This chapter introduces you to data networking design concepts and is organized as follows:
Data networking, or internetworking, is the interconnection of two or more networks so that the resources of each network are available to the users and machines connected to the other networks. Internetworks typically include some or all of the following three components:
Each of the three major components of an internetwork has distinct design requirements. You must plan for many different types of media and protocols, and for possible interconnection to networks outside your organization's control.
A campus is a building or a group of buildings connected to one corporate network that comprises many LANs. If you own the campus network, you probably own the wires deployed in the campus. The campus network topology is primarily LAN technology connecting all the end systems within the building. Campus networks often use LAN technologies such as Ethernet (10 Mbps), Fast Ethernet (100 Mbps), and Gigabit Ethernet (1000 Mbps, or 1 Gbps).
A large campus can use WAN technology to connect the buildings. Although the wiring and protocols of a campus might be based on WAN technology, they do not share the WAN constraint of the high cost of bandwidth. After the wire is installed, bandwidth is inexpensive because you own the wires and there is no recurring payment to a service provider. However, upgrading the physical wiring can be expensive. Consequently, it is common to implement a campus design that is optimized for the fastest functional architecture that runs on existing physical wire.
Note: For a discussion of the design issues related to carrying packetized voice in a campus setting, see "Traffic Engineering."
WAN communication is often characterized by relatively low throughput, long delays, and high error rates. WAN communication is often called a service because the network provider often charges users a tariff for the services provided by the WAN. It is important to remember that WAN connections include the cost of renting media (wire) from a service provider to connect two or more campuses. Because the WAN infrastructure is often rented from a service provider, WAN network designs must minimize the cost of bandwidth by enhancing efficiency. For example, all technologies and features used to connect campuses over a WAN are designed to meet the following requirements:
When there are many remote single users or sites, the aggregate WAN bandwidth cost is proportionally more important in remote connections than in WAN connections. Given that the three-year cost of a network is a non-equipment expense, the WAN media rental charge from a service provider is the largest cost component of a remote network. Unlike WAN connections, smaller sites or single users seldom need to connect 24 hours a day.
Consequently, the most typical choices for remote connections are dial-up and dedicated WAN options. These types of connections generally run at speeds of 128 kbps or lower.
Cisco products give you flexibility in solving multiple internetworking problems without creating multiple networks or losing existing data communication investments. The Cisco ICS 7750 is a comprehensive solution that enables you to use data and call routing devices (multiservice route processor [MRP] cards, which are available in many different configurations) to provide a reliable, secure network for voice and data. The Cisco ICS 7750 is for use with up to 9 Catalyst 3524-PWR XL switches.
The Cisco ICS 7750 and all other Cisco switching and routing products use Cisco IOS software. The IOS software enables disparate groups, diverse devices, and multiple protocols all to be integrated into a highly reliable and scalable network. Cisco IOS software also supports advanced security, quality of service, and traffic services. The Cisco ICS 7750 also includes system management software (Cisco ICS 7700 System Manager), Cisco CallManager 3.0, and other applications, which run on one or more system processing engine (SPE) cards.
Note: For information about IOS software, refer to the IOS software configuration and command reference publications, which are available on the Documentation CD-ROM. For information about the Cisco ICS 7700 System Manager software, refer to the Cisco ICS 7700 System Manager User Guide. For information about Cisco CallManager 3.0, refer to the Cisco CallManager 3.0 documentation.
Routing is the act of selecting a path and moving information across that path from a source to a destination. Routing devices (routers and MRP cards) connect networks by means of physical attachments to either LANs or WANs. You can use a routing device to connect only LANs together, only WANs together, or any combination. (In telephony, routing is the process of selecting a connection for a call.)
Routing involves two basic activities: determining optimal routing paths and transporting packets through an internetwork.
A routing device's attachment to a LAN or a WAN is called an interface (port). For example, a connection to an Ethernet LAN is made with an Ethernet interface. (For consistency, the term interface is used throughout the remainder of this book.)
When a routing device is routing IP, each LAN or WAN it is connected to must have a unique IP network or subnetwork assigned to it. Each interface on the node must have a valid IP host address for the subnet it is attached to. In most cases, a node can have only one connection to any single subnet. (One exception to this rule is that Cisco routers allow up to four serial links to share the same subnet, provided that they all terminate at the same destination router.)
A metric is a standard of measurement, such as path length, that is used by routing algorithms to determine the optimal path to a destination. To aid the process of path determination, routing algorithms initialize and maintain routing tables, which contain route information. Route information varies depending on the routing algorithm used.
Routing algorithms fill routing tables with a variety of information. Destination/next hop associations tell a router that a particular node (destination device) can best be reached by sending the packet to a particular router representing the "next hop" on the way to the final destination. When a router receives an incoming packet, it checks the destination address and attempts to associate this address with the next hop. Table 4-1 depicts a sample destination/next hop routing table.
Table 4-1 Destination/Next Hop Routing Table

| To reach network: | Send to: |
|---|---|
Routing tables also can contain other information, such as data about the desirability of a path. Routers compare metrics to determine optimal routes, and these metrics differ depending on the design of the routing algorithm used.
As it examines the packet's destination address, the router determines whether it can forward the packet to the next hop. If the router cannot forward the packet, it typically drops it. If the router can forward the packet, it changes the destination address to that of the next hop and transmits the packet.
The next hop might be the ultimate destination host. If not, the next hop is usually another router, which executes the same switching decision process. As the packet moves through the internetwork, its physical address changes, but its protocol address remains constant.
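The forwarding step described above, as an added example that is not part of the Cisco guide: a longest-prefix lookup in a destination/next-hop table of the kind Table 4-1 depicts, followed by the rewrite of the link-layer destination. The routing table, ARP cache, addresses and packets are constructed sample data.

```python
# Added example: a minimal model of the destination/next-hop lookup and
# forwarding decision described above. Not code from the Cisco guide; the
# routing table, ARP cache and packets are constructed sample data.
import ipaddress

# Constructed routing table: (destination network, next hop). A next hop of
# None marks a directly connected network, where the packet is delivered to
# the destination host itself rather than to another router.
SAMPLE_ROUTES = [
    ("10.0.0.0/8", "192.168.1.2"),
    ("10.1.0.0/16", "192.168.1.3"),   # more specific than 10.0.0.0/8
    ("192.168.1.0/24", None),         # directly connected LAN
]

# Constructed ARP cache: IP address of the next hop -> its link-layer address
# (values taken from the documentation MAC range 00-00-5E-00-53-xx).
SAMPLE_ARP = {
    "192.168.1.2": "00:00:5e:00:53:02",
    "192.168.1.3": "00:00:5e:00:53:03",
    "192.168.1.77": "00:00:5e:00:53:77",
}


def build_table(routes):
    """Turn textual routes into network objects, most specific prefix first,
    so that a linear scan returns the longest matching prefix."""
    table = [(ipaddress.ip_network(net), nh) for net, nh in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def next_hop(table, destination):
    """Associate a destination address with its next hop (the Table 4-1
    lookup). Returns the next-hop address, the destination itself for a
    directly connected network, or None when no route exists."""
    dst = ipaddress.ip_address(destination)
    for network, nh in table:
        if dst in network:
            return str(dst) if nh is None else nh
    return None


def forward(table, arp_cache, packet):
    """One forwarding step. Returns the packet as transmitted on the outgoing
    link, or None if the router drops it. Only the link-layer (physical)
    destination changes; the IP (protocol) addresses stay constant."""
    nh = next_hop(table, packet["dst_ip"])
    if nh is None:
        return None                      # no route: dropped
    mac = arp_cache.get(nh)
    if mac is None:
        return None                      # unresolved next hop (a real router would ARP first)
    out = dict(packet)
    out["dst_mac"] = mac
    out["via"] = nh
    return out


if __name__ == "__main__":
    table = build_table(SAMPLE_ROUTES)
    pkt = {"src_ip": "192.168.1.10", "dst_ip": "10.1.2.3", "dst_mac": "00:00:5e:00:53:01"}
    print(forward(table, SAMPLE_ARP, pkt))
    print(forward(table, SAMPLE_ARP, {**pkt, "dst_ip": "172.16.0.1"}))   # None: no route
```

The table is sorted by prefix length so that the first hit of the scan is the most specific route; a packet for 10.1.2.3 therefore goes to 192.168.1.3 even though 10.0.0.0/8 also contains it, and a packet with no matching entry is dropped rather than guessed at.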
Note: See "Designing Your Converged Network," for information about hierarchical network design.
Routing devices are necessary to ensure scalability as the network grows and expands. They provide the following capabilities:
LANs become overburdened for several reasons: an increasing number of network users, faster CPUs and operating systems, and increased use of the Internet and other network-intensive applications. In data networking, switching is a technology that alleviates congestion in LANs by reducing traffic and increasing bandwidth. (In telephony, switching is the process of connecting a call through the PSTN.)
Ethernet, the most common LAN protocol, is a half-duplex technology: each Ethernet host checks the network to determine whether data is being transmitted before it transmits data. It defers transmission if the network is in use. (Full-duplex technologies do not use the same wire for sending and receiving operations.) In spite of this transmission deferral, it is still possible that two or more Ethernet hosts will transmit at the same time, which results in a collision. When a collision occurs, the hosts enter a back-off phase and retransmit later. As more hosts are added to the network, they must wait more often before they can begin transmitting, and collisions are more likely to occur. When software is in use that uses a lot of bandwidth, such as client-server applications, hosts transmit more often and for longer periods of time. An Ethernet LAN switch, such as a Catalyst 3524-PWR XL, improves bandwidth by separating collision domains and selectively forwarding traffic to the appropriate segments.
In general, incorporating switches in network designs results in the following benefits:
The degree to which a system is fault tolerant (able to operate properly even when there are errors) depends mainly on the following two interrelated concepts:
You can calculate availability rates for hardware as follows:
Step 2 Calculate the mean time to repair (MTTR): how long it typically takes to fix a hardware problem.
Step 3 Divide MTBF by the sum of MTBF and MTTR:
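The availability calculation from the steps above, as an added example that is not part of the Cisco guide, carried a little further than the text: besides the MTBF/(MTBF + MTTR) figure for one unit, it combines units in series (a path through router, WAN link and router, all of which must work) and in parallel (the redundant link pair of Figure 4-2), and applies the rule that dual links count as redundant only when each can carry the full load. The MTBF and MTTR values are constructed.

```python
# Added example: the availability arithmetic from the steps above, extended
# to a path of components in series and to redundant links in parallel.
# Not from the Cisco guide; the MTBF/MTTR figures are constructed.
HOURS_PER_YEAR = 24 * 365


def availability(mtbf_hours, mttr_hours):
    """Step 3: MTBF / (MTBF + MTTR), the fraction of time the unit is up."""
    return mtbf_hours / (mtbf_hours + mttr_hours)


def series(*components):
    """Availability of a chain in which every component must work, for
    example router -> WAN link -> router in a nonredundant design."""
    result = 1.0
    for a in components:
        result *= a
    return result


def parallel(*alternatives):
    """Availability when any one of several alternatives suffices, for
    example dual WAN links: service is lost only when all fail together."""
    all_down = 1.0
    for a in alternatives:
        all_down *= 1.0 - a
    return 1.0 - all_down


def dual_link(link_a, link_b, each_carries_full_load):
    """Availability of a link pair. The pair is redundant only when either
    link alone can carry the combined traffic; otherwise one failure already
    degrades service, so both links are effectively required (series)."""
    if each_carries_full_load:
        return parallel(link_a, link_b)
    return series(link_a, link_b)


def downtime_hours_per_year(a):
    """Expected unavailable hours per year for availability a."""
    return (1.0 - a) * HOURS_PER_YEAR


if __name__ == "__main__":
    link = availability(mtbf_hours=2000, mttr_hours=8)      # constructed: local loop
    router = availability(mtbf_hours=50000, mttr_hours=4)   # constructed
    single = series(router, link, router)
    redundant = series(router, dual_link(link, link, True), router)
    print(f"single link path: {single:.5f} ({downtime_hours_per_year(single):.1f} h/yr down)")
    print(f"dual link path:   {redundant:.5f} ({downtime_hours_per_year(redundant):.2f} h/yr down)")
```

With the constructed figures the WAN link dominates the result, which is the point the text makes: the link is the least reliable element, so duplicating it is where redundancy pays off, but only if each link is sized to carry the other's traffic.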
There are three ways to improve availability:
Note: The cost of making your network completely fault tolerant is prohibitive; you must select the appropriate level of fault tolerance for your organization.
A nonredundant internetwork is shown in Figure 4-1.

Typically, WAN links are the least reliable components in an internetwork, usually because of problems in the local loop (the connection between your internetwork and a service provider, such as a phone company or an Internet Service Provider [ISP]). Also, these links are often considerably slower than the LANs they connect.
However, because they can connect geographically dispersed sites, WAN links often make up the backbone network and are therefore critical to corporate operations. Because WAN links are vital, their lack of reliability and speed make them good candidates for redundancy.
To make the internetwork shown in Figure 4-1 more fault tolerant, you could add a WAN link between each remote office and the corporate office, which results in the topology shown in Figure 4-2. The new topology has several advantages. First, it provides a backup link if a primary link connecting a remote office and the corporate office fails. Second, if the routers support load balancing, link bandwidth is increased, lowering response times for users and increasing application availability.
Note: If you deploy dual links as shown in Figure 4-2, you do not have redundancy unless each link can handle its own traffic and the traffic of the other link in the pair.

Load balancing distributes traffic across two or more routes and balances the level of traffic on each. It is supported in all IP environments, on either a per-packet or per-destination basis. Per-packet load balancing is recommended if the WAN links are relatively slow (for example, less than 56 kbps). If WAN links are faster than 56 kbps, enabling fast switching is recommended. When fast switching is enabled, load balancing occurs on a per-destination basis.
Note: Refer to the Cisco ICS 7750 Software Configuration Guide for information about how to configure MRP cards. Refer to the Cisco IOS Desktop Switching Software Configuration Guide for information about how to configure Catalyst 3524-PWR XL switches.
Routers can automatically compensate for failed WAN links by using protocols such as the Enhanced Interior Gateway Routing Protocol (EIGRP) and Open Shortest Path First (OSPF). If one link fails, the routing software recalculates the routing algorithm and begins sending all traffic through another link. Processing continues despite the WAN link failure, improving application availability.
Note: For more information about protocols, see "IP Routing Protocols" later in this chapter.
The primary disadvantage of duplicating WAN links to each remote office is cost. As shown in Figure 4-2, three new WAN links are required to make the network redundant. In large star networks with more remote offices, 10 or 20 new WAN links might be needed, as well as new equipment (including new WAN router interfaces). A lower cost alternative links the remote offices using a meshed topology, as shown in Figure 4-3.

In the "before" portion of Figure 4-3, any failure associated with either link A or B blocks access to a remote site. The failure might involve the link connection equipment, such as a data service unit (DSU) or a channel service unit (CSU), the router (either the entire router or a single router port), or the link itself. Adding link C as shown in the "after" portion of the figure offsets the effect of a failure in any single link. If link A or B fails, the affected remote site can still access the corporate office through link C and the other site's link to the corporate office. Note also that if link C fails, the two remote sites can communicate through their connections to the corporate office.
A meshed topology has three advantages over a redundant star topology:
A redundant star is a reasonable solution under the following conditions:
Media (cables and associated hardware) are subject to failure. Media components that can fail include transceivers, hubs, terminators, lobe or attachment unit interface (AUI) cables, and Ethernet, coaxial, and fiber-optic cables.
Another way to minimize the effects of media failures is to deploy redundant components. For example, you could deploy network interface cards (NICs) and interface cables in pairs.
Note: Deploying redundant components doubles the cost of network connectivity for each end station as well as the interface usage on all internetworking devices and is therefore only recommended in situations where complete redundancy is required. It is also important to note that end station software, including both the network and the application subsystems, must be able to effectively use the redundant components. The application software or the networking software or both must be able to detect network failures and initiate use of the other network.
Routers and MRP cards can sense certain media failures and route traffic around them as long as alternative paths are available. If routing updates or routing keepalive messages (indicating that the router is still functional) are not received from devices that are normally reached through a particular router interface, the router soon declares that route to be down and looks for alternatives. Meshed networks provide these alternative paths, allowing the router to compensate for media failures.
Routers, switches, and other internetworking devices can develop hardware problems. When serious failures occur, the use of redundant devices can effectively reduce the effects of a hardware failure. After a failure, discovery protocols help end stations choose new communication paths across the network. If each network connected to the failed device has an alternative path out of the local area, complete connectivity is still possible. For example, routing metrics can be set to ensure that backup routers are not used unless the primary routers are not functioning, making switchover automatic and rapid.
Risks can range from hostile intruders to untrained users who download Internet applications that have viruses. Hostile intruders can steal data, change data, and initiate denial-of-service (DoS) attacks (overwhelming a server with requests, causing service to be denied to other users).
As is the case with most technical design requirements, achieving security goals means making difficult design decisions. You must balance security goals and goals for affordability, usability, performance, and availability. Also, security adds to the IT staff's workload because they are responsible for maintaining user login IDs, passwords, and audit logs.
Implementing network security measures affects network performance. Security features such as packet filters and data encryption consume CPU power and memory on hosts, routers, and servers. (See "Packet Filters" and "Data Encryption" later in this chapter.) Encryption can use more than 15 percent of available CPU power on a router or server. Even if it is implemented on dedicated devices instead of on shared routers or servers, encryption still has an effect on network performance because packets are delayed while they are being encrypted or decrypted.
Security can also make it more difficult to meet availability goals because forcing all traffic through a particular encryption device creates a single point of failure. Also, to maximize performance and minimize security complexity, a router that is running encryption probably should not offer load balancing. Instead, implement load balancing on the routers between the pair of devices offering encryption.
This section describes some typical elements of secure networks. You can select from these elements when designing solutions for common security challenges, which are described in "Selecting Security Solutions" later in this chapter.
Authentication identifies who is requesting network services. The term authentication usually refers to authenticating users, but it also applies to the verification of a software process; for example, some routing protocols support route authentication whereby a router must pass some criteria before another router accepts its routing updates.
Most security policies state that to access a network and its services a user must enter a name and password that are authenticated by a security server. To maximize security, one-time (dynamic) passwords can be used. With one-time password systems, a user's password always changes. This is often accomplished through a software application or with a security card (a device about the size of a credit card). In either case, users enter a personal identification number (PIN) that enables them to use the software or the card. A one-time password is then generated that is used to access the corporate network for a limited time. The password is synchronized with a central security server that resides on the network.
While authentication controls who can access network resources, authorization controls what they can do when they have access. Authorization grants privileges to processes and users. Authorization lets a security administrator control parts of a network such as directories and files on servers.
Authorization varies from user to user, partly depending on a user's department or job function. For example, a policy might state that only Human Resources employees should see salary records for people they don't manage. Explicitly listing the authorized activities of each user with respect to every resource is difficult, so techniques are used to simplify the process. For example, a network manager can create user groups for users with the same privileges.
To effectively analyze the security of a network and to respond to security incidents, establish procedures for collecting network activity data. Collecting this data is called accounting or auditing.
For networks with strict security policies, audit data should include all attempts to achieve authentication and authorization by any person. It is especially important to log "anonymous" or "guest" access to public servers. The data should also log all attempts by users to change their access rights.
The collected data should include user and host names for login and logout attempts and previous and new access rights when access rights are changed. Each entry in the audit log should be timestamped.
The audit process should not collect passwords. Collecting passwords creates the potential for a security breach if the audit records are improperly accessed. (Neither correct nor incorrect passwords should be collected. An incorrect password often differs from the valid password by only a single character or transposition of characters.)
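An audit-record builder that enforces the rules in the preceding paragraphs, as an added example that is not part of the Cisco guide: every entry is timestamped, login and logout entries carry user and host names, rights changes carry the previous and new rights, credential fields are refused whether the attempt succeeded or failed, and guest or anonymous access can be pulled out for review. The field names, event kinds and sample records are constructed.

```python
# Added example: an audit-record builder that applies the rules above.
# Not from the Cisco guide; field names and the sample records are constructed.
import json
from datetime import datetime, timezone

# Credential material must never reach the audit log, for successful and
# failed attempts alike: a mistyped password is usually one character away
# from the real one.
FORBIDDEN_FIELDS = {"password", "passwd", "pin", "secret", "one_time_password"}

# Required fields per event kind: who, from where, and for rights changes
# the previous and new rights.
REQUIRED_FIELDS = {
    "login": {"user", "host", "outcome"},
    "logout": {"user", "host"},
    "authorization": {"user", "host", "resource", "outcome"},
    "rights_change": {"user", "host", "previous_rights", "new_rights"},
}

PUBLIC_ACCOUNTS = {"anonymous", "guest"}


def audit_record(kind, when=None, **fields):
    """Build one timestamped audit entry as a JSON line. Refuses to record
    credential fields and rejects entries that lack required fields."""
    leaked = FORBIDDEN_FIELDS & set(fields)
    if leaked:
        raise ValueError(f"refusing to log credential fields: {sorted(leaked)}")
    if kind not in REQUIRED_FIELDS:
        raise ValueError(f"unknown event kind: {kind}")
    missing = REQUIRED_FIELDS[kind] - set(fields)
    if missing:
        raise ValueError(f"{kind} record missing fields: {sorted(missing)}")
    when = when or datetime.now(timezone.utc)
    record = {"time": when.isoformat(timespec="seconds"), "event": kind, **fields}
    return json.dumps(record, sort_keys=True)


def public_access_events(lines):
    """Return the records describing anonymous or guest access, which the
    text singles out for logging and review."""
    hits = []
    for line in lines:
        record = json.loads(line)
        if record.get("user") in PUBLIC_ACCOUNTS:
            hits.append(record)
    return hits


# Constructed sample log, produced with the builder above.
SAMPLE_LOG = [
    audit_record("login", user="alice", host="ws-12", outcome="success"),
    audit_record("login", user="anonymous", host="ftp-1", outcome="success"),
    audit_record("login", user="bob", host="ws-07", outcome="failure"),
    audit_record("rights_change", user="bob", host="fs-1",
                 previous_rights=["read"], new_rights=["read", "write"]),
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(line)
    print("public access:", public_access_events(SAMPLE_LOG))
```

Refusing credential fields at the builder, rather than trusting every caller to omit them, is the design choice worth copying: the log format itself cannot carry a password, so an audit file that is later read by the wrong person exposes no secrets.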
A further extension of auditing is the concept of security assessment. With security assessment, the network is examined from within by professionals trained in the vulnerabilities exploited by network invaders. Part of any security policy and audit procedure should be periodic assessments of the vulnerabilities in a network. The result should be a specific plan for correcting deficiencies, which may be as simple as retraining staff.
Encryption is a process that scrambles data to protect it from being read by anyone but the intended receiver. An encryption device encrypts data before placing it on a network. A decryption device decrypts the data before passing it to an application. A router, server, end system, or dedicated device can act as an encryption or decryption device. Encrypted data is sometimes called ciphered data. Data that is not encrypted is called plain text or clear text.
Encryption is useful for keeping data confidential. It can also be used to identify the sender of data. Although authentication and authorization should also protect the confidentiality of data and identify senders, encryption is a good security feature to implement in case the other types of security fail.
Note: Using encryption can degrade network performance. (See "Analyzing Security Design Decisions" earlier in this chapter.) Do not use encryption until you have analyzed security risks and identified severe consequences if data is not confidential and the identity of senders of data is not guaranteed. On internal networks and networks that use the Internet simply for Web browsing, e-mail, and file transfer, encryption is usually not necessary.
A security policy should state that packet filters follow one of the following policies:
The first policy requires a thorough understanding of specific security threats and can be hard to implement. The second policy is easier to implement and more secure because the security administrator does not have to predict future attacks for which packets should be denied. The second policy is also easier to test because there is a finite set of accepted uses of the network.
Cisco implements the second policy in its packet filters, which are called access control lists (ACLs). An ACL on a router or switch running the Cisco IOS software always has an implicit deny-all statement at the end. Accept statements are processed before the implicit deny-all statement. (The statement is implicit because the administrator does not have to actually enter it, though it is a good idea to enter it to make the behavior of the list more obvious.)
ACLs help you determine whether network traffic is forwarded or blocked at interfaces on a router or switch. ACL definitions provide criteria that are applied to packets that enter or exit an interface. Typical criteria are the packet source address, the packet destination address, or the upper-layer protocol in the packet.
Because IOS software tests a packet against each criterion in the list until a match is found, you should design ACLs with care to provide good performance. By studying traffic flow, you can design the list so that most packets match the earliest conditions. Fewer conditions to check per packet means better throughput. It is best to order the list with the most general statements at the top and the most specific statements at the bottom, with the last statement being the general, implicit deny-all statement.
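A model of how a packet filter of this kind is evaluated, as an added example that is not part of the Cisco guide and does not use IOS syntax: rules are tested top to bottom, the first match wins, and anything unmatched falls to the implicit deny-all. It counts how many rules a traffic sample touches under two orderings, which is the throughput argument made above, and adds a check for statements that an earlier, broader statement makes unreachable. The simplified rule syntax, the rule lists and the traffic sample are constructed.

```python
# Added example: a model of first-match ACL evaluation, used to compare the
# cost of two orderings and to find statements an earlier one makes
# unreachable. Not from the Cisco guide: the rule syntax is a simplified,
# constructed one (not IOS syntax) and the traffic sample is constructed.
import ipaddress


def parse_rule(text):
    """'permit tcp 10.0.0.0/8 10.1.1.10/32 80' or 'deny ip any any'.
    'ip' matches any protocol, 'any' any address, a missing port any port."""
    parts = text.split()
    action, proto, src, dst = parts[:4]
    port = int(parts[4]) if len(parts) > 4 else None
    to_net = lambda s: None if s == "any" else ipaddress.ip_network(s)
    return {"action": action, "proto": proto, "src": to_net(src),
            "dst": to_net(dst), "port": port, "text": text}


def matches(rule, pkt):
    """Does one statement match one packet?"""
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule["dst"] is not None and ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        return False
    return rule["port"] is None or rule["port"] == pkt.get("port")


def evaluate(rules, pkt):
    """First match wins. Returns (action, statements tested). A packet that
    matches nothing hits the implicit deny-all after the last statement."""
    for tested, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule["action"], tested
    return "deny", len(rules)


def comparisons(rules, traffic):
    """Total statement tests over a traffic sample; fewer means more throughput."""
    return sum(evaluate(rules, pkt)[1] for pkt in traffic)


def covers(a, b):
    """True when every packet matching statement b also matches statement a."""
    def net_covers(x, y):
        return x is None or (y is not None and y.subnet_of(x))
    return ((a["proto"] == "ip" or a["proto"] == b["proto"])
            and net_covers(a["src"], b["src"]) and net_covers(a["dst"], b["dst"])
            and (a["port"] is None or a["port"] == b["port"]))


def shadowed(rules):
    """Statements that can never match because an earlier one covers them;
    a specific deny placed below a broader permit is the classic mistake."""
    return [later["text"] for j, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:j])]


# Constructed traffic: mostly web requests from the campus, one mail
# transfer, one packet from outside the 10.0.0.0/8 block.
SAMPLE_TRAFFIC = (
    [{"proto": "tcp", "src": f"10.2.0.{i}", "dst": "10.1.1.10", "port": 80} for i in range(1, 7)]
    + [{"proto": "tcp", "src": "10.2.0.9", "dst": "10.1.1.20", "port": 25},
       {"proto": "tcp", "src": "172.16.0.5", "dst": "10.1.1.10", "port": 80}]
)

WEB_FIRST = [parse_rule(r) for r in (
    "permit tcp 10.0.0.0/8 10.1.1.10/32 80",
    "permit tcp 10.0.0.0/8 10.1.1.20/32 25",
    "deny ip any any",          # explicit copy of the implicit deny-all
)]
MAIL_FIRST = [WEB_FIRST[1], WEB_FIRST[0], WEB_FIRST[2]]

if __name__ == "__main__":
    print("web first:", comparisons(WEB_FIRST, SAMPLE_TRAFFIC), "tests")
    print("mail first:", comparisons(MAIL_FIRST, SAMPLE_TRAFFIC), "tests")
    print("shadowed:", shadowed([parse_rule("permit tcp 10.0.0.0/8 any 80"),
                                 parse_rule("deny tcp 10.2.0.0/16 any 80")]))
```

Placing the statement that most packets match at the top cuts the test count, as the text recommends; the shadowing check is the complementary test, since a statement that an earlier one entirely covers never executes, and if it was a deny the list silently permits what it was meant to block.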
Note: For additional information about ACLs, refer to Chapter 1, "System Operation," in the Cisco ICS 7750 Administration and Troubleshooting Guide.

Note: For additional information about setting up a firewall, refer to Chapter 1, "System Operation," in the Cisco ICS 7750 Administration and Troubleshooting Guide. For information about IOS commands related to security, refer to the Cisco ICS 7750 Software Configuration Guide.
Physical security refers to limiting access to key network resources by keeping those resources behind a locked door. Physical security also refers to protecting resources from natural disasters such as floods, fires, storms, and earthquakes. Because physical security is such an obvious requirement, it is easy to forget to plan for it, but it should never be overlooked or considered less important than other goals.
Depending on your particular network design, physical security should be installed to protect core routers, demarcation points, cabling, modems, servers, hosts, backup storage, and so on. Make sure equipment is placed in computer rooms that have card key access or some other type of security. Computer rooms should also be equipped with UPSs, fire alarms, fire abatement mechanisms, and water-removal systems. To protect equipment from earthquakes and high winds during storms, it should be installed in racks that attach to the floor or wall.
Note: See "Preparing Your Site," for a detailed list of site requirements.
The previous section described some typical elements of network security. This section explains how to meet the following security challenges:
When you connect your network to the Internet, you are connecting to thousands of unknown networks and their users. It is important that you secure the Internet connection with a set of overlapping security mechanisms, including firewalls, packet filters, physical security, audit logs, authentication, and authorization. Public servers that host World Wide Web content or provide File Transfer Protocol (FTP) services can sometimes allow non-authenticated access, but all other servers should require authentication and authorization.
If you can afford two separate servers, run your FTP services on a different server than Web services. FTP users have more opportunities for reading and possibly changing files than Web users do. A hacker could use FTP to damage your organization's Web pages, and in extreme cases could compromise Web-based e-commerce and other applications. Avoid granting Internet access to Trivial File Transfer Protocol (TFTP) servers, because TFTP offers no authentication features.
Be careful when adding Common Gateway Interface (CGI) or other types of scripts to Web servers. Test scripts thoroughly for security leaks. Install e-commerce applications on Web servers only if the applications are compatible with the Secure Socket Layer (SSL) standard.
E-mail servers are a common place for intruder break-ins. By its very nature, an e-mail server must allow outsider access. Ensure that network administrators keep up to date on well-known bugs and security leaks by subscribing to mailing lists dedicated to security information.
The following are some common security issues to be aware of when connecting to the Internet:
Enterprise networks should have well-defined exit and entry points. An organization that has only one Internet connection can manage Internet security problems more easily than an organization that has many Internet connections.
To maximize security, select a protocol that offers route authentication such as Routing Information Protocol (RIP) Version 2 or Open Shortest Path First (OSPF). Static and default routing is also a good option because there are no routing updates to be compromised. Internet routers should be equipped with packet filters to prevent DoS attacks.
When securing the Internet connection, you can use Network Address Translation (NAT) to protect internal network addressing schemes. NAT hides internal network numbers from outside networks and translates internal network numbers when outside access is required.
Security is critical for dial-up access and should consist of firewall technologies, physical security, authentication and authorization mechanisms, auditing, and possibly encryption. Authentication and authorization are the most important features for dial-up access security. One-time passwords are also useful for protecting dial-up access. (See "Authentication" earlier in this chapter.)
Remote users and remote routers that use the Point-to-Point Protocol (PPP) should be authenticated with the Challenge Handshake Authentication Protocol (CHAP). The Password Authentication Protocol (PAP), which offers less security than CHAP, is not recommended.
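Both sides of a CHAP exchange next to a PAP exchange, as an added example that is not part of the Cisco guide, to show why the text prefers CHAP: the authenticator issues a fresh random challenge, the peer answers with the RFC 1994 MD5 response over identifier, shared secret and challenge, and the secret itself never crosses the link, whereas PAP sends the password in the clear. The peer names and secrets are constructed.

```python
# Added example: both sides of a PPP CHAP exchange (RFC 1994) beside a PAP
# exchange, to show what each one puts on the link. Not from the Cisco guide;
# the peer names and secrets are constructed.
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5 over the Identifier octet, the shared
    secret and the Challenge Value, in that order."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The access-server side: issues challenges and verifies responses."""

    def __init__(self, secrets):
        self.secrets = secrets          # peer name -> shared secret, kept locally
        self.pending = {}               # identifier -> outstanding challenge

    def challenge(self, identifier):
        value = os.urandom(16)          # fresh random value for every attempt
        self.pending[identifier] = value
        return value

    def verify(self, identifier, name, response):
        # A challenge is usable once; a replayed response finds none waiting.
        challenge = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)


def chap_exchange(auth, name, secret, identifier=1):
    """Run the peer side against an Authenticator. Returns (authenticated,
    bytes that crossed the link) so the caller can inspect what was exposed."""
    challenge = auth.challenge(identifier)                 # Challenge packet
    response = chap_response(identifier, secret, challenge)
    on_wire = challenge + name.encode() + response          # Response packet
    return auth.verify(identifier, name, response), on_wire


def pap_exchange(passwords, name, password):
    """PAP for comparison: the peer sends its name and password in the clear."""
    on_wire = name.encode() + b"\0" + password.encode()
    return passwords.get(name) == password, on_wire


if __name__ == "__main__":
    auth = Authenticator({"remote-office": b"constructed-shared-secret"})
    ok, wire = chap_exchange(auth, "remote-office", b"constructed-shared-secret")
    print("CHAP authenticated:", ok, "| secret on the link:", b"constructed" in wire)
    ok, wire = pap_exchange({"remote-office": "Secr3t"}, "remote-office", "Secr3t")
    print("PAP authenticated:", ok, "| password on the link:", b"Secr3t" in wire)
```

Two properties carry the security argument: the link carries only the challenge and a one-way digest, so a listener learns nothing reusable, and each challenge is consumed on first use, so a captured response cannot be replayed against the next one.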
Another option for authentication, authorization, and accounting is the Remote Authentication Dial-In User Service (RADIUS) protocol. RADIUS gives an administrator the option of having a centralized database of user information. The database includes authentication and configuration information and specifies the type of service permitted for a user (such as PPP, Telnet, rlogin, and so on). RADIUS is a client/server protocol. An access server acts as a client of a RADIUS server.
Carefully control dial-up services; for example, discourage users from attaching modems and analog lines to their own workstations or servers. It is helpful to have a single dial-in point, such as a single large modem pool or access server so that all users are authenticated in the same way. A different set of modems should be used for any dial-out services. Both dial-in and dial-out services should be authenticated.
If the modems and access servers support call-back (most do), then use it. With the call-back feature, when a user dials in and is authenticated, the system disconnects the call and calls back on a specified number. Call-back is useful because the system calls back the actual user, not a hacker masquerading as the user. Call-back can easily be compromised, however, and should not be the only security mechanism.
One of the most important things that you can do is to carefully configure and protect modems and access servers so that hackers cannot reconfigure them. Program modems to reset to the standard configuration at the start and end of each call, and set modems and access servers so that they terminate calls cleanly. Servers should force a logout if the user hangs up unexpectedly.
Methods of securing Internet connections also apply to internal enterprise networks. Internal network services can make use of authentication and authorization, packet filters, audit logs, physical security, encryption, and so on.
To protect internal networks, it is important to protect internetworking devices such as routers and switches. Usernames and passwords should be required for accessing these devices, whether the user accesses the device through a console port or network. A first-level password can be used for administrators who simply need to check the status of the devices. A second-level password should be used for administrators who have permission to view or change configurations.
If you permit modem access to the console ports of internetworking devices, ensure that the modems are secured just as standard dial-in user modems are, and assign them phone numbers that are unlisted and unrelated to the organization's main number(s). Also be sure to change the phone numbers when there is staff turnover.
If you have numerous routers and switches, you may wish to use a protocol such as the Terminal Access Controller Access Control System (TACACS) to manage large numbers of router and switch usernames and passwords in a centralized database. TACACS also offers auditing features.
Note: For more information about TACACS and other security features available on the Cisco ICS 7750, refer to the Cisco ICS 7750 Software Configuration Guide.
As is the case with Internet connections, internal networks should run the most secure versions of DNS, FTP, and Web software. Select implementations of Network Information Services (NIS) and other types of naming and addressing servers carefully based on the level of security offered.
User services include end systems, applications, hosts, file servers, database servers, and other services. File and other servers should offer authentication and authorization features. End systems can also offer these features if users are concerned about other people using their systems. Encourage users to log out of sessions when leaving their desks for long periods of time, and to turn off their machines when leaving work. Automatic logouts can also be deployed to end a session that has had no activity for a set period of time.
Security policies and procedures should specify accepted practices regarding passwords: when they are required, how they must be formed, and how and how often they are changed. In general, passwords should include both letters and numbers, be at least six characters long (treat this as a floor; longer passphrases resist guessing far better), not be a dictionary word, and be changed often.
On servers, knowledge of the root password (or the non-UNIX equivalent) should be limited to a few people. Guest accounts should be avoided if possible. Protocols that support the concept of trusted hosts, such as rlogin and rsh on UNIX systems (configured through hosts.equiv and .rhosts), should be used with caution, because they grant access on the strength of a source address and username alone. If possible, isolate hosts that permit guest accounts or support trusted hosts.
Kerberos is an authentication system that provides user-to-host security for application-level protocols such as FTP and Telnet. If requested by the application, Kerberos can also encrypt the session. Kerberos relies on a key distribution center (KDC), running on a Kerberos server, that holds a database of a symmetric key for every user and service. A user proves possession of the key derived from his or her password by decrypting the KDC's reply, and thereafter presents tickets and timestamped authenticators to services rather than the password itself.
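The three exchanges that make this work (AS, TGS, and AP), as an added example that is not code from this guide, Cisco, or MIT Kerberos: the Python below models a KDC holding password-derived keys, a client obtaining a ticket-granting ticket and a service ticket, and an FTP service checking the ticket, the authenticator's timestamp, and a replay cache. The cipher is a throwaway encrypt-then-MAC construction over SHA-256 standing in for a real Kerberos encryption type, and the principals, passwords, and lifetimes are invented for the example.

```python
"""Toy Kerberos-style AS, TGS and AP exchanges (added example; not code from
this guide, Cisco or MIT Kerberos). The "cipher" is a throwaway encrypt-then-MAC
over SHA-256; realm, principals, passwords and lifetimes are made up."""
import hashlib, hmac, json, os, time

def derive_key(password: str, principal: str) -> bytes:
    # Stand-in for Kerberos string-to-key; the principal name acts as the salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object; only a holder of `key` can open or forge it."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def check_authenticator(ticket: dict, authenticator: bytes, seen=None, skew=300) -> str:
    """Checks a service (or the TGS) makes on ticket + authenticator; returns the client name."""
    now = time.time()
    if now > ticket["exp"]:
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)  # proves client holds the session key
    if auth["cname"] != ticket["cname"]:
        raise ValueError("authenticator principal does not match the ticket")
    if abs(now - auth["ts"]) > skew:
        raise ValueError("authenticator timestamp outside the clock-skew window")
    if seen is not None:                                         # replay cache
        if (auth["cname"], auth["ts"]) in seen:
            raise ValueError("replayed authenticator")
        seen.add((auth["cname"], auth["ts"]))
    return ticket["cname"]

class KDC:
    """Holds every principal's long-term key; issues TGTs (AS) and service tickets (TGS)."""
    def __init__(self, principals: dict, lifetime=8 * 3600):
        self.keys = {p: derive_key(pw, p) for p, pw in principals.items()}
        self.lifetime = lifetime

    def as_exchange(self, cname: str, nonce: str):
        sk, exp = os.urandom(32).hex(), time.time() + self.lifetime
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "key": sk, "exp": exp})
        return seal(self.keys[cname], {"key": sk, "nonce": nonce, "exp": exp}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, sname: str):
        t = unseal(self.keys["krbtgt"], tgt)           # only the KDC can open a TGT
        check_authenticator(t, authenticator)
        sk, exp = os.urandom(32).hex(), min(t["exp"], time.time() + self.lifetime)
        ticket = seal(self.keys[sname], {"cname": t["cname"], "key": sk, "exp": exp})
        return seal(bytes.fromhex(t["key"]), {"key": sk, "sname": sname}), ticket

class Service:
    """An application server (say, an FTP daemon) holding only its own key and a replay cache."""
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()
    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        return check_authenticator(unseal(self.key, ticket), authenticator, self.seen)

def client_login(kdc: KDC, cname: str, password: str, sname: str):
    """Client side of AS-REQ/REP and TGS-REQ/REP; returns what it would send in AP-REQ."""
    nonce = os.urandom(8).hex()
    as_rep, tgt = kdc.as_exchange(cname, nonce)
    creds = unseal(derive_key(password, cname), as_rep)  # wrong password: the MAC fails here
    if creds["nonce"] != nonce:
        raise ValueError("AS-REP nonce mismatch (replayed reply)")
    tgs_key = bytes.fromhex(creds["key"])
    tgs_rep, ticket = kdc.tgs_exchange(tgt, seal(tgs_key, {"cname": cname, "ts": time.time()}), sname)
    svc_key = bytes.fromhex(unseal(tgs_key, tgs_rep)["key"])
    return ticket, seal(svc_key, {"cname": cname, "ts": time.time()})

def run_demo() -> dict:
    """Constructed realm: one user, the TGS principal and one FTP service."""
    kdc = KDC({"alice": "correct horse", "krbtgt": "kdc-master-secret", "ftp/host1": "service-key"})
    ftp = Service(derive_key("service-key", "ftp/host1"))  # the service's own keytab copy
    ticket, auth = client_login(kdc, "alice", "correct horse", "ftp/host1")
    out = {"accepted_as": ftp.accept(ticket, auth)}
    try:
        ftp.accept(ticket, auth); out["replay_rejected"] = False
    except ValueError:
        out["replay_rejected"] = True
    try:
        client_login(kdc, "alice", "wrong password", "ftp/host1"); out["bad_password_rejected"] = False
    except ValueError:
        out["bad_password_rejected"] = True
    return out

if __name__ == "__main__":
    print(run_demo())
```

Note what never crosses the wire: the password itself. The KDC learns nothing from a bad guess except that the client could not open the AS reply, and a captured AP-REQ is useless after the authenticator's timestamp has been seen once or has aged past the skew window, which is why synchronized clocks matter for Kerberos deployments.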
The following areas deserve special mention in any discussion of scalability:
Though there are many potential barriers to scalability, it is limited primarily by two factors: operational issues and technical issues. Typically, operational issues are more significant than technical issues. Operational scaling concerns encourage the use of large areas or protocols that do not require hierarchical structures. When hierarchical protocols are required, technical scaling concerns promote the use of small areas. Finding the right balance is the art of network design.
From a technical standpoint, routing protocols scale well when they minimize the extent to which they use memory, central processing unit (CPU), and bandwidth:
Note These three issues also affect CPU usage.
Classic distance vector protocols such as RIP broadcast their complete routing table periodically, whether or not the routing table has changed. (EIGRP is distance vector in lineage but uses hellos and triggered partial updates, so it does not share this behavior.) When the network is stable, distance vector protocols behave well but waste bandwidth by sending the whole routing table every update interval, even when no change has occurred. When a failure occurs in the network, distance vector protocols do not add excessive load to the network, but they take a long time to reconverge to an alternative path or to flush a bad path from the network, because bad news travels one hop per update interval and routers can count a metric up toward infinity before the route is finally discarded.
Link-state routing protocols such as OSPF were designed to address the limitations of distance vector routing protocols (slow convergence and unnecessary bandwidth usage). Link-state protocols are more complex than distance vector protocols, and running them adds to the router's overhead. The additional overhead (in the form of memory utilization and bandwidth consumption when link-state protocols first start up) constrains the number of neighbors that a router can support and the number of neighbors that can be in an area (a logical set of network segments and their attached devices).
When the network is stable, link-state protocols minimize bandwidth usage by sending updates only when a change occurs. A hello mechanism verifies that neighbors are still reachable. When a failure occurs in the network, link-state protocols flood link-state advertisements (LSAs) throughout the area, and every router in the affected area reruns its shortest-path computation. The fact that LSAs must be flooded throughout the area after a failure, and that every router then recalculates its routing table, constrains the number of routers that can be in an area.
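The slow flush that distinguishes distance vector behavior, shown as an added example that is not code from this guide or Cisco: the Python below runs a synchronous RIP-style simulation of a three-router chain (constructed for the example) that has just lost the network behind its last router, and counts the update rounds until every router marks the destination unreachable (metric 16), once with split horizon and once without. A link-state protocol would instead flood the one changed LSA and have each router recompute once.

```python
"""Synchronous simulation of a RIP-style distance vector protocol losing a
destination (added example, not from this guide or Cisco; the topology is
constructed). Shows the count-to-infinity flush that split horizon avoids."""
INFINITY = 16   # RIP's unreachable metric

class Router:
    def __init__(self, name):
        self.name, self.neighbors = name, []
        self.table = {}           # destination -> (metric, next-hop name or None)

    def advertisement(self, to, split_horizon):
        """Full table sent to neighbour `to`, minus routes learned from it if split horizon is on."""
        return {d: m for d, (m, nh) in self.table.items() if not (split_horizon and nh == to)}

    def process(self, updates):
        """One Bellman-Ford step over updates {neighbour: {dest: metric}} with RIP's rules:
        the current next hop's advertisement is always accepted, even if worse;
        any other neighbour replaces the route only with a strictly better metric."""
        new = {}
        for d in set(self.table) | {d for adv in updates.values() for d in adv}:
            metric, nh = self.table.get(d, (INFINITY, None))
            if nh in updates and d in updates[nh]:
                metric = min(INFINITY, updates[nh][d] + 1)
            for n, adv in updates.items():
                if d in adv and adv[d] + 1 < metric:
                    metric, nh = adv[d] + 1, n
            new[d] = (metric, None if metric == INFINITY else nh)
        self.table = new

def rounds_to_flush(split_horizon, max_rounds=100):
    """Chain A - B - C with network X behind C; C has just lost its link to X.
    Returns the number of update rounds until all three routers hold X at INFINITY."""
    a, b, c = Router("A"), Router("B"), Router("C")
    a.neighbors, b.neighbors, c.neighbors = [b], [a, c], [b]
    a.table["X"], b.table["X"], c.table["X"] = (3, "B"), (2, "C"), (INFINITY, None)
    routers = [a, b, c]
    for rnd in range(1, max_rounds + 1):
        inbox = {r.name: {} for r in routers}
        for r in routers:                      # every router sends its periodic update
            for n in r.neighbors:
                inbox[n.name][r.name] = r.advertisement(n.name, split_horizon)
        for r in routers:                      # and all apply the round's updates together
            r.process(inbox[r.name])
        if all(r.table["X"][0] == INFINITY for r in routers):
            return rnd
    return None

if __name__ == "__main__":
    print("without split horizon:", rounds_to_flush(False), "rounds")   # counts up to 16
    print("with split horizon:   ", rounds_to_flush(True), "rounds")
```

With RIP's 30-second update interval, the 14 rounds of the no-split-horizon case are about seven minutes during which B and C forward traffic for X back and forth to each other; the two rounds with split horizon are the best a pure distance vector protocol can do on this chain, and real RIP adds hold-down and garbage-collection timers on top.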
Among the most common IP routing protocols are RIP, EIGRP, and OSPF. The following sections describe some of the performance and scalability characteristics that you need to consider when selecting IP routing protocols.
The features of RIP Version 2 are as follows:
Note RIP Version 2 authentication uses up an entire route entry: if you use authentication, there can be only 24 route entries (instead of the normal 25) per packet.
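Why the authentication entry costs a route slot is visible in the packet layout. As an added example (not code from this guide or Cisco), the Python below builds and parses RIP Version 2 response packets per RFC 2453: a 4-byte header followed by up to 25 twenty-byte entries, where a simple-password authentication entry (address family 0xFFFF, type 2) occupies the first slot. The routes, next hop, and password are constructed for the example.

```python
"""Build and parse RIP Version 2 response packets (RFC 2453) to show why an
authentication entry costs one of the 25 route entries. Added example, not
code from this guide or Cisco; routes and password are constructed."""
import ipaddress, struct

HEADER = struct.Struct(">BBH")       # command, version, must-be-zero
ENTRY = struct.Struct(">HH4s4s4sI")  # AFI, route tag, address, subnet mask, next hop, metric
AUTH = struct.Struct(">HH16s")       # AFI 0xFFFF, authentication type, 16-byte password
assert AUTH.size == ENTRY.size == 20
MAX_ENTRIES = 25                     # RFC 2453 section 3.6: at most 25 entries per packet
RIP_RESPONSE, RIP_V2, AFI_INET, AFI_AUTH, AUTH_SIMPLE = 2, 2, 2, 0xFFFF, 2

def max_routes(authenticated: bool) -> int:
    """Route entries left once the (optional) authentication entry is counted."""
    return MAX_ENTRIES - 1 if authenticated else MAX_ENTRIES

def build_response(routes, password=None) -> bytes:
    """routes: iterable of (prefix, next_hop, metric), e.g. ("10.1.0.0/16", "192.168.1.1", 2)."""
    routes = list(routes)
    limit = max_routes(password is not None)
    if len(routes) > limit:
        raise ValueError(f"{len(routes)} routes exceed the {limit}-route limit for this packet")
    parts = [HEADER.pack(RIP_RESPONSE, RIP_V2, 0)]
    if password is not None:
        pw = password.encode()
        if len(pw) > 16:
            raise ValueError("simple password is at most 16 bytes")
        parts.append(AUTH.pack(AFI_AUTH, AUTH_SIMPLE, pw.ljust(16, b"\0")))  # must be first
    for prefix, next_hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        parts.append(ENTRY.pack(AFI_INET, 0, net.network_address.packed, net.netmask.packed,
                                ipaddress.ip_address(next_hop).packed, metric))
    return b"".join(parts)

def parse_response(data: bytes) -> dict:
    """Parse a RIPv2 packet into {'command', 'version', 'password', 'routes'}."""
    command, version, zero = HEADER.unpack_from(data)
    body = data[HEADER.size:]
    if zero != 0 or len(body) % ENTRY.size or len(body) // ENTRY.size > MAX_ENTRIES:
        raise ValueError("malformed RIP packet")
    packet = {"command": command, "version": version, "password": None, "routes": []}
    for off in range(0, len(body), ENTRY.size):
        if struct.unpack_from(">H", body, off)[0] == AFI_AUTH:
            if off != 0:
                raise ValueError("authentication entry must be the first entry")
            _, auth_type, pw = AUTH.unpack_from(body, off)
            if auth_type != AUTH_SIMPLE:
                raise ValueError(f"unsupported authentication type {auth_type}")
            packet["password"] = pw.rstrip(b"\0").decode()   # travels in clear text
            continue
        _, tag, addr, mask, nh, metric = ENTRY.unpack_from(body, off)
        prefixlen = bin(int.from_bytes(mask, "big")).count("1")
        net = ipaddress.ip_network(f"{ipaddress.IPv4Address(addr)}/{prefixlen}", strict=False)
        packet["routes"].append({"prefix": str(net), "next_hop": str(ipaddress.IPv4Address(nh)),
                                 "metric": metric, "tag": tag})
    return packet

def demo() -> dict:
    """24 constructed routes plus a password fill a 504-byte packet exactly."""
    routes = [(f"10.{i}.0.0/16", "192.168.1.1", 2) for i in range(24)]
    packet = build_response(routes, password="r1p-s3cret")
    parsed = parse_response(packet)
    return {"bytes": len(packet), "routes": len(parsed["routes"]), "password": parsed["password"]}

if __name__ == "__main__":
    print(demo())
```

The parser also shows the security caveat of the simple-password type: the password is readable by anyone who can sniff the segment, so it protects only against accidental or casually misconfigured neighbors. The keyed-MD5 variant of RFC 2082 (authentication type 3, which adds a trailer after the route entries) is the one to use where spoofed routing updates are a concern.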
RIP Version 2 has the following limitations:
The features of EIGRP are as follows:
Tips To ensure good performance in large internetworks, EIGRP should be used only on networks with simple hierarchical topologies.
In the late 1980s, the Internet Engineering Task Force (IETF) created the Open Shortest Path First (OSPF) protocol to meet the need for an interior link-state routing protocol suitable for use on large enterprise networks. OSPF version 2 is defined in RFC 2328, which obsoletes the earlier RFC 2178.
The features of OSPF are as follows:
Posted: Mon Oct 2 13:18:46 PDT 2000
Copyright © 1989-2000 Cisco Systems Inc.