
Nortel Secure Router 2330/4134
Configuration — IPv4 and Routing

Release: 10.2
Document Revision: 03.02
Publication: NN47263-502
Document release date: 22 September 2009

www.nortel.com

Copyright © 2007-2009 Nortel Networks. All Rights Reserved.

While the information in this document is believed to be accurate and reliable, except as otherwise expressly agreed to in writing NORTEL PROVIDES THIS DOCUMENT "AS IS" WITHOUT WARRANTY OR CONDITION OF ANY KIND, EITHER EXPRESS OR IMPLIED. The information and/or products described in this document are subject to change without notice.

Nortel, Nortel Networks, the Nortel logo, and the Globemark are trademarks of Nortel Networks.

THE SOFTWARE DESCRIBED IN THIS DOCUMENT IS FURNISHED UNDER A LICENSE AGREEMENT AND MAY BE USED ONLY IN ACCORDANCE WITH THE TERMS OF THAT LICENSE.

Cisco is a trademark of Cisco Systems Inc.

All other trademarks are the property of their respective owners.


Contents

New in this release
  Features
    OSPF demand circuits
    MBGP
    Interface information display enhancements
    Routing over VLAN interfaces

IP routing concepts
  IP addressing
    Subnet addressing
  Static routes
  Black hole static routes
  IP enhancements and policies
    Equal Cost Multipath (ECMP)
    Route filtering and IP policies
    Prefix list
    Defining route policies
  Unified Routing Information Base
  IP connectivity protocols
  RIP and OSPF
  Loopback IP
  Routing over VLAN interfaces

Configuring IP routing
  IP routing commands
    Configuring interface match criterion
    Configuring match address of a route
    Configuring prefix list match entries
    Configuring source-protocol match metrics
    Configuring match metric for a route
    Matching the next-hop address of a route
    Matching next hop to entries in a prefix list
    Matching a route type
    Matching a tag value
    Configuring metric value for a route


    Enabling route-flap dampening
    Configuring the destination value for a destination routing protocol
    Configuring metric type for a destination routing protocol
    Configuring load balancing for equal cost routes
    Configure prefix lists
    Configuring automatic sequencing for prefix lists
    Configure a description for a prefix list
    Configuring a static route
    Configuring an access list
    Clearing an IP prefix list
  Show commands
    Displaying IP access lists
    Displaying interface information
    Displaying a prefix list
    Displaying IP routing protocol process parameters and statistics
    Displaying the IP routing table
    Displaying route-map information
  Configuring routing for interfaces
    Configuring the IP address and mask for an interface
    Enabling proxy arp
    Configuring ICMP redirect messages on an interface
    Configuring ICMP destination unreachable messages on an interface

RIP fundamentals
  Nortel Secure Router 2330/4134 implementation of RIP
  Maintaining routing tables
  Providing RIP security
  Ensuring reachability with split horizon and poison reverse
  Routing Information Protocol

RIP configuration procedures
  Enabling RIP globally
  Entering key chain management mode
  Configuring a key
  Specifying key chain authentication key receive lifetime.
  Configuring a key password
  Specifying key chain authentication key send lifetime.
  Configuring RIP routing on an IP network
  Configuring split-horizon
  Configuring route redistribution
  Configuring timers
  Configuring distribution of default routes
  Configuring the default metric on a redistributed route
  Configuring a router neighbor
  Configuring an interface to suppress routing updates


  Configuring the routing protocol version
  Configuring the administrative distance
  Configuring a RIP metric
  Configuring routing updates to filter networks
  Configuring authentication control
  Configuring advertisement reception
  Configuring packet reception through an interface
  Configuring advertisement transmission
  Configuring packet transmission through an interface
  Sending v1 packets to another RIP interface
  Displaying RIP configuration
  Displaying all configured RIP interfaces
  Displaying RIP information
  Displaying the RIP database
  Clearing the RIP routing table
  Resetting prefix-list entries

OSPF fundamentals
  OSPF summary
  Hierarchical elements
  Designated and backup designated routers
  Link state database
  LSA types
  Backbone area
  Stub areas
  Not-so-stubby areas (NSSAs)
  Transit areas
  Virtual links
  Area ranges (route summarization)
  Route redistribution (exportation) and policy
  Security
  ECMP
  Router ID
  Cost metric
  Passive interfaces
  OSPF demand circuits
  Open Shortest Path First
    Overview
    Benefits
    OSPF routing algorithm
    Autonomous system and areas
    Neighbors
    OSPF routers
    Router types


    OSPF interfaces
    OSPF and IP
    OSPF packets
    Link state advertisements
    AS external routes
    OSPF virtual links
    Specifying ASBRs
    Metric speed

OSPF configuration procedures
  Configuring the host name
  Configuring the router ID
  Configuring the loopback address
  Enabling OSPF
  Configuring OSPF interface priority
  Enabling OSPF on an IP interface
  Configuring OSPF area as stub area
  Configure the OSPF area default cost
  Enable authentication for an OSPF area
  Configuring an OSPF area range
  Configuring an OSPF network filter list
  Configuring a virtual link
  Configure an OSPF not-so-stubby-area
  Configuring OSPF Type 7 default origination
  Restrict redistribution into an OSPF NSSA area
  Restrict sending of summary LSAs
  Configuring an NSSA-ABR translator role
  Configuring OSPF demand circuits
  Configuring redistribution of routes into OSPF
  Configuring OSPF cost
  Configuring virtual links
  Configuring OSPF authentication
  Configuring metric for redistributed routes
  Configuring OSPF capability features
  Logging adjacency state changes
  Configuring IP address summaries
  Configuring the OSPF compatibility list
  Configuring OSPF specifics
  Calculating OSPF interface cost
  Configuring routing timers
  Configuring Constrained Shortest Path First (CSPF)
  Configuring maximum allowed DD processes
  Configuring suppression of routing updates on an interface
  Configuring the administrative distance


  Configuring distribution of default information
  Configuring OSPF on an interface
  Configuring the authentication key
  Configuring the database filter
  Disabling OSPF
  Configuring the dead interval
  Configuring the hello interval
  Configuring the message digest password
  Configuring OSPF MTU
  Configuring OSPF to ignore MTU
  Configuring the link-state transmit delay
  Configuring lost link state transmit delay
  Configuring the OSPF network type
  Configuring OSPF TE metric
  Displaying OSPF parameters and statistics
  Displaying border router information
  Displaying database summary
  Displaying TE database
  Displaying virtual link information
  Displaying neighbors
  Displaying OSPF routes
  Displaying OSPF interface
  Clearing OSPF processes

VRRP fundamentals
  VRRP overview
  Virtual Router Redundancy Protocol

VRRP configuration procedures
  Configure VRRP per port
  Configuring the advertisement interval
  Configuring the authentication string
  Configuring the virtual IP address
  Configuring priority
  Configuring track priority
  Configuring the learn interval
  Configuring a VRRP group description
  Configuring the preempt flag
  Show VRRP information
  Clearing VRRP information

BGP fundamentals
  BGP concepts
    Hierarchical mechanisms
    BGP routes, route properties, and updates


    Policy-based routing
    Route redistribution
    Security
    Route reflectors
    Confederations
    Route flap dampening
    Route refresh
  BGP planning considerations
    BGP minimum configuration planning
    BGP initial session customization planning
    BGP update processing and advertisement configuration planning
    BGP optimization planning
    MBGP

BGP configuration procedures
  BGP procedures for a minimum configuration
    Enabling BGP
  BGP procedures for a customized configuration
    Configuring MBGP properties
    Configuring a passive session OPEN
    Advertising the local router ID as nexthop
    Comparing the MED value of routes learned from eBGP peers
    Removing private AS numbers from route advertisements
    Configuring a BGP Confederation
    Configuring a BGP Route Reflector cluster
    Configuring soft-reconfiguration on neighbor
    Configuring strict-capability-match on neighbor
    Enabling ECMP
    Enabling an address family for a neighbor
    Configuring interval for BGP route updates
    Configuring interval for AS-origination updates
    Advertising capability to a peer
    Configuring a default route to originate to neighbor
    Configuring a neighbor description
    Configuring a distribution list
    Disallowing capability negotiation
    Allowing EBGP neighbors from indirectly connected networks
    Configuring BGP filters
    Enabling BGP on an interface
    Configuring maximum number of prefixes
    Configuring a neighbor password
    Configuring peer-group members
    Configuring a prefix list
    Configuring AS number of a remote BGP neighbor


    Configuring a route map to a neighbor
    Configuring a neighbor as route reflector client
    Configuring a neighbor as route server client
    Sending a community attribute to a neighbor
    Shutting down a neighbor
    Configuring BGP neighbor timers
    Configuring a routing update source
    Configuring weight for a BGP neighbor
    Modifying a default bestpath selection
    Configuring client-to-client route reflection
    Configuring a route reflector cluster-id
    Configuring AS confederation parameters
    Enabling route flap dampening
    Configuring BGP defaults
    Enforcing first AS for EBGP routes
    Resetting a session when a peer goes down
    Logging neighbor changes
    Overriding current router-id
    Configuring background scan interval
    Defining the administrative distance
    Configuring BGP aggregate entries
    Configuring IGP synchronization
    Specifying a BGP announced network
    Configuring routing timers
    Redistributing information from another protocol
    Configuring aggregation on same next hop
    Configuring RFC1771 compatible path selection mechanism
    Configuring aggregation on same next hop
    Configuring a BGP AS path filter
    Configuring community list entries
    Matching a BGP origin code
    Matching a BGP AS-path list
    Matching a BGP community list
    Setting the BGP aggregator attribute
    Setting the prepend string for a BGP AS-path attribute
    Setting the BGP atomic aggregate attribute
    Setting the BGP community list
    Setting the BGP community attribute
    Setting the BGP local preference path attribute
    Setting the BGP origin code
    Setting the BGP originator ID attribute
    Setting the tag value for a destination routing protocol
    Setting the BGP weight for a routing table
    Configuring deterministic MED


    Accepting an AS path containing my AS
    Propagating a BGP attribute unchanged to a neighbor
    Overriding a capability negotiation result
    Selectively leaking more-specific routes to a neighbor
    Displaying BGP attribute information
    Displaying routes matching communities
    Displaying BGP paths
    Displaying cidr-only information
    Displaying community information
    Displaying neighbor information
    Displaying BGP regular expression information
    Displaying BGP community information
    Displaying scan information
    Displaying BGP neighbor status summary
    Displaying inconsistent AS paths
    Displaying detailed dampening information
    Displaying routes matching route map
    Displaying routes matching a prefix list
    Displaying routes matching a filter list
    Displaying routes matching a community list
    Displaying routes matching an AS path regular expression
    Displaying AS path access lists
    Displaying community lists
    Resetting all BGP peers
    Resetting all BGP peers in IPv4 family
    Resetting BGP AS number
    Resetting BGP peer groups
    Resetting BGP neighbor ID
    Resetting BGP dampening
    Resetting BGP flap statistics
    Resetting BGP external peers
  Sample BGP configurations
    Configuring IBGP sessions
    Configuring EBGP sessions


New in this release

The following section details what’s new in Nortel Secure Router 2330/4134 Configuration — IPv4 and Routing (NN47263-502) for Release 10.2.

ATTENTION
In this document, the term Secure Router 2330/4134 is used interchangeably to refer to the Secure Router 2330 and the Secure Router 4134.

Features

See the following sections for feature-related changes.

OSPF demand circuits

OSPF demand circuits are point-to-point links. For more information, see

• “OSPF demand circuits” (page 79)

• “Configuring OSPF demand circuits” (page 104)

MBGP

You can direct all the multicast traffic to designated access points other than normal unicast forwarding paths using the MBGP feature. For more information, see

• “MBGP” (page 146)

• “Configuring MBGP properties” (page 147)


Interface information display enhancements

See the following section for changes related to interface information display enhancements.

• “Displaying interface information” (page 41)

Routing over VLAN interfaces

For more information on routing over VLAN interfaces, see

• “Routing over VLAN interfaces” (page 28)


IP routing concepts

The router management features covered in this documentation apply regardless of which routing protocols are used and include router Internet Protocol (IP) configuration, IP route table management, Address Resolution Protocol (ARP) configuration, ARP table management, and Virtual Router Redundancy Protocol (VRRP) configuration. You must be familiar with the basics of routing and IP addresses.

This section includes the following topics:

• “IP addressing” (page 13)

• “Static routes” (page 16)

• “Black hole static routes” (page 16)

• “IP enhancements and policies” (page 16)

• “IP connectivity protocols” (page 26)

• “RIP and OSPF” (page 26)

• “Loopback IP” (page 27)

IP addressing

An IP version 4 address consists of 32 bits expressed in a dotted-decimal format (x.x.x.x). The IP version 4 address space is divided into classes, with classes A, B, and C reserved for unicast addresses and accounting for 87.5 percent of the 32-bit IP address space. Class D is reserved for multicast addressing. Table 1 "IP addresses" (page 13) lists the breakdown of IP address space by address range and mask.

Table 1: IP addresses

| Class | Address range | Mask | Number of addresses |
|---|---|---|---|
| A | 1.0.0.0—126.0.0.0 | 255.0.0.0 | 126 |
| B | 128.0.0.0—191.0.0.0 | 255.255.0.0 | 127 * 255 |
| C | 192.0.0.0—223.0.0.0 | 255.255.255.0 | 31 * 255 * 255 |
| D | 224.0.0.0—239.0.0.0 | | |

To express an IP address in dotted-decimal notation, you convert each octet of the IP address to a decimal number and separate the numbers by decimal points. For example, you specify the 32-bit IP address 10000000 00100000 00001010 10100111 in dotted-decimal notation as 128.32.10.167.

Each IP address class, when expressed in binary, has a different boundary point between the network and host portions of the address as illustrated in Figure 1 "Network and host boundaries in IP address classes" (page 14). The network portion is a network number field from 8 through 24 bits. The remaining 8 through 24 bits identify a specific host on the network.

Figure 1: Network and host boundaries in IP address classes

Subnet addressing

Subnetworks (or subnets) extend the IP addressing scheme used by an organization to one with an IP address range for multiple networks. Subnets are two or more physical networks that share a common network-identification field (the network portion of the 32-bit IP address).


You create a subnet address by increasing the network portion to include a subnet address, thus decreasing the host portion of the IP address. For example, in the address 128.32.10.0, the network portion is 128.32, while the subnet is found in the first octet of the host portion (10). A subnet mask is applied to the IP address and identifies the network and host portions of the address.

Table 2 "Subnet masks for class B and class C IP addresses" (page 15) illustrates how subnet masks used with class B and class C addresses can create differing numbers of subnets and hosts. This example includes using the zero subnet, which is permitted on a Secure Router 2330/4134.

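Table 2: Subnet masks for class B and class C IP addresses

Class B

| Number of bits | Subnet mask | Number of subnets (recommended) | Number of hosts per subnet |
|---|---|---|---|
| 2 | 255.255.192.0 | 2 | 16 382 |
| 3 | 255.255.224.0 | 6 | 8 190 |
| 4 | 255.255.240.0 | 14 | 4 094 |
| 5 | 255.255.248.0 | 30 | 2 046 |
| 6 | 255.255.252.0 | 62 | 1 022 |
| 7 | 255.255.254.0 | 126 | 510 |
| 8 | 255.255.255.0 | 254 | 254 |
| 9 | 255.255.255.128 | 510 | 126 |
| 10 | 255.255.255.192 | 1 022 | 62 |
| 11 | 255.255.255.224 | 2 046 | 30 |
| 12 | 255.255.255.240 | 4 094 | 14 |
| 13 | 255.255.255.248 | 8 190 | 6 |
| 14 | 255.255.255.252 | 16 382 | 2 |

Class C

| Number of bits | Subnet mask | Number of subnets (recommended) | Number of hosts per subnet |
|---|---|---|---|
| 1 | 255.255.255.128 | 0 | 126 |
| 2 | 255.255.255.192 | 2 | 62 |
| 3 | 255.255.255.224 | 6 | 30 |
| 4 | 255.255.255.240 | 14 | 14 |
| 5 | 255.255.255.248 | 30 | 6 |
| 6 | 255.255.255.252 | 62 | 2 |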


Variable-length subnet masking (VLSM) is the ability to divide your intranet into pieces that match your requirements. Routing is based on the longest subnet mask or network that matches. Routing Information Protocol (RIP) version 2 and Open Shortest Path First (OSPF) are routing protocols that support VLSM.

Static routes

Static routes allow you to create routes to a destination IP address manually (see also “Black hole static routes” (page 16)).

You can use a static default route to specify a route to all networks for which there are no explicit routes in the Forwarding Information Base or the routing table. This route is by definition a route with the prefix length of zero (RFC 1812). You can configure the Secure Router 2330/4134 with any route through the IP static routing table.

Static routes can also be configured with a next hop that is not directly connected, but that hop must be reachable. Otherwise, the static route is not enabled. The configured gateway can be either a specific IP address or router interface.

Black hole static routes

A black hole static route is a route with an invalid next hop, such that the data packets destined for this network are dropped by the router (see also “Static routes” (page 16)).

While aggregating or injecting routes to other routers, the router itself may not have a path to the aggregated destination. In such cases, the result is a black hole and a routing loop. To avoid such loops, configure a black hole static route to the destination the router is advertising.

You can configure a preference value for a black hole route. However, you must configure that preference value appropriately, so that when you wish the black hole route to be used, it gets elected as the best route.

Before adding a black hole static route, perform a check to ensure that there is no other static route to that identical destination in an enabled state. If such a route exists, you cannot add the black hole route and an error message is displayed.

IP enhancements and policies

The following sections describe the functioning of IP route policies:

• “Equal Cost Multipath (ECMP)” (page 17)

• “Route filtering and IP policies” (page 17)


• “Prefix list” (page 21)

• “Defining route policies” (page 22)

Equal Cost Multipath (ECMP)

With Equal Cost Multipath (ECMP) the Secure Router 2330/4134 can determine up to eight equal-cost paths to the same destination prefix. You can use multiple paths for load sharing of traffic. These multiple paths allow faster convergence to other active paths in case of network failure. By maximizing load sharing among equal-cost paths, you can use your links between routers more efficiently when sending IP traffic. Equal Cost Multipath is formed using routes from the same source or protocol. The Secure Router 2330/4134 supports per-packet or flow-based ECMP.

The ECMP feature supports and complements the following protocols and route types:

• Open Shortest Path First (OSPF)

• Routing Information Protocol (RIP)

• Border Gateway Protocol (BGP)

• Static route

• Default route

Route filtering and IP policies

When IP traffic is routed by the Secure Router 2330/4134, a number of filters can be applied to manage, accept, redistribute, and announce policies for unicast routing table information. The filtering process relies on the IP prefix lists in the common routing table manager infrastructure. Filters apply in different ways to different unicast routing protocols.

Figure 2 "Route filtering for unicast routing protocols" (page 18) shows how filters are applied to BGP, RIP, and OSPF protocol.


Figure 2: Route filtering for unicast routing protocols

This section includes the following topics:

• “Accept policies and in filters” (page 18)

• “Redistribution filters” (page 19)

• “Out filters” (page 19)

• “Route filtering stages” (page 19)

Accept policies and in filters

Accept policies or in filters are applied to incoming traffic to determine whether or not to add the route to the routing table. Accept policies/in filters are applied in different ways to different protocols, as follows:

• RIP and BGP—filters are applied to all incoming route information

• OSPF—filters are applied only to external route information. Internal routing information is not filtered because otherwise, other routers in the OSPF domain might have inconsistent databases that could affect the router’s view of the network topology.

In a network with multiple routing protocols, the network administrator can prefer specific routes from RIP instead of from OSPF. The network prefix is a commonly used match criterion for accept policies/in filters.


Redistribution filters

Redistribution filters notify changes in the route table to the routing protocol (within the device). With redistribution filters, provided you do not breach the protocol rules, you can choose not to advertise everything that is in the protocol database, or you can summarize or suppress route information. On the Secure Router 2330/4134, by default, no external routes are leaked to protocols you have not configured.

Out filters

Out filters are applied to outgoing advertisements to neighbors/peers in the protocol domain, to determine whether to announce specific route information. Out filtering applies to RIP updates and BGP NLRI updates.

Out filtering may be applied to OSPF information at the administrator’s discretion but is not recommended since OSPF routing information must always be consistent across the domain. To restrict the flow of external route information in the OSPF protocol database, apply redistribution filters instead of out filters.

Route filtering stages

Figure 3 "Route filtering stages" (page 19) shows the three distinct filter stages that are applied to IP traffic.

Figure 3: Route filtering stages

These stages are:

1. Filter stage 1

Filter stage 1 is the accept policy/in filter that is applied to incoming traffic to detect changes in the dynamic (protocol-learned) routing information, which are then submitted to the routing table.

2. Filter stage 2


Filter stage 2 is the redistribution filter that is applied to entries in the routing table as they are leaked to the protocol.

3. Filter stage 3

Filter stage 3 is the announce policy/out filter that is applied to outgoing traffic within a protocol domain.

Figure 4 "Route filtering logic" (page 21) shows the logical process for route filtering on the Secure Router 2330/4134.


Figure 4: Route filtering logic

Prefix list

With Secure Router 2330/4134 IP enhancements and policies, you can create one or more IP prefix lists and apply this list to any IP route policy.


ATTENTION
When you configure a prefix list for a route policy, be sure to add the prefix as A.B.C.D/M.

Defining route policies

As IP route policies are not tied to a specific protocol, you can define an IP route policy and its attributes globally, and then apply them individually to interfaces and protocols.

Unified Routing Information Base

The Secure Router 2330/4134 supports a unified routing table having both IPv4 unicast routes and MPLS routes.

IPv4 unicast routes belong to one of the following categories:

• Connected

• Static

• OSPF

• RIP

• BGP

Similarly, MPLS routes belong to the following categories:

• Static MPLS routes

• RSVP-TE (and mapped routes)

• LDP


Figure 5: RIB categories

The unified route table is the composite table, used in forwarding, that contains route information from all protocols, so only one type of route is selected for a given destination prefix. This selection is based on the ‘distance’ property associated with the route. The route with the lower distance value is preferred for forwarding.

The following table explains the order of selection of route type when more than one route is available for the given destination prefix.

Table 3: Selection order

| Selection order | Type of route | Default distance | Properties |
|---|---|---|---|
| 1 | Connected | 0 | Fixed |
| 2 | Static IPv4 | 1 | Configurable |
| 3 | Static FTN | 10 | Fixed |
| 4 | RSVP | 10 | Fixed |
| 5 | LDP | 10 | Fixed |
| 6 | RSVP MAP route | 10 | Fixed |
| 7 | EBGP | 20 | Configurable |
| 8 | OSPF | 110 | Configurable |
| 9 | RIP | 120 | Configurable |
| 10 | IBGP | 200 | Configurable |


Figure 6: Example

In the above topology, RUT-1 will have the unified route table entries as:

Table 4: Unified route table

| Type | Flag | Prefix | Next Hop | Interface |
|---|---|---|---|---|
| Connected | *> | 1.1.1.1/32 | | loopback1 |
| Connected | *> | 10.0.0.0/24 | | ethernet0/1 |
| Connected | *> | 127.0.0.0/8 | | lo0 |

In RUT-1, adding an IPv4 static route (2.2.2.2/32) and an MPLS static FTN (2.2.2.2/32), configuring an RSVP tunnel (LSP1 for 2.2.2.2/32), and running LDP updates the Unified RIB as follows:

Table 5: Updated Unified RIB

| Type | Flag | Prefix | Next Hop | Interface | ... |
|---|---|---|---|---|---|
| Connected | *> | 1.1.1.1/32 | | loopback1 | |
| MPLS | | 2.2.2.2/32 | 10.0.0.2 | ethernet0/1 | label 222,CLI-REG |
| MPLS | | 2.2.2.2/32 | 10.0.0.2 | ethernet0/1 | RSVP-REG,LSP1 |
| MPLS | | 2.2.2.2/32 | 10.0.0.2 | ethernet0/1 | LDP-REG |
| Static | *> | 2.2.2.2/32 | 10.0.0.2 | ethernet0/1 | |
| MPLS | | 3.3.3.3/32 | 10.0.0.2 | ethernet0/1 | RSVP-RSVP_MAP, LSP1 |
| Connected | *> | 10.0.0.0/24 | | ethernet0/1 | |
| Connected | *> | 127.0.0.0/8 | | lo0 | |

Note that the routes are selected to be programmed in the FIB according to the distance associated with the route type.

As the static route type has the lowest distance compared to other types, for the route 2.2.2.2/32, the static route is preferred for the FIB. If the static route is deleted, then the MPLS static route (marked as CLI-REG) will be selected for the FIB.
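The following is an added example, not part of the Nortel documentation: a small Python model of the selection rule described above, using the default distances and selection order from Table 3 and a constructed RIB based on the 2.2.2.2/32 rows of Table 5. It assumes that ties on distance are broken by the Table 3 selection order; the short route-type names and all function names are chosen for the example, and ECMP is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# type: (selection order, default distance, distance configurable?), from Table 3.
# The short type names are labels chosen for this example.
TABLE3 = {
    "connected":  (1, 0, False),
    "static":     (2, 1, True),
    "static-ftn": (3, 10, False),
    "rsvp":       (4, 10, False),
    "ldp":        (5, 10, False),
    "rsvp-map":   (6, 10, False),
    "ebgp":       (7, 20, True),
    "ospf":       (8, 110, True),
    "rip":        (9, 120, True),
    "ibgp":       (10, 200, True),
}


@dataclass(frozen=True)
class Route:
    rtype: str
    prefix: str                      # always A.B.C.D/M
    next_hop: Optional[str] = None
    interface: Optional[str] = None
    distance: Optional[int] = None   # None means "use the Table 3 default"

    def __post_init__(self):
        if self.rtype not in TABLE3:
            raise ValueError(f"unknown route type {self.rtype!r}")
        ip_network(self.prefix)      # rejects a malformed prefix or set host bits
        if self.distance is not None and not TABLE3[self.rtype][2]:
            raise ValueError(f"distance for {self.rtype} routes is fixed")

    def rank(self):
        """Sort key: lower distance wins, then lower Table 3 selection order."""
        order, default, _ = TABLE3[self.rtype]
        return (default if self.distance is None else self.distance, order)


def select_fib(rib):
    """Pick one route per destination prefix, as done when programming the FIB."""
    best = {}
    for route in rib:
        net = ip_network(route.prefix)
        if net not in best or route.rank() < best[net].rank():
            best[net] = route
    return best


def best_for(rib, prefix):
    """Route selected for an exact prefix, or None."""
    return select_fib(rib).get(ip_network(prefix))


def lookup(rib, addr):
    """Forwarding decision for one address: longest matching prefix in the FIB."""
    fib = select_fib(rib)
    ip = ip_address(addr)
    matches = [net for net in fib if ip in net]
    return fib[max(matches, key=lambda n: n.prefixlen)] if matches else None


def database_view(rib):
    """Every RIB entry as (flag, type, prefix); "*>" marks the selected route."""
    fib = select_fib(rib)
    return [("*>" if fib[ip_network(r.prefix)] is r else "", r.rtype, r.prefix)
            for r in rib]


# Constructed sample input, modelled on Table 5.
RIB = [
    Route("connected", "1.1.1.1/32", interface="loopback1"),
    Route("static-ftn", "2.2.2.2/32", "10.0.0.2", "ethernet0/1"),
    Route("rsvp", "2.2.2.2/32", "10.0.0.2", "ethernet0/1"),
    Route("ldp", "2.2.2.2/32", "10.0.0.2", "ethernet0/1"),
    Route("static", "2.2.2.2/32", "10.0.0.2", "ethernet0/1"),
    Route("connected", "10.0.0.0/24", interface="ethernet0/1"),
    Route("connected", "127.0.0.0/8", interface="lo0"),
]

if __name__ == "__main__":
    for flag, rtype, prefix in database_view(RIB):
        print(f"{flag:2} {rtype:10} {prefix}")
    without_static = [r for r in RIB if r.rtype != "static"]
    print("after deleting the static route:",
          best_for(without_static, "2.2.2.2/32").rtype)
```

Because the static distance is configurable, raising it above 10 hands 2.2.2.2/32 to the MPLS static FTN even while the static route is still configured, which is worth checking when auditing which source actually controls forwarding for a prefix.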


The following CLI commands are associated with the unified RIB/FIB:

show ip route

show ip route database

The above commands display the unified routing table of the router. “show ip route” displays only the routes that are in the FIB, and “show ip route database” displays all the routes in the unified routing table; the routes that are selected for and programmed in the FIB are marked with “*>”.

show ip route <A.B.C.D>

show ip route <A.B.C.D/M>


The above commands display the unified routing table entry for the route with prefix A.B.C.D and prefix length M (if provided).

IP connectivity protocols

The Secure Router 2330/4134 uses various protocols for enhanced and resilient IP connectivity. These protocols include:

• RIP

• OSPF

• VRRP

• BGP

To learn more about these protocols, see the following sections:

• “RIP fundamentals” (page 49)

• “OSPF fundamentals” (page 73)

• “VRRP fundamentals” (page 127)

• “BGP fundamentals” (page 139)

RIP and OSPF

The Secure Router 2330/4134 supports wire-speed IP routing of frames using one of the following dynamic IP routing protocols:

• RIP version 1 (RFC 1058)

• RIP version 2 (RFC 1723)

• OSPF version 2 (RFC 2328)

Unlike static IP routing, where a manual entry must be made in therouting table to specify a routing path, dynamic IP routing uses a learningapproach to determine the paths and routes to other routers. Thereare two basic types of routing algorithm: distance vector and link state.Routing Information Protocol (RIP) is a distance vector protocol and OpenShortest Path First (OSPF) Protocol is a link state protocol.

Loopback IP

Loopback IP (also known as circuitless IP or CLIP) is a virtual interface that is not associated with any physical port. You can use the loopback interface to provide uninterrupted connectivity to your router as long as there is an actual path to reach the device.

For example, as shown in Figure 7 "Routers with IBGP connections" (page 27), a physical point-to-point link exists between R1 and R2 along with the associated addresses (195.39.1.1/30 and 195.39.1.2/30). Note also that an Interior Border Gateway Protocol (IBGP) session exists between two additional addresses, 195.39.128.1/30 (CLIP 1) and 195.39.281.2/30 (CLIP 2).

CLIP 1 and CLIP 2 represent the virtual loopback addresses that are configured between R1 and R2. These virtual interfaces are not associated with the physical link or hardware interface. This allows the IBGP session to continue as long as there is a path between R1 and R2. An IGP (such as OSPF) is used to route addresses corresponding to the loopback addresses. After all the loopback addresses are learned by the routers in the AS, the IBGP is established and routes can be exchanged.

Figure 7 Routers with IBGP connections

The loopback interface is treated as any other IP interface. The network associated with the loopback is treated as a local network attached to the device. This route always exists and the circuit is always up because there is no physical attachment.

Routes are advertised to other routers in the domain either as external routes using the route-redistribution process or when you enable OSPF in a passive mode to advertise an OSPF internal route. You can configure the OSPF protocol only on the circuitless IP interface.

When you create a loopback interface, the system software programs a local route with the CPU as destID. The CPU processes all packets that are destined to the loopback interface address. Any other packets with destination addresses associated with this network (but not to the interface address) are treated as if they are from an unknown host.

A loopback address can be used as source IP address in the IP header when sending remote monitoring (RMON) traps.

Routing over VLAN interfaces

With Release 10.2 and later, you can enable RIP, OSPF, BGP, and VRRP on VLAN interfaces.

Configuring IP routing

This section describes CLI commands that you use to configure Layer 3 (routing) functions in your Secure Router 2330/4134.

• For conceptual information about Layer 3 routing functions, see “IP routing concepts” (page 13).

This section includes the following topics:

• “IP routing commands” (page 29)

• “Show commands” (page 41)

• “Configuring routing for interfaces” (page 45)

IP routing commands

The IP routing commands configure general characteristics of the router.

Configuring interface match criterion

The following procedure describes how to configure interface match criterion. Before configuring match criterion, you first need to configure the route map using the route-map command. The match interface command specifies the next-hop interface name of a route to be matched. Use the no form of this command to remove the specified match criterion.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 To specify match criterion, enter:

[no] match interface <ifname>

--End--

Table 6 Variable definition

Variable Value

<ifname> Specifies the interface you want to match.

Configuring match address of a route

The following procedure describes how to configure the match address of a route. Use the no form of this command to remove the ip address entry.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 To specify an address, enter:

[no] match ip address <accesslistid>

--End--

Table 7 Variable definition

Variable Value

<accesslistid> The access list to match. Can be specified as:

• <WORD> - The name of the access list

• <1 - 199> - The IP access list number

• <1300 - 2699> - The expanded-range IP access list number

Configuring prefix list match entries

The following procedure describes how to match entries of prefix lists. Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 To specify a prefix list, enter:

[no] match ip address prefix-list <listname>

--End--

Table 8 Variable definition

Variable Value

<listname> The IP address prefix list name.

Configuring source-protocol match metrics

The following procedure describes how to match source protocols. Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 To specify a source protocol to match, enter:

[no] match source-protocol <protocol>

--End--

Table 9 Variable definition

Variable Value

<protocol> The protocol to match. Possible values are:

• bgp - Match BGP source protocol

• connected - Match all connected protocols

• ospf - Match OSPF source protocol

• rip - Match RIP source protocol

• static - Match all static protocols

Configuring match metric for a route

The following procedure describes how to match a route metric value. Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 To specify a metric value, enter:

[no] match metric <metric>

--End--

Table 10 Variable definition

Variable Value

<metric> The metric value, in the range 0 to 4294967295.

Matching the next-hop address of a route

The following procedure describes how to match the next-hop address of a route to specific access list criteria. Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Specify the criteria to match:

[no] match ip next-hop {<1-99>|<1300-2699>|<name>}

--End--

Table 11 Variable definition

Variable Value

<1-99> The IP access list number.

<1300-2699> The IP extended access list number.

<name> The IP access list name.

Matching next hop to entries in a prefix list

The following procedure describes how to match next-hop entries to those in a prefix list. Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Specify the prefix list to match against:

[no] match ip next-hop prefix-list <name>

--End--

Table 12 Variable definition

Variable Value

<name> The IP prefix list name.

Matching a route type

The following procedure describes how to match a specific route-type. Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Specify the route type to match:

[no] match route-type external {<type-1>|<type-2>}

--End--

Table 13 Variable definition

Variable Value

<type-1> Match OSPF external type 1 metrics.

<type-2> Match OSPF external type 2 metrics.

Matching a tag value

The following procedure describes how to match a specific tag value. Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Specify the tag value to match:

[no] match tag <value>

--End--

Table 14 Variable definition

Variable Value

<value> The tag value in the range 0 to 4294967295.

Configuring metric value for a route

The following procedure describes how to specify a metric value for a route. Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 To set the metric value, enter:

[no] set metric <metric>

--End--

Table 15 Variable definition

Variable Value

<metric> The metric value for the route, in the range 0 to 4294967295.

Enabling route-flap dampening

The following procedure describes how to enable route-flap dampening. Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Enable route-flap dampening:

[no] set dampening <reach> <reuse> <suppress> <duration> <unreach>

--End--

Table 16 Variable definition

Variable Value

<duration> The maximum duration to suppress a stable route (minutes) in the range 1 to 255.

<reach> The reachability half-life time for the penalty (minutes) in the range 1 to 45.

<reuse> The value to start reusing a route in the range 1 to 20000.

<suppress> The value to start suppressing a route in the range 1 to 20000.

<unreach> The unreachability half-life time for the penalty (minutes) in the range 1 to 45.
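How the five set dampening values interact, as an added example that is not part of the Nortel documentation: a small Python model of a penalty that grows with each flap and decays by half-life. The per-flap penalty of 1000, the exponential decay and the reuse-below-suppress sanity check follow conventional route-flap dampening (RFC 2439) and are assumptions, because this page does not say how the router computes the penalty.

```python
"""Model of route-flap dampening driven by the five `set dampening` values.

Assumptions, not taken from the router documentation: every withdrawal adds
a fixed penalty of 1000 and the penalty decays exponentially (RFC 2439 style).
"""
import math
from dataclasses import dataclass

FLAP_PENALTY = 1000  # assumed penalty per withdrawal

# Ranges quoted in the variable definitions for `set dampening`.
RANGES = {"reach": (1, 45), "reuse": (1, 20000), "suppress": (1, 20000),
          "duration": (1, 255), "unreach": (1, 45)}


@dataclass(frozen=True)
class Dampening:
    reach: int      # half-life (minutes) while the route is reachable
    reuse: int      # penalty below which a suppressed route is used again
    suppress: int   # penalty above which the route is suppressed
    duration: int   # maximum suppression time (minutes)
    unreach: int    # half-life (minutes) while the route is unreachable

    def __post_init__(self):
        for name, (low, high) in RANGES.items():
            if not low <= getattr(self, name) <= high:
                raise ValueError(f"{name} must be in the range {low} to {high}")
        if self.reuse >= self.suppress:
            # Sanity check added here: a suppressed route could otherwise
            # be released as soon as it is suppressed.
            raise ValueError("reuse must be lower than suppress")

    def minutes_until_reuse(self, penalty):
        """Minutes a reachable route with this penalty stays suppressed."""
        if penalty <= self.suppress:
            return 0.0
        decay_time = self.reach * math.log2(penalty / self.reuse)
        return min(decay_time, float(self.duration))


def simulate(cfg, events, until):
    """Step through `until` minutes; events maps minute -> "down" or "up".

    Returns the (minute, state) transitions of the suppression flag.
    """
    penalty, reachable, suppressed_at, log = 0.0, True, None, []
    for minute in range(until + 1):
        if minute:  # decay over the minute that just elapsed
            half_life = cfg.reach if reachable else cfg.unreach
            penalty *= 0.5 ** (1 / half_life)
        event = events.get(minute)
        if event == "down":
            penalty += FLAP_PENALTY
            reachable = False
        elif event == "up":
            reachable = True
        if suppressed_at is None:
            if penalty > cfg.suppress:
                suppressed_at = minute
                log.append((minute, "suppressed"))
        elif penalty < cfg.reuse or minute - suppressed_at >= cfg.duration:
            suppressed_at = None
            log.append((minute, "reused"))
    return log


# Constructed sample: three flaps, two minutes apart.
SAMPLE_EVENTS = {0: "down", 1: "up", 2: "down", 3: "up", 4: "down", 5: "up"}

if __name__ == "__main__":
    cfg = Dampening(reach=15, reuse=750, suppress=2000, duration=60, unreach=15)
    print(simulate(cfg, SAMPLE_EVENTS, 90))
```

With a 15-minute half-life the third flap pushes the penalty past 2000, and the route stays suppressed until the penalty decays below 750 or the maximum duration expires, whichever comes first.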

Configuring the destination value for a destination routing protocol

The following procedure describes how to configure the destination value for a destination routing protocol. Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Configure the destination value:

[no] set metric {<metric>|<value>}

--End--

Table 17 Variable definition

Variable Value

<metric> Add (+number) or subtract (-number) metric value.

<value> The metric value in the range 0 to 4294967295.

Configuring metric type for a destination routing protocol

The following procedure describes how to configure metric type for a destination routing protocol. Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Configure the metric type:

[no] set metric-type {<type-1>|<type-2>}

--End--

Table 18 Variable definition

Variable Value

<type-1> Match OSPF external type 1 metrics.

<type-2> Match OSPF external type 2 metrics.

Configuring load balancing for equal cost routes

This procedure describes how to specify a load balancing policy for equal cost routes.

Procedure steps

Step Action

1 Enter configuration mode.

configure terminal

2 To specify the policy, enter:

ip load-balancing policy [per-flow|per-packet]

--End--

Configure prefix lists

The following procedure describes how to configure IP prefix lists.

Procedure steps

Step Action

1 Enter configuration mode.

configure terminal

2 To configure an IP prefix list, enter:

ip prefix-list <listname> [seq <seq-num>] {deny|permit} {any | <address> [le <max-prefix-length>] [ge <min-prefix-length>]}

--End--

Table 19 Variable definition

Variable Value

<listname> The name of the prefix list.

<seq-num> The sequence number in the range 1 to 4294967295.

{deny|permit} Reject or forward packets.

any Any prefix match. Equivalent to specifying 0.0.0.0/0 with maximum prefix length of 32.

<address> The IP Prefix/Length of the network to permit or deny.

le <max-prefix-length> The maximum prefix length.

ge <min-prefix-length> The minimum prefix length.
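To check what a prefix list will actually permit before applying it in a route map, the following added example (not Nortel code) evaluates routes against entries shaped like the ip prefix-list command above. It assumes the conventional prefix-list semantics, which this page does not spell out: entries are tried in ascending sequence number, the first match decides, an entry without le or ge matches only its exact prefix length, and a route that matches nothing is denied.

```python
"""Evaluate routes against entries shaped like `ip prefix-list` commands.

Assumed semantics (conventional for prefix lists, not stated on this page):
entries are tried in ascending sequence order, the first match decides, and
a route that matches no entry is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                  # "permit" or "deny"
    prefix: str                  # "A.B.C.D/M", or "any"
    ge: Optional[int] = None     # minimum prefix length
    le: Optional[int] = None     # maximum prefix length

    def bounds(self):
        """Return (network, shortest length, longest length) for this entry."""
        if self.prefix == "any":                 # same as 0.0.0.0/0 le 32
            return ipaddress.ip_network("0.0.0.0/0"), 0, 32
        net = ipaddress.ip_network(self.prefix)  # rejects host bits in prefix
        low = net.prefixlen if self.ge is None else self.ge
        if self.le is not None:
            high = self.le
        else:                                    # ge alone means "up to /32"
            high = net.prefixlen if self.ge is None else 32
        if not net.prefixlen <= low <= high <= 32:
            raise ValueError(f"seq {self.seq}: need length <= ge <= le <= 32")
        return net, low, high

    def matches(self, route) -> bool:
        net, low, high = self.bounds()
        return low <= route.prefixlen <= high and route.subnet_of(net)


def evaluate(entries: List[Entry], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching sequence number) for one route prefix."""
    candidate = ipaddress.ip_network(route)
    for entry in sorted(entries, key=lambda e: e.seq):
        if entry.matches(candidate):
            return entry.action, entry.seq
    return "deny", None                          # assumed implicit deny


# Constructed inbound filter: drop the default route, 10.0.0.0/8 and all of
# its subnets, and anything more specific than /24, then accept the rest.
INBOUND = [
    Entry(5, "deny", "0.0.0.0/0"),
    Entry(10, "deny", "10.0.0.0/8", le=32),
    Entry(15, "deny", "0.0.0.0/0", ge=25),
    Entry(20, "permit", "any"),
]

# Same entries with a catch-all placed first: every later deny is shadowed.
SHADOWED = [Entry(1, "permit", "any")] + INBOUND

if __name__ == "__main__":
    for prefix in ("0.0.0.0/0", "10.1.2.0/24", "192.0.2.128/25", "192.0.2.0/24"):
        print(prefix, evaluate(INBOUND, prefix), evaluate(SHADOWED, prefix))
```

The SHADOWED list shows why sequence numbers matter when automatic sequencing is used: an early permit any makes every later deny unreachable.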

Configuring automatic sequencing for prefix lists

The following procedure describes how to configure automatic sequencing for IP prefix lists. With this feature enabled, if you do not specify a sequence number for a new prefix list, the router automatically generates and assigns a sequence number to the prefix list.

By default, automatic sequencing is enabled.

To disable automatic sequencing, use the no form of this command.

Procedure steps

Step Action

1 Enter configuration mode.

configure terminal

2 To configure automatic sequencing for an IP prefix list, enter:

[no] ip prefix-list sequence-number

--End--

Configure a description for a prefix list

The following procedure describes how to configure a description for an IP prefix list.

Procedure steps

Step Action

1 Enter configuration mode.

configure terminal

2 To configure a description for an IP prefix list, enter:

ip prefix-list <listname> description <description>

--End--

Table 20 Variable definition

Variable Value

<listname> The name of the prefix list.

<description> Specifies the description for the prefix list.

Configuring a static route

This procedure describes how to configure a static IP route. Use the no form of this command to disable the distance for static routes of a subnet mask.

Procedure steps

Step Action

1 Enter configuration mode.

configure terminal

2 To configure the IP route, enter:

[no] ip route <destprefix> <ipaddressmask> <gatewayip|interface> <distvalue>

--End--

Table 21 Variable definition

Variable Value

<address> The IP destination prefix for the route to be added.

<mask> The IP destination prefix mask for the route to be added.

<gatewayip> The IP gateway address of the route to be added.

<interface> The name of the interface.

<distvalue> The distance value for the route, in the range 1 to 255.

Configuring an access list

This procedure describes how to configure an access list.

Procedure steps

Step Action

1 Enter configuration mode.

configure terminal

2 To configure the access list, enter:

[no] access-list <listname> {permit {<prefix> [exact-match]|any}|deny {<prefix> [exact-match]|any}|remark <comment>}

--End--

Table 22 Variable definition

Variable Value

<listname> A name for the access list.

<prefix> The IP prefix (network/length) to match.

<comment> Description of the access list, up to 100 characters.

[no] Removes the access list configuration.

Clearing an IP prefix list

This procedure describes how to clear an IP prefix list.

Procedure steps

Step Action

1 Clear the IP prefix list.

clear ip prefix-list <list> [<prefix>]

--End--

Table 23 Variable definition

Variable Value

<list> The IP prefix list to clear.

<prefix> The specific IP prefix/length to clear from the prefix list.

Show commands

The show IP commands display the general IP characteristics of the router.

Displaying IP access lists

This procedure describes how to display IP access lists.

Procedure steps

Step Action

1 To display IP access lists, enter:

show ip access-list <name>

--End--

Table 24 Variable definition

Variable Value

<name> The name of the access list you want to display.

Displaying interface information

This procedure describes how to display interface information.

With Release 10.2 and later, the interface display includes the highest supported capability for each interface: FE for Fast Ethernet and GE for Gigabit Ethernet.

Procedure steps

Step Action

1 To display interface information, enter:

show ip interfaces

2 To display information only about a specific interface, enter:

show ip interfaces interface <ifname>

3 To display a summary of the interface information, enter:

show ip interfaces brief [interface <ifname>]

4 To display information for a specific Ethernet interface, enter:

show interface ethernet <slot/port>

5 To display information for all Ethernet interfaces, enter:

show interface ethernets

--End--

Table 25 Variable definition

Variable Value

<ifname> The interface name for which you want to display information.

Figure 8 show ip interface command output

Figure 9 show ip interface ethernet command output

Displaying a prefix list

This procedure describes how to display a prefix list.

Procedure steps

Step Action

1 To display prefix list information, enter:

show ip prefix-list [<name>|detail|summary]

--End--

Table 26 Variable definition

Variable Value

<name> The name of the prefix list you want to display.

Displaying IP routing protocol process parameters and statistics

This procedure describes how to display IP routing protocol process parameters and statistics.

Procedure steps

Step Action

1 To display parameters and statistics, enter:

show ip protocols [bgp|ospf|rip]

--End--

Displaying the IP routing table

This procedure describes how to display the IP routing table.

Procedure steps

Step Action

1 To display the IP routing table, enter:

show ip route [routetype]

--End--

Table 27 Variable definition

Variable Value

<routetype> Optional route-type information to display. Possible options are:

• A.B.C.D - The network in the IP routing table to display.

• bgp - Display BGP information.

• connected - Display connected route information.

• database - The IP routing table database to display.

• mpls - Display MPLS information.

• ospf - Display OSPF information.

• rip - Display RIP information.

• static - Display static information.

• summary - Display a summary of all routes.

Displaying route-map information

This procedure describes how to display route-map information.

Procedure steps

Step Action

1 To display route-map information, enter:

show route-map [routemap]

--End--

Table 28 Variable definition

Variable Value

[routemap] Optionally limits the display to a single route map, specified by route-map name.

Configuring routing for interfaces

This section describes some of the generic port-related IP routing commands. Other port commands are included in sections of this manual that describe commands that are used with a specific protocol or feature. These commands apply to both Ethernet and WAN interfaces.

Configuring the IP address and mask for an interface

This procedure describes how to configure the IP address and subnet mask for an interface.

Procedure steps

Step Action

1 Enter configuration mode.

configure terminal

2 Enter interface mode.

interface <interface>

3 To configure the IP address and subnet mask, enter:

ip address <address> <mask>

--End--

Table 29 Variable definition

Variable Value

<address> The IP address for the interface.

<mask> The subnet mask for the interface.

Enabling proxy arp

This procedure describes how to enable proxy arp.

Procedure steps

Step Action

1 Enter configuration mode.

configure terminal

2 Enter interface mode.

interface <interface>

3 To enable proxy arp, enter:

ip proxy_arp

--End--

Configuring ICMP redirect messages on an interface

This procedure describes how to configure ICMP redirect messages on an interface. Use the no form of this command to disable.

Procedure steps

Step Action

1 Enter configuration mode.

configure terminal

2 Enter interface mode.

interface <interface>

3 To enable ICMP redirect messages, enter:

[no] ip redirects

--End--

Configuring ICMP destination unreachable messages on an interface

This procedure describes how to enable ICMP destination unreachable messages on an interface. Use the no form of this command to disable.

Procedure steps

Step Action

1 Enter configuration mode.

configure terminal

2 Enter interface mode.

interface <interface>

3 To enable ICMP destination unreachable messages, enter:

[no] ip unreachables

--End--

RIP fundamentals

Routing Information Protocol (RIP) is a distance vector protocol that dynamically learns the available paths to other routers. To RIP, the best path to a destination is the one with the fewest hops. RIP computes distance as a metric, usually the number of hops (or routers) from the source node to the target node.

Nortel Secure Router 2330/4134 implementation of RIP

RIP works well for small- to medium-sized networks, where the longest path is 15 hops. A node connected directly to the router has a metric of zero; an unreachable node has a metric of 16. When used as a provider edge (PE), the Nortel Secure Router 2330/4134 supports RIP on access ports that interface with customer edge (CE) devices. To preserve the RIP hop count across the core, the router adds one hop and then passes the hop count to the BGP multi-exit discriminator (MED).

RIPv1 advertises addresses without subnet masking. RIPv2 advertises more explicitly, based on the subnet mask. The Nortel Secure Router 2330/4134 supports RIPv2 with backwards compatibility for RIPv1.

Maintaining routing tables

Routing tables have to be maintained to track changes in the network. For example, routers fail, better routes become available, and sometimes routes have to be purged. RIP uses the following timers to keep the routing tables current:

• Update timer -- Routers within an autonomous system exchange routing information through periodic RIP updates. The update timer controls the frequency of these updates. The Nortel Secure Router 2330/4134 default is to send out a RIP update every 30 seconds.

• Expiration timer -- RIP expects an update every 30 seconds from its neighbors. If it does not receive an update in that time, RIP waits for a specified expiration time before declaring a route invalid. The expiration timer enables you to balance the need to allow time for occasional lost update messages and the need to purge stale routes quickly. The Nortel Secure Router 2330/4134 default is to wait 180 seconds.

• Triggered update timer -- When routes change, the Nortel Secure Router 2330/4134 sends a RIP update almost immediately instead of waiting for its regular update message. This helps to speed up network convergence. The triggered update timer is set to wait for 5 seconds to avoid a storm of triggered updates.

Providing RIP security

RIP supports the following two security mechanisms that prevent unauthorized routers from forming adjacencies:

• Simple text password -- This method transmits simple passwords in clear text, so it is meant only to protect against honest neighbors (for example, a misconfigured router) and not against anyone who can read the traffic.

• MD5 authentication -- This mechanism provides more protection than a simple password and has a greater probability of detecting hostile messages.

Note that you must be running RIPv2 to enable MD5 authentication. The default is none.
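The difference between the two mechanisms is visible in the packet itself. The following added example (not Nortel code) audits a captured RIPv2 packet: it reports whether the packet carries no authentication, a simple password (readable as-is) or a keyed-MD5 entry, and recomputes the MD5 digest to verify the packet. The packet layout is the standard one from RFC 2453 and RFC 2082; the sample packets, key and function names are constructed for the example.

```python
"""Classify the authentication carried by a RIPv2 packet and verify keyed MD5.

Packet layout follows RFC 2453 (simple password) and RFC 2082 (keyed MD5).
All packets below are constructed samples; names and keys are invented.
"""
import hashlib
import hmac
import socket
import struct

HEADER = struct.Struct("!BBH")      # command, version, must-be-zero
AUTH_MARKER = 0xFFFF                # address family that marks an auth entry
SIMPLE, KEYED_MD5, TRAILER = 2, 3, 1


def route_entry(network, mask, metric):
    """One 20-byte RIPv2 route entry (address family 2 = IP)."""
    return struct.pack("!HH4s4s4sI", 2, 0, socket.inet_aton(network),
                       socket.inet_aton(mask), bytes(4), metric)


def build_simple(password, entries):
    """Constructed RIPv2 response protected by a simple password."""
    auth = struct.pack("!HH16s", AUTH_MARKER, SIMPLE, password)
    return HEADER.pack(2, 2, 0) + auth + b"".join(entries)


def build_md5(key, key_id, sequence, entries):
    """Constructed RIPv2 response protected by keyed MD5."""
    body = b"".join(entries)
    length = HEADER.size + 20 + len(body)          # offset of the trailer
    auth = struct.pack("!HHHBBI8x", AUTH_MARKER, KEYED_MD5, length,
                       key_id, 16, sequence)
    signed = (HEADER.pack(2, 2, 0) + auth + body
              + struct.pack("!HH", AUTH_MARKER, TRAILER))
    # The digest covers the packet followed by the 16-byte padded key.
    return signed + hashlib.md5(signed + key.ljust(16, b"\0")[:16]).digest()


def classify(packet):
    """Return a dict describing the authentication mode of a RIP packet."""
    if len(packet) < HEADER.size + 20:
        return {"mode": "none"}
    _command, version, _zero = HEADER.unpack_from(packet)
    family, auth_type = struct.unpack_from("!HH", packet, HEADER.size)
    if version != 2 or family != AUTH_MARKER:
        return {"mode": "none"}
    if auth_type == SIMPLE:     # the password itself is readable on the wire
        return {"mode": "simple", "cleartext": packet[8:24].rstrip(b"\0")}
    if auth_type == KEYED_MD5:
        length, key_id, _dlen, sequence = struct.unpack_from("!HBBI", packet, 8)
        return {"mode": "md5", "length": length, "key_id": key_id,
                "sequence": sequence}
    return {"mode": "unknown"}


def verify_md5(packet, key):
    """Recompute the keyed-MD5 digest and compare it in constant time."""
    info = classify(packet)
    if info["mode"] != "md5":
        return False
    end = info["length"]
    if len(packet) < end + 20:
        return False
    if struct.unpack_from("!HH", packet, end) != (AUTH_MARKER, TRAILER):
        return False
    expected = hashlib.md5(packet[:end + 4] + key.ljust(16, b"\0")[:16]).digest()
    return hmac.compare_digest(expected, packet[end + 4:end + 20])


# Constructed samples: one route, protected each way with the same secret.
ROUTES = [route_entry("192.0.2.0", "255.255.255.0", 1)]
SIMPLE_PACKET = build_simple(b"lab-secret", ROUTES)
MD5_PACKET = build_md5(b"lab-secret", key_id=1, sequence=42, entries=ROUTES)

if __name__ == "__main__":
    print(classify(SIMPLE_PACKET))
    print(classify(MD5_PACKET), verify_md5(MD5_PACKET, b"lab-secret"))
```

Keyed MD5 authenticates the update but does not hide it: the routes are still readable, only the key stays off the wire.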

Ensuring reachability with split horizon and poison reverse

Problems arise when routers claim reachability for a destination network to the neighbor from which the route was learned. This creates a loop where neighbors advertise erroneous routes.

The Nortel Secure Router 2330/4134 supports the following two mechanisms that help ensure the reachability of routes:

• Split horizon -- This mechanism omits routes learned from one neighbor in updates sent to that neighbor. Split horizon minimizes routing overhead, but may cause slower convergence. Nortel Secure Router 2330/4134 enables split horizon by default.

• Split horizon with poison reverse -- This mechanism includes routes learned from one neighbor in updates sent to that neighbor. However, it sets the metric to 16, which breaks the erroneous loop immediately. Poison reverse speeds up convergence, but it increases routing overhead. Nortel Secure Router 2330/4134 disables poison reverse by default.

Routing Information Protocol

In routed environments, routers communicate with one another to track available routes. Routers can learn about available routes dynamically using the Routing Information Protocol (RIP). The Secure Router 2330/4134 software implements standard RIP for exchanging Transmission Control Protocol (TCP)/IP route information with other routers.

RIP uses broadcast User Datagram Protocol (UDP) data packets to exchange routing information. By default, each router advertises routing information by sending a routing information update every 30 seconds (one interval). If a router does not receive an update from another router within 180 seconds (six intervals), it marks the routes served by the nonupdating router as being unusable. If no update is received within an additional 120 seconds (four intervals), the router removes all routing table entries for the nonupdating router. All of these intervals are user-configurable values.

RIP is known as a distance vector protocol. The vector is the network number and next hop, and the distance is the cost associated with the network number. RIP identifies network reachability based on cost, and cost is defined as hop count. One hop is considered to be the distance from one router to the next. This cost or hop count is known as the metric (Figure 10 "Hop count or metric in RIP" (page 51)).

Figure 10 Hop count or metric in RIP

RIP version 1 was distributed in the early years of the Internet and advertised default class address without subnet masking. RIP version 2 advertises more explicitly, based on the subnet mask.

The Secure Router 2330/4134 supports RIP version 2, which advertises routing table updates using multicast instead of broadcasting. RIP version 2 supports variable length subnet masks (VLSM) and triggered updates of routers. RIP version 2 sends mask information. If information about a network is not received for 180 seconds, the metric associated with the network rises to infinity (U)—the metric resets to 16, which means the network becomes unreachable. If information about a network is not received for an additional 120 seconds (four update intervals), it is removed from the routing table. You can change the default timers by using the ’timers basic’ command at the ’router rip’ command level.

A directly connected network has a metric of zero. An unreachable network has a metric of 16. Therefore, the highest metric between any two networks can be 15 hops or 15 routers.
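The timer behaviour described above (usable for 180 seconds, then metric 16, then removed after a further 120 seconds) and the split horizon and poison reverse rules from the earlier reachability section, combined in one added example that is not Nortel code. It assumes that one hop is added when a route is advertised, so a connected network (metric 0) is announced with metric 1; the router names and prefixes are constructed.

```python
"""Route ageing and split horizon in a RIP table, using this page's defaults.

Assumption (not stated on this page): one hop is added when a route is
advertised, so a connected network (metric 0) is announced with metric 1.
"""
from dataclasses import dataclass

EXPIRE = 180        # seconds without an update before a route is unusable
FLUSH = 120         # additional seconds before the entry is removed
UNREACHABLE = 16    # RIP metric for "infinity"


@dataclass
class Route:
    metric: int
    learned_from: str       # neighbour name, or "connected"
    last_heard: float


class RipTable:
    def __init__(self):
        self.routes = {}

    def add_connected(self, prefix):
        self.routes[prefix] = Route(0, "connected", 0.0)

    def receive(self, neighbor, prefix, metric, now):
        """Process one route entry from a neighbour's update."""
        current = self.routes.get(prefix)
        if metric >= UNREACHABLE:
            # A poisoned route only matters if this neighbour was the next hop.
            if current and current.learned_from == neighbor:
                current.metric = UNREACHABLE
            return
        if (current is None or metric < current.metric
                or current.learned_from == neighbor):
            self.routes[prefix] = Route(metric, neighbor, now)

    def age(self, now):
        """Apply the expiration and removal timers at time `now` (seconds)."""
        for prefix, route in list(self.routes.items()):
            if route.learned_from == "connected":
                continue
            silent = now - route.last_heard
            if silent >= EXPIRE + FLUSH:
                del self.routes[prefix]
            elif silent >= EXPIRE:
                route.metric = UNREACHABLE

    def build_update(self, neighbor, poison_reverse=False):
        """Routes to advertise to `neighbor` as {prefix: metric}."""
        update = {}
        for prefix, route in self.routes.items():
            if route.learned_from == neighbor:
                if poison_reverse:              # advertise back as unreachable
                    update[prefix] = UNREACHABLE
                continue                        # split horizon: leave it out
            update[prefix] = min(route.metric + 1, UNREACHABLE)
        return update


def demo():
    """Constructed scenario: R2 hears 10.0.1.0/24 from R1 once, then R1 goes silent."""
    r2 = RipTable()
    r2.add_connected("10.0.2.0/24")
    r2.receive("R1", "10.0.1.0/24", 1, now=0)
    results = {
        "to_R1_split_horizon": r2.build_update("R1"),
        "to_R1_poison_reverse": r2.build_update("R1", poison_reverse=True),
        "to_R3": r2.build_update("R3"),
    }
    for t in (179, 180, 299, 300):
        r2.age(t)
        route = r2.routes.get("10.0.1.0/24")
        results[f"metric_at_{t}s"] = route.metric if route else None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```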

RIP configuration procedures

This section describes how to configure the Routing Information Protocol (RIP) on a Nortel Secure Router 2330/4134. Before you configure an interface, you must globally enable RIP for all interfaces. RIP interfaces that you later create inherit these global configuration property settings. However, to customize RIP on an interface, you can override the global settings.

This section documents the configuration commands and some operational commands. For a complete list of show, clear, and other operational commands, refer to Nortel Secure Router 2330/4134 Commands Reference.

Enabling RIP globally

Enable RIP to use the Nortel Secure Router 2330/4134 in a RIP network. Use the no form of this command to disable RIP.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enable RIP.

[no] router rip

--End--

Entering key chain management mode

The following procedure describes how to enter key chain management mode and configure a key chain with a key chain name.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enter key chain management mode.

key chain <keyname>

--End--

Table 30: Variable definition

Variable Value

<keyname> The name of the key chain to manage.

Configuring a key

The following procedure describes how to manage, add and delete authentication keys in a key-chain.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enter key chain management mode.

key chain <keyname>

3 Configure the key.

key <keyid>

--End--

Table 31: Variable definition

Variable Value

<keyname> The name of the key chain to manage.

<keyid> The key id number in the range 0 to 21474836647.

Specifying key chain authentication key receive lifetime.

The following procedure describes how to specify the time period during which the authentication key received on a key chain is accepted as valid.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enter key chain management mode.

key chain <keyname>

3 Configure the key.

key <keyid>

4 Specify the lifetime.

accept-lifetime <start> <end>

--End--

Table 32: Variable definition

Variable Value

<end> Specify the end time using the following rule: {<TIME>|<duration>|infinite}. The variables are as follows:

• TIME - HH:MM:SS DAY MONTH YEAR:

— HH:MM:SS - Time of the day when accept-lifetime starts, in hours, minutes and seconds.

— DAY - The day of the month to start (1-31)

— MONTH - The month to start specified by the first three letters, for example, Jan.

— YEAR - The year to start (1993-2035)

• duration - The duration of the key in seconds (1-21474836646)

• infinite - Never expires.

<keyname> The name of the key chain to manage.

<keyid> The key id number in the range 0 to 21474836647.

<start> Specify the start time in the format HH:MM:SS DAY MONTH YEAR:

• HH:MM:SS - Time of the day when accept-lifetime starts, in hours, minutes and seconds.

• DAY - The day of the month to start (1-31)

• MONTH - The month to start specified by the first three letters, for example, Jan.

• YEAR - The year to start (1993-2035)

Configuring a key password

The following procedure describes how to define the password to be used by a key.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enter key chain management mode.

key chain <keyname>

3 Configure the key.

key <keyid>

4 Configure the key password.

key-string <password>

--End--

Table 33: Variable definition

Variable Value

<keyname> The name of the key chain to manage.

<keyid> The key id number in the range 0 to 21474836647.

<password> A string of characters to be used as a password by the key.

Specifying key chain authentication key send lifetime.

The following procedure describes how to specify the time period during which the authentication key sent on a key chain is received as valid.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enter key chain management mode.

key chain <keyname>

3 Configure the key.

key <keyid>

4 Specify the lifetime.

send-lifetime <start> <end>

--End--

Table 34: Variable definition

Variable Value

<end> Specify the end time using the following rule: {<TIME>|<duration>|infinite}. The variables are as follows:

• TIME - HH:MM:SS DAY MONTH YEAR:

— HH:MM:SS - Time of the day when accept-lifetime starts, in hours, minutes and seconds.

— DAY - The day of the month to start (1-31)

— MONTH - The month to start specified by the first three letters, for example, Jan.

— YEAR - The year to start (1993-2035)

• duration - The duration of the key in seconds (1-21474836646)

• infinite - Never expires.

<keyname> The name of the key chain to manage.

<keyid> The key id number in the range 0 to 21474836647.

<start> Specify the start time in the format HH:MM:SS DAY MONTH YEAR:

• HH:MM:SS - Time of the day when accept-lifetime starts, in hours, minutes and seconds.

• DAY - The day of the month to start (1-31)

• MONTH - The month to start specified by the first three letters, for example, Jan.

• YEAR - The year to start (1993-2035)
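
The accept-lifetime and send-lifetime procedures above give each key its own validity windows, so a key rollover can leave a period in which no key may be sent, or in which a key is sent before neighbors accept it. The following Python check is an added example, not Nortel code: the function names, the RIPKEYS chain and its values are constructed, and it assumes that every neighbor carries the same key chain.

```python
"""Added example: audit key-chain lifetimes written in this section's syntax."""
from datetime import datetime, timedelta

INFINITE = datetime.max  # stands in for the 'infinite' end value


def parse_time(tokens):
    """Parse ['HH:MM:SS', 'DAY', 'MONTH', 'YEAR'], month as three letters (Jan)."""
    if len(tokens) != 4:
        raise ValueError(f"expected HH:MM:SS DAY MONTH YEAR, got {tokens!r}")
    return datetime.strptime(" ".join(tokens), "%H:%M:%S %d %b %Y")


def parse_lifetime(args):
    """Return (start, end) for '<start> <end>'; <end> is a TIME, seconds or 'infinite'."""
    tokens = args.split()
    start, rest = parse_time(tokens[:4]), tokens[4:]
    if rest == ["infinite"]:
        return start, INFINITE
    if len(rest) == 1 and rest[0].isdigit():
        return start, start + timedelta(seconds=int(rest[0]))
    end = parse_time(rest)
    if end <= start:
        raise ValueError("lifetime ends before it starts")
    return start, end


def parse_key_chains(config):
    """Build {chain: {keyid: {'accept': (s, e), 'send': (s, e)}}} from CLI lines."""
    chains, chain, key = {}, None, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[:2] == ["key", "chain"] and len(words) == 3:
            chain, key = chains.setdefault(words[2], {}), None
        elif words[0] == "key" and len(words) == 2 and chain is not None:
            key = chain.setdefault(int(words[1]), {})
        elif words[0] in ("accept-lifetime", "send-lifetime") and key is not None:
            key[words[0].split("-")[0]] = parse_lifetime(" ".join(words[1:]))
    return chains


def audit_chain(keys, horizon_start, horizon_end):
    """Return findings for one chain between horizon_start and horizon_end."""
    findings = []
    for keyid, key in sorted(keys.items()):
        send, accept = key.get("send"), key.get("accept")
        # Assumption: neighbors use this same chain, so a key must be accepted
        # for at least as long as it is sent.
        if send and accept and (accept[0] > send[0] or accept[1] < send[1]):
            findings.append(f"key {keyid}: send window is not inside accept window")
    # Walk the send windows in time order and report uncovered periods.
    # Keys without a send-lifetime are not counted as coverage here.
    cursor = horizon_start
    for start, end in sorted(k["send"] for k in keys.values() if "send" in k):
        if start >= horizon_end:
            break
        if start > cursor:
            findings.append(
                f"no send key from {cursor.isoformat()} to {start.isoformat()}")
        cursor = max(cursor, end)
    if cursor < horizon_end:
        findings.append(
            f"no send key from {cursor.isoformat()} to {horizon_end.isoformat()}")
    return findings


# Constructed sample, using only commands documented in this section.
SAMPLE_CONFIG = """
key chain RIPKEYS
 key 1
  key-string EXAMPLE-PLACEHOLDER-1
  accept-lifetime 00:00:00 1 Jan 2010 00:00:00 1 Jul 2010
  send-lifetime 00:00:00 1 Jan 2010 15638400
 key 2
  key-string EXAMPLE-PLACEHOLDER-2
  accept-lifetime 12:00:00 1 Jul 2010 infinite
  send-lifetime 01:00:00 1 Jul 2010 infinite
"""

if __name__ == "__main__":
    chain = parse_key_chains(SAMPLE_CONFIG)["RIPKEYS"]
    for finding in audit_chain(chain, datetime(2010, 1, 1), datetime(2011, 1, 1)):
        print(finding)
```

In the sample, key 1 stops being sent at midnight on 1 July while key 2 is not sent until 01:00 and not accepted until 12:00, so the check reports both the one-hour send gap and the key 2 window mismatch.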

Configuring RIP routing on an IP network

Specify a network as one that runs RIP. Use the no form of this command to remove the specified network as one that runs RIP.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enable RIP.

router rip

3 Enable RIP for the interface.

[no] network {<A.B.C.D/M>|<interface>}

--End--

Table 35: Variable definition

Variable Value

<A.B.C.D/M> Specifies the IP address prefix and length of this IP network.

<interface> Ethernet or WAN interface name. Example: Ethernet0/1 or wan1.

Configuring split-horizon

Configure split horizon to prevent loops by not advertising erroneous routes from neighbors. Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enter interface mode.

interface <interface>

3 Enable split-horizon with poison reverse.

[no] ip rip split-horizon [poisoned]

--End--

Table 36: Variable definition

Variable Value

<interface> Interface name. Example: Ethernet 0/1

[poisoned] Performs split-horizon with poisoned reverse.

Configuring route redistribution

To redistribute information from other routing protocols, use the redistribute command. Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enable RIP.

router rip

3 Redistribute routes.

[no] redistribute {<connected>|<static>|<ospf>|<bgp>} [metric] [routemap]

--End--

Table 37: Variable definition

Variable Value

<connected> Redistribute from connected routes

<static> Redistribute from static routes

<ospf> Redistribute from Open Shortest Path First (OSPF)

<bgp> Redistribute from Border Gateway Protocol (BGP)

[metric] Metric <0-16> Specifies the metric value to be used in redistributing information

[routemap] Specifies the route-map to be used to redistribute information

Configuring timers

Use this command to adjust routing network timers. Use the no form of this command to return to the default setting.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enable RIP.

router rip

3 Enable timers.

[no] timers basic <update> <timeout> <garbage>

--End--

Table 38: Variable definition

Variable Value

<update> <5-2147483647> Specifies the routing table update timer in seconds. The default is 30 seconds.

<timeout> <5-2147483647> Specifies the routing information timeout timer in seconds. The default is 180 seconds. After this interval has elapsed and no updates for a route are received, the route is declared invalid.

<garbage> <5-2147483647> Specifies the routing garbage collection timer in seconds. The default is 120 seconds. If a route remains invalid for the period specified by this variable, it is permanently removed from the routing table.

Configuring distribution of default routes

The following procedure describes how to generate a default route into RIP. Use the no form of this command to disable this feature.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enable RIP.

router rip

3 Distribute a default route.

[no] default-information originate

--End--

Configuring the default metric on a redistributed route

The following procedure describes how to set a metric value on a redistributed route. Use the no form of this command to disable this feature.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enable RIP.

router rip

3 Set the default metric value.

[no] default-metric <1-16>

--End--

Configuring a router neighbor

The following procedure describes how to configure a router neighbor. Use the no form of this command to disable the specific router.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enable RIP.

router rip

3 Enter the address of the neighbor.

[no] neighbor <address>

--End--

Table 39: Variable definition

Variable Value

<address> The address of the neighbor.

Configuring an interface to suppress routing updates

The following procedure describes how to configure an interface to suppress routing updates. Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enable RIP.

router rip

3 Specify the interface on which you want to suppress routing updates.

[no] passive-interface <interface>

--End--

Table 40: Variable definition

Variable Value

<interface> The interface on which you want to suppress routing updates.

Configuring the routing protocol version

The following procedure describes how to set the routing protocol version that is used globally by the router. Use the no form of this command to restore the default version (v2).

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enable RIP.

router rip

3 Set the routing protocol version.

[no] version <version>

--End--

Table 41: Variable definition

Variable Value

<version> The routing protocol version, 1 or 2.

Configuring the administrative distance

The following procedure describes how to set the administrative distance. Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enable RIP.

router rip

3 Set the administrative distance.

[no] distance <distancevalue> [A.B.C.D/M[accesslist]]

--End--

Table 42: Variable definition

Variable Value

<distancevalue> The administrative distance value.

Configuring a RIP metric

The following procedure describes how to add an offset to the in and out metrics of routes learned through RIP. Use the no form of this command to remove the offset list.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enable RIP.

router rip

3 Modify the RIP metric.

[no] offset-list <name> <direction> <metricvalue> <interfacename>

--End--

Table 43: Variable definition

Variable Value

<name> The access list name.

<direction> Direction of updates. In or out.

<metricvalue> The metric value to modify.

<interfacename> The interface name.

Configuring routing updates to filter networks

The following procedure describes how to filter incoming or outgoing route updates using the access-list or the prefix-list. Use the no form of this command to disable this feature.

Procedure steps

Step Action

1 Enter Configuration mode.

configure terminal

2 Enable RIP.

router rip

3 To specify filter information, enter:

[no] distribute-list [<prefix>|<accesslist>] <direction> <interface>

--End--

Table 44: Variable definition

Variable Value

<prefix> Filter prefixes in routing updates.

<accesslist> The access list name.

<direction> Direction to filter routing updates, in or out.

<interface> The interface name.

Configuring authentication control

The following procedure describes how to configure authentication control. Use the no form of this command to disable the feature.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Enter Interface mode:

interface <interface>

3 To configure authentication control, enter:

[no] ip rip authentication <authtype>

--End--

Table 45: Variable definition

Variable Value

<authtype> The type of authentication. Possible types are:

• keychain <name of keychain> - Keychain authentication

• mode <md5|text> - Mode authentication

• string <name of string> - String authentication

Configuring advertisement reception

The following procedure specifies the version of RIP that can be received on the interface. This configuration overrides the 'version' command. Use the no form of this command to use the setting established by the version command.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Enter Interface mode:

interface <interface>

3 To configure advertisement reception, enter:

[no] ip rip receive version <version>

--End--

Table 46: Variable definition

Variable Value

<version> Specifies the version of RIP to receive, 1 (RIPv1), 2 (RIPv2), or 1 2 (both).

Configuring packet reception through an interface

The following procedure describes how to enable receiving packets through a specified interface. Use the no form of this command to disable this feature.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Enter Interface mode:

interface <interface>

3 To configure an interface to receive packets, enter:

[no] ip rip receive-packet

--End--

Configuring advertisement transmission

The following procedure describes how to specify the version of RIP packets that are sent out of an interface. Use the no form of this command to use the global RIP version control rules.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Enter Interface mode:

interface <interface>

3 To configure advertisement transmission, enter:

[no] ip rip send version <version>

--End--

Table 47: Variable definition

Variable Value

<version> The RIP version to send. Possible values are:

• 1 (RIPv1)

• 2 (RIPv2)

• 1-compatible

Configuring packet transmission through an interface

The following procedure describes how to enable sending packets through the specified interface. Use the no form of this command to disable this feature.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Enter Interface mode:

interface <interface>

3 To enable packet sending on the interface, enter:

[no] ip rip send-packet

--End--

Sending v1 packets to another RIP interface

The following procedure describes how to send RIP version 1 compatible packets from a version 2 RIP interface to other RIP interfaces. This method forces RIPv2 to broadcast packets instead of multicasting them. Use the no form of this command to use the global RIP version control rules.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Enter Interface mode:

interface <interface>

3 To enable packet sending on the interface, enter:

[no] ip rip send version 1-compatible

--End--

Displaying RIP configuration

Display RIP process parameters and statistics.

Procedure steps

Step Action

1 Show RIP protocol information.

show ip protocols rip

--End--

Displaying all configured RIP interfaces

Display information about all configured RIP interfaces. You can specify an interface name to display information about a specific interface.

Procedure steps

Step Action

1 Show RIP interface information.

show ip rip interface <interface>

--End--

Displaying RIP information

Display RIP routes.

Procedure steps

Step Action

1 Show RIP information.

show ip rip

--End--

Displaying the RIP database

The following procedure describes how to show the RIP database.

Procedure steps

Step Action

1 Show the RIP database.

show ip rip database

--End--

Clearing the RIP routing table

The following procedure describes how to clear the RIP routing table.

Procedure steps

Step Action

1 Clear the RIP routing table.

clear ip rip route [<A.B.C.D/M>|static|connected|rip|ospf|bgp|all]

--End--

Table 48: Variable definition

Variable Value

<A.B.C.D/M> Removes entries which exactly match this destination address from RIP routing table.

static Removes static entries from the RIP routing table.

connected Removes entries for connected routes from the RIP routing table.

rip Removes only RIP routes from the RIP routing table.

ospf Removes only OSPF routes from the RIP routing table.

bgp Removes only BGP routes from the RIP routing table.

all Clears the entire RIP routing table.

Resetting prefix-list entries

The following procedure describes how to reset the hit count to zero in the prefix-list entries.

Procedure steps

Step Action

1 Reset the hit counter to zero.

clear ip prefix-list <word> <A.B.C.D/M>

--End--

Table 49: Variable definition

Variable Value

<A.B.C.D/M> Removes entries which exactly match this destination address from RIP routing table.

<word> The name of the prefix list.

OSPF fundamentals

Open Shortest Path First (OSPF) is a link state protocol that determines the best path for routing IP traffic over a TCP/IP network based on distance between nodes and several quality parameters. OSPF provides less router-to-router update traffic than the RIP protocol, which is a distance vector protocol.

OSPF summary

Open Shortest Path First (OSPF) is a dynamic, hierarchical protocol designed to support routing in an IP network within a single autonomous system (AS). OSPF is a link state protocol that uses configurable metrics associated with the speed, reliability, and delay of a network. OSPF also supports policy-based routing within an AS.

The Secure Router 2330/4134 implementation of OSPF utilizes a required process-id for supporting multiple instances of OSPF in the same system. The process-id has only local significance and is a number between 1 and 65535.

Hierarchical elements

An OSPF network consists of an AS, areas, and routers.

An OSPF area is an IP subnet, typically identified by a unique IP subnetwork (subnet) number, also called the area ID. OSPF hides the topology of an area from the rest of the AS, facilitating a significant reduction in routing (overhead) traffic within the AS, and protecting routers within the area from bad routing data.

OSPF routers reduce and restrict the amount of internal and external link state information that is flooded through the AS by dividing the AS into areas. The central area, called a backbone, distributes link state information among areas.

Neighbors can form an adjacency for exchanging link state information. When two routers form a full adjacency, they go through a process called database exchange to synchronize their topological databases. When their databases are synchronized, the routers are said to be fully adjacent. From this point on, only link state information is passed between the routers, thus conserving bandwidth. Routers connected by a point-to-point network always form an adjacency. Also, every router on a multiaccess network forms an adjacency relationship with the designated router and the backup designated router.

OSPF supports point-to-point and broadcast interfaces. Interfaces are also known as links. Two OSPF routers that each have an interface to the same network are called neighbors. Routers that have interfaces to at least two areas are Area Border Routers (ABRs). Routers that have interfaces to at least two different ASs are Autonomous System Boundary Routers (ASBRs). When two or more areas exist, the backbone area must be one of the areas.

Designated and backup designated routers

When OSPF runs over a broadcast medium, it elects one router on that medium to serve as designated router (DR). This router floods routing information for that network segment into the network.

Also on a broadcast medium, OSPF elects a backup designated router (BDR). If the DR fails, the BDR assumes the responsibilities of the DR.

Each router running OSPF has a configurable priority setting for DR/BDR election. OSPF elects as DR the router with the highest priority value. A priority value of 0 means that a router is not eligible to be the DR. Once elected, the DR choice remains, even if a better router comes into the network. No DR election recurs unless the current DR and its BDR fail.

Link state database

When an OSPF router first joins a network, it uses the OSPF Hello protocol to discover its neighbors. Neighbors may form adjacencies for the purpose of exchanging routing information. Not all neighbor pairs can become adjacent. Adjacencies form by synchronizing the neighbors’ topology databases through the database exchange process. Two routers become fully adjacent by fully synchronizing their topology databases. Only adjacent routers exchange routing information, thereby conserving bandwidth. Also, an authentication mechanism prevents unauthorized neighbors from establishing adjacencies.

Each OSPF router generates state information about its directly connected links (interfaces) and adjacencies and advertises this information in Link State Advertisement (LSA) packets. Other routers receive the LSAs, learn this information, and flood it throughout the areas in which they have interfaces. Each OSPF router builds a Link State Database (LSDB) from this information. Each ABR has one LSDB for each area in which it has an interface.

Each OSPF router uses its LSDB to calculate the shortest path to each destination in the AS, with itself at the root of each path. This is accomplished by means of Dijkstra’s Shortest Path First (SPF) algorithm. The SPF tree, also known as the best path tree, is then submitted to the routing table as OSPF routes. When a network topology change occurs, OSPF recalculates the shortest path tree. The network has converged when all OSPF routers have recalculated their routing tables as a result of a change in the topology.

LSA types

To achieve and maintain convergence among routers within the AS, OSPF floods different LSA types into the routing domain. Every LSA has a Link State ID (LSID) field.

Table 50: LSA types

Type 1 LSA (Router LSA)

Originated by each router in an area. A single router LSA describes the state and cost of all the router’s links (interfaces) to the area. The LSID contains the router ID of the originating router.

Type 2 LSA (Network LSA)

Originated by the DR for each broadcast network to describe all the routers attached to the network, including the DR itself. The LSID contains the IP interface address of the designated router for the network.

Type 3 LSA (ABR Summary LSA)

Originated by ABRs to describe routes to networks within the area, facilitating the summarization (condensation) of routing information at area borders. The LSID contains the destination IP network number of the originating ABR.

Type 4 LSA (ASBR Summary LSA)

Originated by ASBRs to describe routes to AS boundary routers, facilitating the summarization (condensation) of routing information at AS boundaries. The LSID contains the router ID of the originating ASBR.

Type 5 LSA (AS external LSA)

Originated by ASBRs to describe routes to destinations external to the AS, and to describe a default route for the AS. Routers internal to the AS use the default route when no specific route exists to the external destination. The LSID contains either the default route (0.0.0.0) or the specific network number of the external destination.

Type 7 LSA (NSSA AS external LSA)

Originated by ASBRs to describe routes to destinations external to the AS, only for routers within an NSSA. NSSA ABRs translate these Type 7 LSAs to Type 5 LSAs and flood them into the OSPF backbone area.

Type 10 LSA (OSPF opaque LSA)

Carries traffic engineering parameters. These parameters are used in CSPF (Constrained Short Path First) calculations to provide a best path for traffic engineering applications such as RSVP-TE.

Backbone area

The OSPF backbone area is the special OSPF Area 0 (often written as Area 0.0.0.0). The OSPF backbone always contains all area border routers. The backbone is responsible for distributing routing information between non-backbone areas. The backbone (connectivity) must be contiguous. However, it need not be physically contiguous; backbone connectivity can be established/maintained through the configuration of virtual links.

Stub areas

A stub area is an OSPF area that does not import external routing information, but may import inter-area route summaries. However, route summaries for this stub area are still originated by the ABR to the backbone. Routing from this type of area to networks outside of the area is based on a default route originated by the area’s ABR into the stub area. All routers inside a stub area must be configured as stub routers. ASBRs cannot be configured as stub routers because, in that case, external routing information would not be flooded into the area. Also, a stub area cannot be used as a transit area for virtual links.

The Nortel Secure Router 2330/4134 supports stub areas and the ability to advertise a default route with a metric, as well as the option of importing summary routes into the area. By default, summary routes are imported into stub areas, and a default route is flooded into the area. An administrator can prevent this behavior and disallow the import of summary LSAs.

Not-so-stubby areas (NSSAs)

A not-so-stubby area (RFCs 1587 and 3101) is an OSPF area that allows external routes to be flooded (advertised) into the area as Type-7 LSAs from an ASBR connected to the NSSA. In this case, the ASBR originates the Type-7 LSA and floods it into the NSSA from external network destinations. The NSSA ABR translates each Type-7 LSA into a Type-5 LSA and floods it into the adjacent area. Unlike stub areas, all OSPF summary routes (Type-3 LSAs) can be imported into the NSSA area. An administrator can disable the import mechanism. If disabled, OSPF sends a default summary.

A default route cannot be originated into the area as a Type-3 LSA, but rather as a Type-7 LSA. This avoids the situation where the router prefers a Type-3 default route over a more specific Type-7 route.

Transit areas

A transit area supports virtual links to other areas disconnected from the OSPF backbone.

Virtual links

A virtual link consists of two ABRs, a transit area across which virtual link data can pass, and the logical connection between the two ABRs. A virtual link through a transit area allows OSPF to distribute inter-area route summaries and external routing information.

With virtual links, OSPF can remove topological restrictions on area layout within an AS. Should the backbone area become disconnected, some areas of the AS may become unreachable. Virtual links can be used to avoid or work around this problem and allow such areas to maintain connectivity to the backbone.

On either end of the virtual link to a remote area, configure the router ID of the remote ABR and the area ID of the intervening transit area. OSPF treats the virtual link as a point-to-point network belonging to the backbone and linking the two ABRs. Virtual links cannot be configured through a stub area or NSSA area.

Area ranges (route summarization)

To reduce the number of advertisements for networks contained within an area configured on an OSPF router, configure an area range, which is a contiguous range of network addresses contained within an area. Configure multiple contiguous ranges for any OSPF ABR in your network. The router can advertise these as summary routes associated with a specific OSPF area.

Route redistribution (exportation) and policy

An OSPF router uses export policies to determine which non-OSPF routes to redistribute (export) into the OSPF routing domain. For example, an OSPF ASBR uses an export policy to determine which non-OSPF routes to redistribute into the OSPF AS, as external routes.

The Nortel Secure Router 2330/4134 export policies support matching conditions and actions that you can apply only at the OSPF global level. By default, if you do not explicitly reference a configured export policy, OSPF imports all routes from the protocol.

Security

OSPF supports two authentication types: simple password authentication and MD5 cryptographic authentication. When configured, these mechanisms prevent unauthorized routers from forming adjacencies with the routing entity.


The Nortel Secure Router 2330/4134 supports simple password and MD5 for OSPF security. (The default is none.) You can configure authentication at the OSPF area and individual interface levels of the configuration hierarchy. Configuring security at a lower level of the OSPF hierarchy overrides security configured at the next-higher level of the hierarchy.

ECMP

The OSPF protocol maintains and evaluates multiple equal-cost routes to all destinations. All of the multiple routes are of the same type (for example, intra-area, inter-area, type 1 external, or type 2 external), cost, and area association. However, each route may specify a different next hop and advertising router. For broadcast networks, the next hop includes the IP address of the next router (if any) in the path toward the destination.

The OSPF standard states no requirement that a router keep track of all possible equal-cost routes to a destination, but the Nortel Secure Router 2330/4134 tracks and evaluates up to eight ECMP routes.

OSPF submits ECMP routes to the routing table, but is not affected by the ECMP configured limit, which only determines the number of ECMP routes downloaded to the forwarding information base (FIB) table of best routes. When more than eight ECMP paths exist to a destination, the FIB of the routing engine contains only the first eight routes that OSPF submitted.

Router ID

OSPF uses the router ID in LSAs. Because router ID is a critical attribute that must be a unique loopback address within the network, OSPF restarts when the router ID changes. The Nortel Secure Router 2330/4134 restarts OSPF if an administrator changes the router ID.

Cost metric

OSPF uses metrics to calculate the cost of the paths. Specifically, two configurable parameters relate to the cost: the reference bandwidth, and the metric. The link terminated by any OSPF interface has some inherent available bandwidth that determines its relative cost when calculating best routes to any IP destination. This applies to any link between OSPF neighbors.

OSPF uses the reference bandwidth as a basis for indicating the cost (relative bandwidth capability) of any OSPF area interface. By default, the reference bandwidth for OSPF is 100,000,000 b/s (100 Mb/s), and the cost of any OSPF interface is (reference_bandwidth/link_bandwidth), resulting in a unitless or relative cost metric value. Each OSPF interface has a default cost metric value of 1, but the implied bandwidth of the interface depends on the reference-bandwidth and link-bandwidth values.


On the Nortel Secure Router 2330/4134, you can accept the default reference-bandwidth value or configure a more accurate value as the basis for all OSPF interface costs:

• If you configure a metric, then the cost assumes the metric value, irrespective of whether you configured a reference bandwidth value.

• If a reference bandwidth has been configured, then OSPF computes the cost as (reference bandwidth/link bandwidth), where link bandwidth is that of the underlying layer 2 interface.

• If both metric and reference bandwidth have not been configured, then the redistributed routes have a default metric value of 10, which can also be configured manually.

Passive interfaces

OSPF allows a directly attached interface to be configured as a passive interface or passive link. OSPF does not run on a passive interface, but OSPF running globally on the routing engine still advertises the interface as an internal route.

A passive interface is different from disabling OSPF on an interface. OSPF advertises passive interfaces and does not advertise disabled interfaces.

A passive interface is also different from exporting a directly attached route into OSPF. OSPF advertises passive interfaces as OSPF internal routes.

OSPF demand circuits

OSPF demand circuits are point-to-point links. The costs vary with usage. An example is an ISDN basic-rate service, whereby charges can be based both on connect time and on bytes/packets transmitted.

OSPF routers transmit two types of routing protocol traffic. First, the routers send Hello packets over each link periodically for neighbor discovery and maintenance. Second, routers exchange OSPF LSAs to achieve and maintain link-state database synchronization. The OSPF demand circuit extensions remove the periodic nature of both traffic types. These extensions reduce the amount of OSPF routing traffic, by removing all OSPF protocol traffic from demand circuits after the routing domain is in a steady state. The OSPF demand circuit extensions are specified in RFC 1793. With demand circuits, routers send OSPF Hellos and LSAs until the synchronization of the initial link-state database. To remove the periodic nature of OSPF database synchronization, the router does not flood periodic refreshes of LSAs over the demand circuits. When a router receives a new LSA instance, it compares the contents of the new instance with the current LSA copy in the router database. If the contents have not changed, the router does not flood the new LSA over attached demand circuits. If the contents of an LSA change, the router floods the LSA over the demand circuit.

When a router suppresses LSAs on the demand circuit, there is no LSA refresh. In this case, the neighboring routers normally age out the LSAs. To prevent the routers on the other side of the demand circuit from aging out an LSA, the router indicates that the LSA must not be aged by setting the DoNotAge bit when flooding the LSA over the demand circuit. The DoNotAge bit is a significant bit in the LSA Age field. LSAs that have the DoNotAge bit set are not aged because the router holds them in the OSPF link-state database.

LSAs in regular OSPF areas can have the DoNotAge bit set only if every router in the OSPF domain is capable of DoNotAge processing. If a router in a remote regular area cannot process DoNotAge LSAs, this information must be conveyed to all other Demand Circuit capable routers, so that they do not mistakenly flood DoNotAge LSAs. To achieve this, area border routers transmit the existence of DoNotAge-incapable routers across area boundaries, using indication-LSAs after one of the attached areas receives an LSA from a DoNotAge-incapable router. Indication-LSAs are type-4-summary LSAs (also called ASBR-summary-LSAs), listing the area border router itself as the described ASBR, with the LSA cost set to LSInfinity and the DC-bit clear.

Open Shortest Path First

Open Shortest Path First (OSPF) is an Interior Gateway Protocol (IGP) that distributes routing information between routers belonging to a single autonomous system (AS). Intended for use in large networks, OSPF is a link state protocol, which supports IP subnets and the tagging of externally derived routing information.

This section includes the following topics:

• “Overview”

• “Benefits”

• “OSPF routing algorithm”

• “Autonomous system and areas”

• “Neighbors”

• “OSPF routers”

• “Router types”

• “OSPF interfaces”

• “OSPF and IP”

• “OSPF packets”

• “AS external routes”

• “OSPF virtual links”

• “Specifying ASBRs”

• “Metric speed”

Overview

In an OSPF network, each router maintains a link state database that describes the topology of the autonomous system (AS). The database contains the local state for each router in the AS, including the router’s usable interfaces and reachable neighbors. Each router periodically checks for changes in its local state and shares any changes detected by flooding link state advertisements (LSA) throughout the AS. Routers synchronize their topological databases based on the sharing of information from LSAs.

From the topological database, each router constructs a shortest-path tree, with itself as the root. The shortest-path tree gives the optimal route to each destination in the AS. Routing information from outside the AS appears on the tree as leaves.

OSPF routes IP traffic based solely on the destination IP address and subnet mask, and IP TOS contained in the IP packet header.

Benefits

In large networks OSPF offers the following benefits:

• Fast convergence

In the event of topological changes, OSPF recalculates routes quickly.

• Minimal routing protocol traffic

Unlike distance vector routing protocols such as RIP, OSPF generates a minimum of routing protocol traffic.

• Load sharing

OSPF provides support for equal-cost multipath routing. If several equal-cost routes to a destination exist, traffic is distributed equally among them.


OSPF routing algorithm

A separate copy of the OSPF routing algorithm (Dijkstra) runs in each area. Routers that are connected to multiple areas run multiple copies of the algorithm. The sequence of processes governed by the routing algorithm is as follows:

1. When a router starts, it initializes the OSPF data structures and then waits for indications from lower-level protocols that the router interfaces are functional.

2. A router then uses the Hello Protocol to discover neighbors. On point-to-point and broadcast networks the router dynamically detects its neighbors by sending hello packets to the multicast address AllSPFRouters.

3. On all multiaccess networks (broadcast or nonbroadcast), the Hello Protocol also elects a designated router (DR) for the network.

4. The router attempts to form adjacencies with some of its neighbors. On multiaccess networks, the DR determines which routers become adjacent. This behavior does not occur if a router is configured as a passive interface, because passive interfaces do not form adjacencies.

5. Adjacent neighbors synchronize their topological databases.

6. The router periodically advertises its link state, and also does so when its local state changes. LSAs include information about adjacencies, enabling quick detection of dead routers on the network.

7. LSAs are flooded throughout the area, ensuring that all routers in an area have exactly the same topological database.

8. From this database each router calculates a shortest-path tree, with itself as root. This shortest-path tree in turn yields a routing table for the protocol.
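The last step of the sequence above, together with the eight-route ECMP limit described earlier in this chapter, can be sketched in Python. This is an added example, not Nortel's implementation: the topology, router names and link costs are constructed, and modelling "the first eight routes that OSPF submitted" as discovery order is an assumption.

```python
import heapq

ECMP_LIMIT = 8  # equal-cost routes per destination that reach the FIB (from the text)


def shortest_path_tree(links, root):
    """Dijkstra from root over one area's link-state database.

    links maps router -> {neighbor: cost}; costs must be positive.
    Returns {destination: (cost, [next hops])}, keeping every equal-cost
    next hop in the order it was discovered.
    """
    cost = {root: 0}
    next_hops = {root: []}
    done = set()
    heap = [(0, root)]
    while heap:
        dist, node = heapq.heappop(heap)
        if node in done:
            continue  # stale heap entry for a router already on the tree
        done.add(node)
        for nbr, link_cost in sorted(links.get(node, {}).items()):
            if link_cost <= 0:
                raise ValueError("link costs must be positive")
            # A direct neighbor of the root is its own next hop; any other
            # router inherits the next hops of the node it is reached through.
            via = [nbr] if node == root else next_hops[node]
            total = dist + link_cost
            if nbr not in cost or total < cost[nbr]:
                cost[nbr] = total
                next_hops[nbr] = list(via)
                heapq.heappush(heap, (total, nbr))
            elif total == cost[nbr]:
                # Equal-cost path: merge its next hops without duplicates.
                next_hops[nbr] += [h for h in via if h not in next_hops[nbr]]
    return {d: (cost[d], next_hops[d]) for d in cost if d != root}


def fib_routes(rib, limit=ECMP_LIMIT):
    """Keep only the first `limit` next hops per destination (assumed order)."""
    return {dest: (c, hops[:limit]) for dest, (c, hops) in rib.items()}


def sample_topology():
    """Constructed area: R1 reaches D through ten equal-cost transit routers
    (T01..T10, total cost 20) and through a more expensive path via B (35)."""
    links = {"R1": {"B": 5}, "D": {"B": 30}, "B": {"R1": 5, "D": 30}}
    for i in range(1, 11):
        transit = "T%02d" % i
        links[transit] = {"R1": 10, "D": 10}
        links["R1"][transit] = 10
        links["D"][transit] = 10
    return links


if __name__ == "__main__":
    rib = shortest_path_tree(sample_topology(), "R1")
    print("routing table:", rib["D"])
    print("FIB:          ", fib_routes(rib)["D"])
```

The routing table keeps all ten next hops toward D, while the FIB view holds only eight of them.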

Autonomous system and areas

The autonomous system (AS) can be subdivided into areas that group together contiguous networks, routers connected to these networks, and attached hosts. Each area has its own topological database, which is invisible from outside the area. Routers within an area know nothing of the detailed topology of other areas. Subdividing the AS into areas significantly reduces the amount of routing protocol traffic as compared to treating the entire AS as a single link state domain.

You can attach a router to more than one area. When you do so, you can maintain a separate topological database for each connected area. Two routers within the same area maintain an identical topological database for that area. Each area is assigned a unique area ID and the area ID 0.0.0.0 is reserved for the backbone area.


Packets are routed in the AS based on their source and destination addresses. If the source and destination of a packet reside in the same area, intra-area routing is used. If the source and destination of a packet reside in different areas, inter-area routing is used. Intra-area routing protects the area from bad routing information because no routing information obtained from outside the area can be used. Inter-area routing must pass through the backbone area, which is described in the following section.

This section includes the following topics:

• “Backbone area”

• “Stub area”

• “Not so stubby area (NSSA)”

Backbone area

The backbone area consists of the following network types:

• Networks and attached routers that are not contained in any other area

• Routers that belong to multiple areas

The backbone is usually contiguous but you can create a noncontiguous area by configuring virtual links.

You can configure virtual links between any two backbone routers that have an interface to a common nonbackbone area. Virtual links belong to the backbone and use intra-area routing only. For more information on virtual links, see “OSPF virtual links” (page 89).

The backbone is responsible for distributing routing information between areas. The topology of the backbone area is invisible to other areas, while it knows nothing of the topology of those areas.

In inter-area routing, a packet travels along three contiguous paths in a point-to-multipoint configuration, as follows:

1. An intra-area path from the source to an area border router (ABR)

2. A backbone path between the source and destination areas

3. Another intra-area path to the destination

The OSPF routing algorithm finds the set of such paths that has the smallest cost. The topology of the backbone dictates the backbone paths used between areas. Inter-area paths are selected by examining the routing table summaries for each connected ABR. The OSPF behavior was modified according to OSPF standards so that OSPF routes cannot be learned through an area border router (ABR) unless it is connected to the backbone or through a virtual link.

Stub area

A stub area is configured at the edge of the OSPF routing domain and has only one ABR. A stub area does not receive LSAs for routes outside the AS, reducing the size of its link state database. A packet destined outside the stub area is routed to the ABR, which examines it before forwarding the packet to its destination. The network behind a passive interface is treated as a stub area, and does not form adjacencies. It is advertised into the OSPF area as an internal route.

Not so stubby area (NSSA)

A not so stubby area prevents the flooding of external LSAs into the area by replacing them with a default route. An NSSA can import small stub (non-OSPF) routing domains into OSPF. Like stub areas, NSSAs are at the edge of an OSPF routing domain. Non-OSPF routing domains are attached to the NSSAs, forming NSSA transit areas. Accessing the addressing scheme of small stub domains permits the NSSA border router to also perform manual aggregation.

Neighbors

In an OSPF network, any two routers that have an interface to the same network are neighbors. Routers use the Hello Protocol to discover their neighbors and maintain neighbor relationships. On a broadcast or point-to-point network, the Hello Protocol dynamically discovers neighbors.

The Hello Protocol provides bidirectional communication between neighbors. Periodically OSPF routers send out hello packets over all interfaces. Included in these hello packets is the following information:

• The router priority

• The router Hello Timer and Dead Timer values

• A list of routers that sent this router hello packets on this interface

• The router choice for designated router (DR) and backup designated router (BDR)

Bidirectional communication is determined when one router discovers itself listed in its neighbor’s hello packet.

Neighbor adjacencies

Neighbors can form an adjacency to exchange routing information. When two routers form an adjacency, they go through a database exchange process to synchronize their topological databases. When their databases are synchronized, the routers are said to be fully adjacent. Bandwidth is conserved because, from this point on, only routing change information is passed between the adjacent routers.

All routers connected by a point-to-point network or a virtual link always form an adjacency.

OSPF routers

To limit the amount of routing protocol traffic, the Hello Protocol elects a designated router (DR) and a backup designated router (BDR) on each multiaccess network. Instead of neighboring routers forming adjacencies and swapping link state information with each other (which on a large network can mean a lot of routing protocol traffic), all routers on the network form adjacencies with the DR and the BDR only and send link state information to them. The DR redistributes this information to every other adjacent router.

When operating in backup mode, the BDR receives link state information from all routers on the network and listens for acknowledgements. If the DR fails, the BDR can transition quickly to the role of DR because its routing tables are up-to-date.

Router types

Routers in an OSPF network can take on different roles depending on how you configure them. Table 51 "Router types in an OSPF network" (page 85) describes the router types you can configure in an OSPF network.

Table 51
Router types in an OSPF network

| Router Type | Description |
| --- | --- |
| AS boundary router (ASBR) | A router attached at the edge of an OSPF network is called an AS boundary router (ASBR). An ASBR generally has one or more interfaces that run an inter-domain routing protocol such as BGP. In addition, any router distributing static routes or RIP routes into OSPF is considered an ASBR. The ASBR forwards external routes into the OSPF domain. In this way, routers inside the OSPF network learn about destinations outside their domain. |
| Area border router (ABR) | A router attached to two or more areas inside an OSPF network is considered an area border router (ABR). ABRs play an important role in OSPF networks by condensing the amount of OSPF information that is disseminated. |
| Internal router (IR) | A router that has interfaces only within a single area inside an OSPF network is considered an internal router (IR). Unlike ABRs, IRs have topological information only about the area in which they are contained. |
| Designated router (DR) | In a broadcast network a single router is elected to be the designated router (DR) for that network. A DR assumes the responsibility of making sure all routers on the network are synchronized with one another and also advertises that network to the rest of the AS. |
| Backup designated router (BDR) | A backup designated router (BDR) is elected in addition to the designated router (DR) and, in the event of failure of the DR, can assume its role quickly. |

OSPF interfaces

An OSPF interface, or link, is configured on an IP interface. In the Secure Router 2330/4134, an IP interface is a single link (router port). The state information associated with the interface is obtained from the underlying lower level protocols and the routing protocol itself.

On a Secure Router 2330/4134, OSPF interfaces are designated as one of the following types:

• broadcast (active)

• passive

The Secure Router 2330/4134 supports OSPF on the following interface types:

1. Ethernet (Operates in broadcast network mode only)

2. WAN bundles: PPP, MLPPP, FR, MFR, HDLC (Operates in point-to-point network mode only.)

3. Loopback (Operates in passive mode only)

4. IP-IP, GRE, and IPsec tunnels (operates over point-to-point tunnels only)

ATTENTION
When an OSPF interface is enabled, you cannot change its interface type. You must first disable the interface. You can then change its type and reenable it.

This section includes the following topics:

• “Broadcast interface”

• “Passive interface”


Broadcast interface

Broadcast interfaces support many attached routers and can address a single physical message to all attached broadcast routers (sent to AllSPFRouters and AllDRouters).

Broadcast interfaces discover neighboring routers dynamically using the OSPF Hello Protocol. Each pair of routers on a broadcast network, such as an Ethernet, communicate directly.

Passive interface

The objective of the passive interface is to enable an interface to advertise into an OSPF domain while limiting its adjacencies.

When you change the interface type value to passive, the interface is advertised into the OSPF domain as an internal stub network with the following behaviors:

• does not send hello packets into the OSPF domain

• does not receive hello packets from the OSPF domain

• does not form adjacencies in the OSPF domain

With the passive interface feature, the interface requires only a new interface type value to allow it to be advertised as an OSPF internal route. Without the passive interface feature, to advertise a network into OSPF and not form OSPF adjacencies, it must be configured as a non-OSPF interface and the local network must be redistributed as an AS-external LSA.

OSPF and IP

OSPF runs in conjunction with IP, which means that an OSPF packet is sent with an IP data packet header. The protocol field in the IP header is set to 89, which identifies it as OSPF, distinguishing it from other packets that use an IP header.

A destination in an OSPF route advertisement is expressed as an IP address and a variable-length mask. Taken together, the address and the mask indicate the range of destinations to which the advertisement applies.

The ability to specify a range of networks allows OSPF to send one summary advertisement that represents multiple destinations. For example, a summary advertisement for the destination 128.185.0.0 with a mask of 255.255.0.0 describes a single route to destinations 128.185.0.0 to 128.185.255.255.


OSPF packets

All OSPF packets start with a 24 octet header that contains information about the OSPF version, the packet type and length, the ID of the router transmitting the packet, and the ID of the OSPF area from which the packet is sent. An OSPF packet is one of the following types:

• Hello packets

Hello packets are transmitted between neighbors and are never forwarded. The Hello Protocol requires routers to send hello packets to neighbors at pre-defined hello intervals. If hello packets are not received by a neighbor router within the specified dead interval, the neighbor router declares the other router dead.

• Database description (DD) packets

DD packets are exchanged when a link is first established between neighboring routers which synchronize their link state databases.

• Link state request packets

Link state request packets describe one or more link state advertisements that a router is requesting from its neighbor. Routers send link state requests if the information received in DD packets from a neighbor is not consistent with its own link state database.

• Link state update packets

Link state update packets contain one or more link state advertisements, and are sent following a change in network conditions.

• Link state acknowledgement packets

Link state acknowledgement packets are sent to acknowledge receipt of link state updates and contain the headers of the link state advertisements that were received.
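The 24-octet header described above also carries the authentication type, so a capture can be audited for the three settings this guide lists (none, simple password, MD5). The following Python is an added example, not code from Nortel or this guide: the field offsets, AuType values and MD5 digest rule follow RFC 2328, and the router IDs, password and key are constructed sample data.

```python
import hashlib
import hmac
import socket
import struct

OSPF_HEADER_LEN = 24  # the 24-octet header described in the text
PACKET_TYPES = {1: "hello", 2: "database description", 3: "link state request",
                4: "link state update", 5: "link state acknowledgement"}
AUTH_NONE, AUTH_SIMPLE, AUTH_CRYPTO = 0, 1, 2  # AuType values from RFC 2328


def ip_checksum(data):
    """Standard IP checksum: one's complement of the one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def md5_digest(packet, key):
    """RFC 2328 D.4.3: MD5 over the OSPF packet followed by the 16-byte key."""
    return hashlib.md5(packet + key.ljust(16, b"\x00")).digest()


def build_packet(ptype, router_id, area_id, autype, auth_field, body, key=b""):
    """Build a constructed OSPFv2 packet (sample data for this example only)."""
    head = struct.pack("!BBH4s4s", 2, ptype, OSPF_HEADER_LEN + len(body),
                       socket.inet_aton(router_id), socket.inet_aton(area_id))
    if autype == AUTH_CRYPTO:
        # Checksum stays 0; the digest is appended after the packet proper.
        packet = head + struct.pack("!HH", 0, autype) + auth_field + body
        return packet + md5_digest(packet, key)
    # The checksum covers the packet except the 64-bit authentication field.
    csum = ip_checksum(head + struct.pack("!HH", 0, autype) + body)
    return head + struct.pack("!HH", csum, autype) + auth_field + body


def audit_packet(packet, key=None):
    """Parse the OSPF header and list authentication-related findings."""
    if len(packet) < OSPF_HEADER_LEN:
        raise ValueError("shorter than the 24-octet OSPF header")
    version, ptype, length, rid, area, _csum, autype = struct.unpack(
        "!BBH4s4sHH", packet[:16])
    if version != 2:
        raise ValueError("not an OSPFv2 packet")
    if not OSPF_HEADER_LEN <= length <= len(packet):
        raise ValueError("length field does not match the captured bytes")
    report = {"type": PACKET_TYPES.get(ptype, "unknown"),
              "router_id": socket.inet_ntoa(rid),
              "area_id": socket.inet_ntoa(area),
              "findings": []}
    findings = report["findings"]
    if autype == AUTH_CRYPTO:
        _zero, key_id, digest_len, seq = struct.unpack("!HBBI", packet[16:24])
        report.update(auth="md5", key_id=key_id, sequence=seq)
        digest = packet[length:length + digest_len]
        if len(digest) != digest_len:
            findings.append("message digest missing or truncated")
        elif key is not None and not hmac.compare_digest(
                digest, md5_digest(packet[:length], key)):
            findings.append("message digest does not match the configured key")
        return report
    if ip_checksum(packet[:16] + packet[24:length]) != 0:
        findings.append("checksum mismatch")
    if autype == AUTH_NONE:
        report["auth"] = "none"
        findings.append("no authentication on this interface")
    elif autype == AUTH_SIMPLE:
        report["auth"] = "simple password"
        findings.append("password is sent in cleartext in the header")
    else:
        report["auth"] = "unknown"
        findings.append("unrecognised AuType %d" % autype)
    return report


# Constructed sample data: one hello body and three packets from made-up routers.
HELLO_BODY = struct.pack("!4sHBBI4s4s", socket.inet_aton("255.255.255.0"),
                         10, 0x02, 1, 40, b"\x00" * 4, b"\x00" * 4)
SAMPLE_KEY = b"constructed-key"
SAMPLES = [
    build_packet(1, "192.0.2.1", "0.0.0.0", AUTH_NONE, b"\x00" * 8, HELLO_BODY),
    build_packet(1, "192.0.2.2", "0.0.0.0", AUTH_SIMPLE, b"example!", HELLO_BODY),
    build_packet(1, "192.0.2.3", "0.0.0.0", AUTH_CRYPTO,
                 struct.pack("!HBBI", 0, 1, 16, 1000), HELLO_BODY, SAMPLE_KEY),
]
```

Calling `audit_packet` on each entry of `SAMPLES` flags the first two packets and returns no findings for the MD5 packet when the matching key is supplied.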

Link state advertisements

OSPF does not require each router to send its entire routing table to its neighbors. Instead, each OSPF router floods only link state change information in the form of link state advertisements (LSA) throughout the area or AS. LSAs in OSPF are one of the following five types:

• Router links advertisement

A router links advertisement is flooded only within the area and contains information about neighbor routers and the LANs to which the router is attached. A backbone router can flood router link advertisements within the backbone area.

• Network links advertisement

A network links advertisement is generated by a DR on a LAN, listing all routers on that LAN and flooding only within the area. A backbone DR can flood network links advertisements within the backbone area.


• Network summary link advertisement

A network summary link advertisement is flooded into an area by an ABR that describes networks that are reachable outside the area. An ABR attached to two areas generates a different network summary link advertisement for each of these areas. ABRs also generate area summary link advertisements containing information about destinations within an area, which are flooded to the backbone area.

• AS boundary router (ASBR) summary link advertisement

An ASBR summary link advertisement describes the cost of the path to an ASBR from the router generating the advertisement.

• AS external link advertisement

An AS external link advertisement is sent by an ASBR to describe the cost of the path to a destination outside the AS from the ASBR generating the advertisement. This information is flooded to all routers in the AS.

AS external routes

OSPF considers the following routes to be AS external (ASE) routes:

• A route to a destination outside the AS

• A static route

• A default route

• A route derived by RIP

• A directly connected network not running OSPF

OSPF virtual links

On an OSPF network, a Secure Router 2330/4134 that is acting as an ABR must be connected directly to the backbone. If no physical connection is available, you can configure a virtual link manually.

Figure 11 "Virtual link between ABRs through a transit area" (page 90) shows how to configure a virtual link between the ABR in area 2.2.2.2 and the ABR in area 0.0.0.0.


Figure 11
Virtual link between ABRs through a transit area

To configure a virtual link between the ABRs in area 1 and area 3, you define area 2 as the transit area between the other two areas, and identify R2 as the neighbor router through which R3 must send information to reach the backbone through R1.

Specifying ASBRs

ASBRs advertise non-OSPF routes into OSPF domains so that they can be passed along throughout the OSPF routing domain. A router can function as an ASBR if one or more of its interfaces is connected to a non-OSPF network (for example, RIP, BGP, or EGP).

An ASBR router imports external routes into the OSPF domain by using AS-external LSAs (LSA type 5) originated by the ASBR.

AS-external LSAs flood across area borders. When an ASBR imports external routes, it imports OSPF route information using external type 1 or type 2 metrics. This gives a four-level routing hierarchy, as shown in Table 52 "ASBR routing hierarchy" (page 90), according to routing preference.

Table 52
ASBR routing hierarchy

| Level | Description |
| --- | --- |
| 1 | Intra-area routing |
| 2 | Inter-area routing |
| 3 | External type 1 metrics |
| 4 | External type 2 metrics |

This results in a routing preference from most preferred to least preferred of:

• routing within an OSPF area

• routing within the OSPF domain

• routing within the OSPF domain and external routes with external type 1 metrics

• routing within the OSPF domain and external routes with external type 2 metrics

For example, an ASBR can import RIP routes into OSPF with external type 1 metrics. Another ASBR can import Internet routes and advertise a default route with an external type 2 metric. This results in RIP-imported routes having a higher preference than the Internet-imported default routes. In reality, BGP Internet routes must use external type 2 metrics, whereas RIP imported routes must use external type 1 metrics.

The reason for this is that routes imported into OSPF as external type 1 are from Internal Gateway Protocols (IGP) whose external metric is comparable to OSPF metrics. With external type 1 metrics, OSPF adds the internal cost of the ASBR to the external metric. Exterior Gateway Protocols (EGP), whose metric is not comparable to OSPF metrics, use external type 2 metrics. For External type 2 metrics, only the internal OSPF cost to the ASBR router is used in the routing decision.

To conserve resources, you can limit the number of ASBRs in your network or specifically control which routers perform as ASBRs to control traffic flow.

Types of OSPF areas

Table 53 "OSPF LSA area types" (page 92) displays the various LSA types exchanged between areas. LSAs are used to share link state information among routers; there are seven different types. They typically contain information about the router and its neighbors and are generated periodically to ensure connectivity or generated upon the change in state of a router or link (that is, up or down).


Table 53
OSPF LSA area types

| LSA Type | Description | Area of distribution |
| --- | --- | --- |
| 1 | Type 1 LSAs are called router LSAs and are originated by a router to describe its set of active interfaces and neighbors. | Only within the same area. |
| 2 | Type 2 LSAs are called network LSAs and describe a network segment such as broadcast or point-to-point. In a broadcast network, network LSAs are originated by the designated router (DR). | Only within the same area. |
| 3 | Type 3 LSAs are called network-summary LSAs and are originated by the area border router (ABR) to describe the networks within an area. | Passed between areas. |
| 4 | Type 4 LSAs are called ASBR-summary LSAs and advertise the location of the ASBRs from area to area. | Passed between areas. |
| 5 | Type 5 LSAs are called AS-external LSAs. These describe networks outside of the OSPF domain and are originated by the ASBR and passed between areas. In stub and NSSA, type 5 LSA routes are replaced with a single default route. | Passed between areas. |
| 6 | Type 6 LSAs are called group-membership LSAs. They are used to identify the location of multicast group members in multicast OSPF. | Passed between areas. |
| 7 | Type 7 LSAs are used in OSPF NSSAs to import external routes. | Translated between areas. |

Metric speed

For OSPF, the best path to a destination is the path that offers the least-cost metric delay. In OSPF, cost metrics are configurable, so you can specify preferred paths. You can configure metric speed globally or for specific ports and interfaces on your network. In addition, you can control redistribution options between non-OSPF interfaces and OSPF interfaces.

Default metric speeds are assigned for different port types, such as 10 Mbit/s or 100 Mbit/s ports. On a Secure Router 2330/4134, you can specify a new metric speed for an IP interface. The IP interface is a router port.

OSPF configuration procedures

Configuring the host name

Configure the router host name.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Set the host name.

hostname <router>

--End--

Table 54: Variable definition

Variable Value

<router> Host name of the router.

Configuring the router ID

Configure the router ID.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Set the router ID.

router-id <loopback>

--End--

Table 55: Variable definition

Variable Value

<loopback> The router identifier address. The router-id must be a valid loopback address.

Configuring the loopback address

Configure the loopback address.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Loopback Interface mode.

interface loopback <bundle>

3 Set the loopback address.

ip address <A.B.C.D>

--End--

Table 56: Variable definition

Variable Value

<A.B.C.D> The interface loopback address.

<bundle> The loopback bundle name.

Enabling OSPF

The following procedure describes how to enter router mode and specify an OSPF process to configure.

Procedure steps

Step Action

1 Enter configuration mode.

configure terminal

2 Specify an OSPF process to configure.

router ospf <process-id>

--End--

Table 57: Variable definition

Variable Value

<process-id> The OSPF process-id you want to configure, in the range 1 to 65535.

Configuring OSPF interface priority

Configure the priority for an interface. Default value is 1.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter interface mode.

interface <interface>

3 Set the priority.

ip ospf priority <priority>

--End--

Table 58: Variable definition

Variable Value

<interface> Interface name. Example: Ethernet 0/1

<priority> Interface priority. Range is 0 to 255. Default is 1.

Enabling OSPF on an IP interface

Configure OSPF for an IP interface.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Configure OSPF for the IP interface.

network <networkaddress> area <areaid>

--End--

Table 59: Variable definition

Variable Value

<process-id> <1-65535> Any positive integer identifying a routing process. The process ID should be unique for each routing process.

<networkaddress> Network address to configure. Can be IPv4 network address <A.B.C.D> or IPv4 network address with prefix length <A.B.C.D/M>.

<areaid> The area ID. Can be in IPv4 address format <A.B.C.D> or as 4 octets <0-4294967295> unsigned integer value.

Configuring OSPF area as stub area

This procedure describes the steps necessary to configure an OSPF area as a stub area.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Configure the OSPF area as a stub.

area <area-id> stub [no-summary]

--End--

Table 60: Variable definition

Variable Value

<area-id> The OSPF area id specified in integer (1 to 4294967295) or IP address (A.B.C.D) format.

[no-summary] Specifies to not inject inter-area routes into the stub.

<process-id> The unique OSPF process ID in the range 1 to 65535.

Configure the OSPF area default cost

This procedure describes how to specify the summary-default cost of an NSSA or stub area.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Set the default cost for the area.

area <area-id> default-cost <cost>

--End--

Table 61: Variable definition

Variable Value

<area-id> The OSPF area id specified in integer (1 to 4294967295) or IP address (A.B.C.D) format.

<cost> An integer specifying the stub's advertised default summary cost in the range 0 to 16777215.

<process-id> The unique OSPF process ID in the range 1 to 65535.

Enable authentication for an OSPF area

This procedure describes the steps necessary to enable authentication for an OSPF area.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Enable authentication for an OSPF area.

area <area-id> authentication [message-digest]

--End--

Table 62: Variable definition

Variable Value

<area-id> The OSPF area id specified in integer (1 to 4294967295) or IP address (A.B.C.D) format.

[message-digest] Use message-digest authentication.

<process-id> The unique OSPF process ID in the range 1 to 65535.

Configuring an OSPF area range

This procedure describes the steps necessary to configure an OSPF area range.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 area <area-id> range <A.B.C.D/M> [<advertise>|<not-advertise>]

--End--

Table 63: Variable definition

Variable Value

<advertise> Advertise the range.

<area-id> The OSPF area id specified in integer (1 to 4294967295) or IP address (A.B.C.D) format.

<not-advertise> Do not advertise the range.

<A.B.C.D/M> The area range prefix in address/mask format.

<process-id> The unique OSPF process ID in the range 1 to 65535.

Configuring an OSPF network filter list

This procedure describes the steps necessary to configure an OSPF filter list.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Configure the OSPF filter list.

area <area-id> filter-list {<access>|<prefix>} <listname> {<in>|<out>}

--End--

Table 64: Variable definition

Variable Value

<access> Filter networks by access list.

<area-id> The OSPF area id specified in integer (1 to 4294967295) or IP address (A.B.C.D) format.

<in> Filter networks sent to the specified area.

<listname> The name of the IP prefix or access list.

<out> Filter networks sent from the specified area.

<prefix> Filter networks by prefix list.

<process-id> The unique OSPF process ID in the range 1 to 65535.

Configuring a virtual link

This procedure describes the steps necessary to configure a virtual link and define its parameters.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 area <area-id> virtual-link <A.B.C.D> [authentication <null>|<message-digest>] [dead-interval <interval>] [hello-interval <interval>] [retransmit-interval <interval>] [transmit-delay <interval>] [authentication-key <key>] [message-digest-key]

--End--

Table 65: Variable definition

Variable Value

<A.B.C.D> The IP address of the virtual link neighbor.

<area-id> The OSPF area id specified in integer (1 to 4294967295) or IP address (A.B.C.D) format.

<authentication> Enable authentication for this OSPF area virtual link.

<authentication-key> Specify the authentication key.

<dead-interval> Specify the dead router detection interval.

<hello-interval> Specify the hello packet interval.

<interval> The interval, in the range 1 to 65535.

<key> The authentication key.

<message-digest> Specify to use message-digest authentication.

<message-digest-key> Specifies the message digest key.

<null> Specifies to use null authentication.

<process-id> The unique OSPF process ID in the range 1 to 65535.

<retransmit-interval> Specify the LSA retransmit interval.

<transmit-delay> Specify the LSA transmission delay.

Configure an OSPF not-so-stubby-area

This procedure describes the steps necessary to configure an OSPF not-so-stubby-area.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Configure the OSPF not-so-stubby-area.

area <area-id> nssa

--End--

Table 66: Variable definition

Variable Value

<area-id> The OSPF area id specified in integer (1 to 4294967295) or IP address (A.B.C.D) format.

<process-id> The unique OSPF process ID in the range 1 to 65535.

Configuring OSPF Type 7 default origination

This procedure describes the steps necessary to originate Type 7 defaults into an NSSA area.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Configure Type 7 default origination.

area <area-id> nssa default-information-originate

--End--

Table 67: Variable definition

Variable Value

<area-id> The OSPF area id specified in integer (1 to 4294967295) or IP address (A.B.C.D) format.

<process-id> The unique OSPF process ID in the range 1 to 65535.

Restrict redistribution into an OSPF NSSA area

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Restrict redistribution in the OSPF NSSA area.

area <area-id> nssa no-redistribution

--End--

Table 68: Variable definition

Variable Value

<area-id> The OSPF area id specified in integer (1 to 4294967295) or IP address (A.B.C.D) format.

<process-id> The unique OSPF process ID in the range 1 to 65535.

Restrict sending of summary LSAs

This procedure describes the steps necessary to restrict sending summary LSAs into an NSSA.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Restrict sending of summary LSAs.

area <area-id> nssa no-summary

--End--

Table 69: Variable definition

Variable Value

<area-id> The OSPF area id specified in integer (1 to 4294967295) or IP address (A.B.C.D) format.

<process-id> The unique OSPF process ID in the range 1 to 65535.

Configuring an NSSA-ABR translator role

This procedure describes the steps necessary to configure the NSSA-ABR translator role.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Set the NSSA-ABR translator role.

area <area-id> nssa translator-role {<always>|<candidate>|<never>}

--End--

Table 70: Variable definition

Variable Value

<always> Always translate NSSA-LSA to Type-5 LSA.

<area-id> The OSPF area id specified in integer (1 to 4294967295) or IP address (A.B.C.D) format.

<candidate> Translate NSSA-LSA to Type-5 LSA if elected.

<never> Never translate NSSA-LSA.

<process-id> The unique OSPF process ID in the range 1 to 65535.

Configuring OSPF demand circuits

Perform this procedure to configure an interface as an OSPF demand circuit. By default, no OSPF demand circuits are configured.

Procedure 1

Procedure steps

Step Action

1 To enter configuration mode, enter:

configure terminal

2 To specify the interface to configure, enter:

interface <interface>

3 To configure the interface as an OSPF demand circuit, enter:

[no] ip ospf demand-circuit

--End--

Table 71: Variable definition

Variable Value

[no] Disables OSPF demand circuit.

Configuring redistribution of routes into OSPF

Redistribute routes from other protocols into OSPF.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Redistribute a route.

redistribute <protocol>

--End--

Table 72: Variable definition

Variable Value

<process-id> <1-65535> Any positive integer identifying a routing process. The process ID should be unique for each routing process.

<protocol> Protocol to redistribute.

Configuring OSPF cost

Make a route the preferred route by changing its cost.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Exit.

exit

4 Enter interface mode.

interface <interface>

5 Configure cost.

ip ospf cost <cost>

--End--

Table 73: Variable definition

Variable Value

<process-id> <1-65535> Any positive integer identifying a routing process. The process ID should be unique for each routing process.

<interface> Interface name. Example: Ethernet 0/1

<cost> <1-65535> Specifies the link-state metric. The default value is 10.

Configuring virtual links

Connect a temporarily disjointed non-backbone area to a backbone area, or repair a non-contiguous backbone area.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Define interfaces on which OSPF runs and associate them.

area <areaid> virtual-link <address>

--End--

Table 74: Variable definition

Variable Value

<process-id> <1-65535> Any positive integer identifying a routing process. The process ID should be unique for each routing process.

<areaid> Area ID in IPv4 address format <a.b.c.d> or as 4 octets unsigned integer value <0-4294967295>.

<address> Address to link.

Configuring OSPF authentication

Send and receive OSPF packets with the specified authentication method.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter interface mode.

interface <interface>

3 Enable authentication.

ip ospf authentication

--End--

Table 75: Variable definition

Variable Value

<interface> Interface name. Example: Ethernet 0/1

Configuring metric for redistributed routes

The following procedure describes how to set the metric of redistributed routes.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Set the metric of redistributed routes.

default-metric <value>

--End--

Table 76: Variable definition

Variable Value

<value> The default metric value, in the range 0 to 16777214.

Configuring OSPF capability features

The following procedure describes how to enable a specific OSPF feature.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Enable a specific feature.

capability <feature>

--End--

Table 77: Variable definition

Variable Value

<feature> The feature to enable. Possible values are:

• cspf - Constrained Shortest Path First

• opaque - Opaque LSA

• traffic-engineering - OSPF Traffic Engineering extension

Logging adjacency state changes

The following procedure describes how to configure the Secure Router 4134 to log changes in OSPF adjacency state.

With the log-adjacency-changes command, all state changes can be logged by using the detail parameter. Use the no form of this command to disable this function.

The OSPF adjacency change messages are logged at the notification priority level of the syslog. By default, the syslog does not log the adjacency state change messages. To enable logging of OSPF adjacency state changes, you must configure the syslog to log the notification-level messages.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 To log adjacency state changes, enter:

log-adjacency-changes [detail]

exit

4 To enable logging of notification level routing messages (which include OSPF adjacency state change messages), enter:

system logging syslog module routing local0 notice

--End--

Configuring IP address summaries

The following procedure describes how to summarize or suppress external routes with the specified address range.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 To configure IP address summaries, enter:

summary-address <A.B.C.D/M> [not-advertise] [tag <value>]

--End--

Table 78: Variable definition

Variable Value

<A.B.C.D/M> The range of addresses given as IPv4 starting address and a mask indicating the range.

[not-advertise] Suppresses external routes.

[tag] Specify a tag.

<value> The tag value, in the range 0 to 4294967295.

Configuring the OSPF compatibility list

The following procedure describes how to configure the OSPF compatibility list.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Configure the compatibility list.

compatible rfc1583

--End--

Configuring OSPF specifics

The following procedure describes how to specify the OSPF ABR type.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Specify the ABR type.

ospf abr-type <type>

--End--

Table 79: Variable definition

Variable Value

<type> Type of implementation. Possible choices are:

• cisco - Alternative ABR, Cisco implementation

• ibm - Alternative ABR, IBM implementation

• standard - Standard behavior

Calculating OSPF interface cost

The following procedure describes how to modify the reference bandwidth used to calculate the OSPF cost.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Calculate the interface cost.

auto-cost reference-bandwidth <bandwidth>

--End--

Table 80: Variable definition

Variable Value

<bandwidth> Reference bandwidth in terms of Mbits per second, in the range 1 to 4294967.

Configuring routing timers

The following procedure describes how to adjust routing timers.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 Adjust timers.

timers spf <delay> <hold>

--End--

Table 81: Variable definition

Variable Value

<delay> Delay between receiving a change to SPF calculation, in the range 0 to 2147483647.

<hold> Hold time between consecutive SPF calculations, in the range 0 to 2147483647.

Configuring Constrained Shortest Path First (CSPF)

The following procedure describes how to configure the CSPF default computation retry interval and tie break method.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 To set the CSPF default computation retry interval, enter:

cspf default-retry-interval <interval>

4 To set the CSPF tie-break method, enter:

cspf tie-break <random|least-fill|most-fill>

--End--

Table 82: Variable definition

Variable Value

<interval> The default computation interval, in the range 1 to 3600.

Configuring maximum allowed DD processes

The following procedure describes how to specify the maximum number allowed to process DD concurrently.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 To specify the maximum number, enter:

max-concurrent-dd <maxprocess>

--End--

Table 83: Variable definition

Variable Value

<maxprocess> Maximum number of DD processes.

Configuring suppression of routing updates on an interface

The following procedure describes how to suppress routing updates on an interface.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 To configure the interface to suppress routing updates, enter:

passive-interface <interface>

--End--

Table 84: Variable definition

Variable Value

<interface> The interface on which you want to suppress routing updates.

Configuring the administrative distance

The following procedure describes how to define an administrative distance.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 To define the administrative distance, enter:

distance <distance>

--End--

Table 85: Variable definition

Variable Value

<distance> The OSPF administrative distance, in the range 1 to 255.

Configuring distribution of default information

The following procedure describes how to control distribution of default information.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enable OSPF.

router ospf <process-id>

3 To control distribution, enter:

default-information originate [always] [metric <0-16777214>] [metric-type [1|2]] [route-map <name>]

--End--

Configuring OSPF on an interface

The following procedure describes how to configure OSPF on an interface.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 To see a list of configurable OSPF features, enter:

ip ospf [authentication] [authentication-key <WORD>] [cost <1 - 65535>] [database-filter all out] [dead-interval <1 - 65535>] [debug packet <dd | detail | hello | ls-ack | ls-request | ls-update | recv | send>] [demand-circuit] [disable all] [hello-interval <1 - 65535>] [message-digest-key <1 - 255>] [mtu <576 - 65535>] [mtu-ignore] [network <broadcast | non-broadcast | point-to-multipoint | point-to-point>] [priority <0 - 255>] [retransmit-interval <1 - 3600>] [te-metric <1 - 65535>] [transmit-delay <1 - 3600>]

--End--

Table 86: Variable definitions

Variable Value

[authentication] Enable authentication for this OSPF area virtual link.

[authentication-key <WORD>] Specifies the authentication password key.

[database-filter all out] Filters OSPF LSA during synchronization and flooding.

[dead-interval <1 - 65535>] Specify the dead router detection interval.

[debug packet <dd | detail | hello | ls-ack | ls-request | ls-update | recv | send>] Accesses OSPF packet debug commands.

• dd - OSPF database description

• detail - detail OSPF information

• hello - OSPF hello

• ls-ack - OSPF link state acknowledgment

• ls-request - OSPF link state request

• ls-update - OSPF link state update

• recv - packet received

• send - packet sent

[demand-circuit] Specifies OSPF demand circuit.

[disable all] Disables OSPF.

[hello-interval <1 - 65535>] Specify the hello packet interval.

[message-digest-key <1 - 255>] Specifies the message digest authentication password (key).

[mtu <576 - 65535>] Specifies the MTU size.

[mtu-ignore] Ignores the MTU in DBD packets.

[network <broadcast | non-broadcast | point-to-multipoint | point-to-point>] Specifies network type.

• broadcast - specifies an OSPF broadcast multi-access network

• non-broadcast - specifies an OSPF NBMA network

• point-to-multipoint - specifies an OSPF point to multiple point network

• point-to-point - specifies an OSPF point to point network

priority <0-255> The unique OSPF process ID in the range 1 to 65535.

[retransmit-interval <1-3600>] Specify the LSA retransmit interval.

[te-metric <1-65535>] OSPF TE metric information.

[transmit-delay <1-3600>] Specifies the link state transmission delay.

Configuring the authentication key

The following procedure describes how to configure the authentication password.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 To configure the authentication password, enter:

ip ospf authentication-key <key>

--End--

Table 87: Variable definition

Variable Value

<key> The OSPF password (key).

Configuring the database filter

The following procedure describes how to filter OSPF LSA during synchronization and flooding.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 To configure the database filter, enter:

ip ospf database-filter all out

--End--

Disabling OSPF

The following procedure describes how to disable OSPF.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 To disable OSPF on the interface, enter:

ip ospf disable all

--End--

Configuring the dead interval

The following procedure describes how to configure the interval after which a neighbor is declared dead.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 To set the dead-interval, enter:

ip ospf dead-interval [1-65535]

--End--

Configuring the hello interval

The following procedure describes how to configure the time between HELLO packets.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 To specify the interval between HELLO packets, enter:

ip ospf hello-interval [1-65535]

--End--

Configuring the message digest password

The following procedure describes how to specify the message digest authentication password.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 To specify the message digest authentication password, enter:

ip ospf message-digest-key [1-255] md5 <password>

--End--

Table 88: Variable definition

Variable Value

<password> The OSPF password.
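
The area-level command from "Enable authentication for an OSPF area" and the interface-level commands from "Configuring the authentication key" and "Configuring the message digest password" can be audited together. The following script is an added example, not Nortel code: the saved-configuration layout, interface names and keys are constructed assumptions, and treating `area <area-id> authentication` without `message-digest` as simple-password mode follows standard OSPF behaviour rather than a statement in this guide.

```python
import ipaddress
import re

# Constructed sample: the command sequences from the procedures in this guide,
# written out as one configuration text. The layout of a saved configuration,
# the interface names and the keys are assumptions made for this example.
SAMPLE_CONFIG = """\
interface ethernet 0/1
 ip ospf message-digest-key 1 md5 EXAMPLE-KEY
exit
interface ethernet 0/2
 ip ospf authentication-key EXAMPLE-PW
exit
interface ethernet 0/3
 ip ospf cost 20
exit
interface ethernet 0/4
 ip ospf priority 0
exit
router ospf 1
 network 10.0.1.0/24 area 0
 network 10.0.2.0/24 area 0.0.0.1
 network 10.0.3.0/24 area 2
 area 0 authentication message-digest
 area 1 authentication
 passive-interface ethernet 0/4
exit
"""

AREA_AUTH = re.compile(r"^area\s+(\S+)\s+authentication(\s+message-digest)?$")
NETWORK = re.compile(r"^network\s+\S+\s+area\s+(\S+)$")


def area_key(area_id):
    """Normalise an area ID given as an integer or as A.B.C.D to an integer."""
    if "." in area_id:
        return int(ipaddress.IPv4Address(area_id))
    return int(area_id)


def parse(config):
    """Return (areas, interfaces, passive) collected from the configuration."""
    areas = {}       # area number -> "none" | "simple" | "message-digest"
    interfaces = {}  # interface name -> set of "ip ospf" keywords seen
    passive = set()  # interfaces named in passive-interface
    current = None   # interface whose mode we are in, if any
    for raw in config.splitlines():
        line = " ".join(raw.split()).lower()
        if not line:
            continue
        if line.startswith("interface "):
            current = line[len("interface "):]
            interfaces.setdefault(current, set())
        elif line.startswith("router ospf") or line == "exit":
            current = None
        elif line.startswith("ip ospf ") and current is not None:
            interfaces[current].add(line.split()[2])
        elif line.startswith("passive-interface "):
            passive.add(line[len("passive-interface "):])
        else:
            net = NETWORK.match(line)
            auth = AREA_AUTH.match(line)
            if net:
                # An area that carries a network but never gets an
                # authentication line stays at "none".
                areas.setdefault(area_key(net.group(1)), "none")
            elif auth:
                mode = "message-digest" if auth.group(2) else "simple"
                areas[area_key(auth.group(1))] = mode
    return areas, interfaces, passive


def audit(config):
    """Return (subject, finding) pairs for weak or missing OSPF authentication."""
    areas, interfaces, passive = parse(config)
    findings = []
    for number in sorted(areas):
        if areas[number] == "none":
            findings.append((f"area {number}", "no authentication"))
        elif areas[number] == "simple":
            findings.append((f"area {number}", "simple password authentication"))
    for name in sorted(interfaces):
        keywords = interfaces[name]
        # Heuristic: only stanzas with an "ip ospf" setting are treated as OSPF
        # interfaces; passive interfaces form no adjacencies and are skipped.
        # Interfaces are not mapped to areas here.
        if not keywords or name in passive:
            continue
        if "message-digest-key" in keywords:
            continue
        if "authentication-key" in keywords:
            findings.append((f"interface {name}", "simple password key only"))
        else:
            findings.append((f"interface {name}", "no authentication key"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```

Area IDs are normalised before comparison because the guide accepts both the integer and the A.B.C.D form, so `area 1 authentication` and `network ... area 0.0.0.1` refer to the same area.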

Configuring OSPF MTU

The following procedure describes how to specify the OSPF interface Maximum Transmission Units (MTU).

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 To specify the MTU, enter:

ip ospf mtu [576-65535]

--End--

Configuring OSPF to ignore MTU

The following procedure describes how to set OSPF to ignore the MTU in DBD packets.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 To ignore MTU, enter:

ip ospf mtu-ignore

--End--

Configuring the link-state transmit delay

The following procedure describes how to specify the OSPF link state transmit delay.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 To specify the transmit delay, enter:

ip ospf transmit-delay [1-3600]

--End--

Configuring lost link state transmit delay

The following procedure describes how to specify the time between retransmitting lost link state advertisements.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 To specify the retransmit interval, enter:

ip ospf retransmit-interval [1-3600]

--End--

Configuring the OSPF network type

The following procedure describes how to specify the OSPF network type.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 To specify the network type, enter:

ip ospf network <type>

--End--

Table 89: Variable definition

Variable Value

<type> The OSPF network type. Possible values are:

• broadcast - broadcast multi-access network

• point-to-point - point to point network

Configuring OSPF TE metric

The following procedure describes how to configure the OSPF te-metric.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 To specify the te-metric, enter:

ip ospf te-metric [1-65535]

--End--

Displaying OSPF parameters and statistics

The following procedure describes how to show IP routing protocol process parameters and statistics.

Procedure steps

Step Action

1 To show OSPF parameters and statistics, enter:

show ip protocols ospf

--End--

Displaying border router information

The following procedure describes how to show border and boundary router information.

Procedure steps

Step Action

1 To show border and boundary router information, enter:

show ip ospf border-routers

--End--

Displaying database summary

The following procedure describes how to show the OSPF database summary.

Procedure steps

Step Action

1 To show the OSPF database summary, enter:

show ip ospf database

--End--

Displaying TE database

The following procedure describes how to show the OSPF te-database.

Procedure steps

Step Action

1 To show the te-database, enter:

show ip ospf te-database

--End--

Displaying virtual link information

The following procedure describes how to show OSPF virtual link information.

Procedure steps

Step Action

1 To show virtual link information, enter:

show ip ospf virtual-links

--End--

Displaying neighbors

Show router neighbor information.

Procedure steps

Step Action

1 Display information for neighbor routers.

show ip ospf neighbor

--End--

Displaying OSPF routes

Display OSPF routes learned from neighbors.

Procedure steps

Step Action

1 Display OSPF routes.

show ip ospf route

--End--

Displaying OSPF interface

Display detailed OSPF interface information.

Procedure steps

Step Action

1 Display OSPF information.

show ip ospf interface <interface>

--End--

Table 90 Variable definition

Variable Value

<interface> Interface name. Example: Ethernet 0/1

Clearing OSPF processes

The following procedure describes how to clear OSPF process information.

Procedure steps

Step Action

1 To clear an individual process, enter:

clear ip ospf <processid>

2 To clear all OSPF processes, enter:

clear ip ospf process

--End--

Table 91 Variable definition

Variable Value

<processid> The OSPF process to clear.

VRRP fundamentals

VRRP overview

In statically routed networks, when a router fails, all the network devices connected to this router are unable to have traffic routed. Typically this means these devices cannot reach the Internet or other networks.

IPv4’s Virtual Router Redundancy Protocol (VRRP) eliminates this single point of failure by dynamically assigning virtual routers that can provide network connectivity in the event the primary router fails. One virtual router is designated as the Master, which is assigned the IP addresses of connected devices. The Master router can manage multiple primary and secondary IP addresses.

Alternate virtual routers (up to 254) are designated as backup virtual routers in the event the Master fails. Each backup is configured with a priority setting that determines the order in which backup routers take over in the event the Master fails. When the Master router fails, the backup router with the highest priority number will preempt all other backup routers in assuming the duties of the Master router. If you disable the preempt feature (using the no vrrp preempt command), the backup virtual router that is configured as the Master virtual router will remain such until the original Master virtual router recovers.

The mechanism by which virtual routers in the same network communicate status and priority is through VRRP advertisements from the Master virtual router. VRRP uses the assigned multicast address 224.0.0.18. By default, these advertisements are sent every second, but you can configure the interval.

In addition to maintaining network connectivity when a router fails, VRRP allows network administrators to share routing duties with multiple routers, thereby reducing the impact of heavy traffic loads.

Virtual Router Redundancy Protocol

Because end stations are often configured with a static default gateway IP address, a loss of the default gateway router causes a loss of connectivity to the remote networks.

The Virtual Router Redundancy Protocol (VRRP) (RFC 2338) is designed to eliminate the single point of failure that can occur when the single static default gateway router for an end station is lost. VRRP introduces the concept of a virtual IP address (transparent to users) shared between two or more routers connecting the common subnet to the enterprise network. With the virtual IP address as the default gateway on end hosts, VRRP provides a dynamic default gateway redundancy in the event of failover.

The VRRP router controlling the IP addresses associated with a virtual router is called the primary router and forwards packets to these IP addresses. The election process provides a dynamic transition of forwarding responsibility if the primary router becomes unavailable.

In the configuration example shown in Figure 12 "Virtual Router Redundancy Protocol configuration" (page 129), the first three hosts install a default route to R1 (virtual router 1) and the other three hosts install a default route to R2 (virtual router 2).

This configuration not only has the effect of load sharing the outgoing traffic, but it also provides full redundancy. If either router fails, the other router assumes responsibility for both addresses.

Figure 12 Virtual Router Redundancy Protocol configuration

Each Secure Router 4134 can support up to 255 virtual routers. VRRP uses the following terms:

• VRRP router—a router running the VRRP protocol

• Virtual router—an abstract object acting as the default router for one or more hosts, consisting of a virtual router ID and a set of addresses

• IP address owner—the VRRP router that has virtual router IP addresses as real interface addresses (This router is the one that responds to packets sent to this IP address.)

• Primary IP address—an IP address selected from the real addresses and used as the source address of packets sent from the router interface (The virtual primary router sends VRRP advertisements using this IP address as the source.)

• Virtual router master—the router assuming responsibility for forwarding packets sent to the IP address associated with the virtual router and answering ARP requests for these IP addresses. The IP address owner always becomes the virtual router master.

• Virtual router backup—the virtual router that becomes the primary router if the current primary router fails

When a VRRP router is initialized, if it is the IP address owner, its priority is 255 and it sends a VRRP advertisement. The VRRP router also broadcasts a gratuitous ARP request containing the virtual router MAC address for each IP address associated with the virtual router. The VRRP router then transitions to the controlling state.

In the controlling state, the VRRP router functions as the forwarding router for the IP addresses associated with the virtual router. It responds to ARP requests for these IP addresses, forwards packets with a destination MAC address equal to the virtual router MAC address, and accepts only packets addressed to IP addresses associated with the virtual router if it is the IP address owner. If the priority is not 255, the router transitions to the backup state to ensure that all layer 2 switches in the down path relearn the new origin of the VRRP MAC addresses.

In the backup state, a VRRP router monitors the availability and state of the primary router. It does not respond to ARP requests and must discard packets with a MAC address equal to the virtual router MAC address. It does not accept packets addressed to IP addresses associated with the virtual router. If a shutdown occurs, it transitions back to the initialize state. If the primary router goes down, the backup router sends the VRRP advertisement and ARP request described in the preceding paragraph and transitions to the controlling state.

Whenever a packet is redirected on the same IP subnet on which it is received, the Nortel Secure Router 2330/4134 sends an Internet Control Message Protocol (ICMP) redirect packet data unit (PDU) to the source IP address of the packet. ICMP redirect uses the VRRP IP subnet as the source IP address for the end stations using the VRRP IP address as the next hop.

If an advertisement timer fires, the router sends an advertisement. If an advertisement is received with a 0 priority, the router sends an advertisement. The router transitions to the backup state:

• If the priority in the received advertisement is greater than the local priority

• If it is the same as the local priority and the primary IP address of the sender is greater than the local primary IP address

Otherwise, it discards the advertisement. If a shutdown occurs, the primary router sends a VRRP advertisement with a priority of 0 and transitions to the initialize state.
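The state transitions and advertisement rules described above can be traced with the following Python example. It is an added illustration, not Nortel code: the class and field names, the addresses and the authentication string are constructed, and the string check stands in for the group authentication string configured in "Configuring the authentication string".

```python
"""Added example: VRRP advertisement handling as described in the text above.

Class and field names, addresses and the auth string are constructed for
illustration; this is not Secure Router code.
"""
import hmac
from dataclasses import dataclass
from ipaddress import IPv4Address

INITIALIZE, BACKUP, CONTROLLING = "initialize", "backup", "controlling"
OWNER_PRIORITY = 255   # priority of the IP address owner
RELEASE_PRIORITY = 0   # advertised by a primary router that is shutting down


@dataclass
class Advertisement:
    vrid: int
    priority: int
    primary_ip: IPv4Address   # source address of the advertisement
    auth: str = ""


@dataclass
class VirtualRouter:
    vrid: int
    priority: int
    primary_ip: IPv4Address
    auth: str = ""
    state: str = INITIALIZE

    def advertisement(self, priority=None):
        """Build the advertisement this router would send."""
        prio = self.priority if priority is None else priority
        return Advertisement(self.vrid, prio, self.primary_ip, self.auth)

    def startup(self):
        # The IP address owner takes over at once; any other router starts as backup.
        self.state = CONTROLLING if self.priority == OWNER_PRIORITY else BACKUP
        return self.state

    def primary_down(self):
        # A backup takes over once the primary router is no longer available.
        if self.state == BACKUP:
            self.state = CONTROLLING
        return self.state

    def shutdown(self):
        # A controlling router announces its departure with priority 0.
        adv = self.advertisement(RELEASE_PRIORITY) if self.state == CONTROLLING else None
        self.state = INITIALIZE
        return adv

    def receive(self, adv):
        """Apply one received advertisement and return the action taken."""
        if self.state == INITIALIZE:
            return "ignore-not-running"
        if adv.vrid != self.vrid:
            return "ignore-other-group"
        # Constant-time comparison of the shared authentication string.
        if not hmac.compare_digest(adv.auth.encode(), self.auth.encode()):
            return "discard-auth-mismatch"
        if self.state == BACKUP:
            return "primary-alive"
        if adv.priority == RELEASE_PRIORITY:
            return "send-advertisement"
        if adv.priority > self.priority or (
            adv.priority == self.priority and adv.primary_ip > self.primary_ip
        ):
            self.state = BACKUP
            return "become-backup"
        return "discard"


def demo():
    """Run a constructed sequence of advertisements against one router."""
    key = "k3y-demo"   # constructed 8-character string
    local = VirtualRouter(1, 100, IPv4Address("192.0.2.2"), auth=key)
    local.startup()        # priority 100, so it starts as backup
    local.primary_down()   # and takes over when the primary disappears

    def peer(priority, ip, auth=key):
        return Advertisement(1, priority, IPv4Address(ip), auth)

    inputs = [
        peer(90, "192.0.2.9"),           # lower priority
        peer(100, "192.0.2.1"),          # same priority, lower address
        peer(0, "192.0.2.9"),            # a router announcing shutdown
        peer(200, "192.0.2.9", "wrong"), # fails the authentication string check
        peer(100, "192.0.2.3"),          # same priority, higher address
        peer(100, "192.0.2.3"),          # seen again while in backup
    ]
    return [(local.receive(adv), local.state) for adv in inputs]
```

If the string is carried as the simple text password of RFC 2338 (an assumption about this platform), it travels unencrypted in each advertisement, so it protects against misconfigured neighbors rather than against a host that can capture traffic on the segment.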

VRRP configuration procedures

Configure VRRP per port

Configure VRRP on a port. Use the no form of this command to remove this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 Specify the VRRP group number.

vrrp [1-255]

4 Enable VRRP on port.

enable

--End--

Table 92 Variable definition

Variable Value

<interface> Interface name. Example: Ethernet 0/1

<vrid> A unique integer value that represents the virtual router ID in the range 1 to 254. The virtual router acts as the default router for one or more assigned addresses.

Configuring the advertisement interval

The following procedure describes how to configure the time, in seconds, between sending advertisement messages. Use the no form of this command to remove this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 Specify the VRRP group number.

vrrp [1-255]

4 To configure the advertisement interval, enter:

advertisement_interval [1-255]

--End--

Configuring the authentication string

The following procedure describes how to specify the authentication string used to authenticate VRRP packets received from other routers in a group. Use the no form of this command to remove this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 Specify the VRRP group number.

vrrp [1-255]

4 To specify the authentication string, enter:

authentication <key>

--End--

Table 93 Variable definition

Variable Value

<key> The authentication string, maximum 8 characters.

Configuring the virtual IP address

The following procedure describes how to configure IP addresses associated with this virtual router. Use the no form of this command to remove this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 Specify the VRRP group number.

vrrp [1-255]

4 To specify the IP address of the virtual router, enter:

ipaddr <address>

--End--

Table 94 Variable definition

Variable Value

<address> The IP address of the virtual router.

Configuring priority

The following procedure describes how to set the priority level of the router within a VRRP group. Use the no form of this command to remove this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 Specify the VRRP group number.

vrrp [1-255]

4 To set the priority level, enter:

priority [1-254]

--End--

Configuring track priority

The following procedure describes how to configure the tracked interface and track priority. Use the no form of this command to remove this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 Specify the VRRP group number.

vrrp [1-255]

4 To configure the tracked interface and priority, enter:

track interface <interface name> track_priority <priority>

--End--

Table 95 Variable definition

Variable Value

<interface name> The name of the interface to track.

<priority> The priority given to the track.

Configuring the learn interval

The following procedure describes how to configure the backup router to learn the advertisement interval from the master. Use the no form of this command to remove this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 Specify the VRRP group number.

vrrp [1-255]

4 To configure the backup router to learn the advertisement interval from the master, enter:

learn_adv_interval

--End--

Configuring a VRRP group description

The following procedure describes how to set a description message for a VRRP group. Use the no form of this command to remove this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 Specify the VRRP group number.

vrrp [1-255]

4 To configure a VRRP group description, enter:

description "description text"

--End--

Configuring the preempt flag

The following procedure describes how to set the preempt flag. Use the no form of this command to remove this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter Interface Mode.

interface <interface>

3 Specify the VRRP group number.

vrrp [1-255]

4 To set the preempt flag, enter:

preempt

--End--

Show VRRP information

Shows the status of configured VRRP functionality.

Procedure steps

Step Action

1 Show information.

show vrrp [mode <summary>|<detailed>] [interface <ifnum>] [group <all>|<groupnum>]

--End--

Table 96 Variable definition

Variable Value

<all> Display all group information.

<detailed> Display detailed information.

<ifnum> The interface number to display.

[interface] The VRRP interface.

[group] The VRRP group. Range is 1 - 255.

<groupnum> The group number to display.

[mode] The display mode. Summary or detailed. Default is summary.

<summary> Display summary information.

Clearing VRRP information

This procedure describes how to clear VRRP information.

Procedure steps

Step Action

1 Clear VRRP information.

clear vrrp [interface <ifnum>] [group <all>|<groupnum>]

--End--

Table 97 Variable definition

Variable Value

<all> Clear all VRRP groups.

<ifnum> The interface number to clear.

[interface] Clear a VRRP interface.

[group] Clear a VRRP group.

<groupnum> The group number to clear.

BGP fundamentals

The Border Gateway Protocol (BGP) is a routing protocol used for routing between Autonomous Systems. The main purpose of BGP is to exchange network-layer reachability information (NLRI) among IP routers in different autonomous systems, for example, between ISPs. An autonomous system (AS) is a set of interconnected networks administered by a single authority, and with certain routing behaviors determined by common routing policies.

Because BGP routes traffic between networks, it is also referred to as External BGP (EBGP), as opposed to routing protocols like RIP and OSPF that route traffic within a network and are referred to as Interior Gateway Protocols (IGP). BGP can also be used as an IGP (routing within a single AS), and in this case is referred to as Interior BGP (IBGP).

The primary characteristics of BGP are its scalability and stability. For these reasons, BGP is the routing protocol typically used by Internet Service Providers to route over the Internet.

A protocol that allows BGP to maximize the efficiency of routing tables is classless interdomain routing (CIDR). CIDR is used by BGP to reduce the size of the Internet routing tables. CIDR allows BGP to manage blocks of IP addresses as single routing table entries. For example, the IP address block 200.1.x.x is 256 Class C address blocks, 200.1.0.x through 200.1.255.x. Without CIDR, routers would have to advertise 256 Class C address blocks to BGP peers. With CIDR, BGP can advertise one block, 200.1.x.x.

BGP also maximizes routing efficiency by only exchanging full routing information when connections are first established. Thereafter, only changes to routing tables are sent to neighbors. Also, BGP only advertises optimal routes.

BGP concepts

Hierarchical mechanisms

A BGP network consists of BGP peers, peer groups, communities, and extended communities.

Multiple BGP neighbors can be assigned to a peer group. The peer group is internal if all of its member peers reside within an AS. The peer group is external if all of its member peers reside outside the AS. The peers within a peer group share the same configuration, including routing policies. Any peer assigned to a peer group automatically inherits any configuration and policies established for the peer group, but an administrator can override certain attributes of this configuration at the individual peer level.

A BGP community is a collection of destinations larger than a BGP peer group. BGP identifies members of a community by means of a community attribute inserted in the route to each community destination. As with a BGP peer group, the BGP community can be an efficient mechanism to identify a large number of routes to which an administrator can apply common routing policies. The community attribute identifies the AS of origin and specific ID of the community to which the route (or community destination) belongs.

BGP identifies members of an extended community by means of extended community attributes. As with any BGP community, the BGP extended community is also an efficient mechanism for identifying a set of routes to which an administrator can apply common routing policies.

BGP routes, route properties, and updates

Within BGP, a route is a path to a network destination by way of intervening BGP peers. BGP routers advertise routes (or send route updates) with the following path attributes or properties:

• The BGP origin — Identifies the type of BGP peer that originated the route advertisement (an iBGP or eBGP peer).

• The BGP community — Identifies the AS of origin and BGP community in which the destination network resides. The community ID can be a numeric value or one of the well-known BGP community names. How a BGP peer handles a received route associated with a well-known community depends on the community name:

— no-advertise (Do not advertise this route to any other BGP peers.)

— no-export (Do not advertise this route outside a confederation boundary.)

— no-export-subconfed (Do not advertise this route to external BGP peers, including those in the local BGP confederation.)

• The BGP next hop — Identifies the address of the next BGP peer along the advertised path to the destination network.

• The BGP AS path — Identifies the sequence of ASs traversed along the advertised path to the destination network. A BGP peer that originates an advertisement inserts its own AS number into the AS path value, unless the update is advertised to a peer in the same AS, in which case the originating peer sends the route with an empty AS path value. Any external peer receiving an update adds its own local AS number to the AS path value before redistributing the route to another peer. This is a mechanism for accumulating an accurate AS path value. If any BGP peer receives a BGP update that already contains that peer’s local AS number in the AS path field, the router discards the route, thereby preventing the establishment of routing loops in the network.

• The BGP local preference — Identifies the metric value assigned by a BGP router to advertise its relative preference for a particular route to a destination network. This attribute has significance only to iBGP peers in the same AS as the advertising peer. External peers ignore any local preference value advertised from a BGP router in another AS. Any iBGP peer can override an advertised local preference value with its own preferred value before importing the route into the BGP RIB.

• The BGP multi-exit discriminator (MED) — Identifies the metric value assigned by a BGP router to advertise its relative preference for a particular route into its local AS. If that AS has multiple entry points, then an eBGP peer can compare MED values advertised in routes to the same destination in the target AS. The eBGP peer can then prefer to use the route with the lowest advertised MED value.

An administrator can set routing policies that use any or all of these properties to influence the behaviors of BGP configured on a Nortel Secure Router 2330/4134.
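The AS path loop check and the handling of the three well-known communities described above combine into an import-then-export decision. The following Python example is an added illustration, not Nortel code: the peer-type labels, peer names, prefixes and AS numbers (taken from the documentation ranges) are constructed, and prepending the local AS number for every external peer is a simplification.

```python
"""Added example: AS-path loop check and well-known community handling.

Peer-type labels, peer names, prefixes and AS numbers are constructed.
"""
from dataclasses import dataclass, field

IBGP = "ibgp"                 # peer in the same AS
CONFED_EBGP = "confed-ebgp"   # external peer inside the local confederation
EBGP = "ebgp"                 # external peer outside the confederation

# Peer types a route may still be advertised to, per well-known community,
# following the descriptions in the text above.
ALLOWED_PEERS = {
    "no-advertise": frozenset(),
    "no-export": frozenset({IBGP, CONFED_EBGP}),
    "no-export-subconfed": frozenset({IBGP}),
}


@dataclass
class Route:
    prefix: str
    as_path: list
    communities: set = field(default_factory=set)


def accept(route, local_as):
    """Import check: discard a route whose AS path already contains our AS."""
    return local_as not in route.as_path


def may_advertise(route, peer_type):
    """Export check: every well-known community on the route must allow the peer."""
    return all(
        peer_type in ALLOWED_PEERS[name]
        for name in route.communities
        if name in ALLOWED_PEERS   # numeric communities carry no built-in rule
    )


def export(route, local_as, peer_type):
    """Return the route as sent to one peer, or None if it is withheld."""
    if not may_advertise(route, peer_type):
        return None
    path = list(route.as_path)
    if peer_type != IBGP:
        # Simplification (assumption): the local AS number is prepended for
        # every external peer; the path is left unchanged toward iBGP peers.
        path.insert(0, local_as)
    return Route(route.prefix, path, set(route.communities))


def relay(route, local_as, peers):
    """Import a received route, then export it to each peer in `peers`."""
    if not accept(route, local_as):
        return {"accepted": False, "sent": {}}
    sent = {}
    for name, peer_type in peers.items():
        out = export(route, local_as, peer_type)
        sent[name] = None if out is None else out.as_path
    return {"accepted": True, "sent": sent}


# Constructed peers of a router in AS 64500.
PEERS = {"core-1": IBGP, "subas-2": CONFED_EBGP, "transit-1": EBGP}


def demo():
    """Relay three constructed routes through a router in AS 64500."""
    plain = Route("198.51.100.0/24", [64501, 64502])
    tagged = Route("203.0.113.0/24", [64501], {"no-export", "64501:100"})
    looped = Route("192.0.2.0/24", [64501, 64500, 64502])
    return [relay(route, 64500, PEERS) for route in (plain, tagged, looped)]
```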

Policy-based routing

BGP uses import and export routing policies to control the types of routes advertised from the routing table, or accepted into the routing table, respectively.

Export policies allow BGP to advertise certain routes that match defined (default or configured) criteria. Export policies also enable BGP to alter the properties of certain routes before advertising them.

BGP import policies allow BGP to filter route updates received, and to assign properties to accepted routes before installing them into the routing table. An administrator can create routing policies to prefer, modify, or redistribute routes associated with a:

• BGP peer

• BGP peer group

• BGP community

• BGP extended community

Route redistribution

BGP can redistribute, to its domain, routes learned by other dynamic and static routing protocols. BGP then advertises these routes to its external peers according to any export policy configured. Note that connected routes and loopback addresses are not automatically redistributed, but an administrator can use policies to export such routes.

BGP supports the redistribution of routing information from other routing protocols such as RIP, OSPF, and static routes. BGP attributes of the routes can be altered by applying a routing policy during redistribution.

Note that routes are redistributed only if they are in the forwarding table (that is, they are active routes). The Nortel Secure Router 2330/4134 does not support extensions that allow BGP to send out routes that are not active routes.

Security

BGP can authenticate peerings and routing protocol exchanges. Authentication guarantees that BGP imports routing information from trusted peers only. An administrator can configure a password for this purpose. By default, authentication security is disabled.

Route reflectors

Route Reflectors and Confederations are two different techniques used to solve the same problem of full iBGP meshing.

BGP systems generally require full-mesh connectivity within an AS to facilitate redistribution of external routes to all routers in the same AS. However, scaling issues can arise within an AS that contains a significant number of BGP routers because they all exchange the same information with each other, causing an unacceptable amount of BGP control traffic. To avoid this scenario, an administrator can configure Route Reflectors to decrease the BGP control traffic inside the AS.

A Route Reflector is a cluster of BGP devices within an AS, with one system serving as a Route Reflector server and other BGP systems serving as client peers. The server redistributes intracluster routing information to its client peers. Outside the cluster, non-client peers receive intercluster routing information from the server. Non-client peers may also be Route Reflectors.

Confederations

Confederations and Route Reflectors are two different techniques used to solve the same problem of full iBGP meshing.

One solution to the requirement of full-mesh connectivity between iBGP peers consists of splitting an AS into several sub-ASs that together form a confederation. Each sub-AS contains a collection of fully-meshed iBGP peers. BGP routers on a sub-AS border communicate with other sub-AS border routers using a smaller number of eBGP sessions. Therefore, implementing a confederation substantially simplifies the requirement for 1-to-n connectivity among all peers within an AS, resulting in less control traffic and more available router resources and bandwidth for user data traffic within the AS.

To external ASs, the confederation looks like a single AS with a single AS number, which is the confederation identifier. The confederation hides the sub-AS numbers from peers outside the local AS. Because the confederation looks to external peers like a single AS, processing of AS path attributes such as next hop, local-preference, and MED occur in the normal manner.

Route flap dampening

A route is flapping when its state oscillates from available to unavailable to available periodically. An available route resides in the router FIB, whereas an unavailable route has been withdrawn from the router FIB. Every time a route flaps, BGP assigns to that route a penalty that is cumulative. When the penalty reaches a certain limit (called the suppress limit), BGP suppresses (stops advertising) the flapping route. However, as route availability stabilizes, BGP also actively reduces the penalty value for that route by half, at a period defined by a half-life attribute. Once the penalty value diminishes below a reuse threshold value, BGP can resume advertising (reusing) the route.

When route flapping occurs, BGP systems generate too many route update messages, thereby reducing the efficiency of peers in the network. By damping route flaps, BGP generates fewer route updates, thereby helping to optimize BGP operation in peers and in the network.
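The interaction of the cumulative penalty, suppress limit, half-life and reuse threshold described above is easiest to see with numbers. The following Python example is an added illustration, not Nortel code: the penalty per flap, the limits and the half-life are assumed values, not documented Secure Router defaults, and the halving is modelled as continuous exponential decay.

```python
"""Added example: route flap dampening penalty model.

All numeric settings are assumed for illustration; they are not taken from
the Secure Router documentation.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class DampeningConfig:
    penalty_per_flap: float = 1000.0   # added on every flap (assumed)
    suppress_limit: float = 2000.0     # stop advertising at or above this
    reuse_threshold: float = 750.0     # resume advertising below this
    half_life_s: float = 900.0         # penalty halves every 900 seconds


class DampenedRoute:
    def __init__(self, cfg=DampeningConfig()):
        self.cfg = cfg
        self.penalty = 0.0
        self.last_update = 0.0
        self.suppressed = False

    def _decay(self, now):
        """Bring the penalty up to date for the time that has passed."""
        elapsed = now - self.last_update
        if elapsed < 0:
            raise ValueError("time must not run backwards")
        self.penalty *= 0.5 ** (elapsed / self.cfg.half_life_s)
        self.last_update = now
        if self.suppressed and self.penalty < self.cfg.reuse_threshold:
            self.suppressed = False   # penalty fell below the reuse threshold

    def flap(self, now):
        """Record one flap at time `now`; return True if the route is suppressed."""
        self._decay(now)
        self.penalty += self.cfg.penalty_per_flap
        if self.penalty >= self.cfg.suppress_limit:
            self.suppressed = True
        return self.suppressed

    def is_advertised(self, now):
        """True if the route may be advertised at time `now`."""
        self._decay(now)
        return not self.suppressed

    def seconds_until_reuse(self, now):
        """Seconds of stability needed before a suppressed route is reused."""
        self._decay(now)
        if not self.suppressed:
            return 0.0
        ratio = self.penalty / self.cfg.reuse_threshold
        return self.cfg.half_life_s * math.log2(ratio)


def demo():
    """Three constructed flaps one minute apart, then a stable period."""
    route = DampenedRoute()
    timeline = [(t, route.flap(t), round(route.penalty)) for t in (0, 60, 120)]
    wait = route.seconds_until_reuse(120)
    still_suppressed = not route.is_advertised(120 + 1700)
    reused = route.is_advertised(120 + 1800)
    return timeline, wait, still_suppressed, reused
```

With these assumed settings the third flap crosses the suppress limit, and the route stays suppressed for roughly 29 minutes of stability, which is the operational cost to weigh when choosing the limits.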

Route refresh

When any import policies for the local BGP peer change, all of the routes advertised by a remote peer must be re-evaluated against all existing (including new and modified) import policies. One way to perform this operation is for the local peer, at great expense of available resources, to:

• Maintain a real-time database of all routes advertised by remote peers, at the expense of local memory and CPU resources.

• Reapply all import policies to the above routes.

• Import into the BGP RIB-IN table only those routes accepted by the latest BGP import policies on the local peer.

Instead of the above approach, the route-refresh feature enables the local peer to:

• Not maintain a real-time database of all routes advertised by remote peers, saving local memory and CPU resources.

• Request a remote peer to resend all of the routes currently in its RIB-OUT table. Upon receiving the requested routes, the local peer can reapply all of its current import policies. The RIB-OUT table contains the routes that the router announces to adjacent peers.

• Import into the BGP RIB-IN table only those routes qualified by the latest local BGP import policies on the local peer. The RIB-IN table contains the routes that the router learns from adjacent peers.

A BGP speaker uses the BGP Capabilities Advertisement to advertise to peers at session OPEN its ability to originate and correctly process route-refresh messages. By using the BGP-CAP mechanism, the BGP speaker will send route-refresh messages only to peers that also support the feature.

BGP planning considerations

An administrator can plan for the different stages of BGP configuration by obtaining certain key information from the detailed network design plan. For the purpose of grouping related configuration tasks, the stages of BGP configuration planning are:

• BGP minimum configuration planning

• BGP initial session customization planning

• BGP update processing and advertisement configuration planning

• BGP optimization planning

BGP minimum configuration planning

Before you begin BGP minimum configuration, determine the following from your network design plan:

• The AS number in which the local BGP peer resides.

• The address families to be supported by the local BGP peer. (By default, BGP supports the IPv4 address family, but can also support the IPv6 address family.)

• The names of BGP groups you want to configure on this router.

• For each BGP neighbor, its peer type (internal iBGP or external eBGP).

• The number of any AS in which BGP peers reside.

• The IP addresses of the local and remote BGP peers in each group. (By default, the address of the local peer is its router-id.)

• The names of any routing policies necessary to allow certain other BGP peers to connect dynamically, or as needed, to the local peer.

BGP initial session customization planning

Before customizing the behavior or sessions between the local and any remote BGP peers, you should finish the minimum configuration of the Nortel Secure Router 2330/4134 local BGP peer. The administrator should then additionally determine from the network design plan these settings for each static or dynamic peer configured on the local BGP router:

• BGP session OPEN type (active or passive)

• BGP connection type (direct or multihop)

• Authentication password

• Session timer settings (default or customized)

BGP update processing and advertisement configuration planning

After BGP minimum configuration and initial session customization, you can customize how the local peer must process received updates and outgoing advertisements. From the network design plan, determine if the local BGP peer must:

• Advertise the local router ID as nexthop (to all, group, or specific peers)

• Advertise no aggregator ID in updates (to all, group, or specific peers)

• Advertise MED values (to all, group, or specific peers)

• Compare MED values in routes learned from eBGP peers

• Remove a private AS number from routes

• Replace the peer AS number with the local AS number in updates received from peers

• Keep routes that contain the local AS number

• Accept routes containing the local AS number n times

• Allow default or set customized maximum routes and session teardown criteria for each address family

BGP optimization planning

To help optimize BGP operations, determine from the network design plan if the local BGP peer:

• Is part of an AS confederation

• Is part of a Route Reflector cluster

• Is part of any specific communities or extended communities

• Has requirements for customized import and export policies

• Should support damping for flapping routes

• Should support the BGP Route Refresh capability

MBGP

BGP Multicast (MBGP) allows BGP to connect multicast topologies within and outside an AS.

Routers implementing the MBGP feature carry two separate sets of routing information for unicast and multicast routing. Multicast protocols such as Protocol Independent Multicast (PIM) use this multicast routing information to build multicast distribution trees. Using MBGP, you can direct all the multicast traffic to designated access points other than normal unicast forwarding paths. Combined with the power of BGP policies, MBGP provides control over the multicast traffic inside as well as outside the AS. MBGP supports most applicable unicast BGP CLI commands, with the exception that MBGP routes are not redistributed to other protocols and BGP routes are not redistributed to MBGP. To configure multicast BGP, specify the IPv4 multicast address family (using the address-family command) before configuring the desired BGP property (the default address family is unicast).

BGP configuration procedures

BGP procedures for a minimum configuration

Enabling BGP

Enable BGP to support the exchange of routes between autonomous systems. This procedure enables BGP with mainly default configuration values. Any peer groups created under BGP inherit these default values. You can choose to override (customize) many of these BGP global values at the BGP group or individual peer level.

Use the no form of this command to revert.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

--End--

BGP procedures for a customized configuration

Configuring MBGP properties

Specify the IPv4 multicast address-family to configure MBGP properties.

Procedure 2

Procedure steps

Step Action

1 Enter configuration mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

--End--

Configuring a passive session OPEN

Configure a passive session OPEN if you do not want BGP to send the active OPEN message to another peer to establish a BGP session. Instead, the local peer waits for the remote peer to initiate the BGP session and responds accordingly. (By default, BGP actively initiates session OPEN with another peer.)

Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Set the session to passive.

[no] neighbor <A.B.C.D|X:X::X:X|tag> passive

--End--

Advertising the local router ID as nexthop

Advertise the local router ID as the next hop to force iBGP peers and/or eBGP Confederation Peers in the local AS to use that local node as the next hop for routing traffic to destinations outside the AS.

Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Advertise as next hop.

[no] neighbor <A.B.C.D|X:X::X:X|tag> next-hop-self

--End--

Comparing the MED value of routes learned from eBGP peers

Compare the multi-exit discriminator (MED) value of routes learned from eBGP peers so that the Nortel Secure Router 2330/4134 can select the route with the lowest advertised MED value.

Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 Configure to always compare MED values.

[no] bgp always-compare-med

--End--

Removing private AS numbers from route advertisements

Remove private AS numbers from route advertisements to avoid propagating those routes to other BGP peers. When an ISP’s local eBGP peer receives a route update message from an eBGP peer on a private AS, the ISP’s peer must remove the private AS numbers.

Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Remove private AS numbers from route advertisements.

[no] neighbor <A.B.C.D|X:X::X:X|tag> remove-private-AS

--End--

Configuring a BGP Confederation

Configure a BGP confederation to avoid the scaling issues that the full-mesh connectivity requirement causes. A confederation splits a major AS into multiple sub-ASs. Although each sub-AS contains a group of fully-meshed iBGP peers, the sub-AS BGP border router communicates with other sub-AS BGP border routers using a smaller number of eBGP sessions. Together, the sub-ASs and their respective peers form a confederation, which appears to external ASs as a single AS.

Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 Configure a confederation.

bgp confederation <id>

4 Configure confederation peer AS numbers

[no] bgp confederation peers <AS-numbers>

--End--

Table 98 Variable definition

Variable Value

<id> Identifier name.

Configuring a BGP Route Reflector cluster

Configure a BGP Route Reflector cluster to achieve full iBGP meshing within a large AS. With this configuration, an administrator subdivides an AS into peer clusters.

Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 Configure a cluster-id.

[no] bgp cluster-id <cluster-id>

--End--

Table 99 Variable definition

Variable Value

<cluster-id> Cluster identifier.

Configuring soft-reconfiguration on neighbor

This procedure describes the steps necessary to configure the router software to start storing updates.

Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Configure the router software to start storing updates.

[no] neighbor <A.B.C.D|X:X::X:X|tag> soft-reconfiguration inbound

--End--

Configuring strict-capability-match on neighbor

This procedure describes the steps necessary to close the BGP connection if the capability values do not completely match those of the remote peer.

Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 Configure strict-capability-match on a neighbor.

[no] neighbor <A.B.C.D|X:X::X:X|tag> strict-capability-match

--End--

Enabling ECMP

This procedure describes the steps necessary to enable ECMP processing.

Use the no form of this command to disable this function.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Enable ECMP processing.

[no] ebgp-ecmp

--End--

Enabling an address family for a neighbor

The following procedure describes how to activate the current address family for the supplied neighbor.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 To activate the address family, enter:

[no] neighbor <A.B.C.D|X:X::X:X|tag> activate

--End--

Configuring interval for BGP route updates

The following procedure describes how to configure the minimum interval between sending BGP routing updates.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 To set the minimum advertisement interval, enter:

[no] neighbor <A.B.C.D|X:X::X:X|tag> advertisement-interval <interval>

--End--

Table 100 Variable definition

Variable Value

<interval> The advertisement interval, in seconds, in the range 0 to 600.

Configuring interval for AS-origination updates

The following procedure describes how to set the minimum interval between sending AS-origination routing updates.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 To set the minimum interval, enter:

[no] neighbor <A.B.C.D|X:X::X:X|tag> as-origination-interval <interval>

--End--

Table 101 Variable definition

Variable Value

<interval> The minimum interval, in seconds, in the range 1 to 600.

Advertising capability to a peer

The following procedure describes how to advertise capabilities to a neighbor.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 To advertise a capability, enter:

[no] neighbor <A.B.C.D|X:X::X:X|tag> capability <dynamic|orf|route-refresh>

--End--

Table 102 Variable definition

Variable Value

<dynamic> Advertise dynamic capability to this neighbor.

<orf> Advertise ORF capability to this neighbor.

<route-refresh> Advertise route-refresh capability to this neighbor.

Configuring a default route to originate to neighbor

The following procedure describes how to originate a default route to the specified neighbor.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 To configure a default route, enter:

[no] neighbor <A.B.C.D|X:X::X:X|tag> default-originate route-map <mapname>

--End--

Table 103 Variable definition

Variable Value

<mapname> The route-map name.

Configuring a neighbor description

The following procedure describes how to configure a neighbor’s specific description.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 To configure the description, enter:

[no] neighbor <A.B.C.D|X:X::X:X|tag> description <description>

--End--

Table 104 Variable definition

Variable Value

<description> A short description of this neighbor, up to 80 characters.

Configuring a distribution list

The following procedure describes how to filter updates to and from the specified neighbor.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 To filter updates, enter:

[no] neighbor <A.B.C.D|X:X::X:X|tag> distribute-list <identifier>

--End--

Table 105 Variable definition

Variable Value

<identifier> The distribute list identifier. Possible values are:

• IP access list number, in the range 1 to 199

• Expanded range IP access list number, in the range 1300 to 2699

• The IP access list name

Disallowing capability negotiation

The following procedure describes how to disallow capability negotiation with the specified neighbor.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 To disallow capability negotiation, enter:

[no] neighbor <A.B.C.D|X:X::X:X|tag> dont-capability-negotiate

--End--

Allowing EBGP neighbors from indirectly connected networks

The following procedure describes how to allow EBGP neighbors not on directly connected networks.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 To allow EBGP neighbors, enter:

[no] neighbor <A.B.C.D|X:X::X:X|tag> ebgp-multihop <maxhop>

--End--

Table 106 Variable definition

Variable Value

<maxhop> The maximum hop count, in the range 1 to 255.

Configuring BGP filters

The following procedure describes how to establish BGP filters.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Establish BGP filters.

[no] neighbor <A.B.C.D|X:X::X:X|tag> filter-list <listname> <in|out>

--End--

Table 107 Variable definition

Variable Value

<in> Filter incoming routes.

<listname> The AS path access list name.

<out> Filter outgoing routes.

Enabling BGP on an interface

The following procedure describes how to enable BGP on an interface.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 Enable BGP on an interface.

[no] neighbor <A.B.C.D|X:X::X:X|tag> interface <interface>

--End--

Table 108 Variable definition

Variable Value

<interface> The interface for which you want to enable BGP.

Configuring maximum number of prefixes

The following procedure describes how to set the maximum number of prefixes accepted from the specified peer.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Set the maximum number of prefixes.

[no] neighbor <A.B.C.D|X:X::X:X|tag> maximum-prefix <maxprefix>

--End--

Table 109 Variable definition

Variable Value

<maxprefix> The maximum number of prefixes, in the range 1 to 4294967295.

Configuring a neighbor password

The following procedure describes how to set a password for the specified neighbor.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 Set a password for the specified neighbor.

[no] neighbor <A.B.C.D|X:X::X:X|tag> password <password>

--End--

Table 110 Variable definition

Variable Value

<password> The password for the specified neighbor.

Configuring peer-group members

The following procedure describes how to add the specified interface as a peer-group member.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Add a peer-group member.

[no] neighbor <A.B.C.D|X:X::X:X|tag> peer-group <groupname>

--End--

Table 111 Variable definition

Variable Value

<groupname> The name of the peer group to join.

Configuring a prefix list

The following procedure describes how to filter updates to and from the specified neighbor.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Configure the prefix list.

[no] neighbor <A.B.C.D|X:X::X:X|tag> prefix-list <name> <in|out>

--End--

Table 112 Variable definition

Variable Value

<in> Filter incoming updates.

<name> The name given to the prefix list.

<out> Filter outgoing updates.

Configuring AS number of a remote BGP neighbor

The following procedure describes how to set the AS number of a remote BGP neighbor.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 Set the AS number.

[no] neighbor <A.B.C.D|X:X::X:X|tag> remote-as <asnumber>

--End--

Table 113 Variable definition

Variable Value

<asnumber> The AS number of the specified remote BGP neighbor, in the range 1 to 65535.
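
An added example, not part of the Nortel guide: a Python check that reads configuration lines in the syntax of the remote-as, password, maximum-prefix, prefix-list, filter-list, route-map, ebgp-multihop and peer-group procedures in this chapter and lists, for each eBGP neighbor, which of those protections are absent. The sample configuration (addresses, AS numbers, names, password), the peer-group inheritance model and the multihop threshold are assumptions made for the illustration.

```python
import re

# Constructed sample in the CLI syntax of the procedures in this chapter.
# Addresses, AS numbers, list names and the password are placeholders.
SAMPLE_CONFIG = """\
configure terminal
router bgp 65001
neighbor 192.0.2.1 remote-as 64500
neighbor 192.0.2.1 password EXAMPLE-SECRET
neighbor 192.0.2.1 maximum-prefix 1000
neighbor 192.0.2.1 prefix-list CUSTOMER-IN in
neighbor 198.51.100.7 remote-as 64501
neighbor 198.51.100.7 ebgp-multihop 255
neighbor 198.51.100.7 prefix-list PEER-OUT out
neighbor 198.51.100.7 password EXAMPLE-SECRET
no neighbor 198.51.100.7 password
neighbor 203.0.113.9 remote-as 64502
neighbor 203.0.113.9 peer-group TRANSIT
neighbor TRANSIT password EXAMPLE-SECRET
neighbor TRANSIT maximum-prefix 500000
neighbor TRANSIT route-map TRANSIT-IN in
neighbor 10.0.0.2 remote-as 65001
"""

ROUTER_RE = re.compile(r"^router\s+bgp\s+(\d+)$")
NEIGHBOR_RE = re.compile(r"^(no\s+)?neighbor\s+(\S+)\s+(\S+)\s*(.*)$")
# Commands whose last argument is a direction (<in|out>). distribute-list is
# not counted because its syntax in this guide carries no direction keyword.
DIRECTIONAL = ("prefix-list", "filter-list", "route-map")


def parse_bgp(config):
    """Return (local_as, {peer_or_tag: {setting: argument_string}})."""
    local_as, neighbors = None, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = ROUTER_RE.match(line)
        if m:
            local_as = int(m.group(1))
            continue
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue  # address-family and other lines are not audited here
        negated, peer, keyword, args = m.groups()
        tokens = args.split()
        key = keyword
        if keyword in DIRECTIONAL and tokens and tokens[-1] in ("in", "out"):
            key = f"{keyword} {tokens[-1]}"  # keep inbound and outbound apart
        settings = neighbors.setdefault(peer, {})
        if negated:
            settings.pop(key, None)  # the "no" form clears the setting
        else:
            settings[key] = args
    return local_as, neighbors


def effective(peer, neighbors):
    """Settings for one peer, with its peer-group's settings as fallback.

    Assumption: a member inherits what is configured on its peer-group tag,
    and the member's own lines take precedence.
    """
    own = neighbors[peer]
    merged = dict(neighbors.get(own.get("peer-group"), {}))
    merged.update(own)
    return merged


def audit(config, max_multihop=2):
    """Return {peer: [issues]} for eBGP peers.

    max_multihop is an assumed local policy value, not a Nortel default.
    """
    local_as, neighbors = parse_bgp(config)
    findings = {}
    for peer in neighbors:
        s = effective(peer, neighbors)
        remote = s.get("remote-as", "")
        if not remote.isdigit() or int(remote) == local_as:
            continue  # peer-group tags and iBGP peers are out of scope
        issues = []
        if "password" not in s:
            issues.append("no-password")
        if "maximum-prefix" not in s:
            issues.append("no-maximum-prefix")
        if not any(f"{cmd} in" in s for cmd in DIRECTIONAL):
            issues.append("no-inbound-filter")
        hops = s.get("ebgp-multihop", "")
        if hops.isdigit() and int(hops) > max_multihop:
            issues.append("wide-ebgp-multihop")
        if issues:
            findings[peer] = issues
    return findings


if __name__ == "__main__":
    for peer, issues in audit(SAMPLE_CONFIG).items():
        print(peer, ", ".join(issues))
```

The check does not distinguish address families, so a filter applied only under address-family ipv4 multicast still counts as an inbound filter for that neighbor.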

Configuring a route map to a neighbor

The following procedure describes how to apply a route map to the specified neighbor.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Configure the route map.

[no] neighbor <A.B.C.D|X:X::X:X|tag> route-map <mapname> <in|out>

--End--

Table 114 Variable definition

Variable Value

<in> Apply route map to incoming routes.

<mapname> The name of the route map.

<out> Apply route map to outbound routes.

Configuring a neighbor as route reflector client

The following procedure describes how to configure the specified neighbor as a route reflector client. Use the no form of this command to disable this function.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Configure as route reflector client.

[no] neighbor <A.B.C.D|X:X::X:X|tag> route-reflector-client

--End--

Configuring a neighbor as route server client

The following procedure describes how to configure the specified neighbor as a route server client. Use the no form of this command to disable this function.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Configure as route server client.

[no] neighbor <A.B.C.D|X:X::X:X|tag> route-server-client

--End--

Sending a community attribute to a neighbor

The following procedure describes how to send a community attribute to the specified neighbor.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Send the community attribute.

[no] neighbor <A.B.C.D|X:X::X:X|tag> send-community <both|extended|standard>

--End--

Table 115 Variable definition

Variable Value

<both> Send Standard and Extended Community attributes.

<extended> Send Extended Community attributes.

<standard> Send Standard Community attributes.

Shutting down a neighbor

The following procedure describes how to administratively shut down any active sessions for the specified neighbor and clear all related routing data.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 Shut down the neighbor.

[no] neighbor <A.B.C.D|X:X::X:X|tag> shutdown

--End--

Configuring BGP neighbor timers

The following procedure describes how to configure BGP per-neighbor timers.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 Configure BGP neighbor timers.

[no] neighbor <A.B.C.D|X:X::X:X|tag> timers <keepalive> [connect <interval>]

--End--

Table 116 Variable definition

Variable Value

[connect] Configure the neighbor connect timer.

<interval> The connect timer interval, in the range 1 to 65535.

<keepalive> The keepalive interval for the specified neighbor, in the range 0 to 65535.

Configuring a routing update source

The following procedure describes how to configure a source for the specified neighbor’s routing updates.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 Configure the update source.

[no] neighbor <A.B.C.D|X:X::X:X|tag> update-source <source>

--End--

Table 117 Variable definition

Variable Value

<source> The interface name or address of the update source.

Configuring weight for a BGP neighbor

The following procedure describes how to configure the weight for the specified BGP neighbor.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Configure the weight.

[no] neighbor <A.B.C.D|X:X::X:X|tag> weight <weight>

--End--

Table 118 Variable definition

Variable Value

<weight> The default weight, in the range 0 to 65535.

Modifying a default bestpath selection

The following procedure describes how to modify the default bestpath selection. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 To modify the default selection, enter:

[no] bgp bestpath [as-path ignore] [compare-confed-aspath] [compare-routerid] [med [confed] [missing-as-worst]]

--End--

Table 119 Variable definition

Variable Value

[as-path ignore] Ignore as-path length in selecting a route.

[compare-confed-aspath] Allow comparing confederation AS path length.

[compare-routerid] Compare router-id for identical EBGP paths.

[confed] Compare MED among confederation paths.

[med] Configure MED attribute.

[missing-as-worst] Treat missed MED as the least preferred one.

Configuring client-to-client route reflection

The following procedure describes how to configure client-to-client route reflection.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 To configure route reflection, enter:

[no] bgp client-to-client reflection

--End--

Configuring a route reflector cluster-id

The following procedure describes how to configure the route reflector cluster-id.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 To configure the cluster-id, enter:

[no] bgp cluster-id <id>

--End--

Table 120 Variable definition

Variable Value

<id> The route reflector cluster-id. Can be configured as a 32-bit quantity, in the range 1 to 4294967295, or in IP address format.

Configuring AS confederation parameters

The following procedure describes how to configure confederation parameters.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 To configure confederation parameters, enter:

[no] bgp confederation [identifer <asnumber>] [peers <peer>]

--End--

Table 121 Variable definition

Variable Value

[identifer <asnumber>] Configure confederation by AS number, in the range 1 to 65535.

[peers <peer>] Configure confederation by peer AS by listing each peer number, in the range 1 to 65535, followed by a space, up to a maximum of 255 entries.

Enabling route flap dampening

The following procedure describes how to enable and configure route flap dampening.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 To enable and configure flap dampening, enter:

[no] bgp dampening [route-map <mapname>] [<hltime> <reuse> <suppress> <duration> <uhltime>]

--End--

Table 122 Variable definition

Variable Value

<duration> Maximum duration to suppress a stable route.

<hltime> Reachability half-life time for a penalty, in minutes.

<reuse> Value to start reusing a route.

[route-map <mapname>] Configure route-map criteria by map name.

<suppress> Value to start suppressing a route.

<uhltime> Unreachability half-life time for a penalty, in minutes.
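The following added example (not part of the Nortel manual) models how the five dampening parameters in Table 122 interact, using the RFC 2439 exponential-decay scheme. The per-flap penalty of 1000 and the sample parameter values are assumptions; the manual does not state the penalty or the defaults this router uses.

```python
import math
from dataclasses import dataclass

# Assumption: 1000 penalty points per withdrawal, a common vendor convention.
# The manual does not state the per-flap penalty this router applies.
FLAP_PENALTY = 1000.0


@dataclass
class DampeningParams:
    hltime: float    # <hltime>: reachability half-life, minutes
    reuse: float     # <reuse>: a suppressed route is reused below this penalty
    suppress: float  # <suppress>: a route is suppressed above this penalty
    duration: float  # <duration>: maximum suppression time, minutes
    uhltime: float   # <uhltime>: unreachability half-life, minutes

    @property
    def ceiling(self) -> float:
        # Capping the penalty here guarantees that a route which has become
        # stable decays back to <reuse> within <duration> minutes.
        return self.reuse * 2 ** (self.duration / self.hltime)


class DampenedRoute:
    def __init__(self, params: DampeningParams):
        self.params = params
        self.penalty = 0.0
        self.reachable = True
        self.suppressed = False
        self.clock = 0.0  # minutes; calls must use non-decreasing times

    def _decay(self, now: float) -> None:
        # The half-life depends on whether the route is currently reachable.
        half_life = self.params.hltime if self.reachable else self.params.uhltime
        self.penalty *= 0.5 ** ((now - self.clock) / half_life)
        self.clock = now
        if self.suppressed and self.penalty < self.params.reuse:
            self.suppressed = False

    def withdraw(self, now: float) -> None:
        self._decay(now)
        self.reachable = False
        self.penalty = min(self.penalty + FLAP_PENALTY, self.params.ceiling)
        if self.penalty > self.params.suppress:
            self.suppressed = True

    def announce(self, now: float) -> None:
        self._decay(now)
        self.reachable = True

    def usable(self, now: float) -> bool:
        self._decay(now)
        return self.reachable and not self.suppressed


def minutes_until_reuse(route: DampenedRoute) -> float:
    """Minutes a reachable, suppressed route stays hidden if it stops flapping."""
    if not route.suppressed:
        return 0.0
    return route.params.hltime * math.log2(route.penalty / route.params.reuse)


def flap(route: DampenedRoute, start: float, count: int, period: float = 1.0):
    """Constructed input: `count` withdraw/announce pairs, one per `period` minutes."""
    for i in range(count):
        route.withdraw(start + i * period)
        route.announce(start + i * period + period / 2)
    return route


if __name__ == "__main__":
    # Constructed sample values, not the router's defaults.
    p = DampeningParams(hltime=15, reuse=750, suppress=2000, duration=60, uhltime=15)
    r = flap(DampenedRoute(p), start=0, count=3, period=2.0)
    print("suppressed:", r.suppressed, "penalty:", round(r.penalty, 1))
    print("minutes until reuse:", round(minutes_until_reuse(r), 1))
```

With these sample values two flaps leave the route usable, a third suppresses it for roughly 27 minutes, and no flap storm can keep a stabilised route hidden for longer than <duration>.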

Configuring BGP defaults

The following procedure describes how to configure BGP defaults.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 To configure BGP defaults, enter:

[no] bgp default [ipv4-unicast] [local-preference <value>]

--End--

Table 123 Variable definition

Variable Value

[ipv4-unicast] Activate IPv4 unicast for a peer by default.

[local-preference <value>] Configure the local preference value, in the range 0 to 4294967295. The higher the value, the more preferred.

Enforcing first AS for EBGP routes

The following procedure describes how to enforce the first AS for an EBGP route.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 To enforce the first AS, enter:

[no] bgp enforce-first-as

--End--

Resetting a session when a peer goes down

The following procedure describes how to immediately reset a session if a link to a directly connected external peer goes down.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 To configure the session to reset, enter:

[no] bgp fast-external-failover

--End--

Logging neighbor changes

The following procedure describes how to configure logging of neighbor changes.

Use the no form of the bgp log-neighbor-changes command to clear this setting.

The BGP neighbor change messages are logged at the notification priority level of the syslog. By default, the syslog does not log the neighbor change messages. To enable logging of BGP neighbor changes, you must configure the syslog to log the notification-level messages.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 To log neighbor changes, enter:

[no] bgp log-neighbor-changes

exit

4 To enable logging of notification level routing messages (which include BGP neighbor change messages), enter:

system logging syslog module routing local0 notice

--End--

Overriding current router-id

The following procedure describes how to override the current router identifier and reset peers.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 To override the router id, enter:

[no] bgp router-id <id>

--End--

Table 124 Variable definition

Variable Value

<id> The manually configured router identifier, in IP address format.

Configuring background scan interval

The following procedure describes how to configure the background scan interval, in seconds.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 To set the scan interval, enter:

[no] bgp scan-time <interval>

--End--

Table 125 Variable definition

Variable Value

<interval> The scan interval, in seconds, in the range 10 to 60. Default is 60.

Defining the administrative distance

The following procedure describes how to configure the administrative distance.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 To configure the administrative distance, enter:

[no] distance [<distance>] [bgp <ext> <int> <local>]

--End--

Table 126 Variable definition

Variable Value

[bgp] Configure the BGP distance.

[<distance>] Configure the administrative distance, in the range 1 to 255.

<ext> Distance for routes external to the AS, in the range 1 to 255.

<int> Distance for routes internal to the AS, in the range 1 to 255.

<local> Distance for local routes, in the range 1 to 255.

Configuring BGP aggregate entries

The following procedure describes how to configure BGP aggregate entries.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 To configure aggregate entries, enter:

[no] aggregate-address <prefix> [as-set] [summary-only]

--End--

Table 127 Variable definition

Variable Value

[as-set] Generate AS set path information.

[summary-only] Filter more specific routes from updates.

Configuring IGP synchronization

The following procedure describes how to configure BGP to perform IGP synchronization.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 To configure synchronization, enter:

[no] synchronization

--End--

Specifying a BGP announced network

The following procedure describes how to specify a network to announce via BGP.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 To specify a network, enter:

[no] network [<prefix>] [synchronization]

--End--

Table 128 Variable definition

Variable Value

<prefix> IP prefix of the network. Length is optional.

[synchronization] Perform IGP synchronization on network routes.

Configuring routing timers

The following procedure describes how to configure routing keepalive and holdtime timers.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 To configure timers, enter:

[no] timers bgp <keepalive> <holdtime>

--End--

Table 129 Variable definition

Variable Value

<holdtime> The hold timer value, in the range 0 to 65535.

<keepalive> The keepalive interval, in the range 0 to 65535.

Redistributing information from another protocol

The following procedure describes how to redistribute information from another protocol.

Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 To redistribute information, enter:

[no] redistribute <protocol> route-map <mapname>

--End--

Table 130 Variable definition

Variable Value

<mapname> The pointer to route-map entries.

<protocol> The protocol you want to redistribute from. Possible choices are:

• connected - redistribute from connected routes.

• ospf - redistribute from OSPF routes.

• rip - redistribute from RIP routes.

• static - redistribute from Static routes.

Configuring aggregation on same next hop

The following procedure describes how to configure BGP to perform aggregation only when the next hop matches the specified IP address. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 To configure aggregation, enter:

[no] bgp aggregate-nexthop-check

--End--

Configuring RFC1771 compatible path selection mechanism

The following procedure describes how to set RFC1771 compatible path selection mechanism. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 To configure aggregation, enter:

[no] bgp rfc1771-path-select

--End--

Configuring aggregation on same next hop

The following procedure describes how to set the Strict RFC1771 setting. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter Configuration Mode.

configure terminal

2 To configure aggregation, enter:

[no] bgp rfc1771-strict

--End--

Configuring a BGP AS path filter

This procedure describes how to configure a BGP autonomous system path filter. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode.

configure terminal

2 To configure the BGP AS path filter, enter:

[no] ip as-path access-list <name> [deny|permit]

--End--

Table 131 Variable definition

Variable Value

<name> Regular expression access list name.

Configuring community list entries

This procedure describes how to add a community list entry. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode.

configure terminal

2 To add the community list entry, enter:

[no] ip community-list <name> [permit|deny]

--End--

Table 132 Variable definition

Variable Value

<name> The community list name.

Matching a BGP origin code

This procedure describes how to match a BGP origin code. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Specify the origin to match:

[no] match origin {<egp>|<igp>|<incomplete>}

--End--

Table 133 Variable definition

Variable Value

<egp> Match from a remote egp origin.

<igp> Match from a local igp origin.

<incomplete> Match from an unknown origin.

Matching a BGP AS-path list

This procedure describes how to match a BGP AS-path list. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Specify the AS-path list to match against:

[no] match as-path <list>

--End--

Table 134 Variable definition

Variable Value

<list> The AS-path access list to match against.

Matching a BGP community list

This procedure describes how to match a BGP community list. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Specify the community list to match against:

[no] match community <list> [exact-match]

--End--

Table 135 Variable definition

Variable Value

[exact-match] Do an exact match of communities.

<list> The community list to match against.

Setting the BGP aggregator attribute

This procedure describes how to set the BGP aggregator attribute. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Set the BGP aggregator attribute:

[no] set aggregator as <asnum> <address>

--End--

Table 136 Variable definition

Variable Value

<address> The IP address of the aggregator.

<asnum> The AS number of the aggregator.

Setting the prepend string for a BGP AS-path attribute

This procedure describes how to set the prepend string for a BGP AS-path attribute. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Set the prepend string for a BGP AS-path attribute:

[no] set as-path {[tag]|[prepend <list>]}

--End--

Table 137 Variable definition

Variable Value

<list> A list of AS-path numbers, separated by spaces, to a max list size of 255. Valid range of AS-path numbers is 1 to 65535.

[prepend] Prepend to the AS-path.

[tag] Set the tag as an AS-path attribute.

Setting the BGP atomic aggregate attribute

This procedure describes how to set the BGP atomic aggregate attribute. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Set the BGP atomic aggregate attribute:

[no] set atomic-aggregate

--End--

Setting the BGP community list

This procedure describes how to set the BGP community list. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Set the BGP community list:

[no] set comm-list <list> [delete]

--End--

Table 138 Variable definition

Variable Value

[delete] Deletes matching communities.

<list> The community list name.

Setting the BGP community attribute

This procedure describes how to set the BGP community attribute. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Set the BGP community attribute:

[no] set community [community-number <number>] [internet] [local-AS] [no-advertise] [no-export] [additive]

--End--

Table 139 Variable definition

Variable Value

[additive] Add to an existing community.

[community-number] Specify a community number.

[internet] Specify as a well known community.

[local-AS] Do not send outside the local AS.

[no-advertise] Do not advertise to any peer.

[no-export] Do not export to next AS.

<number> The community number in aa:nn format.

Setting the BGP local preference path attribute

This procedure describes how to set the BGP local preference path attribute. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Set the BGP local preference path attribute:

[no] set local-preference <prefval>

--End--

Table 140 Variable definition

Variable Value

<prefval> The preference value in the range 0 to 4294967295.

Setting the BGP origin code

This procedure describes how to set the BGP origin code. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Set the BGP origin code:

[no] set origin {[egp]|[igp]|[incomplete]}

--End--

Table 141 Variable definition

Variable Value

[egp] Set the origin as a remote EGP.

[igp] Set the origin as a local IGP.

[incomplete] Set the origin as unknown heritage.

Setting the BGP originator ID attribute

This procedure describes how to set the BGP originator ID attribute. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Set the BGP originator ID attribute:

[no] set originator-id <A.B.C.D>

--End--

Table 142 Variable definition

Variable Value

<A.B.C.D> The IP address of the originator.

Setting the tag value for a destination routing protocol

This procedure describes how to set the tag value for a destination routing protocol. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Set the tag value for a destination routing protocol:

[no] set tag <value>

--End--

Table 143 Variable definition

Variable Value

<value> The tag value, in the range 0 to 4294967295.

Setting the BGP weight for a routing table

This procedure describes how to set the BGP weight for a routing table. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Specify a route map:

route-map <route-map-name> [deny|permit] <1-65535>

3 Set the BGP weight for a routing table:

[no] set weight <value>

--End--

Table 144 Variable definition

Variable Value

<value> The weight value, in the range 0 to 4294967295.

Configuring deterministic MED

This procedure describes how to compare the MED variable when choosing routes advertised by different peers in the same AS. Multi Exit Discriminator (MED) is used in best path selection by BGP. MED is compared after the BGP attributes weight, local preference, AS-path and origin have been compared and are equal. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 Enable deterministic MED:

[no] bgp deterministic-med

--End--
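The comparison order described above, together with the bestpath options from Table 119, as an added example that is not code from the Nortel manual or the router. It assumes standard BGP behaviour: MED is compared only between paths from the same neighbor AS, an absent MED counts as 0 unless missing-as-worst is set, paths are compared pairwise in arrival order unless deterministic MED is on, and the lowest router ID is the only tie-break after MED. The paths are constructed sample data.

```python
from dataclasses import dataclass
from itertools import permutations
from typing import Optional

MED_WORST = 2**32 - 1


@dataclass(frozen=True)
class Path:
    name: str
    neighbor_as: int            # AS of the peer that advertised the path
    router_id: int              # advertising peer's router ID, as an integer
    med: Optional[int] = None   # None means the MED attribute is absent
    as_path_len: int = 1
    weight: int = 0
    local_pref: int = 100
    origin: int = 0             # 0 igp, 1 egp, 2 incomplete; lower wins


@dataclass(frozen=True)
class Options:
    as_path_ignore: bool = False      # bgp bestpath as-path ignore
    missing_as_worst: bool = False    # bgp bestpath med missing-as-worst
    deterministic_med: bool = False   # bgp deterministic-med


def better(a: Path, b: Path, opt: Options) -> Path:
    """Return the preferred of two paths: weight, local preference,
    AS-path length, origin, then MED, then (assumed) lowest router ID."""
    for attr in ("weight", "local_pref"):          # higher value wins
        if getattr(a, attr) != getattr(b, attr):
            return a if getattr(a, attr) > getattr(b, attr) else b
    if not opt.as_path_ignore and a.as_path_len != b.as_path_len:
        return a if a.as_path_len < b.as_path_len else b
    if a.origin != b.origin:
        return a if a.origin < b.origin else b
    if a.neighbor_as == b.neighbor_as:             # MED only within one neighbor AS
        absent = MED_WORST if opt.missing_as_worst else 0
        med_a = absent if a.med is None else a.med
        med_b = absent if b.med is None else b.med
        if med_a != med_b:
            return a if med_a < med_b else b
    return a if a.router_id <= b.router_id else b


def select(paths, opt: Options) -> Path:
    """Pick the best path; `paths` is in arrival order."""
    candidates = list(paths)
    if opt.deterministic_med:
        # First choose one winner per neighbor AS, then compare the winners.
        winners = {}
        for p in candidates:
            cur = winners.get(p.neighbor_as)
            winners[p.neighbor_as] = p if cur is None else better(cur, p, opt)
        candidates = [winners[asn] for asn in sorted(winners)]
    best = candidates[0]
    for p in candidates[1:]:
        best = better(best, p, opt)
    return best


def winners_over_arrival_orders(paths, opt: Options):
    """Names of every path that can win, over all possible arrival orders."""
    return {select(order, opt).name for order in permutations(paths)}


# Constructed sample: X beats Y on MED, Y beats Z and Z beats X on router ID.
PATHS = [
    Path("X", neighbor_as=100, router_id=3, med=10),
    Path("Y", neighbor_as=100, router_id=1, med=20),
    Path("Z", neighbor_as=200, router_id=2),
]

if __name__ == "__main__":
    print(sorted(winners_over_arrival_orders(PATHS, Options())))
    print(sorted(winners_over_arrival_orders(PATHS, Options(deterministic_med=True))))
```

Without deterministic MED any of the three sample paths can win depending on arrival order, including Y, which has a worse MED than X from the same AS; with it the result is always Z, which makes the selected path reproducible when auditing routing policy.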

Accepting an AS path containing my AS

This procedure describes how to accept an AS path containing the current AS. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Configure to accept the AS-path.

[no] neighbor <A.B.C.D|X:X::X:X|tag> allowas-in <numoccur>

--End--

Table 145 Variable definition

Variable Value

<numoccur> The number of occurrences of the AS number, in the range 1 to 10.

Propagating a BGP attribute unchanged to a neighbor

This procedure describes how to propagate a BGP attribute unchanged to the specified neighbor. You must specify remote-as or peer-group settings first. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Configure to propagate a BGP attribute unchanged.

[no] neighbor <A.B.C.D|X:X::X:X|tag> attribute-unchanged {<as-path>|<med>|<next-hop>}

--End--

Table 146 Variable definition

Variable Value

<as-path> Use the as-path attribute.

<med> Use the MED attribute.

<next-hop> Use the next-hop attribute.

Overriding a capability negotiation result

This procedure describes how to override a capability negotiation result. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 Override a capability negotiation result.

[no] neighbor <A.B.C.D|X:X::X:X|tag> override-capability

--End--

Table 147 Variable definition

Variable Value

<value> The weight value, in the range 0 to 4294967295.

Selectively leaking more-specific routes to a neighbor

This procedure describes how to selectively leak more-specific routes to a particular neighbor. Use the no form of this command to clear this setting.

Procedure steps

Step Action

1 Enter configuration mode:

configure terminal

2 Enter router mode and specify the BGP AS number.

router bgp <1-65535>

3 For multicast configuration, specify the IPv4 multicast address family (default family is IPv4 unicast):

address-family ipv4 multicast

4 Leak routes to a neighbor.

[no] neighbor <A.B.C.D|X:X::X:X|tag> unsuppress-map <map>

--End--

Table 148 Variable definition

Variable Value

<map> The name of the route-map used to select routes to be unsuppressed.

Displaying BGP attribute information

The following procedure describes how to display BGP attribute information.

Procedure steps

Step Action

1 To display BGP attribute information, enter:

show bgp ipv4 [unicast|multicast] attribute-info

--End--

Displaying routes matching communities

The following procedure describes how to display routes matching specific communities.

Procedure steps

Step Action

1 To display routes matching a specified community, enter:

show bgp ipv4 [unicast|multicast] community <number> [local-AS] [no-advertise] [no-export]

--End--

Table 149 Variable definition

Variable Value

<number> The community number in AA:NN format.

[local-AS] Do not send outside the local AS.

[no-export] Do not export to the next AS.

[no-advertise] Do not advertise to any peer.

Displaying BGP paths

The following procedure describes how to display BGP path information.

Procedure steps

Step Action

1 To display BGP path information, enter:

show bgp ipv4 [unicast|multicast] paths

--End--

Displaying cidr-only information

The following procedure describes how to display BGP cidr-only information.

Procedure steps

Step Action

1 To display cidr-only information, enter:

show bgp ipv4 [unicast|multicast] cidr-only

--End--

Displaying community information

The following procedure describes how to display information on routes matching the community. To modify the lines displayed, use the | (output modifier token); to save the output to a file, use the > output redirection token.

Procedure steps

Step Action

1 To display community information, enter:

show bgp ipv4 [unicast|multicast] community <type> <exact-match>

--End--

Table 150 Variable definition

Variable Value

<exact-match> Specifies that the router displays the exact match of the communities.

<type> Possible values are:

• AA:NN - Specifies a valid value for a community number.

• local-AS - Do not send outside local AS (well-known community).

• no-advertise - Do not advertise to any peer (well-known community).

• no-export - Do not export to next AS (well-known community).

Displaying neighbor information

The following procedure describes how to display neighbor information.

Procedure steps

Step Action

1 To display neighbor information, enter:

show bgp ipv4 [unicast|multicast] neighbors

--End--

Displaying BGP regular expression information

The following procedure describes how to display BGP regular expression information.

Procedure steps

Step Action

1 To display regular expression information, enter:

show bgp ipv4 [unicast|multicast] quote-regexp

--End--

Displaying BGP community information

The following procedure describes how to display BGP community information.

Procedure steps

Step Action

1 To display community information, enter:

show bgp ipv4 [unicast|multicast] community-info

--End--

Displaying scan information

The following procedure describes how to display scan information.

Procedure steps

Step Action

1 To display scan information, enter:

show bgp ipv4 [unicast|multicast] scan

--End--

Displaying BGP neighbor status summary

The following procedure describes how to display a BGP neighbor status summary.

Procedure steps

Step Action

1 To display a neighbor status summary, enter:

show bgp ipv4 [unicast|multicast] summary

--End--

Displaying inconsistent AS paths

The following procedure describes how to display inconsistent AS paths.

Procedure steps

Step Action

1 To display inconsistent AS paths, enter:

show bgp ipv4 [unicast|multicast] inconsistent-as

--End--

Displaying detailed dampening information

The following procedure describes how to display detailed dampening information.

Procedure steps

Step Action

1 To display detailed dampening information, enter:

show bgp ipv4 [unicast|multicast] dampening <type>

--End--

Table 151
Variable definition

Variable Value

<type> The type of dampening information to display. Possible choices are:

• dampened-paths - Display paths suppressed due to dampening.

• flap-statistics - Display flap statistics of routes.

• parameters - Display details of configured dampening parameters.

Displaying routes matching route map

The following procedure describes how to display routes that match a particular route map.

Procedure steps

Step Action

1 To display routes, enter:

show bgp ipv4 [unicast|multicast] route-map <mapname>

--End--

Table 152
Variable definition

Variable Value

<mapname> The route map to match against.

Displaying routes matching a prefix list

The following procedure describes how to display routes that match a particular prefix list.

Procedure steps

Step Action

1 To display routes, enter:

show bgp ipv4 [unicast|multicast] prefix-list <listname>

--End--


Table 153
Variable definition

Variable Value

<listname> The prefix list to match against.

Displaying routes matching a filter list

The following procedure describes how to display routes matching a particular filter list.

Procedure steps

Step Action

1 To display routes, enter:

show bgp ipv4 [unicast|multicast] filter-list <listname>

--End--

Table 154
Variable definition

Variable Value

<listname> The filter list to match against.

Displaying routes matching a community list

The following procedure describes how to display routes matching a particular community list.

Procedure steps

Step Action

1 To display routes, enter:

show bgp ipv4 [unicast|multicast] community-list <listname>

--End--

Table 155
Variable definition

Variable Value

<listname> The community list to match against.


Displaying routes matching an AS path regular expression

The following procedure describes how to

Procedure steps

Step Action

1 To display routes, enter:

show bgp ipv4 [unicast|multicast] regexp <expression>

--End--

Table 156
Variable definition

Variable Value

<expression> A regular expression used to match the BGP AS paths.

Displaying AS path access lists

This procedure describes how to list AS path access lists.

Procedure steps

Step Action

1 To display AS path access lists, enter:

show ip as-path-access-list <name>

--End--

Table 157
Variable definition

Variable Value

<name> The name of the AS path access list you want to display.

Displaying community lists

This procedure describes how to display a community list.


Procedure steps

Step Action

1 To display the community list, enter:

show ip community-list <name>

--End--

Table 158
Variable definition

Variable Value

<name> The name of the community list you want to display.

Resetting all BGP peers

The following procedure describes how to reset all BGP peers in the IPv4 address family.

Procedure steps

Step Action

1 To clear all IPv4 BGP peers, enter:

clear bgp ipv4 *

--End--

Resetting all BGP peers in IPv4 family

The following procedure describes how to reset all BGP peers in the IPv4 address family.

Procedure steps

Step Action

1 To clear all IPv4 BGP peers, enter:

clear bgp ipv4 {unicast|multicast} [in|out|soft] [prefix-filter]

--End--

Resetting BGP AS number

The following procedure describes how to clear peers in a BGP AS.


Procedure steps

Step Action

1 To clear all IPv4 BGP AS number, enter:

clear bgp ipv4 {unicast|multicast} <AS-number> [in|out|soft] [prefix-filter]

--End--

Resetting BGP peer groups

The following procedure describes how to reset BGP peer groups.

Procedure steps

Step Action

1 To clear all IPv4 BGP peer groups, enter:

clear bgp ipv4 {unicast|multicast} peer-group <groupname> [in|out|soft] [prefix-filter]

--End--

Resetting BGP neighbor ID

The following procedure describes how to reset BGP neighbor address.

Procedure steps

Step Action

1 To clear all IPv4 BGP neighbor ID, enter:

clear bgp ipv4 {unicast|multicast} <A.B.C.D> [in|out|soft] [prefix-filter]

--End--

Resetting BGP dampening

The following procedure describes how to reset BGP dampening.

Procedure steps

Step Action

1 To clear all IPv4 BGP dampening, enter:


clear bgp ipv4 {unicast|multicast} dampening <A.B.C.D|A.B.C.D/M>

--End--

Resetting BGP flap statistics

The following procedure describes how to reset flap statistics.

Procedure steps

Step Action

1 To clear all IPv4 BGP flap statistics, enter:

clear bgp ipv4 {unicast|multicast} flap-statistics <A.B.C.D|A.B.C.D/M>

--End--

Resetting BGP external peers

The following procedure describes how to reset external peers.

Procedure steps

Step Action

1 To clear all IPv4 BGP external peers, enter:

clear bgp ipv4 {unicast|multicast} external [in|out|soft] [prefix-filter]

--End--

Sample BGP configurations

Configuring IBGP sessions

An IBGP session is established between 2 BGP peers if they both belong to the same autonomous system number. They need not be directly connected to form a peer relationship. IBGP sessions need to be fully meshed to get EBGP routes advertised to all peers in the autonomous system.

Configuring an IBGP Session between 2 Nortel Secure Routers

CONFIGURATION OF NORTEL1:


conf term
interface bundle ToNT2
link t1 1/1
encapsulation ppp
ip address 40.40.40.1 255.255.255.0
exit
router bgp 100
neighbor 40.40.40.2 remote-as 100
exit

CONFIGURATION OF NORTEL2:

conf term
interface bundle ToNT1
link t1 1/1
encapsulation ppp
ip address 40.40.40.2 255.255.255.0
exit
router bgp 100
neighbor 40.40.40.1 remote-as 100
exit

The above configuration should bring up an IBGP Session between Nortel1 and Nortel2.

Configuring an IBGP Session between a Nortel Router and a 3rd Party Router

CONFIGURATION OF NORTEL1:

conf term
interface bundle To3rd
link t1 2/1
encapsulation ppp
ip address 30.30.30.1 255.255.255.0
exit
router bgp 100
neighbor 30.30.30.3 remote-as 100
exit

CONFIGURATION OF 3RD PARTY ROUTER:

interface Serial3/0
ip address 30.30.30.3 255.255.255.0
encapsulation ppp
exit


router bgp 100
neighbor 30.30.30.1 remote-as 100
exit

The above configuration should bring up an IBGP Session between Nortel1 and the 3rd party router.

Configuring an IBGP Multi-Hop Session between 2 Nortel Secure Routers

CONFIGURATION OF NORTEL1:

conf term
interface bundle ToNT2
link t1 1/1
encapsulation ppp
ip address 40.40.40.1 255.255.255.0
exit
interface loopback 1
ip address 60.60.60.1 255.255.255.255
exit
ip route 60.60.60.2 255.255.255.255 40.40.40.2 1
router bgp 100
neighbor 60.60.60.2 remote-as 100
exit
exit

CONFIGURATION OF NORTEL2:

conf term
interface bundle ToNT1
link t1 1/1
encapsulation ppp
ip address 40.40.40.2 255.255.255.0
exit
interface loopback 1
ip address 60.60.60.2 255.255.255.255
exit
ip route 60.60.60.1 255.255.255.255 40.40.40.1 1
router bgp 100
neighbor 60.60.60.1 remote-as 100
exit

Note that in the above configuration we have added an ip route command to reach the loopback interface on the other side. We need a route to reach the BGP peer address, either through a static route or through another protocol such as RIP or OSPF.


Reachability to the peer address has been achieved, but the session is still in an Active state. The BGP session is not established because one thing is still missing. When BGP initiates a connection with another peer, it always uses the address of its outgoing interface as the source address. In this case Nortel2 would use 40.40.40.2 and Nortel1 would use 40.40.40.1. But BGP is configured with the neighbor address 60.60.60.1 on Nortel2 and 60.60.60.2 on Nortel1, instead of 40.40.40.1 and 40.40.40.2. So we need to instruct BGP to use 60.60.60.1 and 60.60.60.2 as the source addresses instead of 40.40.40.x.

With an update-source command under the neighbor, BGP starts using the 60.60.60.x address.

SR4134> conf term
SR4134/configure> router bgp 100
SR4134/configure/router/bgp 100> neighbor 60.60.60.2 update-source 1

SR4134_2> conf term
SR4134_2/configure> router bgp 100
SR4134_2/configure/router/bgp 100> neighbor 60.60.60.1 update-source 1

Configuring an IBGP Multi-Hop Session between a Nortel Router and a 3rd Party Router

CONFIGURATION OF NORTEL1

conf term
interface bundle To3rd
link t1 2/1
encapsulation ppp
ip address 30.30.30.1 24
exit
interface loopback 1
ip address 60.60.60.1 32
exit
ip route 60.60.60.3 255.255.255.255 30.30.30.3 1
router bgp 100
neighbor 60.60.60.3 remote-as 100
neighbor 60.60.60.3 update-source 1
exit

CONFIGURATION OF 3RD PARTY ROUTER

interface Loopback1
ip address 60.60.60.3 255.255.255.255
interface Serial3/0


ip address 30.30.30.3 255.255.255.0
encapsulation ppp
exit
ip route 60.60.60.1 255.255.255.255 30.30.30.1 1
router bgp 100
neighbor 60.60.60.1 remote-as 100
neighbor 60.60.60.1 update-source loopback 1
exit

By adding update-source on Nortel and the 3rdPartyRouter we could establish an IBGP session between Nortel and 3rdPartyRouter.

Configuring EBGP sessions

An EBGP session is established between 2 BGP peers if they belong to two different autonomous system numbers. They need to be directly connected to form a peer relationship. If an EBGP peer is not directly connected but is multiple hops away, the session has to be specially configured under that neighbor to establish the peer relationship.

Configuring an EBGP Session between 2 Nortel Secure Routers

CONFIGURATION OF NORTEL1:

conf term
interface bundle ToNT2
link t1 1/1
encapsulation ppp
ip address 40.40.40.1 255.255.255.0
exit
router bgp 100
neighbor 40.40.40.2 remote-as 200

CONFIGURATION OF NORTEL2:

conf term
interface bundle ToNT1
link t1 1/1
encapsulation ppp
ip address 40.40.40.2 255.255.255.0
exit
router bgp 200
neighbor 40.40.40.1 remote-as 100

The above configuration should bring up an EBGP Session between Nortel1 and Nortel2.


Configuring an EBGP Session between a Nortel Router and a 3rd Party Router

CONFIGURATION OF NORTEL1:

conf term
interface bundle To3rd
link t1 2/1
encapsulation ppp
ip address 30.30.30.1 255.255.255.0
exit
router bgp 100
neighbor 30.30.30.3 remote-as 200

CONFIGURATION OF 3RDPARTYROUTER:

interface Serial3/0
ip address 30.30.30.3 255.255.255.0
encapsulation ppp
exit
router bgp 200
neighbor 30.30.30.1 remote-as 100

The above configuration should bring up an EBGP Session between Nortel1 and 3rdPartyRouter.

Configuring an EBGP Multi-Hop Session between a Nortel Router and a 3rd Party Router

CONFIGURATION OF NORTEL1:

conf term
interface bundle To3rd
link t1 2/1
encapsulation ppp
ip address 30.30.30.1 255.255.255.0
exit
interface loopback 1
ip address 60.60.60.1 32
exit
ip route 60.60.60.3 255.255.255.255 30.30.30.3 1
router bgp 100
neighbor 60.60.60.3 remote-as 200
neighbor 60.60.60.3 ebgp-multihop
neighbor 60.60.60.3 update-source 1


On an IBGP multi-hop session we need to take care of only the update-source to get BGP to an Established state, but in the case of EBGP neighbors we have to specify the session to be EBGP_MULTIHOP in the neighbor configuration itself.

CONFIGURATION OF 3RDPARTYROUTER:

interface Loopback1
ip address 60.60.60.3 255.255.255.255
interface Serial3/0
ip address 30.30.30.3 255.255.255.0
encapsulation ppp
exit
ip route 60.60.60.1 255.255.255.255 30.30.30.1 1
router bgp 200
neighbor 60.60.60.1 remote-as 100
neighbor 60.60.60.1 ebgp-multihop
neighbor 60.60.60.1 update-source loopback 1

The above configuration should bring up an EBGP Session over multi-hop between Nortel1 and 3rdPartyRouter.

Configuring an EBGP Multi-Hop Session between 2 Nortel Secure Routers

CONFIGURATION OF NORTEL1:

conf term
interface bundle ToNT2
link t1 1/1
encapsulation ppp
ip address 40.40.40.1 255.255.255.0
exit
interface loopback 1
ip address 60.60.60.1 255.255.255.255
exit
ip route 60.60.60.2 255.255.255.255 40.40.40.2 1
router bgp 100
neighbor 60.60.60.2 remote-as 200
neighbor 60.60.60.2 update-source 1
neighbor 60.60.60.2 ebgp-multihop

On an IBGP multi-hop session we need to take care of only the update-source to get BGP to an Established state, but in the case of EBGP neighbors we have to specify the session to be EBGP_MULTIHOP in the neighbor configuration itself.

CONFIGURATION OF NORTEL2:


conf term
interface bundle ToNT1
link t1 1/1
encapsulation ppp
ip address 40.40.40.2 255.255.255.0
exit
interface loopback 1
ip address 60.60.60.2 255.255.255.255
exit
ip route 60.60.60.1 255.255.255.255 40.40.40.1 1
router bgp 200
neighbor 60.60.60.1 remote-as 100
neighbor 60.60.60.1 update-source 1
neighbor 60.60.60.1 ebgp-multihop
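The multi-hop requirements explained in the IBGP and EBGP sections above (update-source for loopback peering, ebgp-multihop when the AS numbers differ, and a static route whose next hop is the far end of the link) can be checked offline before a configuration is applied. The following Python sketch is an added example, not part of the Nortel documentation; the function names and the sample configuration are constructed for illustration, and it only understands the command forms used in the sample configurations.

```python
import ipaddress

def parse(config):
    """Pull interface addresses, static routes and BGP neighbors out of a config."""
    st = {"addrs": [], "routes": [], "asn": None, "nbrs": {}}
    for line in config.strip().splitlines():
        w = line.split()
        if w[:2] == ["ip", "address"]:      # mask is dotted or a prefix length
            st["addrs"].append(ipaddress.ip_interface(f"{w[2]}/{w[3]}"))
        elif w[:2] == ["ip", "route"]:      # ip route <dest> <mask> <next-hop> ...
            st["routes"].append((ipaddress.ip_network(f"{w[2]}/{w[3]}", strict=False),
                                 ipaddress.ip_address(w[4])))
        elif w[:2] == ["router", "bgp"]:
            st["asn"] = int(w[2])
        elif w[:1] == ["neighbor"] and len(w) >= 3:
            n = st["nbrs"].setdefault(w[1], {"remote-as": None})
            n[w[2]] = int(w[3]) if w[2] == "remote-as" else True
    return st

def lint(config):
    """Return findings for the multi-hop mistakes described in the text."""
    st = parse(config)
    own = {i.ip for i in st["addrs"]}
    links = [i.network for i in st["addrs"] if i.network.prefixlen < 32]
    findings = [f"static route to {net} uses local address {hop} as next hop"
                for net, hop in st["routes"] if hop in own]
    for peer, n in st["nbrs"].items():
        if any(ipaddress.ip_address(peer) in net for net in links):
            continue                        # directly connected peer
        if "update-source" not in n:
            findings.append(f"multi-hop peer {peer} has no update-source")
        if n["remote-as"] != st["asn"] and "ebgp-multihop" not in n:
            findings.append(f"EBGP peer {peer} is multi-hop but lacks ebgp-multihop")
    return findings

# Constructed sample in the layout of the Nortel2 multi-hop configuration,
# with a next hop pointing at the router itself and no multi-hop settings.
BROKEN = """
interface bundle ToNT1
ip address 40.40.40.2 255.255.255.0
exit
interface loopback 1
ip address 60.60.60.2 255.255.255.255
exit
ip route 60.60.60.1 255.255.255.255 40.40.40.2 1
router bgp 200
neighbor 60.60.60.1 remote-as 100
"""
FIXED = BROKEN.replace("40.40.40.2 1", "40.40.40.1 1") + (
    "neighbor 60.60.60.1 update-source 1\nneighbor 60.60.60.1 ebgp-multihop\n")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, lint(cfg) or "no findings")
```

A missing static route is not reported, because the route to the peer address may come from RIP or OSPF instead.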


To provide feedback or to report a problem in this document, go to www.nortel.com/documentfeedback.
