Tuesday, June 10, 2008

IS-IS Routing Protocol Best Practices (BCP)

Below are some best practices that I think folks running IP networks with IS-IS as the IGP could consider when scaling the operation of this protocol in their environments. The configuration is in Cisco IOS syntax; lines beginning with ! are comments.

#####

! Create key chains to be used for HMAC-MD5 authentication
! for both Level-1 and Level-2.
! The key-string "xxxxx" is a placeholder: use a long, random
! secret, configure the same key ID and key-string on every
! IS at that level, and add a second key with
! accept-lifetime/send-lifetime when rolling keys so that
! adjacencies do not drop during the change.
key chain isis-security-l1
key 1
key-string xxxxx
key chain isis-security-l2
key 1
key-string xxxxx
!
!
!
! Create the Loopback interface/Router-ID.
! IS-IS is NOT enabled on it because it is not a transit
! interface. Leaving IS-IS off the interface, while still
! announcing its prefixes (via passive-interface under the
! routing process), allows the IS-IS domain to scale because
! no IIH's are sent and no adjacency state is kept for it.
! No IS-IS metric is set either: IOS advertises the prefixes
! of a passive interface with a metric of zero (0), which
! keeps the metric values understandable and unambiguous.
int lo0
ip address 192.168.0.1 255.255.255.255
ipv6 address 2001:db8:192:168::1/128
!
!
!
! This interface is in the core, in the same Level-1 area
! as the other IS's in this core.
int gi0/1
ip address 192.168.1.1 255.255.255.192
ipv6 address 2001:db8:192:168:1::1/112
!
! Enable IS-IS for IPv4 and IPv6
ip router isis 1
ipv6 router isis 1
!
! Ensure this interface runs at Level-1.
isis circuit-type level-1
!
! Set the cost of this link appropriately
! for IPv4 and IPv6.
isis metric 400 level-1
isis ipv6 metric 400 level-1
!
! Enable HMAC-MD5 authentication of Level-1 IIH's on this
! interface. This protects the hellos only; LSP's and SNP's
! are authenticated under the routing process.
isis authentication mode md5 level-1
!
! Associate the key chain earlier configured with
! this IS at Level-1.
isis authentication key-chain isis-security-l1 level-1
!
! Make this IS the DIS on this LAN at Level-1 by giving it
! the maximum priority of 127 (the IOS default is 64).
! IS-IS has no backup DIS: the election is pre-emptive and
! the highest priority wins (highest MAC address breaks
! ties). To control which IS takes over if this one fails,
! give a second IS in the area a priority above the default
! but below 127, e.g., 126.
isis priority 127 level-1
!
! Enable BFD for fast failure detection.
! This reduces IS-IS convergence time because IS-IS is
! signaled about a link failure much earlier than its own
! hello/hold timers would detect it. The routing process is
! told to register with BFD via 'bfd all-interfaces' below.
bfd interval 250 min_rx 250 multiplier 3
!
!
!
! This interface is used for a trunk link to another PoP.
! This trunk link forms part of your network-wide backbone,
! and as such will be a Level-2 interface, making this
! router a Level-1/Level-2 IS.
! To make this IS-IS BCP more interesting, we will assume
! this trunk link is a broadcast multi-access link, i.e.,
! Ethernet.
! Metric and authentication are all configured for Level-2.
int gi0/2
ip address 192.168.2.1 255.255.255.252
ipv6 address 2001:db8:192:168:2::1/126
ip router isis 1
ipv6 router isis 1
isis circuit-type level-2-only
isis metric 400 level-2
isis ipv6 metric 400 level-2
isis authentication mode md5 level-2
isis authentication key-chain isis-security-l2 level-2
!
! As this is an Ethernet interface, IS-IS will treat it as a
! broadcast link and elect a DIS when it forms an adjacency.
! However, because it is really a point-to-point WAN link
! with only 2 IS's on the wire, configuring IS-IS to operate
! in "point-to-point mode" scales better and converges
! faster: no DIS is elected and no pseudonode LSP is
! generated (a smaller LSDB and a simpler SPF), the
! adjacency comes up without waiting on the DIS election,
! and flooding is acknowledged with PSNP's instead of
! relying on the periodic CSNP's sent by a DIS.
! Both ends of the link MUST be configured this way: a
! point-to-point IIH and a LAN IIH are different PDU types
! and will not form an adjacency with each other.
isis network point-to-point
!
!
!
! We now configure parameters specific to the IS-IS routing
! protocol.
! This covers both IPv4 and IPv6, as IS-IS supports both
! IP protocols in the same implementation.
router isis 1
! Create a NET.
! This is made up of a private AFI (49), an area part
! (0001), a System ID and an N-SEL of zero (0).
! The System ID is taken from the Loopback IP address with
! each octet zero-padded to three digits and regrouped:
! 192.168.0.1 -> 192.168.000.001 -> 1921.6800.0001.
! It must be unique across the whole IS-IS domain.
net 49.0001.1921.6800.0001.00
!
! Enable HMAC-MD5 authentication of LSP's, CSNP's and
! PSNP's at both levels (no level keyword means both).
! Together with the interface-level commands above, this
! covers every IS-IS PDU type.
authentication mode md5
authentication key-chain isis-security-l1 level-1
authentication key-chain isis-security-l2 level-2
!
! Enable iSPF (incremental SPF).
! This, in the long run, reduces CPU demand because
! SPF calculations are run only on the affected changes
! in the SPT.
! As this is a Level-1/Level-2 router, enable iSPF at
! both levels 60 seconds after the command has been
! entered into the configuration.
! Note that IOS only supports iSPF for IPv4.
ispf level-1-2 60
!
! Enable wide/extended metric support for IS-IS.
! IOS, by default, uses narrow metrics, which limit an
! interface cost to 1-63 and a total path cost to 1023.
! This is not scalable.
! To solve this problem, enable wide metrics, which
! allow interface cost values between 1-16777214 and are
! also required for MPLS Traffic Engineering.
! All IS's at a level must agree on the metric style; when
! migrating a live network, run 'metric-style transition'
! (send and accept both) until every IS has been converted.
metric-style wide
!
! Disable IIH padding because on high speed links the
! full-MTU hellos needlessly consume buffers, and on low
! speed links they waste bandwidth and can affect other
! time sensitive applications, e.g., voice.
! Disabling IIH padding is safe because IOS will still pad
! the first 5 IIH's to the full MTU to aid in the discovery
! of MTU mismatches.
no hello padding
!
! Allow the Loopback interface IP addresses to be carried
! within IS-IS (with metric 0) without running IS-IS on
! the interface itself, i.e., no IIH's and no adjacencies.
passive-interface Loopback0
!
! Log changes in the state of the adjacencies.
log-adjacency-changes
!
! Tell the IS to ignore received LSP's whose LSP checksum
! is incorrect, rather than purge them.
! Purging an LSP floods the purge back to the originating
! IS, which then regenerates the LSP. If a faulty link keeps
! corrupting it, the corrupt/purge/regenerate cycle repeats
! and can overload every IS in the domain.
! So rather than purge them, ignore them.
ignore-lsp-errors
!
! Reduce the amount of control traffic, conserving CPU
! usage for generation and refreshing of LSP's.
! Do this by increasing the LSP lifetime to its maximum
! (65535 seconds, roughly 18 hours).
max-lsp-lifetime 65535
!
! Reduce the frequency of periodic LSP refresh flooding,
! which reduces link utilization. The refresh interval must
! be lower than the LSP lifetime, or LSP's would age out
! before being refreshed.
! This is safe because the LSP checksum and sequence
! numbers, plus the refresh itself, guard against corrupted
! or stale LSP's persisting in the LSDB.
lsp-refresh-interval 65000
!
! Customize IS-IS throttling of SPF calculations.
! The three values are max-wait (seconds), initial-wait
! and second-wait (both milliseconds): the first SPF after
! a change runs after 1 ms, the next one no sooner than
! 20 ms later, and each further wait doubles until it
! reaches 5 seconds. This gives fast convergence for a
! single event while a flapping link cannot pin the CPU.
! Good for when you also use BFD for IS-IS.
! These are recommended values for fast convergence.
spf-interval 5 1 20
!
! Customize IS-IS throttling of PRC calculations, with the
! same max/initial/second semantics.
! PRC calculates routes without performing a full SPF
! calculation.
! This is done when a change is signaled by another IS,
! but without a corresponding change in the basic
! network topology, e.g., a prefix added to or removed
! from an existing IS's LSP.
! These are recommended values for fast convergence.
prc-interval 5 1 20
!
! Customize IS-IS throttling of this IS's own LSP
! generation, with the same semantics.
! These are recommended values for fast convergence.
lsp-gen-interval 5 1 20
!
! Enable IS-IS fast-flooding of LSP's.
! This tells the IS to always flood the LSP that triggered
! an SPF before the router actually runs the SPF
! computation.
! This command used to be 'ip fast-convergence' and has
! since been replaced from IOS 12.3(7)T.
! Below, we shall tell the IS to flood the first 10 LSP's
! which invoke the SPF before the SPF computation is
! started.
fast-flood 10
!
! Enable IS-IS IETF Graceful Restart.
! This lets an IS going through a control plane switchover
! continue to forward traffic as if nothing happened, while
! its neighbours keep the adjacency up and re-synchronize
! the LSDB with it afterwards.
! Software and platform support is limited, and the
! neighbours must support it too, so check whether your
! particular platforms/code support this.
! Also, deploy only if it's necessary.
nsf ietf
!
! Enable BFD support for IS-IS.
! With BFD running on the interface, a failure of the link
! would signal IS-IS immediately.
! IS-IS will then converge accordingly.
bfd all-interfaces
!
! Tell this IS to ignore the Attached (ATT) bit if it is
! set in a received Level-1 LSP. This matters on L1 IS's;
! it is the L1/L2 IS's that set the bit.
! An L1/L2 IS sets the Attached bit in its L1 LSP when it
! has Level-2 connectivity to other areas.
! On the L1 IS's in that area, a set Attached bit causes
! the installation of an IS-IS-learned default route towards
! the nearest L1/L2 IS in the IS-IS RIB, as well as in the
! forwarding table if IS-IS is the best routing protocol
! from which the default route was learned.
! This lets L1 IS's forward traffic for unknown
! destinations to the closest L1/L2 router, which may be
! sub-optimal: the closest exit from the area is not
! necessarily the best path to, e.g., a Loopback in another
! area, because the specific prefixes of other areas are
! not contained in the local L1 router's forwarding table
! (a problem fixed by Route Leaking from L1/L2 IS's to L1
! routers).
! Only ignore the bit if the L1 IS has another way out of
! the area, e.g., leaked routes or a default route from
! elsewhere; otherwise inter-area traffic is blackholed.
! Note that this command is currently hidden in IOS, but
! will appear in the configuration once entered.
! It is also not very well-documented, but is quite self
! explanatory.
ignore-attached-bit

!
! Enable the IPv6 address family in IS-IS.
address-family ipv6
!
! Enable multitopology support for IPv6 in IS-IS.
! Multitopology support allows the IPv4 topology to be
! independent of that of IPv6, and makes the per-interface
! 'isis ipv6 metric' values above take effect.
! Especially important when dual-stacking IPv4 and IPv6:
! in single-topology mode both protocols must run on
! exactly the same set of links, so enabling IS-IS for
! IPv6 on some interfaces but not others can route IPv6
! traffic onto links with no IPv6 and cause outages.
! All IS's at a level must agree on this; when migrating a
! live network use 'multi-topology transition' until every
! IS has been converted.
multi-topology
!
! Customize the IS-IS SPF and PRC calculations for the
! IPv6 database.
spf-interval 5 1 20
prc-interval 5 1 20
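The key-chain and authentication commands above, and the NET derived from the Loopback address, as an added example that is not part of the original post: it builds a point-to-point IIH and a Level-1 LSP, signs each with the HMAC-MD5 Authentication TLV (TLV 10, authentication type 54) as RFC 5304 specifies, and verifies them the way a receiving IS with authentication enabled would. The PDU bytes, the system ID 1921.6800.0001 (from 192.168.0.1) and the key-strings xxxxx/yyyyy are constructed here for illustration; the LSP checksum is left at zero because it is not covered by the HMAC.

```python
"""Added example (not from the original post): sign and verify IS-IS PDUs with
the HMAC-MD5 Authentication TLV as RFC 5304 specifies, and derive the System ID
and NET from a Loopback address the way the post does. All PDU bytes and keys
below are constructed placeholders."""
import hmac
import hashlib
import struct

PDU_P2P_IIH, PDU_L1_LSP, PDU_L2_LSP = 0x11, 0x12, 0x14  # ISO 10589 PDU types
TLV_AUTH, AUTH_HMAC_MD5, DIGEST_LEN = 10, 54, 16         # RFC 5304


def sysid_from_ipv4(addr):
    """192.168.0.1 -> 192168000001 -> bytes 19:21:68:00:00:01 (written 1921.6800.0001)."""
    return bytes.fromhex("".join(f"{int(o):03d}" for o in addr.split(".")))


def net_from_ipv4(area, addr, nsel="00"):
    """Assemble the NET as IOS expects it: AFI.area.sysid.nsel."""
    s = sysid_from_ipv4(addr).hex()
    return f"{area}.{s[0:4]}.{s[4:8]}.{s[8:12]}.{nsel}"


def auth_tlv(digest=bytes(DIGEST_LEN)):
    """TLV 10: one byte of authentication type followed by the 16-byte digest."""
    return bytes([TLV_AUTH, 1 + DIGEST_LEN, AUTH_HMAC_MD5]) + digest


def build_p2p_iih(sysid, hold_time, tlvs):
    """Point-to-point IIH: 8-byte common header (header length 20), fixed fields, TLVs."""
    common = bytes([0x83, 20, 1, 0, PDU_P2P_IIH, 1, 0, 0])
    fixed = struct.pack("!B6sHHB", 1, sysid, hold_time, 20 + len(tlvs), 1)
    return common + fixed + tlvs


def build_l1_lsp(sysid, seq, lifetime, tlvs):
    """Level-1 LSP (header length 27). The Fletcher checksum is left at zero here."""
    common = bytes([0x83, 27, 1, 0, PDU_L1_LSP, 1, 0, 0])
    fixed = struct.pack("!HH8sIHB", 27 + len(tlvs), lifetime, sysid + b"\x00\x00", seq, 0, 0x01)
    return common + fixed + tlvs


def auth_digest_offset(pdu):
    """Walk the TLVs (they start at the header length) and return the digest offset, or None."""
    off = pdu[1]
    while off + 2 <= len(pdu):
        t, l = pdu[off], pdu[off + 1]
        if t == TLV_AUTH and l == 1 + DIGEST_LEN and pdu[off + 2] == AUTH_HMAC_MD5:
            return off + 3
        off += 2 + l
    return None


def hmac_md5_over_pdu(pdu, key, digest_off):
    """RFC 5304: HMAC-MD5 over the whole PDU with the Authentication Value zeroed;
    for LSPs the Remaining Lifetime and Checksum are zeroed too, because every IS
    on the flooding path legitimately rewrites them."""
    buf = bytearray(pdu)
    buf[digest_off:digest_off + DIGEST_LEN] = bytes(DIGEST_LEN)
    if buf[4] in (PDU_L1_LSP, PDU_L2_LSP):
        buf[10:12] = b"\x00\x00"  # Remaining Lifetime
        buf[24:26] = b"\x00\x00"  # Checksum
    return hmac.new(key, bytes(buf), hashlib.md5).digest()


def sign_pdu(pdu, key):
    off = auth_digest_offset(pdu)
    if off is None:
        raise ValueError("PDU carries no HMAC-MD5 Authentication TLV")
    return pdu[:off] + hmac_md5_over_pdu(pdu, key, off) + pdu[off + DIGEST_LEN:]


def verify_pdu(pdu, key):
    """What a receiving IS with 'authentication mode md5' does: reject PDUs that
    lack the TLV or whose digest does not match (constant-time compare)."""
    off = auth_digest_offset(pdu)
    if off is None:
        return False
    return hmac.compare_digest(pdu[off:off + DIGEST_LEN], hmac_md5_over_pdu(pdu, key, off))


def demo():
    key = b"xxxxx"  # the post's placeholder key-string; use a long random secret in practice
    sysid = sysid_from_ipv4("192.168.0.1")
    iih = sign_pdu(build_p2p_iih(sysid, 30, auth_tlv()), key)
    lsp = sign_pdu(build_l1_lsp(sysid, 0x2A, 1200, auth_tlv()), key)
    forged = bytearray(iih)
    forged[15:17] = struct.pack("!H", 1)                    # attacker shrinks the holding time
    aged = lsp[:10] + struct.pack("!H", 1199) + lsp[12:]    # lifetime decremented in flight
    bumped = lsp[:20] + struct.pack("!I", 0x7FFFFFFF) + lsp[24:]  # attacker bumps the sequence number
    return {
        "net": net_from_ipv4("49.0001", "192.168.0.1"),
        "iih_ok": verify_pdu(iih, key),
        "iih_wrong_key": verify_pdu(iih, b"yyyyy"),
        "iih_forged": verify_pdu(bytes(forged), key),
        "iih_no_auth": verify_pdu(build_p2p_iih(sysid, 30, b""), key),
        "lsp_aged_ok": verify_pdu(aged, key),
        "lsp_seq_tampered": verify_pdu(bumped, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows that a digest made with the wrong key-string, an IIH with a rewritten holding time, an LSP with a bumped sequence number, and an IIH with no Authentication TLV at all are all rejected, while an LSP whose Remaining Lifetime was decremented in flight still verifies, which is exactly why RFC 5304 leaves that field out of the digest. The key-string is the entire secret: anyone on the wire who guesses "xxxxx" can inject hellos and LSP's that every IS accepts, so pick long random keys, and where the platform supports it prefer the HMAC-SHA algorithms of RFC 5310 over MD5.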

Things to consider on routers operating as Level-1-only
IS's:

! IS-IS BCP techniques under the IS-IS routing process.
router isis 1
! In addition to the interface, tell the IS-IS
! routing process to operate in a Level-1 area only.
is-type level-1

Things to consider on routers operating as Level-1 & Level-2
IS's:

! IS-IS BCP techniques under the IS-IS routing process.
router isis 1
! To prevent the sub-optimal routing of traffic from L1
! IS's in one area to L1 IS's in another area, configure
! and enable Route Leaking on the L1/L2 routers that form
! the backbone connectivity between two or more different
! areas.
! Route Leaking lets an L1/L2 router copy selected Level-2
! routes (which include the other areas' prefixes) into its
! own Level-1 LSP, so the L1 IS's in its area install the
! specific prefixes rather than relying on the default
! route towards the closest L1/L2 router. Leaked routes
! carry the up/down bit so they are never leaked back up
! into Level-2.
! Leak only what is needed, e.g., the Loopback /32's that
! BGP next-hops and management rely on: every leaked
! prefix ends up in every L1 LSDB in the area. The
! prefix-list below permits everything for illustration;
! 'permit 0.0.0.0/0 ge 32' would restrict it to host routes.
! Note that sections of this configuration are NOT part of
! IS-IS, per se, i.e., route map and prefix list
! configurations.
redistribute isis ip level-2 into level-1 route-map FOO
!
! Do the same for IPv6, where IOS takes a prefix list
! directly.
address-family ipv6
redistribute isis level-2 into level-1 distribute-list foo6
!
ip prefix-list foo seq 10 permit 0.0.0.0/0 le 32
!
route-map FOO permit 10
match ip address prefix-list foo
!
ipv6 prefix-list foo6 seq 10 permit ::/0 le 128

Things to consider on core routers running BGP:

! IS-IS BCP techniques under the IS-IS routing process.
router isis 1
! When a core router fails, for whatever reason, e.g.,
! reload due to memory exhaustion, reload due to a software
! crash, etc., tell other IS's not to use it as a transit
! router while it recovers, until BGP has fully converged.
! This is useful because IGP's converge faster than BGP. A
! fully converged IGP would provide reachability to border
! and other routers in the network.
! However, other IS's transiting the recovering core router
! have no way of knowing when its BGP sessions have fully
! converged.
! If BGP on the core router has not yet converged, edge and
! other routers would forward traffic through it, and since
! it has no BGP routes yet for those destinations, that
! traffic could be blackholed.
! To guard against this situation, tell the core router to
! set the Overload bit in its LSP's at startup, so other
! IS's do not use it as a transit path, until BGP signals
! that its sessions have converged. If BGP never signals,
! IOS clears the bit after 10 minutes. The router's own
! directly connected prefixes remain reachable while the
! bit is set.
set-overload-bit on-startup wait-for-bgp

#####

1 comment:

MAINA NOAH said...

Thanks Mark, Any BCP's for running MPLS would also be much appreciated.

Cheers,

Maina Noah.