Monday, April 28, 2014

IS-IS configuration.

IS-IS was a terra incognita for me for a long time, even though I used to configure several networks with IS-IS (copy'n'paste mostly). Since IS-IS is excluded from the CCNP R&S track, I decided to study it on my own.
This post covers basic configuration and some best practices for IS-IS.
The topology is as follows:
I adjusted several settings, so let's investigate the configurations.
R1:
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ! I find it convenient to configure the routing process at the interface level.
 ip router isis 1
 ! One of the ways to change the interface metric.
 isis metric 123
!
interface FastEthernet0/0.123
 encapsulation dot1Q 123
 ip address 10.0.123.1 255.255.255.0
 ip router isis 1
 ! This command is redundant, since level-2-only is set under the router configuration.
 isis circuit-type level-2-only
!
router isis 1
 ! I embedded the loopback interface's address.
 net 49.0001.0010.0100.1001.00
 ! Without this the maximum metric value is 64. By default all interfaces use a metric of 10 regardless of bandwidth.
 metric-style wide
 is-type level-2-only

R4:
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
 ip router isis 1
!
! The loopbacks below are created for summarization's sake.
interface Loopback1
 ip address 10.0.0.1 255.255.255.252
 ip router isis 1
!
interface Loopback2
 ip address 10.0.0.5 255.255.255.252
 ip router isis 1
!
interface Loopback3
 ip address 10.0.0.9 255.255.255.252
 ip router isis 1
!
interface FastEthernet0/0.24
 encapsulation dot1Q 24
 ip address 10.0.24.4 255.255.255.0
 ip router isis 1
 ! As with OSPF, you can set the network type, though the choice is limited.
 isis network point-to-point
 ! Unlike OSPF, timers do not have to match between neighbors.
 isis hello-interval 2
!
router isis 1
 net 49.0002.0040.0400.4004.00
 metric-style wide
 is-type level-1

R2:
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
 ip router isis 1
!
interface FastEthernet0/0.24
 encapsulation dot1Q 24
 ip address 10.0.24.2 255.255.255.0
 ip router isis 1
 isis network point-to-point 
!
interface FastEthernet0/0.123
 encapsulation dot1Q 123
 ip address 10.0.123.2 255.255.255.0
 ip router isis 1
 ! I selected R2 as the DIS (analogous to the OSPF DR, but there is no BDR).
 isis priority 123
!
router isis 1
 net 49.0002.0020.0200.2002.00
 metric-style wide
 ! This will create an aggregated prefix for L1 and L2.
 summary-address 10.0.0.0 255.255.255.240
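
The `net` statements above embed each router's Loopback0 address in the system ID. The following is an added example, not part of the original post, that derives the system ID from a loopback address, splits a NET into area, system ID and NSEL, and checks a set of routers for mismatches and duplicate system IDs. The function names are hypothetical; the addresses and NETs are the ones configured above.

```python
import ipaddress

def system_id_from_ipv4(addr):
    """1.1.1.1 -> '0010.0100.1001': pad each octet to 3 digits, regroup by 4."""
    digits = "".join(f"{o:03d}" for o in ipaddress.IPv4Address(addr).packed)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def parse_net(net):
    """Split a NET into (area, system_id, nsel); raise ValueError if malformed."""
    hexstr = net.replace(".", "")
    if len(hexstr) % 2 or not 16 <= len(hexstr) <= 40:
        raise ValueError(f"NET must be 8 to 20 bytes: {net}")
    int(hexstr, 16)  # raises ValueError on non-hex characters
    # The last byte is the NSEL, the 6 bytes before it the system ID.
    nsel, sysid, area = hexstr[-2:], hexstr[-14:-2], hexstr[:-14]
    if nsel != "00":
        raise ValueError(f"NSEL must be 00 on a router: {net}")
    return area, ".".join(sysid[i:i + 4] for i in range(0, 12, 4)), nsel

def check_nets(routers):
    """routers: {name: (loopback, net)}. Return a list of problems found."""
    problems, seen = [], {}
    for name, (loopback, net) in routers.items():
        _area, sysid, _nsel = parse_net(net)
        if sysid != system_id_from_ipv4(loopback):
            problems.append(f"{name}: system ID {sysid} does not match {loopback}")
        if sysid in seen:
            problems.append(f"{name}: system ID duplicates {seen[sysid]}")
        seen.setdefault(sysid, name)
    return problems

# Loopback0 addresses and NETs as configured in this post.
POST_ROUTERS = {
    "R1": ("1.1.1.1", "49.0001.0010.0100.1001.00"),
    "R2": ("2.2.2.2", "49.0002.0020.0200.2002.00"),
    "R4": ("4.4.4.4", "49.0002.0040.0400.4004.00"),
}
```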

OK, basic connectivity is established; let's check what we have.
R2#show isis neighbors 
System Id      Type Interface   IP Address      State Holdtime Circuit Id
R1             L2   Fa0/0.123   10.0.123.1      UP    28       R2.02              
R3             L2   Fa0/0.123   10.0.123.3      UP    25       R2.02              
R4             L1   Fa0/0.24    10.0.24.4       UP    23       02

R4 is an L1-only router, so it should receive only a default route (like R5):
R4#show ip route 
Gateway of last resort is 10.0.24.2 to network 0.0.0.0
     2.0.0.0/32 is subnetted, 1 subnets
i L1    2.2.2.2 [115/20] via 10.0.24.2, FastEthernet0/0.24
     4.0.0.0/32 is subnetted, 1 subnets
C       4.4.4.4 is directly connected, Loopback0
     10.0.0.0/8 is variably subnetted, 5 subnets, 2 masks
C       10.0.0.8/30 is directly connected, Loopback3
C       10.0.0.0/30 is directly connected, Loopback1
C       10.0.0.4/30 is directly connected, Loopback2
C       10.0.24.0/24 is directly connected, FastEthernet0/0.24
i L1    10.0.123.0/24 [115/20] via 10.0.24.2, FastEthernet0/0.24
i*L1 0.0.0.0/0 [115/10] via 10.0.24.2, FastEthernet0/0.24
Actually, R2 doesn't advertise this route; rather, R4 creates it on its own and installs it in the routing table.

Only L1/2 routers can summarize (R2):
R1#show ip route 
     1.0.0.0/32 is subnetted, 1 subnets
C       1.1.1.1 is directly connected, Loopback0
     2.0.0.0/32 is subnetted, 1 subnets
i L2    2.2.2.2 [115/20] via 10.0.123.2, FastEthernet0/0.123
     3.0.0.0/32 is subnetted, 1 subnets
i L2    3.3.3.3 [115/20] via 10.0.123.3, FastEthernet0/0.123
     4.0.0.0/32 is subnetted, 1 subnets
i L2    4.4.4.4 [115/30] via 10.0.123.2, FastEthernet0/0.123
     5.0.0.0/32 is subnetted, 1 subnets
i L2    5.5.5.5 [115/30] via 10.0.123.3, FastEthernet0/0.123
     10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
i L2    10.0.0.0/28 [115/30] via 10.0.123.2, FastEthernet0/0.123 #As configured on R2.
i L2    10.0.24.0/24 [115/20] via 10.0.123.2, FastEthernet0/0.123
i L2    10.0.35.0/24 [115/20] via 10.0.123.3, FastEthernet0/0.123
C       10.0.123.0/24 is directly connected, FastEthernet0/0.123

R2#show ip route
     1.0.0.0/32 is subnetted, 1 subnets
i L2    1.1.1.1 [115/133] via 10.0.123.1, FastEthernet0/0.123
     2.0.0.0/32 is subnetted, 1 subnets
C       2.2.2.2 is directly connected, Loopback0
     3.0.0.0/32 is subnetted, 1 subnets
i L2    3.3.3.3 [115/20] via 10.0.123.3, FastEthernet0/0.123
     4.0.0.0/32 is subnetted, 1 subnets
i L1    4.4.4.4 [115/20] via 10.0.24.4, FastEthernet0/0.24
     5.0.0.0/32 is subnetted, 1 subnets
i L2    5.5.5.5 [115/30] via 10.0.123.3, FastEthernet0/0.123
     10.0.0.0/8 is variably subnetted, 7 subnets, 3 masks
i L1    10.0.0.8/30 [115/20] via 10.0.24.4, FastEthernet0/0.24
i L1    10.0.0.0/30 [115/20] via 10.0.24.4, FastEthernet0/0.24
i su    10.0.0.0/28 [115/20] via 0.0.0.0, Null0 #Notice summary route.
i L1    10.0.0.4/30 [115/20] via 10.0.24.4, FastEthernet0/0.24
C       10.0.24.0/24 is directly connected, FastEthernet0/0.24
i L2    10.0.35.0/24 [115/20] via 10.0.123.3, FastEthernet0/0.123
C       10.0.123.0/24 is directly connected, FastEthernet0/0.123

Let's check that DIS was elected correctly:
R3#show clns interface f0/0.123
FastEthernet0/0.123 is up, line protocol is up
  Checksums enabled, MTU 1497, Encapsulation SAP
  ERPDUs enabled, min. interval 10 msec.
  CLNS fast switching enabled
  CLNS SSE switching disabled
  DEC compatibility mode OFF for this interface
  Next ESH/ISH in 12 seconds
  Routing Protocol: IS-IS
    Circuit Type: level-1-2
    Interface number 0x1, local circuit ID 0x2
    Level-1 Metric: 10, Priority: 64, Circuit ID: R3.02
    DR ID: 0000.0000.0000.00
    Level-1 IPv6 Metric: 10
    Number of active level-1 adjacencies: 0
    Level-2 Metric: 10, Priority: 64, Circuit ID: R2.02
    DR ID: R2.02
    Level-2 IPv6 Metric: 10
    Number of active level-2 adjacencies: 2
    Next IS-IS LAN Level-1 Hello in 2 seconds #I haven't found the exact command to check timers on the interface; the only way, as with EIGRP, is to repeat this command periodically.
    Next IS-IS LAN Level-2 Hello in 65 milliseconds
Next, let's configure IS-IS authentication.
Basic L1 plain text authentication:
R4 & R2:
router isis 1
 area-password ISIS-L1-PASS
This doesn't authenticate Hello packets, thus the neighborship is established, but no routes are accepted.
L2 plain text authentication:
R1 & R2 & R3:
router isis 1
 ! Here we authenticate and validate SNP packets, but not Hello packets.
 domain-password ISIS-L2-PASS authenticate snp validate
For area 3 I will use L1 MD5 authentication (it is applicable to L2 as well):
R3 & R5:
key chain ISIS-KEY-CHAIN
 key 1
  key-string ISIS-MD5-L1
!
interface FastEthernet0/0.35
 isis authentication mode md5 level-1
 isis authentication key-chain ISIS-KEY-CHAIN level-1
Notice that per-interface authentication configuration forces Hello packets to include authentication information, thus preventing the neighborship from being established.
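
The three authentication variants above differ in what they protect, so a configuration review has to look at both the `router isis` block and each IS-IS interface. The following is an added example, not part of the original post: it parses IOS configuration text and flags clear-text `area-password`/`domain-password` lines and IS-IS interfaces whose Hellos carry no MD5 authentication. The function names are hypothetical, the sample is constructed from the snippets in this post, and only the commands shown on this page are recognized.

```python
import re

# Constructed sample, assembled from the snippets in this post.
SAMPLE = """\
key chain ISIS-KEY-CHAIN
 key 1
  key-string ISIS-MD5-L1
interface FastEthernet0/0.35
 ip router isis 1
 isis authentication mode md5 level-1
 isis authentication key-chain ISIS-KEY-CHAIN level-1
interface FastEthernet0/0.123
 ip router isis 1
router isis 1
 domain-password ISIS-L2-PASS authenticate snp validate
"""

def blocks(config):
    """Group IOS config text into [header, [indented commands]] pairs."""
    out = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            out.append([line.strip(), []])
        elif out:
            out[-1][1].append(line.strip())
    return out

def audit_isis_auth(config):
    """Return (header, finding) pairs for weak or missing IS-IS authentication."""
    parsed, findings = blocks(config), []
    chains = {h.split()[2] for h, _ in parsed if h.startswith("key chain ")}
    for header, body in parsed:
        if header.startswith("router isis"):
            for cmd in body:
                m = re.match(r"(area|domain)-password\s", cmd)
                if m:  # plain text password, and it does not cover Hellos
                    findings.append((header, f"cleartext {m.group(1)}-password"))
        elif header.startswith("interface ") and any(
                re.match(r"ip(v6)? router isis", c) for c in body):
            md5 = any(c.startswith("isis authentication mode md5") for c in body)
            ref = [c.split()[3] for c in body
                   if c.startswith("isis authentication key-chain ")]
            if not (md5 and ref):  # Hellos on this circuit carry no MD5 digest
                findings.append((header, "no MD5 Hello authentication"))
            elif ref[0] not in chains:
                findings.append((header, f"key chain {ref[0]} not defined"))
    return findings
```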

Now let's cover an interesting behavior of IS-IS when redistributing between protocols.
In the topology above I will add R6 and configure RIP between R6 and R1:

R1:
interface FastEthernet0/0.16
 encapsulation dot1Q 16
 ip address 20.0.16.1 255.255.255.0
!
router rip
 version 2
 network 20.0.0.0
 no auto-summary
R6:
interface Loopback0
 ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/0.16
 encapsulation dot1Q 16
 ip address 20.0.16.6 255.255.255.0
!
router rip
 version 2
 network 6.0.0.0
 network 20.0.0.0
 no auto-summary
Now let's redistribute IS-IS into RIP and vice versa:
R1:
router rip
 redistribute isis 1 level-2 metric 5
!
router isis 1
 redistribute rip metric 15
R6:
R6#show ip route
     2.0.0.0/32 is subnetted, 1 subnets
R       2.2.2.2 [120/5] via 20.0.16.1, 00:00:06, FastEthernet0/0.16
     3.0.0.0/32 is subnetted, 1 subnets
R       3.3.3.3 [120/5] via 20.0.16.1, 00:00:06, FastEthernet0/0.16
     4.0.0.0/32 is subnetted, 1 subnets
R       4.4.4.4 [120/5] via 20.0.16.1, 00:00:06, FastEthernet0/0.16
     20.0.0.0/24 is subnetted, 1 subnets
C       20.0.16.0 is directly connected, FastEthernet0/0.16
     5.0.0.0/32 is subnetted, 1 subnets
R       5.5.5.5 [120/5] via 20.0.16.1, 00:00:07, FastEthernet0/0.16
     6.0.0.0/32 is subnetted, 1 subnets
C       6.6.6.6 is directly connected, Loopback0
     10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
R       10.0.0.0/28 [120/5] via 20.0.16.1, 00:00:07, FastEthernet0/0.16
R       10.0.24.0/24 [120/5] via 20.0.16.1, 00:00:07, FastEthernet0/0.16
R       10.0.35.0/24 [120/5] via 20.0.16.1, 00:00:07, FastEthernet0/0.16
Notice that R6 has no route to 10.0.123.0/24. The reason for this is that IS-IS doesn't redistribute connected prefixes, which is odd in my opinion. The same rule applies to IPv6 (even though I haven't found a way to redistribute RIPng into IS-IS).
To fix this we can just use "redistribute connected", but I'll do it the right way (:
ip prefix-list CONNECTED-2-RIP seq 5 permit 10.0.123.0/24
ip prefix-list CONNECTED-2-RIP seq 10 deny 0.0.0.0/0 le 32
!
route-map CONNECTED-2-RIP permit 10
 match ip address prefix-list CONNECTED-2-RIP
!
route-map CONNECTED-2-RIP deny 100
!
router rip
 redistribute connected route-map CONNECTED-2-RIP
Voila:
R6#show ip route 10.0.123.0
Routing entry for 10.0.123.0/24
  Known via "rip", distance 120, metric 1
  Redistributing via rip
  Last update from 20.0.16.1 on FastEthernet0/0.16, 00:00:17 ago
  Routing Descriptor Blocks:
  * 20.0.16.1, from 20.0.16.1, 00:00:17 ago, via FastEthernet0/0.16
      Route metric is 1, traffic share count is 1

Now let's apply some best practices (I'll use R5 as an example):
interface FastEthernet0/0.35
 ! Hello-interval * Hello-multiplier = Hold time.
 isis hello-multiplier 4
 ! Sets hello interval to 1 second.
 isis hello-interval minimal
!
router isis 1
 ! Interval before iSPF execution.
 ispf level-1-2 60
 ! The number of LSPs to be sent before SPF is run.
 fast-flood 15
 ! Signals to other routers not to use this router as a transit point.
 set-overload-bit on-startup 180
 ! This reduces the flooding.
 max-lsp-lifetime 65535
 ! And this too.
 lsp-refresh-interval 65505
 ! Throttling of SPF calculations.
 spf-interval 5 1 20
 ! Throttling of LSP generation.
 lsp-gen-interval 5 1 20
 ! By default Hello packets are padded to match the MTU size of the interface.
 no hello padding
 ! Simple and so powerful.
 bfd all-interfaces

OK, we're done with IPv4; time to add IPv6 to the topology:
R2:
ipv6 unicast-routing
!
interface FastEthernet0/0.24
 ipv6 address 2024::2/64
 ipv6 router isis 1
!
interface FastEthernet0/0.123
 ipv6 address 2123::2/64
 ipv6 router isis 1
R1:
ipv6 unicast-routing
!
interface FastEthernet0/0.123
 ipv6 address 2123::1/64
 ipv6 router isis 1

Other routers are configured similarly.
R1#show ipv6 route
I2  2024::/64 [115/20]
     via FE80::C002:12FF:FE5C:0, FastEthernet0/0.123
I2  2035::/64 [115/20]
     via FE80::C004:1DFF:FE8C:0, FastEthernet0/0.123
C   2123::/64 [0/0]
     via ::, FastEthernet0/0.123
L   2123::1/128 [0/0]
     via ::, FastEthernet0/0.123
L   FF00::/8 [0/0]
     via ::, Null0
Notice that the same IS-IS process is used for both IPv4 and IPv6, because IS-IS doesn't rely on multicast (as most IPv4 IGPs do).


The topology used along with the configuration files is available here.
Some useful tips: IS-IS NOTES
