HP 5500 Ei 5500 Si Switch Series Configuration Guide

Configuring LSP parameters

Configuring LSP timers

• Specify the maximum age of LSPs.

Each LSP has an age that decreases in the LSDB. Any LSP with an age of 0 is deleted from the LSDB. You can adjust the age value based on the scale of a network.

To specify the maximum age of LSPs:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Specify the maximum LSP age.
   Command: timer lsp-max-age seconds
   Remarks: Optional. 1200 seconds by default.

• Specify the LSP refresh interval and generation interval.

Each router needs to refresh LSPs generated by itself at a configurable interval and send them to other routers to prevent valid routes from being aged out. A smaller refresh interval speeds up network convergence but consumes more bandwidth.

When the network topology changes, for example, a neighbor is down or up, or the interface metric, system ID, or area ID is changed, the router generates an LSP after a configurable interval. If such a change occurs frequently, excessive LSPs are generated, consuming a large amount of router resources and bandwidth. To solve the problem, you can adjust the LSP generation interval.

To specify the LSP refresh interval and generation interval:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Specify the LSP refresh interval.
   Command: timer lsp-refresh seconds
   Remarks: Optional. 900 seconds by default.
4. Specify the LSP generation interval.
   Command: timer lsp-generation maximum-interval [ initial-interval [ second-wait-interval ] ] [ level-1 | level-2 ]
   Remarks: Optional. 2 seconds by default.

• Specify LSP sending intervals.

If a change occurs in the LSDB, IS-IS advertises the changed LSP to neighbors. You can specify the minimum interval for sending such LSPs.

On a P2P link, IS-IS requires an advertised LSP be acknowledged. If no acknowledgement is received within a configurable interval, IS-IS will retransmit the LSP.

To configure LSP sending intervals:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Specify the minimum interval for sending LSPs and the maximum LSP number that can be sent at a time.
   Command: isis timer lsp time [ count count ]
   Remarks: Optional. By default, the minimum interval is 33 milliseconds, and the maximum LSP number that can be sent at a time is 5.
4. Specify the LSP retransmission interval on a P2P link.
   Command: isis timer retransmit seconds
   Remarks: Optional. 5 seconds by default. Configure a proper LSP retransmission interval to avoid unnecessary retransmissions.

Specifying LSP lengths

IS-IS messages cannot be fragmented at the IP layer because they are directly encapsulated in frames. IS-IS routers in an area must send LSPs smaller than the smallest interface MTU in this area.

If the IS-IS routers have different interface MTUs, HP recommends configuring the maximum size of generated LSP packets to be smaller than the smallest interface MTU in this area. If they are not, the routers must dynamically adjust the LSP packet size to fit the smallest interface MTU, which takes time and affects other services.

To specify LSP lengths:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Specify the maximum length of generated Level-1 LSPs or Level-2 LSPs.
   Command: lsp-length originate size [ level-1 | level-2 ]
   Remarks: 1497 bytes by default.
4. Specify the maximum length of received LSPs.
   Command: lsp-length receive size
   Remarks: 1497 bytes by default.

Enabling LSP flash flooding

Changed LSPs may trigger SPF recalculation, so you can enable LSP flash flooding to advertise the changed LSPs before the router recalculates routes. Doing so can speed up network convergence.

To enable LSP flash flooding:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Enable LSP flash flooding.
   Command: flash-flood [ flood-count flooding-count | max-timer-interval flooding-interval | [ level-1 | level-2 ] ] *
   Remarks: Not enabled by default.

Enabling LSP fragment extension

After LSP fragment extension is enabled for an IS-IS process, the MTUs of all the interfaces running the IS-IS process must not be less than 512; otherwise, LSP fragment extension will not take effect.

At least one virtual system must be configured for the router to generate extended LSP fragments. An IS-IS process allows 50 virtual systems.

To enable LSP fragment extension:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Enable LSP fragment extension and specify the working mode.
   Command: lsp-fragments-extend [ [ level-1 | level-1-2 | level-2 ] | [ mode-1 | mode-2 ] ] *
   Remarks: Not enabled by default.
4. Configure a virtual system ID.
   Command: virtual-system virtual-system-id
   Remarks: Not configured by default.

Configuring SPF parameters

When the LSDB changes on a router, a route calculation starts. Frequent route calculations consume a lot of system resources. You can set an appropriate interval for SPF calculations to improve efficiency.

To configure the SPF parameters:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Configure the SPF calculation interval.
   Command: timer spf maximum-interval [ initial-interval [ second-wait-interval ] ]
   Remarks: Optional. The default SPF calculation interval is 10 seconds.

Assigning a high priority to IS-IS routes

An IS-IS topology change causes network convergence. By assigning a high priority to specific IS-IS routes, you can achieve faster network convergence.

To assign a high priority to IS-IS routes:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Assign a high priority to IS-IS routes.
   Command: priority high { ip-prefix prefix-name | tag tag-value }
   Remarks: Optional. Not assigned by default. If no IS-IS route is assigned a high priority, IS-IS host routes are processed first in network convergence because they have higher priority than other types of IS-IS routes.

Setting the LSDB overload bit

By setting the overload bit in sent LSPs, a router informs other routers of a failure that makes it incapable of routing and forwarding packets.

When an IS-IS router cannot record the complete LSDB due to running out of memory or some other reasons, it will calculate wrong routes. To make troubleshooting easier, you can temporarily isolate the router from the IS-IS network by setting the overload bit.

To set the LSDB overload bit:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Set the overload bit.
   Command: set-overload [ on-startup [ [ start-from-nbr system-id [ timeout1 [ nbr-timeout ] ] ] | timeout2 ] [ allow { external | interlevel } * ]
   Remarks: Not set by default.

Configuring system ID to host name mappings

In IS-IS, a system ID identifies a router or host uniquely. A system ID has a fixed length of 6 bytes. When an administrator needs to view IS-IS neighbor information, routing table or LSDB information, using the system IDs in dotted decimal notation is not convenient. To solve it, you can configure the mappings between system IDs and host names, as host names are easier to remember and use.

Such mappings can be configured manually or dynamically. Note the following:

• Using the display isis lsdb command on a router configured with dynamic system ID to host name mapping displays router names rather than system IDs.
• If you configure both dynamic and static system ID to host name mappings on a router, the host name for dynamic system ID to host name mapping applies.

Configuring a static system ID to host name mapping

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Configure a system ID to host name mapping for a remote IS.
   Command: is-name map sys-id map-sys-name
   Remarks: A system ID can correspond to only one host name.

Configuring dynamic system ID to host name mapping

Configure a static system ID to host name mapping for any other router in a network. When a new router is added into the network or a mapping must be modified, perform configuration on all routers.

You can configure dynamic system ID to host name mapping. To do so, you must configure a host name for each router in the network. Each router advertises the host name in dynamic host name CLVs to other routers. Then, all routers in the network have all the mappings to generate a mapping table.

In addition, you can configure a name for the DIS in a broadcast network to help check the origin of LSPs in the LSDB.

To configure dynamic system ID to host name mapping:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Specify a host name for the router.
   Command: is-name sys-name
   Remarks: Not specified by default.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
6. Configure a DIS name.
   Command: isis dis-name symbolic-name
   Remarks: Optional. Not configured by default. This command takes effect only on a router with dynamic system ID to host name mapping configured. This command is not supported on P2P interfaces.

Enabling the logging of neighbor state changes

Logging of neighbor state changes enables the router to output neighbor state changes to the console terminal.

To enable the logging of neighbor state changes:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Enable the logging of neighbor state changes.
   Command: log-peer-change
   Remarks: Enabled by default.

Enhancing IS-IS network security

To enhance the security of an IS-IS network, you can configure IS-IS authentication. IS-IS authentication involves neighbor relationship authentication, area authentication and routing domain authentication.

Configuration prerequisites

Before you enhance IS-IS network security, complete the following tasks:

• Configure IP addresses for interfaces, and make sure that all neighboring nodes can reach each other at the network layer.
• Enable IS-IS.

Configuring neighbor relationship authentication

With neighbor relationship authentication configured, an interface adds the password in the specified mode into hello packets to the peer and checks the password in the received hello packets. If the authentication succeeds, it forms the neighbor relationship with the peer.

Follow these guidelines when you configure neighbor relationship authentication:

• The authentication mode and password at both ends must be identical.
• The level-1 and level-2 keywords are configurable on an interface that has IS-IS enabled.
• If you configure an authentication mode and a password without specifying a level, the authentication mode and password apply to both Level-1 and Level-2.
• If neither ip nor osi is specified, the OSI related fields in LSPs are checked.

To configure neighbor relationship authentication:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Specify the authentication mode and password.
   Command: isis authentication-mode { md5 | simple } [ cipher ] password [ level-1 | level-2 ] [ ip | osi ]
   Remarks: By default, no authentication is configured.

Configuring area authentication

Area authentication enables a router not to install routing information from untrusted routers into the Level-1 LSDB. The router encapsulates the authentication password in the specified mode into Level-1 packets (LSP, CSNP, and PSNP) and checks the password in received Level-1 packets.

Routers in a common area must have the same authentication mode and password.

To configure area authentication:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Specify the area authentication mode and password.
   Command: area-authentication-mode { md5 | simple } [ cipher ] password [ ip | osi ]
   Remarks: By default, no area authentication is configured.

Configuring routing domain authentication

Routing domain authentication prevents untrusted routing information from entering into a routing domain. A router with the authentication configured encapsulates the password in the specified mode into Level-2 packets (LSP, CSNP, and PSNP) and checks the password in received Level-2 packets.

All the routers in the backbone must have the same authentication mode and password.

To configure routing domain authentication:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Specify the routing domain authentication mode and password.
   Command: domain-authentication-mode { md5 | simple } [ cipher ] password [ ip | osi ]
   Remarks: By default, no routing domain authentication is configured.

Configuring IS-IS GR

Restarting IS-IS on a router causes network disconnections and route reconvergence.

With the Graceful Restart (GR) feature, the restarting router, known as the GR Restarter, can notify the event to its GR capable neighbors. GR capable neighbors, known as the GR Helpers, will keep their adjacencies with the router within a configurable GR interval. After the restart, the router contacts its neighbors to retrieve its routing table. During this process, the network keeps stable.

The IS-IS GR and IS-IS NSR features are mutually exclusive.

To configure GR on the GR Restarter and GR Helper:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable IS-IS, and enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: Disabled by default.
3. Enable the GR capability for IS-IS.
   Command: graceful-restart
   Remarks: Disabled by default.
4. Set the Graceful Restart interval.
   Command: graceful-restart interval timer
   Remarks: 300 seconds by default. The Graceful Restart interval is set as the holding time in the hello PDUs. Within the interval, the neighbors will keep their adjacency with the GR Restarter.
5. Suppress the SA bit during restart.
   Command: graceful-restart suppress-sa
   Remarks: Optional. By default, the SA bit is not suppressed. By enabling the GR Restarter to suppress the Suppress-Advertisement (SA) bit in the hello PDUs, the neighbors will still advertise their adjacency with the GR Restarter.

Configuring IS-IS NSR

According to the GR feature, after a master/slave switchover, the GR Restarter obtains routing information from its neighbors and the IS-IS process on the new master needs to learn all routes. If the network topology has changed during the switchover period, removed routes cannot be updated to the device, which may cause black hole routes.

NSR is introduced to solve the problem. It backs up IS-IS link state information from the master device to the slave device. After a master/slave switchover, NSR can complete link state recovery and route re-generation without requiring the cooperation of other devices.

The IS-IS NSR and IS-IS GR features are mutually exclusive.

To configure IS-IS NSR:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Enable IS-IS NSR.
   Command: non-stop-routing
   Remarks: Disabled by default.
4. Set the NSR interval.
   Command: non-stop-routing interval interval-value
   Remarks: 0 seconds by default, that is, no NSR interval is configured.

Configuring IS-IS FRR

When a link fails, the packets on the path are discarded, or a routing loop occurs until IS-IS completes the routing convergence based on the new network topology.

You can enable IS-IS fast reroute (FRR) to reduce traffic recovery time.

Figure 62 Network diagram for IS-IS FRR

In Figure 62, after you enable FRR on Router B, IS-IS automatically calculates or designates a backup next hop when a link failure is detected. In this way, packets are directed to the backup next hop to reduce traffic recovery time. Meanwhile, IS-IS calculates the shortest path based on the new network topology, and forwards packets over the path after network convergence.

You can either enable IS-IS FRR to calculate a backup next hop automatically, or to designate a backup next hop with a routing policy for routes matching specific criteria.

Configuration prerequisites

Before you configure IS-IS FRR, complete the following tasks:

• Configure IP addresses for interfaces, and make sure that all neighboring nodes can reach each other at the network layer.
• Enable IS-IS.

Configuration guidelines

• Do not use FRR and BFD at the same time. Otherwise, FRR may fail to take effect.
• The automatic backup next hop calculation of FRR and that of TE are mutually exclusive.

Configuring IS-IS FRR to automatically calculate a backup next hop

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the source address of echo packets.
   Command: bfd echo-source-ip ip-address
   Remarks: Not configured by default.
3. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
4. Enable IS-IS FRR to automatically calculate a backup next hop.
   Command: fast-reroute auto
   Remarks: Not configured by default.

Configuring IS-IS FRR to designate a backup next hop with a routing policy

You can use the apply fast-reroute backup-interface command to specify a backup next hop in a routing policy for routes matching specific criteria. For more information about the apply fast-reroute backup-interface command and routing policy configurations, see "Configuring routing policies."

To configure IS-IS FRR:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the source address of echo packets.
   Command: bfd echo-source-ip ip-address
   Remarks: Not configured by default.
3. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
4. Enable IS-IS FRR to designate a backup next hop by using a routing policy.
   Command: fast-reroute route-policy route-policy-name
   Remarks: Not configured by default.
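
The following is an added example, not part of the HP guide: a Python audit that reads a saved configuration and reports where the three authentication commands from "Enhancing IS-IS network security" are missing or set to simple mode, including the case where a level keyword leaves the other level's hellos uncovered. The sample configuration and its '#'-separated layout are constructed assumptions, and every IS-IS process and interface is assumed to run both Level-1 and Level-2.

```python
import re

# Constructed sample; assumed layout: '#'-separated sections, indented sub-commands.
SAMPLE_CONFIG = """\
isis 1
 area-authentication-mode md5 cipher EXAMPLE-CIPHERTEXT
#
isis 2
 area-authentication-mode simple EXAMPLE-PASSWORD
 domain-authentication-mode md5 cipher EXAMPLE-CIPHERTEXT
#
interface Vlan-interface10
 isis enable 1
 isis authentication-mode md5 cipher EXAMPLE-CIPHERTEXT
#
interface Vlan-interface20
 isis enable 2
#
interface Vlan-interface30
 isis enable 1
 isis authentication-mode md5 cipher EXAMPLE-CIPHERTEXT level-1
"""

LSP_AUTH = re.compile(r"(area|domain)-authentication-mode (md5|simple) ")
HELLO_AUTH = re.compile(
    r"isis authentication-mode (md5|simple) (?:cipher )?\S+(?: (level-1|level-2))?")

def sections(config):
    # Yield (header, sub-commands) for every '#'-separated section.
    for block in re.split(r"^#.*$", config, flags=re.M):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if lines:
            yield lines[0], lines[1:]

def check(owner, what, mode, findings):
    # Record a finding when `what` is unauthenticated or uses simple mode.
    if mode != "md5":
        why = "simple mode sends the password in clear text" if mode else "no authentication"
        findings.append((owner, f"{what}: {why}"))

def audit(config):
    findings = []
    for header, body in sections(config):
        if header.split()[0] == "isis":
            # Area auth covers Level-1 LSP/CSNP/PSNP; domain auth covers Level-2.
            modes = {m[1]: m[2] for m in map(LSP_AUTH.match, body) if m}
            check(header, "Level-1 LSP/SNP (area)", modes.get("area"), findings)
            check(header, "Level-2 LSP/SNP (domain)", modes.get("domain"), findings)
        elif any(c.startswith("isis enable") for c in body):
            hello = {}  # level -> mode; no level keyword means both levels
            for m in filter(None, map(HELLO_AUTH.match, body)):
                for level in ([m[2]] if m[2] else ["level-1", "level-2"]):
                    hello[level] = m[1]
            for level in ("level-1", "level-2"):
                check(header, f"{level} hello", hello.get(level), findings)
    return findings

if __name__ == "__main__":
    print("\n".join(f"{o}: {i}" for o, i in audit(SAMPLE_CONFIG)))
```
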

Enabling IS-IS SNMP trap

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Enable SNMP trap.
   Command: is-snmp-traps enable
   Remarks: Enabled by default.

Binding an IS-IS process with MIBs

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter IS-IS view.
   Command: isis [ process-id ] [ vpn-instance vpn-instance-name ]
   Remarks: N/A
3. Bind the IS-IS process with MIBs.
   Command: isis mib-binding process-id
   Remarks: By default, MIBs are bound with IS-IS process 1.

Configuring BFD for IS-IS

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Enable IS-IS on the interface.
   Command: isis enable [ process-id ]
   Remarks: Disabled by default.
4. Enable BFD on the IS-IS interface.
   Command: isis bfd enable
   Remarks: Not enabled by default.

Displaying and maintaining IS-IS

• Display brief IS-IS configuration information.
  Command: display isis brief [ process-id | vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display the status of IS-IS debug switches.
  Command: display isis debug-switches { process-id | vpn-instance vpn-instance-name } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view
• Display the IS-IS Graceful Restart state.
  Command: display isis graceful-restart status [ level-1 | level-2 ] [ process-id | vpn-instance vpn-instance-name ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view