Differences

This shows you the differences between two versions of the page.

konfiguration [2009/09/13 14:37] (current)
Line 1: Line 1:
 +===== Configuring IS-IS for IP routing on Cisco Routers =====
 +This chapter gives an overview of the most important configuration commands which are used on cisco routers. \\
 +The cisco IOS provides a configuration help which can be called with a "?" after the command. For a complete configuration reference take a look at the cisco manuals on the [[http://www.cisco.com|cisco webpage]]. \\
 +The practical use of these commands can be found in the [[labs_conf|configuration chapter of this paper]].
 +
 +===== Cisco IOS - commands: =====
 +
 +==== Basic IS-IS configuration: ====
 +
 +== Activate the IS-IS routing process:==
 +
 +The "router isis" command enables the IS-IS routing process on the router, it is possible to add a number with the so called tag to label the routing process. Normally this tag is not in use because older IOS releases are unable to form routing adjacencies when the tags are different.
 +
 +<code>(config)#router isis [tag]
 +(config-router)#net ADRESSE1
 +(config-router)#net ADRESSE2</code>
 +
 +The OSI address which is used with the net-command is described in the chapter [[https://m1k3.kicks-ass.org/isis_wiki/doku.php?id=adressierungsschema|"OSI - Adressierungsschema"]]
 +
 +== Activate IS-IS routing on the interface: ==
 +
 +<code>(config)#interface INTERFACE
 +(config-if)#ip address IP-ADRESSE NETMASKE
 +(config-if)#ip router isis</code>
 +
 +With the "ip router isis" command the interface is added to the IS-IS routing process.
 +
 +== Passive interface ==
 +
 +With the "passive" declaration of an interface a protocol activity via an interface can be forbidden.\\
 +This is often used for a statical route to the ISP and preventing the ISP network from routing flaps.
 +
 +<code>
 +(config-router)#passive-interface INTERFACE
 +</code>
 +
 +==== Hello packages: ====
 +((packettypes chapter of this paper: https://m1k3.kicks-ass.org/isis_wiki/doku.php?id=pakettypen))
 +==Type of the Hello Packages:==
 +
 +<code>isis circuit-type INTERFACE LEVEL</code>
 +
 +LEVEL ... a link can be set to level 1 or level 2 only or to level 1 and 2 \\
 +if the link is set to level 1 and 2 only level 2 adjacencies will be formed!
 +
 +==Hello Intervall:==
 +
 +Usually there are 3 hello packets sent during each holding time. For optimization in special cases it is possible to modify this timers with the following commands:
 +
 +<code>(config-if)#isis hello-intervall VALUE</code>
 +
 +VALUE ... between 1 and 65535 or minimal which means a holdtime of one second. The hello interval depends on the hello multiplier.
 +
 +<code>(config-if)#isis hello-multiplier VALUE</code>
 +
 +VALUE ... between 3 and 1000 is the number of hello packages in the time of one "hold-interval" \\
 +
 +The following figure gives an example how IS-IS handles misconfigured intervals:
 +
 +{{holding_interval.jpg}}((IS-IS Deployment in IP Networks page 79 - figure 2-7))
 +
 +System A advertises a holding time of 30 seconds and system B advertises a holding time of 40 seconds. Every time system A receives a hello packet from system B the holding time will be resetted and also system B resets the holding time every time when a hello packet from system A is received. \\
 +With this mechanism different configurations of holding times are no problem for an IS-IS network any more.
 +
 +==== Designated Intermediate System: ====
 +((pseudonode chapter of this paper: https://m1k3.kicks-ass.org/isis_wiki/doku.php?id=pseudonode))
 +The Designated Intermediate System is almost the same like the Designated Router in the OSPF routing system.
 +
 +<code>(config-if)#isis priority PRIORITY [level-1|level-2]</code>
 +... the router with the highest PRIORITY is elected to the Designated Intermediate System. If there are more routers with the same priority the MAC-address is used for the election process. \\
 +For a detailed explanation of the DIS, please take a look at the [[pseudonode|pseudonode chapter of this paper]]
 +
 +==== Metric: ====
 +((metric chapter of this paper: https://m1k3.kicks-ass.org/isis_wiki/doku.php?id=metrik))((IS-IS Deployment in IP Networks page 113 - 120))((IS-IS Network Design Solutions page 110 - 114))
 +Look at the [[metrik|metric chapter of this paper]]
 +
 +== Modify the default metric ==
 +
 +The default value is 10. If there are some routes that should be prefered, the "isis metric" command can be used for changing this value.
 +
 +<code>(config)#interface INTERFACE
 +(config-if)#isis metric VALUE
 +</code>
 +
 +== Metric style ==
 +
 +The maximum value of the complete metric between sender and receiver is defined with 1023 (ISO 10589 and RFC 1195). If this is not enough the wide metric style or the default metric style can be used as the narrow style.
 +
 +<code>(config)#router isis
 +(config-router)#metric-style VALUE
 +</code>
 +
 +VALUE ... wide/narrow/transition \\
 +
 +Wide metric means that the routers can use the new metric format which supports the large metric formats \\
 +Transition metric means that the routers can use the new and the old metric format \\
 +Narrow metric means that the routers are limited to a maximum metric of 63 per interface, based at ISO 10589 and RFC 1195 \\
 +
 +==== Plain text authentication: ====
 +((IS-IS Network Design Solutions page 83 - 85))
 +There are three different ways for the configuration of __plaintext authentication__: \\
 +
 +== Interface authentication ==
 +
 +<code>(config-if)#isis password STRING</code>
 +
 +STRING is the plaintext password. By default the password is used for level 1 if level 2 is not configured seperately.
 +
 +== Area authentication ==
 +
 +<code>(config)#area-password STRING</code>
 +Level 1 (area) authentication means adding the authentication password to all level 1 LSPs, CSNPs and PSNPs. \\
 +
 +== Domain authentication ==
 +
 +<code>(config)#domain-password STRING</code>
 +Level 2 (domain) authentication, which means the adding of the authentication password to all level 2 LSPs, CSNPs and PSNPs. \\
 +
 +Plaintext authentication is not very secure but it is the first step on the way to a secure network. One configuration example with debugging can be found in the [[ppslc#isis_point_to_point_configuration_with_two_routers_in_different_areas_and_authentication|configuration]] section.
 +
 +If authentication is configured in a network it is possible to verify the authentication process with the "debug isis adj-packets" command. In the following part one example of a mismatched authentication and one with a working authentication configuration can be found:
 +
 +__Not working authentication:__
 +
 +<code>
 +01:59:26: ISIS-Adj: Sending L1 LAN IIH on Loopback0, length 1514
 +01:59:28: ISIS-Adj: Sending L2 LAN IIH on Loopback0, length 1514
 +01:59:33: ISIS-Adj: Sending serial IIH on Serial0/0, length 1499
 +01:59:33: ISIS-Adj: Rec serial IIH from *PPP* (Serial0/0), cir type L1L2, cir id
 + 00, length 1499
 +01:59:33: ISIS-Adj: Authentication failed
 +</code>
 +
 +__Working authentication:__
 +
 +<code>
 +02:13:52: ISIS-Adj: Sending L2 LAN IIH on Loopback0, length 1514
 +02:13:58: ISIS-Adj: Sending serial IIH on Serial0/0, length 1499
 +02:14:00: ISIS-Adj: Sending L1 LAN IIH on Loopback0, length 1514
 +02:14:00: ISIS-Adj: Rec serial IIH from *PPP* (Serial0/0), cir type L1L2, cir id
 + 00, length 1499
 +02:14:00: ISIS-Adj: rcvd state UP, old state UP, new state UP
 +02:14:00: ISIS-Adj: Action = ACCEPT
 +</code>
 +
 +==== Encrypted authentication: ====
 +
 +((IS-IS Network Design Solutions page 83 - 85))
 +
 +==For Hello-Packets:==
 +
 +__Define the authentication mode:__
 +<code>(config-if)#[no] isis authentication mode [md5|text] [level1|level2]</code>
 +__Define the used key-chain:__
 +<code>(config-if)#[no] isis authentication key-chain KEY [level1|level2]</code>
 +__One way authentication:__
 +<code>(config-if)#[no] isis authentication send-only [level1|level2]</code>
 +The router sends authentication information but it doesn't check the received authentication data.
 +
 +==For LSPs:==
 +
 +<code>(config)#[no] isis authentication mode [md5|text] [level1|level2]
 +(config)#[no] isis authentication key-chain KEY [level1|level2]
 +(config)#[no] isis authentication send-only [level1|level2]</code>
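Review bot: the authentication commands in the last sections of this hunk are shown in the wrong configuration mode and with inconsistent keywords. "area-password", "domain-password" and the three lines under "For LSPs" are router-configuration commands, so they belong under "router isis" at the (config-router)# prompt rather than at (config)#, and the LSP-level forms are written without the "isis" prefix ("authentication mode", "authentication key-chain", "authentication send-only"). The level keyword appears as [level1|level2] here but as [level-1|level-2] in the "isis priority" line; use the hyphenated form throughout. In the hello section, "isis hello-intervall VALUE" should read "isis hello-interval VALUE". The heading "Encrypted authentication" should also be renamed, for example to "MD5 authentication": md5 mode adds a keyed digest to the PDUs and does not encrypt them. Since send-only leaves received PDUs unchecked, the text should describe it as a step for rolling out keys rather than a final setting.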
 
konfiguration.txt · Last modified: 2009/09/13 14:37 (external edit)
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported