 9:2::2 as-number 65009
 #
 ipv6-family
  undo synchronization
  network 9:2:: 64
  network 9:3:: 64
  peer 9:3::1 enable
  peer 9:2::2 enable
#
return

- Configuration file of Router D

#
 sysname routerD
#
 ipv6
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 9:1::2/64
#
interface Pos2/0/0
 link-protocol ppp
 ipv6 address 9:2::2/64
#
bgp 65009
 router-id 4.4.4.4
 peer 9:1::1 as-number 65009
 peer 9:2::1 as-number 65009
 #
 ipv6-family
  undo synchronization
  network 9:1:: 64
  network 9:2:: 64
  peer 9:2::1 enable
  peer 9:1::1 enable
#
return

9.8.2 Example of configuring BGP4+ route reflection

Networking requirements

Router B receives an update packet through EBGP and forwards it to Router C. Router C is a route reflector with two clients, which are Router B and Router D. Router B and Router D do not need an IBGP connection. When Router C receives the route update packet from Router B, it reflects the information to Router D. Similarly, when Router C receives the route update packet from Router D, it reflects the information to Router B.

Figure 9-2 BGP route reflector

[Figure: Router A (AS100) connects to Router B; in AS200, Router C is the route reflector and has IBGP connections to Router B and Router D. The interface addresses are listed in the configuration files of this example.]

Configuration roadmap

The steps in the configuration roadmap are:

1. Establish an IBGP connection between the client and the route reflector.
2. Configure Router C as the route reflector and check the routing information.

Data preparation

To complete the configuration, you need the following data:

- The AS numbers: AS100 and AS200.
- The router IDs of Router A, Router B, Router C, and Router D are 1.1.1.1, 2.2.2.2, 3.3.3.3, and 4.4.4.4 respectively.

Configuration procedure

Step 1 Configure the IPv6 address for each interface.

Step 2 Configure basic BGP4+ functions.

# Configure Router A:


[RouterA] ipv6
[RouterA] bgp 100
[RouterA-bgp] router-id 1.1.1.1
[RouterA-bgp] peer 100::2 as-number 200
[RouterA-bgp] ipv6-family
[RouterA-bgp-af-ipv6] peer 100::2 enable
[RouterA-bgp-af-ipv6] network 1::/64
[RouterA-bgp-af-ipv6] quit
[RouterA-bgp]

# Configure Router B:

[RouterB] ipv6
[RouterB] bgp 200
[RouterB-bgp] router-id 2.2.2.2
[RouterB-bgp] peer 100::1 as-number 100
[RouterB-bgp] peer 101::1 as-number 200
[RouterB-bgp] ipv6-family
[RouterB-bgp-af-ipv6] peer 100::1 enable
[RouterB-bgp-af-ipv6] peer 101::1 enable

# Configure Router C:

[RouterC] ipv6
[RouterC] bgp 200
[RouterC-bgp] router-id 3.3.3.3
[RouterC-bgp] peer 101::2 as-number 200
[RouterC-bgp] peer 102::2 as-number 200
[RouterC-bgp] ipv6-family
[RouterC-bgp-af-ipv6] peer 101::2 enable
[RouterC-bgp-af-ipv6] peer 102::2 enable

# Configure Router D:

[RouterD] ipv6
[RouterD] bgp 200
[RouterD-bgp] router-id 4.4.4.4
[RouterD-bgp] peer 102::1 as-number 200
[RouterD-bgp] ipv6-family
[RouterD-bgp-af-ipv6] peer 102::1 enable

Step 3 Configure the route reflector.

# Configure Router C as a route reflector, and Router B and Router D as the clients:

[RouterC-bgp] ipv6-family
[RouterC-bgp-af-ipv6] peer 101::2 reflect-client
[RouterC-bgp-af-ipv6] peer 102::2 reflect-client

# Check the routing table of Router B:

[RouterB]display bgp ipv6 routing-table

 Total Number of Routes: 6

 BGP Local router ID is 2.2.2.2
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete

 *>  Network  : 1::                       PrefixLen : 64
     NextHop  : 100::1                    LocPrf    :
     MED      : 0                         PrefVal   : 0
     Label    :
     Path/Ogn : 100 i

 *>  Network  : 100::                     PrefixLen : 96
     NextHop  : ::                        LocPrf    :
     MED      : 0                         PrefVal   : 0
     Label    :
     Path/Ogn : i

 *   NextHop  : 100::1                    LocPrf    :
     MED      : 0                         PrefVal   : 0
     Label    :
     Path/Ogn : 100 i

 *>  Network  : 101::                     PrefixLen : 96
     NextHop  : ::                        LocPrf    :
     MED      : 0                         PrefVal   : 0
     Label    :
     Path/Ogn : i

   i NextHop  : 101::1                    LocPrf    : 100
     MED      : 0                         PrefVal   : 0
     Label    :
     Path/Ogn : i

 *>i Network  : 102::                     PrefixLen : 96
     NextHop  : 101::1                    LocPrf    : 100
     MED      : 0                         PrefVal   : 0
     Label    :
     Path/Ogn : i

# Check the routing table of Router D:

[RouterD]display bgp ipv6 routing-table

 Total Number of Routes: 5

 BGP Local router ID is 4.4.4.4
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
 Origin : i - IGP, e - EGP, ? - incomplete

 *>i Network  : 1::                       PrefixLen : 64
     NextHop  : 100::1                    LocPrf    : 100
     MED      : 0                         PrefVal   : 0
     Label    :
     Path/Ogn : 100 i

 *>i Network  : 100::                     PrefixLen : 96
     NextHop  : 101::2                    LocPrf    : 100
     MED      : 0                         PrefVal   : 0
     Label    :
     Path/Ogn : i

 *>i Network  : 101::                     PrefixLen : 96
     NextHop  : 102::1                    LocPrf    : 100
     MED      : 0                         PrefVal   : 0
     Label    :
     Path/Ogn : i

 *>  Network  : 102::                     PrefixLen : 96
     NextHop  : ::                        LocPrf    :
     MED      : 0                         PrefVal   : 0
     Label    :
     Path/Ogn : i

   i NextHop  : 102::1                    LocPrf    : 100
     MED      : 0                         PrefVal   : 0
     Label    :
     Path/Ogn : i

The routing tables show that Router D and Router B learn the routing information advertised by Router A from Router C.

----End

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
 ipv6
#
interface GigabitEthernet1/0/0
 ipv6 address 1::1/64
#
interface Pos2/0/0
 link-protocol ppp
 ipv6 address 100::1/96
#
bgp 100
 router-id 1.1.1.1
 peer 100::2 as-number 200
 #
 ipv6-family
  undo synchronization
  network 1:: 64
  network 100:: 96
  peer 100::2 enable
#
return

- Configuration file of Router B

#
 sysname RouterB
#
 ipv6
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 101::2/96
#
interface Pos2/0/0
 link-protocol ppp
 ipv6 address 100::2/96
#
bgp 200
 router-id 2.2.2.2
 peer 100::1 as-number 100
 peer 101::1 as-number 200
 #
 ipv6-family
  undo synchronization
  network 100:: 96
  network 101:: 96
  peer 100::1 enable
  peer 101::1 enable
#
return

- Configuration file of Router C

#
 sysname RouterC
#
 ipv6
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 102::1/96
#
interface Pos2/0/0
 link-protocol ppp
 ipv6 address 101::1/96
#
bgp 200
 router-id 3.3.3.3
 peer 101::2 as-number 200
 peer 102::2 as-number 200
 #
 ipv6-family
  undo synchronization
  network 101:: 96
  network 102:: 96
  peer 101::2 enable
  peer 101::2 reflect-client
  peer 102::2 enable
  peer 102::2 reflect-client
#
return

- Configuration file of Router D

#
 sysname RouterD
#
 ipv6
#
interface Pos1/0/0
 link-protocol ppp
 ipv6 address 102::2/96
#
bgp 200
 router-id 4.4.4.4
 peer 102::1 as-number 200
 #
 ipv4-family unicast
  undo synchronization
 #
 ipv6-family
  undo synchronization
  network 102:: 96
  peer 102::1 enable
#
return
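The reflection behavior in the 9.8.2 example, and the cluster-ID rule from section 9.6.4, can be traced with a small simulation. The following Python model is an added example, not Nortel code: it applies the RFC 4456 reflection rules (ORIGINATOR_ID and CLUSTER_LIST) to the example topology and then goes beyond the page by adding a second reflector. The second reflector C2, its router ID 5.5.5.5, the router-ID default for the cluster ID, and the first-path-wins route selection are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Update:
    prefix: str
    originator_id: str = ""   # ORIGINATOR_ID, set by the first reflector
    cluster_list: tuple = ()  # CLUSTER_LIST, one cluster ID per reflection


@dataclass
class Router:
    name: str
    router_id: str
    ibgp_peers: list
    clients: set = field(default_factory=set)  # peers marked reflect-client
    cluster_id: str = ""                       # assumed default: the router ID
    between_clients: bool = True               # "reflect between-clients"
    rib: dict = field(default_factory=dict)    # prefix -> peer it came from
    dropped: list = field(default_factory=list)

    def __post_init__(self):
        self.cluster_id = self.cluster_id or self.router_id


def simulate(routers, entry, prefix):
    """Inject an EBGP-learned prefix at `entry` and propagate it over IBGP."""
    net = {r.name: r for r in routers}
    first = net[entry]
    first.rib[prefix] = "ebgp"
    # A route learned over EBGP is advertised to every IBGP peer.
    queue = deque((peer, entry, Update(prefix)) for peer in first.ibgp_peers)
    while queue:
        dst, src, upd = queue.popleft()
        r = net[dst]
        # RFC 4456 loop checks: own router ID or own cluster ID already present.
        if upd.originator_id == r.router_id:
            r.dropped.append((src, "originator-loop"))
            continue
        if r.clients and r.cluster_id in upd.cluster_list:
            r.dropped.append((src, "cluster-loop"))
            continue
        if upd.prefix in r.rib:
            continue  # simplification: the first path wins, no best-path run
        r.rib[upd.prefix] = src
        if not r.clients:
            continue  # a plain IBGP speaker never re-advertises IBGP routes
        out = Update(upd.prefix,
                     upd.originator_id or net[src].router_id,
                     (r.cluster_id,) + upd.cluster_list)
        for peer in r.ibgp_peers:
            from_client, to_client = src in r.clients, peer in r.clients
            if peer == src or (not from_client and not to_client):
                continue  # non-client routes are reflected to clients only
            if from_client and to_client and not r.between_clients:
                continue  # "undo reflect between-clients"
            queue.append((peer, dst, out))
    return net


def page_topology(reflector=True):
    # Routers B, C, D of AS200 in section 9.8.2; Router A is the EBGP source.
    b = Router("B", "2.2.2.2", ["C"])
    c = Router("C", "3.3.3.3", ["B", "D"],
               {"B", "D"} if reflector else set())
    d = Router("D", "4.4.4.4", ["C"])
    return simulate([b, c, d], "B", "1::/64")


def two_reflectors(cluster_c="", cluster_c2=""):
    # Hypothetical extension: C2 (5.5.5.5) is a second reflector for B and D.
    b = Router("B", "2.2.2.2", ["C", "C2"])
    d = Router("D", "4.4.4.4", ["C", "C2"])
    c = Router("C", "3.3.3.3", ["B", "D", "C2"], {"B", "D"}, cluster_c)
    c2 = Router("C2", "5.5.5.5", ["B", "D", "C"], {"B", "D"}, cluster_c2)
    return simulate([b, c, c2, d], "B", "1::/64")


if __name__ == "__main__":
    print("D with reflector:   ", page_topology()["D"].rib)
    print("D without reflector:", page_topology(False)["D"].rib)
    shared = two_reflectors("3.3.3.3", "3.3.3.3")
    print("shared cluster ID drops:", shared["C"].dropped, shared["C2"].dropped)
```

With a shared cluster ID, each reflector discards the copy that the other reflector in the cluster already reflected; with different cluster IDs, that copy is accepted as a redundant path.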

Contents

10 Routing policy configuration
  10.1 Introduction
    10.1.1 Routing policy
    10.1.2 Filters
    10.1.3 Application of routing policy
    10.1.4 FRR principle
    10.1.5 Routing table
  10.2 Configuring IP-prefix list
    10.2.1 Establishing the configuration task
    10.2.2 Configuring an IPv4 prefix list
    10.2.3 Configuring an IPv6 prefix list
    10.2.4 Checking the configuration
  10.3 Configuring the route-policy
    10.3.1 Establishing the configuration task
    10.3.2 Creating a route-policy
    10.3.3 Configuring if-match clauses
    10.3.4 Configuring apply clauses
    10.3.5 Checking the configuration
  10.4 Applying routing filters
    10.4.1 Establishing the configuration task
    10.4.2 Filtering the route received
    10.4.3 Configuring the route advertised
    10.4.4 Applying route-policy when external routes are imported
    10.4.5 Checking the configuration
  10.5 Controlling valid time of routing policy
    10.5.1 Establishing the configuration task
    10.5.2 Configuring the delay for applying routing policy
    10.5.3 Checking the configuration
  10.6 Configuring IP FRR of the public network
    10.6.1 Establishing the configuration task
    10.6.2 Configuring route-policy
    10.6.3 Enabling IP FRR in the public network
    10.6.4 Checking the configuration
  10.7 Maintaining routing policy
    10.7.1 Clearing statistics of IP prefix list
  10.8 Configuration examples
    10.8.1 Example of filtering routes received and sent
    10.8.2 Example of applying the routing policy during importing routes
    10.8.3 Example of configuring the IP FRR of the public network

Figures

Figure 10-1 Routing information sent and received
Figure 10-2 Routing policy application during route import
Figure 10-3 IP FRR in the public network

Tables

Table 10-1 Differences between routing policy and policy-based routing

10 Routing policy configuration

About this chapter

The following table shows the contents of this chapter.

Section                                         Description
10.1 Introduction                               This section describes the principles and concepts of routing policy.
10.2 Configuring IP-prefix list                 This section describes how to configure IP-prefix lists.
10.3 Configuring the route-policy               This section describes how to configure a route-policy, define a set of
                                                match conditions, and change the attribute of the routing information.
10.4 Applying routing filter                    This section describes how to apply filters that relate to the routing
                                                policy to the routing protocol. For configuration examples, see Example
                                                of filtering routes received and sent and Example of applying the
                                                routing policy during importing routes.
10.5 Controlling valid time of routing policy   This section describes how to adjust the valid time of a route-policy.
10.6 Configuring IP FRR of the public network   This section describes how to configure the IP fast reroute (FRR) of
                                                the public network. For a configuration example, see Example of
                                                configuring the IP FRR of the public network.
10.7 Maintaining routing policy                 This section describes how to clear the statistics of the IP prefix list.
10.8 Configuration examples                     This section provides configuration examples for routing policy.


10.1 Introduction

This section covers the following topics that you must understand before you configure the routing policy:

• Routing policy
• Filters
• Application of routing policy
• FRR principle
• Routing table

10.1.1 Routing policy

A routing policy changes the path of network traffic by changing the route attributes. When a router sends or receives routing information, it can use certain policies to filter the routing information. The policy applies in the following cases:

• The router sends or receives only the partial routing information that meets the requirements.
• A certain routing protocol, for example, the Routing Information Protocol Next Generation (RIPng), must import the routing information that other routing protocols discover to enrich its routing information. When you import routing information from other routing protocols, the router can import only the partial routing information that meets the requirements, and configure certain attributes of the imported routing information to make it meet the basic requirements.

To implement the routing policy, you must perform the following actions:

• Configure one or a group of matching rules in advance. Use information such as destination address and the address of the router that advertises routing information as rules.
• Define the attributes of routing information that applies to the matched routes.
• Apply the matching rules to the routing policy to advertise, receive, and import routes.

Routing policy and policy-based routing

Unlike forwarding that searches the FIB according to the destination address of a packet, Policy Based Routing (PBR) is a route selection mechanism based on the policies set by users. PBR supports the information based on the source address and the size of packets. PBR selects routes according to the policy set by users. PBR can be applicable to security and load balancing.

Table 10-1 Differences between routing policy and policy-based routing

Routing policy | Policy-based routing
Forwards based on destination address in the routing table. | Forwards based on policy. If the forwarding fails, then forwards by searching the routing table.
Based on control plane and serves the routing protocol and routing table. | Based on forwarding plane and serves the forwarding policy.
Combines with the routing policy | Manually configure hop-by-hop to ensure the forwarding of the packet policy.
The application command is route-policy. | The application command is policy-based-route.

10.1.2 Filters

The Secure Router 8000 Series provides many types of filters for routing protocols. Some of these filters are access control list (ACL), IP-prefix list, AS-Path filter, community filter, extended community filter, and route-policy. The following section describes these filters.

ACL

The ACL consists of the ACL for IPv4 packets and the ACL6 for IPv6 packets. When you define the ACL, you can specify IP address and subnet scope to match the destination network segment address or the next-hop address of the routing information. For more information about ACL and ACL6 configuration, see Nortel Secure Router 8000 Series Configuration Guide - IP Services (NN46240-504).

IP-prefix list

The IP-prefix list consists of the IPv4 prefix list and IPv6 prefix list. The function of the IP-prefix list is similar to that of the ACL but the IP-prefix is more flexible and easier to understand. Identify an IP-prefix list by its list name. Each prefix list includes multiple entries. Each entry can independently specify the match range of a network prefix form. Identify the match range by an index number. The index number designates the sequence of the matching process. During the matching process, the router checks entries it identifies by the index number in ascending order. When a single entry meets the condition, the matching stops.

AS-Path filter

The BGP routing information packet includes an autonomous system (AS) path domain. The AS-Path filter specifies the matching condition for the AS path domain.

Community filter

Only BGP uses the community filter. The BGP routing information includes a community attribute domain to identify a community. The community filter specifies the match condition for the community attribute domain.


Extcommunity-filter

The extended community filter (Extcommunity-filter) is used only in BGP. The extended community of BGP supports only the Route-Target (RT) extended community of the VPN. The extcommunity-filter specifies matching conditions for the extended community attribute.

RD Filter

Through Route Distinguisher (RD), the VPN instance implements the independence of address space and distinguishes the IPv4 and IPv6 prefixes of the same address space. The RD attribute filter specifies matching conditions for different RDs.

Route-policy

The route-policy is a complex filter. The route-policy not only matches certain attributes of the routing information, but also changes the attributes of routing information when it meets certain conditions. The route-policy uses the filters mentioned previously to define its filtering rule.

A route-policy consists of multiple nodes. The relationship among the nodes is OR. The system examines the nodes in the routing policy in turn. After a node in the routing policy permits the route, the route passes the matching test of the route-policy and the system does not test other nodes.

Each node uses a set of if-match and apply clauses. The if-match clauses define the matching rules. The matching objects are certain attributes of routing information. The relation of if-match clauses in a node is AND. As a result, a matching test of this node succeeds only when all the match conditions in if-match clauses are met. The apply clause specifies actions. When a route meets the matching rules, the apply clause configures its attributes.

10.1.3 Application of routing policy

The routing policy provides two applications:

• Filter the routing information when a routing protocol imports routes found by other protocols. Only the routes that meet the conditions are imported.
• Filter the routing information that a routing protocol distributes or receives. Only the routes that meet the conditions are received or distributed.

For information about the configuration of routing policy applications, see the related routing protocol configurations.

10.1.4 FRR principle

In the traditional IP network, after the lower layer detects the link defect, the system completes the routing convergence in several seconds. For certain services that are sensitive to time delay or packet loss, a convergence time of several seconds is not acceptable and can lead to service breakdown. For example, the maximum acceptable time for the Voice over Internet Protocol (VoIP) service is approximately 50 milliseconds when network interruption occurs. To avoid service interruption caused by defects in the link, ensure that the transmitting system can detect the defects and take measures to resolve them.


With FRR, when a defect occurs at the lower layer, the lower layer reports the information to the upper layer, and measures are taken to transmit the packets through a backup link. The effect of link defects on the services carried is reduced to a minimum.

According to the location of the application, FRR divides into IP FRR and VPN FRR. IP FRR can further divide into public network IP FRR and VPN IP FRR.

• Public network IP FRR protects routers of the public network.
• VPN IP FRR protects the customer edge (CE) router.
• VPN FRR protects the CE router.

For information about the configuration of VPN IP FRR and VPN FRR, see Nortel Secure Router 8000 Series Configuration Guide - VPN (NN46240-507).

The FRR function of the Secure Router 8000 Series provides backups for direct routes, static routes, and the dynamic routes of the Routing Information Protocol (RIP), Open Shortest Path First (OSPF), Intermediate System-to-Intermediate System (IS-IS), and BGP.

10.1.5 Routing table

Each router uses a local core (management) routing table and each routing protocol maintains its own routing table.

• Protocol routing table
  A protocol routing table stores the routes that the protocol discovers. When a router that runs a certain routing protocol needs to advertise routes that it discovers through other ways, the routes must be imported to the protocol routing table. For example, if a router that runs OSPF needs to advertise direct routes, static routes, or IS-IS routes through OSPF, the router must import these routes to the OSPF routing table.

• Local core routing table
  Routers use the local core routing table to forward packets. The routing table uses the preference and metric of various routing protocols.

NOTE

For a router that supports L3VPN, each VPN-instance uses its management routing table.

10.2 Configuring IP-prefix list

NOTE

• This section provides only the configuration of IP-prefix.
• For information about the configuration of the AS-Path filter, community filter, and extcommunity-filter, see BGP Configuration.

10.2.1 Establishing the configuration task

Applicable environment

Before you apply the routing policy, configure the matching rules or filter. The function of the IP-prefix list is similar to that of the ACL, but the former is more flexible and easier to understand. When you use the IP-prefix list to filter the routing information, the matching object is the destination address of the routing information.

Preconfiguration tasks

None

Data preparation

To configure the IP prefix list, you need the following data.

No. | Data
1 | Name of IP-Prefix list
2 | Matched address scope

Configuration procedures

No. | Procedure
1 | Configuring an IPv4 prefix list
2 | Configuring an IPv6 prefix list
3 | Checking the configuration

10.2.2 Configuring an IPv4 prefix list

Do as follows on the router to which you apply the IP prefix list:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ip-address mask-length [ greater-equal greater-equal-value ] [ less-equal less-equal-value ]
This command configures the IPv4 prefix list.

----End

You can specify the range of the mask length by using the following formula:
    mask-length <= greater-equal-value <= less-equal-value <= 32
If you only specify greater-equal, the range of the prefix is [greater-equal-value, 32]; if you only specify less-equal, the range of the prefix is [mask-length, less-equal-value].


Identify an IPv4 prefix list by its list name. Each prefix list can include multiple entries. Each entry can independently specify the matching range of a network prefix form and identify it with an index-number. For example, the following is an IPv4 prefix list named abcd:

    #
    ip ip-prefix abcd index 10 permit 1.0.0.0 8
    ip ip-prefix abcd index 20 permit 2.0.0.0 8

During the matching process, the system checks the entries it identifies by the index number in ascending order. After a route matches an entry, the matching process ends and the system does not check the remaining entries.

In the Secure Router 8000 Series, unmatched routes cannot pass the filtering of the IP-Prefix list. If all entries are in the deny mode, then all routes are filtered out. Nortel recommends that you define a permit 0.0.0.0 0 less-equal 32 entry after the multiple entries in the deny mode, which allows all the other IPv4 routes to pass the IP-prefix filtering.

NOTE

If you define more than one IP-prefix entry, at least one entry must be in the permit mode.

10.2.3 Configuring an IPv6 prefix list

Do as follows on the router to which you apply the IP prefix list:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ip ipv6-prefix ipv6-prefix-name [ index index-number ] { permit | deny } ipv6-address prefix-length [ greater-equal greater-equal-value ] [ less-equal less-equal-value ]
This command configures the IPv6 prefix list.

----End

Identify an IPv6 prefix-list by its list name. Each prefix list can include multiple entries. Each entry can independently specify the matching range of a network prefix form and identify it with an index-number. For example, the following is an IPv6 prefix list named abcd:

    #
    ip ipv6-prefix abcd index 10 permit 1:: 64
    ip ipv6-prefix abcd index 20 permit 2:: 64

During the matching process, the system checks the entries it identifies by the index-number in ascending order. After a route matches an entry, the matching process ends and the system does not check the remaining entries.

In the Secure Router 8000 Series, unmatched routes cannot pass the filtering of the IP-Prefix list. If all entries are in deny mode, then all routes are filtered out. Nortel recommends that you define a permit :: 0 less-equal 128 entry after the multiple entries in the deny mode, to allow all the other IPv6 routes to pass the IP-Prefix filtering.


NOTE

If you define more than one IPv6-prefix entry, at least one entry must be in permit mode.

10.2.4 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action | Command
Check the information about the IPv4 prefix list. | display ip ip-prefix [ ip-prefix-name ]
Check the information about the IPv6 prefix list. | display ip ipv6-prefix [ ipv6-prefix-name ]
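The matching rules in 10.2.2 and 10.2.3 (ascending index order, first matching entry decides, mask-length ranges, unmatched routes denied) can be checked offline before a list is applied. The following Python sketch is an added example and is not part of the Nortel documentation; the function names and the demo and demo6 lists are constructed for illustration. It assumes every entry carries an explicit index, and that an entry with neither greater-equal nor less-equal matches only its exact mask length (standard prefix-list behaviour that the text above does not spell out).

```python
import ipaddress
import re

# Entry syntax from 10.2.2 / 10.2.3. An explicit index is required here because
# the page does not say how an omitted index is numbered.
ENTRY_RE = re.compile(
    r"^ip (?P<kind>ip-prefix|ipv6-prefix) (?P<name>\S+) index (?P<index>\d+) "
    r"(?P<mode>permit|deny) (?P<addr>\S+) (?P<mlen>\d+)"
    r"(?: greater-equal (?P<ge>\d+))?(?: less-equal (?P<le>\d+))?$"
)


def parse_entry(line):
    """Turn one prefix-list line into (index, mode, network, lo, hi)."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a prefix-list entry: {line!r}")
    max_len = 32 if m["kind"] == "ip-prefix" else 128
    mlen = int(m["mlen"])
    ge = int(m["ge"]) if m["ge"] is not None else None
    le = int(m["le"]) if m["le"] is not None else None
    if ge is None and le is None:
        lo, hi = mlen, mlen          # assumption: exact mask length only
    elif le is None:
        lo, hi = ge, max_len         # only greater-equal: [ge, 32] (128 for IPv6)
    elif ge is None:
        lo, hi = mlen, le            # only less-equal: [mask-length, le]
    else:
        lo, hi = ge, le
    if not mlen <= lo <= hi <= max_len:
        raise ValueError(f"mask range out of order in: {line!r}")
    network = ipaddress.ip_network(f"{m['addr']}/{mlen}", strict=False)
    if network.max_prefixlen != max_len:
        raise ValueError(f"address family does not fit {m['kind']}: {line!r}")
    return int(m["index"]), m["mode"], network, lo, hi


def evaluate(entries, route):
    """Return (permitted, index of the deciding entry or None)."""
    dest = ipaddress.ip_network(route)
    for index, mode, network, lo, hi in sorted(entries, key=lambda e: e[0]):
        if dest.version != network.version:
            continue
        # A route matches when its mask length is inside the entry's range and
        # its leading mask-length bits equal the entry's prefix.
        if lo <= dest.prefixlen <= hi and dest.network_address in network:
            return mode == "permit", index
    return False, None               # unmatched routes do not pass the list


def load(text):
    return [parse_entry(line) for line in text.strip().splitlines()]


# The list named abcd from section 10.2.2.
ABCD = load("""
ip ip-prefix abcd index 10 permit 1.0.0.0 8
ip ip-prefix abcd index 20 permit 2.0.0.0 8
""")

# Constructed list: deny long prefixes inside 10/8, permit the rest of 10/8,
# deny 192.168/16 entirely, then the recommended permit-all entry.
DEMO = load("""
ip ip-prefix demo index 10 deny 10.0.0.0 8 greater-equal 25
ip ip-prefix demo index 20 permit 10.0.0.0 8 less-equal 24
ip ip-prefix demo index 30 deny 192.168.0.0 16 less-equal 32
ip ip-prefix demo index 40 permit 0.0.0.0 0 less-equal 32
""")

# Constructed IPv6 list using the documentation prefix 2001:db8::/32.
DEMO6 = load("""
ip ipv6-prefix demo6 index 10 deny 2001:db8:: 32 less-equal 128
ip ipv6-prefix demo6 index 20 permit :: 0 less-equal 128
""")

if __name__ == "__main__":
    for route in ("10.1.2.0/24", "10.1.2.128/25", "192.168.5.0/24", "172.16.0.0/12"):
        print(route, evaluate(DEMO, route))
```

With the abcd list, 1.1.0.0/16 is filtered out even though it lies inside 1.0.0.0/8, because neither entry widens the mask range and no permit-all entry follows.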

10.3 Configuring the route-policy

10.3.1 Establishing the configuration task

Applicable environment

Use the route-policy to match the routing information or some attributes of routing information, and to change these attributes after certain conditions are met. The matching conditions can be the filtering lists in the preceding section. A route-policy can use multiple nodes. Each node divides into the following clauses:

• if-match clause: This clause defines the matching rules. Routing information must satisfy the matching rules to pass the route-policy. The matching objects are attributes of the routing information.
• apply clause: This clause specifies actions, which are the configuration commands the router uses after a route satisfies the filtering conditions you specify in the if-match clauses. The apply clause can change certain attributes of the route.

Preconfiguration tasks

Before you configure a route-policy, complete the following tasks:

• Configuring IP-prefix list.
• Configure routing protocols.

Data preparation

To configure the route-policy, you need the following data:

No. | Data
1 | Name and node number of the route-policy
2 | Matching condition
3 | The route attribute value to change

Configuration procedures

No. | Procedure
1 | Creating a route-policy
2 | Configuring if-match clauses
3 | Configuring apply clauses
4 | Checking the configuration

10.3.2 Creating a route-policy

Do as follows on the router to which you apply the route-policy:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    route-policy route-policy-name { permit | deny } node node
This command creates the node of the route-policy and the route-policy view appears.

----End

The permit keyword specifies the matching mode for a defined node in the route-policy. If a route satisfies all the if-match clauses of the node, the router performs the apply clauses for the node without testing the next node.

The deny keyword specifies the matching mode for a defined node in the route-policy. In this mode, the router does not use the apply clause. If a route entry satisfies all the if-match clauses of the node, the router denies the route and does not test the next node. If the entry does not satisfy all the clauses, the router continues by testing the route against the next node.

If you define multiple nodes in a route-policy, at least one of them must be in the permit mode. When you use the route-policy parameter to filter routing information, the following actions occur:

• If the routing information does not match any node, it is denied by the route-policy.
• If all the nodes in the routing policy are in the deny mode, the route-policy denies all routing information.

10.3.3 Configuring if-match clauses

Do as follows on the router to which you apply the route-policy:


Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    route-policy route-policy-name { permit | deny } node node
The route-policy view appears.

Step 3 Perform the following as required to configure the if-match clause in the route-policy:

• Run:
    if-match acl acl-number
  This command matches the ACL.

• Run:
    if-match cost cost
  This command matches the cost of the routing information.

• Run:
    if-match interface interface-type interface-number
  This command matches the outgoing interface of the routing information.

• Run:
    if-match ip { next-hop | route-source } { acl acl-number | ip-prefix ip-prefix-name }
  This command matches the IPv4 routing information (the next hop or address).

• Run:
    if-match ip-prefix ip-prefix-name
  This command matches the ip-prefix.

  NOTE

  For the same route-policy node, you cannot run the if-match acl command and the if-match ip-prefix command at the same time because the latest configuration overrides the previous configuration.

• Run:
    if-match ipv6 { address | next-hop | route-source } prefix-list ipv6-prefix-name
  This command matches the IPv6 routing information.

• Perform as follows to match the type of the routing information:

  − Run:
      if-match route-type { external-type1 | external-type1or2 | external-type2 | internal | nssa-external-type1 | nssa-external-type1or2 | nssa-external-type2 }
    This command matches the various OSPF routing information.

  − Run:
      if-match route-type { is-is-level-1 | is-is-level-2 }
    This command matches the IS-IS routing information of various levels.


• Run:
    if-match tag tag
  This command matches the tag of the OSPF routing information.

You can configure the commands in Step 3 in any order. A node can use multiple if-match clauses or none.

----End

NOTE

• For the same node in the route-policy, the relation between if-match clauses is AND. The routing information must satisfy all the match conditions before the route-policy performs the action of the apply clause. In the if-match route-type and if-match interface commands, the relation between if-match clauses is OR. In other commands, the relation between if-match clauses is AND.
• If you do not specify an if-match clause, all routes satisfy the node.

10.3.4 Configuring apply clauses

Do as follows on the router to which you apply the route-policy:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    route-policy route-policy-name { permit | deny } node node
The route-policy view appears.

Step 3 Perform as required to configure the apply clause in the route-policy:

• Run:
    apply backup-interface interface-type interface-number
  This command configures the backup outgoing interface.

• Run:
    apply backup-nexthop { ip-address | auto }
  This command configures the backup next hop.

• Run:
    apply cost [ + | - ] cost
  This command configures the cost of the routing information.

• Configure the cost type of the routing information.

  − Run:
      apply cost-type { external | internal }
    This command configures the cost type of IS-IS.

  − Run:
      apply cost-type { type-1 | type-2 }
    This command configures the cost type of OSPF.

• Run:
    apply ip-address next-hop ipv4-address
  This command configures the next-hop address of the IPv4 routing information.

• Run:
    apply ipv6 next-hop ipv6-address
  This command configures the next-hop address of the IPv6 routing information.

• Run:
    apply isis { level-1 | level-1-2 | level-2 }
  This command configures the route level of IS-IS.

• Run:
    apply ospf { backbone | stub-area }
  This command configures the area of the OSPF routing information.

• Run:
    apply preference preference
  This command configures the preference of the routing protocol.

• Run:
    apply tag tag
  This command configures the tag of the routing information.

You can run the commands in Step 3 in any order.

----End

10.3.5 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action | Command
Check the route-policy. | display route-policy [ route-policy-name ]

Run the display route-policy command. If you can view all configured routing policies, it means that the routing policy is correctly configured.

    display route-policy
    Route-policy : 10
      permit : 10
        Match clauses :
          if-match ip-prefix 10
        Apply clauses :
          apply cost 100
      permit : 20
        Apply clauses :
          apply community 1 2 3
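The node evaluation order described in 10.3.2 and the AND/OR relation of if-match clauses in 10.3.3 can be modelled in a few lines to see which node decides a given route. The following Python sketch is an added example and is not part of the Nortel documentation; the data layout, function names, and the sample policy and routes are constructed for illustration. It covers only the cost, tag, route-type and interface match kinds, and models apply clauses as setting an attribute to a fixed value.

```python
# Kinds whose repeated if-match clauses are ORed inside one node (10.3.3 NOTE);
# every other kind, and the relation between different kinds, is AND.
OR_KINDS = {"route-type", "interface"}


def node_matches(if_match, route):
    """if_match is a list of (kind, value); an empty list matches every route."""
    wanted = {}
    for kind, value in if_match:
        wanted.setdefault(kind, []).append(value)
    for kind, values in wanted.items():
        actual = route.get(kind)
        if kind in OR_KINDS:
            if actual not in values:
                return False
        elif any(actual != value for value in values):
            return False
    return True


def evaluate_policy(nodes, route):
    """Return (permitted, deciding node number or None, resulting route).

    nodes is a list of (node number, mode, if_match list, apply dict).
    """
    for number, mode, if_match, apply in sorted(nodes, key=lambda n: n[0]):
        if not node_matches(if_match, route):
            continue                      # not matched: test the next node
        if mode == "deny":
            return False, number, dict(route)   # deny node: apply is not used
        changed = dict(route)
        changed.update(apply)             # permit node: perform apply clauses
        return True, number, changed
    return False, None, dict(route)       # no node matched: route is denied


# Constructed policy, equivalent in intent to:
#   route-policy demo deny node 10     / if-match tag 666
#   route-policy demo permit node 20   / if-match route-type external-type1
#                                      / if-match route-type external-type2
#                                      / if-match cost 20
#                                      / apply cost 100, apply tag 20
#   route-policy demo permit node 30   (no if-match: permits everything else)
DEMO_POLICY = [
    (10, "deny", [("tag", 666)], {}),
    (20, "permit",
     [("route-type", "external-type1"), ("route-type", "external-type2"),
      ("cost", 20)],
     {"cost": 100, "tag": 20}),
    (30, "permit", [], {}),
]

# The same policy without the final permit-all node.
STRICT_POLICY = DEMO_POLICY[:2]

# Constructed sample routes.
BLOCKED = {"route-type": "internal", "cost": 5, "tag": 666}
REWRITTEN = {"route-type": "external-type2", "cost": 20, "tag": 0}
UNTOUCHED = {"route-type": "external-type2", "cost": 10, "tag": 0}

if __name__ == "__main__":
    for route in (BLOCKED, REWRITTEN, UNTOUCHED):
        print(evaluate_policy(DEMO_POLICY, route))
```

Removing node 30 turns the third route from permitted to denied, which is the implicit deny that applies when no node matches.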


10.4 Applying routing filters

10.4.1 Establishing the configuration task

Applicable environment

After you define the filters (IP prefix list, ACL, or route-policy) that relate to the routing policy, you must apply the filters to the protocols. The routing filter applies to the following cases:

• Filtering the route received and sent

  Use the filter-policy command in various protocols and reference the ACL and IP prefix list to filter the received and sent routes. The filter-policy receives and advertises only the partial routes that meet the requirements. Use the following commands:

  − filter-policy import, which filters the received routes.
  − filter-policy export, which filters the sent routes.

  For the Distance Vector protocols and the link state protocols, the operation process of the filter-policy command is different.

  − Distance Vector Protocol
    A Distance Vector protocol generates routes based on the routing table. The filter affects the routes received from the neighbor and the routes sent to the neighbor.

  − Link State Protocol
    A link state protocol generates routes based on the link state database. The filter-policy does not affect the advertisement of the link state or the integrity of the link state database. Therefore, the effect on the import and export is different. On the import, the filter-policy determines only which routes to install to the local core routing table from the protocol routing table. On the export, the filter-policy controls whether to advertise the routes imported from other protocols, for example, imported RIP routes, but does not affect the link state advertisements made by other routers.

• Applying policy to import external routes

  − Apply the import-route command in various protocols. Import the external route to various protocols and apply the route-policy to the imported routes.
  − After you import the external routes, run the filter-policy export command to filter the routing information. Only the routing information that passes the filtering is advertised.

NOTE

• BGP provides a powerful filtering function. For information about the configuration of the BGP policy, see BGP Configuration.
• For details about the filter-policy and import-route commands and their applications in RIP, OSPF, IS-IS, and BGP, see the configuration information for these protocols.

Preconfiguration tasks

Before you apply the related filters of the route-policy, complete the following tasks:

• Complete the procedures in Configuring IP-prefix list.
• Configure an ACL.
• Complete the procedures in Configuring the route-policy.

Data preparation

To configure the related filters of route-policy, you need the following data.

No. | Data
1 | Name of IP prefix list
2 | Name of ACL
3 | Name of route-policy and node number

Configuration procedures

No. | Procedure
1 | Filtering the route received
2 | Configuring the route advertised
3 | Applying route-policy when external routes are imported
4 | Checking the configuration

10.4.2 Filtering the route received

This procedure uses OSPF as an example. Configure OSPF to filter the received routes.

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    ospf [ process-id ]
This command enables the OSPF process and the OSPF view appears.

Step 3 Run:
    filter-policy { acl-number | ip-prefix ip-prefix-name } import
This command filters the route received.

----End

10.4.3 Configuring the route advertised

This procedure uses BGP as an example. Configure BGP to filter the advertised route.


Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    bgp as-number
The BGP view appears.

Step 3 Run:
    ipv4-family unicast
The IPv4 unicast address family view appears.

Step 4 Run:
    filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol [ process-id ] ]
This command filters advertised routing information. For the routes that BGP imports, only those that meet requirements are added to the local BGP routing table and advertised to BGP peers.

• Specify protocol to filter only the specific routing information.
• If you do not specify the protocol, all BGP routing information that you import by using the network command is filtered.

----End

NOTE

• For the link state protocol, only the routing information imported is filtered.
• For Distance Vector protocol, the routing information imported and the routing information that the protocol discovers is filtered.

10.4.4 Applying route-policy when external routes are imported

This procedure uses RIP as an example. Apply a route-policy when importing external routes.

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    rip [ process-id ]
This command enables the RIP routing process and the RIP view appears.

Step 3 Run:
    import-route protocol [ process-id ] [ cost cost ] [ route-policy route-policy-name ]
This command imports the external routes.

----End


10.4.5 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action | Command
Check the information about the protocol routing table (like RIP). | display rip process-id route
Check the information about the IP routing table. | display ip routing-table

Run the display rip process-id route command on the neighboring router to verify that the route that matches the neighbor filtering condition is filtered or that the apply action is performed.

Run the display ip routing-table command on the neighboring router to verify that the route that matches the neighbor filtering condition is filtered or that the apply action is performed.

10.5 Controlling valid time of routing policy

10.5.1 Establishing the configuration task

Applicable environment

In actual applications, when the configurations of multiple matched routing policies change, the Routing Management module (RM) immediately notifies the various protocols to re-apply routing policies as soon as the configuration of one routing policy is complete. Applying an incomplete routing policy can cause route flapping and instability of the network.

The Secure Router 8000 Series provides the following rules for processing changes of routing policy:

• When the commands you use to configure a routing policy change, RM does not notify the various protocols of the changes immediately, but waits for a short time (by default, 30 seconds), and then notifies the various protocols to use the changed routing policy.
• If the routing policy changes again during the waiting time, RM resets the timer.

You can run the related commands to select the wait time according to the actual situation.

Preconfiguration tasks

None

Data preparation

To configure the valid time of the routing policy, you need the following data.

No. | Data
1 | Delay to apply the routing policy


Configuration procedures

No. | Procedure
1 | Configuring the delay for applying routing policy
2 | Checking the configuration

10.5.2 Configuring the delay for applying routing policy

Do as follows on the router on which you must change the delay for applying routing policy:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:
    route-policy-change notify-delay delay-time
This command configures the delay for applying routing policy. The value of the delay ranges from 0 to 180 seconds. By default, the value is 30 seconds.

• If you configure the value to 0, RM immediately notifies the protocol to apply a new policy when the routing policy changes.
• If you do not use the command, by default, the value of the delay is 30 seconds.

Step 3 Run:
    refresh bgp all
This command configures BGP to apply the new routing policy. This step is optional. After you use the command, the effect of the policy filtering is immediate.

----End

The timer affects the ACL, IP prefix list, AS_Path filter, community filter, extended community filter, and route-policy.

10.5.3 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action: Check the delay for applying the routing policy.
Command: display current-configuration | include notify-delay

After you run the display current-configuration command, you can find the delay for applying the routing policy. For example:


    display current-configuration | include notify-delay
    route-policy-change notify-delay 10
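Because RM resets the timer on every further change (10.5.1), a series of edits can keep the previous filters in force for longer than the configured delay. The following Python sketch is an added example and is not part of the Nortel documentation; the function names and the sample change times are constructed. It assumes that a change arriving exactly when the timer expires counts as arriving after expiry.

```python
def notifications(change_times, delay):
    """Model the notify-delay timer of 10.5.

    change_times: seconds at which routing policy commands were changed.
    delay: the notify-delay value in seconds (0 to 180, default 30).
    Returns [(time RM notifies the protocols, [changes covered])].
    """
    if not 0 <= delay <= 180:
        raise ValueError("notify-delay ranges from 0 to 180 seconds")
    batches = []
    for t in sorted(change_times):
        if batches and t < batches[-1][0]:
            # Timer still running: RM resets it and the change joins the batch.
            batches[-1] = (t + delay, batches[-1][1] + [t])
        else:
            # Timer idle or already expired: a new waiting period starts.
            batches.append((t + delay, [t]))
    return batches


def longest_wait(change_times, delay):
    """Longest time any single change waited before the protocols were told."""
    return max(
        (notify - changes[0] for notify, changes in notifications(change_times, delay)),
        default=0,
    )


# Constructed sample: three edits close together, then one much later.
SAMPLE_CHANGES = [0, 20, 45, 200]

if __name__ == "__main__":
    print(notifications(SAMPLE_CHANGES, 30))   # default delay
    print(longest_wait(SAMPLE_CHANGES, 30))
    print(notifications(SAMPLE_CHANGES, 0))    # delay 0: immediate notification
```

With the default delay the first edit in the sample is not applied until 75 seconds after it was entered, which is the interval in which a tightened filter is configured but not yet enforced unless step 3 of 10.5.2 is used for BGP.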

10.6 Configuring IP FRR of the public network

10.6.1 Establishing the configuration task

Applicable environment

IP FRR applies to services that are sensitive to packet loss or delay in the private network.

Preconfiguration tasks

Before you configure IP FRR of the public network, complete the following tasks:

• Configure routing policy on each router to implement interworking of the network.
• Generate two routes with different cost.

Data preparation

To configure the IP FRR of public network, you need the following data.

No. | Data
1 | Name of the route-policy and the node number
2 | Outgoing interface of the backup routing
3 | Next hop of the backup routing (optional)

Configuration procedures

No. | Procedure
1 | Configuring route-policy
2 | Enabling IP FRR in the public network
3 | Checking the configuration

10.6.2 Configuring route-policy

Do as follows on the router to which you apply the public network IP FRR:

Step 1 Run:
    system-view
The system view appears.

Step 2 Run:

route-policy route-policy-name { permit | deny } node node

This command creates the node of the route-policy and the route-policy view appears.

Step 3 Run:

if-match

This command configures the match condition to filter the backup routes. You can use the if-match command as described in Configuring if-match clauses. This step is optional. If you do not configure the match condition, IP FRR backs up outgoing interfaces and next hops for all routes on the router. As a result, some routes that do not need backups are configured with backups. You must correctly configure the relation between routes that require backup and the backup routes. Nortel recommends that you use the match condition to specify the routes to back up.

Step 4 Run:

apply backup-interface interface-type interface-number

This command configures the backup outgoing interface.

Step 5 Run:

apply backup-nexthop ip-address

This command configures the backup next hop.

----End

- If you specify the backup next hop, you must specify the backup outgoing interface.
- If you specify the backup outgoing interface on the P2P link, you do not need to specify the backup next hop.
- If you specify the backup outgoing interface on a non-P2P link, you must specify the backup next hop.

10.6.3 Enabling IP FRR in the public network

Do as follows on the router to which you apply the public network IP FRR:

Step 1 Run:

system-view

The system view appears.

Step 2 Run:

ip frr route-policy route-policy-name

This command enables the IP FRR function. Before you apply the IP FRR function, you must enable the IP FRR function. As a result, the policy you use to configure the outgoing interface and the next hop becomes valid.

----End
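The rules in 10.6.2 and 10.6.3 (a backup next hop needs a backup outgoing interface, a non-P2P backup interface needs a next hop, and ip frr must bind the route-policy) can be checked offline against a saved configuration file. The following Python script is an added example, not Nortel code; the sample configuration, the finding codes, and the treatment of PPP-encapsulated interfaces as the only P2P links are assumptions.

```python
"""Lint a saved configuration against the IP FRR rules of 10.6.2 and 10.6.3."""

# Constructed sample, modelled on a router configuration file. It contains
# deliberate mistakes: a misspelled prefix-list name and incomplete backup settings.
SAMPLE_CONFIG = """\
#
 sysname RouterT
#
 ip frr route-policy ip_frr_rp
#
interface GigabitEthernet3/0/0
 ip address 192.168.20.1 255.255.255.0
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.30.1 255.255.255.0
#
 ip ip-prefix frr1 permit 172.17.1.1 24
#
route-policy ip_frr_rp permit node 10
 if-match ip-prefix frrl
 apply backup-nexthop 192.168.20.2
 apply backup-interface GigabitEthernet3/0/0
route-policy ip_frr_rp permit node 20
 apply backup-interface GigabitEthernet3/0/0
route-policy unused_rp permit node 10
 if-match ip-prefix frr1
 apply backup-nexthop 192.168.30.2
#
return
"""


def parse(config):
    """Collect prefix lists, ACLs, interfaces, route-policy nodes and the FRR binding."""
    cfg = {"prefix_lists": set(), "acls": set(), "p2p": {}, "nodes": [], "frr": None}
    section = None  # interface name (str) or route-policy node (dict) being read
    for raw in config.splitlines():
        words = raw.split()
        if not words or words == ["#"]:
            section = None
        elif words[:2] == ["ip", "ip-prefix"] and len(words) > 2:
            cfg["prefix_lists"].add(words[2])
        elif words[:2] == ["acl", "number"] and len(words) > 2:
            cfg["acls"].add(words[2])
        elif words[:3] == ["ip", "frr", "route-policy"] and len(words) > 3:
            cfg["frr"] = words[3]
        elif words[0] == "interface":
            section = "".join(words[1:]).lower()
            cfg["p2p"][section] = False
        elif words[0] == "route-policy" and "node" in words:
            section = {"policy": words[1], "node": int(words[-1]),
                       "matches": [], "bk_if": None, "bk_nh": None}
            cfg["nodes"].append(section)
        elif isinstance(section, str) and words[:2] == ["link-protocol", "ppp"]:
            # Assumption: only PPP-encapsulated links are treated as P2P.
            cfg["p2p"][section] = True
        elif isinstance(section, dict) and words[0] == "if-match":
            section["matches"].append(words[1:])
        elif isinstance(section, dict) and len(words) > 2 and words[0] == "apply":
            if words[1] == "backup-interface":
                section["bk_if"] = "".join(words[2:]).lower()
            elif words[1] == "backup-nexthop":
                section["bk_nh"] = words[2]
    return cfg


def audit(config):
    """Return a sorted list of (severity, code, location) findings."""
    cfg = parse(config)
    findings = []
    policies = {n["policy"] for n in cfg["nodes"]}
    if cfg["frr"] and cfg["frr"] not in policies:
        findings.append(("error", "frr-policy-undefined", cfg["frr"]))
    for n in cfg["nodes"]:
        if not (n["bk_if"] or n["bk_nh"]):
            continue  # node carries no FRR backup settings
        where = f"{n['policy']} node {n['node']}"
        if n["policy"] != cfg["frr"]:
            # 10.6.3: backup settings become valid only after ip frr binds the policy.
            findings.append(("warning", "policy-not-enabled", where))
        if not n["matches"]:
            # 10.6.2 step 3: without if-match, all routes get this backup.
            findings.append(("warning", "no-if-match", where))
        for m in n["matches"]:
            if m[:1] == ["ip-prefix"] and m[1:2] and m[1] not in cfg["prefix_lists"]:
                findings.append(("error", "undefined-ip-prefix", where))
            if m[:1] == ["acl"] and m[1:2] and m[1] not in cfg["acls"]:
                findings.append(("error", "undefined-acl", where))
        if n["bk_nh"] and not n["bk_if"]:
            findings.append(("error", "nexthop-without-interface", where))
        if n["bk_if"] and not n["bk_nh"] and not cfg["p2p"].get(n["bk_if"], False):
            findings.append(("error", "non-p2p-without-nexthop", where))
    return sorted(findings)


if __name__ == "__main__":
    for severity, code, where in audit(SAMPLE_CONFIG):
        print(f"{severity:8} {code:28} {where}")
```

A dangling prefix-list name is worth catching before deployment because the if-match clause is the only thing that limits which routes receive a backup.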

10.6.4 Checking the configuration

Use the commands in the following table to check the previous configuration.

Action                                   Command
Check the route-policy.                  display route-policy [ route-policy-name ]
Check the backup outgoing interface      display ip routing-table verbose
and the backup next hop in the           display ip routing-table ip-address [ mask | mask-length ] [ longer-match ] verbose
routing table.                           display ip routing-table ip-address1 { mask1 | mask-length1 } ip-address2 { mask2 | mask-length2 } verbose

Run the display ip routing-table verbose command. If you can find the backup outgoing interface and backup next hop of the route, it means that the FRR is correctly configured.

display ip routing-table 172.17.1.0 verbose
Routing Table : Public
Summary Count : 1

Destination: 172.17.1.0/24
     Protocol: OSPF                 Process ID: 1
   Preference: 60                         Cost: 0
      NextHop: 192.168.10.2          Neighbour: 0.0.0.0
        State: Active Adv                  Age: 00h00m06s
          Tag: 0                      Priority: 0
        Label: NULL                    QoSInfo: 0x0
 RelayNextHop: 0.0.0.0               Interface: GigabitEthernet2/0/0
     TunnelID: 0x0
    BkNextHop: 192.168.20.2        BkInterface: GigabitEthernet3/0/0
      BkLabel: 0                   SecTunnelID: 0x0
 BkPETunnelID: 0x0             BkPESecTunnelID: 0x0

10.7 Maintaining routing policy

The section covers the following topics:

- Clearing statistics of IP prefix list

10.7.1 Clearing statistics of IP prefix list

You cannot restore statistics of IP prefix list after you clear them. Confirm the action before you use the command.

To clear the statistics of IP prefix lists, run the following commands in the user view.

Action                                   Command
Clear the IPv4 prefix list statistics.   reset ip ip-prefix [ ip-prefix-name ]
Clear the IPv6 prefix list statistics.   reset ip ipv6-prefix [ ipv6-prefix-name ]

By default, the statistics of the IP prefix list are not cleared.

10.8 Configuration examples

The section provides the following examples:

- Example of filtering routes received and sent
- Example of applying the routing policy during importing routes
- Example of configuring the IP FRR of the public network

10.8.1 Example of filtering routes received and sent

Networking requirements

As shown in Figure 10-1, in a network that runs OSPF, Router A receives routes from the network and provides a partial Internet route for Router B. Router A provides only 172.1.17.0/24, 172.1.18.0/24, and 172.1.19.0/24 for Router B. Router C receives only 172.1.18.0/24. Router D sends only 172.1.18.0/24. Router D receives all routes provided by Router B.

Figure 10-1 Routing information sent and received

[Network diagram: Router A, Router B, Router C, and Router D in an OSPF network. Router B connects to Router A on POS1/0/0, to Router D on POS2/0/0, and to Router C on POS3/0/0.]

Configuration roadmap

The steps in the configuration roadmap are:

- Configure basic OSPF functions on Router A, Router B, Router C, and Router D.
- Configure static routes on Router A and check the filtering result on Router B.
- Configure the route advertisement policy on Router A and check the filtering results on Router B.
- Configure the route receiving policy on Router C and check the filtering result on Router C.

Data preparation

To filter the routes received and sent, you need the following data.

- Five static routes that Router A imports
- Router A, Router B, Router C, and Router D reside in Area 0
- Name of the IP prefix list and route to filter

Configuration procedure

Step 1 Configure the IP address for each interface.

Step 2 Configure OSPF.

# Configure Router A:

[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit

# Configure Router B:

[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit

# Configure Router C:

[RouterC] ospf
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit

# Configure Router D:

[RouterD] ospf
[RouterD-ospf-1] area 0
[RouterD-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255
[RouterD-ospf-1-area-0.0.0.0] quit

Step 3 Configure five static routes on Router A and import these routes to OSPF:

[RouterA] ip route-static 172.1.16.0 24 NULL0
[RouterA] ip route-static 172.1.17.0 24 NULL0
[RouterA] ip route-static 172.1.18.0 24 NULL0
[RouterA] ip route-static 172.1.19.0 24 NULL0
[RouterA] ip route-static 172.1.20.0 24 NULL0

[RouterA] ospf
[RouterA-ospf-1] import-route static
[RouterA-ospf-1] quit

# Check the IP routing table on Router B to view the five static routes OSPF imports:

[RouterB] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 16       Routes : 16

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface

127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0
172.1.16.0/24       O_ASE   150  1     D      192.168.1.1     Pos1/0/0
172.1.17.0/24       O_ASE   150  1     D      192.168.1.1     Pos1/0/0
172.1.18.0/24       O_ASE   150  1     D      192.168.1.1     Pos1/0/0
172.1.19.0/24       O_ASE   150  1     D      192.168.1.1     Pos1/0/0
172.1.20.0/24       O_ASE   150  1     D      192.168.1.1     Pos1/0/0
192.168.1.0/24      Direct  0    0     D      192.168.1.2     Pos1/0/0
192.168.1.1/32      Direct  0    0     D      192.168.1.1     Pos1/0/0
192.168.1.2/32      Direct  0    0     D      127.0.0.1       InLoopBack0
192.168.2.0/24      Direct  0    0     D      192.168.2.1     Pos3/0/0
192.168.2.1/32      Direct  0    0     D      127.0.0.1       InLoopBack0
192.168.2.2/32      Direct  0    0     D      192.168.2.2     Pos3/0/0
192.168.3.0/24      Direct  0    0     D      192.168.3.1     Pos2/0/0
192.168.3.1/32      Direct  0    0     D      127.0.0.1       InLoopBack0
192.168.3.2/32      Direct  0    0     D      192.168.3.2     Pos2/0/0

Step 4 Configure route advertisement policy.

# Configure the IP prefix list a2b on Router A:

[RouterA] ip ip-prefix a2b index 10 permit 172.1.17.0 24
[RouterA] ip ip-prefix a2b index 20 permit 172.1.18.0 24
[RouterA] ip ip-prefix a2b index 30 permit 172.1.19.0 24

# Configure the route advertisement policy on Router A and use the IP prefix list a2b to filter routes:

[RouterA] ospf
[RouterA-ospf-1] filter-policy ip-prefix a2b export static

# Check the IP routing table on Router B to view the three routes Router B receives from a2b:

[RouterB] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 14       Routes : 14

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface

127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0
172.1.17.0/24       O_ASE   150  1     D      192.168.1.1     Pos1/0/0
172.1.18.0/24       O_ASE   150  1     D      192.168.1.1     Pos1/0/0
172.1.19.0/24       O_ASE   150  1     D      192.168.1.1     Pos1/0/0
192.168.1.0/24      Direct  0    0     D      192.168.1.2     Pos1/0/0
192.168.1.1/32      Direct  0    0     D      192.168.1.1     Pos1/0/0
192.168.1.2/32      Direct  0    0     D      127.0.0.1       InLoopBack0
192.168.2.0/24      Direct  0    0     D      192.168.2.1     Pos3/0/0
192.168.2.1/32      Direct  0    0     D      127.0.0.1       InLoopBack0
192.168.2.2/32      Direct  0    0     D      192.168.2.2     Pos3/0/0
192.168.3.0/24      Direct  0    0     D      192.168.3.1     Pos2/0/0
192.168.3.1/32      Direct  0    0     D      127.0.0.1       InLoopBack0
192.168.3.2/32      Direct  0    0     D      192.168.3.2     Pos2/0/0

Step 5 Configure route receiving policy.

# Configure the IP prefix list named in on Router C:

[RouterC] ip ip-prefix in index 10 permit 172.1.18.0 24

# Configure the receiving policy on Router C and use the IP prefix list named in to filter routes:

[RouterC] ospf
[RouterC-ospf-1] filter-policy ip-prefix in import

# Check the IP routing table on Router C. The local core routing table of Router C receives only the one route that the list named in permits:

[RouterC] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost  Flags  NextHop         Interface

127.0.0.0/8         Direct  0    0     D      127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1       InLoopBack0
172.1.18.0/24       O_ASE   150  1     D      192.168.2.1     Pos1/0/0
192.168.2.0/24      Direct  0    0     D      192.168.2.2     Pos1/0/0
192.168.2.1/32      Direct  0    0     D      192.168.2.1     Pos1/0/0
192.168.2.2/32      Direct  0    0     D      127.0.0.1       InLoopBack0

# Check the OSPF routing table of Router C. You can see that the three routes that the list a2b defines are in the OSPF routing table. In the link state protocol, you can run the filter-policy import command to filter the routes that join the local core routing table from the protocol routing table.

[RouterC] display ospf routing

OSPF Process 1 with Router ID 192.168.2.2
Routing Tables

Routing for Network
Destination        Cost  Type   NextHop         AdvRouter       Area
192.168.3.0/24     2     Stub   192.168.2.1     192.168.3.1     0.0.0.0
192.168.1.0/24     2     Stub   192.168.2.1     192.168.3.1     0.0.0.0
192.168.2.0/24     1     Stub   192.168.2.2     192.168.2.2     0.0.0.0

Routing for ASEs
Destination        Cost  Type   Tag  NextHop         AdvRouter
172.1.17.0/24      1     Type2  1    192.168.2.1     192.168.1.1
172.1.18.0/24      1     Type2  1    192.168.2.1     192.168.1.1
172.1.19.0/24      1     Type2  1    192.168.2.1     192.168.1.1

Total Nets: 6
Intra Area: 3  Inter Area: 0  ASE: 3  NSSA: 0

----End

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.1.1 255.255.255.0
#
ospf 1
 filter-policy ip-prefix a2b export static
 import-route static
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
 ip ip-prefix a2b index 10 permit 172.1.17.0 24
 ip ip-prefix a2b index 20 permit 172.1.18.0 24
 ip ip-prefix a2b index 30 permit 172.1.19.0 24
#
 ip route-static 172.1.16.0 255.255.255.0 NULL0
 ip route-static 172.1.17.0 255.255.255.0 NULL0
 ip route-static 172.1.18.0 255.255.255.0 NULL0
 ip route-static 172.1.19.0 255.255.255.0 NULL0
 ip route-static 172.1.20.0 255.255.255.0 NULL0
#
return

- Configuration file of Router B

#
 sysname RouterB
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.1.2 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 192.168.3.1 255.255.255.0
#
interface Pos3/0/0
 link-protocol ppp
 ip address 192.168.2.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
  network 192.168.3.0 0.0.0.255
#
return

- Configuration file of Router C

#
 sysname RouterC
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.2.2 255.255.255.0
#
ospf 1
 filter-policy ip-prefix in import
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255
#
 ip ip-prefix in index 10 permit 172.1.18.0 24
#
return

- Configuration file of Router D

#
 sysname RouterD
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.3.2 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.3.0 0.0.0.255
#
return

10.8.2 Example of applying the routing policy during importing routes

Networking requirements

As shown in Figure 10-2, Router B exchanges routing information with Router A through OSPF and with Router C through IS-IS. Router B imports IS-IS routes into the OSPF routing protocol and uses the routing policy to configure the route attributes at the same time. The cost value of the route 172.17.1.0/24 is 100 and the tag attribute of the route 172.17.2.0/24 is 20.

Figure 10-2 Routing policy application during route import

[Network diagram: Router A and Router B run OSPF; Router B and Router C run IS-IS. Router C has GbE1/0/0 172.17.1.1/24, GbE2/0/0 172.17.2.1/24, and GbE3/0/0 172.17.3.1/24.]

Configuration roadmap

The steps in the configuration roadmap are:

1. Configure basic IS-IS functions on Router B and Router C.
2. Configure OSPF on Router A and Router B and then import the IS-IS routes.
3. Configure the routing policy on Router B, apply the routing policy as OSPF imports the IS-IS routes, and check the routing information.

Data preparation

To complete the configuration, you need the following data:

- The IS-IS class of Router C is Level-2. The system ID is 0000.0000.0001. The IS-IS class of Router B is Level-2. The system ID is 0000.0000.0002. The area number of Router B and Router C is 10.
- Router A and Router B are in the OSPF backbone area (Area 0).
- Configure the name of the filtering list and IP prefix list. The cost value of the route 172.17.1.0/24 is 100. The tag value of the route 172.17.2.0/24 is 20.

Configuration procedure

Step 1 Configure the IP address for each interface.

Step 2 Configure the IS-IS routing protocol.

# Configure Router C:

[RouterC] isis
[RouterC-isis-1] is-level level-2
[RouterC-isis-1] network-entity 10.0000.0000.0001.00
[RouterC-isis-1] quit
[RouterC] interface pos 4/0/0
[RouterC-Pos4/0/0] isis enable
[RouterC-Pos4/0/0] quit
[RouterC] interface GigabitEthernet 1/0/0
[RouterC-GigabitEthernet1/0/0] isis enable
[RouterC-GigabitEthernet1/0/0] quit
[RouterC] interface GigabitEthernet 2/0/0
[RouterC-GigabitEthernet2/0/0] isis enable
[RouterC-GigabitEthernet2/0/0] quit
[RouterC] interface GigabitEthernet 3/0/0
[RouterC-GigabitEthernet3/0/0] isis enable
[RouterC-GigabitEthernet3/0/0] quit

# Configure Router B:

[RouterB] isis
[RouterB-isis-1] is-level level-2
[RouterB-isis-1] network-entity 10.0000.0000.0002.00
[RouterB-isis-1] quit
[RouterB] interface pos 2/0/0
[RouterB-Pos2/0/0] isis enable
[RouterB-Pos2/0/0] quit

Step 3 Configure the OSPF routing protocol and route import:

# Configure Router A and enable OSPF:

[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit

# Configure Router B. Enable OSPF and import IS-IS routes:

[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] import-route isis 1

# Check the OSPF routing list of Router A to see the imported routes:

[RouterA] display ospf routing

OSPF Process 1 with Router ID 192.168.1.1
Routing Tables

Routing for Network
Destination        Cost  Type   NextHop         AdvRouter       Area
192.168.1.0/24     1     Stub   192.168.1.1     192.168.1.1     0.0.0.0

Routing for ASEs
Destination        Cost  Type   Tag  NextHop         AdvRouter
172.17.1.0/24      1     Type2  1    192.168.1.2     192.168.1.2
172.17.2.0/24      1     Type2  1    192.168.1.2     192.168.1.2
172.17.3.0/24      1     Type2  1    192.168.1.2     192.168.1.2
192.168.2.0/24     1     Type2  1    192.168.1.2     192.168.1.2

Routing for NSSAs
Destination        Cost  Type   Tag  NextHop         AdvRouter

Total Nets: 5
Intra Area: 1  Inter Area: 0  ASE: 4  NSSA: 0

[RouterA]

Step 4 Configure the filtering list.

# Configure ACL 2002 and permit 172.17.2.0/24 to pass:

[RouterB] acl number 2002
[RouterB-acl-basic-2002] rule permit source 172.17.2.0 0.0.0.255
[RouterB-acl-basic-2002] quit

# Configure the IP prefix list named prefix-a and permit 172.17.1.0/24 to pass:

[RouterB] ip ip-prefix prefix-a index 10 permit 172.17.1.0 24

Step 5 Configure the route-policy:

[RouterB] route-policy isis2ospf permit node 10
[RouterB-route-policy] if-match ip-prefix prefix-a
[RouterB-route-policy] apply cost 100
[RouterB-route-policy] quit
[RouterB] route-policy isis2ospf permit node 20
[RouterB-route-policy] if-match acl 2002
[RouterB-route-policy] apply tag 20
[RouterB-route-policy] quit
[RouterB] route-policy isis2ospf permit node 30
[RouterB-route-policy] quit

Step 6 Apply the route-policy when the route imports.

# Configure Router B and apply the route-policy as the route imports:

[RouterB] ospf
[RouterB-ospf-1] import-route isis 1 route-policy isis2ospf
[RouterB-ospf-1] quit

# Check the OSPF routing list of Router A. The cost of the route with the destination address 172.17.1.0/24 is 100, and the tag of the route with the destination address 172.17.2.0/24 is 20. Other routing attributes do not change.

[RouterA] display ospf routing

OSPF Process 1 with Router ID 192.168.1.1
Routing Tables

Routing for Network
Destination        Cost  Type   NextHop         AdvRouter       Area
192.168.1.0/24     1     Stub   192.168.1.1     192.168.1.1     0.0.0.0

Routing for ASEs
Destination        Cost  Type   Tag  NextHop         AdvRouter
172.17.1.0/24      100   Type2  1    192.168.1.2     192.168.1.2
172.17.2.0/24      1     Type2  20   192.168.1.2     192.168.1.2
172.17.3.0/24      1     Type2  1    192.168.1.2     192.168.1.2
192.168.2.0/24     1     Type2  1    192.168.1.2     192.168.1.2

Routing for NSSAs
Destination        Cost  Type   Tag  NextHop         AdvRouter

Total Nets: 5
Intra Area: 1  Inter Area: 0  ASE: 4  NSSA: 0

[RouterA]

----End
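The filtering in 10.8.1 (prefix list a2b on export) and the attribute changes in 10.8.2 (route-policy isis2ospf on import) can be reproduced with a small model of the matching logic. The following Python script is an added example, not Nortel code. It assumes that an ip-prefix entry without a length range matches only the exact prefix, that a basic ACL is compared against the route's network address, and that a route matching no entry or node is denied; it also shows why the empty node 30 is needed.

```python
"""Model of ip-prefix filtering (10.8.1) and route-policy evaluation (10.8.2)."""
import ipaddress


def net(prefix):
    return ipaddress.ip_network(prefix)


def prefix_list_permits(entries, route):
    """entries: (index, action, prefix). Lowest index wins; exact prefix match."""
    for _, action, prefix in sorted(entries):
        if ipaddress.ip_network(prefix, strict=False) == route:
            return action == "permit"
    return False  # assumption: no matching entry means deny


def acl_permits(rules, route):
    """rules: (action, source, wildcard), compared with the route's network address."""
    for action, source, wildcard in rules:
        care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
        if int(route.network_address) & care == int(ipaddress.ip_address(source)) & care:
            return action == "permit"
    return False


def run_route_policy(nodes, route, attrs):
    """Return the route's attributes after the policy, or None if it is denied."""
    for node in sorted(nodes, key=lambda n: n["node"]):
        # A node with no if-match clause matches every route.
        if all(cond(route) for cond in node["if_match"]):
            if node["mode"] == "deny":
                return None
            return {**attrs, **node["apply"]}
    return None  # assumption: a route that matches no node is denied


# 10.8.1: prefix list a2b applied to the five static routes on Router A.
A2B = [(10, "permit", "172.1.17.0/24"),
       (20, "permit", "172.1.18.0/24"),
       (30, "permit", "172.1.19.0/24")]
STATIC_ROUTES = [f"172.1.{n}.0/24" for n in range(16, 21)]


def exported_by_router_a():
    return [r for r in STATIC_ROUTES if prefix_list_permits(A2B, net(r))]


# 10.8.2: route-policy isis2ospf applied as OSPF imports the IS-IS routes.
PREFIX_A = [(10, "permit", "172.17.1.0/24")]
ACL_2002 = [("permit", "172.17.2.0", "0.0.0.255")]
ISIS2OSPF = [
    {"node": 10, "mode": "permit", "apply": {"cost": 100},
     "if_match": [lambda r: prefix_list_permits(PREFIX_A, r)]},
    {"node": 20, "mode": "permit", "apply": {"tag": 20},
     "if_match": [lambda r: acl_permits(ACL_2002, r)]},
    {"node": 30, "mode": "permit", "apply": {}, "if_match": []},
]
ISIS_ROUTES = ["172.17.1.0/24", "172.17.2.0/24", "172.17.3.0/24", "192.168.2.0/24"]


def imported_into_ospf(nodes):
    """Cost 1 and tag 1 are the values shown before the policy is applied."""
    result = {}
    for r in ISIS_ROUTES:
        attrs = run_route_policy(nodes, net(r), {"cost": 1, "tag": 1})
        if attrs is not None:
            result[r] = attrs
    return result


if __name__ == "__main__":
    print("Router A exports:", exported_by_router_a())
    for route, attrs in imported_into_ospf(ISIS2OSPF).items():
        print(route, attrs)
    # Without node 30, only the routes matched by nodes 10 and 20 are imported.
    print("without node 30:", sorted(imported_into_ospf(ISIS2OSPF[:2])))
```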

Configuration files

- Configuration file of Router A

#
 sysname RouterA
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
return

- Configuration file of Router B

#
 sysname RouterB
#
acl number 2002
 rule 5 permit source 172.17.2.0 0.0.0.255
#
isis 1
 is-level level-2
 network-entity 10.0000.0000.0002.00
#
interface Pos1/0/0
 link-protocol ppp
 ip address 192.168.1.2 255.255.255.0
#
interface Pos2/0/0
 link-protocol ppp
 ip address 192.168.2.2 255.255.255.0
 isis enable 1
#
ospf 1
 import-route isis 1 route-policy isis2ospf
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
route-policy isis2ospf permit node 10
 if-match ip-prefix prefix-a
 apply cost 100
route-policy isis2ospf permit node 20
 if-match acl 2002
 apply tag 20
route-policy isis2ospf permit node 30
#
 ip ip-prefix prefix-a index 10 permit 172.17.1.0 24
#
return

- Configuration file of Router C

#
 sysname RouterC
#
isis 1
 is-level level-2
 network-entity 10.0000.0000.0001.00
#
interface GigabitEthernet1/0/0
 ip address 172.17.1.1 255.255.255.0
 isis enable 1
#
interface GigabitEthernet2/0/0
 ip address 172.17.2.1 255.255.255.0
 isis enable 1
#
interface GigabitEthernet3/0/0
 ip address 172.17.3.1 255.255.255.0
 isis enable 1
#
interface Pos4/0/0
 link-protocol ppp
 ip address 192.168.2.1 255.255.255.0
 isis enable 1
#
return

10.8.3 Example of configuring the IP FRR of the public network

Networking requirements

As shown in Figure 10-3, configure the backup egress and the backup next hop to configure link B as the backup of link A. When a fault occurs on link A, the traffic switches to link B.

Figure 10-3 IP FRR in the public network

[Network diagram: Router T reaches Router C over link A through Router A and over link B through Router B.]

Configuration roadmap

The steps in the configuration roadmap are:

1. Enable basic OSPF functions on each router.
2. Configure a larger cost value on interface GbE3/0/0 of Router T and Router C.
3. Configure the route-policy on Router T, configure the next hop and backup egress, enable the IP FRR of the public network, and check the information about the backup egress and the backup next hop.
4. Check the information about the backup egress and the backup next hop after you disable the IP FRR.

Data preparation

To complete the configuration, you need the following data:

- The cost value of the OSPF interface is 100.
- Configure the name of the route-policy and the node number. Configure the backup next hop 192.168.20.2 and the backup egress GbE3/0/0.

Configuration procedure

Step 1 Configure the IP address for each interface.

Step 2 Configure OSPF on Router T, Router A, Router B, and Router C.

Step 3 Configure the cost value on the OSPF interface.

# Configure a relatively large cost value on GbE3/0/0 on Router T so that OSPF chooses link A:

[RouterT] interface gigabitethernet 3/0/0
[RouterT-GigabitEthernet3/0/0] ospf cost 100
[RouterT-GigabitEthernet3/0/0] quit

# Configure the cost value on GbE3/0/0 on Router C so that OSPF chooses link A:

[RouterC] interface gigabitethernet 3/0/0
[RouterC-GigabitEthernet3/0/0] ospf cost 100
[RouterC-GigabitEthernet3/0/0] quit

Step 4 Configure the route-policy.

# Configure the route-policy on Router T and configure the backup next hop and backup egress. Configure an if-match clause to limit the application scope:

[RouterT] ip ip-prefix frr1 permit 172.17.1.1 24
[RouterT] route-policy ip_frr_rp permit node 10
[RouterT-route-policy] if-match ip-prefix frr1
[RouterT-route-policy] apply backup-nexthop 192.168.20.2
[RouterT-route-policy] apply backup-interface gigabitethernet3/0/0
[RouterT-route-policy] quit

Step 5 Enable the IP FRR function of the public network.

[RouterT] ip frr route-policy ip_frr_rp

# Check the information about the egress and the backup next hop on Router T:

display ip routing-table 172.17.1.0 verbose
Routing Table : Public
Summary Count : 1

Destination: 172.17.1.0/24
     Protocol: OSPF                 Process ID: 1
   Preference: 10                         Cost: 3
      NextHop: 192.168.10.2          Neighbour: 0.0.0.0
        State: Active Adv                  Age: 01h16m46s
          Tag: 0                      Priority: 0
        Label: NULL                    QoSInfo: 0x0
 RelayNextHop: 0.0.0.0               Interface: GigabitEthernet2/0/0
     TunnelID: 0x0
    BkNextHop: 192.168.20.2        BkInterface: GigabitEthernet3/0/0
      BkLabel: NULL                SecTunnelID: 0x0
 BkPETunnelID: 0x0             BkPESecTunnelID: 0x0

Step 6 When you do not need the IP FRR function, use the undo ip frr command to disable it:

[RouterT] undo ip frr

# After you disable the IP FRR, check the backup egress and the backup next hop:

display ip routing-table 172.17.1.0 verbose
Routing Table : Public
Summary Count : 1

Destination: 172.17.1.0/24
     Protocol: OSPF                 Process ID: 1
   Preference: 10                         Cost: 3
      NextHop: 192.168.10.2          Neighbour: 0.0.0.0
        State: Active Adv                  Age: 01h16m46s
          Tag: 0                      Priority: 0
        Label: NULL                    QoSInfo: 0x0
 RelayNextHop: 0.0.0.0               Interface: GigabitEthernet2/0/0
     TunnelID: 0x0

----End

Configuration files

- Configuration file of Router T

#
 sysname RouterT
#
 ip frr route-policy ip_frr_rp
#
interface GigabitEthernet2/0/0
 ip address 192.168.10.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 ip address 192.168.20.1 255.255.255.0
 ospf cost 100
#
interface GigabitEthernet1/0/0
 ip address 172.16.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.10.0 0.0.0.255
  network 192.168.20.0 0.0.0.255
 area 0.0.0.1
  network 172.16.1.0 0.0.0.255
#
 ip ip-prefix frr1 permit 172.17.1.1 24
#
route-policy ip_frr_rp permit node 10
 if-match ip-prefix frr1
 apply backup-nexthop 192.168.20.2
 apply backup-interface GigabitEthernet3/0/0
#
return

- Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 192.168.10.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.11.2 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.10.0 0.0.0.255
  network 192.168.11.0 0.0.0.255
#
return

- Configuration file of Router B

#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 ip address 192.168.20.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.21.2 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 192.168.20.0 0.0.0.255
  network 192.168.21.0 0.0.0.255
#
return

- Configuration file of Router C

#
 sysname RouterC
#
interface GigabitEthernet1/0/0
 ip address 172.17.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.11.1 255.255.255.0
#
interface GigabitEthernet3/0/0
 ip address 192.168.21.1 255.255.255.0
 ospf cost 100
#
ospf 1
 area 0.0.0.0
  network 192.168.11.0 0.0.0.255
  network 192.168.21.0 0.0.0.255
 area 0.0.0.2
  network 172.17.1.0 0.0.0.255
#
return

A Acronyms and abbreviations

A
ABR      Area border router
ACL      Access control list
ARP      Address Resolution Protocol
AS       Autonomous system; access server
ASBR     Autonomous system boundary router
ATM      Asynchronous Transfer Mode

B
BDR      Backup designated router
BGP      Border Gateway Protocol
BRI      Basic rate interface

C
CE       Customer edge
CIDR     Classless Inter-Domain Routing
CLNP     Connectionless network protocol
CPU      Central Processing Unit
CSNP     Complete sequence number PDUs

D
DD       Database description
DIS      Designated intermediate system
DR       Designated router
DVMRP    Distance Vector Multicast Routing Protocol

E
EBGP     External BGP
EGP      Exterior Gateway Protocol

F
FDDI     Fiber Distributed Digital Interface

H
HDLC     High level Data Link Control

I
IBGP     Internal BGP
ICMP     Internet Control Message Protocol
ID       Identification
IETF     Internet Engineering Task Force
IGP      Interior Gateway Protocol
IP       Internet Protocol
ISDN     Integrated Services Digital Network
IS-IS    Intermediate System-to-Intermediate System
ISO      International Organization for Standardization
ISP      Internet service provider

L
L2VPN    Layer 2 VPN
L3VPN    Layer 3 VPN
LAN      Local area network
LAPB     Link access procedure, balanced
LSA      Link state advertisement
LSDB     Link-state data base
LSP      Label switch path
LSR      Label switching router
LSU      Link state update packet

M
MAC      Medium Access Control
MPBGP    Multiprotocol Border Gateway Protocol
MBGP     Multicast BGP
MD5      Message Digest 5
MED      Multi-exit discrimination
MIB      Management Information Base
MP       Multilink PPP
MPLS     Multiprotocol Label Switching
MTU      Maximum Transmission Unit

N
NBMA     NonBroadcast Multiple Access
NET      Network entity title
NLRI     Network layer reachable information
NSSA     Not so stubby area

O
OSI      Open System Interconnection
OSPF     Open Shortest Path First

P
P2P      Point to Point
PC       Personal computer
PDU      Protocol Data Unit
PE       Provider edge
PIM      Protocol Independent Multicast
PIM-DM   Protocol Independent Multicast-Dense Mode
PIM-SM   Protocol Independent Multicast-Sparse Mode
POS      Packet over SDH/SONET
PPP      Point-to-Point Protocol
PRI      Primary rate interface
PSNP     Partial sequence number PDUs

R
RIP      Routing Information Protocol
RPF      Reverse Path Forwarding

S
SNMP     Simple Network Management Protocol
SPF      Shortest Path First

T
TCP      Transmission Control Protocol
TE       Traffic engineering

U
UDP      User Datagram Protocol
UP       User plane

V
VPN      Virtual Private Network
VRP      Versatile routing platform
VT       Virtual-template

W
WAN      Wide area network

A-4 Nortel Networks Inc. Issue 5.3 (30 March 2009)

Nortel Secure Router 8000 Series Configuration - IP Routing

Contents

Index ...... i-1

Issue 5.3 (30 March 2009) Nortel Networks Inc. i

Nortel Secure Router 8000 Series Configuration - IP Routing

Index

B

BGP
  authentication, 8-54
  basic configuration, 8-20
  default-route, 8-27
  load-balancing, 8-54
  preference, 8-41
  route aggregation, 8-26, 8-29
  route filtering, 8-28
BGP attribute
  as-path, 8-8, 8-45
  community, 8-11
  local preference, 8-10, 8-42
  MED, 8-9, 8-42
  next hop, 8-9, 8-44
  origin, 8-8
BGP concepts
  community, 8-15, 8-59
  confederation, 8-16, 8-62
  peer group, 8-15, 8-57
  route aggregation, 8-13, 8-29
  route dampening, 8-14, 8-39
  route reflector, 8-15, 8-60
BGP routing policies
  advertise route policies, 8-35
  receive route policies, 8-36
BGP4+
  basic configuration, 9-2
  default-route, 9-7
  import route, 9-6
  load-balancing, 9-19
  preference, 9-11
  route filtering, 9-6
BGP4+ attribute
  as-path, 9-14
  local preference, 9-12
  MED, 9-12
  next hop, 9-13
BGP4+ concepts
  community, 9-23
  peer group, 9-21
  route dampening, 9-9
  route reflector, 9-25
BGP4+ examples, 9-29
BGP4+ maintenance
  debugging, 9-27
BGP4+ overview, 9-2
BGP4+ routing policies
  advertise route policies, 9-8
  receive route policies, 9-8
BGP4+ timers, 9-17

I

IP route filtering
  ACL, 10-3
  as-path, 10-3
  community, 10-3
  deny all, 10-7
  extended community list, 10-4
  IP-prefix, 10-3
IP route policy
  applying, 10-12
  creating, 10-9
  defining, 10-10
IP routing protocol
  load sharing, 1-6
  route backup, 1-6
  route preferences, 1-5
  route selection, 1-3
  routing principle, 1-2
IPv4 default route
  overview, 2-2
IPv4 static route
  configuring, 2-4
  example, 2-7
  overview, 2-2
IPv6 default route
  overview, 2-2
IPv6 static route
  configuring, 2-6
  example, 2-11
  overview, 2-2
IS-IS
  authentication, 7-45
  basic configuration, 7-21
  dynamic hostname, 7-18, 7-43
  import route, 7-57
  NET, 7-4, 7-21
  preference, 7-24, 7-55
  route aggregation, 7-28, 7-56
  route filtering, 7-29, 7-56
IS-IS concepts
  administrative tags, 7-17
  fast flooding, 7-43
  levels, 7-4
  LSP fragment extension, 7-17
  multi-instancing, 7-16
  multi-processing, 7-16
  network types, 7-7
  route leaking, 7-7, 7-31, 7-57
IS-IS IPv6, 7-15, 7-54
IS-IS maintenance
  debugging, 7-60
IS-IS packet
  hello packet, 7-10
IS-IS packets
  address format, 7-3
  LSP, 7-11
  PDU format, 7-8
  SNP, 7-13
IS-IS timers, 7-35

O

OSPF
  authentication, 5-20, 5-46
  basic configuration, 5-24
  default-route, 5-38
  import route, 5-37
  load-balancing, 5-36
  route aggregation, 5-8, 5-33
  route filtering, 5-34
OSPF concepts
  ABR, 5-5
  ASBR, 5-5
  backbone routers, 5-5
  DR and BDR, 5-10
  IGP, adjacency, 5-22
  multi-instance, 5-22
  network types, 5-9
  NSSA, 5-7
  sham links, 5-22
  stub area, 5-7
  traffic engineering, 5-21
OSPF maintenance
  resetting, 5-53, 7-59, 8-66, 9-28
OSPF network management, 5-49
OSPF overview, 5-3
OSPF packets
  DD packet, 5-13
  hello packet, 5-12
  LSR packet, 5-14
  LSU packet, 5-15
OSPF timers, 5-42
OSPFv2 Vs OSPFv3
  common factors, 6-2
  differences, 6-2
  LSA type, 6-2
OSPFv3
  basic configuration, 6-5
  cost metrics, 6-12
  import route, 6-13
  load-balancing, 6-12
  route filtering, 6-11
  route summary, 6-11
OSPFv3 concepts
  silent-interface, 6-18
  virtual link, 6-9
OSPFv3 timers, 6-15

R

RIP
  additional metrics, 3-12
  authentication, 3-18, 3-21
  basic configuration, 3-7
  default-route, 3-12, 3-14
  import route, 3-16
  load-balancing, 3-18, 3-20
  preference, 3-12, 3-15
  route aggregation, 3-12, 3-13
  route filtering, 3-12, 3-14
RIP concepts
  neighbours, 3-18, 3-22
  routing loops, 3-3
RIP overview, 3-2
RIP packet, 3-4
RIP poison reverse, 3-18, 3-19
RIP split horizon, 3-18, 3-19
RIP timers, 3-3, 3-18
RIP versions
  configuring, 3-7, 3-10
  example, 3-24
RIPng
  additional metrics, 4-8, 4-9
  default-route, 4-8, 4-10
  import route, 4-8, 4-12
  load-balancing, 4-13, 4-15
  preference, 4-9
  route aggregation, 4-8, 4-10
RIPng overview, 4-2
RIPng packet, 4-3
RIPng poison reverse, 4-13, 4-14
RIPng split horizon, 4-13, 4-14
RIPng timer, 4-13


To provide feedback or to report a problem in this document, go to www.nortel.com/documentfeedback.
