OSPF enforces a fairly rigid design for an ISP backbone. Area 0 is the backbone area and must exist if there are to be more than two OSPF areas in a network. Area 0 provides transit between the other areas, and every other area must be connected to it.
OSPF offers a multitude of area types, including backbone, regular, stub, totally stubby, and not so stubby areas. Most ISPs tend to use only backbone and regular areas; very few make use of OSPF inter-area summarization capabilities. The reason is that, these days, iBGP carries all the prefixes across an ISP backbone. All that OSPF carries are the loopbacks and the infrastructure addresses, and it is often desirable to see those across the entire backbone. Loopbacks do need to be visible across the backbone because the loopback is usually the iBGP next hop for most of the prefixes carried in the backbone. An iBGP next hop cannot be a default route created by OSPF or BGP.
Putting a prefix into OSPF is achieved simply by creating a network statement with the relevant network, inverse mask, and area to which the network should belong.
So, to put 192.168.1.0/24 into OSPF, the command required is simply this:
Router8(config-router)# network 192.168.1.0 0.0.0.255 area 0
This prefix cannot be put into OSPF unless it is physically attached to the router, so announcing 192.168.1.0/24 needs an interface to use an address out of this network block.
To find neighbors in OSPF, simply mark the required interface as being nonpassive.
The IOS Software default is to assume that all interfaces are active. Because most ISP routers have large numbers of interfaces, and OSPF tends to run only on interfaces connected to other routers, it is really important to change OSPF's default behavior of searching for neighbors on every interface, so that all interfaces are marked as passive unless required. This is achieved by using the passive-interface default command. It is recommended that ISPs use this command by default in any configuration template that they create for their routers. Otherwise, large aggregation routers waste CPU sending OSPF hellos to nonexistent neighbors on all the interfaces that they have. (Worse, if customer networks are connected and their neighboring router is running OSPF, an adjacency might be established, wreaking havoc in the ISP backbone.)
A typical router configuration might look something like the following:
interface FastEthernet1/0
 description Ethernet backbone
 ip address 200.200.7.129 255.255.255.224
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 ip ospf message-digest-key 1 md5 7 01100F175804
 no ip mroute-cache
!
interface Serial1/0
 description 2 Mbps Link to Router8
 bandwidth 2000
 ip address 200.200.7.1 255.255.255.252
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 ip ospf message-digest-key 1 md5 7 01100F175804
 no ip mroute-cache
!
router ospf 100
 passive-interface default
 no passive-interface Serial 1/0
 area 0 authentication message-digest ! authentication
Notice the OSPF configuration, especially the neighbor authentication. This will be covered in Chapter 5, "Operational Practices." It is very important that authentication be used for all routing protocol neighbor relationships. Denial-of-service attacks on routing protocols are becoming more common as the more traditional avenues are being closed up.
If an area is not physically connected to the backbone area, OSPF provides a concept called a virtual link. ISPs sometimes need to use virtual links if their networks don't fall into the rigid layout required by OSPF. The virtual link is a bridge over an intermediate area, connecting the remote area to the backbone. A configuration sample from a router using two virtual links to connect to the core backbone follows:
router ospf 100
 log-adjacency-changes
 area 0 authentication message-digest ! virtual link goes to Area 0
 area 30 authentication message-digest
 area 30 virtual-link 222.222.7.224 message-digest-key 1 md5 7 13061E010803
 area 30 virtual-link 222.222.35.224 message-digest-key 1 md5 7 00071A150754
 area 40 authentication message-digest
 passive-interface default
 no passive-interface Serial 0/0
 no passive-interface Serial 0/1
 network 222.222.11.224 0.0.0.0 area 30
 network 222.222.17.0 0.0.0.3 area 30
 network 222.222.32.0 0.0.0.3 area 40
!
The router physically connects Area 30 to Area 40 and requires a virtual link to two routers in Area 0 so that Area 40 can see the rest of the ISP’s backbone.
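The two hardening points made above, passive-interface default with explicit exceptions and message-digest authentication on every area, active interface and virtual link, are easy to lose in a large template. The following Python audit is added here and is not part of the book: it parses an IOS-style configuration and reports where either point is missing. The SAMPLE configuration is constructed for the example and modelled on the ones above.

```python
def parse_sections(config):
    """Group indented commands under their 'interface X' / 'router ospf N' header."""
    sections, header = {}, None
    for raw in config.splitlines():
        line = raw.split("!")[0].strip()          # drop book-style '! comment' annotations
        if not line:
            continue
        if not raw.startswith(" "):
            header = line
        else:
            sections.setdefault(header, []).append(line)
    return sections

def audit_ospf(config):
    """Return findings against the two hardening points above; an empty list passes."""
    sections = parse_sections(config)
    ospf = next((v for k, v in sections.items() if k and k.startswith("router ospf")), None)
    if ospf is None:
        return ["no router ospf process configured"]
    findings = []
    if "passive-interface default" not in ospf:
        findings.append("passive-interface default missing: hellos go out every interface")
    areas = {l.split()[-1] for l in ospf if l.startswith("network ")}
    areas |= {l.split()[1] for l in ospf if l.startswith("area ")}
    for area in sorted(areas):
        if f"area {area} authentication message-digest" not in ospf:
            findings.append(f"area {area}: no message-digest authentication")
    for l in ospf:
        if "virtual-link" in l and "message-digest-key" not in l:
            findings.append(f"virtual link without MD5 key: {l}")
        elif l.startswith("no passive-interface"):      # interface that may form adjacencies
            intf = l.split(None, 2)[2].replace(" ", "")  # 'Serial 1/0' -> 'Serial1/0'
            cmds = sections.get(f"interface {intf}", [])
            if not any(c.startswith("ip ospf message-digest-key") for c in cmds):
                findings.append(f"{intf}: active for OSPF but no ip ospf message-digest-key")
    return findings

# Constructed sample: Serial1/1 and area 30 are deliberately left unprotected.
SAMPLE = """\
interface Serial1/0
 ip ospf message-digest-key 1 md5 7 01100F175804
interface Serial1/1
router ospf 100
 passive-interface default
 no passive-interface Serial 1/0
 no passive-interface Serial 1/1
 area 0 authentication message-digest ! authentication
 network 200.200.7.4 0.0.0.3 area 30
"""
```

Running audit_ospf(SAMPLE) lists the unauthenticated area 30 and the keyless Serial1/1; the same check run over the virtual-link configuration above passes.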
Very little else is required for configuring OSPF. As long as the basic design rules are remembered, OSPF works well and scales very nicely. There is no real limit to the number of routers that can be in an area. However, it is worth being prudent and designing so that OSPF Area 0 is the backbone of the ISP network and the subareas are the distribution and access layers of the network. A typical configuration is to use Area 0 for the national backbone and to give each PoP one area of its own. The more routers there are in an area, or the more areas a router is a member of, the more the CPU has to work. If the backbone is richly meshed or has unstable physical connections, it is better to have fewer routers in an area and fewer areas connected to one router.
Configuring IS-IS
IS-IS is quite similar to OSPF in many ways, and both use the same Dijkstra SPF algorithm for path calculation. Implementation is slightly different, though, and IS-IS support in IOS Software has benefited from many years of experience in the major ISP backbones in the United States.
IS-IS does not have an area concept like OSPF. Instead, it has two levels: Level 1 (areas) and Level 2 (the backbone). The IS-IS backbone is simply a contiguous collection of Level 2–capable routers linking Level 1 areas together. Most ISPs implement IS-IS using Level 2 only—they see little benefit in the extra complexity that running both Level 1 and Level 2 offers. A router can be in Level 1 only, Level 2 only, or both Level 1 and Level 2. IS-IS has a link-state database for Level 1 and also one for Level 2.
Another feature of IS-IS is that it does not use IP for transport. Instead, it relies on CLNS, a protocol that runs on the wire alongside IP. (For the security conscious, this makes IS-IS harder to attack because CLNS is rarely routed across the Internet.) To enable CLNS on a router, the global configuration command clns routing is required.
As with OSPF, IS-IS needs to carry only infrastructure addresses; this means the point-to-point links for the backbone networks and the loopback addresses of the network equipment. IS-IS automatically installs all connected interfaces into the routing protocol, so no network statements are required. Also, to make IS-IS find neighbors, simply activate IS-IS on a router interface and the neighbor will be found. This is much easier than handling the passive/no-passive interface and the network statement/mask as found in OSPF.
Because IS-IS uses CLNS, each router requires a number called an NSAP, a number that can be between 8 and 20 bytes long. Each NSAP must be unique across the backbone. NSAPs are set using the net statement under IS-IS. Although NSAPs are supposed to be officially allocated by OSI, most ISPs simply pick a number that works for them and use it. OSI protocols are not announced across the Internet, so there is no danger of a collision between NSAP addresses used in different ISPs.
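Because the NSAP is chosen by the ISP rather than allocated, the practical risk is a duplicated system ID or a malformed NET copied between router templates. The Python below is an added example, not from the book: it checks the 8 to 20 byte length and the .00 selector of a NET, flags system IDs that are not unique across a constructed router inventory, and builds NETs from loopback addresses using the common convention of zero-padding each octet (an assumption here, not something the text prescribes).

```python
from collections import Counter

def net_from_loopback(ip, area="49.0001"):
    """Common ISP convention (an assumption, not from the text): build the NET from the
    router's loopback by zero-padding each octet, so 200.200.7.129 -> 2002.0000.7129."""
    padded = "".join(f"{int(octet):03d}" for octet in ip.split("."))
    return f"{area}.{padded[0:4]}.{padded[4:8]}.{padded[8:12]}.00"

def parse_net(net):
    """Split a NET such as 49.0001.2002.0000.7129.00 into (area, system_id, selector),
    raising ValueError when it cannot serve as a router's 'net' statement."""
    digits = net.replace(".", "")
    if not digits or len(digits) % 2 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"{net}: NSAP must be whole bytes written in hex")
    nbytes = len(digits) // 2
    if not 8 <= nbytes <= 20:                        # size limits stated in the text above
        raise ValueError(f"{net}: NSAP is {nbytes} bytes, must be 8..20")
    area, sysid, sel = digits[:-14], digits[-14:-2], digits[-2:]   # 6-byte system ID, 1-byte selector
    if sel != "00":                                  # a NET is the NSAP with selector 00
        raise ValueError(f"{net}: selector is {sel}, a NET must end in .00")
    return area.lower(), sysid.lower(), sel

def check_backbone(nets):
    """Validate every router's NET and flag system IDs that are not unique across
    the backbone. Returns (problems, set of area addresses seen)."""
    problems, parsed = [], {}
    for router, net in nets.items():
        try:
            parsed[router] = parse_net(net)
        except ValueError as err:
            problems.append(str(err))
    by_sysid = Counter(sysid for _, sysid, _ in parsed.values())
    for router, (_, sysid, _) in sorted(parsed.items()):
        if by_sysid[sysid] > 1:
            problems.append(f"{router}: system ID {sysid} is not unique across the backbone")
    return problems, {area for area, _, _ in parsed.values()}

# Constructed inventory: Router9's NET was copied from Router8's template, and Router10
# carries a non-zero selector, so it is a valid NSAP but not a usable NET.
ROUTERS = {
    "Router7": net_from_loopback("200.200.7.129"),
    "Router8": net_from_loopback("200.200.7.130"),
    "Router9": "49.0001.2002.0000.7130.00",
    "Router10": "49.0001.2002.0000.7131.01",
}
```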
The other thing to note when setting up a new IS-IS backbone is that wide metrics should be used. The original IS-IS used narrow metrics (6 bit), which allows only 63 different values. Wide metrics are 32 bit, obviously giving considerably more scope and flexibility. Wide metrics should be set as the default in any ISP template for IS-IS. IS-IS uses a uniform default value of 10 for the link cost; OSPF sets the link cost based on the bandwidth configured on the interface. So, to make different links have different costs, the IS-IS metric is configured manually. Having only 6 bits to play with is very restrictive, especially with the larger backbones, so the 32-bit metric makes more sense from the start.
A configuration example corresponding to the first OSPF example above might be as follows:
clns routing
!
interface FastEthernet1/0
 description Ethernet backbone
 ip address 200.200.7.129 255.255.255.224
 ip router isis CORE ! activate IS-IS on this interface
 isis circuit-type level-2 ! Level 2 only
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 no ip mroute-cache
!
interface Serial1/0
 description 2 Mbps Link to Router8
 bandwidth 2000
 ip address 200.200.7.1 255.255.255.252
 ip router isis CORE ! activate IS-IS on this interface
 isis circuit-type level-2 ! Level 2 only
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
IS-IS has several other performance options that make it ideally suited for larger ISP backbones. These include the capability to reconfigure timer values for larger topologies, to leak Level 2 specifics into Level 1 areas, and to support mesh groups for NBMA clouds.